2021 Fintech Book

Fintech
2021
Contributing editors
Angus McLean and Penny Miller
© Law Business Research 2020

Publisher
Tom Barnes
Fintech
tom.barnes@lbresearch.com
Subscriptions
Claire Bagnall
2021
claire.bagnall@lbresearch.com
Senior business development manager

Adam Sargent
adam.sargent@gettingthedealthrough.com
Published by
Law Business Research Ltd Contributing editors
Meridian House, 34-35 Farringdon Street
London, EC4A 4HL, UK Angus McLean and Penny Miller
The information provided in this publication Simmons & Simmons LLP
is general and may not apply in a specific
situation. Legal advice should always
be sought before taking any legal action
based on the information provided. This
information is not intended to create, nor
does receipt of it constitute, a lawyer– Lexology Getting The Deal Through is delighted to publish the fifth edition of Fintech, which is
client relationship. The publishers and available in print and online at www.lexology.com/gtdt.
authors accept no responsibility for any Lexology Getting The Deal Through provides international expert analysis in key areas of
acts or omissions contained herein. The law, practice and regulation for corporate counsel, cross-border legal practitioners, and company
information provided was verified between directors and officers.
June and August 2020. Be advised that this Throughout this edition, and following the unique Lexology Getting The Deal Through format,
is a developing area. the same key questions are answered by leading practitioners in each of the jurisdictions featured.
Our coverage this year includes new chapters on Australia, Brazil, Denmark, Egypt, Liechtenstein,
© Law Business Research Ltd 2020 Malta, New Zealand and Turkey.
No photocopying without a CLA licence. Lexology Getting The Deal Through titles are published annually in print. Please ensure you
First published 2016 are referring to the latest edition or to the online version at www.lexology.com/gtdt.
Fifth edition Every effort has been made to cover all matters of concern to readers. However, specific
ISBN 978-1-83862-339-5 legal advice should always be sought from experienced local advisers.
Lexology Getting The Deal Through gratefully acknowledges the efforts of all the contribu-
Printed and distributed by
tors to this volume, who were chosen for their recognised expertise. We also extend special
Encompass Print Solutions
thanks to the contributing editors, Angus McLean and Penny Miller of Simmons & Simmons LLP,
Tel: 0844 2480 112
for their continued assistance with this volume.
London
August 2020
Reproduced with permission from Law Business Research Ltd

This article was first published in September 2020
For further information please contact editorial@gettingthedealthrough.com
www.lexology.com/gtdt 1
Contents
Introduction5 Indonesia102
Angus McLean and Penny Miller Winnie Rolindrawan and Harry Kuswara
Simmons & Simmons LLP SSEK Legal Consultants
Australia6 Ireland109
Michael Bacina, Andrea Beatty, Tim Clark, Will Fennell, Sarah Johnson, Liam Flynn and Lorna Smith
Tim O’Callaghan and Andrew Rankin Matheson
Piper Alderman
Japan117
Belgium17 Akihito Miyake, Ken Kawai, Tomoyuki Tanaka and Asako Matsuo
Vincent Verkooijen, Jérémie Doornaert, Martin Carlier, Anderson Mori & Tomotsune
Dimitri Van Uytvanck and Marc de Munter
Simmons & Simmons LLP Kenya125
John Syekei, Dominic Indokhomi, Irene Muthoni and Mercy Mwaniki
Brazil28 Coulson Harney Advocates
Nei Zelmanovits, Thais De Gobbi, Pedro Nasi, Vicente Braga,
Érica Yamashita, Diego Gualda, Vinicius Costa and Alina Miyake Liechtenstein134
Machado Meyer Advogados Thomas Nägele and Thomas Feldkircher
NÄGELE Attorneys at Law
China39
Jingyuan Shi Malta142
Simmons & Simmons LLP Leonard Bonello and James Debono
Ganado Advocates
Denmark48
Rasmus Mandøe Jensen and Christian Scott Uhlig Netherlands150
Plesner Advokatpartnerselskab Aron Berket, Jeroen Bos and Marline Hillen
Simmons & Simmons LLP
Egypt57
Mohamed Hashish New Zealand 161
Soliman, Hashish & Partners Derek Roth-Biester and Megan Pearce
Anderson Lloyd Lawyers
Germany64
Christopher Götz, Dang Ngo, Elmar Weinand, Eva Heinrichs, Singapore170
Felix Biedermann, Janine Marinello, Jochen Kindermann, Grace Chong, Jason Valoti, Calvin Tan, Benedict Tan, Marcus Teo,
Martin Gramsch and Sascha Kuhn Ng Aik Kai, Sun Zixiang, Low Si Rong and Seah Ern Xu
Simmons & Simmons LLP Simmons & Simmons JWS
Gibraltar77 South Africa 181

David Borge, Kunal Budhrani and Peter Howitt David Geral, Kirsten Kern, Livia Dyer, Claire Franklyn, Xolani Nyali
Ince and Bright Tibane
Bowmans
Hong Kong 84
Ian Wood Spain194
Simmons & Simmons LLP Alfredo De Lorenzo, Álvaro Muñoz, Carlos Jiménez de Laiglesia,
Ignacio González, Juan Sosa and María Tomillo
India93 Simmons & Simmons LLP
Anuj Kaila and Stephen Mathias
Kochhar & Co
2 Fintech 2021
Contents
Sweden203
Emma Stuart-Beck, Caroline Krassén, Anton Sjökvist, Mikaela Lang,
Henrik Schön, Trine Osen Bergqvist, Nicklas Thorgerzon,
Karl-Hugo Engdahl, Maria Schultzberg, Viveka Classon
and Malin Malm Waerme
Vinge
Switzerland212
Clara-Ann Gordon and Thomas A Frick
Niederer Kraft Frey
Taiwan220
Abe T S Sung and Eddie Hsiung
Lee and Li Attorneys at Law
Turkey230
Cigdem Ayozger Ongun and Begum Erturk
SRP-Legal Law Firm
United Arab Emirates 238

Muneer Khan, Jack Rossiter and Raza Rizvi
United Kingdom 250

Angus McLean, George Morris, Jo Crookshank, Kate Cofman-Nicoresti,
Olly Jones, Penny Miller and Peter Broadhurst
Introduction
Angus McLean and Penny Miller
What’s old is new dealing with young fintech firms in the future, not to mention inves-
With the excitement surrounding the potential for financial technology tors. The next few years will present the ultimate test for the energy,
to change the world and transform lives over the past few years, it resourcefulness and adaptability of the entrepreneurs who will have
is worth remembering that financial innovation has been with us for to navigate their businesses through these unprecedented headwinds.
some time. From the invention of money before the beginning of written
history to the advent of the double-entry accounting method in Korea A broad church
during the Goryeo dynasty and its adoption by the Medici family in the You know that fintech has penetrated the public consciousness when the
14th century, fintech has come a long way. portmanteau enters the dictionary for the first time. Last year, Merriam
However, in recent years it has it has been difficult to open a news- Webster defined fintech as ‘products and companies that employ newly
paper (or a news aggregator) without reading about the promise of developed digital and online technologies in the banking and financial
artificial intelligence, distributed ledger technology, cloud computing services industries’. It should be clear from this definition that fintech
and ever-cheaper computer power. is a broad church. It encompasses businesses of all sizes, from the
Combined with the creation of new business models, the increasing founder writing the first lines of code to some of the largest companies
democratisation of technical education, significant investment and in the world. It also encompasses a wide variety of technologies and
public policy and regulatory support, the fintech sector has experienced business models. Fintech products and services now exist across the
remarkable growth. There can never have been a better time to be a entire financial services sector, including:
fintech-focused entrepreneur, financier, investor, policy maker, tech- • payments processing and networks;
nologist or (whisper it quietly) lawyer. • crypto-assets;
• mobile wallets and remittances;
Challenging times • retail investing and secondary markets;
Is all that about to change though? Like every industry, the fintech • capital markets and institutional trading;
sector has been heavily affected by the covid-19 pandemic. Some sub- • core banking and infrastructure;
sectors within the industry, such as digital asset and payments firms, • wealth management;
have benefited from increased volumes of business. However, many • personal finance and saving;
have struggled both from a business perspective and from the wider • digital banking;
effect the pandemic has had on the global economy. In particular, the • real estate lending and investing;
economic uncertainty created by the pandemic has had a big impact on • financial regulation and compliance;
the ability of fintech firms to raise new investment at the same levels • insurance;
(and valuations) as previously possible. Despite numerous support • payroll and benefits;
packages launched by governments around the globe, this trend looks • credit scores and analytics; and
likely to continue in the short term at least. • personal and business lending.
When taken together with the impact of the accounting scandal
that has embroiled the German payments firm Wirecard, the fintech While there are significant differences between the legal issues affecting
sector looks to be in the eye of a perfect storm of challenges. For a businesses operating across this diverse universe of sub-sectors, this
young industry that has only every enjoyed the tailwinds of a largely publication seeks to address the most pressing issues that we see in
supportive regulatory and policy environment and enthusiastic inves- our day-to-day practice, advising firms in all of these areas.
tors, the double shock of these two very significant events could well
reshape the sector. The public failure and alleged mismanagement of Fintech 2021
one of the biggest names in sector looks likely to be the fintech indus- This publication is intended to provide a user-friendly resource to help
try’s ‘ENRON moment’. fintech entrepreneurs and their advisers and investors around the
How the various stakeholders respond will be key to the longer- world navigate the often complex key legal and regulatory issues on
term prospects for the sector. There is no doubt that events at Wirecard which we are most often asked to advise.
have already had an impact on the level of regulatory scrutiny that is Now, more than ever, understanding the legal and regulatory
being imposed on fintech firms. That trend is only likely to continue landscape on which you operate is paramount to success. We hope this
as regulators and policymakers begin to look at the sector with a new edition serves as a valuable reference point wherever you are on your
perspective. It will also inevitably affect the approach of counterparties fintech journey.
Australia
Michael Bacina, Andrea Beatty, Tim Clark, Will Fennell, Sarah Johnson, Tim O’Callaghan
and Andrew Rankin
Piper Alderman
FINTECH LANDSCAPE AND INITIATIVES be made available from 1 July 2020, with consumer data relating to
mortgages and personal loans to be made available from 1 November
General innovation climate 2020. However, the Australian Competition and Consumer Commission
1 What is the general state of fintech innovation in your (ACCC) has given non-major banks and credit unions temporary exemp-
jurisdiction? tion to begin sharing product reference data from those dates on the
basis that covid-19 has caused widespread delays and resource real-
The Australian fintech sector continues to rapidly evolve, as entities locations at banks.
work together to transform the industry and reshape the provision On 7 February 2020, the Hon Karen Andrews announced the
of financial services in the wake of covid-19. Recognising the size Department of Industry, Innovation and Science’s National Blockchain
and scope of the opportunity for Australian consumers and business Roadmap, which identifies opportunities for Australia to capitalise on
arising from fintech, the federal government established a Senate economic opportunities presented by blockchain technologies. The
Select Committee on Financial Technology and Regulatory Technology Department of the Treasury is due to publish its report on initial coin
in late 2019, to which there have been over 160 public submis- offerings, arising from a consultation held in early 2019.
sions to date.
FINANCIAL REGULATION
Government and regulatory support
2 Do government bodies or regulators provide any support Regulatory bodies
specific to financial innovation? If so, what are the key 3 Which bodies regulate the provision of fintech products and
benefits of such support? services?
While various regulators and government departments offer fintech- ASIC

specific services or benefits, there is no overarching fintech strategy The Australian Securities and Investment Commission (ASIC) is
yet implemented by the government. However, the Senate Select the primary regulator of credit and financial products in Australia. It
Committee on Financial Technology and Regulatory Technology is due regulates the conduct of providers of credit and financial products
to present its final report on 16 April 2021. and services.
The Australian Securities and Investments Commission’s (ASIC) ASIC is responsible for granting and regulating Australian credit
innovation hub encourages eligible businesses to apply for informal licences (ACLs) in accordance with the National Consumer Credit
assistance and guidance on Australia’s financial services laws. Protection Act 2009 (Cth) (the NCCP Act) and the National Consumer
Unfortunately, the hub does not offer businesses any legally binding Credit Protection Regulations 2010 (Cth) (the NCCP Regulations).
guidance or specific confirmation as to whether exemptions to certain ASIC is also responsible for granting and regulating Australian
regulatory requirements will apply. The hub does provide a designated financial services licences (AFSL) which are governed under a licensing
contact for applicants and 12 months of informal guidance. regime contained in Chapter 7 of the Corporations Act 2001 (Cth).
ASIC also operates a fintech regulatory sandbox, allowing eligible
fintech entities to test certain products or services for up to 12 months APRA
without an Australian financial services licence. The sandbox is The Australian Prudential Regulation Authority (APRA) is responsible
currently limited to services offering advice or dealing in certain deposit for prudential supervision and regulation of banks, neobanks, insurers
or payment products (up to A$10,000 if issued by an authorised deposit- and superannuation funds (other than self-managed superannuation
taking institution), general insurance (up to A$50,000 insured), liquid funds). It is responsible for authorising entities to carry on banking or
securities (up to A$10,000) and limited consumer credit contracts (with insurance business in Australia or to be the trustee of a superannuation
certain features and between A$2,001 and A$25,000). Legislation has fund. APRA’s main concern is financial system stability.
been passed to enable the expansion of the parameters of the sandbox
by later regulation. AUSTRAC
The government has emphasised its commitment to implementing Most financial services are considered designated services under the
the consumer data right regime, which seeks to ensure that information Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
is accessed and transferred to accredited data recipients in a safe and (the AML/CTF Act) and are regulated by the Australian Transaction
efficient manner. After an initial delay, consumer data relating to credit Reports and Analysis Centre (AUSTRAC).
and debit cards, deposit accounts and transaction accounts is due to
6 Fintech 2021
Piper Alderman Australia
RBA Consumer lending

The Reserve Bank of Australia (RBA) is Australia’s central bank. In addi- 5 Is consumer lending regulated in your jurisdiction?
tion to its traditional central bank functions, the RBA is responsible for
regulating payment systems (ie, systems that facilitate the circulation Consumer lending in Australia is regulated by the NCCP Act, which
of money). Under the Payment Systems (Regulation) Act 1998 (Cth), includes the National Credit Code (NCC), and the NCCP Regulations.
the RBA has the power to designate a payment system where it is in Under the NCCP Act, any persons that engage in a credit activity
the public interest to do so and, thereafter, impose access regimes and must hold an ACL. There are several exemptions from the requirements
standards on participants in that payment system as well as arrange for to hold an ACL including the making of business-to-business loans.
the arbitration of disputes between participants.
Responsible lending
ACCC Chapter 3 of the NCCP Act details the responsible lending obligations
The Australian Competition and Consumer Commission (ACCC) is for credit licensees, which vary between different types of credit activity.
responsible for protecting consumer, business and communal inter- Key obligations include giving a credit guide (when applicable) to
ests by promoting competition and fair trade in the market. The ACCC collect and verify financial information about a prospective debtor and
ensures that all individuals and businesses comply with the Competition assessing the unsuitability of a credit contract for a particular consumer.
and Consumer Act 2010 (Cth), including the Australian Consumer Law, ASIC’s guidance regarding responsible lending is set out in
which contains prohibitions on misleading and deceptive conduct and ‘Regulatory Guide 209: Credit licensing: Responsible lending conduct’,
unconscionable conduct. which ASIC released in December 2019 to provide more specific guid-
ance about responsible lending obligations.
Regulated activities
4 Which activities trigger a licensing requirement in your External dispute resolution
jurisdiction? All ACL holders must be a member of the Australian Financial
Complaints Authority scheme, which is the mandatory external dispute
The following activities constitute ‘carrying on a financial services busi- resolution scheme for financial services providers.
ness’ in Australia and require an AFSL:
• providing financial product advice; Secondary market loan trading
• dealing in a financial product; 6 Are there restrictions on trading loans in the secondary
• making a market for a financial product; market in your jurisdiction?
• providing a custodial or depository service;
• operating a registered managed investment scheme; At present, there are no legislative restrictions on trading loans in the
• providing a crowdfunding service; secondary market in Australia. However, trading is limited by a fairly
• providing traditional trustee company services; and illiquid market, as most lenders prefer to take a ‘buy and hold’ approach.
• claims handling is currently expected to be licensed from 30 Further, for consumer debts regulated by the NCCP Act, assignees of
June 2021. the legal title must also hold an ACL.
In general, these activities include any product or service with a predom- Collective investment schemes
inant investment character and any dealing in that product or service. In 7 Describe the regulatory regime for collective investment
addition, the federal government announced in May 2020 that litigation schemes and whether fintech companies providing alternative
funders would be required to hold an AFSL. finance products or services would fall within its scope.
Activities relating to the following credit products constitute
carrying on a credit activity and require an ACL: Collective investment arrangements usually fall within the scope of the
• credit contracts; Corporations Act definition of a ‘managed investment scheme’ (MIS).
• credit services (ie, credit assistance and acting as an intermediary); An arrangement or scheme will be an MIS if:
• consumer leases; • people contribute money or money’s worth as consideration to
• mortgages; and acquire interests to benefits produced by the scheme (whether the
• guarantees, both as the credit provider or as a person that performs rights are actual, prospective or contingent, and whether they are
the obligations, or exercises the rights, of a credit provider. enforceable);
• any of the contributions are pooled or used in a common enter-
Lending is regulated only if it is to an individual or strata corporation prise to produce financial benefits or benefits consisting of rights
predominantly: or interests in property for the members who hold interests in the
• for personal, domestic or household purposes; scheme; and
• to purchase, renovate or improve residential property for invest- • members of the scheme do not have day-to-day control of the
ment purposes; or operation of the scheme (regardless of whether they have voting
• to refinance credit that has been provided wholly or predominantly or other similar rights).
to purchase, renovate or improve residential property for invest-
ment purposes. The definition of an MIS is deliberately broad and can include arrange-
However, some exceptions apply. ments that would not traditionally be considered an investment.
Examples include class action litigation, collective buying schemes,
Taking money on deposit (other than as a part payment for goods or digital token offerings meeting the above definition, lottery syndicates
services) and making advances of money amounts to banking business and time share schemes.
and will require an authorised deposit-taking institution (ADI) licence. After being announced in the 2016–17 Federal Budget, the regula-
tory framework for a new corporate collective investment vehicle (CCIV)
structure is yet to be settled but is expected to include:
Australia Piper Alderman
• that a CCIV must be a public company, structured as an umbrella • have their financial reports audited once they raise A$3 million
fund with sub-funds, each of which may hold different assets and or more from CSF offers; and
have different investment strategies; • comply with the related party transaction rules that apply to
• that a CCIV must be operated by a corporate director that is an public companies.
Australian public company and holds an AFSL with CCIV authori-
sation; and Other obligations applicable to CSF offers include:
• that a retail CCIV must separate out investor funds using a licensed • an investor cap of A$10,000 per year per company for retail
depositary with authorisation to provide deposit services to CCIVs, investors;
and this depository will hold the assets of the CCIV on trust and • a CSF offer document containing minimum information; and
provide oversight of the operations of the CCIV. • a five-day cooling-off period for investors.
The CCIV is designed to encourage the entry of new and alternative In addition, CSF offers must be made by the holder of an AFSL or on a
service providers into the Australian market by providing an interna- platform operated by a CSF intermediary holding an AFSL.
tionally recognisable investment structure and making compliance
processes simpler for Australian fund managers seeking to offer prod- Invoice trading
ucts overseas. 11 Describe any specific regulation of invoice trading in your
At present, given the broad definition of an MIS, fintech entities jurisdiction.
making an offering that are at risk of being considered an MIS must
obtain an AFSL and meet disclosure requirements to offer their product. In general, credit facilities (including any kind of financial accommoda-
tion provided by one person to another) are not financial products, so
Alternative investment funds trading in debts is not subject to the AFSL regime. As far as the struc-
8 Are managers of alternative investment funds regulated? ture of a factoring arrangement may cause it to be an over-the-counter
‘derivative’ as defined in the Corporations Act (which ordinarily requires
Collective investment undertakings that do not provide investors with an AFSL to deal in), specific licensing relief is available under the ASIC
day-to-day control over the operation of the investment will generally Corporations (Factoring Arrangements) Instrument (2017/794) in some
be considered an MIS and as a result the provider will need to hold circumstances.
an AFSL. Funds offering specific asset classes, such as hedge fund or
property products, may be subject to additional licensing and disclosure Payment services
obligations. 12 Are payment services regulated in your jurisdiction?
Peer-to-peer and marketplace lending The provision of a purchased payment facility (PPF) or being the holder
9 Describe any specific regulation of peer-to-peer or of stored value for a PPF is deemed to be carrying on banking business.
marketplace lending in your jurisdiction. Consequently, providers of PPFs (eg, digital wallet services) must obtain
an ADI authorisation from APRA. However, the authorisation granted
Australia has no specific legislation dealing with peer-to-peer lending. is typically subject to a condition limiting them to providing PPFs and
However, the investment aspect of these marketplaces will often be preventing them from lending money (other than incidental advances to
structured as an MIS regulated by the Corporations Act, requiring that customers in the course of providing a PPF).
the operator hold an AFSL.
The provision of consumer credit is regulated under the NCCP Open banking
Act, requiring an operator to hold an ACL. The NCCP Act and the NCC 13 Are there any laws or regulations introduced to promote
contain consumer protection provisions requiring an operator to assess competition that require financial institutions to make
whether credit is unsuitable to a consumer before providing it. Credit customer or product data available to third parties?
provided for investment purposes, business purposes or to non-natural
persons is not regulated by the NCCP Act but may be subject to the ASIC On 5 February 2020, the ACCC published the Competition and Consumer
Act if it is provided to small businesses. (Consumer Data Right) Rules. These Rules require Australia’s four
Additional advertising guidance has been published by ASIC for major banks to share product reference data with accredited data recip-
marketplace lending products. ients, and give legislative force to consumer data sharing obligations in
banking. The Rules were meant to become mandatory from 1 July 2020,
Crowdfunding however it has been pushed back three months until 1 October 2020 due
10 Describe any specific regulation of crowdfunding in your to the covid-19 pandemic.
jurisdiction.
Robo-advice
Australia’s regulatory framework for equity-based crowd-sourced 14 Describe any specific regulation of robo-advisers or other
funding (CSF) allows eligible companies to raise up to A$5 million companies that provide retail customers with automated
using CSF. access to investment products in your jurisdiction.
CSF offers can be made only by ‘eligible’ CSF companies, including:
• unlisted public companies with less than: While there is not specific regulation of robo-advisers, ‘robo-advice’
• A$25 million in consolidated gross assets; and is defined in the Australian Securities and Investment Commission
• A$25 million in annual revenue; and (ASIC) Regulatory Guide 255 as the provision of financial product advice
• proprietary companies that: using algorithms and technology and without the direct involvement
• maintain a minimum of two directors; of a human adviser. Where that robo-advice is generating general or
• prepare annual financial and directors’ reports in accordance personal financial product advice, that advice will be a financial service
with accounting standards; under the Corporations Act, unless an exemption applies.
8 Fintech 2021
To the extent that AI or robo-advice is used to provide a desig- SALES AND MARKETING
nated service under the Anti-money Laundering and Counter-Terrorism
Financing Act 2006 (Cth), the business providing that service – even if Restrictions
automated – will likely have reporting obligations to AUSTRAC. 19 What restrictions apply to the sales and marketing of
financial services and products in your jurisdiction?
Insurance products
15 Do fintech companies that sell or market insurance products A person will be conducting financial and related activities whenever
in your jurisdiction need to be regulated? they publish advertisements in Australia that are reasonably likely to
induce Australians to acquire a financial service or product. Marketing
In general, a person carrying on a life or general insurance business a product itself may constitute an Australian financial services licence-
must be authorised by APRA to conduct business and hold an AFSL, regulated activity, unless an exemption applies.
unless an exemption applies. Persons other than insurers that sell or The Australian Securities and Investment Commission Act provides
market insurance products must hold an AFSL unless a specific exemp- for consumer protection surrounding advertising and marketing of finan-
tion applies. Persons that sell or market home contents or personal and cial services, including prohibitions on misleading or deceptive conduct.
domestic property insurance products with an insured value less than Advertisements and promotional material in respect of credit prod-
A$50,000 may be eligible for 12-month licensing relief under the regula- ucts must comply with the National Consumer Credit Protection Act
tory sandbox exemption in the ASIC Corporations (Concept Validation 2009 (Cth). This includes a requirement to include a credit licensee’s
Licensing Exemption) Instrument 2016/1175. Australian credit licence number on all printed ads.
Advertisements and promotional material in respect of finan-
Credit references cial products must comply with the Corporations Act. This includes a
16 Are there any restrictions on providing credit references or requirement to include the identity of the issuer or the seller, confir-
credit information services in your jurisdiction? mation that a product disclosure statement (PDS) is available and a
statement that a person should consider the PDS in deciding whether to
Subject to the Privacy Act 1988 (Cth), only credit reporting agencies are acquire or to continue to hold a product.
authorised to collect, collate and disclose consumer credit reporting The Australian advertising industry also self-regulates via industry
information to credit providers. There are no restrictions on commer- standards.
cial credit references or commercial credit information, subject to
privacy law. CHANGE OF CONTROL
CROSS-BORDER REGULATION Notification and consent

20 Describe any rules relating to notification or consent
Passporting requirements if a regulated business changes control.
17 Can regulated activities be passported into your jurisdiction?
Subject to exemptions, the Corporations Act contains a takeover prohi-
On 31 March 2020, the Australian Securities and Investments bition, which prohibits a person from acquiring a relevant interest in
Commission (ASIC) repealed licensing exemptions that apply to foreign the issued voting shares or the voting interests (as the case may be)
financial service providers (FFSPs) regulated under an overseas regu- of a listed body (including a listed managed investment scheme) or an
latory regime that ASIC had assessed as sufficiently equivalent to the unlisted company with more than 50 members in the entity if:
Australian regulatory regime. From 1 April 2020, FFSPs must apply for • the person acquires the interest through a transaction (defined
a foreign AFS licence to provide financial services to wholesale clients broadly) in relation to the securities; and
in accordance with Regulatory Guide 176: Foreign financial services • because of the transaction, that person's or someone else's voting
providers (RG 176). Transitional arrangements will apply to FFSPs that power in the entity increases from less than to more than 20 per
were able to rely on the sufficient equivalence relief on 31 March 2020, cent, or from a starting point that is more than 20 per cent and less
such that they may continue to rely on that relief from 1 April 2020 until than 90 per cent.
either the FFSP has been granted a foreign AFS licence commencing
before 31 March 2022 or the end of the transitional period on 31 March There are also restrictions on the acquisition of shareholdings in certain
2022 (whichever occurs first). financial sector companies and on the acquisition of substantial inter-
ests in Australian businesses.
Requirement for a local presence The takeover prohibition applies to the acquisition of relevant
18 Can fintech companies obtain a licence to provide financial interests in:
services in your jurisdiction without establishing a local • listed Australian companies;
presence? • unlisted Australian companies with more than 50 members;
• Australian-listed bodies; and
From 1 April 2020, new FFSPs will be required by ASIC to apply for a • Australian-listed managed investment schemes.
foreign AFS licence to provide financial services to wholesale clients.
Existing FFSPs that are currently relying upon sufficient equivalence The takeover prohibition will be triggered whenever a person seeks
relief will have a transitional two-year relief period until 31 March 2022 to acquire a relevant interest in securities that results in the person's
before being required to obtain a foreign AFS licence. voting power being more than 20 per cent. This includes transactions
where the person's voting power is already more than 20 per cent. The
requirements are expressed to apply both in and outside Australia.
The concept of 'relevant interest' is detailed and expansive.
'Voting power' is defined as the total number of voting shares or inter-
ests in which a person and their associates have a relevant interest,
represented as a percentage of the total number of voting shares inter- In 2017, amendments to the AML/CTF Act required that digital currency
ests in the relevant entity. 'Associate' is also broadly defined to include: exchanges be registered with AUSTRAC.
• subsidiaries, holding companies and sibling entities controlled by The main provisions regarding anti-bribery are included in federal
the same ultimate holding company; and state or territory legislation, including the Criminal Code Act 1995
• persons with whom the relevant person enters, or proposes to (Cth). Federal legislation prohibits bribing foreign and Commonwealth
enter, into an agreement for the purpose of controlling or influ- public officials, and state or territory legislation prohibits some private
encing the composition of the target's board or its affairs; and and commercial bribery practices. There is currently no specific bribery
• a person with whom the relevant person acts, or proposes to act, in legislation in place in Australia.
relation to the target's affairs.
Guidance
Under the Financial Sector (Shareholdings) Act 1998 (Cth), a person 22 Is there regulatory or industry anti-financial crime guidance
may not acquire more than 20 per cent of the voting shares or practical for fintech companies?
control of Australian banks, other authorised deposit-taking institutions
and Australian insurers without the approval of the federal Treasurer. There is currently no guidance specific to fintech companies.
The restrictions also apply to Australian and foreign holding companies
of these financial sector companies. PEER-TO-PEER AND MARKETPLACE LENDING
Under the Foreign Acquisitions and Takeovers Act 1975 (Cth), there
are restrictions on foreign persons acquiring a substantial interest (ie, Execution and enforceability of loan agreements
more than 20 per cent (individually) or 40 per cent (collectively)) in 23 What are the requirements for executing loan agreements or
Australian companies without the approval of the Foreign Investment security agreements? Is there a risk that loan agreements
Review Board. The constitutions of some Australian companies (particu- or security agreements entered into on a peer-to-peer or
larly those privatised by the federal and state governments) also contain marketplace lending platform will not be enforceable?
restrictions on foreign shareholdings.
There are several exceptions to the takeover prohibition, which Loan and security agreements may be executed by companies either
allow a person to obtain voting power of more than 20 per cent if they with or without a common seal in accordance with section 127 of the
fall within the terms of the permitted exception. The most commonly Corporations Act. Subject to the formulation of a loan agreement, and
relied on exceptions include: state or territory requirements for the execution of deeds (where an
• making a takeover offer; interest in land can only be granted or disposed of by deed), these agree-
• obtaining the approval of members of the target; ments may be executed electronically in accordance with the Electronic
• obtaining control by means of a scheme of arrangement; Transactions Act 1999 (Cth) and equivalent state or territory legislation.
• 'creeping' (ie, acquiring no more than 3 per cent of the voting power The same requirements apply to peer-to-peer or marketplace lending
in any six-month period); platforms. There have recently been amendments made to state, terri-
• underwriting; or tory and federal legislation to provide more certainty around electronic
• making the acquisition through an upstream company listed on an signatures for deeds or for witnessing remotely in response to the
approved foreign financial market. social distancing requirements of covid-19.
FINANCIAL CRIME Assignment of loans

24 What steps are required to perfect an assignment of
Anti-bribery and anti-money laundering procedures loans originated on a peer-to-peer or marketplace lending
21 Are fintech companies required by law or regulation to have platform? What are the implications for the purchaser if the
procedures to combat bribery or money laundering? assignment is not perfected? Is it possible to assign these
loans without informing the borrower?
The Anti-money Laundering and Counter-Terrorism Financing Act 2006
(Cth) (the AML/CTF Act) imposes obligations regarding the prevention An assignment of loans in these circumstances may be effected by
of money laundering and terrorism financing, including: a deed of assignment and will be perfected once the assignee takes
• conducting know-your-customer customer identification; control of the loan. If no valid deed is effected, the assignment may
• transaction monitoring and reporting, including reporting transfers constitute a deemed security interest and perfected by registering
of physical currency of A$10,000 or more and international funds a valid security interest over the collateral on the Personal Property
transfer instructions; Securities Register (PPSR). Failure to register on the PPSR may result
• suspicious matter reporting; in the security becoming void against a liquidator. On liquidation, the
• having an AML/CTF programme in place; and unperfected security interest vests in the grantor on its liquidation and
• submitting annual compliance certificates with the Australian the relevant secured party loses their interest.
Transaction Reports and Analysis Centre (AUSTRAC). No notice or consent is required to transfer loans on a peer-to-peer
lending platform. However, the assignee must provide a copy of their
Entities providing designated services under section 6 of the AML/ credit guide as soon as is practicable following the assignment.
CTF Act must comply with the requirements of the Act. ‘Designated
services’ include: Securitisation risk retention requirements
• taking deposits; 25 Are securitisation transactions subject to risk retention
• being a lender, account provider or insurer; requirements?
• providing remittance services; and
• exchanging currency (including digital currency in the course of There are currently no minimum risk retention requirements.
operating a digital currency exchange business).
10 Fintech 2021
Securitisation confidentiality and data protection requirements Crypto-assets

26 Is a special purpose company used to purchase and securitise 29 Are there rules or regulations governing the use of crypto-
peer-to-peer or marketplace loans subject to a duty of assets, including digital currencies, digital wallets and
confidentiality or data protection laws regarding information e-money?
relating to the borrowers?
The AML/CTF Act defines a ‘digital currency’ as:
If the special purpose company used to purchase and securitise is • a digital representation of value that:
subject to the Privacy Act, the company must comply with its obligations • functions as a medium of exchange, a store of economic value
under the Act regarding the data protection of the borrowers. The duty or a unit of account;
of confidentiality will apply to the underlying loan or security agree- • is not issued by or under the authority of a government body;
ment, subject to the usual practice of including express consents in the • is interchangeable with money and may be used as consid-
underlying documents to permit disclosures. eration; and
• is generally available to members of the public; or
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER • a means of exchange or digital process or crediting declared to be
TECHNOLOGY AND CRYPTO-ASSETS digital currency under the AML/CTF Rules.
Artificial intelligence The AML/CTF Rules may be updated by the CEO of AUSTRAC and do not
27 Are there rules or regulations governing the use of artificial require Parliament to change underlying legislation. Where a business
intelligence, including in relation to robo-advice? wishes to offer a service of converting fiat currency to digital currency, it
will be providing a designated service under the AML/CTF Act and that
‘Robo-advice’ is defined in the Australian Securities and Investment business will be required to be registered as a digital currency exchange
Commission (ASIC) Regulatory Guide 255. (DCE) with AUSTRAC unless an exemption applies. This is expected to
The obligations that apply to the provision of traditional financial be expanded in the future to capture conversion services from digital
product advice and digital advice are functionally identical. For example, currency to digital currency.
no Australian financial services licence (AFSL) is required for the Over 300 digital currency exchanges are registered in Australia.
provision of factual information. However, if robo-advice is generating For businesses that plan to issue or offer to deal in digital assets
general or personal financial product advice, that advice will be a finan- or crypto-assets, the starting point is to determine if the crypto-assets
cial service under the Corporations Act, unless an exemption applies. or tokens are financial products within the definition of the Corporations
ASIC has provided specific relief from holding a licence to providers Act. If so, a business issuing crypto-assets will be required to hold an
of generic financial calculators under Regulatory Guide 167 and the AFSL. A business offering to deal in crypto-assets, such as by operating
ASIC Instrument 2016/207. A ‘generic financial calculator’ is defined as a market, must also obtain an AFSL if it is dealing with, giving advice or
a facility, device, table or thing used to make general calculations and providing intermediary services for crypto-assets that constitute finan-
that does not advertise a specific product. cial products.
To the extent that AI or robo-advice is used to provide a desig- If a business is offering payment services, such as accepting crypto-
nated service under the Anti-money Laundering and Counter-Terrorism assets and making payments, assuming the crypto-asset is not a financial
Financing Act 2006 (Cth) (the AML/CTF Act), the business providing that product, the business will still be providing a ‘non-cash payment facility’
service – even if automated – may have reporting obligations to the as defined in section 763D of the Corporations Act, and the entity will be
Australian Transaction Reports and Analysis Centre (AUSTRAC). required to hold an AFSL unless an exemption applies (Regulatory Guide
185 provides for a low value NCP exemption that many fintech businesses
Distributed ledger technology rely on). Digital wallets in Australia will most likely constitute non-cash
28 Are there rules or regulations governing the use of payment facilities. The non-cash payment facility concept in Australia is
distributed ledger technology or blockchains? broadly analogous to the e-money regulatory system in Europe.
Finally, if digital assets stored by a business are financial products,
There are no specific rules or regulations governing the use of distrib- that business must ensure that it holds the appropriate custodial and
uted ledger technology or blockchain. depository authorisations under an AFSL.
ASIC’s INFO 219 sets out an assessment tool for businesses to
identify whether an AFSL may be required for distributed ledger tech- Digital currency exchanges
nology-based (DLT) services. This tool includes a set of factors to be 30 Are there rules or regulations governing the operation of
considered by the business, such as: digital currency exchanges or brokerages?
• Which DLT platform is being used?
• How it will be run? The conversion of fiat currency to a crypto assets is a designated service,
• How does it work? requiring registration as a DCE with AUSTRAC. To register as a DCE, a
• How is the DLT using data? business must prepare an AML/CTF programme and meet specified
• How the DLT affects others? threshold and suspicious transaction reporting obligations.
In addition to the need to register with AUSTRAC, if a DCE is issuing
ASIC’s view is that many DLT token offerings will likely be a managed tokens that are financial products (eg, via an initial exchange offering
investment scheme (MIS), and that fintech providers that offer market or listing a token from an initial coin offering if the tokens constitute
infrastructure or clearing and settlement will likely require licensing or an financial products), the exchange will need to hold an AFSL to deal in
exemption. To date there has been no case law deciding if this is correct. The those tokens and may need a market authorisation. Digital currency or
Department of the Treasury’s ICO Review report is overdue for publication. crypto-payment services will require an AFSL unless they fall under an
The offering of digital currency conversion services in the course of exemption such as the low value exemption.
operating a digital currency exchange business will require an operator Depending on the exchange’s structure, and how digital assets are
(including one located offshore) to register with AUSTRAC. cleared or settled, an exchange may be operating a clearing settlement
facility and, as a result, be required to hold a clearing and settlement • notify APRA of material information security incidents (separate to
facility licence under Part 7.3 of the Corporations Act. notifiable data breach obligations under the Privacy Act 1988 (Cth)).
Initial coin offerings Fintech businesses dealing with APRA-regulated entities may still need
31 Are there rules or regulations governing initial coin offerings to be cognisant of CPS 234, as APRA-regulated entities must meet the
(ICOs) or token generation events? requirements of CPS 234 even if their information assets are managed
by third parties.
In May 2019, ASIC updated its INFO 225 guidance in relation to initial ASIC’s Regulatory Guide 255 – Providing Digital Financial Product
coin offerings (ICOs). ASIC considers that there is a high risk that most Advice to Retail Clients sets out requirements that Australian financial
ICOs or token generation events will be considered MISs requiring the services licensees that provide certain digital financial product advice
responsible entity to hold an AFSL. ASIC expects entities that do not should follow to protect against malicious cyber activity.
have an AFSL to be able to justify a conclusion that their token or ICO is
not a financial product. OUTSOURCING AND CLOUD COMPUTING
Unfortunately, INFO 225 still does not provide clear guidance on
how entities can undertake a token offering that is compliant with the Outsourcing
obligations of an MIS operated by an AFSL holder in relation to matters 34 Are there legal requirements or regulatory guidance with
such as custody or secondary trading of crypto-assets or provide respect to the outsourcing by a financial services company of
any categories of crypto-token that will not be considered financial a material aspect of its business?
products.
The Australian Securities and Investments Commission’s (ASIC)
DATA PROTECTION AND CYBERSECURITY Regulatory Guide 104 – Licensing: Meeting the General Obligations sets
out guidance of ASIC’s expectations for Australian financial services licen-
Data protection sees outsourcing their functions. In particular, while they can outsource
32 What rules and regulations govern the processing and their functions, they cannot outsource their responsibilities as a licensee
transfer (domestic and cross-border) of data relating to and remain responsible for complying with licensee obligations.
fintech products and services? Certain Australian Prudential Regulatory Authority-regulated
(APRA) financial institutions are required to comply with prudential
While there are no legal requirements or regulatory guidance relating standards on outsourcing (CPS 231) and related guidelines. Separate
to personal data that is aimed specifically at fintech businesses, all prudential standards (SPS 231 and HPS 231) apply to registrable super-
are subject to the obligations of the Privacy Act, including a notifiable annuation entity licensees and private health insurers respectively.
data breach reporting requirement. The Privacy Act is concerned with These mandatory standards set out requirements on how material busi-
the protection of personal information, which includes an individual’s ness activity can be outsourced.
identity or information from which an individual’s identity can be ascer- A ‘material business activity’ is an activity that has the potential, if
tained. Additional protections are required when businesses deal with disrupted, to have a significant impact on the APRA-regulated institution
prescribed sensitive information that includes certain health-related or its ability to manage risks effectively.
information. The notifiable data breach reporting requirements require The principal requirements under these prudential standards are:
that processes be put in place by businesses to address data breaches, • having a board-approved policy for the outsourcing of material
including reporting certain data breaches to the Office of the Australian business activities and monitoring of outsourcing arrangements;
Information Commissioner. • having an agreement with any outsourced service provider
involving a material business activity that addresses, at a minimum,
Cybersecurity certain matters in CPS 231 (including matters relating to owner-
33 What cybersecurity regulations or standards apply to fintech ship, storage and control of data);
businesses? • consulting APRA before entering into any offshoring arrangement
involving a material business activity; and
There are no overarching regulations or standards on cybersecurity in • notifying APRA as soon as possible after entering into an
Australia. However, there are certain regulatory standards and guide- outsourcing agreement involving a material business activity, but
lines that offer guidance. no later than 20 business days after the execution of an outsourcing
The Australian Prudential Regulatory Authority (APRA) has issued agreement.
several mandatory standards and regulatory guidelines concerning
cybersecurity and cloud computing as they relate to businesses In addition, APRA has issued several mandatory standards and regu-
providing financial services, superannuation and insurance. These latory guidelines concerning cloud computing, including standards on
include prudential standards on outsourcing (CPS 231, SPS 231 and business continuity management (CPS 232 and SPS 232) and informa-
HPS 231), business continuity management (CPS 232 and SPS 232), tion security (CPS 234).
information security (CPS 234) and related regulatory guidelines.
CPS 234 took effect from 1 July 2019 and applies to certain Cloud computing
APRA-regulated entities. Among other things, CPS 234 requires ARPA- 35 Are there legal requirements or regulatory guidance with
regulated entities to: respect to the use of cloud computing in the financial services
• clearly define information security-related roles and responsibilities; industry?
• maintain appropriate information security capability commensu-
rate with the size and extent of threats to their information assets; APRA has issued various mandatory standard and regulatory guide-
• implement appropriate controls to protect their information assets lines regarding cloud computing, including prudential standards on
and ensure their effectiveness through systematic testing and outsourcing (CPS 231, SPS 231 and HPS 231), business continuity
assurance; and management (CPS 232 and SPS 232) and information security (CPS 234).
12 Fintech 2021
CPS 231 concerns outsourcing arrangements generally and Confidentiality

applies where the use of cloud computing services involves material Confidential information is protected by case law, where the owner has
business activities. APRA’s ‘Outsourcing Involving Cloud Computing taken steps to keep the information confidential and a person receiving
Services’ information paper provides regulatory guidance relating to that information in circumstances of confidence releases to others or
risk management, notification and consultation obligations for APRA- uses the information in a manner not authorised by the owner, or both.
regulated entities using cloud computing services.
The Privacy Act 1988 (Cth) regulates the collection, use, disclosure IP developed by employees and contractors
and handling of personal information that could be relevant to cloud 37 Who owns new intellectual property developed by an
computing services. Organisations that have to comply with the Privacy employee during the course of employment? Do the same
Act must comply with the Australian Privacy Principles and have specific rules apply to new intellectual property developed by
obligations where data is disclosed outside Australia. contractors or consultants?
INTELLECTUAL PROPERTY RIGHTS An employer will own intellectual property developed by an employee
during the course of their employment – unless the employment
IP protection for software contract stipulates otherwise – and where the material giving rise to
36 Which intellectual property rights are available to protect the IP rights was created as part of the duties for which the employee
software, and how do you obtain those rights? was employed. Where an employee’s duties involve the development of
intellectual property, their employment contract should refer to these
The three main forms of IP protection for software in Australia are copy- duties and specify that IP rights in material created by the employee will
right, patents and confidentiality. be owned by the employer.
New intellectual property developed by contractors or consultants
Copyright will generally be owned by the contractor or consultant unless there is
Computer programs as defined under the Copyright Act 1958 (Cth) a written assignment to the contrary.
qualify for protection under copyright law as literary works, provided An employee, contractor or consultant that has assigned the IP
that the requirements for copyright subsistence are met. There is no rights in materials that they have created will continue to retain their
registration requirement in Australia. moral rights, which are provided for in Part IX of the Copyright Act 1968
Copyright law requires a computer program to be attributable to (Cth). Individuals have the following rights that last for the same period
an author and not reproduced or copied from another source. As the as copyright protection (generally 70 years):
copyright owner will usually be the authors who created or developed • to be identified as the author of the work;
the source code of the software, fintech businesses must ensure that • not to have authorship of their work falsely attributed; and
when third-party software developers are commissioned, the engage- • integrity of authorship (ie, the right not to have their work subjected
ment agreement stipulated that copyright in the software is assigned to to derogatory treatment).
the fintech entity. Copyright will generally vest in the employer where
an individual has developed the computer program in the course of Individuals cannot assign, transfer or sell their moral rights, but may
their employment duties. The duration of the copyright protection for consent to their moral rights being infringed, provided that the consent
published works is usually 70 years from the death of the author of the relates to specified acts or omissions or specified types of acts or omis-
copyright work. sions. An employee can also provide a broad consent to their employer
covering any acts or omissions in relation to all works created by the
Patents employee during their employment.
In Australia, two types of patent can be granted, the traditional
standard patent providing 20 years of protection and an innovation Joint ownership
patent providing eight years of protection. The innovation patent has a 38 Are there any restrictions on a joint owner of intellectual
faster and cheaper application process and less stringent patentability property’s right to use, license, charge or assign its right in
requirements, but has been reviewed, and will be abolished from 25 intellectual property?
August 2021.
An invention must meet the requirements of Patents Act 1990 (Cth) The rights of a joint owner of intellectual property differs according to
to receive patent protection. Specifically, the patent must be a patent- the type of intellectual property.
able subject matter that is new, useful, involves an innovative step (in Unless there is an agreement to the contrary, co-owners of copy-
respect of innovation patents) or inventive step (in respect of standard right material own the copyright as tenants in common in equal shares
patents) and satisfies other formality requirements. and not as joint tenants. A co-owner may not do or authorise any act
The requirement of patentable subject matter must be satisfied comprised in the copyright of a work, including reproducing the copyright
for business methods implemented by a computer program. In general, materials, granting a licence to a third party or charging or assigning
a separate result beyond the typical working of a computer must be any right in this copyright, without the consent of the co-owner. The
achieved for a business method implemented in or by a computer non-consenting owner is entitled to an injunction against the infringing
process to be patentable. The mere use of well-known and understood co-owner and licensee preventing these unauthorised acts.
functions of computers for implementing business methods is insuffi- A joint owner of a patent is entitled to an equal undivided share in
cient for patent protection. that patent, unless there is an agreement to the contrary. Therefore, a
Finally, certain aspects of software, including software-imple- joint owner may use the patent for their own benefit without accounting
mented inventions or business methods, may also be protected by to the other joint owner or owners, but may not grant a licence under,
imposing confidentiality obligations on customers and keeping those or assign an interest in, the patent without the consent of the other joint
aspects a trade secret of the business. owner or owners.
Trade secrets Remedies for infringement of IP

39 How are trade secrets protected? Are trade secrets kept 41 What remedies are available to individuals or companies
confidential during court proceedings? whose intellectual property rights have been infringed?
There is no legislation that specifically protects trade secrets. However, Registered IP rights are each governed by a different legislative scheme,
section 183 of the Corporations Act 2001 (Cth), which requires that a for example:
current or former director, officer or employee of a corporation does not • the Copyright Act 1968;
improperly use the information to gain an advantage for themselves or • the Designs Act 2003;
others or cause detriment to the organisation, is sufficiently broad to • the Patents Act 1990; and
cover trade secrets. • the Trademarks Act 1995.
Trade secrets are also protected by equitable principles relating to
breach of confidence. A breach of confidence requires that: In general, the Federal Court of Australia is the most appropriate court
• an obligation of confidence exists in relation to specific information; to initiate proceedings for infringement of IP rights, particularly for
• the information disclosed is of a confidential nature; registered rights or actions brought under the Australia Consumer Law,
• the information was received in circumstances importing an obli- as the legislative schemes that govern those rights are federal acts.
gation of confidence; The court has the power to award various remedies in IP infringe-
• there is an actual or threatened misuse of the information without ment proceedings, including:
the disclosing party’s consent; and • injunctive relief (both interim and final injunctions may be awarded);
• the breach resulted in the disclosing party suffering damage. • an Anton Piller order (ie, search and seizure order);
• damages or account of profits;
The courts may make orders to protect trade secrets contained in discov- • declaratory relief;
ered documents or documents produced by a third party. The court will • costs; and
weigh the risk of inadvertent or accidental disclosure and the likely loss • additional damages in circumstances of flagrancy of the
against the extent to which a party’s ability to seek advice and provide infringement.
instructions may be hampered if a claim for confidentiality is upheld.
The limitation period for bringing infringement proceedings is six years.
Branding However, the courts will be less inclined to assist when an applicant has
40 What intellectual property rights are available to protect delayed bringing infringement proceedings.
branding and how do you obtain those rights? How can It is not uncommon for the respondent to cross claim with an
fintech businesses ensure they do not infringe existing action to revoke the registered right of the applicant (eg, on the grounds
brands? that the registration does not conform with the requisite requirements
of registration). The owner of the registered right should carefully
Branding elements are usually protected by trademark registration. examine the validity of the registration before threatening infringement
A trademark is a badge of origin or a sign used to distinguish goods proceedings.
and services from those of others, including: The recipient of a threat of infringement is entitled to initiate legal
• product names; proceedings to seek orders that the threats are groundless and seek
• tag lines; injunctive relief to prevent further threats from being made. In general,
• logos; proceedings initiated on the basis of groundless threats will be unsuc-
• aspects of packaging; and cessful once the applicant issues proceedings.
• colours, sounds and scents.
COMPETITION
Trademark registration provides exclusive rights to use, license and sell
the trademark for an initial period of 10 years, which continues indefi- Sector-specific issues
nitely provided the renewal fees are paid every 10 years. 42 Are there any specific competition issues that exist with
An application to register a trademark is made with IP Australia. respect to fintech companies in your jurisdiction?
Assuming no objections or oppositions, the process takes approximately
seven months. The Australian Federal Government recently implemented an ‘open
As a practical measure, before choosing a trademark applicants banking regime’, whereby consumers have a general right to control
should ensure that the domain name (web URL), social media names their data pursuant to the Treasury Laws Amendment (Consumer Data
(eg, Facebook page or Twitter handle) and business name are available. Right) Act 2019 (Cth) (the Consumer Data Right).
Unregistered trademarks can be protected by establishing that the Australian Treasurer, Hon Josh Frydenberg MP, in his second
use of the same or a similar trademark by a person is likely to mislead reading speech on the Treasury Laws Amendment (Consumer Data
others to believe that the person is somehow connected with the appli- Right) Bill 2019, stated that:
cant (ie, misleading and deceptive conduct in breach of the Australian
Consumer Law) or amounts to passing off. This requires the applicant to The consumer data right … will drive competition… For consumers,
prove that they have reputation in the trademark to such an extent that improved access to data will support better price comparison
the use of the trademark by someone else would be misleading. services, taking into account their unique circumstances, and
To ensure that applicants do not infringe the rights of a third party’s promote more convenient switching between products and
existing brands, they should: providers…
• search the Australian Trade Marks Register for any similar regis-
tered trademarks; and After several delays in implementing the Consumer Data Right, on 5
• conduct a general market knowledge enquiry to identify any unreg- February 2020, the Australian Competition and Consumer Commission
istered trademarks that may have a reputation. made the Competition and Consumer (Consumer Data Right) Rules
14 Fintech 2021
2020, which were subsequently revised on 19 June 2020 (as amended, Australia has an R&D tax incentive designed to encourage compa-
the Rules). nies to invest in R&D activity. The tax incentive is in the form of two tax
Pursuant to the Rules: offsets that apply to eligible R&D expenditure, namely:
• certain obligations regarding banks’ product data became a statu- • a 43.5 per cent refundable tax offset for the first A$100 million
tory requirement for the Australia and New Zealand Banking Group of eligible expenditure for certain eligible entities whose aggre-
Limited, Commonwealth Bank of Australia, National Australia Bank gated turnover is less than A$20 million and provided they are not
Limited and Westpac Banking Corporation (together, the ‘big four’ controlled by income tax exempt entities; and
banks) on 6 February 2020 and were to be a requirement for non- • a 38.5 per cent non-refundable tax offset for the first A$100 million
major banks from 1 July 2020; however, the ACCC has granted a of eligible expenditure for all other eligible entities, which may be
three-month exemption until 1 October 2020 because of the impact carried forward.
of the covid-19 pandemic;
• the disclosure of consumer data to accredited persons commenced The Taxpayer Alert 2017/5 sets out the view of the Australian Taxation
for the big four banks from 1 July 2020 and is currently scheduled Office in relation to R&D claims on software development projects.
to commence for non-major banks on 1 November 2020; and
• the balance of the obligations will be rolled-out progressively Increased tax burden
between 1 July 2020 and 30 June 2022. 44 Are there any new or proposed tax laws or guidance that
could significantly increase tax or administrative costs for
Fintech companies are also subject to the competition law prohibitions fintech companies in your jurisdiction?
contained in the Competition and Consumer Act 2010 (Cth) (CCA). The
CCA prohibits various forms of anti-competitive practices, including the There are no new or proposed laws or guidance specifically affecting
misuse of market power, exclusive dealing (including third line forcing), fintech companies.
resale price maintenance and cartel conduct. The Australian Consumer
Law contained in Schedule 2 of the CCA provides consumer protection IMMIGRATION
in the form of:
• general prohibitions against conduct that is likely to mislead or Sector-specific schemes
deceive or that is unconscionable; 45 What immigration schemes are available for fintech
• specific prohibitions against unfair practices including false or businesses to recruit skilled staff from abroad? Are there
misleading representations on goods or services; and any special regimes specific to the technology or financial
• an ability for Australian Courts to declare unfair contract terms sectors?
contained in standard form consumer contracts to be void, such
that they are unenforceable. There are no immigration schemes specific to the technology or finan-
cial sectors. The following visa options may be open to skilled workers
TAX recruited from overseas by fintech businesses:
• Temporary Work (Short Stay Specialist) (subclass 400) visa: for
Incentives three to six months in a highly specialised job;
43 Are there any tax incentives available for fintech companies • Temporary Skill Shortage (subclass 482) visa: for up to four years,
and investors to encourage innovation and investment in the for workers sponsored by their employer and whose occupa-
fintech sector in your jurisdiction? tion is on the Australian government’s list of skilled occupations
or the employer has a labour agreement with the Australian
Australia has many tax concessions applicable to fintech companies. government; and
The early-stage investment company (ESIC) regime provides that a • Employer Nomination Scheme (subclass 186) visa: permanent, for
company must be recently incorporated and not have incurred expendi- workers nominated by their employer and whose occupation is on
ture or generated income over certain limits in the preceding income the Australian government’s list of skilled occupations.
year. The company must meet either a 100-point or a principles-based
innovation test. If the company qualifies as an ESIC, investors qualify for UPDATE AND TRENDS
a 20 per cent non-refundable carry forward tax offset. The amount of the
tax offset is 20 per cent of the amount paid for the shares to a maximum Current developments
of A$200,000. Investors also enjoy no capital gains tax for the first 10 46 Are there any other current developments or emerging
years of their holding of the shares. trends to note?
Australia also has concessions for start-up companies in relation
to employee share schemes. In general, any discount an employee The key emerging trend is a renewed focus from the federal govern-
receives on shares or options or rights is treated as assessable income. ment on the opportunities fintech provides, and the potential upsides for
However, under this concession, start-up companies can offer (without Australian consumers and the broader economy. Following the volume
the discount being taxed): of submissions to the Senate Select Committee, and the subsequent
• shares with a discount to market value of no more than 15 changes to the economy, the Committee is requesting further submis-
per cent; or sions on what support is necessary in the short-, medium- and long
• rights or options with an exercise price being the market value of a term, including post-recovery, focusing on solutions that can be deliv-
share when the right or option is acquired. ered swiftly by government and the private sector.
In calculating the market value of a share, the company can use a net
tangible asset valuation method. This allows a fintech entity with, for
example, a large IP or goodwill element to issue equity at a significant
discount to employees.
Coronavirus
47 What emergency legislation, relief programmes and other
initiatives specific to your practice area has your state
implemented to address the pandemic? Have any existing
government programmes, laws or regulations been amended
to address these concerns? What best practices are advisable
for clients?
While there has not been any government initiatives specifically Michael Bacina
mbacina@piperalderman.com.au
targeted at the fintech sector in response to covid-19, the federal and
state governments have implemented various legislative changes, Andrea Beatty
stimulus packages and relief programmes generally. FinTech Australia, abeatty@piperalderman.com.au
a member organisation that advocates for fintech issues in Australia, Tim Clark
has published a short guide of the various available government assis- tclark@piperalderman.com.au
tance programs specifically for fintech businesses. We have, however,
Will Fennell
summarised two key developments below.
wfennell@piperalderman.com.au
Hardship Sarah Johnson

The Australian Securities and Investments Commission (ASIC) has sjohnson@piperalderman.com.au
suggested various arrangements for entities considering hardship Tim O’Callaghan
complaints, such as delaying scheduled loan repayments, waiving fees tocallaghan@piperalderman.com.au
and charges, interest-free periods, no interest rate increases and debt
Andrew Rankin
collection. Lenders are treating covid-19 relief measures as tempo-
arankin@piperalderman.com.au
rary and not formal arrangements regulated by the National Credit
Code (NCC). This aligns with the public policy intent of these meas-
ures. ASIC has been called to issue a legislative instrument exempting Level 23, Governor Macquarie Tower
the application of time period rules under the NCC for covid-19 hard- 1 Farrer Place
ship arrangements to deal with the significant quantities of hardship Sydney NSW 2000
Australia
requests received – but this has not yet occurred. AFCA has yet to report
Tel: +61 2 9253 9999
a material increase in banking disputes, but expects to see an increase
www.piperalderman.com.au
in hardship disputes in six months’ time when deferrals expire.
Electronic signatures
Widespread social distancing requirements have restricted the ability
for entities to rely on ‘wet signatures’, and has caused an increase
in entities seeking to rely on electronic signatures. The Electronic
Transactions Amendment (COVID-19 Witnessing of Documents)
Regulation 2020 (NSW) allows a broad range of documents to be signed
electronically and remotely. In New South Wales, this means that docu-
ments can be witnessed through an audiovisual link, providing relief to
those who cannot physically sign or witness documents. At the federal
level, the government has introduced the Corporations (Coronavirus
Economic Response) Determination (No. 1) 2020, which modifies the
legislative requirements regarding meetings and execution of company
documents to facilitate electronic methods.
16 Fintech 2021
Belgium
Vincent Verkooijen, Jérémie Doornaert, Martin Carlier, Dimitri Van Uytvanck and Marc de Munter
FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION
General innovation climate Regulatory bodies

1 What is the general state of fintech innovation in your 3 Which bodies regulate the provision of fintech products and
jurisdiction? services?
Although the Belgian fintech ecosystem is currently booming (over The Financial Services and Markets Authority (FSMA) and the National
the years, the number of start-ups active in the financial sector with a Bank of Belgium (NBB) are generally the bodies responsible for regu-
predominantly technological approach has increased steadily), Belgian lating the provision of fintech products and services in Belgium.
fintech companies that have reached a size large enough to play in the
big league can still be counted on the fingers of one hand. In effect, Regulated activities
Belgian fintech companies have a tendency to rely more on organic 4 Which activities trigger a licensing requirement in your
growth and to focus for longer periods on the local market, taking jurisdiction?
more time to cross the Belgian border. Transforming all these prom-
ising start-ups into scale-ups capable of competing on the international A large number of financial activities trigger licensing requirements
scene is therefore a major challenge that requires stronger support and in Belgium. The following providers of financial services are regulated
financing. (among others): credit institutions, certain lenders, stockbroking and
investment firms, fund management companies, payment institutions,
Government and regulatory support e-money institutions, and insurance and reinsurance firms.
2 Do government bodies or regulators provide any support The supervision of financial institutions in Belgium is organised
specific to financial innovation? If so, what are the key according to a ‘twin peaks’ model, by which the competences are
benefits of such support? shared between two autonomous supervisors: the NBB and the FSMA.
Each regulator has a specific set of objectives. The NBB is the principal
No. However, a Belgian fintech platform called B-Hive was launched in prudential supervisor for (among others) banks, insurance companies,
January 2017 to support fintech start-ups. The Belgian federal govern- stockbroking firms, payment and e-money institutions, on both a macro-
ment – by means of the federal investment fund – and a number of major and micro-level. The FSMA is responsible for supervising the financial
banks, insurers and market infrastructure players support the project. markets and the information circulated by companies, certain catego-
B-Hive has recently set up hubs in New York, London and Tel Aviv. ries of financial service providers (including investment firms and fund
In addition, both the National Bank of Belgium and the Financial management companies) and intermediaries, compliance by financial
Services and Markets Authority (FSMA) offer fintech companies the institutions with conduct of business rules and the marketing of finan-
opportunity to enter into direct contact with them through a dedicated cial products to the public. The Federal Public Services Economy, small
‘fintech portal’ available on their websites. The purpose of the Fintech and medium-sized enterprises (SMEs), Self-employed and Energy (FPS
Contact Point is to support a dialogue between the regulator and fintech Economy) also has certain supervisory powers (eg, consumer credit,
companies whereby the regulator aims to get back to the firms within payment services).
three business days and to assist them in understanding the applicable Only credit institutions may receive deposits from the public in
regulatory framework. This facility can be used, for example, for any Belgium or solicit the public in Belgium in view of receiving deposits.
project relating to crowdfunding, distributed ledger technology, virtual Credit institutions are regulated by the Belgian Act of 25 April 2014
currencies, application programming interfaces or alternative distribu- relating to the status and supervision of credit institutions and stock-
tion models. broking firms. Besides deposit-taking, the majority of the activities
Finally, a sectorial association called Fintech Belgium has been listed under Annex I of the Capital Requirements Directive may only
created, regrouping around 100 Belgian fintech companies. be carried out by licensed entities, are subject to specific regulations,
or both. Certain lenders are also subject to local supervision (eg,
consumer lenders, consumer mortgage lenders). Commercial lending
(on a stand-alone basis) does not require a licence but specific rules of
conduct apply where lending to SMEs. These rules of conduct include
a duty of rigour, a duty of information and a right of prepayment for the
enterprise. SMEs are individual or legal entities pursuing an economic
purpose in a sustainable manner or liberal professions (eg, lawyers
and notaries) that have no more than one of the following criteria in
Belgium Simmons & Simmons LLP
their last and penultimate closed financial year: 50 employees on an Receivables in respect of consumer loans may only be transferred
annual basis, annual turnover of €9 million and total balance sheet of to a limited number of assignees (including credit institutions, regulated
€4.5 million. lenders, credit insurers and a specific category of collective investment
All investment services contemplated by the second Markets in scheme designed for making investments in receivables, the société
Financial Instruments Directive are regulated and may only be carried d’investissement en créances or vennootschap voor belegging in schuld-
out by duly licensed entities. Investment services include reception vorderingen). The transfer of consumer mortgage loans is also subject
and transmission of orders, execution of orders, proprietary trading, to specific rules.
portfolio management, investment advice, underwriting and placing
of financial instruments and operation of multilateral trading facilities, Collective investment schemes
where they are carried out in respect of financial instruments such 7 Describe the regulatory regime for collective investment
as transferable securities (shares, bonds, puts or calls on shares or schemes and whether fintech companies providing alternative
bonds, etc), money market instruments, units in collective investment finance products or services would fall within its scope.
undertakings (UCITS), derivative contracts and instruments. Dealing in
foreign exchange spot and forward contracts (on one’s own account or In Belgium, collective investment schemes (CISs) and the management
as agent) is also regulated in Belgium. Investment services are carried of CISs are regulated entities and activities respectively. In general, a
out by (Belgian or foreign) investment firms. Belgian investment firms CIS is any entity whose purpose is the collective investment of financial
can be set up either as stockbroking firms (subject to the Act of 25 April means collected from investors through an offer of financial instruments.
2014 on alternative investment firms and their managers) or portfolio The persons participating in the scheme (the investors) must not have
management and investment advice firms (subject to the Act of 25 day-to-day control over the management of the property. Furthermore,
October 2016 on investment firms and services). the contributions of the participants and the profits or income out of
The Act of 3 August 2012 implemented the Undertakings for which payments are to be made to them must be pooled and the prop-
Collective Investments in Transferable Securities Directive and regu- erty managed as a whole.
lates UCITS funds, UCITS management companies and funds investing Whether a fintech company will fall within the scope of this regime
in receivables. The Act of 19 April 2014 has implemented the Alternative will depend on the exact nature of its business. Fintech companies that
Investment Fund Managers Directive (AIFMD) and regulates alternative manage assets on a pooled basis on behalf of investors should give
investment funds and their managers. particular consideration to whether they may be operating a CIS. Fintech
Payment services institutions and e-money institutions are regu- companies that are geared more towards providing advice or payment
lated by the Act of 11 March 2018, which implemented the second services may be less likely to operate a CIS, but should nonetheless
Payment Services Directive (PSD2) in Belgium. Insurance and rein- check this and have regard to their other regulatory obligations.
surance companies are ruled by the Act of 13 March 2016. Insurance
contracts are regulated by the Act of 4 April 2014. Alternative investment funds
Intermediaries in banking and investment services, insurance 8 Are managers of alternative investment funds regulated?
intermediaries and consumer credit intermediaries are also subject to
local supervision. Managers of alternative investment funds are regulated in Belgium under
It is an offence to carry out any of the above regulated financial the AIFMD, which was implemented in Belgium by the Act of 19 April
services in Belgium without being duly licensed by or registered with 2014 relating to alternative investment funds and their managers, imple-
the relevant regulator, subject to applicable EU passporting rules. menting royal decrees and circulars and guidance issued by the FSMA.
Consumer lending Peer-to-peer and marketplace lending

5 Is consumer lending regulated in your jurisdiction? 9 Describe any specific regulation of peer-to-peer or
marketplace lending in your jurisdiction.
Consumer lending is a regulated activity in Belgium under Book VII of
the Belgian Code of Economic Law. ‘Consumer’ means any individual There are currently no (consumer) peer-to-peer lending platforms oper-
acting for purposes that do not fall within his or her trade, business, ating in Belgium. The Belgian regulatory framework does not currently
craft or professional activity. authorise direct lending by consumers to consumers. The main legal
A licensing requirement applies to consumer lenders (including obstacles are, first, that the Belgian prospectus regulations prevent
consumer mortgage lenders) and intermediaries in consumer lending. individuals from raising funds publicly, even with the intervention of
Certain (limited) exemptions are available. In addition, there are ongoing a platform. In practice, this means that an individual cannot solicit the
requirements that have to be complied with by the lenders (eg, provi- public to lend him or her money. Second, consumer lenders must be
sion of information, documents and statements, and form and content of approved by the FSMA and only approved lenders have access to the
the credit agreement itself). Central Individual Credit Register (CICR).
However, alternative ways to structure this type of lending are
Secondary market loan trading possible, for example, by using an indirect lending model whereby a
6 Are there restrictions on trading loans in the secondary legal entity is interposed between the lenders and the borrowers. In such
market in your jurisdiction? an indirect model, there is no direct relationship between the lenders
and the borrowers. The legal entity must be approved by the FSMA as
Provided that the borrowers do not qualify as consumers and the loan (consumer) lender and grants the loans to the borrowers. To finance the
itself is being traded and not a loan instrument, there are in principle no loans, the legal entity issues notes, which typically replicate the repay-
restrictions on trading (receivables in respect of) loans in the secondary ment characteristics of the underlying loans and can be subscribed by
market in Belgium. However, the loan agreement must not prohibit the the lenders (in principle, based on a prospectus approved by the FSMA).
assignment and civil law requirements may have to be complied with Peer-to-peer lending mainly differs from lending-based crowd-
to ensure the enforceability of the transfer of the loan (and, as the case funding by the fact that the borrowers are individuals or consumers
may be, the security rights attached thereto) in relation to third parties. borrowing for private purposes.
18 Fintech 2021
Simmons & Simmons LLP Belgium
Crowdfunding Payment services

10 Describe any specific regulation of crowdfunding in your 12 Are payment services regulated in your jurisdiction?
jurisdiction.
Yes. Payment services are regulated by the Act of 11 March 2018,
Belgium adopted a law on crowdfunding platforms on 18 December which implemented the PSD2 in Belgium. A firm that provides payment
2016, which entered into force on 1 February 2017 and creates a legal services in or from Belgium as a regular occupation or business activity
framework for crowdfunding and alternative types of funding. The (and is not exempt) must apply for registration as a payment institution.
Belgian Crowdfunding Act is applicable to both lending-based and
equity-based crowdfunding platforms. Open banking
The Belgian Crowdfunding Act only regulates financing by the 13 Are there any laws or regulations introduced to promote
crowd of a business or a professional project. It is not applicable to competition that require financial institutions to make
platforms that only offer or provide alternative funding services to the customer or product data available to third parties?
following investors or lenders: legal entities, (MiFID) professional inves-
tors or fewer than 150 persons. Pursuant to the implementation of the PSD2 into Belgian law by the Act
Crowdfunding platforms are defined as any natural or legal persons of 11 March 2018, financial institutions holding ‘payment accounts’ (eg,
that offer or provide alternative funding services in the Belgian territory current accounts, credit card accounts, prepaid card accounts) will be
through a website or any other electronic means, and that are not regu- required to allow, for free, access to their customers’ account informa-
lated companies. The financing is raised by the issuance of ‘investment tion to third-party payment service providers, subject to the consent
instruments’, which can be issued directly by ‘issuers-entrepreneurs’ of the customer. From a technical point of view, third-party payment
(enterprises carrying out business, trade, craft, profession or real estate service providers could get either direct access to the account or
activities), or through start-up funds or funding vehicles. For these indirect access through a dedicated interface, such as an application
purposes, ‘investment instruments’ include: programming interface.
• transferable securities (such as shares and transferable debt
instruments); Robo-advice
• units issued by start-up funds; and 14 Describe any specific regulation of robo-advisers or other
• standardised loans (ie, loans for which the duration, interest companies that provide retail customers with automated
rate and general conditions are not negotiable; only the invested access to investment products in your jurisdiction.
amount can vary).
There is no specific regulation on robo-advice in Belgium. Consequently,
The marketing of investment instruments can be carried out in the whatever the mechanism underling the robo-adviser’s functioning, the
context of a public or private offering and may not involve the provision services it provides will be considered as investment service relating
of any investment service other than, as the case may be, investment to financial instruments within the meaning of the Law of 25 October
advice or reception and transmission of orders. 2016. This investment service will be considered either as investment
Crowdfunding platforms offering these types of alternative funding advice or portfolio management and companies using robo-advice on a
services must be authorised by the FSMA and are subject to rules of professional basis will be subject to regulatory requirements applicable
conduct. Regulated entities (credit institutions and investment firms) do to investment firms providing the above-mentioned services.
not, however, need an additional licence to provide alternative funding
services, but they must notify the FSMA and comply with the same rules Insurance products
of conduct as the platforms. 15 Do fintech companies that sell or market insurance products
If the investment exceeds certain thresholds, a prospectus must be in your jurisdiction need to be regulated?
issued and approved by the FSMA. No prospectus is required where the
project remains below €300,000 (per project) and €5,000 (per investor). Yes. Insurance intermediaries must be licensed by the FSMA before
starting their activities as broker, agent or sub-agent. Intermediaries
Invoice trading who only act as ‘introducers’ (ie, who only provide general information
11 Describe any specific regulation of invoice trading in your without interfering with the practical execution of insurance contracts or
jurisdiction. with the handling of claims) are not subject to licensing requirements.
Insurance intermediaries must prove to the FSMA that they have
Factoring (on a stand-alone basis) is not a regulated activity. In Belgium, sufficient professional knowledge and adequate experience, and they
factoring is based on the transfer of ownership of the accounts receiv- have to comply with ongoing requirements.
able. It is the activity whereby the factor (the buyer of the receivables) Furthermore, Belgian law has introduced MiFID-like conduct of
pays an agreed percentage of approved debts in exchange for the business rules in the insurance sector, which include rules on suitability
transfer of the related receivables by the client (the seller of the assessment and inducements.
receivables).
A distinction is made between ‘non-recourse’ factoring (where Credit references
credit protection is part of the factoring agreement) and ‘with recourse’ 16 Are there any restrictions on providing credit references or
factoring (where the credit risk on the debtors of the receivables credit information services in your jurisdiction?
remains with the seller).
Some factoring contracts (also referred to as ‘invoice discounting’) There are two credit information registers: the CICR and the Central
permit the client to manage the receivables on the factor’s behalf. The Corporate Credit Register (CCCR), which are both operated by the NBB.
contract generally provides that this option can be switched off if the The CICR records information relating to all consumer credits and
client does not comply with its obligations with due and proper care. mortgage loans contracted by natural persons for private purposes as
well as any payment defaults resulting from these loans. The sharing of
credit data is an obligation for regulated financial institutions (including
banks, firms specialising in consumer credit or mortgage loans and SALES AND MARKETING
credit card issuers).
Furthermore, regulated lenders have an obligation to consult Restrictions
the CICR in the process of assessing the borrower’s creditworthiness. 19 What restrictions apply to the sales and marketing of financial
Credit data to be reported in the CICR include the debtor’s or co-debtor's services and products in your jurisdiction?
identification details, the characteristics of the credit contract and the
details of the overdue debt. Financial products (such as investment products, savings products
The CCCR records information on credits granted to legal persons and insurance products)
(enterprises) and natural persons (individuals) in connection with their Marketing materials for financial products are governed by Royal Decree
business activity. Participation in the CCCR is mandatory for some finan- dated 25 April 2014 and Financial Services and Markets Authority (FSMA)
cial institutions, including: guidance, which regulate the advertising of financial products where
• credit institutions established in Belgium and licensed by the distributed to retail clients. ‘Marketing materials’ means any communi-
NBB (also branches incorporated under foreign law established cation designed specifically to promote the acquisition of the product,
in Belgium); irrespective of the medium used or the method of dissemination.
• finance-lease companies established in Belgium and licensed by The general requirements are that:
the FPS Economy; • the information included in the marketing materials shall not be
• factoring companies established in Belgium; and misleading or incorrect;
• insurance companies established in Belgium and licensed for • only information relevant for the Belgian market should be presented;
classes 14 (guarantee insurance) and 15 (credit insurance) • it is recommended to translate the marketing materials into French
by the NBB. or Dutch as there is a general requirement that the marketing mate-
rials must be understandable by a retail investor (also, technical
Participants have to report each month to the CCCR all informa- terms should be avoided or, if it is impossible to avoid using technical
tion on any current contract (granted amounts) and non-repayments. terms, they should be explained in a way that is easily understand-
Participants, debtors as well as other central credit offices abroad may able for a retail client where these terms appear);
consult the data recorded in the CCCR. • the marketing materials should not emphasise the potential benefits
of the product without also giving a fair, balanced and visible indica-
CROSS-BORDER REGULATION tion of the risks, limits or conditions applicable to the product;
• the marketing materials should not disguise, mitigate or conceal
Passporting important items, mentions or warnings;
17 Can regulated activities be passported into your jurisdiction? • the marketing materials should not highlight characteristics that are
not relevant or that are of little relevance for a sound understanding
All financial services benefiting from European passporting rights of the nature and the risks of the product;
may be provided by EEA firms licensed in their home country under • the information conveyed in the marketing materials should be in
one of the EU single market directives (eg, the Banking Consolidation line with the information in the prospectus or any other contractual
Directive, Capital Requirements Directive, Solvency II, Markets in or pre-contractual information; and
Financial Instruments Directive (MiFID II), Insurance Mediation • any advertisement should be clearly recognisable as such.
Directive, Insurance Distribution Directive, Mortgage Credit Directive,
Undertakings for Collective Investments in Transferable Securities Furthermore, detailed guidance is provided by the FSMA for the marketing
Directive, Alternative Investment Fund Managers Directive, Payment materials to comply with the non-misleading information principle.
Services Directive or E-Money Directive) either on a cross-border Detailed content requirements apply. The presentation of performance
basis without a permanent establishment in Belgium or through a figures is also highly regulated.
Belgian branch.
To exercise this right, the firm must first provide notice to its home Consumer credit
regulator. The directive under which the EEA firm is seeking to exercise The Belgian Code of Economic Law contains provisions on advertising,
passporting rights will determine the conditions and processes that the (pre-contractual) information requirements, misleading and aggressive
firm has to follow. commercial practices and unfair contract terms.
Furthermore, under certain conditions and limits, non-EEA firms All advertising setting out the interest rate or the costs of the credit
may be authorised to provide investment services (as defined under must be drafted in a clear, summarised and explicit way, and contain
MiFID II) either on a cross-border basis in Belgium or through a specific legal information that must be illustrated by a representative
Belgian branch. example. Advertising must also include the warning: ‘Be aware, borrowing
money costs money’. Some advertising practices are also prohibited –
Requirement for a local presence for example, encouraging consumers to regroup their existing credits,
18 Can fintech companies obtain a licence to provide financial emphasising the ease and speed by which credit can be obtained and
services in your jurisdiction without establishing a local such like.
presence?
CHANGE OF CONTROL
The Belgian regulator only grants licences to companies established in
Belgium. However, EEA fintech firms may exercise passporting rights Notification and consent
to provide services in Belgium. Under certain conditions and limits, 20 Describe any rules relating to notification or consent
non-EEA firms may also be authorised to provide (MiFID) investment requirements if a regulated business changes control.
services on a cross-border basis in Belgium or through a Belgian branch.
Shareholders intending to hold (directly or indirectly) a qualifying holding
in certain regulated businesses must make a prior notification to, and be
20 Fintech 2021
approved by, the Financial Services and Markets Authority or the National banking network. As long as all the required formalities are fulfilled,
Bank of Belgium, as appropriate. A qualifying holding means any direct however, it should be possible to structure secured loans.
or indirect holding that represents 10 per cent or more of the capital or
voting rights, makes it possible to exercise a significant influence over the Assignment of loans
management of the undertaking, or both. There are additional thresholds 24 What steps are required to perfect an assignment of
at 20, 30 and 50 per cent and companies may decide to insert specific loans originated on a peer-to-peer or marketplace lending
thresholds in their articles of association. In addition, shareholders platform? What are the implications for the purchaser if the
ceasing to hold a qualifying holding, or reducing their holding below 10, assignment is not perfected? Is it possible to assign these
20, 30 or 50 per cent, must also make a prior notification to the relevant loans without informing the borrower?
Belgian regulator.
Finally, shareholders who have acquired a direct or indirect holding The formalities for assignment will depend on how the lending is struc-
of 5 per cent or more (or have reduced their holding to below 5 per cent) tured (via a loan agreement or a debt instrument and through a direct
of capital or voting rights must make a notification to the relevant Belgian or an indirect model).
regulator within 10 business days of the acquisition. As a general rule, and in the absence of any contractual provisions
prohibiting the transfer, the transfer of a loan agreement by the lender
FINANCIAL CRIME requires the express prior consent of the borrower (as an agreement
involves both rights and obligations for both parties). Such consent may
Anti-bribery and anti-money laundering procedures be granted in the loan agreement itself. Alternatively, the lender can
21 Are fintech companies required by law or regulation to have transfer only its rights (ie, its receivable in relation to the borrower)
procedures to combat bribery or money laundering? without the express consent of the borrower. Indeed, according to
article 1690 of the Belgian Civil Code, the transfer of a receivable or
There is no legal or regulatory requirement for fintech companies to have right is valid between parties (transferor and transferee) and enforce-
anti-bribery or anti-money laundering procedures unless the company able in relation to all third parties other than the assigned debtor (ie, the
is a licensed financial institution (eg, a payment services institution) or borrower) by the mere conclusion of the transfer agreement. However,
carries out business that is subject to the Belgian anti-money laundering the transfer will only become enforceable in relation to the borrower
regulations. Specific customer due diligence and know-your-customer once the transfer is notified to it or once the borrower has acknowl-
obligations apply to e-money products. Fintech companies, regardless of edged the transfer. In practice, if (and as long as) the assignment is
whether they are authorised, ought to have appropriate financial crime not perfected, this means that repayment is validly made to the initial
policies and procedures in place as a matter of good governance and lender. The latter can act as servicer for the receivables, which, in prac-
proportionate risk management. tice, avoids having to notify the borrowers upfront.
The transfer of consumer loans is subject to specific rules. If secu-
Guidance rity rights are attached to the loans, additional formalities may also
22 Is there regulatory or industry anti-financial crime guidance be required.
for fintech companies? The formalities to transfer a debt instrument depend on the type of
instrument (bearer, registered or dematerialised) and whether the latter
There is no anti-financial crime guidance specifically for fintech firms. is freely negotiable or not.
The general rules and standards set out for regulated financial institu- If the applicable transfer formalities are not fulfilled, the transfer
tions apply, particularly the circulars issued by the Belgian regulators could be held to be unenforceable towards the borrower and possibly
(the National Bank of Belgium and the Financial Services and Markets third parties.
Authority). These documents are helpful for non-authorised fintech firms
and may inform their own internal financial crime policies and procedures. Securitisation risk retention requirements
25 Are securitisation transactions subject to risk retention
PEER-TO-PEER AND MARKETPLACE LENDING requirements?
Execution and enforceability of loan agreements Yes, the EU risk retention rules apply to securitisations of loans
23 What are the requirements for executing loan agreements or originated on a peer-to-peer or marketplace lending platform (P2P secu-
security agreements? Is there a risk that loan agreements ritisations). The risk retention requirements set out in the sectoral EU
or security agreements entered into on a peer-to-peer or legislation will apply to P2P securitisations that are offered to European
marketplace lending platform will not be enforceable? banks, investment firms, alternative investment funds or insurers.
Under the current sectoral EU risk retention rules, certain investors
As a general rule, there are no documentary or execution requirements (such as credit institutions, Markets in Financial Instruments Directive-
applicable to loan and security agreements (other than security over real regulated firms and firms regulated under the Alternative Investment
estate), which can be signed by private contract and in counterparts (with Fund Managers Directive) will be subject to higher regulatory capital
as many originals as there are parties to the agreement). The nature charges where they invest in securitisation positions that do not comply
of the collateral will determine the type of security that can be granted with the risk retention rules.
and the formalities required to make it enforceable in relation to third Those rules require that either the sponsor, originator or original
parties. The revision of the legal regime applicable to security interests in lender in respect of the securitisation explicitly discloses to the investor
movable assets (which came into force in early 2018), whereby it became that it will retain, on an ongoing basis, a material net economic interest
possible to perfect such security by way of filing in a central register. in the securitisation (which in any event is not less than 5 per cent)
Consumer loans, however, are subject to specific formal and content using one of five prescribed retention methods. Those methods include,
legal requirements. among other things, retention of:
In the current Belgian market, peer-to-peer loans generally do • the most subordinated tranches, so that the retention equals no less
not involve security agreements as they operate outside the traditional than 5 per cent of the nominal value of the securitised exposures;
• 5 per cent of the nominal value of each of the tranches sold to documents that would prevent it from disclosing information about the
investors; or loans and the relevant borrowers to the SPV and the other securitisation
• randomly selected exposures equivalent to no less than 5 per cent parties. If there are such restrictions in the underlying loan documenta-
of the nominal value of the securitised exposures. tion, the assignor will require the consent of the relevant borrower to
disclose to the SPV and other securitisation parties the information they
The definitions of ‘sponsor’ and ‘originator’ as used in the sectoral EU require before agreeing to the asset sale.
legislation are set out in Regulation (EU) 2017/2402. The term ‘original In addition, the SPV will want to ensure that there are no restric-
lender’ is undefined. tions in the loan documents that would prevent it from complying with
Since 1 January 2019, there has been a direct requirement on the its disclosure obligations under Belgian and EU law (such as those
sponsor, originator and original lender to agree on an entity that will act set out in the Credit Rating Agency Regulation). Again, if such restric-
as retention holder and to ensure compliance with the retention require- tions are included in the underlying loan documents, the SPV would be
ment. In the absence of agreement among the originator, sponsor and required to obtain the relevant borrower’s consent to such disclosure.
original lender as to who will be the retention holder, the originator will Furthermore, if the borrowers are individuals, the SPV, its agents
be the retention holder. Definitions of ‘sponsor’, ‘originator’ and ‘original and the peer-to-peer platform will each be required to comply with the
lender’ are set out in the EU Securitisation Regulation. statutory data protection requirements under Belgian law.
The EU Securitisation Regulation does not explicitly set out the juris-
dictional scope of the ‘direct’ retention obligation, but there is a helpful ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
note in the Explanatory Memorandum to the European Commission’s TECHNOLOGY AND CRYPTO-ASSETS
original proposal for the EU Securitisation Regulation that the intention
is that the ‘direct’ approach would not apply to securitisations (including Artificial intelligence
P2P securitisations) where none of the originator, sponsor or original 27 Are there rules or regulations governing the use of artificial
lender is ‘established in the EU’. ‘Establishment’ is typically described by intelligence, including in relation to robo-advice?
reference to the jurisdiction in which the legal entity is incorporated or
has its registered office. Therefore, the non-EU subsidiary of an EU entity Currently, there is no specific regulation on robo-advice or artificial
may not be subject to the ‘direct’ retention obligation because a subsid- intelligence in Belgium.
iary is typically a separate legal entity, whereas a non-EU branch of an EU
entity may be caught within this provision because a branch is typically Distributed ledger technology
not a separate legal entity. Market participants are still seeking clarity on 28 Are there rules or regulations governing the use of
this and it is expected that this point will be raised as part of the ongoing distributed ledger technology or blockchains?
European Banking Authority (EBA) consultation on risk retention.
Distributed ledger technology is in a developmental phase and, as a
Possible retaining entities in respect of P2P securitisations consequence, it is not yet subject to specific legal or regulatory rules
Typically, a peer-to-peer lending platform will not qualify as the ‘sponsor’, or guidelines. Several legal and regulatory issues need to be carefully
‘originator’ or ‘original lender’ of a P2P securitisation, and another entity considered relating to the clearing, settling and recording of payments,
with the capacity to retain will, therefore, need to be identified. The range securities, derivatives or other financial transactions. The impact of
of entities with capacity to retain is broader under the EU Securitisation various rules and regulations must be analysed and may be relevant
Regulation than under the current EU sectoral legislation and, therefore, in respect of digital transformation initiatives, such as the Central
the ability of an entity to retain will depend on the rules that apply at the Securities Depositories Regulation, the Settlement Finality Directive,
time the securitised notes are issued. the European Market Infrastructure Regulation, Markets in Financial
Any entity that retains in the capacity of ‘originator’ is expected to Instruments Directive and so on. Outsourcing arrangements also need
be an entity of substance, and the EU Securitisation Regulation expressly to be carefully reviewed where regulated firms outsource technological
provides that an entity shall not be considered to be an originator where innovations to third parties.
it has been established or operates for the sole purpose of securitising Data protection requirements and customer data protection also
exposures. The EU Securitisation Regulation does not specify in what need detailed analysis because of the transparency of transactions,
circumstances an entity will be considered to have been established for which is inherent to the blockchain technology, and the fact that once
the sole purpose of securitising exposures but, in December 2017, the data is stored it cannot be altered (this could be an issue for the compli-
EBA published a consultation paper that proposed that an originator will ance with the right for rectification or the right to be forgotten).
not be considered to have been established with the ‘sole purpose’ of Given that the nodes on a blockchain can be located anywhere in
securitising exposures if it satisfies certain conditions, including that: the world, the determination of the data controller, applicable law and
• it has a broader business enterprise and strategy; competent courts in the case of litigation and the drafting of appropriate
• it has sufficient decision makers with the required experience; and contractual provisions in that respect are also essential.
• its ability to make payment obligations depends neither on the A particular point of attention relates to the status of the decen-
exposures to be securitised nor on any exposures retained for the tralised autonomous organisations that are used to execute smart
purposes of the risk retention regulations. contracts, recording activity on the blockchain.
Securitisation confidentiality and data protection requirements Crypto-assets

26 Is a special purpose company used to purchase and securitise 29 Are there rules or regulations governing the use of crypto-
peer-to-peer or marketplace loans subject to a duty of assets, including digital currencies, digital wallets and
confidentiality or data protection laws regarding information e-money?
Although they are all stored electronically, a distinction must be made
The entity assigning loans to the special purpose vehicle (SPV) must between e-money and other digital currencies, crypto-assets and digital
ensure that there are no confidentiality requirements in the loan wallets (digital instruments). According to the second E-Money Directive
22 Fintech 2021
(2009/110/EC) as implemented in Belgian law, e-money means ‘mone- to the Protection of Individuals regarding the Processing of Personal
tary value as represented by a claim on the issuer that is stored Data and came into force on 5 September 2018. The GDPR, however,
electronically, issued on receipt of funds of an amount not less in value remains the principal legislation governing the processing of personal
than the monetary value issued, and accepted as a means of payment data as only few provisions of the Belgian law concern private compa-
by undertakings other than the issuer’. Digital Instruments do not fall nies. The GDPR provides how data controllers (the natural person
under this definition as they do not represent a claim on the issuer, or legal person, which, alone or jointly with others, determines the
which is not obliged to exchange them back to real money. Furthermore, purposes and means of the processing of personal data) may process
they are purely digital and not necessarily linked to the real funds upon the personal data of living individuals (data subjects). The GDPR
which they were issued. requires that businesses may only process personal data where that
Consequently, digital instruments are currently not regulated processing is done in a lawful, fair and transparent manner. The Belgian
under Belgian law. No licence is required to issue digital instruments law provides some specific provisions on the consent, the processing of
and they are not subject to regulatory supervision. Digital instruments health-related and judicial data, the processing for statistical purposes
do not benefit from legal protection. The Financial Services and Markets or scientific research, exceptions to data subjects’ rights, etc.
Authority (FSMA) has issued several warnings advising the Belgian The GDPR requires that any processing of personal data must
public against the risks of these currencies (eg, the risk of consider- be done pursuant to one of six lawful bases for processing. The most
able currency fluctuations and the risk of losing the virtual money if the commonly used lawful basis for processing is to obtain the consent of
trading platform is hacked). the data subject to that processing – in relying on this lawful basis, the
business must ensure that consent is freely given, specific, informed and
Digital currency exchanges unambiguous, and capable of being withdrawn as easily as it is given.
30 Are there rules or regulations governing the operation of Other lawful bases for processing data include where that processing
digital currency exchanges or brokerages? is necessary for the business to perform a contract it has with the data
subject, or where required to comply with a legal obligation.
A distinction must be made between e-money and virtual curren- The GDPR also provides a set of rights for the data subjects,
cies. E-money is currently regulated by the second E-Money Directive including the right to information, the right to access to their personal
(2009/110/EC), which refers to, among others, the Anti-Money data, to correct their personal data should it be inaccurate, the right
Laundering Directive (now 2015/849 EU) setting out various rules to oppose (upon request and free of charge) the processing of their
regarding the operation of exchanges or brokerage offices in the EU. personal data for marketing purposes, the right to withdraw one’s
Additionally, the Law of 11 March 2018 on the Status and Supervision consent and the right to data portability.
of Payment Institutions and Electronic Payment Institutions amends The GDPR also differs from the previous regime in that it places a
the Investment Law, which sets out similar rules for the operation of significantly increased compliance burden on businesses, including, for
e-money currency exchanges and brokerage as those applicable to non- example, mandatory requirements to notify regulators of data breaches,
digital currencies. obligations to keep detailed records on processing and requirements for
Virtual currencies, however, are not subject to regulatory supervi- most entities to appoint a data protection officer.
sion and there are no rules or guidelines relating to the operation of The Belgian Data Protection Authority is the body that controls
exchanges or brokerage offices in Belgium for these digital currencies. compliance with the GDPR and applicable Belgian law by businesses.
Various warnings in respect of digital currency exchanges have been Data subjects now have the right to lodge a complaint with the Belgian
issued by the FSMA. Data Protection Authority. Significant administrative sanctions (up to the
greater of €20 million and 4 per cent of the worldwide turnover) can be
Initial coin offerings imposed following a breach of the GDPR.
31 Are there rules or regulations governing initial coin offerings Recital 26 of the GDPR states that where data has been processed
(ICOs) or token generation events? such that it is truly anonymised, the principles within the GDPR do not
apply to the processing of that data. Businesses will have to determine
The FSMA issued a communication on ICOs in Belgium on 13 November what steps must be taken to ensure that personal data is indeed truly
2017, building on a communication by the European Securities and anonymised.
Markets Authority on the same subject and on the same date. While The Article 29 Working Party (an EU body comprising repre-
no specific regulatory rules are in place for ICOs, depending on its sentatives from data protection regulators across the member states)
structuring it might fall within the scope of more generic Belgian laws released Opinion 05/2014 on Anonymisation Techniques (in the context
such as the law implementing the Prospectus Directive and the law on of the previous EU data protection regime). This Opinion discusses the
crowdfunding platforms. main anonymisation techniques used – randomisation and generalisa-
tion (including aggregation). The Opinion states that when assessing the
DATA PROTECTION AND CYBERSECURITY robustness of an anonymisation technique, it is necessary to consider:
• if it is still possible to single out an individual;
Data protection • if it is still possible to link records relating to an individual; and
32 What rules and regulations govern the processing and • if information can be inferred concerning an individual.
transfer (domestic and cross-border) of data relating to
fintech products and services? In relation to aggregation, the Opinion further states that aggregation
techniques should aim to prevent a data subject from being singled out
There are no regulations specifically governing the processing and by grouping them with other data subjects. While aggregation will avoid
transfer of personal data relating to fintech products and services. the risk of singling out, it is necessary to be aware that links and infer-
However, the processing and transfer of personal data relating to ences may still be possible with certain aggregation techniques.
fintech products and services shall be governed by the General Data The position on anonymisation taken from the Article 29 Working
Protection Regulation (GDPR), which took effect on 25 May 2018. The Party’s Opinion is broadly unchanged in the GDPR. The GDPR itself
GDPR was implemented in Belgium by the Law of 30 July 2018 relating also gives limited guidance on anonymisation in Recital 26, requiring
data controllers to consider a number of factors in deciding if personal OUTSOURCING AND CLOUD COMPUTING
data has been truly anonymised, including the costs and time required
to de-anonymise, the technology available at the time to attempt Outsourcing
de-anonymisation, and further developments in technology. 34 Are there legal requirements or regulatory guidance with
respect to the outsourcing by a financial services company of
Cybersecurity a material aspect of its business?
33 What cybersecurity regulations or standards apply to fintech
businesses? When a Markets in Financial Instruments Directive firm outsources
operational tasks of critical importance to the continuous and satis-
Belgium has implemented Directive (EU) 2016/1148 (the NIS Directive) factory provision of investment services and activities, it has to take
by way of the Belgian Law of 7 April 2019 (entered into force on 3 May appropriate measures to limit the associated operational risk. In
2019) establishing a framework for the security of network and informa- particular, the outsourcing must not substantially affect the effective-
tion systems of general interest for public security. The Law applies to ness of the internal control procedures of the company or the ability
sectors of banking and financial market infrastructure and establishes, of the regulator to check whether the company is fulfilling its legal
among others, security and notification requirements for operators obligations.
of essential services and for digital service providers. Many practical The Financial Services and Markets Authority has issued a circular
aspects provided for in the Law of 7 April 2019 are further elaborated on on sound management practices for outsourcing by credit institutions
in a Belgian Royal Decree dated 12 July 2019. and investment firms, and, recently, the National Bank of Belgium issued
The Payment Services Directive (EU) 2015/2366 entered into a recommendation on outsourcing by credit institutions and investment
force on 12 January 2016, setting out, among others, rules concerning firms to providers of cloud computing that implements the recommen-
strict security requirements for electronic payments and the protec- dations of the European Banking Authority on this subject.
tion of consumers’ financial data, guaranteeing safe authentication and
reducing the risk of fraud. Belgium implemented the provisions of the Cloud computing
Payment Services Directive by way of the Belgian Law of 11 March 2018. 35 Are there legal requirements or regulatory guidance with
Regarding cybersecurity, the Law of 11 March 2018 stipulates a security respect to the use of cloud computing in the financial services
policy containing a number of obligations for payment service providers. industry?
Furthermore, Regulation (EU) 526/2013 is of importance in the
fintech sector, as it establishes the European Union Agency for Network There are no specific legal requirements with respect to the use of cloud
and Information Security (ENISA). ENISA provides recommendations on computing in the financial services industry. However, the outsourcing
cybersecurity, supports policy development and its implementation, and of cloud computing by regulated entities is subject to regulatory super-
collaborates with operational teams throughout Europe for the purpose vision from both a data protection and an IT security perspective.
of contributing to a high level of network and information security
within the EU. INTELLECTUAL PROPERTY RIGHTS
Moreover, on 13 September 2017, the European Commission
published the Proposal for a Regulation of the European Parliament and IP protection for software
of the Council on ENISA, the ‘EU Cybersecurity Agency’, and repealing 36 Which intellectual property rights are available to protect
Regulation (EU) 526/2013, and on ICT cybersecurity certification. The software, and how do you obtain those rights?
Proposal reinforces ENISA’s role in the areas where the agency is
already competent, and introduces new areas where support is needed, Under Belgian law, computer programs (or software) are protected by
in particular the NIS Directive, the review of the EU Cybersecurity copyright (article XI.294-XI.304 of the Belgian Code of Economic Law) and
Strategy, the upcoming EU Cybersecurity Blueprint for cyber crisis assimilated as literary works in the meaning of the Berne Convention.
cooperation and ICT security certification. Copyright protection also covers the source code, object code, architec-
Additionally, on 17 May 2017, the European Parliament adopted ture of the software and preparatory design materials (provided that
Resolution 2016/2243 on fintech: the influence of technology on the they can lead to a computer program). Ideas and principles that underlie
future of the financial sector. This resolution further underlines that any element of a program, including those that underlie its interfaces,
regulation on the provision of financial services infrastructure needs are, however, excluded from the copyright protection.
to provide for appropriate incentive structures for providers to invest The author of the software owns the rights as soon as it is created,
adequately in cybersecurity and emphasises the need for end-to-end provided that the software is original. No registration is required to
security across the whole financial services value chain. This resolution benefit from the protection. For evidentiary purposes, it is, however,
is non-binding and has a purely advisory function. useful to include the name of the author and the creation date in the
Finally, in March 2018 the European Commission adopted an action code of the software and to file it with a public notary or the Benelux
plan on fintech, setting out a number of steps that the Commission Office for Intellectual Property.
intends to take, one of which is to increase cybersecurity and the integ- If the software code has been kept confidential it may also be
rity of the financial system. The action plan mentions the fact that the protected as confidential information. No registration is required, but
European Parliament has called on the Commission ‘to make cyberse- confidentiality agreements are recommended if third parties have
curity the number one priority in the fintech action plan’. It states that access to it.
the transposition by member states of the NIS Directive is ongoing but Computer programs and business methods are explicitly excluded
that gaps may remain in EU financial sector legislation that should be from patent protection. The exclusion from patentability is, however,
filled to improve the sector’s resilience. Therefore, we can expect this limited to the software as such and it is possible to grant a patent to an
field to evolve in the near future. invention implemented by or including a piece of software.
In Belgium, databases underlying software programs may also be
protected by copyright (article XI.186-XI.188 Belgian Code of Economic
Law) and, in certain circumstances, by sui generis database right (Book
24 Fintech 2021
XI, Title 7 Belgian Code of Economic Law). The database right is a stan- discloses confidential information and to enter into proper confidenti-
dalone right that protects databases that have involved a substantial ality agreements with those persons. These confidentiality agreements
investment in obtaining, verifying or presenting their contents (article should include provisions such as the definition of confidential informa-
XI.306 Belgian Code of Economic Law). Both database copyright and tion, the duration of the confidentiality obligations (knowing that under
database rights arise automatically without any need for registration. general Belgian civil law, it is always possible to terminate an obliga-
Database rights do not apply to computer programs as such, including tion for an indefinite term against ‘reasonable’ notice, meaning that a
those used in the manufacture or operation of databases. fixed term should be provided in the confidentiality agreement) and the
limited use of trade secrets and confidential information regarding the
IP developed by employees and contractors purpose of a specific project.
37 Who owns new intellectual property developed by an Legal proceedings are, in principle, public, so it would be possible
employee during the course of employment? Do the same to hear trade secrets and confidential information during hearings or
rules apply to new intellectual property developed by pleadings. In addition, the Belgian Judicial Code does not restrict access
contractors or consultants? to documents including trade secrets – it provides for principles of
collaboration as regards production of evidence in court proceedings
Unless otherwise provided in writing, where a computer program is and the requirement for any party to submit all documents to the other
created by an employee in the execution of his or her duties or following party, without specifications or exceptions concerning trade secrets.
the instructions given by his or her employer, the employer will be In practice, however, it appears that, depending on the interest that
exclusively entitled to exercise all economic rights in the program so is considered most relevant, Belgian (commercial) courts may choose
created. This means that the IP rights subsisting in a computer program to limit the production of evidence to certain elements or even block
are automatically transferred to the employer when an employee has access to or disclosure of trade secrets (eg, if there is no sufficient
developed the software in the framework of his or her employment evidence of a breach).
contract. This automatic transfer only applies to the economic rights, not
the moral rights of the author. The rule is different for other forms of IP Branding
rights, meaning that (except for above-mentioned computer programs), 40 What intellectual property rights are available to protect
IP that is created by an employee in execution of his or her employment branding and how do you obtain those rights? How can
contract in principle belongs to the employee himself or herself, unless fintech businesses ensure they do not infringe existing
a clause explicitly stipulates that it belongs to the employer. brands?
Where IP is developed by a contractor or a consultant, the rights
are owned by the author of the software (ie, the contractor or the Brands can be protected by a Benelux trademark (covering the Benelux
consultant). The fintech company will only own the economic rights territory) or by an EU trademark (covering the EU territory). Registration
if they have been explicitly transferred in writing (even if the fintech is required to obtain a trademark right (with the Benelux Office for
company has commissioned the software). The same goes for other IP Intellectual Property for Benelux trademarks or with the European
developed by a contractor or consultant. Therefore, contracts must be Union Intellectual Property Office (EUIPO) for EU trademarks).
carefully drafted. Brands can also be protected by market practices if they have
acquired sufficient goodwill in the market and another undertaking tries
Joint ownership to take advantage of the reputation or market position of the brand.
38 Are there any restrictions on a joint owner of intellectual Brands in the form of logos or slogans can also be protected by
property’s right to use, license, charge or assign its right in copyright as artistic works (provided they are original) or by Benelux
intellectual property? or EU design and models rights (provided that they are new and have
specific character).
There are no legal restrictions to the exercise of IP rights by a joint The Benelux Office for Intellectual Property and EUIPO have public
owner. However, in general, an agreement is required between the joint databases that can be consulted to check the availability of a design
owners regarding their respective IP rights, in the absence of which the or trademark. It is highly advisable for new businesses to conduct
IP rights must be exercised jointly. There are certain exceptions to this, trademark and design searches to check whether earlier registrations
depending on the type of IP. exist that are identical or similar to their proposed brand names. It may
also be advisable to conduct searches for any unregistered trademark
Trade secrets rights that have gained sufficient distinctiveness on the market that may
39 How are trade secrets protected? Are trade secrets kept prevent use of the proposed mark. Specialised companies offer services
confidential during court proceedings? to carry out these searches.
Belgium mainly implemented the Trade Secrets Directive (EU) 2016/943 Remedies for infringement of IP
in Book XI of the Code of Economic Law. The Directive requires member 41 What remedies are available to individuals or companies
states to provide protection for information that: whose intellectual property rights have been infringed?
• is secret, in the sense that it is not generally known among, or
readily accessible to, persons within the circles that normally deal The following remedies and proceedings may be available:
with the kind of information in question; • (unilateral) primary injunction;
• has commercial value because it is secret; and • cease-and-desist action;
• has been subject to reasonable steps by the holder of the informa- • damages; and
tion to keep it secret. • application with custom authorities for border detention.
If a competitor legally obtains the trade secrets or confidential infor-

mation of a company, it is, in principle, free to use it. Therefore, it is
highly recommended to be prudent regarding the persons to whom one
COMPETITION start-up is a micro-enterprise). The investment (shares) must be

retained for at least four years to benefit from the tax shelter. Since
Sector-specific issues assessment year 2019, the tax shelter system has been extended to
42 Are there any specific competition issues that exist with new equity investments in growth companies, via capital increases
respect to fintech companies in your jurisdiction? in cash in the fifth to 10th year after their incorporation. The tax
reduction amounts to 25 per cent of the investment;
Competition law (ie, Book IV of the Belgian Code of Economic Law and • the provision of loans by physical persons via approved crowd-
the EU competition rules in the case of an effect on trade between EU funding platforms is encouraged fiscally by a (withholding) tax
member states) applies to all undertakings carrying out business in exemption on the interest of the loans up to the first bracket of
Belgium, irrespective of their sector. Hence, the competition law rules €15,860 (assessment year 2021) and this for the first four years of
(such as the prohibition of anticompetitive agreements, the prohibi- the loan. This (withholding) tax exemption is subject to the loans
tion of abuse of dominance, merger control and, in Belgium as of 1 having a minimum maturity of four years and is only applicable if
December 2020 at the latest, abuse of economic dependence) apply to the loans have been provided to start-up companies not older than
fintech companies. four years;
While fintech is generally considered to be beneficial for consumers • start-up companies can benefit from reduced labour costs, via
(because of cost reduction, improvements in efficiency, greater trans- a retention of 10 per cent or 20 per cent (if employer is micro-
parency and increased financial inclusion), it could raise competition law enterprise) of the payroll tax withheld by the employer on the
issues. Competition authorities in all jurisdictions, including Belgium, employee salaries;
face a range of potentially complex competition law issues in relation to • the new innovation tax deduction of 85 per cent of the net income
fintech offerings. These are likely to include: realised by companies also applies to income and gains from copy-
• the extent to which a fintech solution has or obtains (through right protected software, including adaptations of existing software
growth, acquisition or joint venture) market power (eg, because of and derivative works;
big data or network effects) and the consequences of this; • an increased deduction for investment in certain digital assets and
• the risks that the definition of any technical standards involved in environmental friendly R&D investments and patents of 13.5 per
any jointly developed fintech solution result in other third parties cent of the acquisition value; and
being excluded; • private individuals trading in bitcoins are not necessarily taxed on
• whether banks are limiting access of fintech companies to bank the gains as professional income, but insofar the trade is specula-
accounts and thereby hindering competition in the payment market. tive in nature (short holding period, high risk, etc), the gains may be
The European Commission, in this context, conducted dawn raids taxed as miscellaneous income at 33 per cent, with an exemption
in 2017 at the premises of banking associations in, among others, from social security contributions.
the Netherlands and Poland (the investigation is on-going as at the
time of writing); Increased tax burden
• the extent to which there can be any exclusivity between the finance 44 Are there any new or proposed tax laws or guidance that
and technology providers of a fintech offering; and could significantly increase tax or administrative costs for
• the limits of any specified tying or bundling. The European fintech companies in your jurisdiction?
Commission, in this context, started to investigate Apple in 2019
because the company would direct users of iPhones towards As far as we know, Belgium is not intending to launch a separate digital
Apple Pay over other payment methods such as those of Google or tax that could affect fintech companies, but closely monitors the OECD
Samsung (the investigation is on-going as at the time of writing). work on the digitalised economy. In particular, the current focus is on
the OECD/G20 Inclusive Framework (Pillar One on revised nexus and
On 9 July 2018, the Economic Affairs Committee of the European profit allocation rules and Pillar Two on development of a global anti-
Parliament published a study regarding competition issues in fintech. base erosion proposal and minimum tax proposal) to address the tax
The study concludes that the procompetitive effects of fintech needs challenges arising from the digitalisation of the economy and what the
to be weighed against the anticompetitive effects and that, currently, impact (if any, taking into account the proposed exclusion of at least
it would be better to research, monitor and regulate than to enforce regulated financial services from Pillar One) may be of these proposals
through the usual competition tools (ie, investigate and sanction). on, inter alia, the Belgian fintech sector.
TAX IMMIGRATION
Incentives Sector-specific schemes

43 Are there any tax incentives available for fintech companies 45 What immigration schemes are available for fintech
and investors to encourage innovation and investment in the businesses to recruit skilled staff from abroad? Are there
fintech sector in your jurisdiction? any special regimes specific to the technology or financial
sectors?
In support of the ‘Digital Belgium’ action plan, the Belgian federal
government has introduced a number of tax incentives that are avail- To work in Belgium for a longer period than 90 days, foreign workers
able to fintech companies and investors subject to certain conditions must have a valid work permit. This condition does not apply to nationals
being met. These incentives include, among others: of a member state of the EEA (the countries of the EU and Iceland,
• the Belgian tax shelter regime for start-ups, which provides for a Norway and Liechtenstein) and Switzerland and to some categories of
tax reduction for physical persons who invest in start-ups, has been workers who are exempted.
extended to direct and indirect equity investments via approved Belgian employers must apply for a single permit if they want to
crowdfunding platforms. The tax reduction amounts to up to 30 employ a foreign worker.
per cent or 45 per cent of the invested amount (45 per cent if the There are no special regimes specific to the fintech sector.
26 Fintech 2021
UPDATE AND TRENDS
Current developments
46 Are there any other current developments or emerging
trends to note?
Not to our knowledge.
Coronavirus Vincent Verkooijen

vincent.verkooijen@simmons-simmons.com
initiatives specific to your practice area has your state Jérémie Doornaert
implemented to address the pandemic? Have any existing jeremie.doornaert@simmons-simmons.com
government programmes, laws or regulations been amended Martin Carlier
to address these concerns? What best practices are advisable martin.carlier@simmons-simmons.com
for clients?
Dimitri Van Uytvanck
dimitri.vanuytvanck@simmons-simmons.com
Despite the various measures enacted by Belgium to mitigate the
effects of the covid-19 pandemic, companies in Belgium generally Marc de Munter
remain subject to Belgian regulations and bound by the contractual m.demunter@bakertilly.be
arrangements they entered into. In this respect, clients are advised to
operate with the same approach as they did before the crisis and to Avenue Louise 143
liaise with competent authorities or external counsel in circumstances 1050 Brussels
where specific issues arise. Belgium
Tel: +32 2 542 09 60
Finance Fax: +32 2 542 09 61
Federal measures www.simmons-simmons.com
These include:
• a €50 billion state guarantee scheme for all new credit and credit
lines of up to a 12-month duration that credit institutions grant
to non-financial companies and viable self-employed persons for Employment
their activities in Belgium; A simplified procedure for temporary unemployment was approved by
• Belgian companies, organisations and self-employed persons the government on 20 March 2020. All temporary unemployment owing
financially affected by covid-19 can apply to their credit institutions to covid-19 is considered as temporary unemployment owing to force
for a deferral of payment of their corporate credits for a maximum majeure. In the case of force majeure it is not required that the company
of six months; cease activities completely. In practice, this means that some employees
• a temporary moratorium on bankruptcies has been introduced, may be temporary unemployed and others may not. This simplified
according to which, between 24 April 2020 and 17 June 2020 procedure is applicable until 30 June 2020. There is a possibility that
(included), any company in financial difficulty because of covid-19 this will be prolonged.
will be protected against any executory or conservatory meas-
ures and any declaration of bankruptcy, judicial dissolution or Competition
forced transfer; In relation to competition law, the Belgian Competition Authority – in a
• a payment scheme for debts owed to the administration to provide joint statement with other European competition authorities – stated
financial leeway to enable companies to overcome their temporary it would continue to apply antitrust rules, but would not actively inter-
financial difficulties, which includes: vene against necessary and temporary measures put in place to avoid
• a payment plan; a shortage of supply.
• exemption from interest on arrears; and On 8 April 2020, the European Commission issued a Temporary
• remission of fines for non-payment; Framework relating to business cooperation in response to situations
• bridging rights for the self-employed; and of urgency stemming from the covid-19 outbreak (see Simmons &
• flexibility in the execution of federal government contracts. Simmons’ article on the Temporary Framework published on 8 April
2020 for more information). The relevance of this Temporary Framework
Regional measures for the fintech sector appears to be limited.
These include:
• premiums granted to companies on which full closure is imposed Data privacy
owing to covid-19 measures; and Belgium has not adopted any specific measures to derogate or
• funds made available by several regional institutions, and, more specifically govern the processing of personal data in the context of
specifically, Participatiemaatschappij Vlaanderen developed three- a pandemic. The Belgian Data Protection Authority has made it clear
year subordinated loans under which a medium-term financial that the principles and obligations under the General Data Protection
buffer with subordinated loans of up to €800,000 over three years Regulation (GDPR) and Belgian implementing legislation would be
is available for start-ups, scale-ups, small and medium-sized enter- softened in the context of a pandemic. General principles and obliga-
prises and the self-employed. tions under the GDPR and Belgian implementing legislation should,
therefore, fully apply.
Brazil
Nei Zelmanovits, Thais De Gobbi, Pedro Nasi, Vicente Braga, Érica Yamashita, Diego Gualda,
Vinicius Costa and Alina Miyake
Machado Meyer Advogados
FINTECH LANDSCAPE AND INITIATIVES In the case of the BCB, all the actions described above are part of
a broader agenda, in place since 2018 and currently known as ‘Agenda
General innovation climate BC#’, which seeks to foster financial inclusion, competition, transparency
1 What is the general state of fintech innovation in your and education, and identifies the fintech sector as a strategic partner.
jurisdiction?
As a developing country with a young population, a culture of plurality,
a strong appetite for social media, a high percentage of unbanked popu- Regulatory bodies
lation and tens of millions of entrepreneurs, Brazil has a lively and 3 Which bodies regulate the provision of fintech products and
booming fintech scene. According to recent data, there are more than services?
700 fintech entities in Brazil (an increase of more than 30 per cent since
last year), employing around 40,000 people. Fintech products and services involving payment (the issuance of pre-
Although, historically speaking, Brazilian regulators were very paid cards and credit cards, acquiring services, etc) and lending are
cautious and not particularly sympathetic towards innovation, this subject to the rules issued by the National Monetary Council (CMN) and
has been gradually changing over the past few years, especially the Central Bank of Brazil (BCB), whereas those regarding securities,
as policymakers see the fintech sector as an opportunity to foster such as crowdfunding, are subject to the regulatory framework issued
some long-desired competition and financial inclusion in the finan- by the Securities and Exchange Commission (CVM).
cial industry.
Led by a few already well-established companies, the sector enjoys Regulated activities
massive adherence and political support from the general public and is 4 Which activities trigger a licensing requirement in your
expected to grow further in the upcoming years. jurisdiction?
Government and regulatory support The legal framework for financial institutions in Brazil is set by Law No.
2 Do government bodies or regulators provide any support 4,595 of 31 December 1964, while Law No. 6,385 of 7 December 1976
specific to financial innovation? If so, what are the key regulates securities offerings and trading. Several activities trigger a
benefits of such support? licensing requirement in Brazil pursuant to applicable regulations,
including:
Since 2018, the Central Bank of Brazil (BCB) has allowed payment insti- • conducting banking business (ie, performing financial intermedi-
tutions (payment fintech companies) to function outside its regulation ation on a regular and professional basis through the raising of
and supervision – including without the need for a licence – as long as funds from the public in general, as well the custody of values on
their activities do not reach specific operational thresholds. The BCB also behalf of third parties: this requires authorisation from the BCB;
created two new categories of financial institution with simpler regula- • rendering certain types of payment services: this requires authori-
tory requirements to accommodate credit-granting fintech entities that sation from the BCB upon reaching the thresholds set forth in
perform their services exclusively through electronic platforms: direct applicable regulations;
lending companies and peer-to-peer lending companies. • dealing in securities transactions in regulated markets as principal
In mid-2019, the BCB, the Securities and Exchange Commission or agent (ie, securities brokerage services): this requires authorisa-
(CVM) and the Superintendence of Private Insurance, together with the tion from the BCB and the CVM;
Special Finance Bureau of the Ministry of Economy, jointly announced • rendering investment advisory services: this requires authorisa-
their intention to set up a regulatory sandbox for fintech companies to tion from the CVM; and
test and develop new products. The first of those initiatives is expected • operating in the foreign exchange market: this requires authorisa-
to begin by the end of 2020. tion from the BCB.
Both the BCB and the CVM, together with other entities, engage
with and support financial innovation labs (the Financial and Technology
Innovation Laboratory (launched by the BCB) and the Laboratory of
Financial Innovation (in connection with the CVM)), which are aimed at
providing guidance and identifying opportunities and obstacles to the
fintech sector.
28 Fintech 2021
Machado Meyer Advogados Brazil
Consumer lending individuals to enter into a lending and financing transaction among
5 Is consumer lending regulated in your jurisdiction? themselves, exclusively by means of electronic platforms.
Crowdfunding platforms (and the offer of securities in connection
Yes. The provision of consumer lending in Brazil (eg, overdraft, credit thereof) are subject to a specific rule issued by the CVM and may only be
card invoice financing and consumer loans) is restricted to financial operated by a legal entity duly authorised by the CVM to do so.
institutions duly authorised to operate by the BCB and subject to certain
specific rules. Alternative investment funds
Interest rates vary depending on the institution and are not subject 8 Are managers of alternative investment funds regulated?
to specific limits (except for overdraft interests, which were recently
limited to 8 per cent per month). Administrators of any investment fund, which are responsible for a
However, when extending credit to individuals, micro-companies group of services related to the maintenance and proper operation of
and small companies, financial institutions must disclose to the client, the fund, such as treasury, bookkeeping, custody of financial assets and
prior to the execution of the credit transaction, the total effective cost, portfolio management, are regulated by the CVM and are required to
expressed as an annual percentage rate, which evidences the sum of obtain a licence before commencing their activities.
all the costs related to the transaction (including taxes and fees). This Administrators may delegate certain responsibilities to third
allows consumers to compare the total cost of the loans offered by parties, such as portfolio management activities. Portfolio managers
different institutions. (either individuals or legal entities) are also regulated by the CVM and
Individuals, micro-companies and small companies are also enti- are required to obtain a specific licence.
tled to prepay their debts, in whole or in part, without having to pay any
additional fees in connection thereof. Peer-to-peer and marketplace lending
Furthermore, when entering into transactions with, or rendering 9 Describe any specific regulation of peer-to-peer or
services to, consumers, financial institutions are also subject to the marketplace lending in your jurisdiction.
Consumer Defence Code.
SEPs are financial institutions of which the main purpose is to enable
Secondary market loan trading individuals to enter into lending and financing transactions among
6 Are there restrictions on trading loans in the secondary themselves exclusively by means of electronic platforms. Transactions
market in your jurisdiction? intermediated by SEPs will have the characteristics of a linked credit
transaction, in which there is a link between the funds raised from the
In general, no, provided that the loans do not have a securities nature creditors and the corresponding loan transaction entered into with the
in accordance with applicable laws and regulations. Certain exceptions debtor, with the respective subordination of the repayment of the funds
apply, such as in respect of direct lending companies, which may only delivered by the creditors to the payment of the loan transaction by the
assign credit to financial institutions, receivables investment funds and debtors. Granting of loans with their own funds, as well as any type of
securitisation companies. risk retention, either directly or indirectly, is not allowed for SEPs.
To be effective towards the debtor, the debtor must be notified of SEPs may also provide certain ancillary services in connection with
the credit assignment. their main activity, such as credit analysis for clients and third parties,
collection of debts on behalf of clients and third parties and issuance of
Collective investment schemes electronic money, according to applicable regulations.
7 Describe the regulatory regime for collective investment Finally, SEPs must:
schemes and whether fintech companies providing • be incorporated as corporations and have paid-up stock capital and
alternative finance products or services would fall within its shareholders’ equity of 1 million reais;
scope. • segregate their funds from the funds of creditors and debtors;
• provide information to their clients and users in respect of the
In Brazil, the types of special condominium (pool of assets) directed to nature and complexity of the transactions and services offered;
investment purposes, of which the portfolio is indirectly owned by their • use a proper credit analysis model; and
investors (quota holders) proportionally to the amounts invested by • comply with proportional operational and prudential requirements
each of them (investment funds) and their permitted investments, are consistent with their size and profile.
subject to the rules and regulatory oversight of the CVM.
Investment funds are divided into two main groups: Crowdfunding
• ‘traditional’ investment funds, which may invest in several different 10 Describe any specific regulation of crowdfunding in your
types of financial assets (eg, equity, fixed income, real estate and jurisdiction.
derivatives); and
• structured funds, such as: Crowdfunding in Brazil is regulated by the CVM and defined as the
• private equity funds, which may invest mainly in securities (eg, raising of funds through public offers for the distribution of securities
shares and subscription bonuses) and convertible notes; and issued by small businesses conducted with exemption from registration
• credit receivables investment funds, which may invest in through an electronic investment platform.
credit rights arising from different sectors of the economy, The rule expressly excludes peer-to-peer loans from its activities
such as financial, industrial and commercial ones. (which are regulated by the BCB). However, the regulation does not
limit the type of security to be offered; therefore, small businesses may
Fintech companies, such as peer-to-peer lending and crowdfunding issue shares, debentures or other securities as long as they are legally
platforms, are subject to a different regulatory regime. available.
Peer-to-peer lending platforms are operated by peer-to-peer The public offering (which is limited to 5 million reais) must take
lending companies (SEPs), which are a type of financial institution place through an electronic platform managed by a company duly incor-
(and not an investment fund), the main purpose of which is to enable porated in Brazil and registered with the CVM, which is responsible for
Brazil Machado Meyer Advogados
verifying compliance by the issuer and the offering with applicable regu- Only financial institutions belonging to segments S1 and S2 of
latory requirements. the Brazilian financial system (which mainly comprises major banks),
The offers are intended for any type of investor, subject to a 10,000 according to segmentation rules set forth in Brazil, will be required to
reais investment limit per calendar year (exceptions apply to certain join open banking at its inception. Other institutions, such as payment
investors, such as qualified investors). institutions, are allowed to participate on a voluntary basis, but only
The grouping of investors supporting a lead investor in ‘participatory those licensed by the BCB may take part in the open banking directly.
investment syndicates’ is expressly allowed, as is the incorporation of an Non-licensed institutions may participate through partnerships
investment vehicle for those purposes (subject to certain requirements). with authorised participant institutions. Any participation must follow
the principle of reciprocity (ie, the recipient must also share informa-
Invoice trading tion). All regulated institutions offering payment accounts, on-demand
11 Describe any specific regulation of invoice trading in your deposit accounts and savings accounts will also be required to join open
jurisdiction. banking in its third phase (August 2021) in respect of payments initiation
services and the sharing of data related to those services.
Trade notes are regulated by Law No. 5,474 of 18 July 1968 as well as by The new regulation is based on the principle that registration data
Decree No. 57,663 of 24 January 1966, which also governs the endorse- and information on the products and services provided belong to the
ment of trade notes, jointly with the Civil Code. customer, and it is up to him or her to decide whether to share them
Furthermore, in May 2020, the CMN and the BCB issued two rules with third parties. Therefore, consent will always be required before any
governing the use of book-entry trade notes. Following the trend of customer data sharing.
dematerialisation of financial assets and securities seen in the Brazilian Self-regulatory provisions will play an important role in the imple-
market in recent decades, the new rules regulate: mentation of open banking in Brazil. Participants will be required to
• financial transactions guaranteed by book-entry trade notes and discuss, prepare and execute a convention regulating operational
the discounting or sale of those receivables; and aspects of the ecosystem, such as technological standardisation,
• the bookkeeping activity of those securities. communications and security protocols, reimbursements among partic-
ipants, disputes resolution and standardisation of data and service
The rules aim to provide greater security for issuance, registration, layouts, among others. This convention will be subject to approval
settlement and trading in respect of those transactions. The main by the BCB.
change introduced by the rules is the mandatory use of registered book-
entry trade notes. Financial institutions should, therefore, require their Robo-advice
counterparts, in particular sellers who wish to discount their receiva- 14 Describe any specific regulation of robo-advisers or other
bles, to issue and register the respective book-entry trade notes. companies that provide retail customers with automated
access to investment products in your jurisdiction.
Payment services
12 Are payment services regulated in your jurisdiction? There is no specific regulatory framework for robo-advisers. However,
the CVM has already identified three main activities performed by
The legal framework for payment services in Brazil is set by Law No. robo-advisers: the provision of financial advice, asset management and
12,865 of 9 October 2013. A licence is required upon reaching specific financial analysis (robo-traders are considered financial analysts). As
operational thresholds if the fintech company executes the following each of these activities is specifically regulated by the CVM, a robo-
types of payment services: adviser providing any of these must comply with the same regulatory
• issuance of electronic money and associated services, such as requirements applicable for traditional providers.
issuance of prepaid instruments, management of prepaid payment
accounts and provision of payment transactions based on elec- Insurance products
tronic money deposited into those accounts; 15 Do fintech companies that sell or market insurance products
• issuance of post-paid payment instruments (such as credit in your jurisdiction need to be regulated?
cards); and
• acquiring services. Insurance companies and the marketing of insurance products in Brazil
are subject to regulation and supervision by different authorities: the
Fintech companies providing the payment services mentioned above Superintendence of Private Insurance and the National Council of Private
are defined by applicable legislation as payment institutions. Insurance. Only duly licensed insurance companies may provide insur-
Owners of card networks (ie, the legal entities in charge of ance coverage in Brazil. The solicitation and intermediation of insurance
managing the rules, procedures and the use of the brand associated contracts may be carried out only by licensed insurance brokers.
with a card network) must request authorisation for the card network Pursuant to applicable regulations, legal entities may promote and
that they operate (upon reaching certain triggers). Card networks are market insurance products for and on behalf of insurance companies,
defined by applicable regulations as the set of rules governing the use acting as their representatives. Insurance representatives do not need
of payment instruments accepted by more than one recipient entity. to be regulated or obtain any type of authorisation, but they must act
within the powers established in the relevant agreement executed with
Open banking the relevant insurance company.
13 Are there any laws or regulations introduced to promote Insurance representatives may not act as brokers; therefore,
competition that require financial institutions to make any sales of insurance products carried out by the representative are
customer or product data available to third parties? considered direct sales by the insurance company if not intermediated
by a duly licensed broker.
The BCB recently issued baseline regulations for open banking (via Only certain lines of insurance may be sold through this channel,
application programming interfaces) based on the UK model, the imple- namely the simpler insurance, such as all risks, travel, extended
mentation of which is expected to start in November 2020. warranty, life, unemployment and consumer credit.
30 Fintech 2021
Not all licensed fintech companies may act as insurance represent- CHANGE OF CONTROL
atives. Payment institutions (direct lending companies and peer-to-peer
lending companies) are authorised to act as insurance representa- Notification and consent
tives for the distribution of insurance products that are related to their 20 Describe any rules relating to notification or consent
lending activities. requirements if a regulated business changes control.
Credit references Any transaction resulting in a change of control (direct or indirect)

16 Are there any restrictions on providing credit references or of a licensed fintech company (ie, payment institution, direct lending
credit information services in your jurisdiction? company and peer-to-peer lending company) is subject to the prior
approval of the Central Bank of Brazil, which must be requested within
Yes. Credit references and credit information services are regulated 15 days of the execution of the relevant agreements. The approval
under the Positive Register Law (Law No. 12,414 of 9 June 2011) and the process takes from around six months to one year and involves the
Positive Register Decree (Decree No. 9,936 of 24 July 2019). A licence submission of several documents of the new shareholders.
from the CVM is required when carrying out credit-rating operations In general terms, during the approval process the potential new
regarding securities in Brazil. controller must evidence its knowledge on the segment of business
Any company providing such information on natural persons that the fintech company operates in and that its financial capacity is
must comply with the Brazilian General Data Protection Law (Law No. compatible with the size, nature and purpose of the acquired business,
13,709/2018). among other things.
CROSS-BORDER REGULATION FINANCIAL CRIME
Passporting Anti-bribery and anti-money laundering procedures

17 Can regulated activities be passported into your jurisdiction? 21 Are fintech companies required by law or regulation to have
procedures to combat bribery or money laundering?
There is no concept of passporting rights in Brazil. To engage in regu-
lated financial activities, a company must apply for the relevant licences, Fintech companies include a myriad of entities engaged in different
the process of which may impose special requirements on foreign types of business. Some fintech companies are regulated by the Central
companies. Bank of Brazil (BCB), some are subject to the Securities and Exchange
Commission (CVM), and some may not be subject to any specific
Requirement for a local presence government body.
18 Can fintech companies obtain a licence to provide financial In respect of those subject to the BCB and the CVM, there are specific
services in your jurisdiction without establishing a local regulations to be observed in addition to Law No. 9,613 of 3 March 1998
presence? on the money laundering offence and preventative measures.
Recent regulations issued by the BCB and the CVM, which will
No. All fintech companies must establish a local presence in Brazil to soon come into full effect, introduced a new framework on this matter,
obtain a licence (assuming that a licence applies; not all fintech activities founded on a risk-based approach. Following international practices, the
are regulated). new rules contemplate both full and simplified procedures (depending
on the risk of money laundering), and it is reasonable to believe that
SALES AND MARKETING best practices and standard procedures adopted by the market may
play an important role.
Restrictions In respect of non-regulated fintech entities, including cryptocur-
19 What restrictions apply to the sales and marketing of rency exchanges, in some circumstances, they may be subject to certain
financial services and products in your jurisdiction? rules (such as the maintenance of client files and the reporting of suspi-
cious transactions to the Council for Financial Activities Control (COAF),
The reception and transmission of orders in relation to financial instru- a federal government body responsible for anti-money laundering and
ments is a regulated financial activity, as is the provision of financial counterterrorist financing). These rules are particularly important for
advice and financial analysis regarding securities. Thus, the sale and those engaged in the digital currency business and other fintech compa-
marketing of financial services and products in Brazil is subject to nies not regulated by the BCB and the CVM.
licensing requirements.
Generally, the information provided to market financial services Guidance
and products must be straightforward and truthful, not mislead the 22 Is there regulatory or industry anti-financial crime guidance
customer and be restricted to its suitable audience. The financial for fintech companies?
services and products providers may also be subject to additional
marketing rules as specified in the laws and regulations governing the There is no anti-financial crime guidance specifically for fintech compa-
specific types of financial services or products. nies; however, cryptocurrency exchanges and the various payment
institutions that participate in the payment chain but are not regulated
(including sub-acquirers) are having discussions to determine how
certain anti-money laundering and counterterrorist financing obliga-
tions should be implemented. Moreover, the COAF frequently engages
in educational initiatives as part of the National Strategy Against
Corruption and Money Laundering.
PEER-TO-PEER AND MARKETPLACE LENDING Securitisation risk retention requirements

Execution and enforceability of loan agreements requirements?
23 What are the requirements for executing loan agreements or
security agreements? Is there a risk that loan agreements No, there are no risk retention requirements for securitisation transac-
or security agreements entered into on a peer-to-peer or tions carried out by SCDs or SEPs. SEPs may not retain any portion of
marketplace lending platform will not be enforceable? the risk related to the credit transactions intermediated by them.
To be valid, loan and security agreements are subject to the same Securitisation confidentiality and data protection requirements
general requirements set forth by the Civil Code for the validity of 26 Is a special purpose company used to purchase and securitise
any agreement (be executed by capable parties; have a licit, feasible, peer-to-peer or marketplace loans subject to a duty of
determined or determinable object or purpose; and be formalised in a confidentiality or data protection laws regarding information
manner provided by, or not prohibited by, applicable laws). relating to the borrowers?
Furthermore, the validity of the transaction is dependent on the
absence of any legal defects (such as fraud in enforcement procedures, Brazilian financial institutions (such as SEPs and SCDs) are subject to
fraud against creditors and simulation). banking secrecy requirements. In summary, they are prevented from
In general, credit transactions executed on a peer-to-peer platform disclosing to third parties any information concerning the transactions
are formalised through bank credit notes, which are subject to addi- and services provided by them to their customers, except in certain situ-
tional requirements, and signed electronically, which is permitted by ations provided by applicable laws.
applicable laws and regulations. It is debatable whether third parties, such as investment funds and
Specific requirements may be applicable to security instruments securitisation companies purchasing loans originated by financial insti-
depending on their type. tutions, would also be subject to banking secrecy requirements.
In any case, provided that the relevant loan and security agree- In any case, according to the Brazilian General Data Protection
ments entered into on a peer-to-peer or marketplace lending platform Law (which is not yet in full force), a purchaser of the relevant loans
are compliant with applicable laws and regulations (and that the peer- is subject to specific data protection obligations in respect of personal
to-peer lending company (SEP) or the direct lending company (SCD) data, which is defined as any information relating to an identified or
is duly authorised by the Central Bank of Brazil), those transactions identifiable natural person (including identifying numbers, location
should be deemed valid for all legal purposes. data or electronic identifiers when these are related to a person). In
those cases, it will be necessary to evaluate the role of the contracting
Assignment of loans parties as controllers or processors in the context of the operation and
24 What steps are required to perfect an assignment of to include the applicable data protection provisions in the agreements
loans originated on a peer-to-peer or marketplace lending to safeguard the parties accordingly.
platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
loans without informing the borrower? TECHNOLOGY AND CRYPTO-ASSETS
With regard to SCDs (which may provide direct loans using their own Artificial intelligence
funds), the loans are usually formalised through bank credit notes 27 Are there rules or regulations governing the use of artificial
(issued by clients to the SCD), which may be transferred by the SCD intelligence, including in relation to robo-advice?
through endorsement or assignment (the latter carried out pursuant to
the rules of the Civil Code). In general, loans are assigned by the SCDs There is no specific regulatory framework for the use of artificial
to finance their operations. intelligence in financial markets. Furthermore, there is no legal distinc-
SEPs may adopt different business models. Some of those finan- tion between robo-advice and traditional investment advice in Brazil.
cial institutions endorse the relevant credit instrument issued to their As such, companies providing robo-advice must fulfil the same legal
benefit (by the borrower) to the creditor (which includes investment requirements as companies providing traditional investment advice,
funds and securitisation companies). which are regulated by the Securities and Exchange Commission (CVM).
Assignment of credit pursuant to the Civil Code is subject to regis-
tration with the registries of the titles and deeds of the place where the Distributed ledger technology
relevant parties reside if they are to be effective towards third parties. 28 Are there rules or regulations governing the use of
On the other hand, endorsements are not subject to this registration distributed ledger technology or blockchains?
requirement.
Although the Civil Code requires the borrower to be notified for Not presently, but there are certain bills under discussion in the House
a credit assignment to be effective towards the borrower, the lack of of Representatives that, if approved, will establish a regulatory frame-
notification does not affect the validity of the assignment between the work for digital currency transactions, exchanges and wallets.
parties. From a practical standpoint, SEPs and SCDs usually collect
payments from borrowers on behalf of creditors (assignees), which Crypto-assets
is why the absence of notification does not pose an issue under those 29 Are there rules or regulations governing the use of crypto-
structures. assets, including digital currencies, digital wallets and
e-money?
Currently, no. As a general rule, digital currencies are considered as

intangible movable assets (with high liquidity) that are, in principle, not
subject to banking or securities laws and regulations in Brazil.
32 Fintech 2021
The Central Bank of Brazil (BCB) has issued certain public notices DATA PROTECTION AND CYBERSECURITY
acknowledging that digital currencies such as bitcoin are virtual curren-
cies and, thus, would be different from electronic currencies (e-money), Data protection
which are governed by Brazilian payment and electronic currency laws 32 What rules and regulations govern the processing and
and regulations. Electronic currencies are funds (based on the ‘official transfer (domestic and cross-border) of data relating to
currency’ or fiat currency) stored in electronic devices or electronic fintech products and services?
systems that allow for end users to enter into payment transactions.
Digital or virtual currencies, on the other hand, are not considered offi- The processing and transfer of data should be verified according to the
cial currencies even though they may work as a means for end users to scope, regardless of whether the processing or transfer would include
enter into payment transactions. personal data. In Brazil, personal data is considered to be any information
In one of those public notices, the regulator stated that transactions relating to an identified or identifiable natural person.
with digital currencies that imply international transfers denominated in The Brazilian General Data Protection Law (LGPD), which provides
foreign currencies must take place in accordance with the applicable the general rules for privacy and data protection in Brazil, sets forth the
foreign exchange regulations (in particular, the requirement to enter conditions of any processing and transferring (including cross-border
into any foreign exchange transaction exclusively through institutions transfer) of personal data. The LGPD is expected to enter into full force
authorised to operate in the foreign exchange market). on 3 May 2021.
Currently, there are certain bills being discussed in the House of Cross-border personal data processing is allowed:
Representatives that, if approved, may affect digital currency transac- • to countries or international organisations that provide the appro-
tions, exchanges and wallets. In particular, the bills propose to place priate level of protection of personal data, as approved by the
digital currency transactions and exchanges under the BCB’s supervi- Brazilian National Data Protection Authority;
sion, create a series of rules and principles for their activity and protect • where the controller provides and demonstrates guarantees of
user resources in the event of exchange bankruptcy. Although there compliance with the principles and rights of the data subject and
is still much uncertainty regarding future regulation, there should be data protection regime established in the law, in the form of:
more discussions and public hearings about these bills in the House of • specific contractual clauses for a given transfer;
Representatives in the coming months. • standard contractual clauses;
• binding corporate rules; or
Digital currency exchanges • seals, certificates and codes of conduct that are regularly issued;
30 Are there rules or regulations governing the operation of • when the transfer is required for international legal cooperation
digital currency exchanges or brokerages? between government intelligence, investigation and police bodies, in
accordance with the international law instruments;
Currently, digital currency exchanges or brokerages are not specifically • when the transfer is required for the protection of life or the physical
regulated in Brazil. However, digital currency exchanges domiciled in integrity of the data subject or any third party; or
Brazil for tax purposes must make certain tax-related reports to the • for other reasons, such as consent or compliance with a legal or
Federal Revenue Service (RFB) in respect of transactions involving regulatory obligation by the controller.
crypto-assets carried out by users and their yearly balance information.
The RFB defines an ‘exchange of crypto-assets’ as a legal entity that For anonymised data (when the data relates to a data subject who cannot
offers services related to crypto-assets transactions, including inter- be identified), considering the use of reasonable and available technical
mediation, negotiation and custody – accepting any payment means, means at the time of the processing, there is no restriction on the transfer
including crypto-assets. The definition is very broad and encompasses of the information.
different kinds of companies dealing with crypto-assets. Fintech companies licensed by the Central Bank of Brazil (BCB) must
comply with certain rules on the outsourcing of relevant data storage,
Initial coin offerings data processing and cloud computing services in Brazil or abroad when
31 Are there rules or regulations governing initial coin offerings those services are considered critical services within the institution. As a
(ICOs) or token generation events? general rule, they must guarantee the confidentiality, integrity and avail-
ability of the data and systems, and they must ensure that their partners
Currently, ICOs or other token generation events are not regulated in and third-party service providers also have policies, procedures and
Brazil. The CVM has issued statements and investor alerts advising that controls to prevent incidents related to the cyber environment as well as
unregistered public offerings of tokens that constitute a security under ensure the security of sensitive information. The outsourcing of critical
Brazilian laws are illegal when they involve securities, subjecting the services must be reported to the BCB, and, if services are contracted
offering and the parties to applicable sanctions. In other words, if the abroad, authorisation is required in the absence of agreement for the
underlying rights attributes a security nature to the relevant asset, the exchange of information between the BCB and the supervisory authority
transaction, the issuer and other parties involved must comply with of the country where the data storage and processing services will
applicable securities laws and regulations. When evaluating if a certain be provided.
coin offering is a security offering, the CVM has been applying a test
similar to the Howey test. Cybersecurity
businesses?
Fintech companies licensed by the BCB (ie, payment institutions, direct

lending companies and peer-to-peer lending companies) must comply
with specific cybersecurity regulations. In general terms, applicable regu-
lations establish that these entities must guarantee the confidentiality,
integrity and availability of the data and information systems; put in place
policies, procedures and controls to prevent incidents related to the cyber Certain specific provisions must be included in the relevant
environment; and ensure the security of sensitive information. outsourcing agreements. As a general rule, the regulated institution
To that end, licensed fintech companies must put in place a cyber- outsourcing the services must verify that the service provider is able
security policy that takes into consideration the entity’s size, risk profile to ensure:
and business model, as well as the nature of the operations and data • compliance with Brazilian laws and regulations;
sensitiveness. An action and response plan in respect of security inci- • access by the regulated institution to the data to be processed or
dents must be established as well. stored by the service provider;
The cybersecurity policy must, among other things, comprise: • confidentiality, integrity, reliability, availability and recovery of the
• procedures and controls adopted to reduce vulnerability to incidents; data to be processed or stored by the service provider;
• specific controls, including those directed at information traceability, • adherence to the certifications required by the institution for the
that aim to ensure the security of sensitive information; rendering of the services;
• procedures to record incidents relevant to the entity’s activities as • access by the institution to the reports prepared by an independent
well as the analysis of their cause and impact, and the control of audit company hired by the service provider in respect of the proce-
their effects; dures and controls used in the rendering of the services;
• guidelines on: • supply of information and management resources adequate to
• the development of scenarios that reflect incidents considered monitor the services;
in business continuity tests; • identification and segregation of the data of the clients of the institu-
• the definition of procedures and controls directed at the prevention through physical or logical means; and
tion and treatment of incidents to be adopted by third-party • the quality of the access controls aimed at protecting the data and
providers that handle sensitive data or information, or that are information in respect of the clients of the institution.
relevant for the institution’s operational activities;
• the classification of data and information according to its Data on Brazilian clients (personal, financial or otherwise) should be
relevance; and treated as confidential and should not be transferred to third parties
• the definition of parameters to be used in the assessment of the without the express prior consent of those concerned. Data location and
relevance of incidents; processing may take place inside or outside the Brazilian territory, but
• mechanisms for dissemination of a cybersecurity culture within the access to data stored abroad must be granted at all times to the BCB for
entity, including the implementation of programmes for the training inspection purposes.
and periodic evaluation of employees, the provision of information to
clients and users regarding precautions when using financial prod- Cloud computing
ucts and services and the commitment of senior management to the 35 Are there legal requirements or regulatory guidance with
continuous improvement of procedures related to cybersecurity; and respect to the use of cloud computing in the financial services
• initiatives for sharing information with other entities regarding the industry?
relevant incidents.
The contracting of critical cloud computing services by licensed enti-
The procedures and controls adopted to reduce the institutions’ vulner- ties must follow the requirements imposed by applicable regulations.
ability to incidents and to meet other cybersecurity objectives should Cloud computing services encompass the availability of at least one of
include, at least, authentication, encryption, intrusion prevention and the following services:
detection, information leakage prevention, periodic testing and scanning • data processing, data storage, infrastructure of computer networks
for vulnerabilities, protection against malicious software, establishment and other computer services that allow the implementation or
of traceability mechanisms, computer network access and segmentation execution of software by a financial institution, including operational
controls, and maintenance of data and information backups. systems and applications developed by a financial institution or
acquired by it from third parties;
OUTSOURCING AND CLOUD COMPUTING • implementation or execution of applications developed by a finan-
cial institution or acquired by it from third parties, using computer
Outsourcing resources of a third-party service provider; or
34 Are there legal requirements or regulatory guidance with • execution, through the internet, of applications implemented or
respect to the outsourcing by a financial services company of a developed by the third-party service provider, using computer
material aspect of its business? resources of the third party.
Yes. Licensed institutions must comply with specific rules for contracting INTELLECTUAL PROPERTY RIGHTS
data storage, data processing and cloud computing services with third
parties in Brazil or abroad when those services are considered critical IP protection for software
services within the institution. There are no express guidelines for 36 Which intellectual property rights are available to protect
institutions to determine when a service should be qualified as critical; software, and how do you obtain those rights?
applicable regulations simply state that the financial institution must
take into account the importance of the service and the sensitiveness Intellectual property rights for software in Brazil are regulated by Law
of the data and information to be processed, stored or managed by the No. 9,609 of 19 February 1998. Typically, software will be protected under
services provider. the Copyright Law and will not be patentable. However, it is possible to
The outsourcing of critical services must be reported to the Central require the patent of software related to an invention that meets the
Bank of Brazil (BCB), and, if those services are contracted abroad, patent requirements set forth by the Industrial Property Law (Law No.
authorisation is required in the absence of agreement for the exchange 9,279 of 14 May 1996).
of information between the BCB and the supervisory authority of the The copyright on software provides the holder with all related
country where the data storage and processing services will be provided. economic rights, independently of any previous registration. In respect of
34 Fintech 2021
moral rights, except for the right to claim the authorship of the software, Joint ownership
no other moral rights are applicable. 38 Are there any restrictions on a joint owner of intellectual
The owner is also assured the exclusive commercial licensing rights property’s right to use, license, charge or assign its right in
of the software and technology transference. In the latter case, the tech- intellectual property?
nology transfer agreements must be registered with the National Institute
of Industrial Property (INPI) to have effect in relation to third parties. Brazilian copyright law provides for the possibility for co-authorship of
When software is protected by copyright, the protection is inde- works. The co-authors (or joint owners) receive legal protection both for
pendent of any form of registration, extending for 50 years from its their individual contributions and for the entire work. They must exer-
creation, after which the work enters the public domain. However, cise their rights by common agreement (unless otherwise agreed).
the owner has the option to register the source code before the INPI If the contributions of each author are not divisible (identifiable), no
under Federal Decree No. 2,556 of 20 April 1998. The registration will co-author may publish or authorise the publication of the work without
not put forth any differences in the protection of the specific rights over the consent of the others. However, it should be noted that each author
the software, but is instead an alternative to publicise the ownership of may defend his or her rights over the work without the consent of the
the software. others. The intellectual property produced by them will be an undivided
During the 50 years in which the computer programs are protected, part, assuming that each author will have equal and proportional partic-
only the owner can authorise its use by third parties by means of a ipation in the software, unless otherwise stipulated in writing.
licensing agreement. In the absence of a written licensing agreement, When the work is made through an institution, organisation or legal
the tax invoice relating to the acquisition or licensing of a copy of the entity, which is formed by the participation of different authors, whose
program will evidence the regularity of its use. contributions merge into an autonomous creation, it is called a collec-
tive work, as per section 17 of the Federal Law No. 9,610/98. Article 5,
IP developed by employees and contractors item XXVIII, item ‘a’ of the Federal Constitution also ensures individual
37 Who owns new intellectual property developed by an participation in a collective work.
employee during the course of employment? Do the same The legislation guarantees to the joint owner of collective work his
rules apply to new intellectual property developed by or her due remuneration and establishes the property rights over the
contractors or consultants? collective work as a single right of the organisation. The contract with
the organisation shall indicate the contribution of each of the partici-
Law No. 9,609 of 19 February 1998, which provides the rights and obliga- pants, the remuneration and other conditions for its execution, such as
tions for the protection of software’s intellectual property, states that the licensing, charging and the assignment.
software ownership developed as a result of services provided within Unlike the co-authorship, the collective work, despite being elabo-
a specific contract will belong to the contracting party (an employer, a rated by several people, becomes a unique work, and for this reason,
company or a public agency) unless it can be proven that the software the agreement shall establish the participation of each author, and the
was created without connection to the performance of the contract and conditions for the economic exploitation of it.
without the use of resources, technological information, industrial or
commercial secrets, materials, installations or equipment belonging to Trade secrets
the contracting party. 39 How are trade secrets protected? Are trade secrets kept
The same provisions are applicable in the case of an employment confidential during court proceedings?
agreement. Violations of those intellectual property rights may result in
penalties. Trade secrets are protected by the Industrial Property Law, which
Brazilian copyright laws provide for the possibility for co-authorship characterises as a criminal offence the ‘disclosure, exploitation or use,
of works. The co-authors (or joint owners) receive legal protection both without authorisation, of confidential knowledge, information or data,
for their individual contributions and for the entire work. They must exer- usable in industry, commerce or the provision of services, excluding
cise their rights by common agreement (unless otherwise agreed). information which is publicly known or evident to a person skilled in the
If the contributions of each author are not divisible (identifiable), field, to which one has had access through a contractual or employment
none of the co-authors may publish or authorise the publication of the relationship’. Penalties may include imprisonment of the offender, from
work without the consent of the others. However, each author may three months to one year, or a fine. In addition, the company is liable for
defend his or her right over the work without the consent of the others. any proven damages as a civil violation.
The intellectual property produced by them will be an undivided part, The Industrial Property Law also assures injured parties ‘the right
assuming that each author will have equal and proportional participation to receive compensation for the loss caused by acts of infringement of
in the software unless otherwise stipulated in writing. industrial property rights and by acts of unfair competition’.
When the work is made through an institution, organisation or legal To prove that one is the lawful holder of the violated rights, it must
entity, which is formed by the participation of different authors, whose be evidenced that reasonable steps to maintain the confidentiality of
contributions merge into a single creation, it is called a collective work. the information were taken and that access to the information by the
The Constitution also ensures individual participation in a collective work. infringing party was fraudulent and unlawful, in breach of contractual
The legislation guarantees to the joint owner of a collective work or legal obligations.
his or her due remuneration and establishes the property rights over the The injured party can request judicial secrecy over the lawsuit.
collective work as a single right of the organisation. The contract with the Furthermore, if a trade secret is disclosed ‘in the course of a court
organisation indicates the contribution of each of the participants and the action in order to defend the interests of any of the parties, the judge
remuneration and other conditions for its execution, such as licensing, must determine that the case proceed in judicial secrecy’, which implies
charging and the assignment. restricted access to the case files and hearings only by the parties, their
Unlike co-authorship, the collective work, despite being created lawyers, the judge and his or her clerks.
from the collaboration of several people, becomes a unique work, and for
this reason, the agreement establishes the participation of each author,
and the conditions for the economic exploitation of it.
Branding COMPETITION
40 What intellectual property rights are available to protect
branding and how do you obtain those rights? How can Sector-specific issues
fintech businesses ensure they do not infringe existing 42 Are there any specific competition issues that exist with
brands? respect to fintech companies in your jurisdiction?
There are two ways of protecting branding rights in Brazil: the grant of Digital markets have been the focus of competition enforcers worldwide,
industrial design registration and the grant of trademark registration (or including Brazil. The banking market is dominated by a few players and
brand registration). Both are related to the registration before the INPI. fintech companies are viewed by the Brazilian antitrust authority – the
The industrial design registration protects the design of a product. Administrative Council for Economic Defence (CADE) – as disruptive
The product should have a new aesthetic or an ornamental aspect that companies, capable of offering more specific and profitable financial
differs from existing products. The requirements are that the design products and services and, consequently, of exerting competitive pres-
should be new (when it has not been made public in Brazil or abroad sure on banks and other financial institutions.
before the deposit of the request to the INPI) and original (when it In this sense, in the past couple of years, CADE has been conducting
results from a distinctive visual configuration in relation to other several investigations of alleged anticompetitive practices involving
previous objects, including those resulting from the combination of the abuse of dominant position, particularly by financial institutions to
known elements). The registration grants ownership to a specific brand. exclude or limit the operations of fintech companies, such as the refusal
The conditions for an application for registration can be found in articles to provide services or information that are essential for the operation of
101 to 106 of the Industrial Property Law. their business or providing the services on discriminatory basis.
The trademark registration is related to: As for merger cases, although CADE has yet to review a merger
• distinctive signs, such as company names or logos, products and filing solely affecting the fintech market, cases involving large banks
service marks, used to distinguish them from their competitors that may entail conglomerate or vertical integration issues are being
• certification marks, which are those used to certify that a product subject to close scrutiny by CADE to ensure that the acquisition is not
or service complies with certain technical specifications; and aimed at alleviating the threat of potential competition or preventing
• collective marks, which are used to identify products and services an increase of market power that could further lead to discrimination
of the members of a certain entity. or market foreclosure. Behavioural remedies, for instance, have been
adopted to ensure future competition in the acquisition by a major bank
The conditions for an application for trademark registration can be or stake in a platform for financial products (investments).
found in the Industrial Property Law. In October 2019, CADE published a comprehensive report on the
Foreign businesses, including in the fintech field, can ensure that payment industry, concluding that its technological developments
they do not infringe existing brands in Brazil by properly applying for – including the surge of fintech companies – require a dynamic assess-
the registration of its own brand and industrial property before the INPI. ment, with the introduction of more sophisticated and appropriate tools
The current legal protection of intellectual and industrial prop- to evaluate the effects of those constant changes on competition in
erty in Brazil derives from the Agreement on Trade-Related Aspects of digital markets. The concentration in the banking market, the verticali-
Intellectual Property Rights. sation of the players in the payment industry, and the introduction of
open banking in Brazil will continue to demand CADE’s attention and
Remedies for infringement of IP careful review to ensure competition, innovation and improved welfare.
41 What remedies are available to individuals or companies There is a memorandum of understanding between CADE and
whose intellectual property rights have been infringed? the Central Bank of Brazil (BCB) for joint cooperation, providing for
coordinated actions, the exchange of information, meetings and discus-
Under Law No. 9,609 of 19 February 1998, the violation of a piece of sions, for example, on the legal framework that may impact competition
software’s intellectual property is a criminal offence, punishable by the involving institutions regulated by the BCB, as well as collaboration in
imprisonment of the offender from six months to two years or a fine, and the review of merger filings or investigation of anticompetitive practices
a civil tort. The offender is also liable for all losses and harm suffered involving financial institutions.
by the claimant when the offender acts in bad faith or with the intention
of imitating the claimant, or commits a gross error by violating a third TAX
party’s intellectual property.
Crimes against brands and industrial designs may be found in the Incentives
Industrial Property Law, accompanied by their respective penalties. The 43 Are there any tax incentives available for fintech companies
penalties usually involve a period of incarceration from three months to and investors to encourage innovation and investment in the
one year or the application of a fine. fintech sector in your jurisdiction?
Crimes or illicit activity that violates copyright can be found in
Law No. 9,610 of 19 February 1998, which establishes the obligatory There are no specific tax incentives for fintech companies or investors
compensation for losses and damage as well as other applicable sanc- in Brazil.
tions, such as the suspension of transmissions or product sales and the Certain fintech companies that invest in research, development
destruction of illicit copies, according to the type of violation. and innovation projects and that have surpassed the break-even point
currently enjoy reductions from corporate income tax (IRPJ), social
contribution on net profits (CSLL), the tax on manufactured products
and withholding income tax under Law No. 11,196 of 21 November 2005.
These benefits are available to any Brazilian company assessing IRPJ or
CSLL under the real profit regime.
36 Fintech 2021
Increased tax burden

44 Are there any new or proposed tax laws or guidance that
fintech companies in your jurisdiction?
Certain fintech entities in Brazil (eg, digital banks, direct lending compa-
nies and peer-to-peer lending companies) are qualified as financial
institutions under Brazilian law. Those entities are subject to taxes
imposed on net profits, namely IRPJ and CSLL, and taxes imposed on
gross revenues, namely the contribution to the employees’ profit partici- Nei Zelmanovits
pation programme (PIS) and the Contribution to the Financing of Social nsz@machadomeyer.com.br
Security (COFINS) under the financial institution regime.
Thais de Gobbi
This regime is more burdensome than the regimes applicable tgobbi@machadomeyer.com.br
to other companies in Brazil: the aggregate rate of corporate income
tax and the CSLL is 45 per cent, and the aggregate rate of the PIS and Pedro Nasi
pdn@machadomeyer.com.br
COFINS is 4.65 per cent (with no credit deductions), rather than the
respective rates (with credit deductions) of 34 per cent and 9.25 per Vicente Braga
cent applicable to companies assessing the IRPJ and the CSLL under vbraga@machadomeyer.com.br
the real profit regime. Érica Yamashita
Other tax regimes are applicable to small and medium-sized eyamashita@machadomeyer.com.br
companies in Brazil, which are not subject to the financial institutions’
Diego Gualda
regime. In those cases, the tax burden tends to be even lower.
dlgualda@machadomeyer.com.br
In relation to crypto-asset exchanges, the Federal Revenue Service
has created an ancillary obligation for exchanges incorporated in Brazil: Vinicius Costa
they must disclose a set of information regarding every transaction vcosta@machadomeyer.com.br
intermediated by them. Alina Miyake
At this stage, the digital taxes that have been created do not affect amiyake@machadomeyer.com.br
the fintech environment.
Av. Brigadeiro Faria Lima

IMMIGRATION
No. 3144, 11th floor
Sector-specific schemes São Paulo, SP 01451 000
Brazil
45 What immigration schemes are available for fintech Tel: +55 11 3150 7000
businesses to recruit skilled staff from abroad? Are there www.machadomeyer.com.br
any special regimes specific to the technology or financial
sectors?
There are no specific immigration schemes available for fintech busi- In addition, the advent of regulatory sandbox initiatives promises to
nesses, nor for the technology and financial sectors in Brazil. The foster innovation, especially those related to the use of blockchain and
ordinary rules described in the Migration Law (Law No. 13,445 of 24 distributed ledger technology. The widespread use of tokenised assets
May 2017) and the Migration Decree (Decree No. 9,199 of 20 November is particularly expected, considering how the Securities and Exchange
2017) concerning work and residence permit requirements apply, which Commission (CVM) designed its regulatory sandbox initiative. Moreover,
includes the possibility of granting a permit for the provision of services alternatives for trading foreign exchange are expected, as some stable-
of technical assistance and technological transfer. coins make their way into the Brazilian market and the BCB welcomes
its first cohort of regulatory sandbox applicants.
UPDATE AND TRENDS News regarding the development of all these initiatives may be
found at the official websites of the BCB and the CVM.
46 Are there any other current developments or emerging Coronavirus
trends to note? 47 What emergency legislation, relief programmes and other
In 2020, the Central Bank of Brazil (BCB) started to implement the implemented to address the pandemic? Have any existing
instant payments system (PIX), which promises to foster competi- government programmes, laws or regulations been amended
tion in the retail payment industry – a sector in which fintech entities to address these concerns? What best practices are advisable
are overrepresented – and accelerate transactions through mobile for clients?
and QR codes.
The Brazilian open banking initiative is also scheduled to launch The government has enacted several pieces of emergency legislation
its first phase this year. The initiative was initially mostly aimed at insti- and other initiatives, aiming mostly to preserve jobs and to help small
tutions already regulated by the BCB, but the regulator was adamant and medium-sized enterprises.
about keeping an open door for the participation of non-regulated In the financial sector, the National Monetary Council (CMN) and
entities. Participation is designed to take place through partnership the BCB are considering the impacts of the pandemic in financial insti-
agreements with regulated entities in a provider capacity, focused on tutions and are openly aware of the challenges of maintaining their
enhancing the user’s experience. financial stability while ensuring that the economy has proper access
to the lending market. Thus, to provide temporary regulatory relief, the

BCB and the CMN have:
• postponed the enforcement of several regulatory requirements
due to enter in effect throughout the year;
• softened the rules regulating reserve requirements for financial
institutions to increase liquidity in the financial system;
• relaxed the provisioning rules for refinancing loans; and
• lowered the capital requirements for smaller and less complex
financial institutions.
In addition, specifically regarding the fintech sector, to facilitate access

to credit by small and medium-sized enterprises during the pandemic,
direct lending companies were authorised to issue credit cards and to
grant credit with funding provided by the Brazilian Development Bank.
38 Fintech 2021
China
Jingyuan Shi
FINTECH LANDSCAPE AND INITIATIVES incentives and special funds. Besides, some regions in China, such as
Beijing, Guangdong-Hong Kong-Macao Greater Bay Area, Chengdu,
General innovation climate Chongqing and Hangzhou, also issued incentive plans for the
1 What is the general state of fintech innovation in your fintech industry.
jurisdiction?
China’s reputation as a global leader in fintech innovation continues
to grow, and fintech companies in China have particular expertise in Regulatory bodies
areas such as payments, AI, blockchain and digital currency. Going 3 Which bodies regulate the provision of fintech products and
forward, we expect fintech innovation in China to play a substantial services?
role in the development of the entire financial services industry. The
Chinese government actively encourages innovation by fintech compa- There is no single regulatory body responsible for the regulation of
nies. However, the fintech sector remains highly regulated and this fintech products and services. Different fintech services and products
seem unlikely to change. In fact, it is possible that fintech companies are regulated by different regulatory bodies. The main regulatory
may be subject to greater regulatory supervision in the future, espe- bodies include the People's Bank of China (PBOC), China Banking
cially where they carry out business related to peer-to-peer online and Insurance Regulatory Commission (CBIRC) and China Securities
lending, blockchain-based currency, online insurance, the central- Regulatory Commission (CSRC).
ised storage of deposits in payments sectors, cybersecurity and data
protection. Regulated activities
4 Which activities trigger a licensing requirement in your
Government and regulatory support jurisdiction?
2 Do government bodies or regulators provide any support
specific to financial innovation? If so, what are the key The following activities are regulated and require a licence:
benefits of such support? • carrying on securities brokerage;
• carrying on securities investment consultancy;
In August 2019, the People's Bank of China (PBOC) issued the Fintech • financial advising relating to securities trading or investment;
Development Plan (2019–2021) (the Fintech Plan), which calls for • securities underwriting and sponsorship;
strengthening the strategic deployment of fintech and the rational • carrying on proprietary account transactions;
use of financial technology. The Fintech Plan outlines the principles, • carrying on securities asset management;
objectives, tasks and supporting measures of fintech development in • taking in deposits from the general public;
the three years from 2019 to 2021. It sets out 27 major tasks covering • handling domestic and foreign settlements;
six areas, including measures to remove the data barrier for different • handling, accepting and discounting of negotiable instruments;
financial businesses, to accelerate the integration of AI technology and • issuing financial bonds;
financial operations. • acting as an agent for the issue, honouring and underwriting of
Following the Fintech Plan, the PBOC and other five government government bonds;
ministries and commissions approved 10 fintech application pilot prov- • buying and selling government bonds and financial bonds;
inces and cities for the term of one year, which are Beijing, Shanghai, • offering and providing discretionary investment manage-
Jiangsu, Zhejiang, Fujian, Shandong, Guangdong, Chongqing, Sichuan ment services;
and Shanxi. A sandbox scheme was first introduced in Beijing in • buying and selling foreign exchange, and acting as an agent for the
December 2019 and expanded to five more cities and districts in late purchase and sale of foreign exchange;
April 2020, namely Shanghai, Chongqing, Shenzhen, Xiongan New Area • carrying on fund management services;
of Hebei, Hangzhou and Suzhou. • carrying on fund custodian services;
The pilot areas mentioned above have issued their own incen- • carrying on derivative products transactions;
tive plans. For example, in January 2020, the government of Shanghai • lending micro loans online or offline; and
issued the Implementation Plan for Accelerating the Construction of • providing consumer finance services.
Shanghai Fintech Centre, which calls for actively exploring financial
technology regulatory innovation and carrying out trials for fintech
innovations. In addition, the Shanghai government supports fintech
companies that meet certain qualifications to apply for relevant tax
China Simmons & Simmons LLP
Consumer lending are funds managed by fund managers, placed in the custody of fund
5 Is consumer lending regulated in your jurisdiction? custodians and used in the interest of the holders of the fund units
for investment in securities. Accordingly, peer-to-peer or marketplace
Consumer lending is a regulated activity and is governed by the General lenders or crowdfunding platforms do not fit the definition of collec-
Rules of Loans, the Administrative Measures for Pilot Consumer tive investment schemes and do not fall into the regulatory scope
Finance Companies (the Consumer Finance Measures) and the of the them.
Commercial Bank Law.
The General Rules of Loans require that lenders are approved by Alternative investment funds
the PBOC to engage in lending business, hold a financial legal person 8 Are managers of alternative investment funds regulated?
licence or a financial institution business licence issued by the PBOC,
and are approved and registered by the Administration for Industry Managers of alternative investment funds that raise capital from a
and Commerce. number of investors and invest it in accordance with a defined invest-
The Consumer Finance Measures regulates the operating activities ment policy for the benefit of those investors are regulated. These
of consumer finance companies that refer to non-bank financial institu- activities are broadly defined as asset management services, and
tions and do not receive public deposits but provide loans to resident may be conducted by securities companies, trust companies and fund
individuals within China for consumption purposes (excluding house management companies and their subsidiaries. Managers are subject
and vehicle purchases) under the principle of small sum and disper- to different regulatory regimes depending on the specific form of these
sion. The consumer finance companies must be approved by the CBIRC. alternative investment funds.
Secondary market loan trading Peer-to-peer and marketplace lending

6 Are there restrictions on trading loans in the secondary 9 Describe any specific regulation of peer-to-peer or
market in your jurisdiction? marketplace lending in your jurisdiction.
Trading loans between financial institutions in the secondary market The Interim Measures for the Administration of Business Activities on
are subject to regulatory supervision by the CBIRC and the following Online Lending Information Intermediary Agencies (the Online Lending
restrictions: Rules), issued on 17 August 2016 by the CBIRC, specifically target
• the financial institutions must report certain information to the activities of peer-to-peer lending between individuals through an
the CBIRC; internet-based platform. The Online Lending Rules require that the peer-
• the transfer of loans is subject to the consent of the borrower and to-peer lending platforms register with the local branch of the CBIRC,
the guarantor (if any); apply for the applicable telecommunication service operation licence
• all outstanding principal and interest must be transferred and include serving as an internet lending information intermediary
as a whole; in its business scope, and shall only act as information intermediaries
• parties are prohibited from making any direct or indirect repur- between parties. Peer-to-peer lending platforms must not conduct
chase arrangements; and credit enhancement services, cash concentration or fundraising activi-
• if the lender is from a consortium, other members of the consor- ties for themselves, or provide security or guarantee arrangements for
tium shall have the right of first refusal for such a transfer. lenders. The Online Lending Rules also set out detailed requirements
for information disclosure, protection of lenders and borrowers and risk
Trading loans between non-financial institutions are generally not control measures.
subject to mandatory regulatory restrictions. In the years 2017 to 2019, the Chinese government and relevant
regulatory authorities issued various regulations and guidelines
Collective investment schemes governing the peer-to-peer online lending industry. The main purpose
7 Describe the regulatory regime for collective investment was to regulate peer-to-peer industry behaviour and enhance supervi-
schemes and whether fintech companies providing sion of the industry.
alternative finance products or services would fall within its
scope. Crowdfunding
10 Describe any specific regulation of crowdfunding in your
The establishment and operation of securities investment funds within jurisdiction.
China via public and non-public raising of funds is regulated by the
Securities Investment Fund Law. The primary regulatory body for The Guideline Opinion on Promoting the Healthy Development of
funds in China is the CSRC. Generally, the regulation on public raising Internet Finance has defined equity-based crowdfunding as public equity
funds (retail funds) is more detailed and restrictive than for private financing in small amounts through an internet-based platform. The
funds. Retail funds and retail fund managers must be registered with Opinion provides that equity crowdfunding must be conducted through
the CSRC. Fundraising, fund custodian and investment activities are an agency platform such as a website or other digital medium, and
strictly regulated by the CSRC. Agencies that engage in sales, sales that the CSRC will be the regulatory authority for equity crowdfunding
payment, unit registration, valuation services, investment consulting, business. In 2016, the CSRC issued an action plan for risk control of
rating, information technology system services and other fund services equity-based crowdfunding, prohibiting the establishment of private
related to publicly raised funds are subject to registration or record equity funds or public offering of securities through crowdfunding.
filing in accordance with the requirements of the CSRC. Private funds In 2014, the Securities Association of China was entrusted by the
and private fund managers must register with the Asset Management CSRC to draft a Management Measures for Private Equity Crowdfunding
Association of China, an industry self-disciplinary body under the super- (Trial). The Measures were released for public comment in December
vision of the CSRC. 2014. However, the final version of the Measures has not yet been offi-
Pursuant to article 2 of Securities Investment Fund Law, the defi- cially released.
nition of collective investment schemes (securities investment funds)
40 Fintech 2021
Simmons & Simmons LLP China
Invoice trading Robo-advice

11 Describe any specific regulation of invoice trading in your 14 Describe any specific regulation of robo-advisers or other
jurisdiction. companies that provide retail customers with automated
The Chinese Negotiable Instruments Law, issued in 2004, applies to
three categories of negotiable instruments including money order, In 2018, the PBOC, the CBIRC, the CSRC and SAFE jointly issued the
promissory note and cheque. It provides rules for the transfer, endorse- Guidelines on Standardising the Asset Management Business of
ment, acceptance and payment of the three negotiable instruments. Financial Institutions (the Guidelines). The Guidelines define robo-advice
However, there is no specific regulation of invoice trading or as investment consulting service, and, thus, institutions or personnel
invoice trading platforms in China. Depending on how the business is carrying out robo-advice services must obtain relevant investment
structured, a firm that operates an invoice trading platform may be consulting service qualifications. The Guidelines confirm that robo-
carrying on a number of different regulated activities for which it must advice services must also strictly comply with the general rules of
have permission. asset management services, such as the rules regarding the suitability
of investors, investment scope, information disclosure and risk isola-
Payment services tion. In addition, the Guidelines also highlight that the development of
12 Are payment services regulated in your jurisdiction? investment algorithms must be diverse, thus avoiding the increase of
the pro-periodicity of investment behaviour.
Payment services provided by non-financial institutions (payment In addition, some cities, such as Shanghai and Beijing, have
services providers) in China are primarily regulated by the PBOC under issued incentive plans for new businesses that include robo-advisers.
the Administrative Measures for the Payment Services Provided by For example, Shanghai has issued the Action Plan for Promoting the
Non-financial Institutions. Payment services refer to any of the following Development of Online New Businesses of Shanghai City.
transfer services provided by non-financial institutions as the interme-
diaries between the payer and the payee: Insurance products
• online payments; 15 Do fintech companies that sell or market insurance products
• issuance of prepaid cards; in your jurisdiction need to be regulated?
• acceptance of payments using a bank card; and
• any other payment services as determined by the PBOC. Yes. In addition to the general insurance laws and regulations, internet
insurance companies are obliged to comply with the Interim Measures
A payment service provider is required to obtain a payment service for the Supervision of Internet Insurance Business and Implementation
licence issued by the PBOC to provide payment services in China. For Rules for the Information Disclosure of Internet Insurance Business
cross-border payments, payment services providers will need to obtain a issued by the CBIRC. Insurance companies and brokers must be CBIRC-
licence from the foreign exchange authority (ie, the State Administration licensed to carry out their business. They are permitted to conduct
of Foreign Exchange (SAFE)), in addition to the payment licence issued internet insurance business on their own online platforms or through
by the PBOC. Non-financial payment institutions must deposit customer third-party online platforms (these third-party online platforms are not
reserve funds in accounts with the PBOC or qualified commercial banks required to be CBIRC-licensed because all the insurance-related activi-
to protect the funds. ties are, and must be, conducted by the licensed insurance companies
According to the legislation plan issued by the PBOC on 17 April and brokers, instead of the platform operator).
2020, the drafting of the ‘Measures for the Administration of Cross-
border Payment Services’ has been put on the agenda to further Credit references
regulate cross-border payment services. 16 Are there any restrictions on providing credit references or
credit information services in your jurisdiction?
Open banking
13 Are there any laws or regulations introduced to promote Yes. The Administrative Regulations on the Credit Reporting Industry
competition that require financial institutions to make are the primary regulations for credit references and credit informa-
customer or product data available to third parties? tion services. The providers of corporate credit information services
are subject to filing requirements with the PBOC, while the providers of
There are currently no such laws or regulations in China. On 13 February personal credit information services are subject to prior approval from
2020, the PBOC issued the financial industry standard of the application the PBOC and stricter qualification requirements.
programming interface secure management specification for commer- In 2018, the PBOC issued its first (and the only so far) personal
cial banks (not mandatory but recommended). The standard specifies credit rating business licence to Baihang Credit Co, Ltd, a newly estab-
the type and security level of the application programming interface lished company comprising the eight companies in the pilot and the
(API) of commercial banks and the security design, deployment, inte- National Internet Finance Association.
gration, operation and maintenance, termination and system downline
and management, as well as other security technology and require- CROSS-BORDER REGULATION
ments. Some media organisations report that the financial authorities
plan to launch new regulations and policies for the open banking sector Passporting
and open API. 17 Can regulated activities be passported into your jurisdiction?
Regulated activities cannot be passported into China.
Requirement for a local presence FINANCIAL CRIME

18 Can fintech companies obtain a licence to provide financial
services in your jurisdiction without establishing a local Anti-bribery and anti-money laundering procedures
presence? 21 Are fintech companies required by law or regulation to have
In our experience, a licence for regulated activities would only be
granted to an entity that has a local presence. Therefore, it is unlikely Yes. The Administrative Measures for Anti-money Laundering and
that Chinese regulators, including the People's Bank of China, China Counter-terrorism Financing by Internet Finance Service Agencies (for
Securities Regulatory Commission (CSRC) and China Banking and Trial Implementation) issued by the People's Bank of China (PBOC) and
Insurance Regulatory Commission, would grant a licence for regulated China Banking and Insurance Regulatory Commission, effective on 1
activities to an entity that was not permanently established in China. January 2019, applies to all the approved institutions that carry out
Under special circumstances, foreign securities companies may conduct internet finance business in China. Internet finance businesses include
certain activities within China subject to the approval of the CSRC. but are not limited to online payment, peer-to-peer lending, peer-to-
Foreign institutions may provide financial information services without peer lending information intermediary services, equity crowdfunding
a local presence in China subject to the approval of the Cyberspace financing, internet fund sale, internet insurance, internet trust and
Administration of China, which is the primary authority for internet internet consumption finance.
content regulation in China. Institutions other than financial institutions and non-banking
payment institutions must register the fulfilment of duties in anti-
SALES AND MARKETING money laundering and counter-terrorism financing on the online
monitoring platform set up by the PBOC, while financial institutions and
Restrictions non-banking payment institutions may, depending on the need for anti-
19 What restrictions apply to the sales and marketing of money laundering work, connect with the online monitoring platform to
financial services and products in your jurisdiction? participate in exchange of work information, share technical facilities
and assess risks.
The sale of financial services and products is regulated by different Other major requirements for institutions carrying out internet
regulatory bodies depending on the type of financial services and prod- finance business include, among others:
ucts being sold. For example, the sale of fund products is subject to the • establishing an internal control system and compliance manage-
approval of the China Securities Regulatory Commission and the sale of ment policies for anti-money laundering and counter-terrorism
insurance products is subject to the approval of the China Banking and financing and reporting these systems and policies to relevant
Insurance Regulatory Commission. regulators;
Regarding the marketing of financial services and products, • conducting know-your-client (KYC) checks with due diligence;
different requirements are applicable to different types of services. • putting in place a monitoring and reporting system for large
In relation to securities-related services, for example, securities amount transactions and doubtful transactions; and
companies are required to obtain sufficient knowledge of the investors • cooperating with on-site and off-site inspections and anti-
and recommend suitable products and services based on the situation of money laundering investigations conducted by the PBOC or its
each investor. Securities companies must ensure that investors under- local branches.
stand the risks clearly and each investor must sign a risk disclosure
statement. Securities companies are not allowed to promise guaranteed In addition, under regulations for third-party payment transactions,
profits to the investors or make up for loss in promoting or marketing KYC checks must be completed on clients for anti-money laundering
financial products. purposes and there are annual limits on outgoing payments. Payment
For insurance services, internet insurance institutions must not platform operators can offer three types of accounts that have esca-
make any misrepresentations, exaggerate previous track records lating regulatory requirements. Accounts with lower annual limits have
or promise guaranteed profits as part of the marketing process. lower minimum KYC requirements and accounts with higher annual
Information concerning insurance products, services, premiums, etc, limits have more comprehensive KYC requirements.
must be clearly presented to the customers.
In relation to peer-to-peer lending, internet platforms must comply Guidance
with the information disclosure obligations and must not present fraud- 22 Is there regulatory or industry anti-financial crime guidance
ulent records or misleading representations or make major omissions for fintech companies?
when communicating with customers.
Yes. On 18 July 2015, several central government ministries and
CHANGE OF CONTROL commissions jointly issued the Guideline on Promoting the Healthy
Development of Internet Finance. The purpose of these guidelines was
Notification and consent to further the government’s promotion of, and incentives given to, digital
20 Describe any rules relating to notification or consent financial services and innovative platforms, while also establishing
requirements if a regulated business changes control. regulatory competences between different commissions.
In general, if a regulated business changes control it must make a

change of registration application to the regulatory authority. The
change of control may only take place after the change of registration
has been approved.
42 Fintech 2021
PEER-TO-PEER AND MARKETPLACE LENDING Securitisation risk retention requirements

Execution and enforceability of loan agreements requirements?
security agreements? Is there a risk that loan agreements There are no risk retention requirements for securitisation under
or security agreements entered into on a peer-to-peer or Chinese law.
marketplace lending platform will not be enforceable?
Securitisation confidentiality and data protection requirements
There are no specific legal requirements for executing loan agreements 26 Is a special purpose company used to purchase and securitise
or security agreements in China. peer-to-peer or marketplace loans subject to a duty of
The Interim Measures for the Administration of Business Activities confidentiality or data protection laws regarding information
on Online Lending Information Intermediary Agencies, issued by the relating to the borrowers?
China Banking and Insurance Regulatory Commission on 17 August
2016, provide that online lending platforms are designated as informa- The peer-to-peer platform operator must keep the lender’s and borrow-
tion intermediaries for borrowers and lenders and must not provide er’s information confidential, and further processing activities of data
credit enhancement or security or guarantee arrangements for the loan from the subjects in China must be carried out in China. However, there
transactions by itself. is no mandatory rule in China requiring that a purchaser of the relevant
Therefore, a peer-to-peer lending platform is merely an informa- loans shall be subject to specific data protection obligations (although,
tion exchange, and loan and security agreements cannot be entered in practice, they are most likely contractually bound so).
into on the peer-to-peer marketplace itself. Accordingly, the use of a
peer-to-peer marketplace does not impact the legal effectiveness and ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
enforcement of loan agreements or security agreements. TECHNOLOGY AND CRYPTO-ASSETS
Assignment of loans Artificial intelligence

24 What steps are required to perfect an assignment of 27 Are there rules or regulations governing the use of artificial
loans originated on a peer-to-peer or marketplace lending intelligence, including in relation to robo-advice?
assignment is not perfected? Is it possible to assign these In 2018, the People's Bank of China (PBOC), China Banking and Insurance
loans without informing the borrower? Regulatory Commission, China Securities Regulatory Commission and
State Administration of Foreign Exchange jointly issued the Guidelines on
According to the Provisions of the Supreme People’s Court on Several Standardising the Asset Management Business of Financial Institutions
Issues concerning the Application of Law in the Trial of Private Lending (the Guidelines). The Guidelines define robo-advice as investment
Cases and the Contract Law, the legal assignment of a loan by the consulting service, and, thus, institutions or personnel carrying out
assignor (ie, the lender) to the assignee (ie, the purchaser) will be robo-advice services must obtain relevant investment consulting
perfected provided that: service qualifications. The Guidelines confirm that robo-advice services
• the following circumstances are not applicable to the assignment: must also strictly comply with the general rules of asset management
the rights may not be assigned in light of the nature of the contract, services, such as the rules regarding suitability of investors, invest-
according to the agreement between the parties and according to ment scope, information disclosure and risk isolation. In addition, the
the provisions of the laws; Guidelines also highlight that the development of investment algo-
• a notice of the assignment has been given to the borrower; rithms must be diverse, thus avoiding the increase of the pro-periodicity
• the assignor absolutely assigns the receivable to the assignee; and of investment behaviour.
• where the laws or administrative regulations stipulate that the
assignment of rights or transfer of obligations shall undergo Distributed ledger technology
approval or registration procedures, these provisions shall 28 Are there rules or regulations governing the use of
be followed. distributed ledger technology or blockchains?
If the assignment is not perfected, it may still constitute an equitable On 10 January 2019, the Cyberspace Administration of China (CAC)
assignment (in contrast to a legal assignment), which is still recognised issued the Administrative Provisions on Blockchain Information
by Chinese courts. However, the disadvantage of an undisclosed assign- Services (the Blockchain Provisions), which came into effect on 15
ment is that, in the event of taking any legal action against the borrower February 2019. The Blockchain Provisions apply to blockchain infor-
for payment, the assignee would have to join the assignor in any such mation services in China, which are defined as information services
legal action against the borrower (in contrast to being able to sue in its delivered to the public by way of the internet or application programs
own name in the case of legal assignment) and the assignee may be based on blockchain technology or systems. The Blockchain Provisions
vulnerable to, among other things, certain competing claims and other do not require blockchain service providers to obtain special operating
set-off rights that may otherwise have been halted by the serving of permits from regulators. However, if the blockchain services fall within
notice on the borrower. the application scope of other Chinese rules, such as telecom business-
It is not possible to transfer loans to the purchaser without related regulations, the blockchain service will still be subject to the
informing the borrower. Unless the borrower is notified, the assign- operating permits under those rules. Although there is no operating
ment shall not be binding on the borrower. This notice by the assignor permits requirement on providing blockchain services, the Blockchain
to assign its rights must not be revoked, unless such revocation is Provisions require blockchain service providers to file a record with the
consented to by the assignee. CAC within 10 working days from the commencement of the blockchain
services. In addition, the Blockchain Provisions set out certain security
requirements for blockchain service providers. For example, blockchain
service providers should certify the real identity of blockchain service mainland China) had to stop. For completed ICOs (launched within main-
users by checking relevant information and keeping the login records of land China), exit arrangements were made for the investors that would
the users for at least six months. reasonably protect the investors’ interest. All financial institutions and
In October 2019, the Central Committee of the Communist Party of third-party payment institutions must not provide services in connec-
China organised a special study on blockchain technology chaired by tion with ICOs or virtual currency.
Chinese President Xi Jinping, who promoted the use of the technology
and its industrial innovation and development. This top-level endorse- DATA PROTECTION AND CYBERSECURITY
ment was viewed as an encouragement to those in the sector, which
has been dampened since the ban on initial coin offerings (ICOs) in 2017 Data protection
(however, there has been no relaxation of this ban). 32 What rules and regulations govern the processing and
In the Fintech Development Plan (2019–2021) issued by the PBOC, transfer (domestic and cross-border) of data relating to
the regulator proposed to improve China’s internet identity authentica- fintech products and services?
tion system by steadily advancing the testing, R&D and application of
distributed ledger technology. The key regulation governing the processing and transfer of data is the
Chinese Cybersecurity Law (the Cybersecurity Law) promulgated by
Crypto-assets the Standing Committee that was effective in 2017. It sets out the main
29 Are there rules or regulations governing the use of crypto- requirements and principles related to cybersecurity and data privacy.
assets, including digital currencies, digital wallets and The Cybersecurity Law is not specifically aimed at fintech companies.
e-money? Instead, it applies generally to a ‘network operator’, which is broadly
defined as ‘the owner or manager of a network, or a network service
The PBOC, together with six ministries, issued the Notice on Preventing provider’.
Financial Risks relating to Initial Coin Offerings on 7 September 2017, Under the Cybersecurity Law, the general principles of use and
which remains the primary regulation on ICOs. The Notice states that processing of personal data in China include that:
all financial institutions and non-banking payment institutions in China • the collection, use and processing of personal data shall be legiti-
must not directly or indirectly provide products or services for ICO mate, reasonable and necessary;
financing and cryptocurrency activities, including account opening, • data subjects shall be informed of the purpose, scope, method and
registration, trading, clearing and settlement services, and must not rules of data collection and processing, rights to access and correct
provide insurance services for ICOs and cryptocurrency activities or personal data, and the implications for refusal of data collection or
include any of them in insurance coverage. processing;
In light of above, virtual currency is generally not recognised and • the consent of data subjects shall be obtained prior to any collec-
virtual currency issuance and trading is generally prohibited in China. tion, use, processing or transfer of his or her personal data;
The PBOC recently announced that it has made some break- • the data collected shall be kept strictly confidential and shall not
throughs on its Digital Currency Electronic Payment (DCEP) project. The be leaked, tampered with, sold or otherwise illegally provided to
DCEP is the digital version of the renminbi and has the same legal status third parties;
and functionality as paper currency. The value of DCEP is also backed • the data processor shall take reasonable technical and other
by state credit. The DCEP will be distributed to the market through measures to ensure the safety of collected data and shall promptly
the PBOC and other commercial banks and banking institutions. It is notify and make remedies in case of data breach incidents; and
reported that the DCEP will first be pilot tested in Suzhou, Shenzhen, • telecoms service providers shall establish a compliant mechanism
Xiongan New Area and Chengdu in May 2020. However, the DCEP is fiat for data collection and processing, and shall provide data subjects
money, and its development does not in any way suggest a change in the access to their collected data and the right to correct such data.
regulator’s attitude towards cryptocurrencies.
In addition, the Cybersecurity Law requires that personal information
Digital currency exchanges and important data collected or gathered by the Critical Information
30 Are there rules or regulations governing the operation of Infrastructure (CII) operators during their operations is stored within the
digital currency exchanges or brokerages? territory of China. Where it is necessary to provide this information and
data to overseas entities owing to business demands, a security assess-
Virtual currency trading is generally prohibited in China, and digital ment must be conducted. The draft Measures for Security Assessment
currency exchanges and brokerages are also banned. of Data Exportation and the draft Measures for Security Assessment of
Cross-Border Transfer of Personal Information were published, which
Initial coin offerings further extend the security assessment requirements on cross-border
31 Are there rules or regulations governing initial coin offerings transfer from CII to all network operators. However, these two meas-
(ICOs) or token generation events? ures have not been finalised and adopted.
In addition to the Cybersecurity Law, certain industrial-specific
The PBOC, together with six ministries, issued the Notice on Preventing laws (including regulations in the financial sector) prohibit or restrict
Financial Risks relating to Initial Coin Offerings on 7 September 2017 the cross-border transfer of certain types of sensitive data. For example,
confirming that initial coin offerings (ICOs) are considered a type of financial institutions must not provide the personal financial information
unauthorised public financing activity, and, therefore, these activities of citizens in China to any entity overseas, subject to exceptions made by
must (within mainland China) stop immediately. The Notice reaffirmed the law. A credit rating entity must not collect sensitive personal infor-
the official position that virtual currency is not legitimate in mainland mation relating to, for example, religion, gene information, fingerprints,
China and must not be traded. The Notice states that ICOs are deemed blood type, diseases and other medical history, or other information
a significant risk to the financial stability of society and may allow prohibited by law.
various crimes (such as illegal offering of securities, illegal fund raising The Cybersecurity Law allows network operators to provide
and financial fraud). Effective immediately, all ICOs (launched within personal data to a third party without consent under exceptional
44 Fintech 2021
circumstances where the personal data has been anonymised so that it • avoidance of a high concentration level of suppliers;
cannot be used or recovered to identify a specific individual. • stricter due diligence on suppliers by the banking institutions and
Besides the mandatory laws and regulations, two new specifica- third parties when necessary, on their technology and industrial
tions that came into effect in 2020 are notable to fintech companies. experiences, internal control and management capability and conti-
One is the Personal Information Security Specification issued by the nuity of operation;
Standardisation Administration of China, which sets out a much higher • a specific chapter on cross-border and off-site IT outsourcing,
standard for personal data protection than the mandatory laws and which may involve international compliance; and
introduces many concepts and rules for data protection derived from • any outsourcing involving client information must be authorised by
EU data protection laws. The other is the Personal Financial Information the clients and comply with regulations and policies.
Protection Technology Specification issued by the People's Bank of China,
which classifies personal financial data into three categories according The banking institutions are required to report their important
to the level of sensitivity and requires personal financial data be trans- outsourcing activities to CBIRC or its local branches beforehand.
ferred via safe channels or in the form of encrypted data. The Personal Important outsourcing activities include, among others:
Financial Information Protection Technology Specification requires that, • outsourcing of the entire IT service;
under certain circumstances, (such as sharing and transfer, disclosure • outsourcing of the entire data centre or disaster recovery centre;
and aggregation of personal financial information) a security impact • outsourcing of the analysis or processing of client information or
assessment be conducted. transaction data;
Although the above two specifications are not binding, they are • off-site outsourcing of operation systems with client data storage;
recommended as best practice for personal data protection in China. • affiliated outsourcing; and
• cross-border IT outsourcing.
Cybersecurity
33 What cybersecurity regulations or standards apply to fintech In addition, banking institutions must report to the CBIRC or its local
businesses? branches within two working days in cases of leaks of sensitive data,
data damage or suspension of important operations, possible suspen-
There are no cybersecurity regulations specific to fintech business. sion of outsourcing services caused by force majeure or the operational
The general cyber security obligations of network operators under the or financial problems of the suppliers, violation of laws and regulations
Cybersecurity Law include requirements to: by the suppliers, and other significant events.
• establish internal cybersecurity policies and procedures; The Asset Management Association of China (AMAC) issued the
• implement proper technical measures to prevent hacking and Interim Administrative Measures for Private Funds Services Business
viruses as well as to monitor network operations; on 1 March 2017. The Measures require that service providers providing
• retain network operation records and logs for at least six months; fundraising, investment consulting, fund unit registration, valuation
• formulate and implement contingency plans; and audit and information technology system services to private fund
• address cyber risks known to the operators; and managers register with the AMAC. The service providers must not sub-
• report any cybersecurity incident to the government and the contract any such outsourcing business to third parties.
customers affected by the incident.
Cloud computing
OUTSOURCING AND CLOUD COMPUTING 35 Are there legal requirements or regulatory guidance with
respect to the use of cloud computing in the financial services
Outsourcing industry?
34 Are there legal requirements or regulatory guidance with
respect to the outsourcing by a financial services company of Cloud computing is deemed a type of value-added telecommunication
a material aspect of its business? service and requires a telecoms service licence. There are no specific
legal rules relating to the use of cloud computing in the financial sector,
The China Banking and Insurance Regulatory Commission (CBIRC) but the State Council has issued several related policy documents, such
issued the Guidelines of Risk Management for Outsourcing by Banking as the Guiding Opinions on Actively Promoting the ‘Internet Plus’ Action
Financial Institutions on 4 June 2010. The Guidelines define outsourcing Plan (2015), the Opinions on Promoting the Innovation and Development
activities as entrusting service providers to continually process certain of Cloud Computing and Fostering New Business models of Information
business for and on behalf of the banking institutions themselves. The Industry (2015) and the Development Plan of Promoting Inclusive
board of directors and senior management of the banking institutions Finance (2015), where the use of cloud computing in the financial sector
shall be ultimately responsible for the outsourcing activities. The banking and the use of online financial cloud service platforms is encouraged.
institutions must conduct a risk assessment prior to engaging any
outsourcing service providers. The banking institutions must enter into INTELLECTUAL PROPERTY RIGHTS
written agreements with service providers and establish a client infor-
mation confidentiality mechanism. Additionally, the service providers IP protection for software
must not sub-contract any outsourcing business to third parties. 36 Which intellectual property rights are available to protect
In 2013, the CBIRC issued the Guidelines on the Risk Supervision software, and how do you obtain those rights?
of Information Technology Outsourcing of Banking Financial Institutions,
which provide more detailed requirements on outsourcing in terms of Computer software is protected by copyright as an independent cate-
risk evaluation, due diligence, contracting, security management, super- gory of works. The subject of copyright is the code script of the software
vision and assessment, and services suspension and termination. Key and not the operating process or results of the software.
issues covered in the Guidelines and requirements include: Software copyright arises automatically upon completion of the
• major risks in the IT outsourcing of banking institutions; code script. Although registration is not a mandatory requirement for
• thorough assessment of outsourcing risks at least once a year; granting copyright, there is a specific procedure of software copyright
registration under Chinese law. Copyright issuers may apply to the Trade secrets
China Copyright Protection Centre for the registration of software copy- 39 How are trade secrets protected? Are trade secrets kept
right, licence agreement and assignment agreement of the software confidential during court proceedings?
copyright.
If the software code has been kept confidential it may also be Trade secrets are protected against unauthorised disclosure, misuse
protected as confidential information. No registration is required. and appropriation under competition laws in China. It is also provided
Although it is not common, software can also be protected by in employment contract law that employees are responsible for keeping
patents as long as the software demonstrates novelty, creativity and the trade secrets of their employer confidential. Trade secrets are
applicability as required by patent laws. Patents must be applied for, defined as any technology information or business operation informa-
granted and registered before the competent patent office. tion that: is unknown to the public; can bring about economic benefits
to the owner; has practical utility; and the owner has adopted security
IP developed by employees and contractors measures on. Serious infringement of trade secrets can be deemed a
37 Who owns new intellectual property developed by an criminal offence in China.
employee during the course of employment? Do the same Trade secrets are kept confidential during court proceedings. Cases
rules apply to new intellectual property developed by involving trade secrets can be heard in private if a party so requests.
contractors or consultants?
Branding
The copyright of works created mainly by using the materials and 40 What intellectual property rights are available to protect
technical resources of the employer (and that were the employer’s branding and how do you obtain those rights? How can
responsibility) shall belong to the employer. Otherwise, any works fintech businesses ensure they do not infringe existing
created during the course of employment shall belong to the employee brands?
who develops it. However, the employer has the priority right to exploit
the work within the scope of its normal business operation. Furthermore, Brands can be protected as registered trademarks in China. Other
the author may not authorise a third party to use the work in the same branding factors, such as trade names, commercial appearance,
manner in which his or her employer uses it, without the employer’s product packaging and decoration, can be protected from plagiarism
consent, within two years of the work’s completion. under competition laws in China.
The patent right of an invention accomplished in the course of Certain branding, such as logos and stylised marks, can also be
performing normal employee duties or mainly by using the material and protected by design rights and may also be protected by copyright as
technical resources of the employer shall be owned by the employer. artistic works.
However, in practice, most employers, especially technology All registered trademarks are publicly announced upon registra-
companies, will specify in the employment contract that all intellectual tion and recorded in the trademark database of the State Intellectual
property rights of works and inventions developed during the course Property Office of China, and can be publicly searched. It is highly advis-
of employment or for the purpose of fulfilling a work assignment are able for fintech businesses to conduct trademark searches to check
owned by the employer. whether earlier registrations exist that are identical or similar to their
The rules do not apply to new intellectual property developed by proposed brand names. It may also be advisable to conduct internet
contractors or consultants unless otherwise agreed, the intellectual searches for any unregistered trademark rights that are also recognised
property rights of inventions or works developed by contractors or and protected in China, which may prevent use of the proposed mark.
consultants shall be owned by the contractors or consultants.
In practice, it is often provided in the commissioning contract that Remedies for infringement of IP
the commissioner owns the intellectual property rights of the work, or 41 What remedies are available to individuals or companies
that the author owns the rights but shall grant the commissioner an whose intellectual property rights have been infringed?
exclusive and royalty-free licence to use the commissioned work for the
purposes contemplated at the time of the commissioning. Remedies include preliminary and final injunctions, damages or an
account of profits, destruction of infringing products, and costs.
Joint ownership
38 Are there any restrictions on a joint owner of intellectual COMPETITION
property’s right to use, license, charge or assign its right in
intellectual property? Sector-specific issues
42 Are there any specific competition issues that exist with
The joint owners of intellectual property rights must negotiate and respect to fintech companies in your jurisdiction?
reach agreement on the use, licensing and assignment of these intel-
lectual property rights. If no such agreement exists, any joint owner has There is a competition regime in China that applies to all entities
the right to use or grant a non-exclusive licence to third parties, and the carrying out business in China. However, there are no particular aspects
licence fees collected shall be distributed among all joint owners. The of this regime that would affect fintech businesses disproportionately to
granting of a sole or exclusive licence, and the charge, assignment or other businesses.
other disposal of the intellectual property rights shall be subject to the
consent of all joint owners.
The joint owners of a trademark are not subject to the above restric-
tions. This is because, usually, the joint owners register the trademark
under different classes and will not create confusion for customers.
Each joint owner is entitled to use, license, charge or assign its right in
the trademark without the consent of the other joint owners.
46 Fintech 2021
TAX
Incentives
43 Are there any tax incentives available for fintech companies
and investors to encourage innovation and investment in the
fintech sector in your jurisdiction?
There are no tax incentives specifically applicable to fintech companies.

However, there are some incentives and government support policies Jingyuan Shi
jingyuan.shi@simmons-simmons.com
applicable to IT and high-tech companies, tech start-ups and their inves-
tors. These industrial policies and incentives are found across different
regions and districts of China. 25th Floor Kerry Centre South Tower
In addition, there are also tax incentives available for some finan- 1 Guang Hua Road
cial sector companies (which could be fintech companies), if they meet Chaoyang District
certain conditions. For example, the interest income of a microloan Beijing
company’s lending to farmers is entitled to VAT exemption and income 100020
China
tax reduction until the end of 2023.
Tel: +86 10 8588 4500
Increased tax burden Fax: +86 10 8588 4588
www.simmons-simmons.com
Coronavirus
There are no new or proposed tax laws or guidance that could signifi- 47 What emergency legislation, relief programmes and other
cantly increase tax or administrative costs for fintech companies in China. initiatives specific to your practice area has your state
IMMIGRATION government programmes, laws or regulations been amended
Sector-specific schemes for clients?
45 What immigration schemes are available for fintech
businesses to recruit skilled staff from abroad? Are there On 1 February 2020, the PBOC, Ministry of Finance, China Banking
any special regimes specific to the technology or financial and Insurance Regulatory Commission, China Securities Regulatory
sectors? Commission and State Administration of Foreign Exchange jointly
issued a Notification on Further Strengthening Financial Support
There are no immigration schemes specifically for fintech talent, but for the Prevention and Control of Novel Coronavirus Pneumonia
the National Foreign Experts Bureau together with another two govern- Outbreak, which introduced 30 measures to provide financial support
ment authorities jointly issues a notice in January 2018, encouraging for epidemic control and to avoid potential financial risks. The major
foreign scientists, specialised talents and highly skilled technical talents measures include:
to come to work in China. Eligible applicants can be issued visas that are • that financial institutions are required to increase the amount of
valid for five to 10 years with multiple entry. loans for small and medium enterprises;
• that credit bureaus are required not to record citizens’ debt defaults
UPDATE AND TRENDS if these defaults are caused by the outbreak; and
• that relevant authorities are required to improve the efficiency
Current developments of services such as bond issuance, reduce the approval time for
46 Are there any other current developments or emerging capital market-related transactions and exempt the listing fees for
trends to note? companies based in regions with severe outbreaks.
One area of particular note in the People's Bank of China's (PBOC) Fintech In addition, the State Council announced in February that social secu-
Development Plan (2019–2021) is the proposal for a new standard for rity contributions will be exempted for medium-sized, small and micro
domestic payments, an area in which Chinese fintech players are heavily companies and large companies in Hubei province for five months, and
focused. The PBOC aims to propel the interoperability of different reduced by half for large businesses in other areas for three months.
payment barcode systems by setting out a single set of coding rules At the provincial level, most local governments also introduced
for barcode payments. This unified barcode system is hoped to enable similar financial support policies for fighting against covid-19. To
every scanning terminal in China to recognise any domestic payment boost consumption, some local governments are working closely
barcode (regardless of the payment service provider) and will greatly with e-payment service providers to provide citizens with consump-
enhance payment efficiency. tion coupons.
Denmark
Rasmus Mandøe Jensen and Christian Scott Uhlig
Plesner Advokatpartnerselskab

In recent years, the fintech sector has experienced significant growth in The main financial regulator is the Financial Supervisory Authority,
Denmark. This has been facilitated by: which also oversees compliance with anti-money laundering
• a highly educated and digitally literate population; regulation.
• a high degree of digitisation of public sector systems; Compliance with certain business conduct rules and other
• the support of specific government policies aimed at promoting consumer and competition-oriented rules is overseen by the
fintech innovation; and Competition and Consumer Authority.
• the development of Copenhagen as an international fintech hub. The Data Protection Agency oversees compliance with data
protection rules.
Under the auspices of Copenhagen Fintech (https://copenhagenfintech. The Central Bank has limited oversight over systemically impor-
dk/), a dedicated fintech lab opened in Copenhagen in 2016 (https:// tant payment and securities clearing and settlement infrastructures
copenhagenfintech.dk/startups/copenhagen-fintech-lab/) and has and similar systems.
become a central hub for fintech activity in Denmark.
In recent few years, a number of partnerships between fintech Regulated activities
start-ups and banks have been announced, which reflects the current 4 Which activities trigger a licensing requirement in your
trend of fintech companies seeking to partner and cooperate with jurisdiction?
existing financial sector bodies rather than attempting to be in competi-
tion with and opposition to them. Banking
While there has been significant activity in traditional fintech core Deposit-taking activities generally require a banking licence under
areas such as payments and investment services, ancillary areas such the Financial Business Act (https://www.retsinformation.dk/eli/
as regtech and insurtech remain less developed, but are expected to lta/2019/937) to legally operate in Denmark. There are no de minimis
grow in the future. or similar exemption available.
Lending does not require a licence in Denmark, although a regis-
Government and regulatory support tration under the Act on Measures to Prevent Money Laundering
2 Do government bodies or regulators provide any support and Financing of Terrorism may be required (as described below).
specific to financial innovation? If so, what are the key However, under the Financial Supervisory Authority's current guid-
benefits of such support? ance, EU banking institutions may have to passport their licence into
Denmark if they wish to perform lending activities there.
The government has specific policies aimed at promoting fintech busi- A new Act on Consumer Loan Undertakings entered into force on
ness and investments and to support Copenhagen as an international 1 July 2019, creating an exception to the licence-free lending require-
fintech hub. Recently, this has resulted in increased funding for the ment in Denmark.
Financial Supervisory Authority, enabling it to dedicate resources to a
specialised fintech office and create a regulatory sandbox. The Financial Payment services or e-money issuance
Supervisory Authority opened applications for its regulatory sandbox The performance of payment services, as defined in the Annex to
in 2018 and opened for applications for its second cohort during 2019. the Payments Act implementing Annex I to the revised EU Payment
In terms of purpose and eligibility criteria, the sandbox is similar to the Services Directive (2015/2366/EU) (PSD2), requires a licence under the
existing one operated by the UK Financial Conduct Authority. Payments Act (https://www.retsinformation.dk/eli/lta/2019/1024).
The Payments Act generally reflects the catalogue of exemptions
to the licence requirement in article 3 of the PSD2 and article 1 of the
Second EU Electronic Money Directive (2009/110/EU) (EMD2), except
that technical services covered by the exemption in article 3(j) of the
PSD2 are subject to certain fee regulations in the Payments Act.
Specifically, regarding the limited network exemption (article 3(k)
of the PSD2 and article 1(4) of the EMD2), although limited network
48 Fintech 2021
Plesner Advokatpartnerselskab Denmark
products are exempted from the licence requirement, they must still The licensing exemptions set out in article 2 of the EU Markets in
comply with the disclosure, business conduct and fee rules of the Financial Instruments II Directive have generally been implemented
Payments Act, as well as the regulation on issuance and redemption without material changes.
of e-money (corresponding mainly to Titles III and IV of the PSD2 and
article 11 of the EMD2). However, the disclosure, business conduct and Investment advice
fee rules do not apply to e-money issued within a limited network if: Undertakings that provide investment advice must be licensed as an
• the instrument cannot load a value of more than 3,000 investment adviser if they do not hold another licence that permits them
Danish kroner; to provide investment advice. Investment advisers may also receive and
• the instrument cannot be reloaded; and transmit orders.
• the issuer's aggregate outstanding e-money liabilities do not
exceed an amount equivalent to €5 million, in which case only the Financial advice
rules on redemption of e-money apply. Undertakings that provide advice on financial products to consumers
must be licensed as financial advisers. For this purpose, ‘financial prod-
Denmark has not elected to use the options in article 32 of the PSD2 ucts’ are credit agreements, excluding residential credit agreements,
and article 9 of the EMD2 to exempt low-volume and low-value payment deposits, insurances, pension and investment products. ‘Investment
services or e-money from the licensing requirement; however, the products’ are transferable securities, units or shares in collective
Payments Act provides for a less burdensome licensing process for investment schemes, deposits in banks where the return depends on
such providers and issuers, which are also exempt from the own funds the performance of one or more underlying assets, guarantee certifi-
requirements. cates, cooperative certificates and mortgage deeds.
Foreign exchange Residential credit intermediation

Unless performed by a licensed bank, foreign exchange activi- Undertakings that provide advice on or arrange or facilitate residen-
ties require a licence under the Act on Measures to Prevent Money tial credit agreements to consumers must be licensed as residential
Laundering and Financing of Terrorism (https://www.retsinformation. credit intermediaries. Residential credit agreements essentially cover
dk/eli/lta/2017/651). Exemptions from certain parts of the Act are the granting of loans secured on real estate.
available for entities whose foreign exchange activities are de minimis
– including a requirement that the foreign exchange business does Alternative investment funds
not account for more than 5 per cent of the entity's aggregate annual The management of alternative investment funds triggers a registra-
turnover – and purely ancillary to their main business. tion or licensing requirement depending on the size of the assets of
In addition, the Act on Measures to Prevent Money Laundering the managed investment fund. The threshold for authorisation rather
and Financing of Terrorism was amended following a legislative act than registration is assets under management by the manager of
that entered into force on 10 January 2020. Part of the purpose of €100 million (or €500 million if certain conditions are complied with).
the amendments is to implement the Fifth EU Anti-money Laundering Authorised managers must comply with all of the requirements of the
Directive (2018/843/EU) in Denmark. The amendment has subjected, legislation implementing the EU Alternative Investment Fund Managers
among others, providers of exchange services between virtual and fiat Directive, whereas a registered manager must comply with only a few
currencies to regulation under the Act just as such operators will have limited requirements.
to be registered under the Act. The definition of ‘alternative investment funds’ has been imple-
mented from the EU Alternative Investment Fund Managers Directive
Investment activities without material changes.
The provision of ‘investment services’ – as defined in the EU Markets
in Financial Instruments II Directive – and custody services triggers a Insurances
licensing requirement under Danish law. Insurance activities generally trigger a licensing requirement. The
There are three different investment firm sizes in terms of own Financial Business Act provides certain specific exemptions to the
funds requirements: licensing requirement, none of which would be expected to be relevant
• Small investment firms are subject to a minimum own funds for fintech businesses.
requirement of €50,000, a share capital of 500,000 kroner and the If the activity does not amount to being an insurer but involves
Capital Requirements Regulation own funds requirements and insurance distribution, the activity will require a licence if it constitutes
are permitted to provide: insurance or reinsurance mediation. There are no exemptions to this
• reception and transmission of orders; requirement. On the other hand, intermediaries that perform only ancil-
• execution of orders; lary insurance intermediation must be registered.
• discretionary portfolio management; and In general, the Danish market has seen only a limited number of
• investment advice. insurtech providers, including Undo, which has entered into a partner-
• Medium-sized investment firms permitted to provide the same ship with Danish insurance provider Tryg and Penni and has previously
investment services as small investment firms in addition to worked with the Danish insurance provider TopDanmark.
safe keeping (which is a core service in Denmark) are subject
to a minimum own funds requirement of €125,000, and a share Anti-money laundering
capital of 500,000 kroner and Capital Requirements Regulation Fintech businesses that are not otherwise required to have a licence
own funds requirements. under any of the above regulations must be registered with the
• Large investment firms permitted to provide all types of invest- Financial Supervisory Authority if they perform any of the activities set
ment service are subject to a minimum own funds requirement out in Annex I to the Act on Measures to Prevent Money Laundering and
of €730,000, a share capital of 500,000 kroner and Capital the Financing of Terrorism, including:
Requirements Regulation own funds requirements. • deposit taking;
• lending;
Denmark Plesner Advokatpartnerselskab
• financial leasing; constitutes equity crowdfunding, thereby subjecting the fintech

• assistance in offering securities and services ancillary thereto; and business to the rules regulating¸ among other things, offerings of
• the storage, administration and management of securities. securities and prospectus requirements;
• the Payments Act (implementing the PSD2 or the EMD2), if the
Consumer lending activity involves offering payment services or issuing e-money;
5 Is consumer lending regulated in your jurisdiction? • the Investment Association Act (implementing the EU Undertakings
for Collective Investment in Transferable Securities Directive
The Act on Consumer Loan Undertakings (https://www.retsinforma- (2009/65/EU)), if the activity involves establishing or managing
tion.dk/eli/lta/2019/450) entered into force on 1 July 2019, creating undertakings for collective investment in transferable securities; or
an exception to the absence of a requirement for a licence to lend in • the Act on Alternative Investment Fund Managers (implementing
Denmark. The new Act applies to most types of consumer loan and the EU Alternative Investment Fund Managers Directive (2011/61/
credit agreements unless: EU) (AIFMD)), if the activity involves establishing or managing an
• they are provided by an already licensed bank or other finan- alternative investment fund.
cial business;
• the agreement is for a zero-interest and zero-fee loan; or In respect of crowdfunding lending platforms, as of 1 July 2020, lenders
• the agreement is a leasing agreement without any obligation engaging on the platform will – regardless of whether the lenders are
to purchase. professional lenders or acting in a private capacity – be subject to a
cap of 35 per cent of the annual percentage rate on such loans, if the
Under the Act on Consumer Loan Undertakings, consumer loan and borrower is a consumer.
credit in-scope providers must obtain a licence from the Financial
Supervisory Authority (as during which, the management of the Alternative investment funds
consumer loan undertaking will be subject to customary fit and proper 8 Are managers of alternative investment funds regulated?
requirements) and will be subject to ongoing conduct of business rules.
An amendment to the Act on Consumer Loan Undertakings and As Denmark is an EU member state, the AIFMD applies.
the Marketing Practices Act entered into force on 1 July 2020. The The management of alternative investment funds triggers a regis-
amendments include (1) a 35 per cent cap on the annual percentage tration or licensing requirement depending on the size of the assets
rate (APR) on consumer loans, including on peer-to-peer loans; (2) a of the managed investment fund. The threshold for authorisation
cap on expenses (eg, interest, fees and reminder charges) over the life rather than registration is assets under management by a manager of
of the credit of 100 per cent of the original principal amount; and (3) a €100 million (or €500 million if certain conditions are complied with).
prohibition on marketing consumer loans with an APR of more than 25 Authorised managers must comply with all of the requirements of the
per cent as well as any marketing of consumer loans in connection with legislation implementing the AIFMD, whereas a registered manager
gambling or betting, or both (subject to limited exceptions, including must comply with only a few limited requirements.
marketing on the credit provider's own website). The definition of ‘alternative investment funds’ has been imple-
However, in respect of online marketing directed at consumers, mented from the AIFMD without material changes.
the above-mentioned marketing prohibition will not apply to consumer
loan undertakings located in other EU countries. To the extent that the Peer-to-peer and marketplace lending
marketing by these foreign consumer loan undertaking is carried out 9 Describe any specific regulation of peer-to-peer or
on television or on-demand services or in connection with gambling or marketplace lending in your jurisdiction.
betting, or both, the marketing prohibition will apply.
Such types of alternative financing are not subject to bespoke regu-
Secondary market loan trading lation in Denmark. However, whether they are professional lenders or
6 Are there restrictions on trading loans in the secondary acting in a private capacity, the lenders using the platform and the loans
market in your jurisdiction? provided by them over the platform have, from 1 July 2020, been subject
to a cap of 35 per cent of the annual percentage rate on these loans if
There are no restrictions on trading loans in the secondary market the borrower is a consumer.
under Danish law.
Crowdfunding
Collective investment schemes 10 Describe any specific regulation of crowdfunding in your
7 Describe the regulatory regime for collective investment jurisdiction.
schemes and whether fintech companies providing
alternative finance products or services would fall within its Crowdfunding and other types of alternative financing are not subject to
scope. bespoke regulation in Denmark. However, if the crowdfunding scheme
in question constitutes ‘donation-based crowdfunding’, the rules set out
Fintech companies providing such financial products or services are in the Danish Fundraising Act may apply.
not subject to any bespoke regulation. However, to the extent that their Non-bank lending or equity crowdfunding vehicles have a relatively
services constitute a regulated activity pursuant to the generally appli- limited market share. Recently, several projects have been launched
cable regulatory regime, these companies fall within the scope of the that focus on crowdfunding the ownership of real estate.
relevant regulation. Depending on the structure of the crowdfunding scheme (eg,
Depending on the nature of the activity, fintech businesses may equity-based crowdfunding), the general capital market rules, including
be subject to one or more of the following laws, each of which include EU Regulation 596/2014 on market abuse, EU Regulation 2017/1129 on
associated delegated regulations: prospectuses and the Danish Capital Markets Act (https://www.retsin-
• the Capital Markets Act and the EU Market Abuse Regulation formation.dk/eli/lta/2019/459) may apply.
(2014/596), to the extent that the crowdfunding scheme in question
50 Fintech 2021
Invoice trading CROSS-BORDER REGULATION

11 Describe any specific regulation of invoice trading in your
jurisdiction. Passporting
Invoice trading is not subject to bespoke regulation. However, to the
extent that the relevant invoice trading scheme constitutes a factoring Yes, to the extent that the entity is an EU entity and the underlying EU
arrangement, such factoring arrangements are subject to the Anti- law provides for a passporting system.
money Laundering Act and would trigger a registration requirement
with the Financial Supervisory Authority, as well as a requirement to Requirement for a local presence
comply with the other provisions set out in the Act. 18 Can fintech companies obtain a licence to provide financial
services in your jurisdiction without establishing a local
Payment services presence?
12 Are payment services regulated in your jurisdiction?
In general, obtaining a Danish licence (as opposed to passporting an
The performance of payment services, as defined in the Annex to the existing licence) for financial services requires that the applicant be
Payments Act implementing Annex I to the PSD2, requires a licence domiciled in Denmark.
under the Payments Act.
SALES AND MARKETING
Open banking
13 Are there any laws or regulations introduced to promote Restrictions
competition that require financial institutions to make 19 What restrictions apply to the sales and marketing of financial
customer or product data available to third parties? services and products in your jurisdiction?
No, except the rules implementing articles 65 to 68 of the PSD2. The The laws and regulations that govern and restrict the sale and marketing
Payments Act contains rules that severely restrict the processing and of financial services and products in Denmark include:
use of payment data. • the Act on Alternative Investment Fund Managers (implementing the
EU Alternative Investment Fund Managers Directive (2011/61/EU));
Robo-advice • the Markets in Financial Instruments Directive (2014/65/EU);
14 Describe any specific regulation of robo-advisers or other • the Consumer Contracts Act (implementing parts of the EU
companies that provide retail customers with automated Directive on Consumer Rights (2011/83/EU) and the EU Directive
access to investment products in your jurisdiction. on Distance Marketing of Consumer Financial Services (2002/65/
EU)), which contains rules on pre-contractual information require-
Robo-advice is not subject to specific regulation in Denmark. In July ments, right of withdrawal, termination and binding periods;
2019, the Financial Supervisory Authority published a regulatory note • the Marketing Practices Act (implementing the EU Directive on
regarding best practice when using supervised machine learning. Unfair Commercial Practices (2005/29/EU)), which – in addition
to the rules implementing the EU Unfair Commercial Practices
Insurance products Directive – contains rules on, among other things:
15 Do fintech companies that sell or market insurance products • unsolicited marketing;
in your jurisdiction need to be regulated? • comparative advertisements;
• the marketing of consumer credit;
Insurance activities generally trigger a licensing requirement. The • Consumer Ombudsman activities; and
Financial Business Act provides certain specific exemptions to the • how businesses must comply with good marketing practices;
licensing requirement, none of which are considered relevant for fintech • the Payments Act (implementing the Payment Services Directive
businesses. (2015/2366/EU)), which contains rules implementing the disclo-
If the activity is not of a scale for the provider to be considered an sure, business conduct and fee rules set out in Titles III and IV of the
insurer but involves insurance distribution, the activity will require a directive and corresponding provisions of the Second EU Electronic
licence if it constitutes insurance or reinsurance mediation. There are no Money Directive (2009/110/EU));
exemptions to this requirement. On the other hand, intermediaries that • the Credit Contracts Act (implementing parts of the EU Consumer
perform only ancillary insurance intermediation must be registered. Credit Directive (2008/48/EU)), which applies to credit arrange-
ments with consumers and that contains, among other things:
Credit references • mandatory disclosure requirements;
16 Are there any restrictions on providing credit references or • rules on changes to interest rates;
credit information services in your jurisdiction? • walk-away rights; and
• rules on term and termination;
Credit information services and credit information bureaus must gener- • the Act on Consumer Loan Undertakings, which applies to certain
ally adhere to the rules set out in the EU General Data Protection forms of loan and credit to consumers provided by lenders that are
Regulation and the Danish Data Protection Act. Credit information not banks or other forms of licensed financial business;
bureaus must seek a licence from the Danish Data Protection Agency • the Executive Order on Good Business Practices for Financial
prior to the commencement of any data processing. Businesses (implementing parts of the EU Directive on Consumer
Rights), which contains rules on duty of care to customers,
disclosure requirements, advising customers and restrictions
on amending or terminating customer contracts and applies to,
among others:
• banks; platforms are not subject to bespoke regulation, there is no specific risk
• mortgage banks; and that the agreements in question would not be enforceable.
• investment firms; and However, new legislation has been adopted by the Danish parlia-
• the Executive Order on Good Business Conduct for Insurance ment on 4 June 2020, which entered into effect on 1 July 2020, and
Distributors (implementing parts of the EU Insurance Distribution amended the Act on Consumer Loan Undertakings. The amendments
Directive (2016/97/EU)), if the activity involves insurance distribution. include a 35 per cent cap on the annual percentage rate (APR) on
consumer loans, including on peer-to-peer loans to consumers. To the
As of 1 July 2020, the Marketing Practices Act also (subject to limited extent that a consumer loan agreement has APR higher than the 35 per
exceptions, including marketing on the credit provider’s own website) cent cap and the lender does not hold a licence as a consumer loan
prohibits the on-marketing of consumer loans with an annual percentage provider or is licensed as a financial institution, the lender will only be
rate of more than 25 per cent and all marketing of consumer loans in entitled to demand repayment of the principal (ie, repayment without
connection with gambling or betting, or both. any interest). To the extent that the lender holds a license as a consumer
loan provider or is licensed as a financial institution, the lender would in
CHANGE OF CONTROL this case only be entitled to demand repayment of the principal together
with costs (the interest and fees, etc) up to an APR of 35 per cent.
Notification and consent
20 Describe any rules relating to notification or consent Assignment of loans
requirements if a regulated business changes control. 24 What steps are required to perfect an assignment of
loans originated on a peer-to-peer or marketplace lending
In general, if a regulated business changes control, this triggers a notifi- platform? What are the implications for the purchaser if the
cation or a consent requirement from the Financial Supervisory Authority. assignment is not perfected? Is it possible to assign these
This includes businesses and undertakings subject to the regulations set loans without informing the borrower?
out in the Financial Business Act. Further, to the extent that a company
must register with the Financial Supervisory Authority pursuant to the In the relationship between an assignor and assignee, the transfer of the
Anti-money Laundering Act, there would be a de facto consent require- assignment will be effective once an assignment agreement has been
ment from the Financial Supervisory Authority in the event of a change entered into. However, for the sale to be effective against any creditors
of control, as the Financial Supervisory Authority can revoke a registra- of the assignor and the bankruptcy estate of the assignor, the assignee
tion if it considers that the company or the management of the company (or the assignor, or both) must notify the relevant borrower of the sale
no longer meets the requirements under the Anti-money Laundering Act. and inform it to redirect payments under the loan to the assignee.
If an assignment has not been duly perfected, it may be voided
FINANCIAL CRIME subject to a hardening period, pursuant to which it may become void-
able and unenforceable. In the case of unaffiliated parties, the normal
Anti-bribery and anti-money laundering procedures hardening period under Danish law is three months.
21 Are fintech companies required by law or regulation to have Therefore, it is impossible to complete the perfection requirements
procedures to combat bribery or money laundering? without informing the borrower. However, in the relationship between
the assignor and assignee, the borrower need not be notified to validate
Fintech businesses that require a licence under the Financial Business the assignment.
Act, the Payments Act, the Alternative Fund Managers Act or the Act
on Financial Advisers, Investment Advisers and Residential Credit Securitisation risk retention requirements
Intermediaries or require a licence to carry out insurance activities, 25 Are securitisation transactions subject to risk retention
investment services or the provision of investment or financial advice are requirements?
subject to the rules set out in the Act on Measures to Prevent Money
Laundering and the Financing of Terrorism. This also applies to fintech There are no specific Danish law risk retention requirements; however,
businesses carrying out activities as a foreign exchange (and not other- the rules on risk retention requirements set out in the Capital
wise subject to regulatory requirements under the Financial Business Act). Requirements Regulation may apply.
Guidance Securitisation confidentiality and data protection requirements

22 Is there regulatory or industry anti-financial crime guidance 26 Is a special purpose company used to purchase and securitise
for fintech companies? peer-to-peer or marketplace loans subject to a duty of
confidentiality or data protection laws regarding information
No such guidelines have been made available at this time. relating to the borrowers?
PEER-TO-PEER AND MARKETPLACE LENDING Such special purpose vehicles are subject to both the EU General Data
Protection Regulation and the Danish Data Protection Act.
Execution and enforceability of loan agreements
security agreements? Is there a risk that loan agreements
or security agreements entered into on a peer-to-peer or
There are no specific requirements for executing loan agreements or

security agreements other than authorisation and execution of a loan
or security agreement. As peer-to-peer lending marketplace lending
52 Fintech 2021
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER Danish rules, including special rules on the processing of national iden-
TECHNOLOGY AND CRYPTO-ASSETS tification numbers (ie, CPR number).
Fintech products and services that involve the processing of
Artificial intelligence personal data on behalf of another company (ie, the customer or data
27 Are there rules or regulations governing the use of artificial controller) require that a written data processing agreement is entered
intelligence, including in relation to robo-advice? into. Further, if data is transferred outside the European Union, a legal
basis for the transfer must be in place.
AI is not subject to bespoke regulation in Denmark. In July 2019, the
Financial Supervisory Authority published a regulatory note regarding Cybersecurity
best practice when using supervised machine learning. 33 What cybersecurity regulations or standards apply to fintech
businesses?
Distributed ledger technology
28 Are there rules or regulations governing the use of Financial businesses (eg, banks, investment firms and insurers),
distributed ledger technology or blockchains? payment institutions and e-money institutions must generally have
prudent IT and cybersecurity systems, procedures and policies.
Distributed ledger technology and blockchain are not subject to bespoke However, apart from these general regulatory requirements, there
regulation in Denmark. are no generally applicable statutory cybersecurity regulations or
standards.
Crypto-assets Further, particularly within payment services, there are a number
29 Are there rules or regulations governing the use of crypto- of important IT and cybersecurity standards, including:
assets, including digital currencies, digital wallets and • the Regulatory Technical Standards on Strong Customer
e-money? Authentication and Common and Secure Open Standards of
Communication (Commission Delegated Regulation (EU) 2018/389);
Crypto-assets and digital currencies are not subject to bespoke regula- • the Guidelines on the Security Measures for Operational and
tion. Digital wallets and e-money are subject to the EU rules pursuant Security Risks of Payment Services (promulgated under the
to the revised EU Payment Services Directive (2015/2366/EU). revised EU Payment Services Directive); and
Furthermore, as of 10 January 2020, custodian wallet providers and • the payment card industry (PCI) IT industry security standards,
providers of exchange services between virtual and fiat currencies are particularly the PCI Data Security Standard and the PCI Payment
subject to regulation under the Act. Application Data Security Standard. Although these are widely
accepted industry standards, they do not constitute public law
Digital currency exchanges regulations and as such are not directly enforced by the Financial
30 Are there rules or regulations governing the operation of Supervisory Authority.
digital currency exchanges or brokerages?
OUTSOURCING AND CLOUD COMPUTING
There are no specific rules regulating the operation of digital currency
exchanges or brokerages; however, custodian wallet providers and Outsourcing
providers of exchange services between virtual and fiat currencies 34 Are there legal requirements or regulatory guidance with
fall under the Act on Measures to Prevent Money Laundering and the respect to the outsourcing by a financial services company of
Financing of Terrorism. a material aspect of its business?
Initial coin offerings The Executive Order on Outsourcing of Material Areas of Activity (the
31 Are there rules or regulations governing initial coin offerings Outsourcing Order) sets out the legal requirements relating to the
(ICOs) or token generation events? outsourcing by a financial services company of a material aspect of its
business. In addition to the Outsourcing Order, the Financial Supervisory
There are no specific rules regulating initial coin offerings (ICOs) or Authority has published regulatory guidance on its requirements.
token generation events. However, to the extent that coins or tokens A new draft Outsourcing Order has been put forward that will
offered in an ICO constitute financial instruments, the general capital significantly amend the existing Outsourcing Order.
market rules, including the EU Regulation 596/2014 on market abuse The purpose of the new legislative proposal is to, inter alia, align
and the Danish Capital Markets Act, apply. the Danish outsourcing rules with the outsourcing guidelines of the
European Banking Authority. As one of the key changes to the existing
DATA PROTECTION AND CYBERSECURITY Outsourcing Order, it is the intention that electronic money institutions
and payment institutions be subject to the rules set out therein. The new
Data protection Outsourcing Order contains some national gold plating provisions (eg,
32 What rules and regulations govern the processing and regarding outsourcing to cloud service providers) that goes beyond the
transfer (domestic and cross-border) of data relating to outsourcing guidelines of the European Banking Authority.
fintech products and services? The new Outsourcing Order will regulate all outsourcing and will
entail further requirements for ‘critical or important’ outsourcing, which
The EU General Data Protection Regulation (GDPR) and the Danish Data includes, inter alia, outsourcing of capital and liquidity-risk manage-
Protection Act (DDPA) apply to fintech products and services if personal ment, outsourcing of IT and security and outsourcing of key functions.
data is processed. The regulations apply to all data processing relating The new Outsourcing Order sets out specific requirement for the
to an identified or identifiable natural person (eg, name, account and outsourcing of ‘critical or important’ areas, including detailed require-
credit card information, other customer identification data and internet ments for the outsourcing agreement between the company and the
protocol address). The DDPA supplements the GDPR with national outsourcing provider; for example, requirements for the description of
the outsourced activity and whether the outsourcing provider may sub- Inventions (patents and utility models)
outsource the activity to a third party. If a person (eg, an employee or a consultant) has made a technical
Furthermore, the new Outsourcing Order will require businesses invention that can be patented or registered as a utility model, the
to keep a register of information on all of the relevant company's starting point is that the employee or the consultant is entitled to this
outsourcing and outsourcing providers. invention.
The new Outsourcing Order entered into force on 1 July 2020. Pursuant to the Danish Employees’ Inventions Act, if the invention
has been made as part of the employment, the employer is entitled to
Cloud computing claim that the right to the invention be transferred to them if the use
35 Are there legal requirements or regulatory guidance with of the invention falls within the scope of the activities of the company.
respect to the use of cloud computing in the financial services The same applies if the employee’s invention relates to a specific
industry? task assigned to him or her by the employer. Even if the invention was
made during off-duty hours, the employer could still be entitled to claim
In addition to the Outsourcing Order and the related Financial Supervisory the right to the invention. The Danish Employees' Inventions Act does
Authority regulatory guidance on the Outsourcing Order, Danish finan- not apply to consultants.
cial services companies use the European Banking Authority guidelines The Act on inventions at public research institutions regulates the
on outsourcing as guidance. right to inventions made by teachers and other scientific employees at
universities. The Act stipulates that the employee is entitled to an inven-
INTELLECTUAL PROPERTY RIGHTS tion that he or she has made him or herself; however, the Act also states
that the institution has a right to claim that this invention be transferred
IP protection for software to it, if the employee made the invention as part of his or her work.
36 Which intellectual property rights are available to protect
software, and how do you obtain those rights? Designs
The right to a design depends on whether it is a Danish design or a
Fintech innovations may be protected as inventions under patent law community design. The Danish Designs Act stipulates that the person
if they are patentable. This includes filing for a patent and meeting the who created the Danish design or the person to whom the designer's
requirements under Danish patent laws (eg, patentable subject matter, right has been transferred has the right to acquire the exclusive right
novelty and inventive step). Fintech innovations may also be protected as to the design.
utility models where the bar for protection is lower than that of a patent. The Danish Designs Act does not regulate the relationship between
Further, if the innovation is embodied in software coding, copyright employer and employee. It is, however, assumed that under the Danish
protection may be available to the author (in this case, the programmer) Designs Act the design rights belong to the employer, unless the design
if the software coding has a sufficient degree of originality. In addition, is also protected by copyright. In the latter case, the design right follows
fintech innovations may be protected as sui generis database rights if the copyright and is determined based on an analogy of the rules on
the conditions for protection set out in section 71 of the Copyright Act copyright for employees (see above).
(incorporating the EU directive on the Legal Protection of Databases According to article 14(3) of the Regulation on Community designs,
(96/9/EU)) are met. any rights to a community design shall vest in the employer unless
Although not intellectual property in the traditional sense, a fintech otherwise agreed or specified under national law. This only applies
innovation may be protected as a trade secret under the Trade Secrets to traditional employment relationships (employer–employee). For
Act (incorporating the EU directive on the Protection of Undisclosed commissioned designs, the question of whom the rights belong to must
Know-How and Business Information (Trade Secrets) (2016/943/EU)) if be decided specifically.
the innovation is kept secret.
Trademarks
IP developed by employees and contractors The trader, and not the person who created the sign, owns the rights
37 Who owns new intellectual property developed by an to the sign. If an employee owns the copyright or design rights to the
employee during the course of employment? Do the same sign, the employer can only use it if they have agreed on this or if it is
rules apply to new intellectual property developed by otherwise justified under the copyright and design rules. Accordingly, it
contractors or consultants? is important to determine whether the employee created the trademark
as a part of his or her work or whether the exploitation of the trademark
Copyright falls within the scope of the usual activities of the employer.
The Danish Copyright Act stipulates that the person who creates a work If a consultant owns the copyright to the sign, the trader will have
owns the copyright to that work. This applies regardless of whether the a right of use only unless otherwise agreed.
person is an employee or a contractor or consultant.
In relation to copyright created during the term of employment, the Joint ownership
general rule is that there is an automatic transfer of copyright from the 38 Are there any restrictions on a joint owner of intellectual
employee to the employer by virtue of the employment provided certain property’s right to use, license, charge or assign its right in
criteria are met. The employer shall only be entitled to the parts of the intellectual property?
employee's copyright that were necessary for the employer’s usual
activities at the time when the employee created the work. Further, it As the joint ownership of IP rights is commonly regulated on a contrac-
is a condition that the employment is of a permanent nature and that tual basis between the joint owners, restrictions on a joint owner follow
creating the work was part of the employee's tasks. from the contractual regulation thereof.
Further, the copyright to computer programs developed by an If an invention is made jointly, each person will own a propor-
employee within the scope of his or her employment or as a result of tionate share of the invention in the absence of a prior agreement. The
the employer's directions, automatically transfer in full to the employer. joint ownership entails some restrictions in each person's right to use,
license, charge or assign the invention, even without an agreement.
54 Fintech 2021
In general, all joint owners of an invention must agree on substantial Remedies for infringement of IP
decisions regarding the jointly owned invention, including agreements 41 What remedies are available to individuals or companies
on licensing. Each owner may individually sell or assign its own share in whose intellectual property rights have been infringed?
the invention unless otherwise agreed.
With regard to copyright, co-authors to a copyrighted work, where A number of remedies are available to individuals or companies whose
each contribution cannot be separated as independent works, enjoy IP rights have been infringed, including:
joint co-ownership in the copyright of the work. • financial compensation (eg, damages and reasonable
remuneration);
Trade secrets • injunctions (eg, preliminary injunctions);
39 How are trade secrets protected? Are trade secrets kept • corrective measures;
confidential during court proceedings? • the publication of judicial decisions;
• reasonable compensation for legal costs; and
Confidential information and trade secrets are covered by the new • criminal penalties.
Trade Secrets Act (incorporating the EU Directive on the Protection
of Undisclosed Know-How and Business Information (Trade Secrets) COMPETITION
(2016/943/EU)) and the Danish Penal Code.
With regard to the confidentiality of trade secrets (including confi- Sector-specific issues
dential information) during court proceedings, the Trade Secrets Act 42 Are there any specific competition issues that exist with
stipulates that the duty of confidentiality to which the court's staff (eg, respect to fintech companies in your jurisdiction?
the judge), lawyers and others employed by the law firm are subject,
implies that the unlawful use or disclosure of trade secrets that the The fintech nature of a product or service does not in itself give rise to
person in question has learned about through involvement in or access particular competition law issues.
to the legal proceedings is a punishable offence. This also applies to However, aspects of the fintech business model mean that certain
other persons involved in the legal proceedings, such as witnesses. competition law considerations – of general application – often become
relevant in the context of fintech businesses.
Branding One example of this is the widespread use of partnerships between
40 What intellectual property rights are available to protect fintech businesses and incumbent financial institutions that, depending
branding and how do you obtain those rights? How can on the nature of the partnership, may raise competition law questions
fintech businesses ensure they do not infringe existing about horizontal or vertical cooperation.
brands? At the other end of the spectrum, where a fintech product or
service requires the fintech business to access a financial institution's
The most relevant IP rights protecting branding are set out in the systems or customer data and the financial institution is reluctant to
Trademarks Act, the Marketing Practices Act and the Copyright Act. provide this access, questions of anticompetitive behaviour may arise in
The Trademarks Act protects signs used in branding, such as brand certain circumstances.
names, mottos or catchphrases and logos. The Marketing Practices Act
protects certain commercial signs that have the necessary degree of TAX
distinctiveness. Copyright protection may in principle be afforded under
the Copyright Act for user interfaces in software and website designs, Incentives
which may enjoy copyright protection with regard to branding; however, 43 Are there any tax incentives available for fintech companies
in practice, this protection is difficult to obtain. and investors to encourage innovation and investment in the
Trademark protection in Denmark may be obtained by way of both fintech sector in your jurisdiction?
a community (EU) trademark and on the national level in Denmark as a
Danish trademark. In Denmark, trademark protection may be obtained Danish tax law provides no specific fintech incentives. However, Danish
by way of both registration and use-based rights. To be registered as a tax law contains general tax incentives in the form of tax-favourable
trademark, the trademark owner must be able reproduce the trademark treatment on granting shares, options and warrants, where a company
in an appropriate manner by using technology that is generally avail- can grant up to 10 per cent (or 20 per cent if certain requirements are
able in order to determine the content of the trademark right clearly and met) of an employee's remuneration through such instruments. These
precisely. Protection under the Marketing Practices Act is obtained by favourable tax incentives have in part been introduced to promote start-
use, when necessary degree of distinctiveness exists. up businesses in Denmark.
To avoid trademark infringement of existing brands, fintech busi-
nesses should perform appropriate freedom-to-operate analysis prior Increased tax burden
to launching brands, including checking both national and EU registers 44 Are there any new or proposed tax laws or guidance that
for potentially conflicting registered rights. As protection in some cases could significantly increase tax or administrative costs for
can be established by use, a market check is also necessary. Similarly, fintech companies in your jurisdiction?
as regards the Marketing Practices Act, where protection is also estab-
lished formlessly, a market check is necessary. There are no such proposed tax laws currently implemented or
The Danish Patent and Trademark Office will, in connection with underway.
a trademark application, produce a search report showing rights with
which the applicant may come into conflict. However, the owners of
these prior rights are not automatically notified of this and, thus, it is up
to each owner to stay informed and assess whether they believe their
rights are infringed.
IMMIGRATION
Sector-specific schemes
businesses to recruit skilled staff from abroad? Are there
sectors?
Citizens from other EU and EEA countries or Switzerland may work Rasmus Mandøe Jensen
rmj@plesner.com
in Denmark under the EU rules on the free movement of persons and
services. As a clear starting point, these citizens must have a work Christian Scott Uhlig
permit to work in Denmark. csu@plesner.com
There are several immigration schemes aimed at the recruitment
of skilled staff. However, none are specific to the technology or financial Amerika Plads 37
sector. The most relevant schemes for a fintech business are: DK-2100 Copenhagen
• the Pay Limit Scheme, which ensures that an employee is granted Denmark
a work permit if their annual salary is over a certain amount Tel: +45 33 12 11 33
(436,000 kroner) and the employment terms correspond to Danish www.plesner.com
standards;
• the Positive List scheme, under which residence and work permits
are granted to employees who have been offered jobs that are listed
on the Positive List covering certain professions and fields that are and ‘covid-19 investor loans’, which both are aimed at seed-stage start-
currently experiencing a shortage of qualified professionals. The ups, and ‘covid-19 syndicated loans’, which are aimed at late-stage
list contains more than 100 professions and is available on the start-ups.
Danish Immigration Service website; and These covid-19 financing schemes are set to expire on 30
• the fast-track scheme, which makes it faster and easier for certified September 2020.
companies to recruit foreign employees with special qualifications
to work in Denmark
Additional immigration schemes are available that may be relevant (eg,

for trainees or intra-group secondments).
UPDATE AND TRENDS
trends to note?
No updates at this time.
Coronavirus
for clients?
In the area of banking and finance, the Danish authorities have put in
place several schemes as a result of the covid-19 outbreak, however
none specifically targeted fintech companies.
These schemes include, inter alia, a guarantee scheme from the
Danish Growth Fund covering up to 70 per cent of loans issued for the
purpose of funding losses resulting from the covid-19 outbreak as well
as a similar guarantee scheme from the Danish Export Credit Agency
directed at Danish export businesses (ie, businesses where a minimum
of 10 per cent of the revenue stream from the last financial year related
to exports), which also covers up to 70 per cent of losses incurred by
lenders on new credit lines offered for liquidity purposes.
Furthermore, the Danish Growth Fund has initiated certain lending
schemes directed at Danish start-ups. These schemes include ‘covid-19
start loans’, which are aimed at pre-seed start-ups, as well as certain
match-rate financing schemes, including ‘covid-19 business angel loans
56 Fintech 2021
Egypt
Mohamed Hashish
Soliman, Hashish & Partners
FINTECH LANDSCAPE AND INITIATIVES After an almost five-month review, the House of Representatives intro-
duced a number of amendments to the Law, which were approved, in
General innovation climate principle, by the House of Representatives on 5 May 2020.
1 What is the general state of fintech innovation in your The Draft Banking Law was referred to the State Council for review,
jurisdiction? which approved and referred it to the President for issuance.
Fintech is governed by several Egyptian laws and regulations, including Government and regulatory support
the following main laws and regulations (as amended): 2 Do government bodies or regulators provide any support
• the Non-cash Payment Methods Law No. 18 of 2019; specific to financial innovation? If so, what are the key
• Law No. 88 of 2003 on the Central Bank of Egypt and the Banking benefits of such support?
Sector (the Banking Law) and its executive regulation;
• the E-signature Law No. 15 of 2004 and its executive regulation; In May 2019, the CBE launched a regulatory sandbox for the purpose of
• the Non-Financial Markets and Instruments Law No. 10 of 2009; providing fintech players with is a virtual space within which, subject
• the Microfinance Law No. 141 of 2014; to a specific framework, applicants can experiment with their solutions
• the Trade Code No. 17 of 1999; for a limited period of time on a small scale and under a well-defined
• the Consumer Finance Law No. 18 of 2020; parameter.
• the Cybercrime Law No. 175 of 2018; Furthermore, a number of funds initiatives are available to fintech
• the Investment Law No. 72 of 2017 and its executive regulation; start-ups in Egypt. For example, in March 2019, the CBE launched the
• the Consumer Protection Law No. 181 of 2018 and its executive Fintech Innovation Fund with a value of 1 billion Egyptian pounds. In
regulation; April 2019, the International Finance Corporation launched, in collabora-
• the Small and Microenterprises Law No. 141 of 2004 and its execution with two local partners in Egypt, a two-year programme to support
tive regulation; the fintech space in Egypt, and the World Bank Group set aside US$200
• the Telecoms Law No. 10 of 2003; million for small and medium-sized enterprises in Egypt, which can be
• the Media Law No. 180 of 2018; used also by small and medium-sized fintech players.
• the Capital Market Law No. 95 of 1992 and its executive regulation;
• the Movable Securities Law No. 115 of 2015 and its executive FINANCIAL REGULATION
regulation;
• the Anti-Money Laundering Law No. 80 of 2002 and its executive Regulatory bodies
regulation; 3 Which bodies regulate the provision of fintech products and
• the Public Entities Contracts Law No. 182 of 2018 and its executive services?
regulation; and
• Presidential Decree No. 89 of 2017, founding the National Several bodies are responsible for enforcing fintech-related laws and
Payments Council. regulations, including:
• the Central Bank of Egypt (CBE), which is empowered by Law No.
There has been rapid global change in the banking and finance sector, 88 of 2003 on the Central Bank of Egypt and the Banking Sector
particularly in the fintech space. The banking sector in Egypt, being a (the Banking Law) to, among other things, regulate bank accounts
country that witnessed two revolutions in 2011 and 2013, was certainly and banking transactions;
affected by this change as well as the local political challenges. • the Information Technology Industry Development Agency, which is
As a result, the Egyptian government, upon a request by the Central empowered by the E-signature Law No. 15 of 2004 to, among other
Bank of Egypt (CBE), proposed a new Draft Banking Law. This Law things, promote and develop the information technology and commu-
was prepared based on, among other things, several pieces of advice nications industry, support small and medium-sized enterprises in
provided by international consultancy firms, a comparative study on the using e-transactions and regulate e-signature services activities;
laws of other countries, international standards, the Basel Framework, • the Financial Regulatory Authority (FRA), which is empowered by
recommendations of the Organisation for Economic Co-operation and the Non-Financial Markets and Instruments Law No. 10 of 2009
Development, the World Bank Group and the International Monetary to, among other things, license the carrying out of non-banking
Fund, as well as recommendations made by the banks that are regis- financial activities and the protection of stakeholders within the
tered with the CBE. non-banking financial market;
In accordance with the Constitution, the Draft Banking Law was • the National Payments Council, which is empowered by Presidential
submitted to the House of Representatives for review and approval. Decree No. 89 of 2017 to, among other things, reduce the use of
Egypt Soliman, Hashish & Partners
cash outside the banking sector, support and encourage the use of Secondary market loan trading
electronic methods and channels instead of cash, and protect the 6 Are there restrictions on trading loans in the secondary
consumers of any payment systems and services; and market in your jurisdiction?
• the National Telecommunications Regulatory Authority, which is
generally empowered by the Telecoms Law No. 10 of 2003 to regu- In general, there are no restrictions on trading loans in Egypt. However,
late and enhance telecommunication services. if the trading is being carried out on a regular basis, then it may be
deemed as the carrying out of banking activities, in which case licensing
Regulated activities by and registration with the CBE is required.
4 Which activities trigger a licensing requirement in your The assignment of debts in Egypt is subject to a specific legal
jurisdiction? framework to be effective in respect of debtor and surety (if any).
In general, according to the Banking Law and several judgments issued Collective investment schemes
by the economic courts, neither natural nor juristic persons may practise 7 Describe the regulatory regime for collective investment
any banking activity in Egypt without being licensed by and registered schemes and whether fintech companies providing
with the CBE. alternative finance products or services would fall within its
‘Banking activities’ are defined under the Banking Law as any activ- scope.
ities regarding the receipt of deposits, the provision of refinancing, loans,
facilities, contributions to share capital in local companies and any other As a general rule, no activity relating to investment funds can be carried
activities that are considered as banking activities according to banking out unless a licence is obtained from the FRA. Banks registered with the
customs that are carried out on a regular basis and as the main business CBE may carry out the activity, provided that an approval is obtained
activities of any person carrying out those activities. This definition is from the CBE.
also found in the Trade Code No. 17 of 1999. Investment funds may, in general, be established in the form of a
Any person that violates those provisions is subject to imprison- joint-stock company with a minimum issued capital of 5 million Egyptian
ment of between 24 hours and three years or a fine of between 5,000 pounds or any equivalent currency.
Egyptian pounds and 50,000 Egyptian pounds, or both, in accordance Licensed investment funds must deposit any securities that
with the Banking Law. There are two main prerequisites that must be they are investing in with one of the banks that is registered with the
satisfied to apply those penalties in respect of any banking activity, CBE, providing that the bank (and its related parties) does not control
namely carrying out the banking activity on a regular basis and having or hold more than 10 per cent of the total shares in the investment
the banking activity as the main activities of any person, including indi- fund company.
viduals and juristic persons. One of the licensing requirements to be qualified for the invest-
Other than the general rule above, each of the following activities is ment fund underwriting is to have the minimum required infrastructure
also regulated and subject to licensing requirements in Egypt: and technology to do so.
• microfinancing; Investment funds may take the form of an open-end fund, closed-
• investment banking; end fund, private equity fund, exchange-traded fund, money market
• brokerage; fund, debt fund, real estate fund, donor-advised fund or related fund.
• factoring; Promoting investment funds is generally not allowed before estab-
• foreign exchange trading; lishing them except for in the case of private equity funds and providing,
• payment services; among other things, that a notification is sent to the FRA and that no
• e-commerce; underwriting is made as a part of the promotion.
• financial leasing; Most of the alternative financial products and services that are
• mortgage finance; and provided by fintech companies generally fall within the scope of either
• consumer lending. collective investment schemes or banking activities.
Consumer lending Alternative investment funds

5 Is consumer lending regulated in your jurisdiction? 8 Are managers of alternative investment funds regulated?
The Consumer Finance Law No. 18 of 2020 was issued on 16 March 2020, Yes, managers of alternative investment funds are regulated, including
governing any activity aiming at financing the purchase of products or board members.
services for consumption purposes as long as the activity will be carried
out on a regular basis. Among the activities covered is financing through Peer-to-peer and marketplace lending
payment cards or any other means decided by the CBE. 9 Describe any specific regulation of peer-to-peer or
The consumer finance-related activities above may not be carried out marketplace lending in your jurisdiction.
in Egypt unless a licence is obtained from the FRA. The licence requires,
among other things, the carrying out of the activities by a joint-stock Peer-to-peer and marketplace lending can be deemed as banking
company with an issued capital of at least 10 million Egyptian pounds. activities, in which case licensing by and registration with the CBE is
The Consumer Finance Law (including the licensing requirement) required.
does not apply to all banks registered with the CBE nor any entity licensed
to carry out mortgage financing, financial leasing, factoring, microfi- Crowdfunding
nancing or the purchasing of properties from real estate developers. 10 Describe any specific regulation of crowdfunding in your
The Consumer Finance Law applies only to vehicles, durable jurisdiction.
products, educational services, medical services, travel and leisure
services as well as any other products and services that are determined Crowdfunding falls within the meaning of banking activities; however, it
by the FRA. may also be a form of donor-advised fund.
58 Fintech 2021
Soliman, Hashish & Partners Egypt
In practice, a number of donor-advised funds have been estab- Robo-advice

lished by a special presidential decree rather than a licence from the 14 Describe any specific regulation of robo-advisers or other
FRA. For example, Presidential Decree No. 139 of 2014 established a companies that provide retail customers with automated
fund of a private nature called the Tahya Misr Fund for the purpose of access to investment products in your jurisdiction.
assisting the government in, among other things, establishing develop-
ment and service projects as well as developing slums and micro and Robo-advice is not yet regulated in Egypt.
small projects.
The government has used the crowdfunding approach to fund a Insurance products
number of public utility projects, such as the crowdfunding that was 15 Do fintech companies that sell or market insurance products
used in 2014 to fund the development of the New Suez Canal, which cost in your jurisdiction need to be regulated?
Egypt around 30 billion Egyptian pounds.
According to the Insurance Law No. 10 of 1981, no one is allowed in
Invoice trading person or through an intermediary to carry out any activity related to
11 Describe any specific regulation of invoice trading in your insurance or reinsurance in Egypt without obtaining a licence from the
jurisdiction. FRA. Fintech companies that sell or market insurance products fall
within this restriction and are regulated in Egypt.
Invoice trading may be characterised under Egyptian law as banking
activities (if providing credit), and it may also be characterised as a Credit references
factoring. This can be assessed on a case-by-case basis. 16 Are there any restrictions on providing credit references or
Licensed factors are allowed to provide, among other things, guar- credit information services in your jurisdiction?
antee, collection and account management services.
The following main three conditions are required in the subject of All services relating to the provision of credit rating and indebtedness
any factoring transaction: references are regulated. Those services require a licence from the CBE.
1 it must be created from a commercial transaction related to the At present, there is only one licensed company, the Egyptian Credit
relevant buyer and debtor but not through a cash financing; Bureau, that is subject to a specific legal framework governing the
2 it must not be associated with any third party’s existing or future provisions of those references.
right; and In general, disclosing credit ratings and indebtedness references
3 it must not be limited or restricted unless otherwise agreed by the related to any person is not allowed unless an approval from the person
relevant factor and buyer. is obtained.
The subject may also be fully depreciated, provided that points (2) and CROSS-BORDER REGULATION
(3) are satisfied.
The provisions of Law No. 88 of 2003 on the Central Bank of Egypt Passporting
and the Banking Sector and several judgments issued by the economic 17 Can regulated activities be passported into your jurisdiction?
courts also apply to factoring.
Not applicable.
Payment services
12 Are payment services regulated in your jurisdiction? Requirement for a local presence
There is a specific regulation governing payment services that are services in your jurisdiction without establishing a local
provided by technical payment aggregators or payment facilitators. presence?
Services agreements are subject to specific know-your-customer and
anti-money laundering checks and must include specific terms and No,
conditions for those services, including a restriction on sub-contracting
unless certain conditions are being met. SALES AND MARKETING
Under the Draft Banking Law, no activity concerning the opera-
tion of a payment system or the provision of a payment system may be Restrictions
carried out unless a licence is obtained by the CBE. This new restric- 19 What restrictions apply to the sales and marketing of
tion applies to all persons, whether natural or juristic, carrying out the financial services and products in your jurisdiction?
activity in Egypt or providing the services from abroad to any residents
in Egypt, with the exceptions of stock exchanges, futures exchanges, In general, the sales and marketing of financial services and products in
securities settlement systems, licensed central clearing, depository and Egypt are regulated and subject to a prior licence and approval.
registry systems, custodian banks and internal systems of the Egyptian
Ministry of Finance that do not include payment, collection, setting-off CHANGE OF CONTROL
or clearance of payment.
Open banking 20 Describe any rules relating to notification or consent
13 Are there any laws or regulations introduced to promote requirements if a regulated business changes control.
competition that require financial institutions to make
customer or product data available to third parties? It depends on several elements, such as the type and location of busi-
ness that is the subject of the change of control. For example, no one
No. is allowed to acquire between 5 and 10 per cent of the issued capital
of any bank registered with the Central Bank of Egypt (CBE) unless a
notification is sent to the CBE. Prior approval from the CBE is required Securitisation risk retention requirements
to acquire more than 10 per cent of the issued capital. A similar restric- 25 Are securitisation transactions subject to risk retention
tion applies to insurance companies. requirements?
FINANCIAL CRIME In general, the originator of a securitisation portfolio must guarantee

its existence at the assignment date, and the originator is not liable for
Anti-bribery and anti-money laundering procedures settling any dues that are the subject of the portfolio upon the perfec-
21 Are fintech companies required by law or regulation to have tion of the assignment to the relevant securitisation special purpose
procedures to combat bribery or money laundering? vehicle.
The assignment is required, in general, not to be conditional except
Money laundering is mainly governed by the Anti-Money Laundering for one condition that requires complete subscription to the securitised
Law No. 80 of 2002 (the AML Law) and its executive regulation. portfolio.
The AML Law names 15 entities that must comply with the its
provisions and its executive regulation, including all banks, branches of Securitisation confidentiality and data protection requirements
foreign banks in Egypt and money transfer entities. 26 Is a special purpose company used to purchase and securitise
Those entities are also subject to several obligations under other peer-to-peer or marketplace loans subject to a duty of
laws governing their specific activities. Violating these obligations confidentiality or data protection laws regarding information
will result in imposing different penalties including fines or imprison- relating to the borrowers?
ment, or both.
Not applicable.
Guidance
22 Is there regulatory or industry anti-financial crime guidance ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
for fintech companies? TECHNOLOGY AND CRYPTO-ASSETS
Yes, all available guides can be found on the anti-money laundering Artificial intelligence
page of the Central Bank of Egypt’s website. 27 Are there rules or regulations governing the use of artificial
intelligence, including in relation to robo-advice?
PEER-TO-PEER AND MARKETPLACE LENDING
There is no special regulation in Egypt governing artificial intelligence.
Execution and enforceability of loan agreements However, according to Prime Ministerial Decree No. 2889 of 2019, a new
23 What are the requirements for executing loan agreements or national council was established: the Artificial Intelligence National
security agreements? Is there a risk that loan agreements Council (AINC). The AINC is empowered to determine, supervise and
or security agreements entered into on a peer-to-peer or follow up on Egypt’s national strategy for artificial intelligence in light of
marketplace lending platform will not be enforceable? international developments.
In addition, since 2019, the Minister of High Education has started
In general, loan agreements do not require any execution formali- to add special artificial intelligence departments to several engineering
ties, whereas almost all types of securities, such as mortgages, liens, universities in Egypt.
pledges, assignments of rights and movable collateral, have specific
execution formalities to be enforceable and effective in respect of Distributed ledger technology
third parties. 28 Are there rules or regulations governing the use of
Peer-to-peer and marketplace lending platforms may be deemed distributed ledger technology or blockchains?
as banking activities; therefore, there is an invalidity risk associated
with any loan granted within the peer-to-peer and marketplace lending There are no specific regulations or rules applied to distributed ledger
platform without compliance with the relevant licensing framework. technology or blockchain. However, the Draft Banking Law includes a
Chapter regulating fintech, including, among other things, the possibility
Assignment of loans of issuing cryptocurrencies for the first time in Egypt.
loans originated on a peer-to-peer or marketplace lending Crypto-assets
platform? What are the implications for the purchaser if the 29 Are there rules or regulations governing the use of crypto-
assignment is not perfected? Is it possible to assign these assets, including digital currencies, digital wallets and
loans without informing the borrower? e-money?
In general, there are no restrictions on trading loans in Egypt. However, There is no specific regulation governing crypto-assets in Egypt.
if the trading is being carried out on a regular basis, then it may be However, the Draft Banking Law includes a Chapter regulating fintech,
deemed as the carrying out of banking activities, in which case licensing including, among other things, the possibility of issuing cryptocurren-
by and registration with the Central Bank of Egypt is required. cies for the first time in Egypt.
The assignment of debts in Egypt is subject to a specific legal The Mobile Payment Regulation was issued by the Central Bank
framework to be effective in respect of debtor and surety (if any). of Egypt (CBE) in November 2016. The Regulation governs mobile
payments and provides the minimum requirements that banks must
meet to authorise mobile payments, including risk management, super-
visory requirements, customers’ security, mobile cash, partnership with
services providers, interoperability, authentication, confidentiality and
licensing framework.
60 Fintech 2021
The Mobile Payment Regulation does not apply to mobile banking, Cybersecurity
which is governed separately. 33 What cybersecurity regulations or standards apply to fintech
Each bank is allowed to issue mobile cash of up to 5 per cent of its businesses?
paid-in capital or 50 million Egyptian pounds, whichever is less. Mobile
cash may only be issued in Egyptian pounds, not in any other currency. According to the Cybercrime Law No. 175 of 2018, all providers of infor-
Local transactions in mobile cash within Egypt are allowed within mation technology and telecommunications services, including the
specific daily and monthly thresholds adopted by the CBE. However, processing or storing of data, must retain and store users’ data for at
these thresholds may be exceeded if a positive outcome for the know- least 180 continuous days, including identification, the content of the
your-customer and authentication process is made. services’ system, communication traffic, terminals and any other data
The Mobile Payment Regulation allows the receipt of mobile cash required by the National Telecommunications Regulatory Authority.
transfers from abroad, subject to satisfying a number of conditions, The providers must also keep all stored and archived data
including that the transfers must be converted into Egyptian pounds (including personal data) confidential and not disclose the data unless
and be limited to natural persons. there is court order to do so.
Digital currency exchanges OUTSOURCING AND CLOUD COMPUTING

30 Are there rules or regulations governing the operation of
digital currency exchanges or brokerages? Outsourcing
There is no specific regulation governing crypto-assets in Egypt. respect to the outsourcing by a financial services company of
However, the Draft Banking Law includes a Chapter regulating fintech, a material aspect of its business?
including, among other things, the possibility of issuing cryptocurren-
cies for the first time in Egypt. Yes. There are specific legal requirements and regulatory guidance
for the outsourcing of specific services. For example, online trading is
Initial coin offerings subject to specific regulations requiring brokerage companies to satisfy
31 Are there rules or regulations governing initial coin offerings certain conditions and requirements to provide any trading solutions
(ICOs) or token generation events? online. These conditions and requirements include specific technical
requirements and conditions on the information technology infrastruc-
There is no specific regulation governing ICOs in Egypt. However, the ture of the brokerage companies.
Draft Banking Law includes a Chapter regulating fintech. Another example, according to a Circular issued by the Central
Bank of Egypt (CBE) in 2014, is that no bank registered with the CBE
DATA PROTECTION AND CYBERSECURITY may provide internet banking solutions, including online lending, unless
prior authorisation is obtained from the CBE. This prior authorisation
Data protection requires all banks registered with the CBE to meet specific legal require-
32 What rules and regulations govern the processing and ments, including the provision of a penetration test report to the CBE.
fintech products and services? Cloud computing
There is not yet a personal data protection law in Egypt. However, on respect to the use of cloud computing in the financial services
24 February 2020, the House of Representatives approved Egypt’s first industry?
personal data protection law (the Data Protection Law), and it is now
subject to issuance by the President. Cloud computing is subject to the Cybercrime Law No. 175 of 2018,
The approved Data Protection Law prohibits any act of transfer, which applies to any person providing users, directly or indirectly, with
storage or sharing of personal data, which was collected or prepared any information technology and telecommunications service, including
for processing, to any foreign state unless the following two main condi- processing or data storage. Those providers must retain and store
tions are being satisfied: users’ data for at least 180 continuous days, including identification, the
• a protection level applies that is not less than the one adopted by content of services’ system, communication traffic, terminals and any
the Data Protection Law; and other data required by the National Telecommunications Regulatory
• a licence by the Personal Data Protection Centre is obtained. Authority.
According to the Media Law No. 180 of 2018, a prior licence from
The executive regulations to be issued for the approved Data Protection the Supreme Council for Media Regulation is required to launch any
Law will specify the policies, criteria, requirements and rules that must website in Egypt if:
be met for the transfer, storage, sharing, processing and protection of • the website will be created in Egypt;
personal data across borders. • the website will be managed by any person in Egypt; or
The details of the licensing process are not yet clear. The process • any of the website’s subdomains will be managed by any
may depend on a number of factors, including the country to which person in Egypt.
the personal data will be transferred, national security concerns and
whether the other country allows the transfer of personal data to Egypt.
INTELLECTUAL PROPERTY RIGHTS claim damages that cover all the losses incurred to the owner as well
as all the profits of which the owner has been deprived as a result of
IP protection for software the infringement.
software, and how do you obtain those rights? COMPETITION
Software is protected in Egypt in the form of copyright. This protection Sector-specific issues
requires the registration of the software, including, among other things, 42 Are there any specific competition issues that exist with
the first and final 10 pages of the source code, with the Information respect to fintech companies in your jurisdiction?
Technology Industry Development Agency.
To assess whether there is an antitrust-related risk, it must first be deter-
IP developed by employees and contractors mined whether the relevant fintech player is deemed to be in a dominant
37 Who owns new intellectual property developed by an position in accordance with the meaning given under the Antitrust Law
employee during the course of employment? Do the same No. 3 of 2005 (the Antitrust Law) and its executive regulations.
rules apply to new intellectual property developed by For a fintech player and its controlled affiliates in Egypt to be
contractors or consultants? deemed to be in a dominant position under the Antitrust Law, the
player must:
According to the Intellectual Property Rights Law No. 82 of 2002 (the 1 hold a market share exceeding 25 per cent of the market that is
IPRs Law), only the person who provides the direction to create a joint relevant to each service provided by the player (the relevant
work is entitled to exercise the author rights of the work. This rule market), the percentage being calculated based on two elements,
applies to copyright created by employees during the course of their namely the relevant products (the relevant market products) and
employment. the geographic area during a certain period;
For contractors and consultants, it depends on the specific terms 2 be able to make an impact on changing the prices or the quantity of
and conditions of the relevant development or services agreement. the market products (the dominant ability); and
3 not be in a position to limit the dominant ability, noting that the
Joint ownership competitors have the ability to carry out the same business as the
38 Are there any restrictions on a joint owner of intellectual fintech player in Egypt whether in the present or in the future.
intellectual property? Points (2) and (3) are reviewed and assessed by the Egyptian Competition
Authority (ECA) based on specific criteria.
According to the IPRs Law, if there is more than one author of any work, If the fintech player is in a dominant position in the relevant market,
all participants in the work are considered joint authors, and none of then that player must be in a position to conduct certain practices,
them can individually use any right over the work unless otherwise including entering into any agreement with any of its suppliers or its
agreed between the authors in writing. customers that results in limiting competition.
The assessment of any violation under the Antitrust Law is made
Trade secrets by ECA on a case-by-case basis according to specific criteria, including,
39 How are trade secrets protected? Are trade secrets kept among other things, the benefits of customers and commercial customs.
confidential during court proceedings? The assessment is subject to a judicial review by the economic courts.
Trade secrets (including confidential information) are protected by the TAX

IPRs Law, provided that the secrets:
• are maintained as confidential and are not within the public domain; Incentives
• maintain their value as a result of their confidential status; and 43 Are there any tax incentives available for fintech companies
• maintain their confidentiality status under the effective protection and investors to encourage innovation and investment in the
measures taken by their owner. fintech sector in your jurisdiction?
According to the IPRs Law, the court will maintain the confidentially of The Investment Law No. 72 of 2017 provides fintech companies, subject
trade secrets. to the satisfaction of specific criteria, with several key guarantees and
incentives, including:
Branding • exemption from stamp duty and the notarisation fee imposed on
40 What intellectual property rights are available to protect articles of incorporation, facilities and loans agreements, security
branding and how do you obtain those rights? How can documents or plot of land purchase agreements for five years,
fintech businesses ensure they do not infringe existing starting from the date of registration with the Commercial Registry;
brands? • application of a unified custom duty at a flat rate of 2 per cent of the
value of any equipment, machinery and device that is necessary for
Branding is generally protected as both copyright and trademarks. establishment of the investment projects; and
• tax reduction for seven years, counting from the date of starting the
Remedies for infringement of IP investment projects in Egypt, subject to a specific formula.
41 What remedies are available to individuals or companies
whose intellectual property rights have been infringed?
There are several remedies under Egyptian law for owners of intel-
lectual property rights, including specific performance and the right to
62 Fintech 2021

The Tax Authority is currently in the process of proposing several

amendments to the existing tax regimes in Egypt, whereby a new digital
tax will be introduced. However, it is too early to know the rates of the
proposed digital tax. Mohamed Hashish
m.hashish@shandpartners.com
IMMIGRATION
10th Floor, Degla Plaza Building (75/77)
Sector-specific schemes 199 St, Degla
45 What immigration schemes are available for fintech New Maadi, Cairo
businesses to recruit skilled staff from abroad? Are there Egypt
any special regimes specific to the technology or financial Tel: +201 00047 0077
www.shandpartners.com
sectors?
As a general rule, non-Egyptians are not allowed to work in Egypt

without being permitted to do so by the Ministry of Manpower. In prac-
tice, the issuance of a work permit takes up to three months, and it is overcome the repercussions of the pandemic. The Rules also provide
valid from one to three years. that these businesses should not lay off any of their employees or
The proportion of foreign employees must not exceed 10 per cent reduce the salaries of their employees.
of the total number of employees and must not exceed 20 per cent of
the company’s payroll. The 10 per cent threshold may be increased to 20
per cent for fintech businesses subject to specific criteria.
UPDATE AND TRENDS
trends to note?
The Egyptian government, upon a request by the Central Bank of Egypt

(CBE), has proposed a new Draft Banking Law. This Law was prepared
based on, among other things, several pieces of advice provided
by international consultancy firms, a comparative study on the laws
of other countries, international standards, the Basel Framework,
recommendations of the Organisation for Economic Co-operation and
Development, the World Bank Group and the International Monetary
Fund, as well as recommendations made by the banks that are regis-
tered with CBE.
In accordance with the Constitution, the Draft Banking Law was
submitted to the House of Representatives for review and approval.
After an almost five-month review, the House of Representatives intro-
duced a number of amendments to the Law, which were approved, in
principle, by the House of Representatives on 5 May 2020.
Coronavirus
for clients?
In response to the covid-19 pandemic, several pieces of emergency legis-

lation and relief initiatives have been issued in the private sector. For
example, a new law was issued under Law No. 24 of 2020, determining
the financial rules for facing the challenges brought on the pandemic
(the Financial Support Rules). The Financial Support Rules grant all
businesses working in the sectors that have been badly affected by
the pandemic a number of benefits and exemptions to support them to
Germany
Christopher Götz, Dang Ngo, Elmar Weinand, Eva Heinrichs, Felix Biedermann, Janine Marinello,
Jochen Kindermann, Martin Gramsch and Sascha Kuhn
FINTECH LANDSCAPE AND INITIATIVES be subject to reduced requirements provided it limits its activities
to, broadly:
General innovation climate • the distribution of open or closed-end funds registered for public
1 What is the general state of fintech innovation in your distribution in Germany; or
jurisdiction? • the distribution of participation rights, subordinated loans or profit
participation rights.
According to latest statistics, the fintech market has reached a level
of saturation. Recent statistics show that after a peak of new compa- In these cases, the local trade office would be the competent supervi-
nies in 2017 the number of new fintech start-ups in Germany reduced to sory authority.
eight in 2019. As a result of strong competition with non-German fintech
companies, several big tech companies and long-established market Regulated activities
participants, a substantial increase in new fintech companies in the 4 Which activities trigger a licensing requirement in your
German market is not expected. There is a trend towards established jurisdiction?
business models that have proven to be reliable. Established companies
benefit from higher funding compared to smaller or new companies for Pursuant to section 32(1), sentence 1 of the German Banking Act
whom access to funding seems to have become more difficult. (KWG), anyone wishing to conduct banking business or to provide
financial services in Germany commercially or on a scale that requires
Government and regulatory support a commercially organised business undertaking requires a written
2 Do government bodies or regulators provide any support licence from BaFin. What constitutes banking business or financial
specific to financial innovation? If so, what are the key services is set out in section 1(1) and (1a) KWG and includes, among
benefits of such support? other things:
• the acceptance of monies from the public (deposit business);
The German government and municipalities support fintech companies • the provision of money loans (lending business);
in various ways. The Federal Financial Supervisory Authority (BaFin) is • the brokering of business involving the purchase and sale of finan-
the financial regulatory authority in Germany. BaFin set up a dedicated cial instruments (investment broking);
team to support fintech companies in relation to their market entry, • providing customers or their representatives with personal recom-
and it also organises events (eg, the annual BaFin-Tech conference) to mendations in respect of transactions relating to certain financial
discuss regulatory developments with market participants. Although instruments where the recommendation is based on an evalua-
fintech companies do not benefit from special treatment, BaFin supports tion of the investor’s personal circumstances or is presented as
fintech companies in relation to evaluating licensing requirements and being suitable for the investor and is not provided exclusively via
clarifying ongoing regulatory aspects. The German FinTechRat includes information distribution channels or for the general public (invest-
experts appointed by the German Ministry of Finance who support the ment advice);
legislature in developing a suitable regulatory framework. All German • the purchase and sale of financial instruments on behalf of and for
cities that are hubs for fintech (Berlin, Frankfurt, Munich and Hamburg) the account of others (contract broking);
offer additional support through fintech centres. In addition, universities • the management of individual portfolios of financial instruments
in or around fintech centres tend support and dedicate resources to the for others on a discretionary basis (portfolio management);
development of an effective fintech ecosystem. • dealing in foreign notes and coins (foreign currency dealing);
• the ongoing purchase of receivables on the basis of standard
FINANCIAL REGULATION agreements, with or without recourse (factoring);
• the conclusion of financial lease agreements in the capacity of the
Regulatory bodies lessor and the management of asset-leasing special purpose vehi-
3 Which bodies regulate the provision of fintech products and cles (financial leasing); and
services? • the purchase and sale of financial instruments separately from the
management of a collective investment scheme for a community of
The Federal Financial Supervisory Authority (BaFin) is responsible for investors, who are natural persons, on a discretionary basis with
regulating fintech products and services in Germany if they fall under regard to the choice of financial instruments (asset management).
the scope of regulated activities or products. A fintech company may
64 Fintech 2021
Simmons & Simmons LLP Germany
Since the beginning of 2020, crypto-custody business has been added Alternative investment funds
to the list of licensable activities. Crypto-custody business is defined as 8 Are managers of alternative investment funds regulated?
the safekeeping, administration and storage of crypto-assets or private
cryptographic keys used to hold, store and transfer crypto-assets for Managers of alternative investment funds located in Germany are
others (crypto assets custody services). regulated under the KAGB. The same also applies to a certain extent to
In general, a licence is required for any investment services and German branches of non-German managers of alternative investment
activities listed in section A of Annex I of the Directive 2014/65/EU funds. Alternative investment funds may only be marketed in Germany
on markets in financial instruments or Annex I of Directive 2013/36/ once they are registered or passported for distribution to investors in
EU on access to the activity of credit institutions and the prudential Germany. Germany has implemented the Alternative Investment Fund
supervision of credit institutions and investment firms. The provision of Managers Directive 2011/61/EU.
payment services is licensable based on the provisions of the German Depending on the nature of their actual activities, fintech companies
Act on the Supervision of Payment Services (ZAG). could fall outside the scope of the KAGB if their activities do not consti-
The trading of claims deriving from fully drawn loan agreements tute an investment fund. An investment fund is, pursuant to section 1(1),
does not trigger a licence requirement, provided that the claim is not sentence 1 of the KAGB, any collective investment scheme that raises
amended. However, amendments requiring a new credit decision (eg, capital from a number of investors, with a view to investing in accord-
prolongation) can constitute licensable lending business. ance with a defined investment policy for the benefit of those investors
and that does not constitute an undertaking operating outside of the
Consumer lending financial sector. Such a number of investors will be deemed to exist if
5 Is consumer lending regulated in your jurisdiction? the fund rules or the articles of association of the collective investment
fund do not limit the number of potential investors to a single investor.
The contractual basis for consumer lending contracts can be found in
the German Civil Law Code. The civil law provisions contain an elabo- Peer-to-peer and marketplace lending
rate protection regime and require the borrower to comply with, among 9 Describe any specific regulation of peer-to-peer or
other things, certain disclosure obligations and walk-away rights for marketplace lending in your jurisdiction.
the borrowers. In particular, the licence requirement is triggered if
the repayment obligation is in cash. Where the repayment obligation Lenders and borrowers
takes the form of financial instruments or other goods or rights, other BaFin has published guidance on the question of when the participants
licensing requirements may apply (eg, investment services). of a P2P marketplace typically conduct lending or deposit business on a
scale that triggers a licensing requirement. According to this guidance,
Secondary market loan trading BaFin assesses potential licence requirements on a case-by-case basis,
6 Are there restrictions on trading loans in the secondary taking into account the activities of each single investor. It is particularly
market in your jurisdiction? important that investors do not invest on a commercial scale or in a
manner that would require a commercially organised business under-
In general, the trading of fully drawn loans does not trigger a licensing taking, because otherwise a banking licence requirement is triggered.
requirement in Germany. Restrictions on the trading of loans may apply BaFin suggests that a commercially organised business undertaking is
under the terms of the respective contract or as a result of data protec- required if more than €500,000 is invested or more than 100 loans are
tion rules. granted. An investor invests on a commercial scale if he or she under-
takes the investments for a certain time and with a view to making a
Collective investment schemes profit. In addition, under certain circumstances crowd-lending models
7 Describe the regulatory regime for collective investment are subject to the Act on Capital Investments, so that several investor
schemes and whether fintech companies providing protection rules apply, such as the requirement to produce a sales
alternative finance products or services would fall within its prospectus, which must be approved by BaFin. However, exemptions
scope. may apply.
The German Capital Investment Code (KAGB) provides the licensing and Peer-to-peer or platform operators
supervision regime for investment management companies and invest- Whether the operation of a crowd-lending platform requires a licence
ment funds in Germany. In addition, the marketing of investment funds (and which kind of licence) depends on the actual services that are
to investors in Germany is also regulated under the KAGB. The KAGB provided. Generally, it depends on the way the contracting is designed
takes a holistic approach and provides the legal regime for all collective on the platform. In cases where the operator of the platform merely
investment schemes (eg, alternative investment funds and undertak- provides the infrastructure, the licensable activities are more likely to
ings for collective investments in transferable securities). The aim of the be conducted by the users of the platform. If, on the other hand, the
KAGB is to ensure an adequate supervision of collective investments, operator of the platform steps into each transaction and takes on its
including the administration, marketing and compliance with investment own credit risk, it is likely that the licensable activity will be conducted
rules. However, crowdfunding platforms and peer-to-peer (P2P) lending by the platform operator. However, the pure brokerage of loans would
platforms are generally not viewed as collective investment schemes generally not be considered as banking, financial or payment services,
by BaFin. BaFin focuses on the lending aspect and indicates in several so ‘only’ an authorisation under the GewO may be required.
guidance notes that, depending on the actual nature of the services
provided, licensable lending business may be conducted. Further, the
brokerage of loans requires a licence under the German Industrial Code
(GewO) and, therefore, the operation of a P2P lending platform could
trigger the requirement for a loan broker licence.
Germany Simmons & Simmons LLP
Crowdfunding In terms of their supervision and regulation, robo-advising busi-

10 Describe any specific regulation of crowdfunding in your nesses are generally subject to the same rules as if such services were
jurisdiction. rendered ‘manually’. Thus, automated investment advice will need to
comply with the applicable licensing requirements and conduct of busi-
There are several different kinds of crowdfunding platforms available ness rules. BaFin’s guidance sets out that the provision of robo-advice
in Germany. In a guidance note, BaFin sets out four main crowd- could fall under a number of regulated services, including investment
funding models: advice and contract broking. Additionally, providers often offer portfolio
• donation-based and rewards-based crowdfunding, which is also management services under the label of robo-advice. Depending on the
referred to as crowd sponsoring; actual structure of the business, additional conduct of business rules
• loan-based crowdfunding (crowd lending); and may apply. For example, where the provider uses an advisory model
• crowd investing. and gives personalised recommendations to its investors, certain
documentation obligations apply. In addition, the provider may need to
In the latter two types, the aim is to generate a financial return. BaFin determine the suitability and appropriateness of the financial products
does not apply specific regulatory regimes to different business models that it recommends.
per se. BaFin instead focuses on the nature of the activities undertaken
by the users and the operators of the crowdfunding platforms and Insurance products
decides on a case-by-case basis whether licensable activities are being 15 Do fintech companies that sell or market insurance products
conducted and by whom. in your jurisdiction need to be regulated?
Invoice trading Fintech companies selling or marketing insurance products in Germany

11 Describe any specific regulation of invoice trading in your are likely to be regulated by BaFin if they conduct insurance business in
jurisdiction. Germany and by the local chamber of industry and commerce if they act
as insurance brokers in Germany.
Invoice trading is generally not a regulated activity. However, if the
actual activities constitute a financial service (eg, factoring, which Credit references
means the ongoing purchase of receivables on the basis of standard 16 Are there any restrictions on providing credit references or
agreements, with or without recourse) this activity is regulated and credit information services in your jurisdiction?
requires a financial services licence.
Should a credit information service qualify as a credit-rating agency, the
Payment services rules of the EU Credit Rating Agency Regulation apply.
CROSS-BORDER REGULATION
Germany has implemented the Payment Services Directive and, thus,
anyone wishing to conduct payment services as a payment institu- Passporting
tion commercially or on a scale that requires commercially organised 17 Can regulated activities be passported into your jurisdiction?
business operations needs written authorisation from BaFin. What
constitutes payment services is set out in ZAG and comprises the same As Germany is a member of the European Union, institutions holding a
activities set out in the Payment Services Directive. licence to conduct regulated activities in any EEA country can apply for
a ‘passport’. The passport is a notification procedure to the home state
Open banking regulator. Such a passport would enable the licence holder to estab-
13 Are there any laws or regulations introduced to promote lish a physical presence in the form of a branch in the host country or
competition that require financial institutions to make to provide services on a cross-border basis without a physical pres-
customer or product data available to third parties? ence. The passport avoids a complete authorisation procedure if a party
intends to carry out a regulated activity in another EU country. Not all
No, we are not aware of any such laws or regulations. services can be passported. Crypto-assets custody services and asset
management services are, for example, services that are not harmonised
Robo-advice and will trigger a licence requirement when carried out in Germany.
14 Describe any specific regulation of robo-advisers or other
companies that provide retail customers with automated Requirement for a local presence
access to investment products in your jurisdiction. 18 Can fintech companies obtain a licence to provide financial
Robo-advice is any form of customer support on investment decisions presence?
by making use of partially or fully automated IT systems. There are
several different kinds of automated investment advice platforms that A German financial services licence will only be granted to a fintech
are active in Germany. BaFin has issued guidance on robo-advice, company that has established a physical presence in Germany. However,
indicating that these services can be qualified as (and regulated a fintech company with a financial services licence in another EEA
as) investment advice, financial portfolio management, acquisition country can apply for a passport to Germany and, thus, would be able
brokerage and investment brokerage (each depending on its individual to provide financial services in Germany through a branch or without a
features), and, thus, offering respective services regularly requires physical presence on a purely cross-border basis.
licensing under German banking (eg, KWG and the German Securities
Trading Act) and commercial law (eg, GewO). Most offerings currently
available on the German market constitute investment advice or finan-
cial portfolio management.
66 Fintech 2021
SALES AND MARKETING under the Money Laundering Act. For this reason, the corresponding
sanctions also result directly from the law itself.
Restrictions There have been some important changes to the Money Laundering
19 What restrictions apply to the sales and marketing of Act in the past: on 1 January 2020, the Act was amended to implement
financial services and products in your jurisdiction? the requirements of EU’s Fifth Anti-money Laundering Directive. The
changes imposed additional obligations, especially for regulated finan-
There are various restrictions regarding the sales and marketing of cial services businesses, including fintech companies. Since this date,
financial services and products in Germany. The marketing of a regu- institutions in the field of crypto-assets (eg, virtual currency exchange
lated activity in Germany constitutes a licensable activity and providing platforms and custodian wallet providers) are explicitly included in the
those services without the necessary licence constitutes a criminal group of obliged entities.
offence. The marketing of financial instruments is subject to a detailed Generally, entities subject to German AML laws are, or will be
regulatory framework set out in Directive 2014/65/EU on markets required to, among other things:
in financial instruments. Providing false or misleading information is • implement preventive policies, controls and procedures;
generally prohibited. Further rules apply for specific types of financial • identify and assess the firm’s exposure to money laundering risk
instruments like investment funds. by, for example, undertaking a risk assessment;
• perform customer due diligence to an adequate standard
CHANGE OF CONTROL depending on the risk profile of that client;
• keep appropriate records;
Notification and consent • monitor compliance with the anti-money laundering regulations,
20 Describe any rules relating to notification or consent including internal communication of policies and procedures; and
requirements if a regulated business changes control. • report suspicious transactions.
Investors that intend to acquire 10 per cent or more of the capital or the Furthermore, the abovementioned amendment of the Money
voting rights of a regulated entity are required to file a disclosure as Laundering Act includes unified, enhanced due diligence requirements
holders of a significant holding. These investors must provide detailed for transactions with high-risk countries and extended data access
information regarding their background, the origin of their funding, the competencies for the Federal Financial Intelligence Unit and law
CVs of relevant persons and the details of their group structure. The enforcement agencies. In addition, digital companies will be required
Federal Financial Supervisory Authority then generally has 60 days to to provide payment service providers with access to infrastructure
approve or oppose the acquisition and may make approval subject to services. These include, for example, interfaces for near field commu-
certain actions being taken. nication, which is required for cashless payments by mobile phone at
In addition, notification requirements under securities trading or physical points of sale.
stock corporation laws may apply, depending on the legal nature of Violations of anti-money laundering regulations are administra-
the target. tive offences and will result in fines of up to €5 million or 10 per cent of
the institution’s total revenue.
FINANCIAL CRIME According to recent federal jurisdiction plans, fines of up to 10 per
cent of a corporation's annual turnover for regulatory offences may be
Anti-bribery and anti-money laundering procedures imposed. Furthermore, corporations are to be excluded from public
21 Are fintech companies required by law or regulation to have tenders for a term of five years if they have been fined for bribery or if
procedures to combat bribery or money laundering? a member of the executive board has been convicted for bribery. At a
state level, some German federal states already have adopted an act
Firstly, a distinction must be made between anti-corruption and bribery that allows their authorities to exclude companies from public tenders
(ABC) regulations and rules for combating money laundering (AML). if the company or its employees are associated with ABC-related
As taking and giving bribes are criminal offences under the behaviour.
German Criminal Code, only individuals can be held criminally liable. In addition, Germany has been debating for years whether compa-
Corporations and legal entities as such can solely be subject to regu- nies should be held liable under a kind of criminal law (ie, corporate
latory investigations and sanctions. However, if the individual acts on sanctions law) if its responsible persons commit crimes or regulatory
behalf of a corporate body, the corporation may be subject to additional offences. The current federal government is working on such an act
fines and confiscation of assets gained because of the criminal conduct and has recently published a first draft. However, this draft will likely
or forfeiture of other assets. All relevant administrative offences be revised a few times before it enters into force.
committed in Germany are mainly covered under the provisions of the In summary, despite some differences in the material scope, it is
Act on Regulatory Offences. important for fintech companies to adhere to the legal requirements of
Thus, German regulatory offences law allows legal entities to be ABC and AML regulations and to create a corresponding compliance
fined for bribery offences that have been committed by their legal repre- structure. After all, the risk for the company is always the same in the
sentatives or by any other senior management employee, the conduct of event of infringement as very high fines are threatened.
whom can be associated to the legal entity. Fines of up to €600 million
have been imposed for bribery offences in the past. Guidance
In contrast to this, all companies in Germany must generally 22 Is there regulatory or industry anti-financial crime guidance
comply with national AML regulations. In addition, where an institu- for fintech companies?
tion is an obliged entity under the German Money Laundering Act (see
section 2), it is under numerous additional obligations (eg, to set up a There is no specific anti-financial crime guidance for fintech compa-
specific AML compliance system). This means that it is not – as with the nies apart from the general advice that companies should always be
ABC regulations – a matter of breach of criminal provisions by natural compliant with relevant regulations. Therefore, it is essential to have
persons (eg, employees), but that the entity itself may violate the rules an adequate compliance system in place.
The design of the compliance system and the compliance organi- to damage claims by the borrower; if the form requirements are not
sation is fundamentally subject to the business judgement rule as an complied with, the loan agreement can be void; or if the consumer has
entrepreneurial decision. The management has to make decisions not been instructed correctly on his or her revocation rights, the loan
based on appropriate information, acting for the benefit of the entity. can become revocable for an indefinite period. With regard to formal
Above all, in terms of compliance, this means analysing the risks to requirements for the execution of the loan and security agreements,
which the company is exposed as part of its business activities and to written form is required; electronic form is permitted as well, except
repeat that continuously and regularly. Based on the risk analysis, the for in the case of certain security documents where a notarisation by
management must make appropriate organisational arrangements for a German notary is required (eg, land charge deeds, which include an
compliance in the company, such as: immediate enforcement clause or share pledge agreements, which
• use of increased compliance resources in countries with a high risk relate to the pledge of shares in a German limited liability company).
of corruption;
• stricter compliance checks on public contracts; Assignment of loans
• ongoing due diligence and monitoring; 24 What steps are required to perfect an assignment of
• ongoing internal training; loans originated on a peer-to-peer or marketplace lending
• separate rules for dealing with certain occupational groups; platform? What are the implications for the purchaser if the
• clear rules; and assignment is not perfected? Is it possible to assign these
• where appropriate, controls for contacts with competitors. loans without informing the borrower?
However, institutions that are regulated by the Federal Financial An assignment agreement would need to be concluded in relation to the
Supervisory Authority, in addition, should comply with all applicable assignment of the loan claims; there are no further perfection require-
anti-financial crime guidance for the financial sector. ments and the borrower’s consent is not required. The assignment is
also valid if it is not being disclosed to the borrowers. In the case of a
PEER-TO-PEER AND MARKETPLACE LENDING transfer of rights and obligations under a loan agreement (ie, transfer
of the whole contractual relationship) to a new lender of record, the
Execution and enforceability of loan agreements borrower (as both debtor and creditor of the transferred rights and
23 What are the requirements for executing loan agreements or obligations) would need to consent to the transfer. Usually, the loan
security agreements? Is there a risk that loan agreements documentation would include provisions requiring the prior consent of
or security agreements entered into on a peer-to-peer or the borrower to such a transfer. In the case of an assignment of rights
marketplace lending platform will not be enforceable? under a loan agreement, an assignment is generally possible without
the consent of the borrower. If an assignment of the rights under a
There is no special legislation applicable in Germany in relation to peer- loan agreement was explicitly excluded by a borrower in the loan docu-
to-peer (P2P) lending (ie, the general regulatory and civil law provisions mentation, the assignment would be void. However, in the case of the
are applicable). A distinction needs to be made between direct and indi- indirect P2P lending structure, the loan documentation should already
rect P2P lending. include the prior consent of the borrower to transfer the rights and obli-
• In relation to direct P2P lending, the agreement is concluded gations under the loan agreement to the investor (or intermediary, as
directly between the investor and the borrower. However, owing to the case may be).
regulatory limitations (ie, licence requirements for lending activity),
this structure is not popular in Germany. Securitisation risk retention requirements
• In relation to indirect P2P lending (which is more common in 25 Are securitisation transactions subject to risk retention
Germany), a cooperating licensed bank is involved. The licensed requirements?
bank enters into a loan agreement with the borrower. Once the
loan agreement between the bank and the borrower has been Regulation (EU) 2017/2402 provides for the general securitisation
entered into, the bank assigns under a purchase and assignment framework, including rules regarding risk retention. Under this frame-
agreement its claims under the loan agreement pro rata to the work, the originator, sponsor or original lender of a securitisation must
respective investor whereby often an affiliated company (inter- retain a material net economic interest in the securitisation of not less
mediary) of the platform provider is interposed. Thus, there is no than 5 per cent. However, if securitisation is achieved via an interme-
direct agreement between the borrower and the investor. The bank diary single purpose company, this entity will no longer be allowed
cooperates with the platform provider under a cooperation agree- to retain risk as the originator. Rather, this may only be done by an
ment and the platform provider serves as loan broker under a loan originator with a broader business purpose, the sponsor or the original
brokerage agreement with the borrower. For the loan brokerage, lender. The required entity must possess sufficient substance to hold
the platform provider needs permission according to the German the assets for a minimum period of time before they are securitised.
Industrial Code. Further, the platform provider must not receive Furthermore, assets to be securitised must not be selected with the aim
monies that are determined to have been forwarded, otherwise a of rendering the losses on such assets higher than the losses on compa-
payment services licence could be required. Generally, care should rable assets remaining on the balance sheet of the originator without
be taken in the documentation that the purchase of claims does not disclosing this accordingly to investors.
qualify as factoring, that the money laundering requirements have
been complied with and that the borrower consents to the transfer
of the borrower’s personal data to the investors.
With regard to loan agreements with consumers, consumer protection

laws need to be taken into account (ie, special information and form
requirements as well as revocation rights are applicable). If consumer
information undertakings are not complied with, this can give rise
68 Fintech 2021
Securitisation confidentiality and data protection requirements could fall under a number of regulated services, including investment
26 Is a special purpose company used to purchase and securitise advice and contract broking. Additionally, providers often offer portfolio
peer-to-peer or marketplace loans subject to a duty of management services under the label of robo-advice. Depending on the
confidentiality or data protection laws regarding information actual structure of the business, additional conduct of business rules
relating to the borrowers? may apply. For example, where the provider uses an advisory model
and gives personalised recommendations to its investors, certain
Yes, the special purpose company would be subject to data protection documentation obligations apply. In addition, the provider may need to
laws regarding information relating to the borrowers. However, in the determine the suitability and appropriateness of the financial products
case of the indirect P2P lending structure, the loan documentation that it recommends.
should already include the consent of the borrower to share its informa-
tion with the special purpose company. Distributed ledger technology
28 Are there rules or regulations governing the use of
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER distributed ledger technology or blockchains?
TECHNOLOGY AND CRYPTO-ASSETS
No, there is no single regulation specifically addressing distributed
Artificial intelligence ledger technology (DLT). However, use cases deploying DLT or block-
27 Are there rules or regulations governing the use of artificial chain technology in regulated markets (eg, securities markets) must
intelligence, including in relation to robo-advice? comply with the existing legal framework applicable to the specific
service and its providers. European requirements such as the European
In Germany, the Federal Financial Supervisory Authority (BaFin) has Market Infrastructure Regulation (EU) No 648/2012 (EMIR), the
actively addressed these regulatory aspects in the past; however, Markets in Financial Instruments Regulation (EU) No 600/2014 (MiFIR),
currently this is an ongoing process. Starting in 2018, BaFin conducted the Central Securities Depositaries Regulation (EU) No 909/2014,
a comprehensive study on the challenges and implications for supervi- the Markets in Financial Instruments Directive II 2014/65/ EU, the
sion and regulation of AI-based and big data-based services, concluding Alternative Investment Fund Managers Directive 2011/61/EU and the
that proliferation of these technologies will increasingly challenge Securities Financing Transactions Regulation (EU) 2015/2365 as well as
current regulatory frameworks. Besides ascertaining the need to adapt the national implementation thereto must be regarded. For instance, a
the supervisory framework accordingly, regulated companies remain use case involving the clearing of assets by deploying DLT would have
accountable for regulatory compliance in AI-based and big data-based to fulfil the requirements of EMIR and MiFIR regarding authorisation
products. While management boards remain fully accountable for any and regulated entities. BaFin has the power to prohibit unauthorised
results automatically produced or used within their company (section businesses. In addition, smart contracts and initial coin offerings (ICOs)
25a German Banking Act (KWG)), these results must also remain trans- are currently under close scrutiny by the supervisory authorities.
parent and explainable to ensure persisting human control. Thus, BaFin BaFin issued a consumer warning with regards to risks associated
considers the use of ‘black-box’ algorithms an indicator of dysfunctional with ICOs on 15 November 2017. Specific risks identified by BaFin include
(unlawful) business organisation. In addition, the accurateness and reli- the significant price fluctuations of tokens and, in many cases, a lack of
ability of AI-based and big data-based products must be ensured. This, information regarding ICO providers making ICO businesses prone to
again, requires robust data quality, thorough testing and continuous the risk of fraud, money laundering and the financing of terrorism. BaFin
supervision of algorithmic decision models, as well as technical safe- also published an advisory letter to the classification of tokens on 20
guards against maldevelopment (eg, automated shutdown procedures). February 2018. The key aspect of this letter is that BaFin will assess
Since late 2019, there has been increasing demand by various on a case-by-case basis whether a token constitutes a financial instru-
stakeholders in the German financial market for BaFin to engage in ment, a security or a capital investment. The supervisory classification
authorising the use of algorithms for automated decision-making. To of a token determines the applicability of the existing legal framework,
date, this request remains unheard. BaFin announced that, apart from the services and products associated with the tokens. Depending on the
existing authorisation of individual scenarios (eg, article 142 et seqq classification of tokens, several legislative acts apply including, among
and 362 et seqq EU Capital Requirements Regulation; high-frequency others, the WpHG, the German Securities Prospectus Act, the German
trading), there is no legal basis for requiring or granting such authorisa- Capital Investment Act, the German Capital Investment Code and the
tion on a general basis. KWG. Further, at the beginning of 2020 crypto-custody business was
Robo-advice is any form of customer support on investment deci- added to the list of licensable activities.
sions by making use of partially or fully automated IT systems. There
are several different kinds of automated investment advice platforms Crypto-assets
that are active in Germany. BaFin has issued guidance on robo-advice, 29 Are there rules or regulations governing the use of crypto-
indicating that these services can be qualified as (and regulated assets, including digital currencies, digital wallets and
as) investment advice, financial portfolio management, acquisition e-money?
brokerage and investment brokerage (each depending on its individual
features), and, thus, offering respective services regularly requires Yes. BaFin treats bitcoin and other crypto-tokens as a financial instru-
licensing under German banking (eg, KWG and the German Securities ment in the form of ‘units of account’. These units of account are similar
Trading Act) and commercial law (eg, the German Industrial Code). Most to foreign currencies and are not legal tender. Bitcoin is neither central
offerings currently available on the German market constitute invest- bank money nor e-money under German law: it is not central money
ment advice or financial portfolio management. because it is not issued by the central bank, and it is not e-money because
In terms of their supervision and regulation, robo-advising busi- it is not issued by an issuer against whom a claim can be established. The
nesses are generally subject to the same rules as if such service was distribution of bitcoin requires authorisation by BaFin if the distribution
rendered ‘manually’. Thus, automated investment advice will need to is performed on a commercial basis or requires a commercially organ-
comply with the applicable licensing requirements and conduct of busi- ised business operation. If virtual currencies are bought and sold for
ness rules. BaFin’s guidance sets out that the provision of robo-advice third parties, this could be classified as ‘proprietary trading’ under the
German Banking Act, depending on the specific arrangements deployed, The GDPR requires that any processing of personal data be done
which requires a BaFin authorisation as well. In addition, e-money insti- pursuant to one of six lawful bases for processing. The most commonly
tutions must be authorised and subject to supervision by BaFin. Offering used lawful basis for processing is to obtain the consent of the data
digital wallets online may require BaFin authorisation depending on the subject to that processing – in relying on this lawful basis, the busi-
tokens and the wallet services being provided. BaFin has the power to ness must ensure that the consent is freely given, specific, informed
prohibit any unauthorised business activities with immediate effect. and unambiguous, and capable of being withdrawn as easily as it is
At the beginning of 2020, crypto-custody business was added to given. This places a significant burden on businesses to ensure that
the list of licensable activities. Crypto-custody business is defined as their customers are fully informed as to what their personal data is
the safekeeping, administration and storage of crypto-assets or private being used for, which is a crucial change to the previous regime under
cryptographic keys used to hold, store and transfer crypto-assets for which disclosure did not need to be so transparent. Other lawful bases
others (crypto-assets custody services). for processing data include where that processing is necessary for the
business to perform a contract it has with the data subject, or where
Digital currency exchanges required to comply with an obligation the business has at law (not a
30 Are there rules or regulations governing the operation of contractual obligation).
digital currency exchanges or brokerages? The GDPR further differs from the previous regime in that it places a
significantly increased compliance burden on businesses, including, for
There is no special legal regime for digital currency exchanges or example, mandatory requirements to notify regulators of data breaches,
brokerages in Germany. The German regulator assesses activities in obligations to keep detailed records on processing, and requirements
the context of cryptocurrencies or tokens on a case-by-case basis. It for most entities to appoint a data protection officer.
has been BaFin’s administrative practice for several years now to view The GDPR does not apply to personal data that has been truly
bitcoin and similar cryptocurrencies as financial instruments in the form anonymised – as anonymised data cannot, by definition, be personal
of units of account. Consequently, the rules for dealings with financial data. However, to ensure that GDPR does not apply to a certain data set,
instruments apply. In a guidance note dated 20 February 2018, BaFin that data set must be truly anonymised. The GDPR itself gives limited
states that the mining of cryptocurrencies and the sale of the mined guidance on anonymisation in Recital 26, requiring data controllers to
tokens are, in principle, licence-free in Germany. However, persons who, consider a number of factors in deciding if personal data has been truly
for example, buy and sell cryptocurrencies in their own name and for anonymised, including the costs and time required to de-anonymise,
the account of others on a commercial scale are likely to conduct the the technology available at the time to attempt de-anonymisation and
licensable business of financial brokerage. Further, operating a digital further developments in technology.
currency exchange could qualify as operating a multilateral trading When it comes to international data transfers, a two-step test must
facility. Additionally, operators of mining pools may be carrying on be carried out. First, the legitimacy of an international data transfer has
licensable activities. the same requirements as a national data transfer. An international data
transfer can only be legitimate if an analogous transfer within Germany
Initial coin offerings was legitimate. Second, an international data transfer is only legitimate
31 Are there rules or regulations governing initial coin offerings if the country to which data is to be transferred provides for reasonable
(ICOs) or token generation events? data protection legislation. The transfer of data to other members of the
EEA is permitted because those countries provide for an adequate level
BaFin is of the view that each initial coin offering has to be judged of data protection. In the case of a data transfer to a country outside the
on a case-by-case basis, applying the existing legal framework. First, EEA, it must be ensured that the country of destination also provides
BaFin categorises the token to be issued and then, depending on the for an adequate level of protection. With regard to certain jurisdictions,
legal nature of the token (security token, utility token, payment token, the European Commission has provided decisions on the adequacy of
etc), applies the applicable legal framework. The consequence of this data protection. Another way of ensuring that adequate safeguards
approach is that, for example, a securities prospectus would be required are provided is the use of one of the model contracts approved by the
for the issuance of securities tokens and a payment services licence European Commission (standard contractual clauses (SCCs)). To date,
would be required for the issuance of payment tokens. the European Commission has already approved different types of
There is, however, no special legal regime for token-generating model contracts. In addition, there is theoretically another solution that
events yet. Discussions between the legislature and the respective renders an assessment of the second step (legality of a data transfer
stakeholders, including the Federal Ministry of Finance and BaFin, are to an entity in a country without an adequate level of data protection)
ongoing with a view to evaluating the need for special legislation and its unnecessary, namely corporate binding rules (CBRs). CBRs are codes
potential scope. of conduct and a set of rules a company can draft to allow data transfer
outside the EEA and to overcome some practical problems with SCCs.
DATA PROTECTION AND CYBERSECURITY From an EU perspective, the United States does not provide for adequate
protection of personal data. For this reason, the European Commission
Data protection has adopted a special decision in respect of the US: an adequate level
32 What rules and regulations govern the processing and of protection will be deemed to apply for those organisations that have
transfer (domestic and cross-border) of data relating to registered under the EU–US Privacy Shield. However, financial institu-
fintech products and services? tions cannot register under the Privacy Shield.
Businesses that infringe the GDPR may be subject to administra-
On 25 May 2018, the EU General Data Regulation (GDPR) came into force tive fines of an amount up to €20 million or 4 per cent of global turnover,
with direct effect across the EU. The GDPR governs the storage, viewing, whichever is higher.
use of, manipulation and other processing by businesses of data that In Germany, a new Federal Data Protection Act (BDSG) came into
relates to a living individual. In summary, the GDPR requires that busi- force at the same time as the GDPR. The BDSG makes use of opening
nesses only process personal data where that processing is done in a clauses, such as for the processing of personal data in the context of
lawful, fair and transparent manner, as further described in the GDPR. employment and for the appointment of data protection officers. The
70 Fintech 2021
oversight of GDPR, including compliance and enforcement, is carried OUTSOURCING AND CLOUD COMPUTING
out in Germany by 16 data protection supervisory authorities (one
supervisory authority based in each federal state). Outsourcing
German data protection authorities have not issued any specific 34 Are there legal requirements or regulatory guidance with
guidance for fintech companies. respect to the outsourcing by a financial services company of
a material aspect of its business?
Cybersecurity
33 What cybersecurity regulations or standards apply to fintech There is a legal regime for outsourcing by financial services compa-
businesses? nies. Section 25b of the German Banking Act (KWG) sets the framework
and the Federal Financial Supervisory Authority's (BaFin) publication
‘Fintech’ here is understood as technology-enabled innovation in finan- ‘Minimum Requirements for Risk Management’ (MaRisk) further details
cial services often resulting in new business models, applications, the requirements for outsourcing in chapter AT9. Further, BaFin indi-
processes or products each materially affecting the traditional provi- cates that the ‘Guidelines on Outsourcing’ published by the Committee
sion of financial services. Owing to the technology-neutral regulation of European Banking Supervisors and European Banking Authority are
of financial markets in Germany, there are no cybersecurity standards also relevant for BaFin’s administrative practice.
specifically addressing fintech companies. In broad terms, it can be said that the outsourcer needs to ensure
The Federal Financial Supervisory Authority's (BaFin) standards on that its risk profile does not change owing to the outsourcing and that
cybersecurity reflect the traditional demarcations of regulatory frame- the outsourced services must be in compliance with the applicable legal
works in Germany: the German Banking Act (ie, BaFin Circular 10/2017 requirements. The outsourcing of services must not lead to outsourcing
on Banking Supervisory Requirements for IT), the Insurance Supervision of the management’s responsibilities and the regulator must not be
Act (ie, BaFin Circular 10/2018 on Insurance Supervisory Requirements hindered in its supervisory activities owing to the outsourcing. Further,
for IT) and German Capital Investment Code (ie, BaFin Circular 11/2019 the outsourcing agreement must meet certain criteria, if material parts
on Capital Management Supervisory Requirements for IT). of the business are outsourced. Controlling and audit functions may
According to BaFin, compliance with its sector-specific stand- only be outsourced to an extent that it does not bias the capability of
ards on IT security and cybersecurity does not relieve any regulated the outsourcing entity to monitor, understand and manage the risks it
entity from complying with other (general) standards in this field. incurs during its business operations.
For Germany, this namely refers to standards issued by the Federal
Office for Information Security (BSI), including the IT-Basic Protection Cloud computing
Compendium, the Standards 200-1 to 200-3 (security and risk manage- 35 Are there legal requirements or regulatory guidance with
ment), the Technical Guidelines and, particularly relevant, the standards respect to the use of cloud computing in the financial services
on certain aspects of cybersecurity. Fintech businesses must also industry?
comply with IT and data security requirements stipulated in other appli-
cable laws (such as the GDPR). Sections 25a paragraph 1 and 25b KWG stipulate specific legal require-
Certain stakeholders on the financial markets are, thus, also ments relating to IT outsourcing and, as such, cloud computing in the
regulated as operators of a critical infrastructure or digital service, or financial services industry. Regulatory guidance is given in this context
both, under the German IT Security Act (IT-SiG). Briefly, any facility or by MaRisk. According to MaRisk, any material outsourcing requires an
installation (or parts thereof) in the finance and insurance sectors is outsourcing agreement in writing that fulfils minimum requirements,
considered a critical infrastructure if their failure or impairment would such as stipulating audit rights (in favour of the financial services
lead to considerable supply bottlenecks or threats to public safety. provider as well as the supervisory authority), data protection and exit
Digital services are electronically provided services relating to online management. New guidance on the ‘Bank regulatory requirements
marketplaces, search engines and cloud-computing applications; these relating to IT’ was published by BaFin. This guidance specifies MaRisk
are likewise regulated if they qualify as ‘critical’ in the aforesaid meaning requirements relating to IT risk and information security management
and provide the public with finance or insurance products. Specific guid- as well as the concrete IT operation, and, therefore, is also relevant to
ance on identifying critical infrastructure and services in practice is cloud computing in the financial services industry.
provided in form of legislative decrees of the German Federal Ministry
of the Interior. Operators of critical infrastructure are, inter alia, obliged INTELLECTUAL PROPERTY RIGHTS
to take appropriate organisational and technical precautions to avoid
disruptions to the availability, integrity, authenticity and confidentiality IP protection for software
of their IT systems, components or processes, as far as these are essen- 36 Which intellectual property rights are available to protect
tial for the functionality of their critical infrastructure (see section 8a, software, and how do you obtain those rights?
paragraph 1 BSI Act). The same accounts for critical service providers
in terms of IT security and network security (see section 8c BSI Act). As According to German copyright law, computer programs shall be
detailed by the BSI, both obligations require regulated entities to imple- protected if they represent individual works in the sense that they are
ment various measures to ensure network security. the result of the author’s own intellectual creation. No other criteria,
BaFin is conducting regular checks relating to the IT infrastruc- especially qualitative or aesthetic criteria, shall be applied. The protec-
ture of regulated entities. These aspects are likewise covered in audits tion granted shall apply to the expression in any form of a computer
performed by data protection supervisory authorities. Resulting from program. Ideas and principles underlying any element of a computer
latest amendments of the IT-SiG, BSI is furnished with information and program, including the ideas and principles underlying its interfaces,
audit rights. Furthermore, fintech businesses must comply with the IT shall not be protected. A copyrightable work is protected as of the
security requirements that are stipulated in any other applicable law, moment of creation, so no further administrative measures are needed.
such as the GDPR. The German Act on Copyright and Related Rights comprises specific
stipulations concerning various uses of software, including decompi-
lation and rearrangement of software. While software as such is not
patent-protectable, computer-implemented inventions may be if they • it is secret in the sense that it is not, as a body or in the precise
show a technical effect. configuration and assembly of its components, generally known
Business methods and software as such are not patent-eligible; among or readily accessible to persons within the circles that
both the German Patent Act and the European Patent Convention say so normally deal with the kind of information in question;
explicitly. However, for practical purposes the patent eligibility of soft- • it has commercial value because it is secret; and
ware very much depends on the claim drafting: if the invention can be • it has been subject to reasonable steps under the circumstances, by
presented as having a technical effect, patent protection may be avail- the person lawfully in control of the information, to keep it secret.
able. The case law of both the Federal Court of Justice and the EPO
Boards of Appeal provide useful guidance in this respect. The most important requirement for the applicability of the German
Trade Secrets Act is that the confidential information needs to be subject
IP developed by employees and contractors to adequate and traceable trade secret measures implemented by the
37 Who owns new intellectual property developed by an trade secret owner. The adequacy of the measures depends on the
employee during the course of employment? Do the same company and the usual confidentiality measures, the value and nature
rules apply to new intellectual property developed by of the trade secret in detail as well as the specific circumstances of its
contractors or consultants? use. Physical access restrictions and precautions as well as contractual
security mechanisms should be considered.
In Germany, intellectual property generated by an employee will not The still fairly new law protects trade secrets against direct
automatically become the gratuitous property of the employer as in most unlawful attainment, use and disclosure, as well as against indirect
other jurisdictions. Rather, the German Act on Employees’ Inventions infringements when third parties acquire trade secrets from a party and
provides a complex system according to which the employer merely has knew or should have known that a trade secret was used or disclosed
a right to claim an employee invention. In this case, the employer must in an unlawful way. In the event of an unlawful action, the holder of a
pay a certain amount, which is calculated in a complex manner based on trade secret can claim for cease and desist, destruction, surrender and
a number of factors and parameters. recall, disclosure, and, in the case of intentional or negligent violation,
These rules do not apply to independent contractors or consult- damages. A special feature of the German Trade Secrets Act is the legal
ants. If the intellectual property is based on true cooperation, this can basis for a right to information about infringing products. Thus, it can
lead to complex legal situations, including the factual foundation of a prove a powerful tool to protect confidential information when other
private partnership. Accordingly, any such potential issues should be intellectual property rights might not be applicable.
dealt with in a contract, clearly allocating the rights and obligations of However, the German Trade Secrets Act does not provide protec-
all parties arising under such a cooperation or R&D project. tion against reverse engineering. Rather, it is generally permitted if the
product or article has been made publicly available or if it is in the lawful
Joint ownership possession of the party who observes, tests, examines or dismantles it
38 Are there any restrictions on a joint owner of intellectual and is not subject to any (contractual) prohibition from obtaining the
property’s right to use, license, charge or assign its right in trade secret.
intellectual property? As for the protection of trade secrets in court proceedings, the
German Trade Secrets Act stipulates special regulations that apply to
Subject to contractual stipulations, co-ownership of inventions and trade secret litigation proceedings only and prevails through execution
patents are considered a simple company-like structure (Gemeinschaft). proceedings. At the request of a party, contentious information can be
This legal form is dealt with in the German Civil Code, though only in fully or partly classified as a trade secret. Parties to the proceedings
rudimentary form. Each owner may use the invention (as a rule, without and individuals with access to procedural documents can neither use
having to pay a licence fee to the others) or may sell its share in the nor disclose trade secrets. There is no in-camera proceeding, but the
invention. However, a licence may only be granted with the consent number of individuals gaining access to procedural documents can be
of all co-owners. Each co-owner can request that the Gemeinschaft limited to one natural person from each party and their respective liti-
be dissolved, which typically happens by way of selling the intellec- gant or legal representative. The court may, at the request of one of the
tual property asset. This is one reason why co-owners should devise a parties, impose a fine of up to €100,000 or imprisonment for up to six
contract early on rather than relying on statutory rights. months for failure to comply with the obligations; however, this might
In addition, the German trade secret law, unlike patent and copy- not be considered a very high fine compared to the value some trade
right law, does not regulate the legal relationship between joint owners secrets hold. The German Courts Constitution Act can also be applied
and can, therefore, cause difficulties if no contractual provisions are as it contains, inter alia, a confidentiality obligation subject to criminal
established. prosecution for the hearing itself.
After the proceedings it is relevant to know that the prevailing party
Trade secrets can request to (partly) publish the decision when it is legally binding and
39 How are trade secrets protected? Are trade secrets kept cannot be subject to appeals anymore.
confidential during court proceedings? As it is at the discretion of the court to decide which orders are
necessary for adequate protection during legal proceedings, it remains
Germany implemented the Trade Secrets Directive (EU) 2016/943 on to be seen how the still relatively new German Trade Secrets Act is
26 April 2019 with the civil law on the protection of trade secrets (ie, enforced in practice. In any event, care must be taken to ensure that
the German Trade Secrets Act), which first and foremost protects trade trade secrets are, firstly, categorised and documented as such and,
secrets. Trade secrets are also protected under criminal law as well as secondly, kept secret by adequate trade secret measures so that confi-
through general civil law, civil procedure law and unfair competition dential treatment is ensured and accidental disclosure is avoided.
law (against general passing-off). Contracting parties are also free to
protect individually defined trade secrets.
The German Trade Secrets Act protects information that meets all
the following requirements:
72 Fintech 2021
Branding hub-and-spoke practices. Even though it seems that no concrete action

40 What intellectual property rights are available to protect has been taken yet, the topic remains on the agenda of the FCO as well
branding and how do you obtain those rights? How can fintech as other authorities.
businesses ensure they do not infringe existing brands? A German particularity is the additional merger control threshold
based on the value of the consideration. In short, transactions must be
Before entering a market with a designation (importantly including a notified in Germany if the parties to the transaction achieved a combined
trade or company name), each new market entrant should conduct due worldwide turnover of more than €500 million, one participant had turn-
diligence on its brand. As a first step, this would include an internet over of more than €25 million in Germany and another participant had
search for identical designations. In a second step, the trademark regis- turnover of more than €5 million in Germany in the last complete busi-
ters and possibly commercial registers should be reviewed with regard ness year. Under the new rule, a transaction is also notifiable if one of
to the designation, at the very least as far as identical applications are the participants did not achieve a turnover of more than €5 million in
concerned. This can be done in-house but also via experienced search Germany, but the consideration is more than €400 million and the target
companies and law firms. has been active in Germany to a significant extent. This new threshold
could mean that transactions relating to highly valued start-up fintech
Remedies for infringement of IP companies can trigger merger control proceedings even if the target
41 What remedies are available to individuals or companies company did not have high turnover levels. This has been applied to the
whose intellectual property rights have been infringed? acquisition of Honey Science Corporation by PayPal Inc. The FCO found
that the transaction was notifiable as Honey Science Corporation had a
There are various measures against infringements of intellectual prop- significant local activity owing to its active user base despite not having
erty rights. The main goal of any action, including by way of preliminary turnover in excess of €5 million. Ultimately, the transaction was cleared
injunction, is to stop the infringer from continuing to infringe. An injunc- as the FCO found no competition concern. In particular, in relation to
tion or preliminary injunction will achieve this aim. Apart from this, all online payment services, various operators such as Klarna, WireCard
the established intellectual property remedies are available, including and, recently, Google Pay and Apple Pay are active on the market.
claims for damages (computed by lost profits, infringer’s profits or Section 57 of the Act on the Supervision of Payment Services,
licence analogy) and for rendering account. which is based on section 35 of PSD2, requires payment systems not to
impose on payment service providers, payment service users or other
COMPETITION payment systems any of the following: restrictive rules on the effective
participation in other payment systems; rules that discriminate between
Sector-specific issues authorised payment service providers or between registered payment
42 Are there any specific competition issues that exist with service providers in relation to the rights, obligations and entitlements
respect to fintech companies in your jurisdiction? of participants; or restrictions on the basis of institutional status.
Lastly, the German Federal Government published plans to revise
Fintech companies and the fintech sector are subject to the general its foreign direct investment regime. While some changes have already
competition law rules in Germany. There are no specific rules in compe- been implemented in the healthcare sector in response to the covid-19
tition law targeting the fintech sector. This means that the provisions outbreak, some changes will come later in the year. One particular
prohibiting cartels, abuse of dominance and the merger control rules, issue is that the acquisition of companies operating 'critical technology'
and the general principles developed in other industries, are applied. will become subject to a notification requirement. Even though details
The German Federal Cartel Office (FCO) used its competition law are not yet available, critical technology will most likely encompass
powers recently in relation to payment services. The FCO found provi- AI, robotics, semiconductors, biotechnology, and quantum and nuclear
sions in general banking terms and conditions introduced by the banking technology. Fintech companies may become subject to this according to
association that prevented customers from using their personal identi- the use of AI or if they meet the thresholds laid down in the regulation
fication numbers and tax deduction and collection account number in on critical infrastructure.
independent online payment procedures to infringe competition law in
order to cause revisions to these general terms and also enhance new TAX
(technological) developments. This decision has now been upheld by
the Federal Supreme Court ruling that the restrictions on third-party Incentives
payment providers were an unlawful restriction on competition. The 43 Are there any tax incentives available for fintech companies
immediate effect of the judgment is limited as the revised Payment and investors to encourage innovation and investment in the
Services Directive (Directive (EU) 2015/2366) (PSD2) requires banks to fintech sector in your jurisdiction?
grant online financial service providers (fintech companies) access to
payment and account information if the customer allows it. However, A new law came into force on 1 January 2020 supporting research and
some commentators think that the judgment heralds a broader payment development by granting a tax-exempt research and development allow-
service liberalisation as its reasoning can be applied to other services ance that will be available for all companies regardless of their size and
such as savings, investment and insurance accounts. business purposes provided they are subject to German income tax.
One issue that has arisen across sectors is the assessment of According to the new law, in general, research and development projects
digital pricing tools, especially in the form of pricing algorithms, which are supported to the extent they can be assigned to the categories:
are able to observe and evaluate a large amount of market-relevant • basic research;
information from competitors, customers and suppliers as well as other • industrial research; or
market conditions, thus enabling their users to react quickly with solu- • experimental development.
tions adapted to each individual case to these observations (dynamic
algorithm pricing). A potential competition concern that has been voiced According to the official reasoning of the new law, the administrative
is that pricing software may help to implement and increase the reli- practices of the European Commission regarding the European General
ability of cartel agreements or that pricing software can implement Block Exemption Regulation as well as the Frascati Manual of the
Organisation for Economic Cooperation and Development have to be IMMIGRATION

considered when describing these terms.
The assessment basis for the allowance is the eligible expenses. Sector-specific schemes
Eligible expenses are labour costs for employees and the employer's 45 What immigration schemes are available for fintech
expenditure to secure the employee's future who is entrusted with this businesses to recruit skilled staff from abroad? Are there any
research and development projects, including expenses for services special regimes specific to the technology or financial sectors?
rendered by a shareholder on the basis of an employment agreement
that are subject to wage withholding tax. Furthermore, eligible expenses Citizens of the European Union and the European Economic Area have
are also personal contributions of an individual entrepreneur regarding unrestricted access to the German labour market. Swiss nationals also
these research and development projects. In this case, each labour hour enjoy free movement within the EU but must apply for a special declara-
is valued at €40 up to a maximum of 40 hours per week. tory Swiss residence permit.
The assessment basis for the allowance are the eligible expenses. Third-country nationals who wish to work in Germany need a
However, the assessment basis for the allowance is capped at €2 million. residence permit that includes a work permit. There are no specific
The research and development allowance would be 25 per cent of this immigration schemes for fintech businesses.
assessment basis (ie, the maximum allowance is capped at €500,000 However, special regulations for highly qualified employees and job
per annum). For contract research for contractors established in the EU positions in ‘shortage occupations’ apply.
or an EEA State, 60 per cent of the remuneration paid to the contractor A privileged residence permit exists for highly qualified persons: the
is taken into account. The amount of state aid granted for a research EU Blue Card. The EU Blue Card is limited to a maximum term of four
and development project, including research allowances under the years when issued for the first time. Third-country nationals who are
new law, must not exceed €15 million per enterprise and research and entitled to hold an EU Blue Card can obtain a national visa for an entry
development project. The allowance shall be granted on application. The in advance at the relevant German diplomatic mission. This visa will be
application must be accompanied by an official certificate stating that replaced by an EU Blue Card after entry by the relevant immigration
research and development projects are eligible in the meaning of this authority.
law. The research and development allowance is not paid out immedi- To obtain a EU Blue Card, no priority examination (no preferential
ately after it has been determined, but is taken into account in the next workers available for the job) and no examination of working conditions
income or corporate income tax assessment by offsetting it against the are necessary (which would normally be required). The applicant needs
determined income or corporate income tax. If the research allowance to provide evidence of his or her qualifications, meet the labour market
exceeds the established income or corporate income tax, the excess requirements in Germany and provide a German employment agree-
amount will be paid out. ment with a German employer. In general, a university degree from a
Apart from this, there has, until now, been no specific tax incentives German university, a recognised degree from a foreign university or at
available regarding the fintech environment. However, the following least a foreign university degree comparable to a German university
should be noted. degree is required. A minimum salary of €53,600 gross per year (for
• The German Income Tax Act allows small and medium-sized 2019; the threshold differs annually) is required. For shortage occupa-
businesses (ie, taxpayers with business assets of not more than tions, the minimum annual gross salary is €41,808 (for 2019). Shortage
€235,000 if the taxable profit is calculated on an accrual basis; or occupations are, inter alia, natural scientists, mathematicians, architects,
taxpayers with profits of not more than €100,000 if the taxable engineers, engineering scientists and academic specialists in informa-
profit is calculated on a cash-flow basis) to deduct up to 40 per cent tion and communication technology. If those requirements are met, no
of the anticipated costs for future acquisitions or productions of approval of the employment agency is necessary.
depreciable moveable fixed assets from their taxable income up to In all other cases, the approval of the Federal Employment Agency
three fiscal periods before the capital asset is actually purchased is required, which will examine if any German employee of equal status
(investment deduction, see section 7g of the German Income Tax is available for employment. If this is the case, the job position must be
Act). The maximum investment deduction amount is €200,000. offered to a German employee and the residence permit is denied.
• Furthermore, the German Corporate Income Tax Act, in principle, After a residence of 33 months in Germany, holders of a EU Blue
foresees that the transfer of more than 50 per cent of the shares in Card can apply for an indefinite settlement permit. If sufficient knowl-
a German company results in an entire forfeiture of tax loss carry edge of the German language can be proven (at least level B1), an
forwards. However, according to an amendment of the German indefinite settlement permit can already be applied for after 21 months
Corporate Income Tax Act in 2016, tax loss carry forwards (as well of residence in Germany.
as interest carry forwards) will not be forfeited in the event of a For applicants without a university degree but who have completed
transfer of shares beyond these thresholds if the business opera- professional training, a temporary residence permit can be applied for
tion is maintained unchanged by the seller since the establishment if the applicant gets a job in a shortage occupation. This applies for job
of the company (or at least from the beginning of the third fiscal positions as an expert in IT system analysis, IT sales and an expert in
period preceding the year of the transfer) and also by the acquirer software development and programming. The applicant must provide a
until the end of the transfer year. Even though companies in all specific job offer, which corresponds to his or her completed training,
industries are entitled to benefit from this new rule according to a German qualification or a qualification recognised as equivalent, a
the official reasoning of the law, the amendment should serve in completed professional training (of at least two years) and a labour
particular to increase the chances of IT start-ups attracting capital. market examination that is less comprehensive than the Federal
Employment Agency. A priority examination is not required.
Increased tax burden After five years of holding a preliminary residence permit, it is
44 Are there any new or proposed tax laws or guidance that possible to obtain an indefinite residence permit. Proof is required that
could significantly increase tax or administrative costs for the living costs can be covered without using statutory benefits; that at
fintech companies in your jurisdiction? least 60 months of compulsory contributions to the statutory pension
insurance have been made; that the applicant has sufficient German
No. language skills; that he or she has basic knowledge of the legal and
74 Fintech 2021
social order as well as living conditions in Germany; that a permit for

employment is available; that no reasons of public safety and order
speak against the residence; and that sufficient housing space is avail-
able for the applicant and, as the case may be, for family members.
A new Immigration Act is currently planned, which has not yet been
passed. It is expected that the current privileges for skilled workers in
shortage occupations will be extended.
UPDATE AND TRENDS Christopher Götz

christopher.goetz@simmons-simmons.com
Current developments Dang Ngo
46 Are there any other current developments or emerging trends dang.ngo@simmons-simmons.com
to note? Elmar Weinand
elmar.weinand@simmons-simmons.com
The legislature and the regulatory authorities have taken unprecedented
Eva Heinrichs
measures to address the risks deriving from the covid-19 pandemic.
eva.heinrichs@simmons-simmons.com
These measures include, inter alia, those that are specifically targeted at
start-up companies and the fintech sector. Felix Biedermann
felix.biedermann@simmons-simmons.com
Coronavirus
Janine Marinello
47 What emergency legislation, relief programmes and other janine.marinello@simmons-simmons.com
Jochen Kindermann
jochen.kindermann@simmons-simmons.com
to address these concerns? What best practices are advisable Martin Gramsch
for clients? martin.gramsch@simmons-simmons.com
Sascha Kuhn
Extended deadlines for annual general meetings and general sascha.kuhn@simmons-simmons.com
meetings in 2020
The German legislature enacted the Act on Measures in Company,
MesseTurm
Cooperative, Association, Foundation and Home Ownership Law to
Friedrich-Ebert-Anlage 49
Combat the Effects of Covid-19 to provide temporary relief. In particular, 60308 Frankfurt am Main
for stock corporations (AGs), partnerships limited by shares (KGaAs) and Germany
cooperatives, some relief applies with regard to the form and deadline Tel: +49 69 90 74 54 0
for holding annual general meetings in 2020. For European compa- Fax: +49 69 90 74 54 54
nies (SEs) and European cooperative societies (SCE), this relief by the www.simmons-simmons.com
German legislature does not fully apply owing to the lack of legislative
competence. The European Parliament has taken action in this regard
and has resolved a temporary deviation from the SE and SCE Regulation.
Relief for annual general meetings
Support measures for start-ups in the covid-19 pandemic The German legislature has decided to simplify the holding of general
The German Ministries of Finance and Economy have prepared a €2 meetings and passed the Law to mitigate the consequences of the
billion package of measures for start-ups. Private investors, not the covid-19 pandemic in civil, insolvency and criminal proceedings. The
start-ups themselves, are entitled to apply. A prerequisite for the use aim of the regulation is to give companies the ability to act despite the
of the Corona Matching Facility is the successful completion of a due covid-19 crisis.
diligence by the private investor. The start-up in question must have In addition to regulations under civil, insolvency and criminal
experienced financial difficulties owing to the effects of covid-19. It is not procedural law, the draft provides for facilitations for the holding
yet clear what defines covid-19-related economic difficulties. of annual general meetings of, among others, AGs, KGaAs and SEs.
Therefore, these companies should be able to pass all necessary resolu-
More time for conversions tions and remain capable of acting even if holding in-person meetings is
The legislature has granted companies four months more to complete still restricted. Even without authorisation in the articles of association
conversions. In terms of taxation, however, the regulation does not apply or the rules of procedure, the management board can order the share-
in all cases. holders to participate and vote; order the members of the supervisory
Late financial reports are not sanctioned for a short period board to participate via electronic communication; and the meeting can
For now, listed companies are not threatened with penalties if they be held online by video and audio transmission.
report their financial results too late as a result of the covid-19 pandemic.
The economic uncertainties associated with the novel coronavirus Economic stabilisation fund
also affect the financial reporting of listed companies. The European To reduce the negative effects of the covid-19 pandemic on the German
Securities and Markets Authority, the supervisory authority for the economy, the German federal government set up a multibillion euro
European securities markets, therefore, has now issued a public state- economic stabilisation fund. This fund, which is to be managed by the
ment on the impact of the covid-19 pandemic on the deadlines for Finance Agency, is intended to serve to stabilise companies by over-
publishing financial reports, which apply to all issuers of securities. coming liquidity bottlenecks and by creating the framework conditions
for strengthening the capital base of companies whose existence would
be threatened by significant impacts on the economy, technological

sovereignty, supply security, critical infrastructure or the labour market.
As can be seen from the underlying Economic Stabilisation Fund Act,
which went through the legislative process within only one week, these
companies must have:
• a balance sheet total of more than €43 million;
• a turnover of more than €50 million; and
• an average number of employees that is more than 249.
Where it is sufficient that two of these three criteria are met, finan-
cial sector enterprises and credit institutions are excluded from these
measures.
Suspension of the obligation to file for insolvency

Under normal circumstances, in the event of insolvency or over-indebt-
edness, the CEO or board of directors of a limited liability company,
stock corporation or cooperative must take action at the latest after
three weeks before the insolvency court if the reason for the insolvency
cannot be eliminated out-of-court by then. In the covid-19 crisis, this is
different. As part of the Covid-19 Insolvency Act, the obligation to file for
insolvency will be suspended at least until 30 September 2020, possibly
even until 31 March 2021, but only for those cases in which the insol-
vency maturity is a direct consequence of the covid-19 pandemic and if,
in the event of insolvency, there is at least a chance of its elimina
76 Fintech 2021
Gibraltar
David Borge, Kunal Budhrani and Peter Howitt
Ince
FINTECH LANDSCAPE AND INITIATIVES Regulated activities

General innovation climate jurisdiction?
1 What is the general state of fintech innovation in your
jurisdiction? The following activities are licensable, regulated activities in Gibraltar:
• accepting deposits;
Gibraltar has taken a lead in the area of e-commerce and fintech inno- • issuing electronic money;
vation and is a world leader in the blockchain and distributed ledger • providing payment services;
technology economy, having been the first jurisdiction to regulate the • effecting and carrying out contract of insurance;
use of such technology. • insurance management;
Gibraltar’s strong track record in regulated e-commerce (particu- • insurance distribution;
larly e-gaming, e-money and payments and other electronically supplied • reinsurance distribution;
financial services) and its reputation for attracting quality operators • reception and transmission of order;
mean that it is well positioned to be a leading global hub. It also has • executing orders on behalf of clients;
local banks that have chosen to get involved in the sector and that can • dealing on own account;
support operators. • portfolio management;
The jurisdiction, through the Gibraltar Government’s Finance • providing investment advice;
Centre Department (the Finance Centre), actively encourages local and • underwriting or placing on a firm commitment basis;
external entities to establish financial services businesses and provide • placing without a firm commitment basis;
offerings in or from Gibraltar. • operating an multilateral trading facility;
Gibraltar’s financial regulator, the Gibraltar Financial Services • operating an organised trading facility;
Commission (GFSC) encourages fintech innovation via its Innovate and • sending, etc, dematerialised instructions;
Create Team. • selling or advising in relation to structured deposits;
• administering a benchmark;
Government and regulatory support • operating a regulated market;
2 Do government bodies or regulators provide any support • operating an approved publication arrangement;
specific to financial innovation? If so, what are the key • operating a certified treasury professional;
benefits of such support? • operating an adjustable-rate mortgage;
• managing an undertaking for collective investment in transferable
While the Finance Centre and the GFSC encourage financial innovation, securities (UCITS);
there is no specific support or benefits offered in relation to financial • acting as depositary of a UCITS;
innovation, which would not be available to other industries in the • acting as trustees of a UCITS;
jurisdiction. • acting as sole director of a UCITS;
There are, however, associations such as the Gibraltar Association • managing an alternative investment fund (AIF) (in-scope alternative
of New Technologies (GANT), of which the Gibraltar government is a investment fund manager (AIFM));
member and which receives government funding. GANT’s purpose is to • acting as depositary of an AIF with an in-scope AIFM;
encourage interest and participation of new technologies in the finance • managing an AIF (small scheme manager);
industry and to provide a forum for discussion between its members • acting as depositary of an AIF with a small scheme manager;
and the government. • establishing a collective investment scheme;
• acting as bank or broker, or both, of an experienced investor fund;
FINANCIAL REGULATION • acting as depositary of a private scheme;
• acting as administrator of a collective investment scheme;
Regulatory bodies • establishing a personal pension scheme;
3 Which bodies regulate the provision of fintech products and • advising on personal or occupational pension schemes;
services? • granting credit by means of a mortgage credit agreement;
• acting as a mortgage credit intermediary;
The Gibraltar Financial Services Commission (GFSC). • providing advisory services in connection with mortgage credit;
• company management;
• acting as a professional trustee or foundation councillor;
Gibraltar Ince
• acting as a bureau de change; and • Financial Services (Alternative Investment Fund Managers)
• providing distributed ledger technology services. Regulations 2020;
• Financial Services (Investment Services) Regulations 2020;
Consumer lending • Financial Services (UCITS) Regulations 2020;
5 Is consumer lending regulated in your jurisdiction? • Financial Services (Distance Marketing) Regulations 2006; and
• Financial Services (Experienced Investor Funds) Regulations 2020.
Consumer lending is a regulated activity in Gibraltar.
Directive 2014/17/EU (the Mortgage Credit Directive) created Fintech companies providing alternative finance products would fall
harmonised EU rules in the mortgage-credit market in respect of within the scope of the regulatory regime of collective investment
the provision of credit for residential properties. It is transposed schemes if the product or service being offered falls within the defini-
into Gibraltar law by way of the Financial Services (Mortgage Credit) tion of a collective investment scheme.
Regulations 2020 and does the following:
• sets out the requirement to provide precontractual information Alternative investment funds
through the European Standardised Information Sheet – a stand- 8 Are managers of alternative investment funds regulated?
ardised format – and the calculation of the Annual Percentage Rate
of Charge; Managers of alternative investment funds are regulated in Gibraltar.
• sets out principles for marketing and advertising; Gibraltar has implemented the EU regime applicable under the
• encourages the concept of responsible lending practices; Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD)
• includes provisions requiring the lender to assess the creditworthi- in respect of the regulation of investment advisers, arrangers and
ness of the consumer, and imposes disclosure obligations on the managers, as well as managers of collective investment schemes. It
part of the consumer; also has national legislation that covers a number of other areas outside
• requires the application of appropriate standards to valuations, the scope of EU law, which can largely be found in the Financial Services
where these are carried out; Act 2019 and the Financial Services (Collective Investment Schemes)
• provides standards for the provision of advisory services; Regulations 2020.
• provides minimum knowledge and competence requirements for The AIFMD has been implemented by way of several legislative
staff as well as remuneration requirements; changes, including those made to the following:
• establishes a regulatory regime for creditors and credit intermedi- • Financial Services (Alternative Investment Fund Managers)
aries, as well as containing provisions that allow for the regulation Regulations 2020;
and supervision of non-credit institutions; and • Financial Services (Alternative Investment Fund Managers) (Fees)
• permits tied credit intermediaries and appointed representatives. Regulations 2015;
• Financial Services (Alternative Investment Fund Managers
The lending of amounts between €200 and €75,000 (which are not (European Long-Term Investment Funds) Regulations 2020;
secured by way of mortgage) is governed by two distinct regimes: the • Financial Services (Alternative Investment Fund Managers)
Financial Services (Consumer Credit) Act 2011 and by the Financial (European Venture Capital Funds) Regulations 2020;
Services (Moneylending) Act 1917. • Financial Services (Alternative Investment Fund Managers)
Licences granted under the Financial Services (Consumer Credit) (European Social Entrepreneurship Funds) Regulations 2020; and
Act 2011 are issued and regulated by the GFSC, while licences granted • Financial Services (Experienced Investor Funds) Regulations 2020.
under the Financial Services (Moneylending) Act 1917 are issued by the
Gibraltar Finance Minister. The regime under the AIFMD applies to fund managers that manage
within the scope of alternative investment funds.
Secondary market loan trading Most funds in Gibraltar are either experienced investor funds (EIFs)
6 Are there restrictions on trading loans in the secondary (not available to retail investors) or private funds (limited to 50 inves-
market in your jurisdiction? tors and not capable of being publicly promoted).
Some investors take advantage of the private funds regime in
There are no restrictions on trading loans in the secondary market in Gibraltar, which is intended to be a vehicle to enable friends, family and
Gibraltar. close associates of a person to invest using a pooling structure without
the need for full authorisation of the fund. Private funds are limited to 50
Collective investment schemes investors and do not require licensed fund administrators (unlike EIFs).
7 Describe the regulatory regime for collective investment
schemes and whether fintech companies providing alternative Peer-to-peer and marketplace lending
finance products or services would fall within its scope. 9 Describe any specific regulation of peer-to-peer or
The regulatory framework for collective investment schemes is set out
in the Financial Services (Collective Investment Schemes) Act 2011, There is no specific regulation governing peer-to-peer lending in
which, among other things, transposes Directive 2009/65/EC on under- Gibraltar; however, any person or entity wishing to offer lending
takings for collective investment in transferable securities into national platform services must ensure that they comply with the Markets in
law. The Financial Services Act 2019, the Financial Services (Collective Financial Instruments Directive (MiFID) (if applicable) and with local
Investment Schemes) Regulations 2011 and Financial Services financial services and securities legislation, such as the Financial
(Collective Investment Scheme Administrators) Regulations 2020 are Services (Investment Services) Regulations 2020, which regulates
the main pieces of legislation governing all retail collective investment offering securities and investment services.
schemes in Gibraltar.
In relation to undertakings in collective investment schemes in
transferable securities, the following regulations are applicable:
78 Fintech 2021
Ince Gibraltar
Crowdfunding Credit references

10 Describe any specific regulation of crowdfunding in your 16 Are there any restrictions on providing credit references or
jurisdiction. credit information services in your jurisdiction?
Gibraltar does not have a specific crowdfunding regime. At present, No, but the EU General Data Protection Regulation is in effect in Gibraltar
MiFID does not provide a unified crowdfunding landscape in the EU and so European data protection laws apply.
and largely relies on specific local regimes. Operators in Gibraltar
also need to consider the applicability of local regulatory regimes of CROSS-BORDER REGULATION
the jurisdiction of the investor when seeking to raise finance by way of
crowdfunding. Passporting
Invoice trading
11 Describe any specific regulation of invoice trading in your Certain regulated activities that are subject to European harmonised
jurisdiction. financial services regulatory regimes, such as the Markets in Financial
Instruments Directive, the Alternative Investment Fund Managers
There is no specific regulation relating to invoice trading in Gibraltar. Directive, credit institutions, insurance and reinsurance intermediaries,
payments and e-money services can be passported into Gibraltar from
Payment services other EU member states.
Requirement for a local presence
The second Payment Services Directive (PSD2) applies in Gibraltar 18 Can fintech companies obtain a licence to provide financial
and has been transposed into national law by virtue of the Financial services in your jurisdiction without establishing a local
Services (Payment Services) Regulations 2020. presence?
Open banking It depends on the type of regulated financial service.

13 Are there any laws or regulations introduced to promote Regulated payment services that are passported into Gibraltar by
competition that require financial institutions to make way of a ‘freedom to provide services passport’ do not require a local
customer or product data available to third parties? presence as they rely on their home state licence.
To obtain any Gibraltar financial services licence, the licensed
The PSD2 provides for the authorisation of account information service entity must establish a local presence, which includes the ‘four eyes’ (ie,
providers (AISPs) and payment initiation service providers (PISPs). two individuals) principle, to be met on a continual basis. The principle
AISPs are authorised to initiate retrieve account data provided by banks is designed to ensure that at least two minds are applied both to the
and financial institutions. PISPs are authorised to initiate payments formulation and implementation of the firm’s policies and can be carried
into or out of a user’s account. Both these services require the explicit out by its senior management.
consent of the customer.
SALES AND MARKETING
Robo-advice
14 Describe any specific regulation of robo-advisers or other Restrictions
companies that provide retail customers with automated 19 What restrictions apply to the sales and marketing of
access to investment products in your jurisdiction. financial services and products in your jurisdiction?
There is no specific regulation of robo-advisers or other companies that The marketing of financial services and products is governed by the
provide retail customers with automated access to investment products Financial Services Act 2019. It requires that where financial products
in Gibraltar. and services are advertised the contents and the presentation are fair
and not misleading and the risks involved in that service or investment
Insurance products are disclosed and understood. It further provides that the issuer of the
15 Do fintech companies that sell or market insurance products advertisement has the appropriate expertise in relation to the invest-
in your jurisdiction need to be regulated? ment or service.
Distance sales are also covered by the Financial Services (Distance
Fintech companies that sell or market insurance products are regulated Marketing) Act 2006.
by the same national legislation that regulates traditional insurance
products. This includes the following: CHANGE OF CONTROL
• Financial Services Act 2019;
• Financial Services (Insurance Distribution) Regulations 2020; Notification and consent
• Financial Services (Insurance Management) Regulations 2020; 20 Describe any rules relating to notification or consent
• Financial Services (Insurance Companies) Regulations 2020; requirements if a regulated business changes control.
• Financial Services (Insurance Companies: Accounts Directive)
Regulations 2020; Changes in the control of a regulated business requires the Gibraltar
• Financial Services (Insurance Distribution) Regulations 2020; Financial Services Commission consent and approval.
• Financial Services (Insurance Business Transfer) (Saving)
Regulations 2020; and
• Insurance (Marine) Act 1960.
Gibraltar Ince
FINANCIAL CRIME In a novation, the transferee transfers both rights and obligations
to a third party: this is usually executed by way of deed, which requires
Anti-bribery and anti-money laundering procedures execution by all the parties involved.
21 Are fintech companies required by law or regulation to have Without a perfected deed of assignment or deed of novation, rights
procedures to combat bribery or money laundering? or obligations under a loan agreement will not be assigned. This would
prevent the new lender from enforcing its rights against the borrower
Fintech companies are subject to the same laws relating to money laun- and the borrower enforcing its rights against the new lender.
dering and bribery as any other financial services provider in the EU.
This derives from the fifth Anti-Money Laundering Directive and is trans- Securitisation risk retention requirements
posed into national law by way of the Proceeds of Crime Act 2015 (POCA). 25 Are securitisation transactions subject to risk retention
POCA requires fintech companies to have measures in place to requirements?
prevent the financial system from being used for money laundering or
terrorist financing purposes. Yes, securitisation transactions are subject to risk retention
The Crimes Act 2011 details rules related to anti-bribery require- requirements.
ments. In addition, Gibraltar is a British Overseas Territory and so various EU Regulation 2017/2404/EU (the Securitisation Regulation)
elements of the UK anti-bribery regime (Bribery Act 2010) are applicable. applies directly in EU member states, including Gibraltar, as of 1
January 2019.
Guidance The Securitisation Regulation applies to relevant securitisation
22 Is there regulatory or industry anti-financial crime guidance transactions, the securities of which are issued on or after 1 January 2019
for fintech companies? and to any securitisation in which a new securitisation position is created
on or after 1 January 2019, subject to certain transitional arrangements.
The Gibraltar Financial Services Commission has issued anti- Under the Securitisation Regulation, originators, sponsors and
money laundering guidance notes on its website (www.gfsc.gi/fsc/ original lenders (including corporates) are under a positive obligation to
financialcrime). retain a 5 per cent net economic interest in securitisation transactions.
The Gibraltar Association of Compliance Officers is among the
organisations that issue anti-financial crime guidance for fintech Securitisation confidentiality and data protection requirements
companies. 26 Is a special purpose company used to purchase and securitise
peer-to-peer or marketplace loans subject to a duty of
PEER-TO-PEER AND MARKETPLACE LENDING confidentiality or data protection laws regarding information
23 What are the requirements for executing loan agreements or Peer-to-peer and marketplace lending is not a specific regulated activity
security agreements? Is there a risk that loan agreements in Gibraltar.
marketplace lending platform will not be enforceable? ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
Loan agreements must be executed in writing in accordance with the
same formalities that govern regular contracts. Artificial intelligence
Security agreements must also be in writing. Mortgages and 27 Are there rules or regulations governing the use of artificial
charges that contain a power of attorney should be executed as deeds. intelligence, including in relation to robo-advice?
Executed documents and their corresponding charge should be regis-
tered at Companies House within 30 days. No.
Where mortgage or security relates to real estate, there is a further
requirement to register it at the Gibraltar Land Titles Registry (Land Distributed ledger technology
Property Services Limited). 28 Are there rules or regulations governing the use of
Peer-to-peer and marketplace lending is not a regulated activity distributed ledger technology or blockchains?
in Gibraltar.
Yes, the Financial Services (Distributed Ledger Technology Providers)
Assignment of loans Regulations 2020 (the DLT Regulations).
loans originated on a peer-to-peer or marketplace lending Crypto-assets
platform? What are the implications for the purchaser if the 29 Are there rules or regulations governing the use of crypto-
assignment is not perfected? Is it possible to assign these assets, including digital currencies, digital wallets and
loans without informing the borrower? e-money?
Ordinarily, rights or obligations under a loan can be assigned by way of E-money and payment services are governed by the Financial Services
assignment and by novation. (Electronic Money) Regulations 2020 and Financial Services (Payment
Under an assignment, a lender assigns its rights under a loan to a Services) Regulations 2020 respectively.
new lender. The original lender only transfers its rights, for example, to Subject to the below, the use of crypto-assets is regulated by
receive loan repayment and interest payments. The lender is still liable the DLT Regulations in relation to DLT. Entities that handle or store
for any obligations under the loan. Unless the original loan provides crypto-assets (specifically, such as collective investment schemes
otherwise, the borrower may need to be notified of the assignment or that are investing in crypto-assets) but that are not licensed under the
consent to it. An assignment is usually executed by deed. DLT Regulations are still expected to adhere to the Gibraltar Financial
80 Fintech 2021
Ince Gibraltar
Services Commission guidance to DLT providers in relation to safe- In the case of automated processing, each data controller and data
keeping of customer assets, cybersecurity and resilience. processor must, following an evaluation of the risks, implement meas-
Where an alternative financial services licence is applicable, alter- ures designed to:
native legislation would take precedence over the DLT Regulations. • prevent unauthorised processing or unauthorised interference
By way of example, under Gibraltar law an experienced investor fund with the systems used in connection with it;
(EIF) can contain crypto-assets and so might fall within EIF regulations. • ensure that it is possible to establish the precise details of any
Equally, a crypto-asset that represents a security may fall within the processing that takes place;
ambit of legislation governing securities. • ensure that any systems used in connection with the processing
function are used properly and may, in the case of interruption, be
Digital currency exchanges restored; and
30 Are there rules or regulations governing the operation of • ensure that stored personal data cannot be corrupted if a system
digital currency exchanges or brokerages? used in connection with the processing malfunctions.
The operation of digital currency exchanges or brokerages is governed Fintech businesses are also expected to adhere to Gibraltar Financial
by the DLT Regulations. The exception to this is when the exchange Services Commission guidance issued in relation to the safekeeping of
or brokerage offers a service that requires an alternative financial customer assets, cybersecurity and resilience that apply to distributed
services licence. ledger technology providers.
Initial coin offerings OUTSOURCING AND CLOUD COMPUTING

31 Are there rules or regulations governing initial coin offerings
(ICOs) or token generation events? Outsourcing
Draft regulations have been published in relation to initial coin offerings respect to the outsourcing by a financial services company of
(ICOs) and token generation events, and, following a consultation period, a material aspect of its business?
were expected to come into effect last year but to date have not.
The new token sale regime is intended to bring into scope all There is both legal and regulatory guidance with respect to the
token sales that fall outside existing financial services regimes so that outsourcing of certain material aspects of a financial services company’s
there are minimum standards in place for the sale of ‘utility tokens’ business. In terms of legal guidance, this includes:
that are otherwise outside of the scope of the DLT Regulations and • data processing (under EU General Data Protection
existing financial services and securities law. The new regime is likely Regulation (GDPR));
to require that any token sale be conducted and promoted by a regu- • cloud computing; and
lated sponsor firm. • carrying-out operational functions relating to the issuance, distri-
As it stands, ICOs relating to security tokens (also known as bution or redemption of electronic money or the provision of
tokenised securities) are governed by legislation governing securi- payment services under both the Financial Services (Electronic
ties, including the Markets in Financial Instruments Directive, the Money) Regulations 2020 and Financial Services (Payment
Prospectus Directive and the Alternative Investment Fund Managers Services) Regulations 2020.
Directive.
Further, investors and purchasers of tokens are subject to Under the GDPR, the outsourcing of data processing requires the
customer due diligence and anti-money laundering requirements under contracting data controller or data processor to ensure that any
the Proceeds of Crime Act 2015. person or entity engaged to carry out functions on their behalf
adheres to the requirements of the GDPR. This must be done by way
DATA PROTECTION AND CYBERSECURITY of a written contract that sets out the responsibilities and obligations
of each party.
Data protection When an electronic money institution or a payments services
32 What rules and regulations govern the processing and provider is intending to outsource operational functions relating to the
transfer (domestic and cross-border) of data relating to issuance, distribution or redemption of electronic money or the provi-
fintech products and services? sion of payment services, the company’s senior management will not
be discharged of its legal responsibilities – the buck still stops with the
The Data Protection Act 2004, the Communications (Personal Data senior management of the company.
and Privacy) Regulations 2006 and the EU General Data Protection The Gibraltar Financial Services Commission (GFSC) has issued
Regulation (GDPR) all govern the processing (including the transfer) of regulatory guidance on outsourcing and makes it clear that the
personal data held by fintech companies in relation to the fintech prod- outsourcing of functions does not discharge senior management of its
ucts and services they offer. ultimate responsibility over the company.
Cybersecurity Cloud computing

33 What cybersecurity regulations or standards apply to fintech 35 Are there legal requirements or regulatory guidance with
businesses? respect to the use of cloud computing in the financial services
industry?
Fintech businesses that are data controllers or data processors are
subject to article 32(1) of the GDPR, which provides that data controllers In addition to its guidance on outsourcing, which is taken to include
and data processors must implement appropriate technical and organi- outsourcing data storage requirements, in its guidance note to distrib-
sational measures to ensure a level of security appropriate to the risks uted ledger technology (DLT) providers on corporate governance the
arising from the processing of personal data. GFSC specifically states:
Gibraltar Ince
• there is no specific requirement for a DLT Provider to have their • it was made in the course of the employee’s duties and the employee
technology or servers physically located in Gibraltar; and similarly, has, because of the nature of the duties and the particular respon-
a DLT provider will not ordinarily be required to have their intel- sibilities arising from them, a special obligation to further the
lectual property held in Gibraltar as this may be held by an affiliate employer’s interests.
company outside Gibraltar;
• a DLT provider will be able to use cloud services to host their busi- Joint ownership
ness platforms and this can be outsourced to reputable and secure 38 Are there any restrictions on a joint owner of intellectual
cloud service providers locally or outside Gibraltar so long as the property’s right to use, license, charge or assign its right in
DLT provider can demonstrate it has access to and adequate over- intellectual property?
sight over cloud storage and processing; and
• a DLT provider should ensure that it has access to all relevant In Gibraltar, in the absence of some other agreement between them,
records, and can provide access to the GFSC on demand, at all co-owners will be able to exploit the jointly held rights themselves
times and have arrangements in place in the event of failure of but will not will not be able to assign or license them to third parties,
primary record storage systems. without the consent of the other co-owner.
While the guidance is specific to DLT providers, it is deemed to apply to Trade secrets
all financial service companies in Gibraltar. 39 How are trade secrets protected? Are trade secrets kept
confidential during court proceedings?
INTELLECTUAL PROPERTY RIGHTS
As with the ownership of IP rights, the confidentiality of trade secrets is
IP protection for software usually governed by confidentiality clauses in the employment contract
36 Which intellectual property rights are available to protect or service contract.
software, and how do you obtain those rights? In respect of court proceedings, upon application by one of the
parties, the courts will often embargo the reporting of such trade secrets.
Gibraltar follows English law in relation to the registration of IP rights
and the protection of registered and unregistered IP rights. Branding
The UK Patents Act 1977 operates in Gibraltar by virtue of the 40 What intellectual property rights are available to protect
Gibraltar Patents Act 1924. It is not possible to make an original applica- branding and how do you obtain those rights? How can
tion to register a patent in Gibraltar. The application must be made to fintech businesses ensure they do not infringe existing
the UK Intellectual Property Office and extended to include Gibraltar brands?
within three years of the UK patent’s date of issue and protection will
run for as long as the UK patent is valid. As with other IP, branding can be protected by way of trademark or
European trademarks may be registered from Gibraltar and a UK design registration. Further, there are instances in which even without
registration can be extended to cover Gibraltar. formal registration, the brand or trademark may have developed suffi-
Designs registered in the UK are automatically protected in cient goodwill to enable the brand owner to take action against another
Gibraltar by virtue of the Gibraltar Designs Act 1928. There is no Gibraltar person or entity for infringement or passing-off.
design registry and no need for an application to be made in Gibraltar. To avoid infringement, fintech companies should carry out the
Designs registered in the EU (by way of a registered community design) appropriate online searches and searches of IP registers when devel-
are also automatically protected in Gibraltar under the Treaty on the oping a brand or product to ensure that it does not infringe pre-existing
Functioning of the European Union. Further international protection is intellectual property rights of third parties.
available under the World Intellectual Property Office Hague Agreement
Concerning the International Deposit of Industrial Designs 1925. Remedies for infringement of IP
With regard to unregistered designs, protection arises automati- 41 What remedies are available to individuals or companies
cally when the design is recorded in a design document or an article whose intellectual property rights have been infringed?
is made to the design. Designs made in Gibraltar qualify for reciprocal
protection in UK (Design Right (Reciprocal Protection) Order 1989 (No. Remedies for IP infringement include the following:
2) 1989 (SI 1989/1294)). • interlocutory relief;
In Gibraltar, copyright protects the authors of works by preventing • order for delivering up;
others from copying or reproducing the work, with protection arising auto- • seizure of infringing copies and other articles;
matically on creation of the qualifying work: registration is not required. • forfeiture;
• injunctions;
IP developed by employees and contractors • damages; or
37 Who owns new intellectual property developed by an • an account of profits.
employee during the course of employment? Do the same
rules apply to new intellectual property developed by COMPETITION
Sector-specific issues
This is governed by the employment or service contract between the 42 Are there any specific competition issues that exist with
company and its employee or the contractor or consultant. Where respect to fintech companies in your jurisdiction?
there is no such contractual provision, the IP rights will belong to the
employer if: Fintech is viewed as generally pro-competitive in the financial services
• it was made in the course of the employee’s normal or specifically market. However, the EU competition regime applies to Gibraltar and
assigned duties; or is enshrined in articles 101 and 102 of the Treaty on the Functioning of
82 Fintech 2021
Ince Gibraltar
the European Union, which sets out the rules relating to anticompetitive
agreements and the abuse of dominance.
TAX
Incentives
fintech sector in your jurisdiction? David Borge
davidborge@incegd.com
Gibraltar has an attractive tax regime both for individuals and business, Kunal Budhrani
with businesses enjoying a 10 per cent corporate tax rate. There are, kunalbudhrani@incegd.com
however, no incentives specific to fintech companies. Peter Howitt
peterhowitt@incegd.com
Unit 6.20, World Trade Center
6 Bayside Road
Gibraltar GX11 1AA
Gibraltar
No. Tel: +350 200 68 450
www.incegd.com
IMMIGRATION
45 What immigration schemes are available for fintech Coronavirus
businesses to recruit skilled staff from abroad? Are there 47 What emergency legislation, relief programmes and other
any special regimes specific to the technology or financial initiatives specific to your practice area has your state
sectors? implemented to address the pandemic? Have any existing
A company can apply to the Gibraltar Government’s Finance Centre to address these concerns? What best practices are advisable
Department (the Finance Centre) director to have employees designated for clients?
as a high executives possessing specialist skills (HEPSS individual).
HEPSS individuals must: While the Gibraltar government was quick to implement measures
• possess specialist skills of exceptional economic value to Gibraltar; across the board to alleviate the general financial strain on employers
• have skills that are not available in Gibraltar; and and business tenants and has been extremely proactive in monitoring
• earn more than £100,000 a year. and modifying these measures on a daily basis.
No measures were introduced that were specific to the financial
Income tax liability is capped at the first £120,000 of taxable earnings. services and legal services industries.
The cap primarily applies to income from the designated employment, The Gibraltar Financial Services Commission is allowing finan-
but can extend to certain dividends, interest, pensions income and cial services licence fees to be paid over the course of 12 months as
foreign income. A HEPSS individual will be required to have residential opposed to upfront in advance as is usually required.
accommodation in Gibraltar that is suitable for HEPSS requirements.
The Finance Centre director must confirm suitability before a HEPSS
individual can enter into any residential property agreements.
UPDATE AND TRENDS
trends to note?
There is emerging interest in the regulation or facilitation of cannabis-

related industries in Gibraltar. In addition to the general appetite
within the jurisdiction for traditional ‘cannabusiness’ (eg, cultivation for
medical exportation), those in financial services and the legal profession
have noted the difficulty cannabusinesses have in obtaining financial
services, specifically banking at a larger, global level, funds derived
from the industry. Even if legal in the jurisdiction, funds can be treated
by the authorities as proceeds of crime given its illegal status in many
other jurisdictions. For this reason, many cannabusinesses have diffi-
culty banking their income or raising finances.
Hong Kong
Ian Wood
FINTECH LANDSCAPE AND INITIATIVES to these agreements, the SFC will cooperate to share information on
emerging fintech trends, developments and related regulatory issues, as
General innovation climate well as on organisations that promote innovation in financial services.
1 What is the general state of fintech innovation in your In September 2017, the Insurance Authority launched a fast-track
jurisdiction? scheme to expedite applications by insurance companies using solely
digital distribution channels as a means to promote the development of
Hong Kong is home to more than 600 fintech companies and start-ups, insurtech in Hong Kong.
covering services in the areas of payment, AI, wealthtech, blockchain The government also supports tech start-ups through the HK$2
and insurtech. As is fitting for an international financial centre, more billion Innovation and Technology Venture Fund.
than one-third of fintech founders are from other countries. Nearly half
of the established fintech companies have been in operation for more FINANCIAL REGULATION
than three years, and the market has begun to mature. Hong Kong has a
67 per cent consumer fintech adoption rate according to a recent Trade Regulatory bodies
Development Council report, which demonstrates consumer desire 3 Which bodies regulate the provision of fintech products and
for innovative approaches to serving their financial needs; although, services?
business-to-business services remain the biggest drivers of fintech
development in Hong Kong. The government supports the sector and The main regulatory bodies are the Hong Kong Monetary Authority
has strengthened cooperation with regulators in other jurisdictions to (HKMA), Securities and Futures Commission (SFC) and the Insurance
encourage cross-border fintech development. Authority.
In 2019, the Hong Kong Monetary Authority (HKMA) granted eight
new ‘virtual bank’ licences. A number of new virtual banking licence Regulated activities
holders are operating in joint ventures, bringing together strengths 4 Which activities trigger a licensing requirement in your
from traditional banking and online platforms to facilitate innovation. jurisdiction?
Government and regulatory support Pursuant to the Securities and Futures Ordinance, the following activi-
2 Do government bodies or regulators provide any support ties are regulated and trigger a licence requirement:
specific to financial innovation? If so, what are the key • Type 1: dealing in securities;
benefits of such support? • Type 2: dealing in futures contracts;
• Type 3: leveraged foreign exchange trading;
Fintech is identified by the government as a priority investment area. • Type 4: advising on securities;
In 2019, the Hong Kong Monetary Authority (HKMA) granted • Type 5: advising on futures contracts;
eight virtual bank licences. These licences were granted as part of the • Type 6: advising on corporate finance;
government’s Smart Banking Initiative and recipients included tech- • Type 7: providing automated trading services;
nology companies as well as more traditional banks. • Type 8: securities margin financing;
The Securities and Futures Commission (SFC) operates a Fintech • Type 9: asset management; and
Contact Point and the HKMA established a Fintech Facilitation Office • Type 10: providing credit rating services.
which, in each case, are intended to facilitate the fintech community’s
understanding of the current regulatory regime and for the regulators to For the purposes of the above categories, ‘securities’ are very widely
work with market participants to support the sustainable development defined and include stocks, shares, loan stock, bonds, debentures, all
of the fintech industry. Linked with the Fintech Supervisory Sandbox rights and interests in such securities, interests in collective investment
established by the HKMA, in 2017 the SFC launched a Regulatory schemes and structured products. However, shares and debentures of
Sandbox that permits new and existing licensed entities to carry out a private Hong Kong company do not constitute securities. Hong Kong
regulated activities within a confined regulatory environment prior to private companies are companies incorporated in Hong Kong that
launching on a wider scale. restrict members’ rights to transfer shares, limit the maximum number
The HKMA is one of the founding contributors of, and the SFC has of shareholders to 50 and prohibit the making of an invitation to the
joined as a coordination group member of, the Global Financial Innovation public to subscribe for shares or debentures.
Network. The SFC has also signed cooperation agreements with a number The licensing regime applies irrespective of whether the specified
of overseas regulators, including the UK’s Financial Conduct Authority activities take place in Hong Kong or, if a person is actively marketing
and the Australian Securities and Investments Commission. Pursuant these activities to the public in Hong Kong, from outside Hong Kong.
84 Fintech 2021
Simmons & Simmons LLP Hong Kong
The activities that are most relevant to fintech businesses are likely Collective investment schemes
to be dealing in securities and advising on securities. Dealing in securi- 7 Describe the regulatory regime for collective investment
ties includes making or offering to make an agreement with a person, or schemes and whether fintech companies providing alternative
inducing or attempting to induce another person to enter into an agree- finance products or services would fall within its scope.
ment to acquire, dispose, subscribe or underwrite securities. Advising
on securities includes giving advice on whether, and the terms on which, Broadly, a scheme is a collective investment scheme under Hong Kong
securities should be acquired or disposed of and issuing analyses or law if it has the following four elements:
reports for the purpose of facilitating decisions on whether to acquire • it is an arrangement in respect of property;
or dispose of securities. It is also possible that some fintech platforms • participants do not have day-to-day control over the management
could constitute automated trading services, the operation of which of the property even if they have the right to be consulted or to give
requires a licence. directions about the management of the property;
In addition to the above licensing requirements, if a business is • the property is managed as a whole by or on behalf of the person
undertaking banking activities, such as receiving money on a current, operating the arrangements or the contributions of the partici-
deposit, savings or similar account or paying or collecting cheques, pants, or both, and the profits or income from which payments are
such a business is required to be licensed as a bank by the HKMA. made to them are pooled; and
Certain other activities, such as moneylending, money exchange • the purpose of the arrangement is for participants to participate in
services, money remittance services and money broking services, or receive profits, income or other returns from the acquisition or
also require licences from the HKMA or the Commissioner of Customs management of the property.
and Excise.
The operation of stored value facilities (such as prepay cards or A collective investment scheme can cover any property and that prop-
prepay mobile apps) or designated retail payment systems is subject to erty does not need to be located in Hong Kong for the scheme to be a
a new licensing regime under the Payment Systems and Stored Value collective investment scheme. ‘Property’ in this context is not limited to
Facilities Ordinance. Operators of these facilities now require a licence real property.
from the HKMA. It is an offence in Hong Kong to issue any marketing material
that contains an offer to the Hong Kong public to acquire an interest
Consumer lending or participate in a collective investment scheme unless it has been
5 Is consumer lending regulated in your jurisdiction? authorised by the SFC or an exemption applies. Promoting a collective
investment scheme may also constitute a regulated activity for which a
Under Hong Kong law, the offering and provision of consumer lending is licence is required. It is possible that certain fintech activity could consti-
not distinguished from primary lending. tute a collective investment scheme where the business concerned is
Lending (consumer lending and primary lending) is a regulated managing assets on behalf of participants who have invested through a
activity in the jurisdiction and is governed by the Money Lenders fintech platform (eg, investing in real estate or debt securities). Careful
Ordinance. The Money Lenders Ordinance requires that all loans made analysis of the specific circumstances and the way in which the platform
available in Hong Kong are by licensed moneylenders or authorised permits investors to participate will be required to determine whether it
institutions (eg, licensed banks, restricted-licence banks and deposit- constitutes a collective investment scheme.
taking companies under the Banking Ordinance).
There are a number of exemptions that, if applicable, mean no formal Alternative investment funds
licence is required. The loan and lending entity would need to satisfy 8 Are managers of alternative investment funds regulated?
one of the specified categories of exempted lenders and exempted loans
in Schedule 1 of the Money Lenders Ordinance. Examples of exempted Management of securities or futures contracts or real estate investment
loans are: schemes constitutes a regulated activity as it falls under Type 9: asset
• a loan made bona fide for the purchase of immovable property on management of the Securities and Futures Ordinance. Accordingly,
the security of a mortgage of that property and a loan made bona managers of alternative investment funds that invest in real estate
fide to refinance such a mortgage; or securities (which are widely defined) or futures contracts require a
• a loan made by a company, firm or individual whose ordinary busi- licence to do so.
ness does not primarily or mainly involve the lending of money in The SFC confirmed in November 2018 that companies engaged in
the ordinary course of that business; the distribution to the Hong Kong public of funds that invest in virtual
• an intra-group loan; and assets are required to be licensed for Type 1 activity whether or not
• a loan made to a company that has a paid-up share capital of such virtual assets amount to ‘securities’. In addition, the SFC will now
not less than HK$1 million or an equivalent amount in any other apply additional conditions on licensed corporations that manage or
approved currency. distribute funds that invest, solely or partially, (more than 10 per cent
of the gross asset value) in, or that have a stated investment objective
Secondary market loan trading to invest in, virtual assets. These conditions include a restriction that
6 Are there restrictions on trading loans in the secondary such funds can only be invested in, or offered to, professional investors.
market in your jurisdiction?
Peer-to-peer and marketplace lending
Secondary market loan trading is not a regulated activity in itself but it 9 Describe any specific regulation of peer-to-peer or
constitutes primary lending regardless of whether the loan has been marketplace lending in your jurisdiction.
fully drawn and, therefore, the loan and lender are subject to the restric-
tions of the Money Lenders Ordinance. There are no specific regulations applicable to peer-to-peer (P2P)
However, secondary market loan intermediation is not a regulated or marketplace lending in Hong Kong. The SFC has issued a notice
activity, provided that it does not involve any lending or deposit-taking reminding potential P2P businesses that activity such as P2P lending
and provided that loans are not in the form of securities. might constitute a regulated activity, but much will depend on the
Hong Kong Simmons & Simmons LLP
precise structure of the platform. For example, it is likely that a platform Robo-advice
offering debentures or loan stocks would constitute a regulated activity 14 Describe any specific regulation of robo-advisers or other
of dealing in securities. companies that provide retail customers with automated
Additionally, it is an offence in Hong Kong to issue any marketing access to investment products in your jurisdiction.
material that contains an offer to the Hong Kong public to enter into
an agreement to acquire or dispose of securities, unless an exemp- Robo-advisers will usually need to be licensed by the SFC as they
tion applies. provide investment advice and services for dealing in securities.
In addition, the SFC has issued Guidelines on Online Distribution
Crowdfunding and Advisory Platforms that took effect on 6 July 2019 (the Guidelines).
10 Describe any specific regulation of crowdfunding in your The Guidelines set out requirements through the application of core
jurisdiction. principles concerning the proper design of the platform, clear disclo-
sure of information, risk management, governance, capabilities and
There are no specific regulations concerning crowdfunding. However, resources, review and monitoring of activities on the platform and
certain crowdfunding activity is likely to constitute a regulated activity. record-keeping. Specific guidance is also given concerning robo-advi-
For example, equity crowdfunding is likely to constitute dealing in secu- soes in respect of client profiling, system design and development,
rities and possibly advising on securities, both of which are regulated supervision and testing of algorithms and technology and staff resource
activities in Hong Kong. As such, the operator of these platforms would requirements.
need to be licensed by the SFC.
Additionally, it is an offence in Hong Kong to issue any marketing Insurance products
material that contains an offer to the Hong Kong public to enter into 15 Do fintech companies that sell or market insurance products
an agreement to acquire or dispose of securities unless an exemp- in your jurisdiction need to be regulated?
tion applies.
Yes, both insurance companies and insurance intermediaries (such as
Invoice trading agents) need to be authorised or registered, or both, with the Insurance
11 Describe any specific regulation of invoice trading in your Authority in Hong Kong.
jurisdiction.
Credit references
To the extent that an invoice is purchased, without risk of being re-char- 16 Are there any restrictions on providing credit references or
acterised as a loan for the purposes of the Money Lenders Ordinance, credit information services in your jurisdiction?
with true sale there is no specific regulation on the buying and selling
of invoices. This is common in factoring and invoice discounting The provision of credit ratings (opinions regarding the creditworthiness
arrangements. of entities other than an individual, securities and agreements to provide
However, if invoices are opened to the public and crowdfunded credit) is regulated, but the gathering, collating, dissemination or distri-
then the operator of the trading platform needs to follow certain regu- bution of information concerning the indebtedness or credit history of
lations. It is usually the case that if a platform investor is classed as a any person is not regulated (except under data protection law).
professional investor, then much of the regulation around crowdfunded
invoicing might not apply, depending on the platform structure. CROSS-BORDER REGULATION
Payment services Passporting

12 Are payment services regulated in your jurisdiction? 17 Can regulated activities be passported into your jurisdiction?
Payment services include a wide range of activities such as taking cash No.
deposits, making cash withdrawals, executing payment transactions,
issuing or acquiring of payment instruments, issuing and administering Requirement for a local presence
means of payment, making payments sent through the intermediary of a 18 Can fintech companies obtain a licence to provide financial
telecoms, IT system or network operator, or even providing stored value services in your jurisdiction without establishing a local
cards or devices. presence?
Payment services are regulated activities in Hong Kong and are
subject to the Banking Ordinance, the Anti-Money Laundering and It is unlikely that the SFC would grant a licence for regulated activities
Counter-Terrorist Financing Ordinance and the Payment Systems and to an entity that did not have a local presence. Equally, the Hong Kong
Stored Value Facilities Ordinance (as applicable). Monetary Authority is unlikely to provide a banking licence to an entity
that does not have a presence in Hong Kong as it would be difficult to
Open banking see how such an entity could comply with the obligations to which it
13 Are there any laws or regulations introduced to promote would be subject as a bank.
customer or product data available to third parties? SALES AND MARKETING
No. However, the HKMA published the Open Application Programming Restrictions
Interface (API) Framework for the Hong Kong Banking Sector in July 19 What restrictions apply to the sales and marketing of
2018. This is intended to encourage financial institutions to make financial services and products in your jurisdiction?
information available through open APIs within a staged time frame
depending on the type of information but this is not a regulatory The issuance of any marketing materials that contain an offer to the
requirement. Hong Kong public to enter into an agreement to acquire or dispose of
86 Fintech 2021
securities must be authorised by the Securities and Futures Commission, (eg, the persons authorised in the board resolutions to sign) is required
unless an exemption applies. (under section 121 of the Companies Ordinance).
A security agreement would typically be required to be executed as
CHANGE OF CONTROL a deed. As such, in respect of the execution by a Hong Kong company,
the deed should be executed either with the common seal affixed in
Notification and consent accordance with the requirements in the articles of association of the
20 Describe any rules relating to notification or consent company or, in accordance with the Companies Ordinance, without the
requirements if a regulated business changes control. common seal affixed but signed by, in the case of a Hong Kong company
with two or more directors, any two directors or any director and the
Different consent requirements apply to the acquisition of different company secretary or, in the case of a Hong Kong company with sole
types of regulated businesses. In general, where a person is to become director, its sole director.
a holder of a specified percentage of a regulated entity or will control a The key risk in respect of a peer-to-peer (P2P) marketplace lending
specified percentage of voting rights of that entity, prior consent must platform is that in respect of pure P2P lending involving companies or
be obtained from the relevant regulatory authority. For banks or enti- individuals lending via the lending platform, each such lending company
ties that hold a licence for regulated activity, before a person acquires a and individual may be regarded as carrying on a business as a money-
holding of more than 10 per cent of the issued shares, or prior to them lender and, thus, is subject to licensing and regulatory restrictions,
controlling, alone or with other associates, more than 10 per cent of the including the restrictions on the form of loan agreement, early payment,
voting rights in the bank or regulated entity, consent must be sought interest rate, moneylending advertisements and duty to provide infor-
from the Hong Kong Monetary Authority or Securities and Futures mation and so on under the Money Lenders Ordinance.
Commission respectively. Additional rules apply to persons becoming
majority holders of banks and to the acquisition of indirect sharehold- Assignment of loans
ings in regulated entities. Failure to obtain consent is a criminal offence. 24 What steps are required to perfect an assignment of
In all cases, advice should be sought as to the applicable requirements loans originated on a peer-to-peer or marketplace lending
and the process for obtaining consent. platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these
FINANCIAL CRIME loans without informing the borrower?
Anti-bribery and anti-money laundering procedures According to the Hong Kong Law Amendment and Reform (Consolidation)
21 Are fintech companies required by law or regulation to have Ordinance, the legal assignment of a loan by the assignor (ie, the lender)
procedures to combat bribery or money laundering? to the assignee (ie, the purchaser) will be perfected if:
• the assignor absolutely assigns the receivable to the assignee;
If the relevant entity is licensed for regulated activities, is licensed as • the assignment is in writing and signed by the assignor in favour
a bank, operates a money service or provides trust or company incor- of the assignee; and
poration services, it needs to comply with the Hong Kong legislation • a written notice of assignment is delivered to and received by the
in relation to anti-money laundering and counter-terrorist financing, party liable to pay the loan (the underlying debtor, in other words,
including establishing policies and procedures to identify clients and the borrower).
combat money laundering and terrorist financing. Whether these
requirements apply to companies that receive digital currencies or Regarding the written notice of assignment above, although there is no
launching ICOs will depend on whether they are carrying out a regu- time limit within which this notice of assignment has to be given, the
lated activity and are required to be licensed to do so. notice should be given as soon as possible to complete the perfection
The Hong Kong legislation in relation to the prevention of bribery of the assignment.
would also apply, and licensed companies should have in place policies If the assignment is not perfected, the assignment concerned may
and procedures to prevent bribery. still constitute an equitable assignment (in contrast to a legal assign-
ment), which is still recognised by the Hong Kong courts, although there
Guidance are some practical disadvantages that may affect enforcement.
22 Is there regulatory or industry anti-financial crime guidance The lender (as assignor) need not obtain the consent of the
for fintech companies? borrower unless the loan agreement between the lender and the
borrower contains a prohibition on the lender assigning certain or all of
There is no specific guidance for fintech companies, but there is guid- its rights under the loan agreement to a third party.
ance for licensed corporations and banks that would apply to fintech Notification to the borrower of the assignment is not mandatory
businesses that are licensed accordingly. for the assignment to be effective. However, there are a number of
practical and legal difficulties that arise from an assignment without
PEER-TO-PEER AND MARKETPLACE LENDING notice to the debtor (that is, an equitable assignment rather than a legal
assignment).
23 What are the requirements for executing loan agreements or Securitisation risk retention requirements
security agreements? Is there a risk that loan agreements 25 Are securitisation transactions subject to risk retention
or security agreements entered into on a peer-to-peer or requirements?
In June 2016, the Hong Kong Monetary Authority (HKMA) published the
A loan agreement does not need to be executed as a deed and, accord- Credit Risk Transfer Activities Module (the CRTA Module) for inclusion
ingly, in respect of a Hong Kong company entering into a loan agreement, in the HKMA Supervisory Policy Manual. The CRTA Module defines an
only the signature of the persons acting upon the company’s authority ‘originator’ as:
• a person who directly or indirectly originates the underlying expo- Crypto-assets

sures in a securitisation transaction; or 29 Are there rules or regulations governing the use of crypto-
• in relation to a securitisation transaction for which underlying assets, including digital currencies, digital wallets and
exposures are acquired from third-party entities, a person who e-money?
serves as a sponsor of the transaction by establishing, managing
and advising on the transaction or by providing any credit enhance- In respect of common ‘digital currencies’ or ‘digital wallets’, such as
ment or liquidity facility in respect of the transaction. bitcoin, the Hong Kong government considers that these are virtual
commodities and do not qualify as digital currencies with regard to
While there are no detailed risk retention requirements imposed on their nature and circulation in Hong Kong. In this regard, Hong Kong
originators, the CRTA Module provides that an originating authorised does not have any specific regulatory measures in respect of the use of
institution should ensure that investors have readily available access virtual commodities, but the existing laws provide for protection against
to all materially relevant data concerning the transaction, including, unlawful activities in general (eg, anti-money laundering, fraud and
where relevant and appropriate, the amount of risk retention by the terrorist financing).
authorised institution in the transaction and the manner in which the Financial institutions dealing with virtual commodities are required
risk is retained. to comply with regulations from time to time by the relevant financial
The CRTA Module also provides that an authorised institu- regulators, the Hong Kong Monetary Authority and the SFC. Additional
tion acting as an originator of a securitisation transaction should be requirements apply to companies engaged in distribution funds that
prepared to explain to the HKMA the possible impacts on its financial invest in virtual assets.
position, capital adequacy, liquidity and asset quality, with regard to the
risks incurred by it in the structure of the transaction including through Digital currency exchanges
retention of the first-loss tranche or provision of liquidity facilities. 30 Are there rules or regulations governing the operation of
The CRTA Module states that unless otherwise agreed with digital currency exchanges or brokerages?
the HKMA, an authorised institution should refrain from investing in,
or incurring an exposure to, a securitisation if the originator has not Basic digital currencies, such as bitcoin, are considered virtual commod-
disclosed its compliance with any risk retention requirements appli- ities, and, therefore, operating an exchange to trade these currencies is
cable to it (in any jurisdiction). not a regulated activity in Hong Kong. However, if a digital currency
falls within the definition of a ‘security’ in Hong Kong then trading
Securitisation confidentiality and data protection requirements these securities is a regulated activity and requires a licence. In addi-
26 Is a special purpose company used to purchase and securitise tion, investment products linked to digital currencies, such as bitcoin
peer-to-peer or marketplace loans subject to a duty of futures or funds linked to digital currencies, are considered securities,
confidentiality or data protection laws regarding information and offering or trading these products requires a licence.
relating to the borrowers? In November 2019, the SFC issued a position paper regarding the
regulation of asset trading platform operators that provide trading,
The Personal Data (Privacy) Ordinance governs the collection, use and clearing and settlement services for virtual assets where at least one of
dissemination of the personal data of living individuals. the virtual assets is a security. The SFC has confirmed that it can only
Data about or provided by obligors may also be protected by more regulate platform operators that provide services in relation to virtual
general Hong Kong legal and regulatory principles that require the assets that constitute securities and that these platform operators may
protection of confidential information. Largely, these apply irrespec- now apply for a licence. The SFC has adopted a set of regulatory stand-
tive of the legal structure of the obligor, but their precise application ards for virtual asset trading platforms that are comparable to those
depends on the circumstances. applicable to licensed security brokers and automated trading venues.
The SFC expects a number of platform operators to elect to be licensed
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER by choosing to trade virtual assets that are securities. The SFC will
TECHNOLOGY AND CRYPTO-ASSETS apply licensing conditions, including conditions that the platform may
only offer services to professional investors, that stringent criteria be
Artificial intelligence applied for the inclusion of virtual assets to be traded and that services
27 Are there rules or regulations governing the use of artificial must only be provided to clients that have sufficient knowledge of
intelligence, including in relation to robo-advice? virtual assets. There are also requirements for the platform operator
to adopt a reputable external market surveillance system and have in
The provision of investment advice is a regulated activity irrespective of place an insurance policy covering the risks associated with the custody
the method of delivery of the advice. There are no specific regulations of virtual assets. Initially, any licensed platform will be placed in the
governing the use of artificial intelligence and the provision of robo- SFC Regulatory Sandbox and be subject to more frequent monitoring
advice. However, the Securities and Futures Commission (SFC) has and reviews.
issued guidelines on online distribution and advisory platforms, which
took effect from July 2019. The guidelines identify six core principles Initial coin offerings
that must be complied with by operators of online advice platforms and 31 Are there rules or regulations governing initial coin offerings
provide additional requirements for robo-advisers. (ICOs) or token generation events?
Distributed ledger technology The regulation of tokens offered in ICOs depends on the nature of the
28 Are there rules or regulations governing the use of tokens offered. Utility tokens that only provide membership or access to
distributed ledger technology or blockchains? a service or payment tokens that are only used as a means of payment
for goods or services (such as bitcoin) are not regulated. However,
There are no specific regulations or guidelines regarding the use of tokens that comprise securities under Hong Kong regulations are regu-
distributed ledger technologies. lated. For example, tokens that represent an asset such as a debt or a
88 Fintech 2021
claim on the issuer’s assets (such as a share in future earnings) or that Cybersecurity
amount to a collective investment scheme are securities. 33 What cybersecurity regulations or standards apply to fintech
Where the tokens involved in an ICO fall under the definition of businesses?
securities, dealing in or advising on these tokens, or managing or
marketing a fund investing in them, may constitute a regulated activity. There are no cybersecurity regulations or standards specifically
Persons engaging in a regulated activity targeting the Hong Kong public addressing fintech businesses in Hong Kong. Cybersecurity is covered
are required to be licensed by or registered with the SFC, irrespective under various laws and regulations, such as the Personal Data Privacy
of where they are located. In addition, investment products linked to any Ordinance and the Crimes Ordinance.
tokens (whether securities or not), such as futures or derivatives, are The Hong Kong Monetary Authority's (HKMA) Supervisory Policy
considered to be securities and offering, trading or advising on these Manual sets out the key regulatory standards that the HKMA expects
products is a regulated activity. authorised institutions to follow in relation to technology security and has
issued a circular on Cybersecurity Risk Management, requiring industry
DATA PROTECTION AND CYBERSECURITY players to establish appropriate governance frameworks. Several
frameworks were launched by HKMA to strengthen cyber resilience in
Data protection the banking sector, including the Enhanced Competency Framework on
32 What rules and regulations govern the processing and Cybersecurity and the Cybersecurity Assessment Framework.
transfer (domestic and cross-border) of data relating to The Securities and Futures Commission has issued the Guidelines
fintech products and services? for Reducing and Mitigating Hacking Risks Associated with Internet
Trading, and the Circular to All Licensed Corporations on Cybersecurity,
There are no specific regulations governing the processing and transfer setting out areas that licensed corporations should pay close attention
of data relating to fintech products and services in Hong Kong, but to when reviewing and mitigating their cybersecurity risks, as well as
fintech companies are required to comply with the Personal Data certain controls that these corporations should consider implementing
(Privacy) Ordinance (PDPO) when collecting or using the personal where applicable.
data of individuals. Personal data is information that relates to a living
person and can be used to identify that person, where the data is in a OUTSOURCING AND CLOUD COMPUTING
form in which access or processing is practicable. Organisations that
collect and use personal data must comply with, among other things, six Outsourcing
data protection principles, which include the following. 34 Are there legal requirements or regulatory guidance with
• DPP1: personal data can only be collected for a purpose directly respect to the outsourcing by a financial services company of
related to a function and activity of the data user in a lawful and a material aspect of its business?
fair manner, and the amount of data to be collected must not be
excessive. Data subjects have to be informed of the purpose of the The Securities and Futures Commission (SFC) has endorsed the
collection of data and how it will be used. Principles on Outsourcing of Financial Services for Market Intermediaries
• DPP2: data users must take all practicable steps to ensure published by the International Organisation of Securities Commission
personal data remains accurate and is deleted after the purpose of (the IOSCO Principles) but there are no specific regulations or guidance
collecting this data is fulfilled. issued by the SFC on outsourcing. There are specific requirements that
• DPP3: unless the data subject has given prior consent, personal regulated entities must comply with, such as record-keeping require-
data can only be used for the purpose for which it was originally ments, which are relevant to decisions to outsource parts of the business.
collected or a directly related purpose. The Hong Kong Monetary Authority (HKMA), which regulates
• DPP4: data users must take all practicable steps to ensure that authorised institutions, such as banks, includes in its supervisory policy
personal data is protected against unauthorised or accidental manual a chapter on outsourcing. The HKMA expects authorised insti-
accessing, processing, loss or erasure. tutions to be aware of their legal obligations to meet the minimum
• DPP5: data users should stipulate, publish and implement poli- authorisation criteria under the Banking Ordinance in relation to
cies in relation to personal data that can generally be achieved by outsourcing plans. In particular, authorised institutions need to have
having a data privacy policy in place. adequate accounting systems and systems of control and to conduct
• DPP6: individuals have rights of access to and correction of their their business with integrity, competence and in a manner not detri-
personal data. Data users should comply with data access or data mental to the interests of depositors.
correction requests within the requisite time limit, unless reasons
for rejection prescribed in the PDPO are applicable. Cloud computing
The Hong Kong Privacy Commissioner issued an information leaflet respect to the use of cloud computing in the financial services
in March 2019 explaining the privacy implications and risks of fintech industry?
applications. The publication also recommends good practices in rela-
tion to data privacy for fintech operators. The Hong Kong Privacy Commissioner, the HKMA and the SFC have
The Hong Kong Privacy Commissioner has also published an infor- published guidelines on outsourcing and data privacy in connection with
mation leaflet – ‘Matching Procedure: Some Common Questions’ – that cloud computing.
emphasises the importance of obtaining consent from all individual data The Hong Kong Privacy Commissioner has published various guide-
subjects or the Privacy Commissioner if the process of aggregation of lines, circulars and information leaflets providing guidance on measures
personal data for commercial gain constitutes a matching procedure and best recommended practices that are pertinent to cloud services.
under the PDPO, to ensure that the risk of potential harm to the relevant These include having contractual arrangements between providers and
data subjects is minimised. It also issued the ‘Guidance on the Proper customers of cloud services, to address the Privacy Commissioner’s key
Handling of Customers’ Personal Data for the Banking Industry’. concerns relating to loss of control, and the use, retention or erasure
and security, of personal data when it is stored in the cloud.
The HKMA’s Supervisory Policy Manual sets out the key regulatory IP developed by employees and contractors
standards that the HKMA expects authorised institutions to follow, or 37 Who owns new intellectual property developed by an
else be prepared to justify non-compliance, for managing technology employee during the course of employment? Do the same
risks and cybersecurity, covering topics such as: rules apply to new intellectual property developed by
• IT governance and oversight, system development and change contractors or consultants?
management;
• information processing; Copyright created by an employee in the course of his or her employ-
• communication network management; and ment is automatically owned by the employer unless otherwise agreed.
• management of technology service providers. An invention made by an employee belongs to the employer:
• if it was made in the course of the normal duties of the employee or
The SFC has endorsed the IOSCO Principles in relation to ‘licensed in the course of duties falling outside his or her normal duties, but
corporations’ outsourcing their activities. The SFC also issued guide- specifically assigned to him or her, and the circumstances in either
lines that require licensed corporations to establish policies and case were such that an invention might reasonably be expected to
procedures to ensure the integrity, security, availability, reliability and result from the carrying out of his or her duties; or
thoroughness of all information relevant to the licensed corporation’s • if the invention was made in the course of the duties of the employee
business, which extends to situations where data is stored in the cloud. and, at the time of making the invention, because of the nature of
Other best recommended practices relevant to cloud computing include: his or her duties and the particular responsibilities arising from
• reviewing policies and procedures to manage, identify and assess the nature of his or her duties, he or she had a special obligation to
cybersecurity threats and IT security controls; further the interests of the employer’s undertaking.
• considering the cybersecurity controls of third-party service
providers; and Copyright or inventions created by contractors or consultants in the
• ensuring continuity of critical activities and systems. course of their duties are owned by the contractor or consultant unless
otherwise agreed in writing. However, the person who commissions a
On 31 October 2019, the SFC issued a circular on the use of external copyrighted work has an exclusive licence to exploit the commissioned
electronic data storage by licensed corporations. The circular sets out work for all purposes that could reasonably have been contemplated by
various requirements in relation to licensed corporations' use of external the author and the person who commissioned the work at the time the
data storage providers (EDSPs). These include requirements to obtain work was commissioned, and the power to restrain any exploitation of
undertakings from EDSPs in favour of the SFC in certain circumstances the commissioned work for any purpose against which he or she could
and requirements regarding the management of risks and security with reasonably take objection.
regard to the use of EDSPs.
Joint ownership
INTELLECTUAL PROPERTY RIGHTS 38 Are there any restrictions on a joint owner of intellectual
IP protection for software intellectual property?
software, and how do you obtain those rights? If copyright is jointly owned (eg, copyright in respect of a computer
program that has been co-written by two people) then all joint owners
Computer programs (and preparatory design materials for computer must consent to any act restricted by copyright (such as its use, licensing
programs) are protected by copyright as literary works under the and assignment). As a result, the commercialisation of jointly owned
Copyright Ordinance. Copyright arises automatically as soon as the copyright can be a challenge unless all owners consent to its use. It is
computer program is recorded. Registration of copyright is not required advisable for the joint owners to enter into an agreement setting out
and is not possible in Hong Kong. how these rights should be exercised.
If the software code has been kept confidential, it may also be In respect of patents, each co-owner is entitled to an equal share in
protected as confidential information. No registration is required. the patent and can do anything in respect of the invention for his or her
Programs for computers, and schemes, rules or methods of doing own benefit without the consent or need to account to the other (in each
business ‘as such’, are expressly excluded from patentability under the case, subject to any other agreement reached between the co-owners).
Patents Ordinance.
Notwithstanding these exclusions, it is possible to obtain patents Trade secrets
for computer programs and business methods if it can be shown that 39 How are trade secrets protected? Are trade secrets kept
the underlying invention makes a ‘technical contribution’ over and confidential during court proceedings?
above that provided by the program or business method itself, such
as an improvement in the working of the computer. Accordingly, a Confidential information can be protected against misuse, provided
well-drafted patent may be able to bring a computer-based software the information in question has the necessary quality of confidence, is
or business method invention within this requirement, but this may be subject to an express or implied duty of confidence, and that no registra-
difficult to do and will not always be possible. Registration formalities tion is necessary (or possible).
must be followed to obtain protection. Confidential information can be kept confidential during civil
In particular, ‘standard’ patents are based on patents applied for proceedings with the permission of the court.
and granted by one of three designated patent offices, namely, in China,
the UK and the European Patent Office (where the UK is designated).
They have a maximum period of protection of 20 years from the filing
date of the designated application.
90 Fintech 2021
Branding
branding and how do you obtain those rights? How can
fintech businesses ensure they do not infringe existing
brands?
Brands can be protected as registered trademarks in Hong Kong. A

brand can also be protected under the common law tort of passing-off if
it has acquired sufficient goodwill. Certain branding, such as logos and Ian Wood
ian.wood@simmons-simmons.com
stylised marks, can also be protected by design rights and may also be
protected by copyright as artistic works.
The HK Registry trademark database can be searched to identify 30th Floor, One Taikoo Place
potentially problematic trademarks that have been registered or applied 979 King’s Road
for. It is highly advisable for fintech businesses to conduct trademark Hong Kong
searches to check whether earlier registrations exist that are identical China
or similar to their proposed brand names. It may also be advisable to Tel: +852 2868 1131
Fax: +852 2810 5040
conduct searches of the internet for any unregistered trademark rights
www.simmons-simmons.com
that may prevent use of the proposed mark.
Remedies for infringement of IP

41 What remedies are available to individuals or companies IMMIGRATION
Remedies include: 45 What immigration schemes are available for fintech
• preliminary and final injunctions; businesses to recruit skilled staff from abroad? Are there
• damages or an account of profits; any special regimes specific to the technology or financial
• delivery up or destruction of infringing products; sectors?
• disclosure orders; and
• costs. The Hong Kong government launched three schemes to recruit skilled
staff in areas including the technology and financial sectors.
COMPETITION The Talent List of Hong Kong was promulgated to attract people
around the world who specialise in the 11 professions most needed for
Sector-specific issues Hong Kong’s economic development, including ‘Experienced profes-
42 Are there any specific competition issues that exist with sionals in Fintech’, ‘Experienced data scientists and experienced cyber
respect to fintech companies in your jurisdiction? security specialists’ and ‘Innovation and technology experts’. These
candidates are potentially eligible for immigration via the Quality Migrant
There is a competition regime under the Competition Ordinance in Hong Admission Scheme, which does not require them to have secured an
Kong that applies to all entities carrying out business in Hong Kong. offer of local employment for settlement in Hong Kong.
There are no particular aspects of this regime that would affect fintech The Innovation and Technology Commission introduced the
businesses disproportionately to other businesses. Technology Talent Admission Scheme, a three-year scheme that
provides a fast-track arrangement for admission of overseas and main-
TAX land research and development talent. Eligible technology companies
and institutes, including those engaged in the areas of fintech, artifi-
Incentives cial intelligence and cybersecurity, may be granted quotas to sponsor
43 Are there any tax incentives available for fintech companies eligible persons to apply for employment visas or entry permits.
fintech sector in your jurisdiction? UPDATE AND TRENDS
There are no specific tax incentives applicable to fintech companies. Current developments
Increased tax burden trends to note?
could significantly increase tax or administrative costs for There is a particular focus on opening up banking and payment infra-
fintech companies in your jurisdiction? structure and services in Hong Kong and the roll-out of services by the
holders of the newly granted virtual bank licences. The industry is also
No. watching the effect of the recent developments regarding the regulation
of virtual assets platforms.
Coronavirus
for clients?
While there have not been any Hong Kong government support meas-
ures specifically targeted at the fintech sector, there are a number of
market-wide and industry programmes under which fintech business
may obtain support. These include low interest loans for small and
medium-sized enterprises (SMEs) and an SME financing guarantee
scheme, pre-approved loan principal payment holidays, employee wage
support, subsidies for Securities and Futures Commission-licensed indi-
viduals and waivers of business registration and annual return fees.
92 Fintech 2021
India
Anuj Kaila and Stephen Mathias
Kochhar & Co
FINTECH LANDSCAPE AND INITIATIVES banks, financial institutions and any other company partnering with or
providing support to financial services businesses, is eligible to qualify
General innovation climate under the regulatory sandbox. The relaxations extend to applicants
1 What is the general state of fintech innovation in your dealing with liquidity requirements, board composition, management
jurisdiction? experience, financial soundness and track record.
The Securities and Exchange Board of India, in May 2020, also
India has been the hub of fintech innovation over the past few years, released its own regulations on a regulatory sandbox for fintech compa-
and reports suggest there are over 2,000 fintech start-ups at present nies in relation to securities markets. This sandbox deals primarily with
in the country. seeking innovation in securities market-related data, which includes
India is the world’s second most populous country, but a large data from depositories (holding and KYC data), stock exchange data
percentage of the population has yet to take the benefit of true financial (transaction data, such as order logs and trade logs) and mutual
inclusiveness. Fintech companies have a unique opportunity to combine fund data.
finance and technology to offer more effective financial solutions than This regulatory acknowledgement of innovation comes as a boost
traditional institutions. for the industry, which has always been a few steps ahead of the regu-
Fintech innovation is taking place across various industry verti- latory framework. Many entities have already started testing their
cals, which include banking, payments, insurance, asset management, innovative products within these sandboxes.
brokerage, etc. Fintech companies also focus on machine learning The government has also, over the past few years, opened no-frills
that analyses customer expectations and matches them with appro- bank accounts for the majority of people without access to formal
priate services. banking. This has given direct access to millions of Indians to formal
With the advent of Aadhaar, a biometric-based identification project, banking solutions.
the government can directly transfer subsidy-based payments to the
bank accounts of holders without any third-party intervention. Aadhaar FINANCIAL REGULATION
is also being used to meet know-your-customer (KYC) requirements in a
cost-effective manner. However, a Supreme Court ruling in recent years Regulatory bodies
over fears of privacy breaches of data with Aadhaar has derailed many 3 Which bodies regulate the provision of fintech products and
fintech companies relying on the Aadhaar database for their businesses, services?
and the law is in the process of being amended to resolve this issue.
There is no universal regulatory body for fintech entities in India.
Government and regulatory support Depending on the product or service offered by the entity, the regula-
2 Do government bodies or regulators provide any support tory body governing the vertical would regulate those specific entities.
specific to financial innovation? If so, what are the key By and large, fintech products and services can be considered to fall
benefits of such support? under the purview of these regulators: the Reserve Bank of India (RBI);
the Securities Exchange Board of India (SEBI); the Ministry of Electronics
The Reserve Bank of India (RBI) set up an inter-regulatory working and Information Technology; the Ministry of Corporate Affairs; and the
group to look into the granular aspects of fintech and its implications so Insurance Regulatory and the Development Authority of India (IRDAI).
as to review the regulatory framework and to respond to the dynamics However, the RBI currently regulates the majority of fintech companies
of the rapidly evolving scenario of the market concerned. The working dealing with payment aggregation and gateways, account aggregation,
group recommended the introduction of an appropriate framework for peer-to-peer (P2P) lending, cryptocurrencies, payments, etc.
a regulatory sandbox and to provide an environment for developing
fintech innovations and testing applications and application program- Regulated activities
ming interfaces developed by banks and fintech companies. 4 Which activities trigger a licensing requirement in your
Accordingly, the RBI, in August 2019, released regulations on jurisdiction?
a regulatory sandbox for fintech entities to enable and encourage
innovation in the industry with minimum regulatory supervision. The Indian law regulates various types of financial services. Advisory
innovative products permitted to be tested within the sandbox include work relating to investments in Indian securities requires a licence
retail payments, money transfer services, digital KYC, smart contracts, as an investment adviser. Certain types of investment banking, such
marketplace lending, financial advisory services, wealth management as assisting private companies in obtaining funding, are considered to
services, digital identification services, financial inclusion products be outside the scope of the licence. There are also licensed merchant
and cybersecurity products. Any fintech company, including start-ups, bankers; for example, making a public issue on the stock exchanges or
India Kochhar & Co
a public offer under the Takeover Code would need the support of a Asset reconstruction companies or securitisation companies are
registered merchant banker. There are different categories of merchant permitted to securitise the acquired debt and sell the securitised debt
bankers, and the functions of each level of category vary. There are only to qualified institutional buyers, which include banks, insurance
other categories of agencies that require a licence, such as custodians, companies and foreign institutional investors.
stockbrokers, underwriters, portfolio managers, credit rating agencies, Risk participation, either funded or unfunded, is unregulated in
foreign institutional investors, venture capital funds, depositories and India, and banks and NBFCs rarely enter into domestic risk participation
stock exchanges. transactions.
There are various categories of institutions that can engage in In June 2020, the RBI released draft guidelines easing securitisa-
lending. These are banks that include scheduled commercial banks tion and loan sale guidelines.
and non-scheduled commercial banks, cooperative society banks,
small finance banks, non-banking financial companies (NBFCs) and Collective investment schemes
moneylenders. In respect of deposits, there are various categories of 7 Describe the regulatory regime for collective investment
institutions that can receive deposits. These are banks that include schemes and whether fintech companies providing alternative
scheduled commercial banks and non-scheduled commercial banks, finance products or services would fall within its scope.
cooperative society banks, small finance banks, NBFCs that are author-
ised to receive deposits and payment banks. There is also the concept There are several categories of collective investment schemes. These are,
of a chit fund, which receives contributions from members and periodi- broadly, mutual funds, alternative investment funds (AIFs) and collective
cally conducts a lottery to pay the winner. Post offices can also receive investment schemes, all of which must be registered with SEBI. Mutual
deposits. There is a provident fund that is a pension scheme operated funds are primarily focused on listed equity and debt instruments, and
by the government. Mutual funds are also regulated. anyone can participate in a mutual fund. AIFs are primarily focused on
Factoring can be undertaken by banks, NBFCs registered as factors unlisted instruments, and primarily institutional investors invest in AIFs
with the RBI and certain other government entities. owing to a significant minimum investment by an investor.
Invoice discounting can be undertaken by banks, NBFCs and The regulations on collective investment schemes cover all other
corporates. forms of collective investment schemes. The regulations are extremely
Bonds and debentures can be listed on stock exchanges as public stringent on collective investment management companies; for example,
offerings. Syndications of loans are generally not regulated unless they there are requirements for rating, insurance, appraisal, schemes to be
are converted into securitised instruments. closed-ended, no guaranteed returns and restrictions on advertise-
Payment services are also regulated and are particularly relevant ment materials. Units subscribed to collective investment schemes
to fintech. are freely transferable. A fintech company must be registered as a
Entities in India can deal in foreign exchange trading only with collective investment management company to deal with collective
permitted stock exchanges and banks in India. Other entities, such as investment schemes. However, alternative financial services, such as
fully fledged money changers, are also permitted to deal with foreign P2P or marketplace lenders, would not fall under the ambit of collective
exchange. Indian residents are not permitted to trade in foreign investment schemes. There are separate regulations governing these
exchange through overseas trading platforms. services, which a fintech company must comply with.
Consumer lending Alternative investment funds

5 Is consumer lending regulated in your jurisdiction? 8 Are managers of alternative investment funds regulated?
Yes, consumer lending is regulated. There are various types of insti- Yes, managers of AIFs are regulated. There are requirements regarding
tutions that are entitled to engage in consumer lending. These are their qualifications and minimum years of experience. The manager or
banks that include scheduled commercial banks and non-scheduled sponsor of an AIF is also required to have a minimum investment in the
commercial banks, NBFCs, cooperative society banks, small finance fund of not less than 2.5 per cent or 50 million rupees, whichever is lower.
banks, microfinance institutions and moneylenders. Regulations require There are requirements relating to disclosure of their investments.
lending agencies to maintain standards relating to capital adequacy,
prudential norms, cash reserve ratio, statutory liquidity ratio, credit Peer-to-peer and marketplace lending
ceiling, know-your-customer guidelines, etc, although each of these 9 Describe any specific regulation of peer-to-peer or
norms would apply to each category of lending agency in a different marketplace lending in your jurisdiction.
manner. Each agency plays a different role in terms of the type of
lending and the kind of borrower. For example, infrastructure NBFCs The RBI is the authority that regulates P2P lending in India. All P2P
can extend credit facilities to entities in the transport, energy, water and lending platforms must be registered with the RBI as an NBFC. The eligi-
sanitation, and communications sectors. Loans and advances of up to bility requirements for a company to register as a P2P lending platform
2.5 million rupees are required to constitute at least 50 per cent of the include, among other things:
loan portfolio of small finance banks. • a minimum capital of 20 million rupees;
• that the company applying for registration is incorporated in India;
Secondary market loan trading • that a robust and secure information technology system is in place;
6 Are there restrictions on trading loans in the secondary • that there is a viable business plan; and
market in your jurisdiction? • that the promoters and directors fulfil the fit and proper criteria laid
down by the RBI.
Issuance and listing of debt securities and public offer and listing of
securitised debt instruments are regulated in India. Trading of debt Although many analysts have cheered the steps taken by the RBI to
securities and securitised debt instruments in the secondary market is regulate the P2P industry, the regulations themselves are extremely
permitted after the debt securities or securitised debt instruments are stringent in respect of the scope of activities that can be undertaken by
listed on a recognised stock exchange. these entities. For example:
94 Fintech 2021
Kochhar & Co India
• P2P lending can only be done on an unsecured basis; The RBI, in March 2020, released regulations dealing with payment
• loan maturity is capped at 36 months; aggregators and payment gateways. Payment aggregators are enti-
• there is a limit of 50,000 rupees regarding exposure between the ties that facilitate the process for e-commerce sites and merchants to
same lender and borrower; accept various payment instruments from customers for the completion
• there is a limit of 1 million rupees in respect of exposure of a of their payment obligations, without the requirement for merchants to
borrower across all P2P lending platforms and 5 million rupees for create a separate payment integration system of their own. Payment
lenders across all P2P lending platforms; and aggregators make it easier for merchants to connect with acquirers,
• there must be quarterly reporting to the RBI. and, in the process, they receive payments from customers, and pool
and transfer them to the merchants.
Crowdfunding A payment aggregator must obtain a licence to carry on its busi-
10 Describe any specific regulation of crowdfunding in your ness, and it must strictly adhere to the technology specifications laid
jurisdiction. down in the regulations. Some of the conditions to be met by payment
aggregators are:
To the extent that crowdfunding involves investments in equity or debt • it must have a minimum net worth of 150 million rupees;
instruments, these would be regulated by company or securities law. • e-commerce entities engaging in payment aggregation should hive
A private company cannot access capital from the public and cannot off the payment aggregation business into a separate entity and
have more than 200 shareholders. It also cannot accept deposits from apply for a license;
the public. A public company must follow primary market processes for • it must follow stringent settlement timelines with merchants;
equity or debt funding. There are no regulations that deal directly with • it must adhere to know-your-customer and anti-money laundering
crowdfunding. guidelines prescribed by the government;
For other types of funding, that is, those that are not debt or equity • it must maintain an escrow account parking all merchant
based, the law is not settled at the moment as all kinds of crowdfunding proceeds; and
could be considered as ‘deposits’. We believe that crowdfunding that • it must do authenticity checks on merchants.
can be justified as an advance against purchase of a product would be
permitted in India. The regulations are only advisory in nature for payment gateways.
After the overnight demonetisation of the 500-rupee and 1,000-
Invoice trading rupee notes in circulation on 8 November 2016, digital payments have
11 Describe any specific regulation of invoice trading in your seen huge traction in the country. At the forefront of this traction are
jurisdiction. e-wallets; it is believed that e-wallet transactions have increased 40
times in the past five years. E-wallets are frequently used for online
To enhance the ease of financing micro, small and medium-sized enter- purchase of goods and services. They have also gained popularity
prises in India, the RBI has given approval to three companies to set because of the requirement of a second authentication (such as Visa
up invoice discounting platforms. The Trade Receivables Discounting Verify or MasterCard Secure Code) for ‘card not present’ credit card
System (TReDS) is a fintech platform where financers discount invoices and debit card transactions. This is difficult for services such as Uber.
due by corporates, government entities, etc. TReDS requires a minimum Accordingly, customers use payment wallets that allow for automatic
paid-up capital of 250 million rupees, and entities, other than the debit without the need for a second authentication.
promoters, are not permitted to maintain shareholding in excess of 10
per cent in TReDS. Open banking
13 Are there any laws or regulations introduced to promote
Payment services competition that require financial institutions to make
12 Are payment services regulated in your jurisdiction? customer or product data available to third parties?
Yes, payment services are regulated under the Payment and Settlement The laws regarding disclosure of customer data to third parties are
Systems Act 2007. A payment system is defined as ‘a system that enables not very well established in India. Banks are required to adhere to the
payment to be effected between a payer and a beneficiary, involving guidelines on information security, electronic banking, technology risk
clearing, payment or settlement service or all of them, but does not management and cyber fraud issued by the RBI to ensure the data
include a stock exchange’. These include credit cards, debit cards, smart protection of customers.
cards and money transfers. Any entity interested in commencing a Under normal circumstances, disclosure of customer data requires
payment system is required to obtain authorisation from RBI. prior written approval from the customer. This is usually obtained in
The categories of payment providers are payment aggregators and the account opening forms or provided for in the terms and condi-
payment gateways, prepaid payment instruments, financial market infra- tions. Under the current legal framework, financial institutions are only
structure (clearing houses), retail payment organisations, card payment obliged to share this information where the disclosure is required by a
networks (Visa, MasterCard, etc), cross-border money transfers, ATM court of law or where the disclosure is necessary for government agen-
networks, white-label ATM operators and instant money transfer. cies mandated under law to procure the information.
There are three types of prepaid payment instruments: open
payment instruments, which are payment instruments that can be used Robo-advice
to make a payment to any merchant; semi-closed, which are payment 14 Describe any specific regulation of robo-advisers or other
instruments that can be used to make payment to a defined set of companies that provide retail customers with automated
merchants; and closed, which are payment instruments of a merchant access to investment products in your jurisdiction.
for payment only to that merchant. Open payment instruments can be
issued only by banks. Cash withdrawal is permitted only in the case of SEBI, which regulates all public listed securities, has, in recent years,
open payment instruments. Only closed payment instruments do not directed all fund houses and asset management companies to report
require registration under the regulations. with SEBI all artificial intelligence and machine learning applications
India Kochhar & Co
and systems offered and used by mutual funds. SEBI intends to conduct SALES AND MARKETING
a survey and create an inventory of the robo-advisory landscape in the
Indian financial markets to gain an in-depth understanding of the adop- Restrictions
tion of those technologies in the markets and to ensure preparedness 19 What restrictions apply to the sales and marketing of
for any robo-advisory policies that may arise in the future. SEBI also financial services and products in your jurisdiction?
wants to ensure that any advertised financial benefit owing to these
technologies in investor facing financial products do not constitute Rules on marketing materials for financial services are fairly limited.
misrepresentation. Information in prospectus and letters of offer for public and public offers
respectively are regulated. The Reserve Bank of India also requires
Insurance products financial companies to use only registered telemarketers for telemar-
15 Do fintech companies that sell or market insurance products keting activity.
in your jurisdiction need to be regulated?
CHANGE OF CONTROL
Selling and marketing of insurance products is regulated in India. The
statutory authority regulating insurance products in India is IRDAI. An Notification and consent
insurer must justify the premium amount and terms and conditions 20 Describe any rules relating to notification or consent
of the insurance policy to be offered to customers to IRDAI. A fintech requirements if a regulated business changes control.
company cannot offer any insurance product for sale unless the fintech
company is duly certified by IRDAI. Most regulated entities require prior notification or consent for changes
IRDAI has also issued guidelines on the advertisement, promotion in control. For non-banking financial companies, including peer-to-peer
and publicity of insurance companies and insurance intermediaries. entities and account aggregators, prior approval from the Reserve Bank
Fintech companies must comply with these guidelines in respect of of India (RBI) is required for a change beyond 26 per cent shareholding.
marketing insurance products. For banks, RBI approval is required for foreign investment beyond 49
per cent shareholding. Foreign investment in banks is capped at 74 per
Credit references cent. For insurance companies, prior RBI approval is required when the
16 Are there any restrictions on providing credit references or transferee’s shareholding is likely to exceed 5 per cent shareholding of
credit information services in your jurisdiction? the insurance company, and if a transferor intends to transfer more than
1 per cent of its shareholding of the insurance company. For prepaid
Companies carrying on the business of credit information services are payment instrument entities and payment aggregators, any takeover,
regulated under the Credit Information Companies (Regulation) Act acquisition or change in management should be communicated to the
2005. Under the provisions of the Act, those companies must obtain a RBI within 15 days.
certificate of registration from the RBI. Credit information companies
are required to have a minimum issued capital of 200 million rupees. FINANCIAL CRIME
The RBI has set up a Central Repository of Information on Large Credits
to collect, store and disseminate credit data to lenders. Under the Anti-bribery and anti-money laundering procedures
Insolvency and Bankruptcy Code 2016, information utilities have been 21 Are fintech companies required by law or regulation to have
set up where all credit information is required to be reported by lenders procedures to combat bribery or money laundering?
and borrowers.
India has a law on the prevention of corruption that penalises
CROSS-BORDER REGULATION corrupt practices. There are no requirements on framing policies or
conducting training.
Passporting The Prevention of Money Laundering Act 2002 prescribes strict
17 Can regulated activities be passported into your jurisdiction? criminal penalties on entities indulging in money laundering. It covers
involvement with or concealment, possession, acquisition or use
No, India does not allow passporting of regulated activities; that is, a of proceeds of a claim or projecting or claiming such proceeds as
financial services provider registered in one country is not entitled to untainted property.
engage in regulated financial services in India purely based on regis- The Reserve Bank of India has also prescribed stringent know-
tration in a foreign jurisdiction and would need to obtain registration your-customer (KYC) norms, anti-money laundering standards and
separately in India. guidelines on combating the financing of terrorism to be adhered to by
all banks, non-banking financial companies, payment system operators,
Requirement for a local presence e-wallet companies, etc.
18 Can fintech companies obtain a licence to provide financial Companies or exchanges dealing with digital currencies are gener-
services in your jurisdiction without establishing a local ally not regulated in India.
presence?
Guidance
By and large, this would be difficult as obtaining a licence for a regu- 22 Is there regulatory or industry anti-financial crime guidance
lated financial service is available only to agencies incorporated in India for fintech companies?
or, in the case of banks, that have a presence in India. It is possible for a
fintech company outside India to provide services outside India to Indian India has fairly detailed laws with regard to the prevention of money
nationals, especially for investments outside India. However, the scope laundering, KYC requirements, insider trading and combating the
for this is limited because exchange control restrictions may come in the financing of terrorism. Depending on the services provided by the
way of making payments outside India for services rendered. fintech companies, they may be governed by some of or all these regu-
lations. There is also a heightened awareness of identity fraud, and most
96 Fintech 2021
Kochhar & Co India
financial institutions require a much higher level of identity proof from necessary to make the assignment binding against the borrower. For
customers than is the case in many developing countries. example, A owes money to B, who transfers the right to receive the
Given the slow court process and inefficiencies of the investigative dues to C. B then demands the debt from A, who, having not received
agencies, financial institutions also resort to a high level of protection notice of the transfer, pays B. The payment is valid, and C cannot sue A
compared with developed countries, such as through higher security for the debt.
cover, undated cheques, bank guarantees, personal guarantees and the In June 2020, the Reserve Bank of India released draft guidelines
appointment of nominee directors. Fintech companies must consider easing securitisation and loan sale guidelines.
the optimal mix of these options to balance obtaining sufficient protec-
tion with ensuring business efficiency. Securitisation risk retention requirements
PEER-TO-PEER AND MARKETPLACE LENDING requirements?
Execution and enforceability of loan agreements The transferor transfers the risk of the underlying asset to the trans-
23 What are the requirements for executing loan agreements or feree. It is not necessary for the transferor to retain the risk from the
security agreements? Is there a risk that loan agreements underlying asset. This is usually negotiated and specifically agreed to
or security agreements entered into on a peer-to-peer or during the transfer.
Loan agreements and security agreements must be executed in accord- 26 Is a special purpose company used to purchase and securitise
ance with the constitutional documents of the entity and the corporate peer-to-peer or marketplace loans subject to a duty of
authorisations executed by the entity. Under Indian law, a mortgage confidentiality or data protection laws regarding information
deed – that is, relating to immovable property – is executed by the relating to the borrowers?
mortgagor, attested by two witnesses and registered with the relevant
land registry. Most security arrangements involving immovable prop- Under Indian banking laws, there is a central register maintained by the
erty relate to mortgage by deposit of title deeds. A mortgage by deposit regulator relating to security being provided by borrowers. This register
of title deeds or an equitable mortgage encompasses a declaration is accessible by any person upon payment of the prescribed fees.
provided by the mortgagor and a memorandum of entry in the records Outside this law, general laws on data protection and privacy apply,
of the mortgagee that records the deposit of title deeds. There are other and a duty of confidentiality also applies. The law provides for payment
various formalities to ensure perfection of the security documents. This of compensation on failure to exercise reasonable security practices
includes filing a form with the company registry and registration of the and procedures to protect sensitive personal data or information (which
charge with a central registry for security interest. includes financial information) that results in wrongful loss or gain, and
As long as the peer-to-peer (P2P) lending contracts are prop- a criminal penalty for disclosure of personal information in breach of
erly executed, they would be enforceable. While Indian law broadly contract or without consent of the data subject where the breach is done
allows electronic contracts, a key issue relates to stamp duty. Indian with the intention of or knowing that it is likely to result in wrongful loss
state governments are yet to introduce digital stamping of documents. or wrongful gain.
There is, therefore, likely to be a need for contracts to be printed and
stamped to comply with laws on stamp duty and for those contracts to ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
be admitted as evidence in court. TECHNOLOGY AND CRYPTO-ASSETS
Assignment of loans Artificial intelligence

24 What steps are required to perfect an assignment of 27 Are there rules or regulations governing the use of artificial
loans originated on a peer-to-peer or marketplace lending intelligence, including in relation to robo-advice?
assignment is not perfected? Is it possible to assign these The Securities Exchange Board of India (SEBI), which regulates all public
loans without informing the borrower? listed securities, has, in recent years, directed all fund houses and asset
management companies to report with SEBI all artificial intelligence
While there are some distinctions between assignment of rights versus and machine learning applications and systems offered and used by
obligations under a contract, it is preferable to state expressly in the mutual funds. SEBI intends to conduct a survey and create an inventory
contract whether the rights and obligations under the contract can be of the robo-advisory landscape in the Indian financial markets to gain
assigned, with or without the consent of the other party. A notice on the an in-depth understanding of the adoption of those technologies in the
assignment to the counterparty is required in certain instances and is markets and to ensure preparedness for any robo-advisory policies that
generally considered to be good practice. may arise in the future. SEBI also wants to ensure that any advertised
There are certain contracts under which assignment is prohibited. financial benefit owing to these technologies in investor facing financial
Contracts where personal skill or qualifications are involved cannot be products do not constitute misrepresentation.
assigned. This primarily stems from common law.
The assigner and the assignee may have to bear significant stamp Distributed ledger technology
duty on the assignment. If a document is not duly stamped, the docu- 28 Are there rules or regulations governing the use of
ment will not be admissible as evidence in court. distributed ledger technology or blockchains?
P2P lending platforms will be required to adhere to the same
method of assignment as described above. There are no legal or regulatory rules currently in place in relation to
Under Indian law, for assignment of actionable claims, the assign- the use of distributed ledger technology in India. The Reserve Bank of
ment must be executed by an instrument in writing by the assigner in India (RBI) has, in recent years, formally acknowledged blockchain tech-
favour of the assignee. A notice of the assignment to the borrower is nology and is exploring ways to further use it in financial transactions.
India Kochhar & Co
In 2015, the RBI released a Financial Stability Report, detailing the Initial coin offerings
possible impact of blockchain technology. The report recognises the 31 Are there rules or regulations governing initial coin offerings
need for the regulators and authorities to keep pace with developments (ICOs) or token generation events?
as many of the world’s largest banks are said to be supporting a joint
effort to set up a ‘private blockchain’ and build an industry-wide plat- ICOs are not regulated in India. The regulatory sandbox set up by the RBI
form for standardising the use of the technology. specifically restricts ICOs from being tested in it.
The importance of blockchain and distributed ledger technologies
also finds specific mention in the report published by the working group DATA PROTECTION AND CYBERSECURITY
set up by the RBI on fintech and digital banking. The working group
recognises the importance of adopting these technologies in the finan- Data protection
cial sector. On numerous occasions, the government has also made 32 What rules and regulations govern the processing and
public statements in support of vast adoption of these technologies in transfer (domestic and cross-border) of data relating to
various government sectors. A prime example of where the technology fintech products and services?
could be extremely useful in India is for maintaining land records, which
the government recognises and hopes to implement in the near future. India does not have a specific law on data protection. Certain provi-
Certain Indian banks have successfully used blockchain technology sions of the Information Technology Act 2000 (the IT Act) deal with data
in trade finance transactions with foreign banks. There are also reports protection.
on Indian banks looking to use blockchain technology to share know- There are two provisions, civil and criminal, on the use of personal
your-customer information through a private blockchain. data. A body corporate that has access to sensitive personal data or
information (SPDI) will be liable to compensation if it is negligent in using
Crypto-assets reasonable security practices and procedures (RSPP) in protecting such
29 Are there rules or regulations governing the use of crypto- SPDI and it results in wrongful loss or wrongful gain. SPDI includes:
assets, including digital currencies, digital wallets and • passwords;
e-money? • financial information, such as bank account, credit or debit card or
other payment instrument details;
On 6 April 2018, the RBI issued a circular prohibiting any entity regu- • information on physical, physiological and mental health conditions;
lated by the RBI (including banks, financial institutions, payment • sexual orientation;
gateways and digital wallets) from dealing with digital currencies or • medical records and history; and
providing services that facilitate any person or entity in dealing with or • biometric information.
settling digital currencies. The prohibition on services included main-
taining accounts, registering, trading, settling, clearing, giving loans RSPP refers to procedures determined by any law in force (at present,
against virtual tokens, accepting them as collateral, opening accounts none) or as agreed between the parties and, in the absence of those, the
of exchanges dealing with them and transferring or receiving money rules of the central government. Accordingly, it is open to an organisa-
in accounts relating to the purchase or sale of digital currencies. tion to agree privacy policies and security standards with its customers,
Regulated entities were given until 6 July 2018 to discontinue providing service providers, employees, etc. The central government rules are
those services. more in the nature of cursory privacy rules on collection, storage,
This circular essentially crippled the digital currency market transfer, etc, of SPDI. They prescribe no specific security standard.
in India. Users were only able to trade in digital currencies and not Indian law also imposes criminal penalties on an organisation
exchange or redeem them for Indian rupees as the mode of payment of providing a service that is in possession of personal information if it
Indian rupees is usually through banking channels. discloses the information in breach of contract or without the consent
This notification was appealed in the Supreme Court, which struck of the data subject and does so with the intention of or knowing that it is
down this order of the RBI. Entities have only recently resumed offering likely to result in wrongful gain or wrongful loss.
virtual currencies in India. However, banks in India are still cautious in There are some general data protection and security require-
dealing with any virtual currency operators. The government has, on ments applicable to the financial sector. For example, credit information
various occasions, displayed its displeasure on any cryptocurrencies companies are governed by certain norms concerning protection and
or virtual currencies being traded in India. Any entity dealing in those disclosure of personal information. The card-issuing entity should not
currencies in India should be extremely cautious in doing so. reveal any information relating to customers obtained at the time of
opening the account or issuing the credit card to any other person or
Digital currency exchanges organisation without obtaining their specific consent. The purpose for
30 Are there rules or regulations governing the operation of which the information would be used and the organisations with which
digital currency exchanges or brokerages? the information would be shared must also be disclosed.
The Reserve Bank of India (RBI) has frowned upon credit companies
There are no rules or guidelines relating to the operation of digital that obtain the consent of the customer for sharing their information,
currency exchanges or brokerages in India. That being said, on 6 furnished while applying for the credit card with other agencies, as part
April 2018, the RBI issued a circular prohibiting any entity regulated of the terms and conditions. Credit companies must provide the customer
by the RBI (including banks, financial institutions, payment gateways with the option to decide whether he or she is in agreement with the
and digital wallets) from dealing with digital currencies or providing credit company sharing the information with other agencies. Credit
services that facilitate any person or entity in dealing with or settling companies are also required to explicitly state and explain clearly to the
digital currencies. This notification was appealed in the Supreme Court, customer the full meaning and implications of the disclosure clause.
which struck down this order of the RBI. Entities have only recently Separately, the regulations governing account aggregators
resumed offering virtual currencies in India. prescribe a consent architecture to be followed by aggregators while
Specific advice should be sought for the nature of the exchange. collecting personal and sensitive personal information from the data
subject. They also impose restrictions on the sharing of financial
98 Fintech 2021
Kochhar & Co India
information without the consent of the data subject and a use limitation, Cloud computing
and they require the conducting of periodical information security audits. 35 Are there legal requirements or regulatory guidance with
The RBI has instructed all payment systems operators to store respect to the use of cloud computing in the financial services
the entirety of the data relating to payment systems, including the full industry?
end-to-end transaction details and the information collected, carried or
processed as part of the message or payment instruction, on servers At present there are no legal requirements or statutory guidance for use
located in India. The data storage norms also apply to system partici- of cloud computing.
pants, service providers, intermediaries, payment aggregators and The Institute for Development and Research in Banking Technology,
gateways, third-party vendors and other entities (whatever they are established by the RBI, has a centre for cloud computing. The centre
called) in the payments ecosystem who are retained or engaged by the focuses on providing suitable cloud platforms to banks for testing,
authorised or approved entities for providing payment services. If the undertaking studies on security, scalability and building secure cloud
processing of the payment transaction is done abroad, the data should storage, among other things.
be deleted from the systems abroad and brought back to India not A working committee formed by the RBI published a report on the
later than the one business day or 24 hours from payment processing, use of cloud computing by urban cooperative banks in 2012. The report
whichever is earlier. The data must be stored only in India, other than in tried to lay down the existing issues and the way forward for urban
cross-border payment transactions in which case a copy of the domestic cooperative banks to establish a robust IT network that includes cloud
component of the payment data may be stored abroad. computing.
India proposes to enact a Personal Data Protection Bill. It is There are various private players in the market offering their cloud
currently being reviewed by a joint committee of Parliament. Thereafter, computing services to banks and non-banking financial companies
it will be revised if required and then introduced in Parliament. The Bill (NBFCs). Banks and NBFCs in India are slowly accepting and moving
is expected to come into force before the end of 2020. towards those services.
Cybersecurity INTELLECTUAL PROPERTY RIGHTS

businesses? IP protection for software
The law currently does not contemplate any specific cybersecurity regu- software, and how do you obtain those rights?
lation or security standards to be complied with by fintech businesses
in India. The rules framed by the government under the IT Act for regu- Software can be protected under copyright law. The patent laws of India
lating SPDI do recommend a security standard (ie, IS/ISO/IEC 27001 provide fairly limited protection for software as they cannot protect soft-
information security standards) to be complied with while processing ware per se; it requires something in addition to the mere software for it
SPDI (financial information is SPDI). It is not mandatory to comply with to be patentable (eg, an operating system is patentable).
those rules, and parties can agree on RSPP and exclude the application
of those rules. IP developed by employees and contractors
37 Who owns new intellectual property developed by an
OUTSOURCING AND CLOUD COMPUTING employee during the course of employment? Do the same
rules apply to new intellectual property developed by
Outsourcing contractors or consultants?
respect to the outsourcing by a financial services company of In the case of copyright law, this would be the employer. In the case
a material aspect of its business? of patent law, it would be the inventor, who could be the employee.
Copyrights and patents can be assigned to the employer. In the case of
Outsourcing of core management functions – including internal audit, patents, the application for a patent must be accompanied by the assign-
compliance function and decision-making functions, such as deter- ment deed executed by the employee.
mining compliance with know-your-customer norms for opening deposit
accounts, according sanction for loans (including retail loans) and Joint ownership
managing investment portfolio – are not permitted. Outsourcing of other 38 Are there any restrictions on a joint owner of intellectual
functions is permitted. The banking laws prescribe certain principles on property’s right to use, license, charge or assign its right in
the basis of which a bank can outsource its functions, where this results intellectual property?
in data being processed, stored or accessed overseas. This is permitted
provided that the following conditions are met: In the case of patents, the Patents Act 1970 provides that the share in
• the off-shore regulator does not obstruct the arrangement or the patent held by a co-owner cannot be licensed or assigned without
prevent inspections by the Reserve Bank of India (RBI) or auditors; the consent of the other owners. The same applies to all other intellec-
• the availability of records to the management and the RBI is tual property rights. The licensing, charge and right to use would be in
not affected by the liquidation of the off-shore provider or the accordance with the agreement entered into, or it will be equal among
bank in India; the joint owners.
• the offshore regulator does not have access to the data simply The Trademarks Act does not impose any such specific condition.
because the data is being processed overseas; and However, it envisages that jointly owned trademarks cannot be used
• the jurisdiction of the courts in the offshore location does not extend in rivalry or in competition against each other, and there can only be
to the operations of the bank in India. one joint source in respect of the trademarks. Therefore, in the event of
subsequent rivalry, if any, between the co-owners, there cannot be two
The outsourcing regulations also require customer data to be isolated different owners of the trademarks.
and clearly identified, and they prohibit any merging of data.
India Kochhar & Co
Trade secrets A unique aspect of Indian law is that individuals can file a case of
39 How are trade secrets protected? Are trade secrets kept copyright or trademark infringement not just where the cause of action
confidential during court proceedings? arose or where the defendant resides or does business, but also where
the plaintiff resides and does business. Individuals can obtain Anton
India does not have a specific law dealing with trade secrets. Trade Piller orders for appointment of a court commissioner to conduct an
secrets are protected under the common law remedy of breach of confi- inspection, and it is possible to obtain injunctions.
dentiality. Confidentiality may be protected under contract or implied,
depending on the nature of the service. COMPETITION
Trade secrets are to be kept secret unless it is an inherent part
of the court proceedings; in that case, disclosure for the purpose of Sector-specific issues
providing evidence is required. This has sometimes acted as a deterrent 42 Are there any specific competition issues that exist with
to many from enforcing their trade secrets through the judicial process. respect to fintech companies in your jurisdiction?
Branding There are none. Indian competition law in general relates to anticompet-
40 What intellectual property rights are available to protect itive practices, monopolistic practices and merger control requirements,
branding and how do you obtain those rights? How can which are across all industries.
brands? TAX
Branding is largely protected under trademark law, whereby the indi- Incentives
vidual would need to register a trademark. The individual can file an 43 Are there any tax incentives available for fintech companies
action for infringement in the case of a registered trademark or a and investors to encourage innovation and investment in the
passing-off action in the case of unregistered marks. Indian law also fintech sector in your jurisdiction?
recognises the concept of transnational reputation of international
trademarks. There are no tax incentives specifically aimed at fintech companies.
Trademark owners can also register their brands with customs However, the fintech companies that qualify as start-ups may avail
authorities that could enable authorities to intercept goods they believe themselves of various benefits under the Startup India initiative
are counterfeits. The trademark owner can also claim prior use and launched by the Indian government. Tax benefits are also extended to
strike down a registered owner’s right, by seeking cancellation of the units in a special economic zone.
mark. The trademark owner can also keep watch and seek to oppose
any new marks that are the same or similar to the one owned by it. It Increased tax burden
can also obtain a copyright registration over the copyright in a mark. 44 Are there any new or proposed tax laws or guidance that
However, registration is not mandatory for ownership of copyright. could significantly increase tax or administrative costs for
A new business can undertake a trademark search to determine fintech companies in your jurisdiction?
whether a similar trademark has been registered. The trademark
registry is online, and the business can search via the trademark There are no specific additional taxes or exemptions for fintech compa-
registry website. The business can also undertake market studies or nies. However, under the Startup India initiative, certain companies
test marketing to see if similar unregistered marks are in use. It can falling under the ambit of the start-up definition are provided with tax
also search domain name registries to determine if websites with breaks to encourage innovation.
similar domain names have been registered.
IMMIGRATION
41 What remedies are available to individuals or companies Sector-specific schemes
whose intellectual property rights have been infringed? 45 What immigration schemes are available for fintech
If a trademark, copyright or patent has been infringed, the individual any special regimes specific to the technology or financial
would file a suit for infringement. In the case of a trademark, the indi- sectors?
vidual can also file a passing-off action. In the case of copyright and a
trademark, the individual can also pursue criminal remedies in the case There are no specific limits applicable for immigrants seeking employ-
of infringement. ment in India. There are certain criteria that the applicant must meet;
The Copyright Act deals with offences of infringement of copy- for example, a minimum salary of US$25,000 per year, subject to certain
right or other rights conferred under it. It provides for imprisonment exemptions given only to individuals with skills that are unavailable in
that ranges from six months to three years and a fine that ranges from India (such as highly qualified technical experts, senior executives in a
50,000 to 200,000 rupees. The Trademarks Act 1999 also deals with managerial position, etc). Labour and employment law in India dealing
criminal remedies against infringement and passing-off actions. Search- with immigration is complex and specific advice should be sought.
and-seizure procedures can also be invoked to deal with infringement.
Individuals can also engage in opposition proceedings in respect
of trademarks and patents that are sought to be registered. There is
a procedure for the cancellation of marks. In addition, individuals can
file actions with the company authorities in respect of companies regis-
tered with names that are similar to trademarks or other company
name; however, a trade name registration in no way confers trademark
protection.
100 Fintech 2021

Kochhar & Co India
UPDATE AND TRENDS
trends to note?
There has been a large amount of activity in the fintech regulatory space
during the past year. The government has formally recognised the
importance of this niche industry by setting up committees to study the Anuj Kaila
anuj.kaila@bgl.kochhar.com
development and future of the industry. It has also passed regulations
on peer-to-peer lending platforms and account aggregators directly in Stephen Mathias
relation to fintech entities. stephen.mathias@bgl.kochhar.com
Although the Supreme Court struck down the notification of the
Reserve Bank of India (RBI) restricting cryptocurrencies, banks are 201 Prestige Sigma
reluctant to deal with any money arising from the proceeds of crypto- 3 Vittal Mallya Road
currencies. The financial industry will likely wait for an official go-ahead Bangalore 560001
from the government to commence full-fledged operations dealing with India
cryptocurrencies, which is extremely unlikely to happen. Tel: +91 80 4030 8000
On 6 April 2018, the RBI issued directives to all payment system Fax: +91 80 4112 4998
providers to store all data relating to payment systems operated by www.kochhar.com
them only in India no later than 15 October 2018. The data includes the
full end-to-end transaction details – the information collected, carried
and processed as part of the message or payment instruction. For the
foreign leg of the transaction, if any, the data can also be stored in the
foreign country, if required. This has given rise to India–US tensions,
with the US government threatening retaliatory measures affecting
Indian businesses.
In March 2020, the RBI issued regulations regulating payment
aggregators and payment gateways. The regulations are extremely
broad and vague in nature, and they may end up including entities within
the ambit of a regulated payment aggregator without the regulator
intending to do so; for example, educational institutions or companies
running cafeterias permitting third-party stalls to sell food from time to
time (through an e-commerce site) and where the educational institute
or company collects the proceeds of the sale of the third-party vendor
and settles the payment with the third-party vendor within mutually
agreed timelines.
India proposes to enact a Personal Data Protection Bill. It is
currently being reviewed by a joint committee of Parliament. Thereafter,
it will be revised if required and then introduced in Parliament. The Bill
is expected to come into force before the end of 2020. The Bill is India’s
first attempt towards a specific data protection and privacy statute in
India. A large portion of the Bill seems to have been adopted from the
recent global data protection regulations of the European Union, and it
includes concepts such as the right to be forgotten, privacy by design,
consent-based approach, data localisation requirements, data protec-
tion offices and data protection authorities, etc.
Coronavirus
for clients?
The RBI extended the statutory deadlines earlier imposed on multiple

payment operators by a period ranging from two to nine months on
account of the lockdown, which was imposed by the government to
deal with the pandemic. Other measures include reduction in interest
rates and credit guarantee schemes to micro, small and medium-sized
enterprises.
Indonesia
Winnie Rolindrawan and Harry Kuswara
SSEK Legal Consultants
FINTECH LANDSCAPE AND INITIATIVES fintech activities that require licensing or registration in relation to mone-
tary stability, financial system stability and payment systems, as follows:
General innovation climate • payment system activities, including authorisation, clearing, final
1 What is the general state of fintech innovation in your settlement and implementation of payment; for example, block-
jurisdiction? chain or distributed ledgers for the provision of fund transfers,
electronic money, electronic wallet and mobile payments;
Fintech innovation is developing rapidly in Indonesia and the government • market support (ie, activities that use information or electronic
has issued several regulations relevant to fintech in recent years and technology, or both, to facilitate the faster and more cost-efficient
has endeavoured to register new fintech activities to ensure they do not provision of information to the public on financial products and
cause losses to the public. New innovations and solutions are surfacing services; for example, the provision of information comparing avail-
that are boosting the business activities they support, with more roles able products or services in the financial services area);
available as, for example, aggregators, e-know your customer support, • investment management and risk management for the provision of
financing agents, financial planners, equity crowdfunding support, online investment and online insurance, among others; and
payment system support and market support. Among fintech busi- • lending, financing or funding and capital raising including peer-
nesses, peer-to-peer lending appears to have had the largest impact on to-peer lending or information technology-based fundraising
the market to date and has received the most media coverage. (crowdfunding).
Government and regulatory support Digital financial innovation, commonly referred to as fintech, is regu-
2 Do government bodies or regulators provide any support lated from a financial services perspective under OJK Regulation No.
specific to financial innovation? If so, what are the key 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial
benefits of such support? Innovation in the Financial Services Sector. This regulation covers:
• transaction settlement: this focuses on, among other things, invest-
The government is continuously trying to monitor and supervise fintech ment settlement;
activities and developments in the sector. To keep abreast of recent • capital raising, such as equity crowdfunding, virtual exchange,
developments in the market, support the players and at the same time smart contracts and alternative due diligence;
ensure Indonesian consumers are well protected, the Indonesian central • investment management; for example, advance algorithms, cloud
bank, Bank Indonesia, and the Financial Services Authority (OJK) each computing, capability sharing, open source information technology,
provide sandboxes for new innovations with the potential to have a long automated advice and management, social trading and retail algo-
reach and an impact on Indonesian consumers. Bank Indonesia focuses rithmic trading;
on the aspects of the fintech sector related to payment systems and • fundraising and fund disbursement: this includes activities such as
the OJK focuses on the aspects of the fintech sector related to financial peer-to-peer lending, alternative adjudication and third-party appli-
services, such as banking, investment and insurance. cation programming interface;
• provision of insurance; for example, sharing economy, autonomous
FINANCIAL REGULATION vehicles, digital distribution and securitisation and hedge funds;
• market support; for example, artificial intelligence or machine
Regulatory bodies learning, machine readable news, big data, social sentiment, market
3 Which bodies regulate the provision of fintech products and information platforms and automated data collection and analysis;
services? • other digital finance supporting activities, such as social and
eco-crowdfunding, Islamic digital financing, e-waqf, e-zakat, robo-
Fintech products and services in Indonesia are mainly regulated by advisers and credit scoring; and
two government bodies, Bank Indonesia and the Financial Services • other financial services activities; for example, invoice trading,
Authority (OJK). vouchers and products using blockchain-based applications.
Regulated activities The Indonesian government fairly recently issued Government

4 Which activities trigger a licensing requirement in your Regulation No. 80 of 2019 regarding Trade Through Electronic Systems,
jurisdiction? dated 25 November 2019 (GR 80/2019). It then issued Minister of Trade
(MOT) Regulation No. 50 of 2020 regarding Provisions on Business
Bank Indonesia Regulation No. 19/12/PBI/2017 regarding the Licensing, Advertisements, Guidance and Supervision of Business
Organisation of Financial Technology, dated 30 November 2017, regulates Practitioners in Trade Through Electronic System, dated 19 May 2020 as
102 Fintech 2021

SSEK Legal Consultants Indonesia
an implementing regulation for GR 80/2019. These regulations impose Alternative investment funds
new obligations for organisers of trade through electronic systems 8 Are managers of alternative investment funds regulated?
(PPMSE), which is any business practitioner that provides electronic
communication facilities used in trade transactions. A PPMSE operating Collective investment in the form of an equity crowdfunding platform
from outside Indonesia and that fulfils certain criteria is now required is described as the provision of share offering services whereby the
to appoint a representative in Indonesia and, consequently, must have a issuers sell shares directly to investors through an open electronic
foreign trade company representative office in the country. PPMSE that system network, as governed by OJK Regulation No. 37/POJK.04/2018
have completed transactions with more than 1,000 consumers in a year regarding Equity Crowdfunding, dated 31 December 2018. Collective
or have delivered more than 1,000 packages to consumers in a year, or investment undertakings through the internet, whereby capital is raised
both, are required to appoint a representative in Indonesia. from a number of investors and invested in accordance with a defined
investment policy for the benefit of those investors, are not specifically
Consumer lending regulated.
5 Is consumer lending regulated in your jurisdiction?
Consumer lending is regulated in Indonesia, with a particular focus on 9 Describe any specific regulation of peer-to-peer or
information technology-based money lending services (peer-to-peer marketplace lending in your jurisdiction.
lending), as regulated under OJK Regulation No. 77/POJK.01/2016
regarding Information Technology-Based Money Lending Services, Marketplace lending is not specifically regulated in Indonesia. Peer-
dated 29 December 2016. The OJK has the authority to regulate, register to-peer lending is specifically regulated under OJK Regulation No. 77/
and issue licences, as well as supervise the fintech consumer lending POJK.01/2016 regarding Information Technology-Based Money Lending
industry. A company engaging in the provision of peer-to-peer lending Services, dated 29 December 2016. It provides the OJK the right to regu-
activities can have a maximum foreign ownership of 85 per cent, which late and supervise peer-to-peer lending activities, including handling the
means at least 15 per cent of the ownership must be in the hands of registration and licensing of peer-to-peer lending platform providers.
Indonesian parties. A company that wishes to register with the OJK Peer-to-peer lending in Indonesia is described as the provision of finan-
is required to have a minimum issued and paid-up capital of 1 billion cial services whereby the lender meets the borrower in the framework
Indonesian rupiahs. Once an applicant is registered, it will have one of entering into a lending agreement in rupiahs directly through an elec-
year to apply for a licence from the OJK, and the company’s minimum tronic system by using the internet.
issued and paid-up capital must then be 2.5 billion rupiahs. A company
engaging in the provision of peer-to-peer lending is not allowed to Crowdfunding
engage in any other business activities. The regulation refers to infor- 10 Describe any specific regulation of crowdfunding in your
mation technology-based money lending services (peer-to-peer lending) jurisdiction.
as the provision of financial services that allow the lender to meet the
borrower in the framework of entering into a lending agreement in To date there is no specific regulation that deals with donation-based
rupiahs directly through an electronic system by using the internet. crowdfunding in Indonesia. Equity crowdfunding covers the provision
of share offering services conducted by issuers to sell shares directly
Secondary market loan trading to investors through an open electronic system network. Equity crowd-
6 Are there restrictions on trading loans in the secondary funding is regulated under OJK Regulation No. 37/POJK.04/2018
market in your jurisdiction? regarding Equity Crowdfunding, dated 31 December 2018. Under this
regulation, a licensed equity crowdfunding platform provider or organ-
Currently, the trading of loans in the secondary market in Indonesia iser is able to provide access for issuers (Indonesian limited liability
is not specifically regulated and there is no specific restriction on companies) to sell their shares to investors that are also using the plat-
this activity. form. An equity crowdfunding platform company is required to be an
Indonesian limited liability company or an Indonesian cooperative with
Collective investment schemes a minimum issued and paid-up capital of 2.5 billion rupiahs and to have
7 Describe the regulatory regime for collective investment registered with and received a licence from the OJK to provide, manage
schemes and whether fintech companies providing and operate the equity crowdfunding platform.
scope. Invoice trading
The prevailing regulations do not categorise activities into collective jurisdiction.
investment schemes. They only specifically regulate alternative finance
products in the form of equity crowdfunding platforms. Peer-to-peer The prevailing regulations do not specifically address invoice trading
lending is described as an information technology-based money lending in Indonesia.
service, which is specifically regulated under a different regulation.
Equity crowdfunding is regulated under the auspices of the OJK, through Payment services
OJK Regulation No. 37/POJK.04/2018 regarding Equity Crowdfunding, 12 Are payment services regulated in your jurisdiction?
dated 31 December 2018. The OJK has the authority to regulate, register
and issue licences, as well as supervise equity crowdfunding activities. Payment services in Indonesia are regulated mainly by Indonesia’s
central bank, Bank Indonesia, which is in charge of regulating payment
system activities in Indonesia.
Indonesia SSEK Legal Consultants
Open banking The Credit Bureau Regulation also specifically mentions that a credit
13 Are there any laws or regulations introduced to promote bureau must be in the form of an Indonesian limited liability company
competition that require financial institutions to make and is subject to applicable foreign shareholding restrictions. In addition,
customer or product data available to third parties? a credit bureau must obtain a business licence from the OJK to conduct
its business activities. While the total ownership of one or more foreign
To date there is no law or regulation that requires financial institutions parties in a credit bureau is limited to 20 per cent, if one foreign party
to make customer or product data available to third parties, unless to owns more than one credit bureau that foreign party’s total ownership in
the relevant government agency or for law enforcement purposes. all the credit bureaus combined is limited to 20 per cent.
In collecting and processing credit information, a licensed Indonesian
Robo-advice credit bureau obtains credit data from the OJK. The credit data from the
14 Describe any specific regulation of robo-advisers or other OJK consists of data submitted to it by financial institutions. A licensed
companies that provide retail customers with automated Indonesian credit bureau may also cooperate with financial institutions
access to investment products in your jurisdiction. to obtain credit data or financial institutions and non-financial institutions
for other data, or both. A credit bureau must make an effort to ensure
To date there is no specific law or regulation that addresses robo- that the source of the data informs the relevant debtor or customer of
advisers or other companies that provide retail customers with how the credit data and other data will be utilised. Credit data is defined
automated access to investment products. as data regarding the condition of funding facility, funding from non-
bank institutions and other facilities that can be deemed similar to the
Insurance products foregoing.
15 Do fintech companies that sell or market insurance products Other data in relation to a credit bureau is defined as data other than
in your jurisdiction need to be regulated? credit data that can be used to describe the capability of a certain party
in fulfilling the party’s financial obligations.
In principle, the selling and marketing of insurance products in
Indonesia is regulated and licensed by the OJK, although there seems CROSS-BORDER REGULATION
to be no differentiation yet between fintech companies and companies
that engage in the conventional selling and marketing of insurance Passporting
products. In practice, licensed insurance companies in Indonesia have 17 Can regulated activities be passported into your jurisdiction?
been selling their products over the internet, through their own plat-
forms or by cooperating with other parties (eg, e-commerce platforms The prevailing laws and regulations in Indonesia do not recognise the
or e-money platforms) to assist in facilitating the selling and marketing concept of passporting, and regulated activities cannot be passported
of their insurance products. The OJK is still in discussions over whether into Indonesia.
unit-linked products can continue to be sold without a face-to-face
meeting with the potential insured party. The prevailing regulations Requirement for a local presence
require unit-linked products to be sold with a face-to-face meeting that 18 Can fintech companies obtain a licence to provide financial
is used to explain the product to the potential insured party. services in your jurisdiction without establishing a local
presence?
Credit references
16 Are there any restrictions on providing credit references or No. To obtain a licence from the Indonesian government to provide finan-
credit information services in your jurisdiction? cial services in Indonesia, a party must establish a local presence.
There are restrictions on providing credit information services. SALES AND MARKETING
In Indonesia, credit reports can only be issued by a credit bureau
licensed by the Financial Services Authority (OJK). A credit report is Restrictions
defined under OJK Regulation 42/POJK.03/2019 regarding Credit 19 What restrictions apply to the sales and marketing of financial
Information Management Agencies dated 31 December 2019 and Bank services and products in your jurisdiction?
Indonesia Circular Letter No. 15/49/DPKL regarding Credit Information
Management Agencies dated 5 December 2013 (together, the Credit There are regulations for the sale and marketing of financial services and
Bureau Regulation) as a product or service generated by a credit bureau products in the traditional sense, such as conventional banking, invest-
in writing, verbally or by some other method, sourced from credit data ment and insurance. There is far less clarity regarding the organisation of
and other data owned by the credit bureau. The credit report generated the sale and marketing of unconventional financial services, for example,
by the credit bureau, among other things, contains information on: investments related to cryptocurrency and initial coin offerings. The main
• the feasibility of the debtor or customer to obtain funds; principle of sales and marketing by financial and fintech businesses is a
• the track record of the debtor or customer in fulfilling its fund prohibition on misleading information and causing loss for consumers.
provision obligations;
• the ability of the debtor or customer to fulfil its fund provision CHANGE OF CONTROL
obligations;
• the character of the debtor or customer; and Notification and consent
• other information that may be utilised to assess the abilities of the 20 Describe any rules relating to notification or consent
debtor or customer. requirements if a regulated business changes control.
Pursuant to the Credit Bureau Regulation, a credit bureau engages The rules relating to notification or consent requirements in a change
in the business activities of collecting credit data and other data, and of control depend on the specific licence held by the entity. As a matter
processing credit data and other data to generate a credit report. of general principle, entities holding a licence in the financial services
104 Fintech 2021

sector and the payment system services sector need to obtain prior • mechanism of dispute settlement; and
approval from the Indonesian central bank or the Financial Services • settlement mechanism if the provider is unable to continue its
Authority. operational activities.
FINANCIAL CRIME The provider is required to provide the lender with access to informa-
tion on the appropriation of funds. This information does not include
Anti-bribery and anti-money laundering procedures information related to the identity of the borrower. The information will
21 Are fintech companies required by law or regulation to have include, at least, the:
procedures to combat bribery or money laundering? • amount of loaned funds to the borrower;
• purpose of the use of the funds by the borrower;
In general, fintech companies are required to implement anti-money • amount of the loan interest; and
laundering procedures and also need to conform to anti-bribery regu- • tenor of the loan.
lations in Indonesia. Initial coin offering activities are not yet clearly
regulated in Indonesia. Commodity Futures Trading Regulatory Agency The lending agreement between the lender and borrower is made in
(Bappebti) Regulation No. 5 of 2019 (as amended by Bappebti Regulation electronic document format and must contain, at least, the:
No. 9 of 2019 regarding the Amendment of Bappebti Regulation 5/2019 • agreement number;
dated 26 July 2019; Bappebti Regulation No. 2 of 2020 regarding the • date of agreement;
Second Amendment of Bappebti Regulation 5/2019 dated 7 February • identities of the parties;
2020; and Bappebti Regulation No. 3 of 2020 regarding the Third • provisions on the rights and obligations of the parties;
Amendment of Bappebti Regulation 5/2019 dated 31 March 2020) • amount of the loan;
only deals specifically with the administration of the implementation • nterest rate of the loan;
of crypto-asset exchanges within Indonesia and does not address or • instalment value;
cover the implementation and operation of crypto-asset exchange plat- • tenor;
forms outside Indonesia offering products and services to customers in • object of guarantee (if any);
Indonesia on a cross-border basis. • breakdown of relevant expenses;
• provisions on fines (if any); and
Guidance • mechanism of dispute settlement.
22 Is there regulatory or industry anti-financial crime guidance
for fintech companies? The provider is required to provide the borrower with access to infor-
mation on the position of the received loan. This information will not
Currently, there is no specific regulatory or industry anti-financial crime include information related to the identity of the lender. The agreements
guidance for fintech companies. above are made by using electronic signatures in accordance with the
prevailing laws and regulations on electronic signatures. If the provider
PEER-TO-PEER AND MARKETPLACE LENDING uses a standard agreement (for any agreement between the provider
and the users of the platform, be it lenders or borrowers, the standard
Execution and enforceability of loan agreements agreement must not:
23 What are the requirements for executing loan agreements or • transfer the responsibilities or obligations of the provider to
security agreements? Is there a risk that loan agreements the user; or
or security agreements entered into on a peer-to-peer or • state that the user is subject to new regulations, addendums,
marketplace lending platform will not be enforceable? supplementary or amendments drawn up unilaterally by the
provider within the period during which the user uses the service.
Loan agreements in a peer-to-peer lending platform are acknowledged
and regulated. Based on Financial Services Authority Regulation No. 77/ A standard agreement or standard clause is described as a written
POJK.01/2016 regarding Information Technology-Based Money Lending agreement as set forth unilaterally by the provider and that contains
Services, dated 29 December 2016, there are two agreements in a peer- standard clauses regarding content, format, as well as method of
to-peer lending scheme: production, and is used to make a mass offer of service to users.
• an agreement between the provider of the peer-to-peer lending
service (the provider of the platform) and the lender; and Assignment of loans
• an agreement between the lender and the borrower. 24 What steps are required to perfect an assignment of
The agreement on the provision of peer-to-peer lending between a platform? What are the implications for the purchaser if the
provider and a lender is made in electronic document format and must assignment is not perfected? Is it possible to assign these
contain, at least, the: loans without informing the borrower?
• agreement number;
• date of agreement; Presently there is no specific fintech law or regulation that addresses
• identities of the parties; the assignment of loans on a peer-to-peer lending platform. Given this
• provisions on the rights and obligations of the parties; absence, the assignment of loans should be allowed under the freedom
• amount of the loan; of contract principle contained in the Indonesian civil law code. Any
• interest rate of the loan; assignment of a loan will need notification to the borrower.
• amount of commission;
• tenor;
• breakdown of relevant expenses;
• provisions on fines (if any);
Securitisation risk retention requirements ledgers are referred to as examples of other financial service activities,
25 Are securitisation transactions subject to risk retention which include such examples as invoice trading, vouchers and products
requirements? using blockchain-based applications.
This is not specifically regulated under the prevailing laws and regulations. Crypto-assets
29 Are there rules or regulations governing the use of crypto-
Securitisation confidentiality and data protection requirements assets, including digital currencies, digital wallets and
26 Is a special purpose company used to purchase and securitise e-money?
confidentiality or data protection laws regarding information Crypto-assets trade is specifically regulated in Indonesia by Bappebti,
relating to the borrowers? an agency under the Ministry of Trade, under the following regulations:
• Bappebti Regulation No. 5 of 2019 regarding the Technical Provisions
This is not specifically regulated under the prevailing laws and regula- for the Implementation of the Crypto Asset Physical Market in Futures
tions. However, to date, there is no exemption for business practitioners Exchange dated 8 February 2019 (Bappebti Regulation 5/2019);
for the implementation of data protection principles apart from for law • Bappebti Regulation No. 9 of 2019 regarding the Amendment of
enforcement and public interest purposes. Bappebti Regulation 5/2019, dated 26 July 2019;
• Bappebti Regulation No. 2 of 2020 regarding the Second Amendment
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER of Bappebti Regulation 5/2019, dated 7 February 2020; and
TECHNOLOGY AND CRYPTO-ASSETS • Bappebti Regulation No. 3 of 2020 regarding the Third Amendment
of Bappebti Regulation 5/2019, dated 31 March 2020.
Artificial intelligence
27 Are there rules or regulations governing the use of artificial nder the regulations listed above, crypto-assets are deemed commodi-
intelligence, including in relation to robo-advice? ties that can be traded in a crypto-asset exchange. The regulations
describe crypto-assets as intangible commodities in the form of
Presently, there is no specific law or regulation that addresses the use digital assets, using cryptography, peer-to-peer network and distrib-
of artificial intelligence, including robo-advice. However, artificial intel- uted ledger to manage the creation of new units, verify transactions
ligence is mentioned in Financial Services Authority (OJK) Regulation and secure transactions without any intervention by other parties. In
No. 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial Indonesia, crypto-assets or cryptocurrencies are not recognised as a
Innovation in the Financial Services Sector as one of the examples of payment instrument and, therefore, are prohibited from being used as
digital financial innovation in the category of market support. Other a payment instrument.
examples of market support include artificial intelligence or machine Digital wallets in Indonesia are commonly viewed as part of the
learning, machine-readable news, big data, social sentiment, market payment system environment and, therefore, are regulated under the
information platform, and automated data collection and analysis. Robo- regulations of Bank Indonesia, which oversees payment system activi-
advice is also referred to in this OJK Regulation as a type of other digital ties in Indonesia. Digital wallets or electronic wallets as referred to
finance supporting activity. Other examples activities include social and in regulations in Indonesia are mainly regulated by Bank Indonesia
eco-crowdfunding, Islamic digital financing, e-waqf, e-zakat, robo-advice Regulation No. 18/40/PBI/2016 regarding the Provision of Payment
and credit scoring. The regulation is silent on any specific provisions Transaction Processing, dated 9 November 2016. This regulation
for artificial intelligence and robo-advice. Therefore, the principles and defines an electronic wallet (e-wallet) as an electronic service to store
provisions under OJK Regulation No. 13/POJK.02/2018 is generally all payment instrument data (among others, payment instruments
applicable to artificial intelligence and robo-advice used in the fintech using cards and electronic money) and an e-wallet is also able to store
sector in Indonesia. credits (funds) to conduct payments.
E-money in Indonesia is also viewed as part of the payment system
Distributed ledger technology environment and is, therefore, regulated under regulations of Bank
28 Are there rules or regulations governing the use of Indonesia. E-money is mainly regulated by Bank Indonesia Regulation
distributed ledger technology or blockchains? No. 20/6/PBI/2018 regarding Electronic Money, dated 4 May 2018. This
regulation defines e-money as a payment instrument:
There is no specific rule or regulation governing the use of distributed • that is issued based on the value of money that has been first
ledger technology or blockchains. Blockchain and distributed ledger tech- deposited to the
nology is referred to in Bank Indonesia Regulation No. 19/12/PBI/2017 • issuer;
regarding the Organisation of Financial Technology, dated 30 November • where the value of money is deposited electronically in a server
2017. The regulation refers to blockchain and distributed ledgers as one of or chip; and
the recognised examples of fintech activities within the payment system • where the value of electronic money managed by the issuer does
category. Payment system activities include authorisation, clearing, final not constitute savings as intended in banking laws.
settlement and implementation of payments, with examples such as
blockchain or distributed ledgers for the provision of fund transfers, elec- E-money issued in Indonesia is required to be issued in Indonesian rupiahs.
tronic money, electronic wallets and mobile payments. The regulation is
silent on any specific provisions for artificial intelligence and robo-advice; Digital currency exchanges
therefore, the principles and provisions under Bank Indonesia Regulation 30 Are there rules or regulations governing the operation of
No. 19/12/PBI/2017 is generally applicable to blockchain and distributed digital currency exchanges or brokerages?
ledgers used in the fintech industry in Indonesia.
From the perspective of financial services, under OJK Regulation There is a regulation in Indonesia that specifically deals with the
No. 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial trading of crypto-assets. The operation of a digital currency exchange
Innovation in the Financial Services Sector, blockchain and distributed is governed by Bappebti Regulation No. 5 of 2019 and its amendments.
106 Fintech 2021

Initial coin offerings INTELLECTUAL PROPERTY RIGHTS

(ICOs) or token generation events? IP protection for software
There is, to date, no specific regulation governing initial coin offer- software, and how do you obtain those rights?
ings (ICOs) in Indonesia. Bappebti Regulation No. 5 of 2019, which is
the main regulation for crypto-assets, explicitly states that it does not Under Indonesian laws and regulations on intellectual property rights, a
regulate ICOs. computer program, which, consequently, includes software, is regulated
under Law No. 28 of 2014 regarding Copyrights, dated 16 October 2014.
DATA PROTECTION AND CYBERSECURITY Copyright protection for computer programs is automatically provided
by this law, without requiring the registration of this computer program.
Data protection
32 What rules and regulations govern the processing and IP developed by employees and contractors
transfer (domestic and cross-border) of data relating to 37 Who owns new intellectual property developed by an
fintech products and services? employee during the course of employment? Do the same
The main laws and regulations relevant to personal data protection and contractors or consultants?
transfer are:
• Law No. 11 of 2008 regarding Electronic Information and In principle, the IP rights will remain with the creators, which in this
Transaction, dated 21 April 2008, as amended by Law No. 19 of instance is the employees or contractors or consultants, unless stated
2016, dated 25 November 2016; otherwise in an agreement. To avoid any uncertainty, it is common prac-
• Government Regulation No. 71 of 2019 regarding the Provision of tice in Indonesia for the employer to include a clause in the agreement
Electronic Systems and Transactions, dated 10 October 2019; and with the employees or contractors or consultants that clearly states
• Minister of Communication and Informatics Regulation No. 20 of that the IP rights of the creation will be solely owned by the employee.
2016 regarding Personal Data Protection In Electronic Systems,
dated 1 December 2016. Joint ownership
38 Are there any restrictions on a joint owner of intellectual
Cybersecurity property’s right to use, license, charge or assign its right in
33 What cybersecurity regulations or standards apply to fintech intellectual property?
businesses?
There is no such restriction under Indonesian law.
There is, to date, no specific cybersecurity regulations or standards
applicable across the fintech sector in Indonesia. However, the obliga- Trade secrets
tions to maintain system security and transaction security seem to be 39 How are trade secrets protected? Are trade secrets kept
principles that generally exist in the various regulations related to the confidential during court proceedings?
fintech business.
Law No. 30 of 2000, issued on 20 December 2000 (the Trade Secret Law),
OUTSOURCING AND CLOUD COMPUTING provides a very generic approach to the definition of a trade secret. A
trade secret is defined as information that is not publicly known in the
Outsourcing fields of technology or business, with an economic value owing to its
34 Are there legal requirements or regulatory guidance with usefulness in a business activity, and whose confidentiality is kept by
respect to the outsourcing by a financial services company of the owner of the trade secret. The Trade Secret Law indicates that trade
a material aspect of its business? secrets are inherently protected without needing to undergo a specific
procedure. Holders of trade secrets may bring a claim for compensation
There is no specific legal requirement or regulatory guidance with and a cease-and-desist action. Court proceedings involving trade secrets
respect to the outsourcing by a financial services company of a material may be held confidentially upon the request of a party in the case.
aspect of its business.
Branding
Cloud computing 40 What intellectual property rights are available to protect
35 Are there legal requirements or regulatory guidance with branding and how do you obtain those rights? How can
respect to the use of cloud computing in the financial services fintech businesses ensure they do not infringe existing
industry? brands?
There is no specific legal requirement or regulatory guidance with Under Law No. 20 of 2016 regarding Marks and Geographical
respect to the use of cloud computing in the financial services industry. Indications, a brand (mark) is protected once it is registered with the
relevant government IP office in Indonesia. As a precautionary action
a fintech business can check with the government IP office to see if
there are similar brands or trademarks already registered in Indonesia.
It can also conduct market monitoring of known brands in its industry
in Indonesia.

Individuals or companies whose intellectual property rights have been

infringed may bring claims to the counterparty for compensation and a
cease-and-desist action. These claims can go through commercial court,
arbitration or alternative dispute settlement.
COMPETITION
Winnie Rolindrawan
Sector-specific issues winnierolindrawan@ssek.com
42 Are there any specific competition issues that exist with Harry Kuswara
respect to fintech companies in your jurisdiction? harrykuswara@ssek.com
The prevailing regulations do not address competition issues particular

Mayapada Tower I, 14th Floor
to fintech companies. We have not identified any specific competition
Jalan Jend. Sudirman Kav. 28
issues in the fintech industry. Jakarta, 12920
Indonesia
TAX Tel: +62 21 521 2038 / +62 21 2953 2000
www.ssek.com
Incentives
fintech sector in your jurisdiction? IMMIGRATION
There are no specific tax incentives available for fintech companies and Sector-specific schemes
investors. 45 What immigration schemes are available for fintech
Increased tax burden any special regimes specific to the technology or financial
44 Are there any new or proposed tax laws or guidance that sectors?
fintech companies in your jurisdiction? There is no specific immigration scheme for fintech businesses, and,
therefore, the general immigration scheme is applicable. An Indonesian
The Indonesian Minister of Finance (MOF) recently issued a regulation on entity must act as the sponsor for any foreign national who will work in
VAT for digital goods and services: MOF Regulation No. 48/PMK.03/2020 Indonesia, and foreign workers can only fill positions that are allowed
regarding Procedures for the Appointment of Collectors and for the for foreign workers, as set out by the Ministry of Manpower.
Collection, Deposit and Reporting of VAT for the Use Inside the Customs
Area of Intangible Taxable Goods and/or Taxable Services from Outside UPDATE AND TRENDS
the Customs Area through Electronic System Trade Activities. This is an
implementing regulation for Government Regulation in Lieu of Law No. Current developments
1 of 2020 regarding State Financial Policy and Financial System Stability 46 Are there any other current developments or emerging
for the Management of the Coronavirus or COVID-19 Pandemic and/ trends to note?
or in Facing Threats to the National Economy and/or Financial System
Stability (GR 1/2020). GR 1/2020 has since been adopted into law, as We understand that the Financial Services Authority has introduced a
Law No. 2 of 2020. Starting 1 July 2020, a 10 per cent VAT will be appli- moratorium on the registration and licensing of peer-to-peer lending
cable to intangible taxable goods and services from outside Indonesia companies in Indonesia. The Financial Services Authority will no longer
that are utilised in Indonesia through electronic system trade activities receive applications for the registration of peer-to-peer lending compa-
(PMSE). These goods and services include digital goods and services. If nies. There has been no confirmation on how long the moratorium
the utilisation of goods and services from outside Indonesia is the result will last. There are also ongoing discussions of a draft Personal Data
of a transaction between foreign traders or foreign service providers Protection Law, but it is not clear when the law might be passed by the
and the Indonesian purchasers, the VAT will be directly collected, paid House of Representatives and issued by the government.
and reported by these foreign parties. The foreign traders or foreign
service providers will be appointed by the Directorate General on Coronavirus
Taxation (DGT) as the PMSE VAT Collector. 47 What emergency legislation, relief programmes and other
To qualify as a PMSE VAT Collector a party must have a transac- initiatives specific to your practice area has your state
tion value with Indonesian purchasers that exceeds a certain threshold implemented to address the pandemic? Have any existing
within 12 months; a traffic volume or number of persons who accessed government programmes, laws or regulations been amended
the party’s platform that exceeds a certain threshold within 12 months; to address these concerns? What best practices are advisable
or both. These thresholds will be further set out by the DGT. Indonesian for clients?
government officials have been quoted in various media reports saying
that they are targeting providers such as Spotify and Netflix that operate The Indonesian government has not issued any specific emergency
outside of Indonesia with a significant number of users in the country. legislation or relief programme for fintech businesses.
108 Fintech 2021

Ireland
Liam Flynn and Lorna Smith
Matheson
FINTECH LANDSCAPE AND INITIATIVES The main state business and employment promotion agencies, IDA
Ireland and Enterprise Ireland, provide a range of support for fintech
General innovation climate operations at all levels of development, and the state investment fund
1 What is the general state of fintech innovation in your has made multiple venture capital or equity investments in promising
jurisdiction? fintech start-ups.
On 20 April 2018, the Central Bank launched its Innovation Hub.
Ireland has a very active fintech scene and is one of the leading juris- This is a direct and dedicated point of contact for firms developing or
dictions for fintech start-ups and corporate innovation in Europe. In implementing innovations in financial services based on new technolo-
addition, with the impact of Brexit still to be determined, many payments gies. This was to accommodate greater interaction with the growing
and e-money firms that previously provided services across the EU via a number of fintech businesses looking to set up operations in Dublin, or
UK payments or e-money licence have sought to obtain authorisation by expand their existing operations both in the regulated and unregulated
the Central Bank of Ireland (the Central Bank) so as to ensure continuity space. According to the Innovation Hub: 2019 Update, the innovation hub
of operations. This has led to a very significant increase in the number has facilitated 166 engagements.
of licensed payments and e-money firms, to 18 and 12 respectively, and
there are multiple further licence applications in the pipeline. Examples FINANCIAL REGULATION
of some of these companies that have chosen Ireland as their EU hub
are Stripe, Google Payments, Western Union, Currency Fair, Paysafe, Regulatory bodies
Coinbase and Facebook International Payments Limited. 3 Which bodies regulate the provision of fintech products and
Ireland has won an outsized share of European investment in services?
corporate innovation labs, with many global financial services groups
establishing their innovation labs in Ireland. Accelerator programmes There is only one financial services regulator in Ireland, the Central
are also expanding their activities in Ireland, with Dublin being added Bank of Ireland (the Central Bank), which is responsible for author-
as one of two accelerator locations by the NadiFin FinTech accelerator ising and supervising all providers of regulated financial services. The
programme and the National Digital Research Centre expanding its Central Bank is responsible for both prudential supervision and conduct
activities outside Dublin to Waterford and Galway. Dublin remains the of business supervision of regulated entities that it has authorised.
hub for fintech activities in Ireland, but other regional centres are also Where a regulated firm has been authorised by a supervisory authority
seeing growth. in another EU or EEA jurisdiction, the home state regulator will be
Notwithstanding the burgeoning start-up scene, digital challenger responsible for prudential supervision, but the Central Bank will be
banks are only now penetrating the Irish market to any significant extent responsible for conduct of business supervision in Ireland. The Single
and there are currently no home-grown challenger banks. European Supervisory Mechanism at the European Central Bank also directly
digital operators have passported their services into Ireland but do not supervises significant credit institutions and has exclusive competence
yet pose an existential threat to traditional Irish banking houses. Robo- for the authorisation of credit institutions (other than branches of third-
advice has yet to make an appearance in the mainstream investments country credit institutions).
market. Many life and health insurers are now investigating the poten-
tial incorporation of wearable devices into insurance underwriting, and Regulated activities
some of the main motor insurers have launched safe driving apps that 4 Which activities trigger a licensing requirement in your
provide telematics-based discounts for drivers. jurisdiction?
Government and regulatory support Whether a fintech business needs to hold a financial services authori-
2 Do government bodies or regulators provide any support sation will depend on the nature of the activities that the firm engages
specific to financial innovation? If so, what are the key in. As far as investment-related activities are concerned, Directive
benefits of such support? 2014/65/EU (MiFID II) was transposed into Irish law by the European
Union (Markets in Financial Instruments) Regulations 2017 (the Irish
The government of Ireland is strongly supportive of fintech and in its MiFID II Regulations). Engaging in any of the investment services and
recently revised Strategy for the International Financial Services Sector activities listed in MiFID II, such as providing investment advice or
(‘Ireland for Finance 2025’) has stated its commitment to developing executing client orders, is a regulated activity requiring authorisation.
Ireland as a global leader in the financial services sector, creating an Other parts of the MiFID II package also have direct effect in Ireland.
environment in which both indigenous and multinational firms can draw Engaging in banking business requires authorisation under the
on key government incentives and supports to grow their businesses. Central Bank Act 1971. The European Union (Capital Requirements)
Ireland Matheson
Regulations 2014 transposed the Capital Requirements Directive Collective investment schemes
2013/36/EU (CRD IV) into Irish law, and the requirements for obtaining 7 Describe the regulatory regime for collective investment
an Irish banking licence are based on the transposition of the CRD IV schemes and whether fintech companies providing
package. Other parts of the CRD IV package also have direct effect in alternative finance products or services would fall within its
Ireland. Banking business means taking deposits or other repayable scope.
funds from members of the public and granting credit for own account.
There is a restriction in the 1971 Act, in the absence of an exemption Investment funds are authorised and regulated by the Central Bank, and
from the Central Bank, which prohibits anyone from using the term may be regulated as:
‘bank’ in their name or holding themselves out as a bank without • undertakings for collective investment in transferable securi-
holding the necessary authorisation. Ireland also has a regime for ties (UCITS) in accordance with the European Communities
authorising branches of credit institutions established in third countries (Undertakings for Collective Investment in Transferable Securities)
(third country branches) under section 9A of the Central Bank Act 1971. Regulations 2011, which implement the UCITS Directives into Irish
law, and the Central Bank (Supervision and Enforcement) Act
Consumer lending 2013 (Section 48(1)) (Undertakings for Collective Investment in
5 Is consumer lending regulated in your jurisdiction? Transferable Securities) Regulations 2019 (collectively the UCITS
Regulations); or
Subject to very limited exceptions, providing cash loans to individuals • retail investor alternative investment funds (RIAIFs) or qualifying
(not just consumers) in Ireland is a regulated activity requiring authori- investor alternative investment funds (QIAIFs) in accordance with
sation as a retail credit firm under the Central Bank Act 1997, unless the requirements of the Central Bank and of the European Union
the lender is otherwise authorised to provide such credit, for example, (Alternative Investment Fund Managers) Regulations 2013 (as
a bank. This is an Irish domestic licensing regime and does not derive amended) (the AIFM Regulations), which implement the Alternative
from an EU law obligation. Investment Fund Managers Directive 2011/61/EU (AIFMD) into
Multiple aspects of consumer lending are also regulated (at a Irish law.
conduct-of-business level) under the Consumer Credit Act 1995 and
the European Communities (Consumer Credit Agreement) Regulations UCITS, RIAIFs and QIAIFs may be organised through a number of legal
2010, which regulate the form and content of credit agreements. The structures, the most popular of which are the Irish collective asset-
1995 Act and the 2010 Regulations implement the provisions of Directive management vehicle (ICAV), the investment public limited company
87/102/EEC as amended, and Directive 2008/48/EC. (investment company) and authorised unit trusts. It is an offence to
The Central Bank’s Consumer Protection Code 2012 and asso- carry on business as an ICAV, investment company or authorised unit
ciated addenda (the CPC) are also relevant. The CPC applies to all trust unless authorised by the Central Bank.
financial services providers who are authorised, registered or licensed Fintech companies, whether providing alternative finance prod-
by the Central Bank, as well as financial services providers author- ucts or otherwise, would not typically fall to be regulated as investment
ised, registered or licensed in another EU or EEA member state when funds. However, fintech firms that fall within the definition of alterna-
providing services in Ireland on a branch or cross-border basis. The tive investment funds would require authorisation. Fintech companies
CPC essentially requires regulated entities to adhere to a set of general that provide services to investment funds may require authorisation
requirements such as to provide terms of business to consumers, if they are providing regulated depositary or administration services.
conduct know-your-customer, to establish the suitability of the product Depositaries and administrators to investment funds may also engage
and adhere to lending and advertisement requirements. fintech firms, in which case applicable Central Bank outsourcing require-
There are also separate requirements for mortgage lending ments may apply, although in general, the fintech service providers
to consumers, including the housing loan requirements under the would not themselves require authorisation.
Consumer Credit Act 1995, European Union (Consumer Mortgage
Credit Agreements) Regulations 2016, implementing the provisions Alternative investment funds
of Directive 2014/17/EU and the Central Bank’s Code of Conduct on 8 Are managers of alternative investment funds regulated?
Mortgage Arrears.
The Central Bank authorises and regulates Irish alternative investment
Secondary market loan trading fund managers (AIFMs) under the AIFM Regulations, as well as regu-
6 Are there restrictions on trading loans in the secondary lating UCITS management companies in accordance with the UCITS
market in your jurisdiction? Regulations, and non-UCITS management companies (a residual cate-
gory post-AIFMD). Most fintech companies would be expected to fall
Part V of the Central Bank Act 1997 regulates credit servicing, which outside the scope of the AIFM Regulations and the UCITS Regulations.
includes holding the legal title to loans made by regulated financial
services providers to individuals and small to medium-sized enterprises Peer-to-peer and marketplace lending
(SMEs). Credit servicing is a regulated activity requiring authorisation 9 Describe any specific regulation of peer-to-peer or
by the Central Bank of Ireland. Acquiring the beneficial interest in such marketplace lending in your jurisdiction.
loans is not, however, a regulated activity, although there are associated
licensing requirements applicable to entities that provide administra- There is currently no distinct regulatory regime for peer-to-peer or
tion or servicing in respect of such loans. Trading in non-SME corporate marketplace lending in Ireland. Some of the regimes described in this
loans is not, generally, a regulated activity in Ireland. chapter (eg, retail credit) may, however, be relevant depending on the
There may also be data protection issues and general contractual nature of the specific activities engaged in and a regulatory analysis of
issues that need to be addressed, irrespective of the nature of the loans the proposed process flow is therefore always advisable.
being traded.
110 Fintech 2021

Matheson Ireland
Crowdfunding Open banking

10 Describe any specific regulation of crowdfunding in your 13 Are there any laws or regulations introduced to promote
jurisdiction. competition that require financial institutions to make
customer or product data available to third parties?
Crowdfunding is not currently specifically regulated in Ireland,
assuming it does not involve deposit-taking, which may attract banking Yes. One of the main aims of PSD2 was to increase competition in the
regulation, or the promotion of equity investments, which may attract payment sector, introduce open banking and facilitate access by third-
prospectus regulation. However, some of the other regimes described in party providers to a user’s account held with their account servicing
this chapter (eg, payment services) may also be relevant depending on payment service provider (usually a bank). The Strong Customer
the nature of the specific activities engaged in and a regulatory analysis Authentication requirements came into effect in September 2019 and
of the proposed process flow is therefore always advisable. this has required account servicing payment service providers to
In March 2018, the European Commission presented a proposal develop and test APIs to facilitate open access by third-party providers.
for a regulation setting out a regulatory regime for crowdfunding
service providers, which would apply to crowdfunding service providers Robo-advice
involved in either peer-to-peer business lending where the investor has 14 Describe any specific regulation of robo-advisers or other
an expectation of a financial return or the investment crowdfunding companies that provide retail customers with automated
model, where investors receive shares or bonds in return for their access to investment products in your jurisdiction.
investments. If adopted, the regulation will allow in-scope platforms to
apply for an EU passport based on a single set of rules. To complement Robo-advice has yet to make a substantial impact on the Irish fintech
the new regulation on crowdfunding, the European Commission has landscape. In 2016, the Joint Committee of the European Supervisory
also proposed a directive amending MiFID II. These proposed instru- Authorities noted that while there had been growth in the use of robo-
ments are currently awaiting review by the European Parliament. advisers across the EU, the majority of advice provided is at least a
The Irish Department of Finance published a Consultation Paper hybrid of automated and human interaction, rather than fully auto-
on the Regulation of Crowdfunding in April 2017, followed by a feedback mated. In June 2017, the Central Bank published a discussion paper
statement. The government’s Ireland for Finance 2025 Strategy Paper on the Consumer Protection Code and the Digitalisation of Financial
in March 2019 included a proposal to regulate crowdfunding in Ireland Services. It identified an upward trend in the use of automated advice
and enact a domestic regulatory regime, in parallel with the European in the onboarding of new clients. These allow clients to input their risk
regulation, to ensure sufficient consumer protection for unsophisticated profile into the system and then view a series of potential outcomes
investors and to facilitate the growth of crowdfunding as an alternative based on their objectives and appetite for risk.
source of finance for Irish SMEs. In the same discussion paper, the Central Bank noted the risks
to customers stemming from robo-advice. It highlighted that there is
Invoice trading frequently reduced consumer awareness and understanding of the
11 Describe any specific regulation of invoice trading in your complexity of the underlying technologies and systems involved in
jurisdiction. the provision of the financial products and services such as the use
of algorithms. Despite these concerns, there was no update made to
Holding title to loans advanced to consumers and SMEs can constitute the Consumer Protection Code in light of the discussion paper. Robo-
credit servicing, requiring licensing under the Central Bank Act 1997 advisers in Ireland will be subject to the usual regulatory rules that
in certain circumstances. At a conduct of business level, the Central would apply to that financial product (eg, the Insurance Distribution
Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Directive (EU) 2016/97 as transposed into Irish law).
Small and Medium-Sized Enterprises) Regulations 2015 apply to regu-
lated financial services providers and regulate the provision of credit Insurance products
by a regulated entity to micro, small and medium-sized enterprises in 15 Do fintech companies that sell or market insurance products
Ireland. ‘Credit’ is broadly defined as a deferred payment, cash loan or in your jurisdiction need to be regulated?
other similar financial accommodation, including hire purchase, invoice
discounting and the letting of goods. There are no regulations specific Any entity that carries on insurance or reinsurance business in Ireland
to invoice trading, described as such, in Ireland. (ie, an insurance or reinsurance underwriter) requires an authorisation
in accordance with the requirements of Directive 2009/138/EC as imple-
Payment services mented in Ireland by the European Union (Insurance and Reinsurance)
12 Are payment services regulated in your jurisdiction? Regulations 2015.
The European Union (Insurance Distribution) Regulations 2018
Yes. The provision of payment services is a regulated activity requiring (the IDD Regulations) came into force on 1 October 2018 and transpose
authorisation under the European Union (Payment Services) Regulations the Insurance Distribution Directive (EU) 2016/97 into Irish law. The
2018 (the PSD Regulations), which transpose Directive 2015/2366/EU IDD Regulations set out authorisation and ongoing regulatory require-
(PSD2) into Irish law. Ireland’s implementation of PSD2 through the ments for any person engaged in ‘insurance distribution’ in Ireland.
PSD Regulations was consistent with the principle of maximum harmo- This is broadly defined to include advising on, proposing, or carrying
nisation and as such the PSD Regulations reflect the requirements of out other work preparatory to the conclusion of contracts of insurance,
PSD2 itself. of concluding such contracts, or of assisting in the administration and
Where PSD2 does not apply, there is a domestic regime under performance of these contracts. Any fintech firm that sells or markets
Part V of the Central Bank Act 1997 that regulates ‘money transmis- insurance products in Ireland (as a broker or agent) is likely to require
sion business’. Money transmission business is defined as a business authorisation in accordance with the IDD Regulations.
that comprises or includes providing a money transmission service to
members of the public.
Ireland Matheson
Credit references or the Irish Markets in Financial Instruments Directive Regulations.

16 Are there any restrictions on providing credit references or These regimes set out rules in relation to offering financial services and
credit information services in your jurisdiction? products, disclosure and transparency requirements for advertising
and rules relating to incentives for the sale of financial products and
The provision of third-party credit referencing or credit information services to customers in Ireland, among other matters.
services is not specifically regulated in Ireland, but historically this
activity has not been widespread – credit checking was conducted CHANGE OF CONTROL
directly by lenders themselves. Reflecting the fragmented credit infor-
mation formerly available in Ireland, the Credit Reporting Act 2013 and Notification and consent
associated regulations provide for the establishment and operation of a 20 Describe any rules relating to notification or consent
statutory central credit register (CCR) system, established and operated requirements if a regulated business changes control.
by the Central Bank. Credit providers in Ireland are required to provide
information to the Central Bank for entry to the CCR and are also obliged Most regulated businesses operating in Ireland are subject to change
to make an enquiry in respect of relevant credit applications. of control regimes that require direct and indirect acquisitions and
disposals of ‘qualifying holdings’ (10 per cent or more) to be notified
CROSS-BORDER REGULATION to the relevant competent authority. For firms authorised in Ireland the
notification is made to the Central Bank, which then has a specific time
Passporting period to review the change of control and request further information,
17 Can regulated activities be passported into your jurisdiction? confirm no objection, or object to the change. For credit institutions, the
European Central Bank also has a role in the assessment of change of
Yes, where the regulated activity is covered by relevant EU legislation, control notifications.
the provider is authorised in another EU or EEA member state and
subject to compliance with the applicable notification procedures under FINANCIAL CRIME
relevant legislation.
As a general principle, where a financial institution authorised Anti-bribery and anti-money laundering procedures
in another EU or EEA member state (the home state) passports its 21 Are fintech companies required by law or regulation to have
services into Ireland through the establishment of a branch in Ireland, procedures to combat bribery or money laundering?
or by providing its services on a cross-border services basis, the home
state regulator retains responsibility for the prudential supervision of The Criminal Justice (Corruption Offences) Act 2018 overhauled Irish
that entity. The regulator of the member state into which passporting anti-corruption laws and introduced a number of new offences, including
is undertaken (the host state), in this case the Central Bank of Ireland a corporate liability offence that allows for a corporate body to be held
(the Central Bank), will supervise the passported entity’s conduct of liable for corrupt actions committed for its benefit by any director,
business in Ireland. The Central Bank does not in general adopt a gold- manager, secretary, employee, agent or subsidiary. The single defence
plating approach, and in general local conduct of business rules are not available is demonstrating that the company took all reasonable steps
excessively onerous. and exercised all due diligence to avoid the offence being committed.
Many firms are now implementing robust procedures and delivering
Requirement for a local presence training to staff on anti-bribery and corruption rules as a result.
18 Can fintech companies obtain a licence to provide financial Any fintech company that is a ‘designated body’ for the purposes
services in your jurisdiction without establishing a local of the Criminal Justice (Money Laundering and Terrorist Financing)
presence? Act 2010 (CJA) will be subject to anti-money laundering (AML) and
counter-terrorist financing (CFT) requirements. Certain entities that are
Where a fintech company wishes to provide a regulated service, then, designated bodies for the purposes of the CJA, such as leasing compa-
subject to the ability to passport into Ireland on a services basis where nies, or those providing factoring services, do not require authorisations
the fintech company is authorised in another EU or EEA member state, or licences from the Central Bank of Ireland (the Central Bank), but are
it is not possible to provide regulated financial services in Ireland unless nevertheless subject to AML and CFT obligations under the CJA and
the fintech company establishes a presence in Ireland. are required to register with the Central Bank for that purpose. Fintech
The Central Bank, as the regulatory body responsible for author- providers that are not regulated should therefore check on a case-by-
ising firms providing regulated financial services in Ireland, applies case basis whether they are subject to the CJA.
minimum substance requirements depending on the nature, scale, The current position is that digital currencies or assets are not
complexity and risk profile of the firm and the proposed activities and generally recognised as being ‘money’ for AML purposes, which trig-
customers. gered the amendments set out in the Fifth Money Laundering Directive
(EU) 2018/843 (MLD5), to bring digital currency custodian wallet
SALES AND MARKETING providers, and providers engaged in exchange services between digital
currencies and fiat currencies, within its scope. MLD5 has not yet been
Restrictions transposed into Irish law and in May 2020, the European Commission
19 What restrictions apply to the sales and marketing of formally named Ireland, along with seven other member states, as in
financial services and products in your jurisdiction? default in this regard.
There is no cross-industry financial promotions regime under Irish law

and the promotion, sale and marketing of particular financial services
and products are governed by sector-specific requirements, for example
under the European Union (Insurance Distribution) Regulations 2018, the
Central Bank’s Consumer Protection Code 2012 and associated addenda
112 Fintech 2021

Matheson Ireland
Guidance to a third party. This obligation only applies to a regulated entity, which
22 Is there regulatory or industry anti-financial crime guidance would include regulated lenders and also regulated credit servicing
for fintech companies? firms appointed to hold the legal title to, or service, the loans. Assuming
there is no prohibition on assignment without the consent of the
There is nothing specific to fintech companies. In line with other regula- borrower under the terms of the loan, Irish law would not otherwise
tors, the Central Bank has generally increased its focus on AML/CFT require the borrower to be informed of the assignment. However, any
and cyber risks across all regulated financial services. The Central Bank such assignment without notice would take effect as an equitable
issued best practice guidance on cybersecurity within the investment assignment.
firm and fund services industry in September 2015, followed by cross-
industry guidance on information technology and cybersecurity risks in Securitisation risk retention requirements
September 2016. The Central Bank will also expect relevant firms to 25 Are securitisation transactions subject to risk retention
apply European Banking Authority guidelines and technical standards requirements?
published under Directive 2015/2366/EU and other specific regimes,
as applicable. There are also AML/CFT guidelines applicable to fintech The Securitisation Regulation (Regulation EU 2017/2402), which
business that are ‘designated persons’ for the purposes of the CJA. became directly applicable across the EU on 1 January 2019, applies in
Ireland. It requires institutional investors to ensure that the originator,
PEER-TO-PEER AND MARKETPLACE LENDING sponsor or original lender of a securitisation retains at least a 5 per cent
net economic interest in the securitisation.
23 What are the requirements for executing loan agreements or Securitisation confidentiality and data protection requirements
security agreements? Is there a risk that loan agreements 26 Is a special purpose company used to purchase and securitise
or security agreements entered into on a peer-to-peer or peer-to-peer or marketplace loans subject to a duty of
marketplace lending platform will not be enforceable? confidentiality or data protection laws regarding information
For a loan agreement or security agreement to be binding, there has to
be an offer, acceptance, consideration, intention to create legal relations Where the special purpose vehicle is established in Ireland and
and certainty as to terms. The application of these principles does not controls personal data, it will be subject to the full scope of Ireland’s
depend on the particular technology that is being used so that accept- data processing laws. Irish incorporated companies, partnerships or
ance can be evidenced by clicking in a designated box on a peer-to-peer other unincorporated associations formed under the law of Ireland, and
or marketplace lending platform website. persons not falling within the foregoing but who maintain in Ireland
There are additional requirements for specific types of loan an office, branch or agency, or a regular practice will be established in
agreement, for example under the European Communities (Consumer Ireland for these purposes. Data controllers that make use of equipment
Credit Agreements) Regulations 2010, the Consumer Credit Act 1995 in Ireland for processing data can also fall within the scope of Ireland’s
and the European Union (Consumer Mortgage Credit Agreements) data processing laws in certain circumstances. Broader confidentiality
Regulations 2016. provisions applicable to a special purpose vehicle would typically arise
A deed is necessary for certain types of transactions, including as a matter of contract, and the implied banker’s duty of confidentiality
property-related transactions. Deeds made by individuals must be at common law is unlikely to apply.
signed, and Irish law recognises electronic contracts and signatures in
accordance with the requirements of the Electronic Commerce Act 2000 ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
and Regulation 910/2014 on electronic identification and trust services TECHNOLOGY AND CRYPTO-ASSETS
for electronic transactions.
Assignment of loans 27 Are there rules or regulations governing the use of artificial
24 What steps are required to perfect an assignment of intelligence, including in relation to robo-advice?
platform? What are the implications for the purchaser if the There are no specific rules governing the use of artificial intelligence,
assignment is not perfected? Is it possible to assign these including in relation to robo-advice, in Ireland. However, a regulated
loans without informing the borrower? financial service provider would need to comply with applicable conduct
and regulatory requirements in applying artificial intelligence (and robo-
There are two main types of assignments of legal rights under Irish law: advice) to its regulated activities and would also need to ensure that
a legal assignment and an equitable assignment. Irish law is similar it complies with Irish equality legislation (the Equal Status Acts 2000–
to English law in this regard. The distinction can be important at point 2015) when using such technology to determine access to services.
of enforcement and in general terms, a legal assignment is prefer-
able. To create a legal assignment of a debt, the assignment must be in Distributed ledger technology
writing and signed by the assignor; the assignment must be absolute (ie, 28 Are there rules or regulations governing the use of
unconditional and not merely by way of security); and express notice in distributed ledger technology or blockchains?
writing must be given to the borrower from whom the assignor would
have been entitled to receive the debt. Part of a debt, or other legal There are no specific rules governing the use of distributed ledger
chose in action, may not be legally assigned; only the whole debt may technology or blockchain in Ireland, but a regulated financial service
be legally assigned. provider would need to comply with applicable conduct and regulatory
The Central Bank’s Consumer Protection Code 2012 and associ- requirements in applying such technologies to its regulated activities.
ated addenda requires a regulated entity to provide two months’ notice
before transferring any part of its regulated activities (including loans)
Ireland Matheson
Crypto-assets Cybersecurity
29 Are there rules or regulations governing the use of crypto- 33 What cybersecurity regulations or standards apply to fintech
assets, including digital currencies, digital wallets and businesses?
e-money?
The Central Bank of Ireland (the Central Bank) issued best practice
Assuming the crypto-assets are not financial instruments or other guidance on cybersecurity within the investment firm and fund services
forms of collective investment, there is no regulatory framework industry in September 2015, followed by cross-industry guidance on
governing crypto-assets in Ireland. When Fifth Money Laundering information technology and cybersecurity risks in September 2016. The
Directive (EU) 2018/843 (MLD5) is transposed into Irish law, this will Central Bank will also expect relevant firms to apply relevant European
impose anti-money laundering and counter-terrorist financing (AML/ Supervisory Authority guidelines, whether issued by the European
CFT) requirements on crypto-asset exchanges and wallet providers. In Banking Authority or the European Securities and Markets Authority
April 2020, the Central Bank of Ireland published a response to the EU (such as the Guidelines on security measures for operational and secu-
consultation on an EU framework for markets in crypto-assets. rity risks under Directive 2015/2366/EU and other specific regimes, as
applicable).
Digital currency exchanges
30 Are there rules or regulations governing the operation of OUTSOURCING AND CLOUD COMPUTING
Outsourcing
Assuming the digital currency is not linked to any financial instruments 34 Are there legal requirements or regulatory guidance with
and the exchange is not engaging in any other regulated activity, there respect to the outsourcing by a financial services company of
is no regulatory framework governing the operation of digital currency a material aspect of its business?
exchanges or brokerages. When MLD5 is transposed into Irish law, this
will impose AML/CFT requirements on digital currency exchanges and There are multiple sector-specific requirements governing outsourcing,
providers who exchange fiat currencies for digital currencies. for example, under the Directive 2014/65/EU and Directive 2009/138/
EC regimes. For credit institutions, payments and e-money firms, the
Initial coin offerings European Banking Authority (EBA) has issued extensive Guidelines as
31 Are there rules or regulations governing initial coin offerings of February 2019. The Central Bank of Ireland takes an active interest
(ICOs) or token generation events? in compliance by regulated firms with outsourcing requirements and in
November 2018, published a paper ‘Outsourcing – Findings and Issues
There are no laws specific to ICOs and offerings of digital assets in for Discussion’, highlighting the most obvious and minimum super-
Ireland, and it is possible, depending on the nature of the digital assets, visory expectations for regulated firms around the management of
that the offering, holding or trading of these assets may fall outside outsourcing risks.
current securities or prospectus law, financial services regulation and
other laws. Cloud computing
DATA PROTECTION AND CYBERSECURITY respect to the use of cloud computing in the financial services
industry?
Data protection
32 What rules and regulations govern the processing and The EBA published its ‘Guidelines on Outsourcing Arrangements’ in
transfer (domestic and cross-border) of data relating to February 2019 (the Outsourcing Guidelines). When the Outsourcing
fintech products and services? Guidelines entered into force on 30 September 2019, the EBA’s
‘Recommendations on outsourcing to cloud service providers’, which
The General Data Protection Directive (Regulation 2016/679) (GDPR) had been published in December 2017, were repealed.
has had effect in Ireland since 25 May 2018, and is supplemented by the
Data Protection Act 2018. The GDPR is intended to harmonise further the INTELLECTUAL PROPERTY RIGHTS
data protection regimes within the EU and a full account of its impact
is outside the scope of this chapter. For fintech operators, anonymisa- IP protection for software
tion and aggregation of data for commercial gain may be important. 36 Which intellectual property rights are available to protect
Aggregation of data for commercial gain will only be permissible where software, and how do you obtain those rights?
the collection, aggregation and commercial use of the data meets GDPR
requirements. There may be somewhat greater flexibility in the use of The principal intellectual property right that protects software is copy-
anonymised data for commercial gain. However, it is generally accepted right (the right to prevent others from, among other things, copying the
that the standard required for data to be truly anonymised (and therefore software). Under the Copyright Act 2000 (as amended), copyright vests
not be personal data) is a high one, and that anonymisation techniques in the author on creation. Organisations should ensure that they have
can only provide privacy guarantees if appropriate techniques are used appropriate copyright assignment provisions in place in all agreements
and the application of those techniques is engineered appropriately. they have with employees or contractors to ensure that they obtain
This is a complex area and any fintech operator considering engaging in these rights.
such techniques should seek appropriate specialist advice.
114 Fintech 2021

Matheson Ireland
IP developed by employees and contractors Branding

37 Who owns new intellectual property developed by an 40 What intellectual property rights are available to protect
employee during the course of employment? Do the same branding and how do you obtain those rights? How can
rules apply to new intellectual property developed by fintech businesses ensure they do not infringe existing
contractors or consultants? brands?
The default position under Irish law is that the employer owns intel- The main intellectual property rights available to protect branding are
lectual property developed by an employee during the course of registered and unregistered trade and service marks.
employment, unless it is otherwise stated in an agreement with the Registered trade and service mark rights only arise through regis-
employee. However, this default position does not extend to intellectual tration, and can be applied for either in Ireland (in respect of Ireland
property generated by an employee outside their employment (such as only) or more broadly in the EU (as an EU trademark) or internationally.
out of hours or off premises). Trade and service mark rights give registered owners certain rights to
Contractors and consultants (who are not employees) are gener- prevent others using identical or confusingly similar trademarks to their
ally not subject to the default position described above and, unless registered mark.
the agreement between the contractor or consultant includes an Brand owners can also rely on unregistered trademark rights
assignment or other transfer of intellectual property to the customer, through the common law tort of passing-off. This allows the owner to
the contractor or consultant will own any intellectual property rights prevent others from damaging their goodwill with customers by using
generated during the course of the work. Ownership of such intellec- branding or get up that is identical or confusingly similar to their own.
tual property, if related to the subject matter of employment, should be For certain branding (particularly complex branding with artistic
addressed through the relevant contract. elements), copyright protection may also be available.
Joint ownership Remedies for infringement of IP

38 Are there any restrictions on a joint owner of intellectual 41 What remedies are available to individuals or companies
property’s right to use, license, charge or assign its right in whose intellectual property rights have been infringed?
intellectual property?
The exact remedies available to individuals or companies depend on
Yes. Joint owners of patents cannot assign or grant a licence of an the intellectual property right that has been infringed, but generally,
interest in a patent or a design right without the consent of all other for infringements of trademarks, patents, copyright and design rights
joint owners. Under the Trade Marks Act 1996 (as amended) a joint under Irish law, the owner of the right may seek an injunction against
owner may sue another joint owner for trademark infringement where further infringement, damages, an account of any profit made by the
the trademark is used in relation to goods or services for which all joint infringer from any articles incorporating the infringed intellectual prop-
owners have not been connected in the course of trade. On the basis of erty, and delivery up or destruction of those articles.
this legislation, we would expect that the consent of all joint owners is
required for a licence of the trademark to be given. COMPETITION
Although the Copyright Act 2000 (as amended) is silent as to the
rights of joint copyright owners, the current common law position Sector-specific issues
appears to suggest that the consent of all co-owners is required for the 42 Are there any specific competition issues that exist with
grant of a licence to third parties. respect to fintech companies in your jurisdiction?
Trade secrets There are no competition issues that are specific to fintech companies
39 How are trade secrets protected? Are trade secrets kept in Ireland.
TAX
Trade secrets are not a standalone right and are not protected sepa-
rately from confidential information under Irish law. Confidential Incentives
information is protected either through a contractual agreement to 43 Are there any tax incentives available for fintech companies
keep certain information confidential, or through the common law obli- and investors to encourage innovation and investment in the
gation to keep information confidential (because of the nature of the fintech sector in your jurisdiction?
relationship between the discloser and disclosee, the nature of the
communication or the nature of the information itself). In addition to Irish corporation tax rate of 12.5 per cent, there are a
There is no general rule that requires confidential information that number of further Irish tax provisions that encourage innovation and
is revealed during court proceedings to be kept secret. It is possible investment in fintech in Ireland, including:
to obtain an order from a court limiting access to such confidential • a 25 per cent tax credit for qualifying R&D expenditure carried on
information, but such orders are given on a case-by-case basis and are within the EEA. This tax credit is in addition to the normal business
typically considered difficult to obtain. deduction for such R&D expenditure (at the 12.5 per cent rate), thus
providing relief for expenditure on R&D at an effective rate of 37.5
per cent. These credits may also be surrendered by the company to
key employees actively involved in R&D activities, thereby reducing
the effective rate of Irish income tax for such employees;
• a best-in-class ‘knowledge development box’ that complies with
the OECD’s ‘modified nexus’ standard. This can reduce the rate
of Irish corporation tax to 6.25 per cent for profits derived from
certain IP assets, where qualifying R&D activity is carried on in
Ireland Matheson
Ireland. This relief can also be claimed in conjunction with the R&D
tax credit;
• tax depreciation for certain intangible assets. Such assets can be
amortised for Irish corporation tax purposes either in line with
their accounting treatment or on a straight basis over 15 years;
• the Employment and Investment Incentive (EII) and Start-up
Refunds for Entrepreneurs schemes, which allow individual inves-
tors in fintech companies to obtain Irish income tax relief (of up to
41 per cent) on investments made, in each tax year, into certified
Liam Flynn
qualifying companies. Relief under the EII is available in respect of
liam.flynn@matheson.com
funding of up to €15 million and is available until 2020;
• entrepreneur relief, which allows for a capital gains tax rate of 10 Lorna Smith
per cent on the disposal of certain qualifying business assets up to lorna.smith@matheson.com
a lifetime amount of €1 million;
• an extensive double tax treaty network, totalling 74 treaties, that 70 Sir John Rogerson’s Quay
prevents the taxation of the same portion of a company’s income Dublin 2
by multiple jurisdictions; Ireland
• start-up relief, which provides for a reduction in corporation tax Tel: +353 1 232 2000
liability for the first three years of trading for companies of a Fax: +353 1 232 3333
certain size provided the company was incorporated on or after www.matheson.com
14 October 2008 and began trading between 1 January 2009 and
31 December 2021. This relief can be claimed on both profits from
trading and on capital gains; and
• a stamp duty exemption for transfers of intellectual property. Coronavirus
Increased tax burden initiatives specific to your practice area has your state
44 Are there any new or proposed tax laws or guidance that implemented to address the pandemic? Have any existing
could significantly increase tax or administrative costs for government programmes, laws or regulations been amended
fintech companies in your jurisdiction? to address these concerns? What best practices are advisable
for clients?
There are currently no proposals at Irish national level to significantly
increase tax or administrative costs for fintech companies in Ireland. The Irish Government announced a €5 billion stimulus package for busi-
The OECD has launched a new project on the tax challenges of digi- ness in July 2020, which is to be implemented in legislation shortly. The
talisation. Proposals in respect of this project should be made by the package will include enterprise supports to employers and enterprise-
end of 2020. focused tax reliefs.
The Central Bank has introduced certain initiatives in regulated
IMMIGRATION sectors more generally including the following.
• Countercyclical capital buffer (CCYB): the Central Bank has
Sector-specific schemes released the CCYB from 0 to 1 per cent to assist banks and support
45 What immigration schemes are available for fintech lending to households and businesses.
businesses to recruit skilled staff from abroad? Are there • Mortgage payment breaks: the Central Bank in conjunction with the
any special regimes specific to the technology or financial retail banks implemented a six-month payment break for mortgage
sectors? holders in difficulty as a result of covid-19.
• The Central Bank has established a COVID-19 Crisis Response
There are no specific immigration schemes available for fintech busi- Task Force, with a series of work streams covering subjects such
ness, or the technology and financial sectors, in Ireland. The ordinary as financial and operational resilience, funds and bank liquidity,
rules in relation to employment permit requirements apply. forbearance, and consumer-related issues.
• The Central Bank has announced a series of regulatory flexibility
UPDATE AND TRENDS measures for credit institutions, credit unions, insurers and rein-
surers, securities markets, investment management, investment
Current developments firms and fund service providers to assist with the pressures of the
46 Are there any other current developments or emerging covid-19 pandemic.
trends to note?
In terms of best practices, we are currently advising fintech clients to
We expect Ireland to continue to develop as a leading domicile in this ensure that operational risks continue to be managed, including busi-
area. We also expect the Central Bank of Ireland (the Central Bank) to ness continuity arrangements, and that they continue to ensure robust
follow best EU practice in its regulation of the sector and to adopt a governance and oversight remains in place over any outsourced func-
relatively accommodating approach to fintech innovation, but we do tions in the current environment, and that any changes to business
not necessarily expect the Central Bank to introduce a specific sandbox models and engagement models with customers as a result of covid-19
regime in Ireland. do not create any risks from a consumer protection perspective in terms
of transparency and disclosure, and treating customers fairly.
116 Fintech 2021

Japan
Akihito Miyake, Ken Kawai, Tomoyuki Tanaka and Asako Matsuo
Anderson Mori & Tomotsune

In Japan, fintech innovation has been quite active in almost every area The Financial Services Agency (FSA) is the main regulatory body of
of finance. In particular cryptocurrency-based businesses, cashless fintech products and services that are regulated under the various
payment or mobile payment services, financial account aggregation financial regulations. The Ministry of Economy, Trade and Industry is
services, robo-advisers and crowdfunding are well known to the public. also the regulatory body for certain payment services (eg, credit cards
In 2018 and 2019, an increasing number of companies entered or other advanced payment services).
into or expanded their businesses in the mobile payment market, and
several companies have launched QR code payment services. As a Regulated activities
result, this market sector has become highly competitive. 4 Which activities trigger a licensing requirement in your
In 2020, security tokens, or digital securities, have become a focus. jurisdiction?
Because of amendments to the relevant laws and regulations, a number
of financial institutions are entering into this new market. The arrangement of investment deals for an investment fund that
Additionally, on 6 March 2020, the Financial Services Agency invests mainly in securities or derivative transactions, constitutes a
submitted a bill to the Diet for: ‘financial instruments business’ under the Financial Instruments and
• the establishment of a financial services intermediary business that Exchange Act (FIEA), and registration under the FIEA is required.
is capable of intermediating the cross-sectoral financial services of To arrange transactions for investments that mainly comprise
banking, securities and insurance under a single license; and securities or derivatives, registration under the FIEA is also required.
• the classification of funds transfer services into three categories, Dealing in investments as principal or agent, under which invest-
based on staggered maximum limits on remittance amounts. ments are made mainly in securities or derivative transactions, may also
The bill was passed by the Diet on 5 June 2020. constitute a financial instruments business under the FIEA (in certain
circumstances); thus, registration under the FIEA may also be required.
Government and regulatory support Giving advice on investments in relation to the value of securities
2 Do government bodies or regulators provide any support or investment decisions on financial instruments under a contract for
specific to financial innovation? If so, what are the key a fee may constitute an ‘investment advisory business’ under the FIEA,
benefits of such support? and registration is required.
Lending money is regarded as a ‘moneylending business’,
Yes. Financial regulators and policymakers in Japan are supportive of which generally requires registration as a moneylender under the
fintech innovation and new technology-focused entrants in the regu- Moneylending Business Act.
lated financial services markets. For instance, the Ministry of Economy, There is no specific licensing requirement for factoring transac-
Trade and Industry has been supportive of the blockchain industry, tions and invoice discounting.
and it hosted the Blockchain Hackathon in February 2019 as part of a Secondary market loan trading does not trigger a licensing
broader effort for the social implementation of blockchain technologies. requirement.
In June 2018, the Japan Economic Revitalisation Bureau, under Acceptance of deposits is generally prohibited without a banking
the auspices of the Cabinet Secretariat, opened a cross-government licence under the Banking Act.
one-stop desk for the regulatory sandbox in Japan (the Regulatory There is no licensing requirement for foreign exchange transactions.
Sandbox). The Regulatory Sandbox can be used by both Japanese and A bank licensed under the Banking Act may conduct funds transfer
overseas companies, enabling them to apply and receive approval for services (which will generally include payment services). Other than
projects, not yet covered by present laws and regulations, to conduct banks, registration under the Payment Services Act as a funds transfer
demonstrations under certain conditions without the need for a legal service provider is required before conducting payment services. If the
amendment to cover the project. payment service is provided as a later payment option using a credit
card, then registration under the Instalment Sales Act is required for
the issuers.
Japan Anderson Mori & Tomotsune
Consumer lending individuals and distributes the funds as dividends and returns to inves-
5 Is consumer lending regulated in your jurisdiction? tors. In this structure, the operator is required to be registered both as
a moneylender under the Moneylending Business Act (to provide the
A lender conducting consumer lending activities must register as a loans) and as a financial services provider under the FIEA to solicit the
moneylender under the Moneylending Business Act. The total permis- purchase of interests in TK partnerships to investors.
sible lending amount is generally limited to one-third of the borrower’s
annual income if the borrower is an individual. The cap of the interest Crowdfunding
falls between 15 and 20 per cent per annum depending on the principal 10 Describe any specific regulation of crowdfunding in your
amount of the loan pursuant to the Interest Rate Restriction Act. jurisdiction.
Secondary market loan trading In Japan, crowdfunding is categorised as donation-based crowdfunding,

6 Are there restrictions on trading loans in the secondary reward-based crowdfunding and investment-based crowdfunding.
market in your jurisdiction? Investment-based crowdfunding is further categorised as equity-based
crowdfunding, fund-based crowdfunding and social-lending.
There is no specific licensing requirement for trading loans. If a money- Reward-based crowdfunding involves sales and purchase agree-
lender transfers loan claims, the transferee will be subject to the same ment of the reward. It is not regulated under the FIEA.
restrictions under the Moneylending Business Act that are applicable to Equity-based crowdfunding and fund-based crowdfunding are
the original moneylender, and the transferor must notify the operating regulated under the FIEA, which defines certain internet-based solicita-
transferee of the applicability of the restrictions. tions, such as ‘electronic solicitation handling services’. Certain special
provisions apply to electronic solicitation handling services compared
Collective investment schemes with those that apply to ordinary solicitation handling services for
7 Describe the regulatory regime for collective investment securities.
schemes and whether fintech companies providing
alternative finance products or services would fall within its Invoice trading
scope. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
Under the FIEA, the solicitation of subscription of shares in collective
investment schemes or investment management of assets of collective There is no specific regulation that applies to invoice trading in Japan.
investment schemes, in principle, are regarded as financial instruments If invoice-trading is with recourse to a supplier (ie, the seller of the
businesses. Therefore, business operators who conduct those activities invoice) when no repayment is forthcoming from the buyer, those trans-
must be registered as financial instruments business operators. actions may be characterised as secured lending, and the business
If a crowdfunding company raises funds for investment in a would be required to obtain a moneylending business licence under the
company through a form of tokumei kumiai (TK) partnership, or if a Moneylending Business Act.
social lending company raises funds for lending money to a company
seeking funds through that form of partnership, the solicitation to invest Payment services
in the partnership would, in principle, be considered as falling within 12 Are payment services regulated in your jurisdiction?
the scope of a financial instruments business activity and must, thus, be
registered under the FIEA. Payment services fall within the scope of funds remittance transactions,
which generally require a banking licence under the Banking Act. The
Alternative investment funds Payment Services Act permits non-banking entities registered there-
8 Are managers of alternative investment funds regulated? under to engage in funds remittance transactions in the course of their
business, provided that the amount of each exchange transaction is not
In Japan, there are no regulations that particularly focus on alterna- greater than ¥1 million.
tive investment fund managers. Under the FIEA, investment managers
acting for alternative investment funds, such as hedge funds, private Open banking
equity funds and real estate funds, are regulated in the same manner 13 Are there any laws or regulations introduced to promote
as those acting for investment funds similar to undertakings for the competition that require financial institutions to make
collective investment in transferable securities, which means they are customer or product data available to third parties?
not subject to the augmented regulations under the FIEA. However,
additional licences may be required under other laws (apart from the The Banking Act regulates electronic payment intermediate service
FIEA) for such alternative investment fund managers who conduct the providers in relation to the open application programming interface.
business of managing investors’ funds by investing in real estate (not Electronic payment intermediate service providers are defined to
the beneficiary rights therein). include intermediaries between financial institutions and customers,
such as entities using IT to communicate payment instructions to banks
Peer-to-peer and marketplace lending based on entrustment from customers, or entities using IT to provide
9 Describe any specific regulation of peer-to-peer or customers with information of their financial accounts held by banks.
marketplace lending in your jurisdiction. Entities providing financial account aggregation services are also cate-
gorised as electronic payment intermediate service providers. They are
Marketplace lending in Japan generally takes the form of a TK part- required to register with the FSA.
nership, under which a social-lending business provider collects funds
from TK partnership investors. The social-lending business provider
advances the funds to enterprises or individuals as loans. The operator
then receives principal and interest payments from the enterprises or
118 Fintech 2021

Anderson Mori & Tomotsune Japan
Robo-advice SALES AND MARKETING

companies that provide retail customers with automated Restrictions
access to investment products in your jurisdiction. 19 What restrictions apply to the sales and marketing of
A robo-adviser that provides retail customers with automated access
to investment products must be registered as an investment manager Providers of financial products and services should pay attention not
(if it provides discretionary investment management services) or an only to their respective regulating laws and regulations and the guide
investment adviser (if it provides non-discretionary investment advisory lines issued by their regulatory or self-regulatory bodies, but also to
services) under the FIEA. If the robo-adviser accepts the customers’ the general customer protection legislation, such as the Act against
assets, it must also be registered as a Type I financial instruments busi- Unjustifiable Premiums and Misleading Representations, the Consumer
ness operator under the FIEA. Contract Act and the Act on Specified Commercial Transactions, when
advertising, selling and marketing financial products and services.
Insurance products In respect of investment products and services, such as securi
15 Do fintech companies that sell or market insurance products ties, derivatives, ‘deemed securities’ (eg, limited partnership interests)
in your jurisdiction need to be regulated? and investment advisory and management services, only registered
financial instruments business operators or financial institutions
Yes. In Japan, when a company (including a fintech company) conducts (FIBOs) are permitted to sell and market such investment products or
insurance solicitation (ie, acts as an agency or intermediary for insur- services under the Financial Instruments and Exchange Act (FIEA). As
ance contracts), it must be registered as an insurance agent or insurance a general rule, a FIBO is prohibited from soliciting investment products
broker under the Insurance Business Act. or services that are not suitable for an investor in light of his or her
knowledge, experience, financial conditions and purpose of investment.
Credit references A FIBO is required to deliver an explanatory document on the details of
16 Are there any restrictions on providing credit references or investment products or services to investors in advance.
credit information services in your jurisdiction? In respect of insurance products, only insurance agents or brokers
are permitted to sell and market insurance products for their affiliated
In general, while credit references of individuals are subject to the Act insurance company under the Insurance Business Act. As a general
on Protection of Personal Information, credit references of corpora- rule, an insurance company, agent or broker must provide information
tions are subject to confidentiality obligations under financial services regarding insurance contracts to customers. An insurance company,
regulations (such as the Corporate Information under the Moneylending agent or broker must understand each customer’s intention, recom-
Business Act) and confidentiality agreements between financial institu- mend and explain the insurance product meeting the customer’s
tions and corporations. intention, and offer to the customer an opportunity to reconfirm whether
In Japan, personal credit information agencies collect information the recommended product meets the customer’s intention. The rules on
on the ability of persons to make credit repayments and provide the advertising, sales and marketing of investment products and services
information to financial institutions that are members of those agencies. under the FIEA apply mutatis mutandis in respect of variable annuity
Financial institutions (banks or moneylenders) may not use information and insurance products and certain foreign currency-denominated
on the ability of individuals to meet repayments (personal credit infor- insurance products.
mation) for purposes other than the investigation of the ability of fund
users to make repayments. CHANGE OF CONTROL
CROSS-BORDER REGULATION Notification and consent

Passporting requirements if a regulated business changes control.
A shareholder holding more than 5 per cent but less than 20 per cent of
In most cases, no. the voting rights held by all the bank’s shareholders (a major holder of
Japan is a member of the Asia Region Funds Passport (ARFP), bank’s voting rights) must file a notification with the Financial Services
which allows for a fund to be ‘exported’ to another participating economy, Agency (FSA) within five business days. A shareholder who intends to
provided that it complies with the regulations of the jurisdiction in which hold, whether individually, jointly or as a group, 20 per cent or more of
the fund is registered, the applicable regulations relating to the offer in the voting rights (a bank’s major shareholder) must obtain authorisa-
the host jurisdiction and the ARFP passport rules. tion from the FSA in advance. Moreover, a bank’s major shareholder
holding more than 50 per cent may be ordered to submit the relevant
Requirement for a local presence bank’s business improvement plan.
18 Can fintech companies obtain a licence to provide financial A shareholder of an insurance company is subject to substantially
services in your jurisdiction without establishing a local the same rules as those applicable to a major holder of bank’s voting
presence? rights and a bank’s major shareholder, as outlined above.
A shareholder holding, in principle, 20 per cent or more of the voting
It depends on the nature of the services that the foreign fintech company rights held by all of the Type I financial instruments business operator’s
intends to provide; however, generally speaking, foreign fintech compa- or investment manager’s shareholders (a major shareholder) must file
nies will be required to have a subsidiary or a business office to obtain a notification with the competent Local Finance Bureau without delay. A
a licence under applicable laws. major shareholder who comes to hold 50 per cent or more of the voting
rights (a Specified Major Shareholder) must file a further notification
without delay.
FINANCIAL CRIME Assignment of loans

Anti-bribery and anti-money laundering procedures loans originated on a peer-to-peer or marketplace lending
21 Are fintech companies required by law or regulation to have platform? What are the implications for the purchaser if the
procedures to combat bribery or money laundering? assignment is not perfected? Is it possible to assign these
A person who gives, or offers or promises to give, a bribe to a domestic
or foreign public officer can be subject to a criminal penalty under the As a general rule, a loan claim may be assigned by an agreement
Criminal Code or, as the case may be, the Unfair Competition Prevention between the transferor and the transferee and can be perfected by
Act. Although fintech companies are not explicitly required by law to put notice to or acknowledgement by the borrower with an instrument
in place anti-bribery procedures, they are expected to do so as a part of bearing a fixed date stamp.
their effective internal control. However, it is less likely that the loan claims are assigned or
The Act on Prevention of Transfer of Criminal Proceeds (APTCP) perfected in a peer-to-peer or marketplace lending platform.
requires ‘specified business operators’ (most financial service providers
are included therein) to: Securitisation risk retention requirements
• verify each customer’s identity, purpose of transaction, occupation 25 Are securitisation transactions subject to risk retention
and, in the case of a corporate customer, identity of its representa- requirements?
tives and ultimate owners and its purpose of business;
• verify each customer’s financial condition in the case of a high-risk Financial institutions subject to the Basel Capital Accord in Japan are
transaction; subject to risk retention requirements in respect of their securitisation
• create and keep a record of verification and transaction reports; and exposures, while the originators or sponsors are not directly subject to
• report any suspicious transaction to the competent authority. the same requirements. The financial institution is required to apply an
increased regulatory capital risk weighting (ie, three times higher than
A fintech company falling under a specified business operator is that otherwise applied to the compliant securitisation exposure, up to
required to put in place anti-money laundering procedures under the 1,250 per cent) to its securitisation exposure unless it can confirm that:
APTCP and the Financial Services Agency’s Guidelines for Anti-Money • the originator retains at least 5 per cent of the aggregate credit risk
Laundering and Combating the Financing of Terrorism. of the relevant securitised assets in any of the prescribed ways; or
• the relevant securitised assets are not inappropriately originated
Guidance based on the originator’s involvement in or the quality of the rele
22 Is there regulatory or industry anti-financial crime guidance vant assets, or any other circumstances.
for fintech companies?
However, it is less likely that the risk retention requirements should be
No. considered in a peer-to-peer or marketplace lending platform.
PEER-TO-PEER AND MARKETPLACE LENDING Securitisation confidentiality and data protection requirements
26 Is a special purpose company used to purchase and securitise
Execution and enforceability of loan agreements peer-to-peer or marketplace loans subject to a duty of
23 What are the requirements for executing loan agreements or confidentiality or data protection laws regarding information
security agreements? Is there a risk that loan agreements relating to the borrowers?
marketplace lending platform will not be enforceable? While it is less likely that a special purpose company is used to
purchase and securitise peer-to-peer or marketplace loans, a lending
In terms of a peer-to-peer or marketplace lending platform in Japan, platform operator extending loans to the borrowing participants must
it had been construed that each lending participant would be required comply with the Personal Information Protection Act, which is one of the
to be registered as a moneylender under the Moneylending Business primary data protection laws in Japan.
Act unless there were multiple anonymised borrowing participants.
However, the Financial Services Agency published its interpretation that ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
each lending participant is not required to be so registered if: TECHNOLOGY AND CRYPTO-ASSETS
• all the borrowing participants are corporations;
• the platform is formed as a tokumei kumiai, which is an agree- Artificial intelligence
ment under the Commercial Code to be entered between the 27 Are there rules or regulations governing the use of artificial
platform operator registered as a moneylender and each lending intelligence, including in relation to robo-advice?
participant; and
• the agreement prohibits each lending participant from contacting No. A robo-adviser using artificial intelligence is regulated under the
any borrowing participants for the purpose of collecting money. Financial Instruments and Exchange Act (FIEA), generally in the same
way as an ordinary investment adviser or manager.
In terms of enforceability of loans, the portion of any interests (including
lending-related fees) exceeding 15 per cent or higher (or up to 20 per Distributed ledger technology
cent) of the loan principal amount shall be null and void under the 28 Are there rules or regulations governing the use of
Interest Rate Restriction Act. distributed ledger technology or blockchains?
No.
120 Fintech 2021

Crypto-assets On the other hand, tokens that do not fall under the definition of
29 Are there rules or regulations governing the use of crypto- ERTRs but are used as payment instruments are likely to constitute
assets, including digital currencies, digital wallets and crypto-assets or prepaid payment instruments governed by the PSA.
e-money?
DATA PROTECTION AND CYBERSECURITY
While the use of crypto-assets is not directly regulated, a service
provider who deals with digital currencies, digital wallets or e-money Data protection
may be regulated as a crypto-asset exchange service provider, a prepaid 32 What rules and regulations govern the processing and
payment instruments issuer or, as the case may be, a fund transfer transfer (domestic and cross-border) of data relating to
service provider under the Payment Services Act (PSA). fintech products and services?
A crypto-asset exchange service provider is defined as an entity
that, as a business: The Personal Information Protection Act (PIPA) applies to a person who
1 purchases, sells and exchanges crypto-assets; processes and transfers personal data. The general and industry-specific
2 acts as a broker, intermediary or agent with regard to the transac- (including the financial services industry) guidelines regarding protec-
tions listed in (1); tion of personal information are issued by the Personal Information
3 maintains users’ money or crypto-assets in relation to the transac Protection Committee and the relevant government authority (including
tions listed in (1) or (2); or the Financial Services Agency (FSA)), although they do not particularly
4 holds crypto-assets in custody for and on behalf of another person, focus on the fintech industry.
unless otherwise licensed to do so under the applicable laws. The PIPA requires a person who handles a personal information
database in the business (a personal information handling business
A prepaid payment instruments issuer is a person who issues prepaid operator (PIHBO)), as a general rule:
payment instruments for its own or a third party’s business. • not to handle any personal information beyond the scope neces
A fund transfer service provider is an entity that transfers users’ sary for achieving the purpose of use;
funds (not exceeding ¥1 million per transaction) as a business. • not to transfer any personal data to a third party without obtaining
The amended PSA is expected to be implemented in the first prior consent of the relevant data subject;
half of 2021. The amended PSA has refined the regulatory framework • to keep the personal data accurate and updated;
surrounding fund transfer service providers to categorise them into the • to put in place necessary and appropriate measures to maintain
three categories to take into account the amount of funds contemplated the personal data in a safe manner;
in their fund transfer businesses. • to disclose the personal data in hand to the relevant data subject
whenever requested; and
Digital currency exchanges • to correct and delete or cease to use the personal data in hand
30 Are there rules or regulations governing the operation of if the relevant data subject so requests with reasonable grounds.
In the case of the transfer of personal data within Japan, as an excep
Yes. It is regulated as a crypto-asset exchange service. tion to the general rule, a PIHBO may transfer personal data (excluding
sensitive personal information) to a third party without obtaining prior
Initial coin offerings consent of the relevant data subject, if the PIHBO notifies the matters
31 Are there rules or regulations governing initial coin offerings prescribed by the PIPA to the relevant data subject and the Personal
(ICOs) or token generation events? Information Protection Committee.
In the case of the transfer of personal data to a third party
It had not been clear whether initial coin offerings or any other methods located overseas, as a special rule, a PIHBO may not transfer personal
of token generation were governed by the PSA or the FIEA, or both. data unless:
The amended FIEA, which came into effect in May 2020, introduces the • the PIHBO obtains the relevant data subject’s prior consent to the
concept of electronically recorded transferable rights (ERTRs) to clarify transfer of personal data to a third party located overseas;
the scope of tokens governed by the FIEA. The amended PSA clarifies • the relevant third party is located in a jurisdiction having an equiva
that ERTRs do not fall under the category of ‘crypto-assets’ governed lent personal information protection framework to the PIPA; or
by the PSA. • the relevant third party puts in place equivalent personal infor
Tokens generated in security token offerings will constitute ERTRs mation protection measures to those required of a PIHBO
if they meet the three requirements of ‘collective investment scheme under the PIPA.
interests’ under the FIEA (mentioned below) and are represented
by proprietary value transferable by means of an electronic data The aforementioned general rules do not apply in respect of anonymised
processing system. Collective investment scheme interests are deemed data. Instead, the PIPA requires a PIHBO to comply with the standard
to be formed if: prescribed by the PIPA and the relevant government guidelines when
• investors contribute cash or other assets (including crypto-assets) creating and handling anonymised data to ensure that nobody can iden-
to a business; tify any specific individual or recover personal information from such
• the cash or other assets so contributed are invested in the data. A person who handles anonymised data in its business shall, when
business; and transferring it to a third party, publish the items of information relating
• investors have the right to receive dividends of profits generated to individuals contained in it and clearly state that the information to be
from investments in the business. transferred is anonymised.
ERTRs may be subject to the disclosure rules under the FIEA. Offering
of ERTRs will need to be handled by a Type I financial instruments busi-
ness operator registered under the FIEA.
Cybersecurity obtain a patent may be assigned to an employer in accordance with the

33 What cybersecurity regulations or standards apply to fintech rules established by the employer.
businesses? Under the Copyright Act, the authorship of a work that is created
by an employee during the performance of his or her duties for his or
The Centre for Financial Industry Information Systems publishes ‘FISC her employer is attributed to the employer. An author retains its moral
Security Guidelines on Computer Systems for Banking and Related rights to the subject matter of the copyright. Contractors and consult-
Financial Institutions’ (the FISC Guidelines). The FSA refers to the FISC ants can usually acquire the right to obtain a patent or copyright for
Guidelines when inspecting and monitoring fintech business operators. inventions developed by them.
The FSA’s inspection manuals and supervisory guidelines show the
points of focus in connection with cybersecurity risk management. Joint ownership
38 Are there any restrictions on a joint owner of intellectual
OUTSOURCING AND CLOUD COMPUTING property’s right to use, license, charge or assign its right in
Outsourcing
34 Are there legal requirements or regulatory guidance with Under the Patent Act, when a patent is jointly held, each of the joint
respect to the outsourcing by a financial services company of owners may independently use the patent. However, the assignment
a material aspect of its business? or grant of the patent requires the consent of the other joint patent
holders. On the other hand, under the Copyright Act, the assignment,
Broadly speaking, financial services companies may outsource a part licensing and use of the copyrighted work by one of the joint copyright
of their business to a third party but are required, for those purposes, holders cannot be made without the consent of all the other joint copy-
to put in place any necessary measures to ensure the outsourced busi right holders.
ness will be appropriately performed pursuant to the relevant laws and
regulations. Such measures include, without limitation, the: Trade secrets
• selection of an appropriate service provider that is eligible to 39 How are trade secrets protected? Are trade secrets kept
perform the outsourced business; confidential during court proceedings?
• monitoring and supervision of outsourced service provider’s
performance of duties; and Trade secrets can be protected under the Unfair Competition Prevention
• replacing or ceasing to retain the outsourced service provider if it Act. Under the Act, a trade secret means a production method, sales
is found that the outsourced service provider does not appropri method, or any other technical or operational information useful for
ately perform its duties. business activities that is controlled as a secret and is not publicly
known. During court proceedings, the court may, upon motion of a
Cloud computing party, issue orders for protecting trade secrets, including prohibiting
35 Are there legal requirements or regulatory guidance with parties and their counsel from disclosing relevant trade secrets to any
respect to the use of cloud computing in the financial services other persons.
industry?
Branding
No. 40 What intellectual property rights are available to protect
branding and how do you obtain those rights? How can fintech
INTELLECTUAL PROPERTY RIGHTS businesses ensure they do not infringe existing brands?
IP protection for software Brands may be protected by a trademark. A trademark must be regis-
36 Which intellectual property rights are available to protect tered as a result of successful application with the JPO. Also, protection
software, and how do you obtain those rights? under the Unfair Competition Act may be available for brands, regard-
less of whether they are registered. It must be proven that the product,
Patent or copyright may be available to protect software. Software may or indications, is well known or famous.
be registered as a patent under the Patent Act if it can be deemed as a For fintech businesses to ensure that they do not infringe existing
‘computer program, etc’. Business methods themselves are not patent- brands, they must conduct research of existing trademarks. They can
able; however, a patent may be granted for business methods that are utilise J-PlatPat, the database operated by the National Centre for
combined with computer systems or other devices. Productions in Industrial Property Information and Trading, for initial screening.
which thoughts or ideas are expressed in creative ways (and that fall
within the literary, scientific, artistic or musical domain) are protected Remedies for infringement of IP
by copyright. 41 What remedies are available to individuals or companies
Patent protection must be registered as a result of successful whose intellectual property rights have been infringed?
application with the Japan Patent Office (JPO).
A patent holder or the exclusive licensee or copyright holder can claim
IP developed by employees and contractors for actual damages for losses incurred as a consequence of the infringe-
37 Who owns new intellectual property developed by an ment, and the Patent Act and the Copyright Act provide presumptive
employee during the course of employment? Do the same provisions for the damages. The holder can also seek injunctions
rules apply to new intellectual property developed by against infringing third parties, as well as actions required to prevent
contractors or consultants? the infringement. In addition, it can make claims for unjust enrichment
and licence fee equivalents, and it can seek to restore honour or credit,
Under the Patent Act, a patent for an invention is owned by the inventor. for example, by publication of an apology. Infringing third parties may be
If the inventor is an employee, he or she will own the patent. The right to subject to criminal penalties under the Patent Act and the Copyright Act.
122 Fintech 2021

COMPETITION
respect to fintech companies in your jurisdiction?
In April 2020, the Japan Fair Trade Commission published fintech-

related market research reports, including the Account Aggregation
Service Report and the Cashless Payment Service Report, based on its Akihito Miyake
akihito.miyake@amt-law.com
extensive research through questionnaire surveys and hearing surveys.
The Account Aggregation Service Report found, among other Ken Kawai
things, that if a bank in a superior position unjustly refuses applica- ken.kawai@amt-law.com
tion programming interface access from an account aggregation service Tomoyuki Tanaka
provider, then in light of normal business practice, the bank’s conduct tomoyuki.tanaka@amt-law.com
would be in violation of the Anti-monopoly Act (AMA).
Asako Matsuo
The Cashless Payment Report identified the following potential
asako.matsuo@amt-law.com
issues, among others.
• Banks and fund transfer service providers are competitors in cash-
less payment, but such non-bank players must be connected to the Otemachi Park Building
user's bank account to provide their service. Accordingly, if a bank in 1-1-1 Otemachi, Chiyoda-ku
a superior position unjustly refuses fund transfer service providers Tokyo 100-8136
access, the bank’s conduct would be in violation of the AMA. Japan
Tel: +81 3 6775 1000
• Interbank settlement charges when using Zengin System, a nation-
www.amt-law.com
wide online network system for banks, have been fixed at high rate
for many years. Banks must reconsider whether the level of the
charges are reasonable.
• At present, Zengin-Net, the Zengin System operator, does not IMMIGRATION
allow fund transfer service providers to access Zengin System.
Zengin-Net should set reasonable conditions for access by fund Sector-specific schemes
transfer service providers. 45 What immigration schemes are available for fintech
TAX any special regimes specific to the technology or financial
sectors?
Incentives
43 Are there any tax incentives available for fintech companies Foreign nationals recognised as ‘highly skilled foreign professionals’
and investors to encourage innovation and investment in the will be given preferential immigration treatment. There are three cate-
fintech sector in your jurisdiction? gories of activities of highly skilled foreign professionals:
• advanced academic research activities;
There are no tax incentives specifically targeting fintech companies • advanced specialised or technical activities; and
and investors. That being said, the Japanese tax system provides angel • advanced business management activities.
investors with the following tax incentives:
• reduction of income tax; or A person who is recognised as a highly skilled foreign professional can
• reduction of the capital gains from the transfer of shares in the enjoy preferential treatment, including permission for multiple purposes
target company. of activities and grant of a five-year period of stay.
Following recent tax reforms, a tax incentive to promote open innova- UPDATE AND TRENDS
tion is available from April 2020 to the end of March 2022. Under this
new system, a 25 per cent income deduction will apply to investments of Current developments
at least ¥100 million by domestic entities and corporate venture capital 46 Are there any other current developments or emerging
in unlisted venture companies that are less than 10 years old. trends to note?
In addition, the research and development tax incentive system
has been adopted and is often revised with the aim of maintaining and At present, Japanese labour laws do not allow wages and salaries
strengthening initiatives that support Japan’s global competitiveness. to be wire transferred to any account other than bank accounts. The
Japanese government is now considering lifting the limitation so that
Increased tax burden wages and salaries can be paid to users’ accounts held in fund transfer
44 Are there any new or proposed tax laws or guidance that service providers.
No.
Coronavirus
for clients?
At the time of writing, no emergency legislation, relief programmes

or other initiatives specific to fintech that have been implemented to
address the pandemic.
124 Fintech 2021

Kenya
John Syekei, Dominic Indokhomi, Irene Muthoni and Mercy Mwaniki
Coulson Harney Advocates
FINTECH LANDSCAPE AND INITIATIVES a position to support innovators to develop capital market-related inno-
vative ideas to a level of maturity that can be admitted to the sandbox.
General innovation climate The Insurance Regulatory Authority has set up a regulatory
1 What is the general state of fintech innovation in your sandbox to facilitate the testing of new ideas and innovations in the
jurisdiction? insurance sector. The Insurance Regulatory Authority is currently
receiving applications for the first cohort of applicants.
The fintech space in Kenya is vibrant. Investment in the sector has The Central Bank of Kenya has signed a fintech cooperation
been focused on digital-based lenders, peer-to-peer payment providers, agreement with the Monetary Authority of Singapore to support digital
crowdfunding platforms, initial coin offerings and the spread of the use infrastructure development in Kenya and has agreed to collaborate in
of cryptocurrency. Across the globe, Kenya is gaining a reputation as developing basic digital infrastructure services in Kenya, based on a
a leading fintech hub and was recently ranked as number 63 in the set of common standards. The two authorities also launched the Global
global top 100 rankings in the 2020 report of the Findexable Global Fintech Hackcelerator, a platform for start-ups to showcase sustainable
Fintech Rankings. financial services innovations. In addition, they organised the Afro-
The steady growth of fintech in Kenya can be largely attributed to Asia Fintech Festival, a first of its kind in the region, which seeks to
not only market forces but also the interaction and cooperation between explore sustainable financial services innovations from emerging Afro-
industry players, end users and an enabling regulatory framework. Asian markets.
There has also been an increase in the use of fintech in the delivery The Central Bank of Kenya partnered with five commercial banks
of public services; for instance, the Kenyan government has issued to facilitate the launch of a mobile application dubbed Stawi, which is a
mobile-based treasury bonds and has set up a taskforce to explore how lending platform targeted towards small and medium-sized enterprises.
Kenya can leverage blockchain and internet of things technology. It will offer loans of up to 250,000 Kenyan shillings at a preferential
lending rate.
2 Do government bodies or regulators provide any support FINANCIAL REGULATION
specific to financial innovation? If so, what are the key
benefits of such support? Regulatory bodies
3 Which bodies regulate the provision of fintech products and
Regulators and government bodies provide support to financial innova- services?
tion balanced against consumer protection. For example, the Ministry
of Information Communication and Technology set up the Distributed They include the following:
Ledgers Technology and Artificial Intelligence Taskforce, which deliv- • the Ministry of ICT is generally responsible for setting policy to
ered a report on how the emerging technological revolution could be govern the fintech landscape;
leveraged to enhance ICT adoption and development in Kenya. The • the Central Bank of Kenya, established under the Central Bank of
government also collaborates with other governments and mone- Kenya Act 1984 (revised edition 2019), is primarily responsible for
tary agencies. formulating and implementing monetary policy and regulates the
The Capital Markets Authority has signed a cooperation agree- banking and payments sectors;
ment with the Abu Dhabi Global Market and the Australian Securities • the Capital Markets Authority, established under the Capital
and Investments Commission, which provides a framework for coop- Markets Act 2012 is responsible regulating and maintaining capital
eration to support financial innovation between Kenya and the United markets in Kenya;
Arab Emirates and between Kenya and Australia. The Capital Markets • the Communications Authority of Kenya, established under the
Authority is also a member of the Global Financial Innovation Network, Kenya Information and Communication Act 1998 is in charge
an international network of 29 financial services regulators and related of overseeing and developing the information and communica-
organisations that is committed to supporting financial innovation. tion sectors;
The Capital Markets Authority has also set up a regulatory sandbox • the Competition Authority, established under the Competition Act
to test innovative products and services relevant to capital markets in 2010, is purposed with promoting and maintaining fair competition
Kenya in a controlled and monitored environment under a more flex- in markets within Kenya; and
ible regulatory regime. The Authority is currently receiving applications • other regulators, such as the Insurance Regulatory Authority, regu-
for admission to the sandbox from innovators whose ideas have been late fintech products to the extent they are used in connection with
developed to a level of operational testing. Moreover, the Authority is the activities regulated by those regulators.
also working with existing innovation or incubation centres that are in
Kenya Coulson Harney Advocates
Regulated activities • the platform or marketplace collects and pools funds from
4 Which activities trigger a licensing requirement in your the public or a section of the public in Kenya for the purpose of
jurisdiction? investment; and
• the funds collected are managed by or on behalf of the scheme by
The following activities trigger a requirement to be licensed by the the promoter.
Capital Markets Authority if the investments in question relate to securi-
ties issued to the public: Considering the above definition, there is a greater likelihood of a
• arranging (bringing about) deals in investments; crowdfunding platform being deemed a collective investment scheme
• making arrangements with a view to transact in investments; than a peer-to-peer or marketplace lending platform. To the extent
• dealing in investments as principal or agent; and that the fintech innovation will be regarded as a collective investment
• advising on investments. scheme, it must be registered with the Capital Markets Authority, which
will regulate the activities of the scheme if approved.
Foreign exchange trading also requires a licence issued by the Capital The Capital Markets Authority, on 28 May 2020, published a note
Markets Authority. titled ‘Guidance for Collective Investment Schemes on Valuation,
Deposit-taking business and provision of payment services require Investment Performance Measurement Reporting and other Related
licensing and authorisation by the Central Bank of Kenya. Lending, Matters’ in recognition of the need to standardise practices in the
factoring and invoice discounting do not require licensing. sector. The Guidance is in draft form and is awaiting public participation.
It seeks to ensure that fund managers of collective investment schemes
Consumer lending have developed comprehensive investment policies and procedures to
5 Is consumer lending regulated in your jurisdiction? govern the valuation of assets. In addition, the fund manager would be
required to prepare and submit to the Authority a performance measure-
Consumer lending constitutes a financial service that does not require ment report quarterly in addition to the existing reporting obligations.
licensing in Kenya. However:
• if the funds used for lending constitute deposits held from Alternative investment funds
members of the public, a license issued by the Central Bank of 8 Are managers of alternative investment funds regulated?
Kenya is required;
• persons undertaking consumer lending must comply with the Yes. If the alternative investment fund is a collective investment scheme
business set-up requirements in Kenya, including the obligation to as defined in the Capital Markets Act 2012, it may only appoint a person
obtain a business permit from the applicable county government who is licensed by the Capital Markets Authority as a fund manager to
where their business premises are located; and manage it.
• persons undertaking consumer lending must comply with the If the alternative investment fund does not constitute a collec-
requirements of the Consumer Protection Act 2012, which include tive investment scheme and is, therefore, not regulated by the Capital
disclosure requirements and restrictions against imposition of Markets Authority, the manager may still have to be regulated as a
penalty charges and prepayment penalties licensed investment adviser or fund manager, depending on the amount
of the portfolio managed on behalf of the fund. An investment adviser
There have been a number of statements by the Central Bank of Kenya may manage a portfolio of up to 10 million Kenyan shillings, whereas
on the issue of regulating consumer lending by digital platforms. The a fund manager’s licence would be required to manage a portfolio
first attempt to do this was through the Financial Markets Conduct Bill exceeding 10 million Kenyan shillings.
2018, which sought to introduce a new prudential regulator in the finan-
cial services sector. The Bill went through public participation but is yet Peer-to-peer and marketplace lending
to be introduced to Parliament. 9 Describe any specific regulation of peer-to-peer or
Secondary market loan trading
6 Are there restrictions on trading loans in the secondary Except to the extent that peer-to-peer or marketplace lending constitute
market in your jurisdiction? collective investment schemes, these are not generally regulated activi-
ties in Kenya.
There are no regulatory restrictions on trading loans in the secondary If these activities are provided in conjunction with a regulated entity
market. If the loans constitute debt securities issued to the public, (such as banks, financial institutions or payment service providers), the
however, the requirements of the capital markets legislation with product may be subject to approval by the relevant regulator (being
regard to issuance of securities to the public apply. These include the the Central Bank of Kenya), as well as compliance with regulations or
need to obtain the approval of the Capital Markets Authority. guidelines issued by the regulator.
Collective investment schemes Crowdfunding

7 Describe the regulatory regime for collective investment 10 Describe any specific regulation of crowdfunding in your
schemes and whether fintech companies providing alternative jurisdiction.
finance products or services would fall within its scope.
There are no specific laws or regulations concerning crowdfunding in
Collective investment schemes are regulated by the Capital Markets Kenya. However, the laws governing the financial services sector are,
Authority under the Capital Markets Act 2012 and the Capital Markets in many instances, broadly drafted. Consequently, crowdfunding may be
(Collective Investment Schemes) Regulations 2001 issued thereunder. considered a regulated activity thereunder. For instance:
These laws regulate any alternative financial products or services • dealing in securities, offering securities to the public or a section
that fall within the definition of a CIS. This means that any platform or thereof, and marketing securities are regulated activities under
marketplace that satisfies the following would be considered a CIS: the Capital Markets Act 2012 and the subsidiary legislation
126 Fintech 2021

Coulson Harney Advocates Kenya
issued thereunder; thus, equity crowdfunding and, depending on The Act requires persons carrying out insurance or reinsurance
the nature of the rewards, reward-based crowdfunding would be business to be licensed by the Commissioner of Insurance. Insurance
regulated; and intermediaries, such as agents, motor assessors, insurance investiga-
• by virtue of the fact that crowdfunding facilitates the transfer of tors and loss adjusters, must also be registered under the Act. There is
value, it may fall within the regulatory ambit of the anti-money no distinction or exemption in place for fintech companies that carry on
laundering and countering the financing of terrorism regulator, the any of these regulated activities.
Financial Reporting Centre, and would be subject to the Proceeds
of Crime and Anti-Money Laundering Act 2009 and the Prevention Credit references
of Terrorism Act 2012. 16 Are there any restrictions on providing credit references or
Invoice trading
11 Describe any specific regulation of invoice trading in your Yes, only entities that are licensed by the Central Bank of Kenya under
jurisdiction. the Banking Act (Credit Reference Bureau) Regulations 2020 to conduct
credit reference business may provide credit reference checks.
There is no specific regulation that governs invoice trading in Kenya.
CROSS-BORDER REGULATION
Payment services
12 Are payment services regulated in your jurisdiction? Passporting
Yes. Payment services are regulated by the Central Bank of Kenya
under the National Payment System Act 2011 and the regulations issued No, regulated activities cannot be passported into Kenya.
thereunder.
These laws require individuals to obtain the authorisation of the Requirement for a local presence
Central Bank of Kenya to carry on a payment services provider business 18 Can fintech companies obtain a licence to provide financial
in Kenya. The laws also empower the Central Bank of Kenya to desig- services in your jurisdiction without establishing a local
nate a payment system, which will be subject to regulation. presence?
Open banking No. To provide regulated financial services in Kenya, a fintech company
13 Are there any laws or regulations introduced to promote must establish a local presence in Kenya. In addition, as part of the
competition that require financial institutions to make licensing process and ongoing compliance requirements, they
customer or product data available to third parties? often require a confirmation of the physical address of the applicant
or licensee.
No. Local laws do not require the mandatory sharing of information by Additionally, the Companies Act 2015 prohibits a company from
financial institutions to make customer or product data available to third carrying out business in Kenya unless it has been registered as a
parties. However, there is a credit referencing framework set up under foreign company.
the Central Bank of Kenya Act 1984 (revised edition 2019).
Kenya passed the Data Protection Act 2019, which requires data SALES AND MARKETING
controllers and processors (in this case, financial institutions), as far as
practicable before collecting personal data, to inform the data subject Restrictions
of, among other things, the third parties with whom their personal 19 What restrictions apply to the sales and marketing of
data may be shared. Customers should be notified of any anticipated financial services and products in your jurisdiction?
sharing of their data, including for purposes of open banking or credit
referencing. The marketing of financial services in Kenya is generally restricted to
licensed entities. Various prudential regulators have sector-specific
Robo-advice restrictions on marketing. For instance, the Central Bank of Kenya
14 Describe any specific regulation of robo-advisers or other requires marketing communication issued by its licensees to indicate
companies that provide retail customers with automated that they are regulated by the Central Bank of Kenya. On the other hand,
access to investment products in your jurisdiction. the Capital Markets Authority grants prior approval of public communi-
cation by its licensees and issuers of securities.
There is no specific regulation pertaining to robo-advisers or other The Consumer Protection Act 2012 also sets out criteria for the
companies that provide retail customers with automated access to marketing of products and services, which require that communication
investment products in Kenya. be clear and true.
However, where the investments in question relate to securities
issued to the public, the company must comply with the capital market CHANGE OF CONTROL
legislation and must obtain a licence.
Insurance products 20 Describe any rules relating to notification or consent
15 Do fintech companies that sell or market insurance products requirements if a regulated business changes control.
The consent of the Competition Authority is required if the acquisition of
Yes. The Insurance Act (revised edition 2020) and the subsidiary legisla- shares, business or other assets results in a change of control of a busi-
tion issued thereunder regulates all persons carrying out insurance or ness under the Competition Act 2010. The Rules of the Determination
reinsurance business. of Merger Notification Thresholds and Method of Calculation provide
guidelines on the transactional limits that require a merger notifica- • National Payment System (Anti-money Laundering Guidelines for
tion and an application for the exclusion or approval of the Competition the Provision of Mobile Payment Services) Guidelines 2013, which
Authority. provide guidance to mobile payment services on the monitoring
In addition to the approval of the Competition Authority, if certain and reporting of suspected money laundering activities on their
regulated entities change control, they must obtain approval or notify platforms; and
the relevant regulator. For example: • Guidelines on the Prevention of Money Laundering and Terrorism
• a regulated telecommunications entity must notify the Financing in the Capital Markets (Gazette Notice 1421), which
Communications Authority of any change of control, and where the emphasise the need for due diligence, record-keeping, the estab-
change of control affects at least 15 per cent of the shareholding, lishment of policies and procedures to address specific risks
the approval of the Communications Authority must be sought; associated with the use of new technology and business rela-
• a person who intends to acquire at least 5 per cent of the share tions or transactions conducted at a distance, and reporting to the
capital of any licenced bank must obtain the approval of the Central Financial Reporting Centre.
Bank of Kenya;
• any amalgamation of a bank or financial institution, or arrange- Fintech businesses that fall within the definition of reporting institutions
ment to transfer any part of the assets or liabilities, must obtain under the Proceeds of Crime and Anti-Money Laundering Act 2009 and
the written approval of the Cabinet Secretary of National Treasury the Prevention of Terrorism Act, 2012 should register with the Financial
and Planning; Reporting Centre, actively exercise due diligence and conduct legal
• a transfer of more than 10 per cent of a deposit-taking micro compliance audits to avoid violating the law.
finance institution requires the prior approval of the Central Bank
of Kenya; PEER-TO-PEER AND MARKETPLACE LENDING
• a person who intends to acquire or dispose of 10 per cent or more
of the share capital of an insurance company must obtain the Execution and enforceability of loan agreements
approval of the Insurance Regulatory Authority; 23 What are the requirements for executing loan agreements or
• for listed entities, the takeover regime requires the purchaser to security agreements? Is there a risk that loan agreements
notify the Capital Markets Authority, the target and the Nairobi or security agreements entered into on a peer-to-peer or
Securities Exchange if it intends to acquire effective control of the marketplace lending platform will not be enforceable?
target entity; and
• every company carrying out business in Kenya must inform the Under the general Contract Law, it is advisable for parties to execute an
Kenya Revenue Authority of any changes in the case of persons with agreement that is valid, certain and provable. Execution formalities in
a shareholding of 10 per cent or more of the issued share capital. relation to corporate entities largely depend on the constitutive docu-
ments and applicable laws. For instance, the Companies Act provides
FINANCIAL CRIME that in respect of companies and for any agreement to be validly
executed, it must be either signed by a director in the presence of a
Anti-bribery and anti-money laundering procedures witness or by any two authorised signatories.
21 Are fintech companies required by law or regulation to have Additional execution requirements, such as attestation, may apply,
procedures to combat bribery or money laundering? particularly for security documents. Pursuant to recent changes under
the law, electronic signatures are acceptable as valid signatures to
Yes. Fintech companies, as is the case of all other companies offering the extent that they meet the requirements regarding the reliability of
regulated financial services in Kenya, must have procedures to combat advanced electronic signatures. These requirements are set out under
bribery or money laundering, including procedures to maintain robust the Kenya Information and Communications Act 2010.
know-your-customer procedures and to report any suspicious activity An internet agreement should comply with the provisions of the
by customers that may be indicative of money laundering activities. Consumer Protection Act 2012. An internet agreement is defined as an
agreement that is formed by text-based internet communications. The
Guidance Act requires full disclosure of all prescribed information to a customer.
22 Is there regulatory or industry anti-financial crime guidance However, it is not clear what prescribed information is to be provided as
for fintech companies? this has not been provided under the Act. An online loan agreement will
be enforceable if a customer is given an opportunity to accept, decline
Kenya does not have an industry anti-financial crime guidance. or correct any errors before concluding the agreement. Moreover, the
Nonetheless, all entities operating in Kenya and their officers fall internet agreement will be validly executed by the use of an electronic
under the purview of laws relating to anti-financial crime, including signature.
fintech companies. The anti-financial crime laws require entities to In addition, unless exempted from payment of stamp duty, agree-
comply with the: ments must be stamped with the relevant stamp duty to be enforceable.
• Bribery Act 2016, which requires private entities to put in place Stamp duty payment and assessment may be done using the online
procedures appropriate to their size and nature of their operations Kenya Revenue Authority platform. Failure to stamp the agreements
for the purposes of preventing bribery and corruption; does not render them invalid, but the lack of stamping means that
• Proceeds of Crime and Anti-Money Laundering Act 2009 and the they may not be admissible before the Kenyan courts as evidential
Prevention of Terrorism Act 2012, which prohibit the use of prop- documents. Further, security agreements should be registered at the
erty for money laundering purposes. They specifically target money relevant registries in accordance with applicable laws.
laundering, tax evasion, theft, fraud, terrorist financing, drug traf-
ficking, piracy, bribery and corruption;
• Anti-Corruption and Economic Crimes Act 2003, which provides
for the prevention, investigation and punishment of corruption,
economic crime and related offences;
128 Fintech 2021

Assignment of loans solely on automated processing, including profiling, that produces legal
24 What steps are required to perfect an assignment of effects concerning or significantly affecting the data subject.
platform? What are the implications for the purchaser if the Distributed ledger technology
assignment is not perfected? Is it possible to assign these 28 Are there rules or regulations governing the use of distributed
loans without informing the borrower? ledger technology or blockchains?
The assignment of loans that originated on a peer-to-peer or marketplace There are no rules or regulations governing the use of distributed ledger
lending platform should be registered on the online collateral registry, technology or blockchains.
in accordance with the Movable Property Security Rights Act 2017, for
the assignment to be effective against third parties. The registration is Crypto-assets
done online on the eCitizen online platform. It is fairly straightforward, 29 Are there rules or regulations governing the use of crypto-
and it requires the registrant to have a user account, that is, an eCitizen assets, including digital currencies, digital wallets and
account that allows access to the eCitizen online platform. e-money?
Where registration is not undertaken, the assignment may
not be enforceable against a receiver or creditors of the assignor or There are currently no regulations that regulate the use of crypto-assets
other parties. in Kenya. However, the Central Bank of Kenya has warned the Kenyan
It is also necessary to inform or notify the borrowers or debtors public against dealing in virtual currencies, and the Capital Markets
about the assignment to ensure that they are bound to channel repay- Authority has cautioned that it has not approved any initial coin offerings
ments in accordance with the assignee’s instructions. Borrowers or because of the perceived volatility and the lack of specific regulation.
debtors who have been notified can only be discharged by making The notice by the Central Bank of Kenya stated that virtual currencies
payment as instructed in the notification. are not acceptable since they are not legal tender in Kenya. However, it is
unclear what the legal position is in respect of virtual currencies that have
Securitisation risk retention requirements been designated as legal tender in foreign jurisdictions as they would fall
25 Are securitisation transactions subject to risk retention within the definition of foreign currency, which is acceptable in Kenya.
requirements? Digital wallets and e-money constitute payment instruments under
the National Payment System Act 2011, which defines a payment instru-
The regulation governing securitisation transactions requires that, as ment as an instrument that enables a person to obtain money, goods or
key features of asset-backed securities, the special purpose vehicle services or to otherwise make payments. Accordingly, the use of digital
used in the securitisation be bankruptcy or insolvency-remote, and that wallets and e-money is regulated and governed by the Act and would
there should be a true sale of the assets to the special purpose vehicle need to comply with the conditions contained within it, including the
or a direct origination of assets into the special purpose vehicle. Other requirement of the digital wallet or e-money provider to register with
than those, there are no risk retention requirements. the Central Bank of Kenya.
Securitisation confidentiality and data protection requirements Digital currency exchanges

26 Is a special purpose company used to purchase and securitise 30 Are there rules or regulations governing the operation of
peer-to-peer or marketplace loans subject to a duty of digital currency exchanges or brokerages?
relating to the borrowers? There are no rules or regulations governing the operation of digital
currency exchanges or brokerages. However, the Central Bank of
Yes. Article 31 of the Constitution of Kenya 2010 guarantees the right Kenya has issued a press release noting that those currencies are not
to privacy for every Kenyan, including the right not to have information legal tender in Kenya and warning the public against dealing in digital
relating to a person’s family or private affairs be required unnecessarily currencies.
or the privacy of their communications be infringed.
The Data Protection Act 2019 is the overarching legislation in Initial coin offerings
Kenya that regulates collection, processing and related actions in the 31 Are there rules or regulations governing initial coin offerings
handling, use and storage of personal data. It applies to the processing (ICOs) or token generation events?
of personal data by resident and non-resident data controllers and
processors where the data subjects are located in Kenya. A special There are no rules or regulations governing initial coin offerings or
purpose company used to purchase and securitise peer-to-peer or token generation events. However, the Capital Markets Authority has
marketplace loans must comply with the provisions of the data protec- cautioned the public that it has not approved any initial coin offerings.
tion legislation if it collects or processes any personal data.
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
TECHNOLOGY AND CRYPTO-ASSETS Data protection
32 What rules and regulations govern the processing and
Artificial intelligence transfer (domestic and cross-border) of data relating to
27 Are there rules or regulations governing the use of artificial fintech products and services?
intelligence, including in relation to robo-advice?
Article 31 of the Constitution guarantees the right to privacy for every
There are no specific rules governing the use of artificial intelligence, Kenyan, including the right not to have information relating to a person’s
including in relation to robo–advice. However, under the Data Protection family or private affairs be required unnecessarily or the privacy of their
Act 2019, a data subject has a right not to be subject to a decision based communications be infringed.
The Data Protection Act 2019 is the overarching legislation in Kenya instance, the National Payment System Act 2011 requires prior approval
that regulates collection, processing and related actions governing of the Central Bank of Kenya for material outsourcing and prior notifica-
the handling, use and storage of personal data. The Act applies to the tion where the outsourcing is not material. The Banking Act (revised
processing of personal data by resident and non-resident data control- edition 2019) also requires that licensees apply for the prior approval of
lers and processors where the data subjects are located in Kenya. the Central Bank of Kenya for any material outsourcing.
There are certain restrictions related to the processing of sensitive
personal data. Cloud computing
Fundamentally, all processing of personal data should only be 35 Are there legal requirements or regulatory guidance with
carried out in accordance with the data protection principles under the respect to the use of cloud computing in the financial services
Data Protection Act 2019. A data controller or processor is not permitted industry?
to process personal data unless it has a lawful basis for the processing,
such as consent or necessity, or the processing is for the performance The ICT Authority of Kenya published the Cloud Computing Standard
of a contract. However, where the data constitutes sensitive personal 2019 (the Standard), which outlines various considerations for minis-
data, it should only be processed if the processing is necessary for the tries, counties or agencies in the selection of services and models for
purpose of carrying out the obligations and exercising specific rights of online storage services, applications and data, such as software as a
the controller or the data subject. A data controller or processor must service, infrastructure as a service, public cloud, private cloud, commu-
obtain the personal data directly from the data subject and may only nity cloud and hybrid cloud. It is recommended that fintech service
collect the data from a third party in accordance with the provisions of providers model their products in accordance with the Standard to
the Data Protection Act 2019. allow for the use of the products and solutions by government agencies.
A data controller or processor that transfers personal data outside In addition, where cloud computing involves the transfer of personal
Kenya should ensure that it obtains the data subject’s consent or have data to data servers located outside Kenya, fintech companies should
in place appropriate safeguards for the protection of the data that is ensure compliance with the Data Protection Act 2019.
subject to the transfer. Where the personal data being transferred
constitutes sensitive personal data, the consent of the data subject INTELLECTUAL PROPERTY RIGHTS
must be obtained, and adequate data protection safeguards must be
put in place. IP protection for software
Cybersecurity software, and how do you obtain those rights?
businesses? Copyright
The ownership of copyright to a computer program belongs to the
All companies in Kenya, including fintech businesses, are subjected to creator of the software. Subject to the provisions of the Copyright
the Computer Misuse and Cybercrimes Act 2018, which aims to protect Act 2001, the copyright holder enjoys the right to copy the software,
the confidentiality, integrity and availability of computer systems, create derivative or modified versions of it and distribute copies to the
programs and data, as well as facilitate the prevention, detection, inves- public for sale or licence. The rights come into existence immediately
tigation, prosecution and punishment of cybercrimes. The Act provides upon the production of the work in a tangible medium of expression.
for various offences including, inter alia, system interference; unlawful However, it is recommended to register the copyright with the Kenya
interception of computer data, traffic data or signals; unlawful intercep- Copyright Board.
tion of electronic messages or money transfers; and wilful misdirection
of electronic messages. Patent
In addition, the Central Bank of Kenya issued the Guideline on Patent protection is available for inventions of novel software that,
Cybersecurity for Payment for Service Providers 2019. The Guideline beyond being novel, also disclose an inventive step that is machine
sets out the minimum requirements that payment service providers linked and is industrially applicable. Patent protection is not available
should build on in the development and implementation of strategies, for software that comprises business methods or results in a score. A
frameworks, policies and procedures to mitigate cyber risk and enhance patent holder will enjoy the right to exclusive use, sale and distribution
cybersecurity governance and risk management. This Guideline builds of the software.
on a 2017 guidance note issued by the Central Bank of Kenya in August An eligible applicant should submit their claims and the prescribed
2017, which set the minimum requirements that regulated institutions Form IP3 to the Registrar of Patents at the Kenya Industrial Property
must factor into their standards, policies and procedures. Institute, requesting the Registrar to grant a patent under the Industrial
For fintech businesses that are also telecommunications licensees, Property Act 2001. Kenya operates a substantive examination process
they are mandated, at all times, to ensure the integrity of their commu- that includes a worldwide novelty search. Patent holders’ rights may be
nications infrastructure and to desist from unlawful interception of any subject to compulsory licensing where certain conditions under the Act
messages or correspondence between users. are met for reasons of public interest or are based on the interdepend-
ence of patents.
OUTSOURCING AND CLOUD COMPUTING Patent holders are prohibited from including unjustified restrictions
in licences on the licensee where the restrictions are harmful to the
Outsourcing economic interests of Kenya. The restrictions are put in place to ensure
34 Are there legal requirements or regulatory guidance with that the terms of licensing are fair, reasonable and non-discriminatory.
a material aspect of its business? Trademarks
Although trademarks do not protect the software or technology itself,
Yes, where financial services companies are regulated, various pruden- they can be used to protect the names or symbols used to distinguish a
tial statutes have legal requirements in respect of outsourcing. For particular software or product in the marketplace.
130 Fintech 2021

IP developed by employees and contractors of the right, the proprietor can institute a claim for damages and may
37 Who owns new intellectual property developed by an obtain an injunction preventing future use of the infringing mark.
employee during the course of employment? Do the same A fintech business seeking to avoid infringing on any existing
rules apply to new intellectual property developed by brands should conduct a search of the particular mark they propose to
contractors or consultants? use at the trademarks registry to determine whether a brand is avail-
able for use or registration prior to use in Kenya.
The Industrial Property Act 2001 and the Copyright Act 2001 provide
that intellectual property developed by an employee during the course Remedies for infringement of IP
of employment belongs to the employer. This notwithstanding, where an 41 What remedies are available to individuals or companies
invention is exceptionally important, an employee is entitled to equitable whose intellectual property rights have been infringed?
remuneration.
Intellectual property developed by a contractor or consultant while In terms of copyright infringement under the Copyright Act 2001, an
executing a commission belongs to the person who commissioned the aggrieved party should alert the Kenya Copyright Board to seize the
work unless otherwise agreed between the parties in writing infringing materials and initiate appropriate criminal proceedings. Civil
proceedings may also be initiated by aggrieved parties, and some of the
Joint ownership remedies that may be sought include injunctions and damages.
38 Are there any restrictions on a joint owner of intellectual In respect of trademarks, enforcement proceedings should be
property’s right to use, license, charge or assign its right in filed against any infringing action before the High Court of Kenya.
intellectual property? If successful, the aggrieved party may be entitled to an injunction to
prevent the future use of the trademark, damages, an account for profits
Yes, a joint owner must obtain the consent of the other joint owner of by the infringer, delivery up and destruction of goods, products or mate-
the intellectual property right to use, license, charge or assign its right rial bearing the infringing marks.
in the intellectual property. Patent infringement proceedings are instituted before the
It is recommended that joint owners set out each party’s rights and Industrial Property Tribunal, which sits within the Kenya Industrial
obligations in an agreement. Property Institute. The aggrieved party may be entitled to an injunction
to prevent the future use of the patent and damages.
Trade secrets
39 How are trade secrets protected? Are trade secrets kept COMPETITION
In Kenya, protection of trade secrets is mostly by way of common law 42 Are there any specific competition issues that exist with
and equity (and there are a few judicial decisions on this topic). Some respect to fintech companies in your jurisdiction?
form of protection of trade secrets can also be found in various pieces of
legislation, such as those relating to employment and contracts. The Competition Act 2010 provides the statutory framework governing
Kenya does not have a statute dedicated to the protection of trade competition within Kenya. Specific to fintech companies, the Act
secrets. However, Kenya is a signatory to the Agreement on Trade- provides that in the provision of banking, microfinance, insurance and
Related Aspects of Intellectual Property Rights, which regulates the other services, the services provider is not permitted to impose unilat-
unauthorised use and disclosure of trade secrets. eral charges and fees if these have not been brought to the attention
To protect trade secrets, non-disclosure agreements may be used, of the consumer prior to their imposition or prior to the provision of
and information that is confidential should be marked as such and kept the service.
confidential, and its circulation should be limited to restricted persons. In addition, fintech companies must ensure not to engage in restric-
tive trade practices that are prohibited by the Competition Act, including
Branding entering into any agreements or undertakings, the effect of which
40 What intellectual property rights are available to protect prevent or weaken competition in the trade of any goods and services.
fintech businesses ensure they do not infringe existing TAX
brands?
Incentives
Branding is protected in Kenya by registration of a brand as a trademark 43 Are there any tax incentives available for fintech companies
under the Trade Marks Act 1982 (revised edition 2012). A trademark and investors to encourage innovation and investment in the
is defined as a mark, which includes a guise, slogan, device, brand, fintech sector in your jurisdiction?
heading, label, ticket, signature, word, letter or numeral or any combi-
nation of these, that is used to distinguish a product or service. There are currently no tax incentives specifically available to fintech
To be afforded protection under the Act, an applicant is required companies in Kenya.
to register the trademark with the Registrar of Trademarks at the
Kenya Industrial Property Institute, using the prescribed Form TM2 and Increased tax burden
providing a specimen of the trademark. Trademark protection is avail- 44 Are there any new or proposed tax laws or guidance that
able for product names, logos, dress, certification marks and collective could significantly increase tax or administrative costs for
marks. Trademarks must be distinctive for them to be registrable fintech companies in your jurisdiction?
and enforceable against third parties unless acquired distinctiveness
through use can be proven. Under the Income Tax Act (revised edition 2019), income that is derived
Upon registration of a trademark, the proprietor of the trademark from or that accrues in Kenya through a digital marketplace is subject
will enjoy the right to exclusive use of the trademark. Upon infringement to income tax at the prescribed rates, namely 25 per cent for Kenya
tax residents and 37.5 per cent for permanent establishments for non-
resident persons. A digital marketplace has been defined as a platform
that enables the direct interaction of buyers and sellers though elec-
tronic means.
The Finance Bill, 2020 (the Bill) proposes to amend the Income Tax
Act (revised edition 2019) by introducing a digital services tax (DST) that
will be payable by a person whose income is derived from or that is
accrued in Kenya through a digital marketplace. The DST will be payable
at the time of transfer of the payment for the services to the services John Syekei
john.syekei@bowmanslaw.com
provider. The rate of DST is 1.5 per cent of the gross transactional
value. For residents and permanent establishments of a non-resident Dominic Indokhomi
person (foreign companies), the DST is proposed to be an advance tax dominic.indokhomi@bowmanslaw.com
that can be utilised towards offsetting a taxable person’s tax liability Irene Muthoni
for that year of income. The Bill also provides for the appointment of a irene.muthoni@bowmanslaw.com
digital services agent by the Kenya Revenue Authority for purposes of
Mercy Mwaniki
collecting the DST.
mercy.mwaniki@bowmanslaw.com
Under the Value Added Tax Act 2013, services in relation to the
issue, transfer, receipt and any other dealing with money, including
money transfer services and telegraphic money transfer services, are 5th Floor, West Wing
exempt from value added tax (VAT). ICEA Lion Centre Riverside Park
For the supply of electronic services, these are subject VAT at the Chiromo Road Nairobi
standard rate, which is 14 per cent. Electronic services comprise the Kenya
Tel: +254 20 289 9000
following services when offered through a telecommunications network:
Fax: +254 20 289 9100
• websites, web-hosting, or remote maintenance of programs and
www.bowmanslaw.com
equipment;
• software and the updating of software;
• images, text and information;
• access to databases; UPDATE AND TRENDS
• self-education packages;
• music, films and games, including games of chance; and Current developments
• political, cultural, artistic, sporting, scientific and other broadcasts 46 Are there any other current developments or emerging
and events, including broadcast television. trends to note?
Additionally, VAT is chargeable on supplies made through a digital The mainstream use of fintech is gaining traction in Kenya, and both
marketplace. The implementation of the provision is subject to the issu- commercial enterprises and government entities are exploring the
ance of regulations by the Cabinet Secretary in charge of the National adoption of fintech to improve service delivery; for instance, blockchain
Treasury and Planning. The Cabinet Secretary recently issued the VAT solutions are being explored to streamline and update the land registra-
(Digital Market Supply) Regulation (the Draft Regulations) for public tion process.
comment. The Draft Regulations provide for a number of matters, At the same time, fintech innovation has led to the development
including taxable services chargeable to VAT when supplied through of various platforms, such as Kopa Link, that aim to bridge the finan-
a digital marketplace and registration of non-resident digital services cial gap by making financial products more accessible to a larger
providers under a simplified registration regime or appointment of a tax population.
representative where necessary. An emerging trend is the taxation of the digital economy with the
The proposed taxes target both the parties transacting in a digital introduction and proposal of digital taxes on supplies of digital services
marketplace as well as the operator of the digital marketplace platform. and the revenues of digital services providers.
The growth of the fintech industry is likely to be accelerated by the
IMMIGRATION covid-19 pandemic as the Kenyan government has discouraged cash
transactions, leading to an increase in use of other payment services,
Sector-specific schemes especially mobile-based payment solutions.
businesses to recruit skilled staff from abroad? Are there Coronavirus
any special regimes specific to the technology or financial 47 What emergency legislation, relief programmes and other
sectors? initiatives specific to your practice area has your state
There are no immigration schemes available for fintech businesses to government programmes, laws or regulations been amended
recruit skilled staff from abroad. There is also no special regime specific to address these concerns? What best practices are advisable
to the technology or financial sectors. Any person can apply under the for clients?
Kenya Citizenship and Immigration Act 2011 for a work permit. However,
ICT experts require clearance from the ICT Ministry to support their Some of the measures implemented by the government to contain the
application for a work permit from the Immigration Department. spread of the coronavirus and cushion the economy against the adverse
effects of the pandemic include those listed below.
• The government has discouraged the use of physical cash. Through
the Central Bank of Kenya in partnership with licensed banks, the
132 Fintech 2021

government announced the waiver of certain transaction fees in

respect of mobile money transfers.
• Commercial Banks, in conjunction with the Central Bank of Kenya,
initiated and have been implementing the restructuring of loans to
provide relief and free up liquidity for businesses and individuals.
• The Central Bank of Kenya amended the existing credit referencing
regulations to restrict financial services providers from listing
individuals whose loans fall overdue or in arrears during the
pandemic. In addition, the amendments bar digital credit providers
from providing the financial information of their borrowers to
credit referencing bureaus.
• The president assented to the Tax Laws Amendment Act 2020,
which provides for a reduction in income tax rates for individuals,
a reduction of the corporation tax rate for resident companies, a
reduction in the turnover levy for small and medium-sized busi-
nesses and an exemption from income tax to individuals whose
income is below 24,000 Kenyan shillings.
• The government also reduced the VAT rate from 16 per cent to 14
per cent, a measure aimed at reducing the prices of basic goods
and, thus, offering relief for low-income individuals.
Liechtenstein
Thomas Nägele and Thomas Feldkircher
NÄGELE Attorneys at Law
FINTECH LANDSCAPE AND INITIATIVES Government and regulatory support

General innovation climate specific to financial innovation? If so, what are the key
1 What is the general state of fintech innovation in your benefits of such support?
jurisdiction?
Communication with the FMA's fintech department is excellent.
Many reputable players on the blockchain scene have come to Therefore, any new projects may be introduced in a personal meeting
Liechtenstein to establish businesses. For example, Yanislav Malahov with the FMA. A legal opinion examining the business model and the
(who was closely involved in the creation of Ethereum) has founded token functionality (if a token is issued) will usually be filed with the
Aeternity – the first blockchain-based project in Liechtenstein with a FMA to receive a preliminary evaluation. If no regulation applies, the
market capitalisation of more than US$1 billion (on 8 May 2018, making FMA will issue a statement indicating that the intended business does
it the first Liechtenstein blockchain unicorn). Ultimately, Aeternity is a not fall under its jurisdiction if it is exercised in the way presented to
project focused on smart contracts, allowing for the execution of cred- the FMA in the set of facts of a legal opinion. The FMA has a department
ible transactions through blockchain technology without the help of that is wholly dedicated to the analysis of fintech projects; therefore, it
third-party intermediaries. has amassed extensive knowledge in this field and operates in a time-
Communications with the local regulator – the Financial Market efficient manner.
Authority (FMA) – are efficient, as the FMA established its own fintech The FMA has also issued a factsheet on virtual currencies such as
department in June 2018. Moreover, a ‘regulation laboratory’ has been bitcoin, which was published on 16 February 2018. The fact sheet stated
established to further the proliferation of fintech businesses. that a ‘virtual currency’ is generally defined as a ‘digital representation
In addition to these local projects and advancements in favour of of a (cash equivalent) value that is neither issued by a central bank or a
fintech innovation, the Law on Tokens and TT Service Providers (the public authority. Further, the factsheet states that these tokens do not
Blockchain Act) came into force on 1 January 2020. In general, the constitute fiat currency (legal tender). However, it points out that virtual
government is open-minded when it comes to fintech projects. In addi- currencies are similar to fiat currencies when they are used as a means
tion, the Crypto Country Association has been founded, which deals with of payment or traded on an exchange.
various topics relating to the Liechtenstein crypto-ecosystem. The FMA also issued a fact sheet on initial coin offerings (ICOs) on
The success of established and young companies has been aided by 10 September 2017 (last updated on 1 October 2018). Depending on the
general state conditions, which are especially favourable to blockchain- specific design and function of the tokens, the guidance explains that
based projects. The Ministry of Presidential and Finance has created tokens may constitute financial instruments if they have characteristics
innovation clubs, enabling companies to contribute ideas for improving of securities or other investments. Further, activities relating to finan-
the framework of conditions in an unbureaucratic manner. Moreover, the cial instruments are subject to licensing by the FMA, which assesses
ministry offers all market participants from Liechtenstein and overseas token offerings (ie, ICOs, token generation events or security token
the ability to engage in a transparent process for implementing ideas to offerings) on a case-by-case basis. The FMA’s administrative practice
improve the conditions of the local framework. Ultimately, successfully on token regulation has since developed, and the general opinion in
tested ideas are supported in direct contact with the ministry until they Liechtenstein is that a token will follow the underlying (substance over
are implemented. form). Therefore, the following applies:
The ability to build new disruptive business models is crucial • If the token represents e-money, it will be classified as e-money.
to the strategic competence of an economy. At the same time, while • If the token represents a financial instrument, the supervisory
financing start-ups poses great challenges, so does the question of what regulations regarding financial instruments apply.
constitutes an optimal level of support. Through favourable business • If the token represents ownership rights of tangible chattel (right in
conditions and state support, the government has created an incubator rem), supervisory regulation does not apply, but general civil law is
in cooperation with private partners, which has led to the successful applicable (eg, on the transfer of commodities).
establishment of numerous start-ups in Liechtenstein.
In addition, the FMA is responsible for the supervision and the imple-
mentation as well the registration of trustworthy technologies service
providers under the Blockchain Act.
134 Fintech 2021

NÄGELE Attorneys at Law Liechtenstein
FINANCIAL REGULATION assignment price paid for the purchased receivables without the possi-
bility of a redemption. The retailer is only liable for the legal existence of
Regulatory bodies its assigned customer claim.
3 Which bodies regulate the provision of fintech products and However, if loans (in the sense of a lending business) are traded (ie,
services? a new creditor is entering the agreement), then this will likely constitute
a banking business. This must be differentiated on a case-by-case basis.
The Financial Market Authority (FMA) is the supervisory authority in the
fintech sector, as well as the Liechtenstein financial market in general. Collective investment schemes
The FMA has an entire department solely dedicated to the fielding of 7 Describe the regulatory regime for collective investment
fintech-related inquiries. schemes and whether fintech companies providing
Regulated activities scope.
jurisdiction? The Liechtenstein Collective Investment Scheme Regulation is mainly
based on the Undertakings for the Collective Investment in Transferable
As Liechtenstein is a member of the EEA, general EU regulations and Securities (UCITS) Directive (2009/65/EC) and the Alternative
directives apply (with an EEA Joint Committee decision required). All Investment Fund Managers Directive (2011/61/EU) (AIFMD) and is
banking activities (deposit and loan business), as well as investment therefore harmonised within the European Union and the EEA.
services pursuant to Annex I of Markets in Financial Instruments An ‘alternative investment fund’ (AIF) is broadly defined as an
Directive II are regulated. In addition, payment services pursuant to the undertaking collecting capital to invest it pursuant to a defined invest-
Payment Services Directive (2015/2366/EC) (PSD2) and the E-money ment strategy on behalf of the investors.
Directive (2009/110/EC) are regulated. This represents an advantage A ‘UCITS’ refers to an undertaking that raises capital from the
for start-ups based in Liechtenstein that benefit from the EU passport, public and invests this capital collectively in specific transferable secu-
a system allowing providers of financial services already licensed in the rities on the principle of risk spreading.
EEA to offer their services in other EEA countries (and, thus, including
the EU) without additional approval requirements. Alternative investment funds
Since 1 January 2020, legal and natural persons with headquar- 8 Are managers of alternative investment funds regulated?
ters (registered office) or a place of residence in Liechtenstein who wish
to professionally act as trustworthy technologies service providers (TT With funds, it is crucial to distinguish between the investment portfolio
service providers) must apply to be entered into the TT Service Provider and the shares of the fund. Since a fund pursuant to the UCITS Directive
Register in writing with the FMA before beginning their activity. This may invest only in specific types of financial product, a true crypto-fund
also applies to token issuers that issue tokens in their own name or is not feasible and only the shares of the fund may be tokenised. In that
in the name of a client in a non-professional capacity if tokens in the sense, a true crypto-fund can only be achieved under the AIFMD, as this
amount of 5 million Swiss francs or more are issued within a 12-month is primarily a fund-manager regulation, rather than an investment-fund
period. According to the transitional provisions of the Law on Tokens regulation. An AIF mainly targets professional investors.
and TT Service Providers (the Blockchain Act), however, persons who, Hence, a fund pursuant to the AIFMD may invest in a crypto-port-
on the date the Act entered into force, had already provided TT services, folio and its shares may be tokenised. A central aspect of an AIF is the
were required to register within a 12-month period of the Blockchain Act pooling of capital or assets. These criteria must be broadly construed to
entering into force. mean any assets. Thus, a fund may hold yachts in its portfolio or other
commodities, such as tokens.
Consumer lending
5 Is consumer lending regulated in your jurisdiction? Peer-to-peer and marketplace lending
9 Describe any specific regulation of peer-to-peer or
Regulation of consumer lending depends on the concrete business marketplace lending in your jurisdiction.
model. Taking deposits (in legal tender) and lending this money to
others (deposit and lending business) are considered to be banking No specific regulation applies to peer-to-peer lending. EU legislation
activities, which are both reserved to licensed banking institutions. If a applies and it should be analysed if banking business is conducted.
platform is operated that enables users to provide these kinds of activi-
ties to other participants, then this could be an illegal business model. Crowdfunding
However, it depends on the exact use case. In addition, if loans are given 10 Describe any specific regulation of crowdfunding in your
in the form of tokens (which neither represent e-money nor financial jurisdiction.
instruments), then the Banking Act is not applicable, as it deals with
legal tender (fiat) only. An EU directive on crowdfunding is due to be enacted in the future, which
will affect Liechtenstein jurisprudence owing to the country’s harmoni-
Secondary market loan trading sation with the European Union as an EEA member state. At present, an
6 Are there restrictions on trading loans in the secondary initial coin offering (ICO) or a token generation event may be regulated
market in your jurisdiction? in Liechtenstein if security tokens are being issued. In general, there is
no singular act specific to ICOs that regulates crowdfunding, but several
If obligations from a debtor to a creditor are purchased (eg, if the retail- laws may apply.
er's receivables are purchased by a company) and the risk of insolvency Moreover, the Blockchain Act directly applies to token generating
(eg, of the customer as debtor) is assumed by the buyer upon conclu- events, ICOs and security token offerings.
sion of the assignment agreement (credit risk function), there is no
requirement for special financial licences. The retailer may retain the
Liechtenstein NÄGELE Attorneys at Law
Invoice trading Insurance products

11 Describe any specific regulation of invoice trading in your 15 Do fintech companies that sell or market insurance products
jurisdiction. in your jurisdiction need to be regulated?
Factoring is not regulated as a financial market activity if the risk of The Liechtenstein Insurance Act is based on the Insurance Distribution
insolvency is assumed by the buyer. Only a commercial business licence Directive (2016/97/EC) and the distribution of insurance products is a
is required from the Office of Economic Affairs. If a TT service is offered, regulated activity.
registering under the Blockchain Act is required. Depending on the
use case, the registration under the Blockchain Act may supersede the Credit references
requirement for a business licence. 16 Are there any restrictions on providing credit references or
Payment services
12 Are payment services regulated in your jurisdiction? Credit references and information services may constitute account
information services pursuant to PSD2.
The revised Liechtenstein Payment Service Act, which is based on PSD2,
entered into force on 1 October 2019. The E-money Act, which is based CROSS-BORDER REGULATION
on the EU E-money Directive, is also relevant to payment services.
For a variety of business models, the application of PSD2 could Passporting
trigger the need for a payment services licence. 17 Can regulated activities be passported into your jurisdiction?
Open banking Since Liechtenstein is a member of the EEA, the financial market –
13 Are there any laws or regulations introduced to promote along with the licensed financial intermediaries – is generally fully
competition that require financial institutions to make harmonised. This allows passporting (notification) throughout the
customer or product data available to third parties? European Union and the EEA, which enables companies to make use
of the freedom of services and the freedom of establishment within the
PSD2 introduces the new roles of a payment initiation service provider European single market.
and an account information provider. In this regard, banking institutions
must, to a certain extent, make customer or product data available to Requirement for a local presence
third parties. 18 Can fintech companies obtain a licence to provide financial
Robo-advice presence?
companies that provide retail customers with automated Companies can make use of the freedom of services to provide financial
access to investment products in your jurisdiction. services without establishing a local presence. In contrast to services
provided under the freedom of services, when establishing a branch,
The automated distribution of financial instruments (robo-advice) can, supervision may be split between the home and target jurisdiction
depending on the business model, meet the definition of investment supervisory authority.
advice and may require a banking or investment firm licence or a licence
under the Asset Management Act – provided, however, that financial SALES AND MARKETING
instruments are issued or services in relation to them are offered.
Article 4 (1) (1) of the AIFMD provides that an AIF is any collective Restrictions
investment undertaking, including the sub-funds thereof, that raises 19 What restrictions apply to the sales and marketing of
capital from a number of investors with the intention of investing it financial services and products in your jurisdiction?
to benefit of these investors in accordance with a defined investment
strategy, and is not a UCITS as defined in the UCITS Directive nor an The provision of financial services (investment or ancillary services)
investment undertaking as defined in the Investment Undertakings is regulated under the Markets in Financial Instruments Directive II.
Act. In this context, the term ‘capital’ is very broad, including not only Likewise, the marketing of financial services may be deemed to be an
traditional assets (such as equity or real estate) but also assets such investment service.
as ships, forests and wine. Thus, conventional commodities are also
included, which include cryptocurrencies, unless they are already CHANGE OF CONTROL
covered in another manner by financial market regulations. A collective
investment is a necessary characteristic of an AIF. Collective investment Notification and consent
means that capital raised from investors is pooled together and invested 20 Describe any rules relating to notification or consent
for the benefit of the investors, in line with the predefined investment requirements if a regulated business changes control.
strategy. However, if capital is raised to be invested according to an
unchangeable algorithm, which could be the case with a robo-advice, it Licensed intermediaries and institutions must notify the Financial
can be argued that the fund regulations do not apply as long as there is Market Authority of any qualified holdings (10 per cent or more).
no discretion in the investment of the collected capital.
136 Fintech 2021

FINANCIAL CRIME Securitisation risk retention requirements

Anti-bribery and anti-money laundering procedures requirements?
21 Are fintech companies required by law or regulation to have
procedures to combat bribery or money laundering? Securitisation transactions (securitisation special purpose vehicles)
are not subject to any risk retention requirements. However, such an
As an EEA member, Liechtenstein has implemented the 4th Money investment vehicle must be differentiated from collective investment
Laundering Directive 2015/849/EU as well as the Regulation on infor- schemes, such as an alternative investment fund.
mation accompanying transfers of funds 2015/847/EU.
The relevant implementing provisions are found especially in Securitisation confidentiality and data protection requirements
the Law on Professional Due Diligence to Combat Money Laundering, 26 Is a special purpose company used to purchase and securitise
Organised Crime, and Terrorist Financing (DDA) and the Ordinance on peer-to-peer or marketplace loans subject to a duty of
Professional Due Diligence to Combat Money Laundering, Organised confidentiality or data protection laws regarding information
Crime, and Terrorist Financing (DDO). relating to the borrowers?
Since 1 January 2020, the following companies have been super-
vised by the Financial Market Authority under the DDA and the DDO: Data protection applies to any personal data pursuant to the EU General
• trustworthy technologies service providers subject to regis- Data Protection Regulation. However, there may be a legitimate interest
tration; and (in order to carry out the duties under the agreement) or even a consent
• token issuers not subject to registration that are domiciled or that personal data is being processed.
resident in Liechtenstein and that issue tokens in their own name
or not professionally on behalf of the principal, to the extent that ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
they process transactions of 1,000 francs or more, irrespective of TECHNOLOGY AND CRYPTO-ASSETS
whether the transaction is carried out in a single operation or in
several operations between which there appears to be a connection. Artificial intelligence
27 Are there rules or regulations governing the use of artificial
Guidance intelligence, including in relation to robo-advice?
22 Is there regulatory or industry anti-financial crime guidance
for fintech companies? Depending on the designated business plan, robo-advice or AI may
constitute a form of asset management (ancillary securities service).
In 2002, 2007 and 2014 the International Monetary Fund (IMF) and Ultimately, the regulation surrounding any automated platform
Moneyval assessed the extent to which the Liechtenstein anti-money depends on the type of token being traded. Bitcoin itself is not a secu-
laundering and combating the financing of terrorism provisions meet the rity; however, the government is moving towards classifying initial coin
Financial Action Taskforce standards (FATF 40+9 Recommendations). offerings (ICOs) that meet certain requirements as securities, thus
The IMF and Moneyval attested to Liechtenstein's high standards in subjecting those particular tokens to regulation.
combating money laundering and the financing of terrorism. Therefore, any kind of AI applied to the trading of officially recog-
nised securities is subject to regulation by the authorities. Conversely,
PEER-TO-PEER AND MARKETPLACE LENDING AI that is applied to the trading of utility or commodity tokens does
not require a licence by the Financial Market Authority (FMA). Again,
Execution and enforceability of loan agreements whether the AI is regulated depends on the underlying business case.
23 What are the requirements for executing loan agreements or AI itself is not regulated.
or security agreements entered into on a peer-to-peer or Distributed ledger technology
marketplace lending platform will not be enforceable? 28 Are there rules or regulations governing the use of
distributed ledger technology or blockchains?
Contracts are generally enforceable through the Liechtenstein courts.
Enforcement may be difficult if the debtor is domiciled in a foreign On the regulatory front, the government enacted the Law on Tokens
jurisdiction. and TT Service Providers (the Blockchain Act), which regulates certain
business projects based on trusted technologies (eg, distributed ledger
Assignment of loans technology and blockchain technology). Through this regulation, the
24 What steps are required to perfect an assignment of government is aiming to support and to monitor the use of trusted
loans originated on a peer-to-peer or marketplace lending technology while regulating it. This ensures assistance, while avoiding
platform? What are the implications for the purchaser if the uncontrollable growth. Ultimately, this serves to attract crypto-projects,
assignment is not perfected? Is it possible to assign these while also providing legal certainty.
Crypto-assets
Assignment may take place through sign (cession by sign); written 29 Are there rules or regulations governing the use of crypto-
form is not required. If the borrower is not informed of the assignment, assets, including digital currencies, digital wallets and
they may discharge their debt (liberation) by repaying the debt to the e-money?
assignor (former creditor).
Virtual currencies were included in one of the latest amendments to
the Law on Professional Due Diligence to Combat Money Laundering,
Organised Crime, and Terrorist Financing (DDA), pursuant to the EU
Anti-money Laundering Directive. The due diligence obligations codified
in the act serve to combat money laundering, organised crime and Digital currency exchanges
terrorist financing, and apply to providers of exchange services, among 30 Are there rules or regulations governing the operation of
others. An ‘exchange office’ is defined as any natural or legal person digital currency exchanges or brokerages?
whose activities consist of the exchange of legal tender at the official
exchange rate or of virtual currencies against legal tender and vice As there are various forms of crypto-exchanges, varying regulations
versa. ‘Virtual currencies’ are defined as ‘digital monetary units, which apply in certain cases. Exchanges that match the buying and selling
can be exchanged for legal tender, used to purchase goods or services interests (matched principal trading; multilateral) with regard to utility
or to preserve value and thus assume the function of legal tender’. tokens against fiat and cryptocurrencies are deemed to be unregulated
Pursuant to the Report and Motion 2016/159, 31, the most famous and may only require a trade licence from the Office of Economic Affairs
example of such a virtual currency is bitcoin. to conduct an operating business or a registration under the Blockchain
‘E-money’ is defined as any electronically or magnetically stored Act (eg, if providing services as trustworthy technologies (TT) service
monetary value in the form of a claim against the issuer of electronic provider). In both cases, the exchange is required to comply with the
money issued against the payment of a sum of money to effect payment obligations under the DDA. However, the settlement in fiat is considered
transactions within the meaning of the Payment Service Act, and that to be a regulated payment service (especially as the commercial broker
is accepted by natural or legal persons other than the issuer of elec- exemption is no longer applicable under PSD2 when acting both on the
tronic money. In that sense, there are five characteristics or attributes buyer and seller side).
of e-money: However, if these tokens are traded against the own book for fiat
• having electronic or magnetic monetary value; payments, it may be deemed to be a ‘TT exchange service provider’
• involving a claim against the issuer (central issuance); pursuant to the Blockchain Act. This type of exchange must be regis-
• being obtained by money (legal tender and e-money itself); tered with the FMA.
• being suitable to conduct payments; and There are also security token exchanges. These kinds of exchange
• being accepting by third parties. are fully regulated pursuant to the Markets in Financial Instruments
Directive II and require an investment firm with a multilateral trading
Cryptocurrencies such as bitcoin are mined; therefore, they cannot be facility (MTF) or an organised trading facility (OTF). The main differ-
classified as e-money, because there is no claim against the issuer. In ences between an MTF and an OTF are that all financial instruments
addition, if tokens (eg, in an ICO) can only be obtained through the use may be traded on an MTF, whereas only certain debt instruments may
of other cryptocurrencies (non-regulated tokens), then the E-Money Act be traded on an OTF (the OTF may also act on a bilateral basis regarding
is not applicable. With regard to the payment function and acceptance government bonds). Therefore, an MTF has participants while an OTF
by third parties, two major exemptions may be relevant. If only a limited has customers (also owing to the discretionary execution). Another
product range or range of services can be obtained with a newly gener- difference between the two trading facilities is that an OTF allows
ated and issued token, then an exemption from the e-money regime discretionary trading and matching rules, compared to the non-discre-
applies. The same applies if only a restricted service provider network tionary nature of an MTF.
accepts the tokens as a means of payment (this is especially relevant Lastly, it is possible to set up fully decentralised peer-to-peer
for franchises). security exchanges without any regulation requirements. With a
However, the e-money regime is generally not suitable for block- decentralised network operating an exchange, there is no entity to be
chain and crypto-technology. Most of the stablecoins (coins pegged to regulated and the exchange itself does not fall under the definition of
fiat) should probably be deemed e-money, which has been implemented an MTF or OTF (trading venues). Depending on the services rendered in
incorrectly, as certain restrictions apply to e-money and its distribution connection with such a peer-to-peer exchange, certain licence require-
(although the territorial scope of the E-Money Directive may not apply ments may apply. In any event, prospectus requirements must be
to jurisdictions outside the European Union and the European Economic adhered to. Both matching and settlement are usually carried out in a
Area). For example, e-money must be exchanged back to fiat at all times decentralised manner on these exchanges and associated aspects, such
at par value (Cp EFTA Court Decision in Case E-9/17 Falkenhahn AG as the order book and custodial or escrow services (smart contracts),
v Liechtenstein FMA) and no or only minimal fees may apply for this are also decentralised.
service (this is not a criterion for e-money to come into existence, but the
re-exchange is merely the logical and legal consequence of e-money). Initial coin offerings
E-money also cannot be used for savings purposes and no interest may 31 Are there rules or regulations governing initial coin offerings
be granted. In addition, problems may arise with token holders storing (ICOs) or token generation events?
their e-money token on a wallet to which they have access to the private
key. Lastly, the money collected in exchange for e-money must be placed The rules and regulations governing ICOs or token generation events
in deposit-protected accounts, which means that – contrary to popular depend on the token being offered. If the token offered constitutes a
belief – these funds may not be used by the entity that collected them financial instrument or e-money, the respective regulation applies (eg,
for their operating business. it is necessary to apply for an e-money licence or to prepare a securi-
However, even if a token was deemed ‘electronic money’ as ties prospectus). Under the Blockchain Act, the issuer of tokens needs
defined in article 2(2) of the E-Money Directive, it would be exempt from to register with the FMA and publish the ‘basic Information’ defined in
the applicability of the E-Money Directive if it was issued outside the article 30 seq of the Blockchain Act.
European Economic Area, namely in a country that is not subject to the
E-Money Directive.
With regard to the variety of business models in the sector, the
Payment Services Directive (2015/2366/EC) (PSD2) may also apply;
therefore, it may be necessary to apply for a payment service licence.
138 Fintech 2021

DATA PROTECTION AND CYBERSECURITY Cloud computing

Data protection respect to the use of cloud computing in the financial services
32 What rules and regulations govern the processing and industry?
fintech products and services? There are no specific regulations on cloud computing. The general
provisions – in particular, the EU General Data Protection Regulation –
In general, the EU General Data Protection Regulation (GDPR) is must be adhered to.
directly applicable in Liechtenstein. In addition, the Liechtenstein Data However, the European Banking Authority published guidelines
Protection Act, which has undergone a complete revision in view of the for credit institutions and investment firms (as defined in article 4(1)
GDPR, covers regulations based on enabling clauses and the implemen- of Regulation 575/2013/EU) on outsourcing to cloud service providers
tation requirements under the GDPR. There is no specific regulation for (EBA/REC/2017/03).
fintech companies, but any processing of personal data is subject to the In addition, some laws state specific retention requirements; for
GDPR and the Liechtenstein Data Protection Act. If the prerequisites for example, the due diligence records must be stored in a place within
processing personal data are fulfilled (eg, processing personal data is the country that is accessible at all times and various laws stipulate
necessary to carry out duties under an agreement or imposed by the a retention period of 10 years (eg, the Blockchain Act or the Law on
law, or for the purposes of legitimate interests of the processor or a Professional Due Diligence to Combat Money Laundering, Organised
third party) or if the concerned person’s consent to process personal Crime, and Terrorist Financing).
data is given, the processing is generally allowed. In connection with
processing personal data, the processor is bound to a duty of informa- INTELLECTUAL PROPERTY RIGHTS
tion towards the individual concerned, who has a right to know how, by
whom, in what way and for how long their data is processed. It may be IP protection for software
necessary to appoint a data protection officer and prepare internal data 36 Which intellectual property rights are available to protect
protection concepts to implement the right to be forgotten, the right software, and how do you obtain those rights?
to information and the right to data portability and procedures in the
case of a data breach, among other things. It may also be necessary The Liechtenstein Copyright Act provides a wide range of IP protections
to conclude a data processing contract with service providers. Lastly, (eg, copyright protection, trademark protection and patents). Computer
processing data in countries that do not have the same level of data programs or code may be copyrighted in certain circumstances, which
protection is generally prohibited. The relevant assessment on whether may be particularly interesting for developers of a blockchain or smart
the same level of data protection applies is provided in an adequacy contracts.
decision by the European Commission.
IP developed by employees and contractors
Cybersecurity 37 Who owns new intellectual property developed by an
33 What cybersecurity regulations or standards apply to fintech employee during the course of employment? Do the same
businesses? rules apply to new intellectual property developed by
Similar to other ventures, fintech businesses must be GDPR compliant,
as well as compliant with the due diligence regime if they are subject According to paragraph 1173a article 41 litera E of the Civil Code, inven-
to it (if not, it is still recommended to coordinate due diligence concepts tions and designs that the employee makes in performance of his or
with involved banking partners or other intermediaries). her duties and in fulfilment of his or her contractual obligations belong
The Financial Market Authority published a guideline on cyber- to the employer. By written agreement, the employer may request the
security in Communication 2019/1 (see https://www.fma-li.li/de/ acquisition of inventions and designs that are produced by the employee
regulierung/cyber-security.html). while exercising his or her official duties but not in the performance of
his or her contractual obligations.
OUTSOURCING AND CLOUD COMPUTING According to article 19 of the Copyright Act, if the employee creates
a work protected by copyright while performing official duties and in
Outsourcing fulfilment of contractual obligations, the right to this work shall pass to
34 Are there legal requirements or regulatory guidance with the employer unless otherwise agreed.
respect to the outsourcing by a financial services company of These provisions do not apply to contractors or consultents.
a material aspect of its business? In general, it is advisable to stipulate comprehensive ownership
and transfer clauses in employment and contractual relationships.
Key functions (personnel-wise) may not be outsourced. It is possible
to outsource due diligence, but the financial intermediary will continue Joint ownership
to be responsible for the upkeep of the necessary compliance stand- 38 Are there any restrictions on a joint owner of intellectual
ards. According to the Law on Tokens and TT Service Providers (the property’s right to use, license, charge or assign its right in
Blockchain Act), the outsourcing of important operational tasks is intellectual property?
permitted if: the quality of the trustworth technologies (TT) service
provider's internal control is not significantly impaired; the TT service Aside from any agreements providing otherwise, joint owners of intel-
provider's obligations under the Blockchain Act remain unchanged; lectual property can use a work only with every other joint owner’s
and it does not undermine the registration requirements under the consent. Denial of consent must not go against good faith (paragraph 3,
Blockchain Act. article 7 of the Copyright Act). In the case of copyright infringement, each
joint owner can individually assert a claim against the party committing
the infringement; however, the claim for remedy must be paid to all TAX
joint owners (paragraph 4, article 7 of the Copyright Act).
Incentives
Trade secrets 43 Are there any tax incentives available for fintech companies
39 How are trade secrets protected? Are trade secrets kept and investors to encourage innovation and investment in the
confidential during court proceedings? fintech sector in your jurisdiction?
Employees are prohibited from sharing or exploiting trade secrets of As a member of the European Economic Area, Liechtenstein is also
which they acquire knowledge while being employed. If it is necessary subject to the prohibition of state aid. For this reason, specific tax
to protect the employer’s legitimate interests, the employee remains concessions for the fintech sector are prohibited.
bound to secrecy even after the employment contract is terminated. Overall, Liechtenstein is attractive for innovative business models
The confidentiality of other information is subject to the employment because of its liberal tax law and the direct exchange with the tax
agreement. administration.
Trade secrets can be kept confidential in civil court proceedings.
If the presentation of a document would lead to a breach of a trade Increased tax burden
secret, the document does not have to be presented. Likewise, if, during 44 Are there any new or proposed tax laws or guidance that
a witness statement, answering a question would reveal a trade secret, could significantly increase tax or administrative costs for
the witness can refuse to answer the question. fintech companies in your jurisdiction?
In addition, the Directive 2016/943/EU on the protection of undis-
closed know-how and business information (trade secrets) against their No.
unlawful acquisition, use and disclosure (Directive on the Protection of
Trade Secrets) is relevant for Liechtenstein as a member of the EEA. IMMIGRATION
Branding Sector-specific schemes

40 What intellectual property rights are available to protect 45 What immigration schemes are available for fintech
branding and how do you obtain those rights? How can businesses to recruit skilled staff from abroad? Are there
fintech businesses ensure they do not infringe existing any special regimes specific to the technology or financial
brands? sectors?
According to Liechtenstein law, branding and trademarks must be regis- Immigration to Liechtenstein is generally restricted. However, members
tered for the corresponding rights to emerge. The rights include the of the European Union or European Economic Area can locate near
exclusive right to use the branding or trademark to denote the holder’s the Liechtenstein border in Switzerland, Austria or Germany. In addi-
goods or services and the right to dispose of it. Thus, others can be tion, a short-term permit can generally be granted for up to 12 months.
prohibited from using the branding or trademark for their own goods or Further, there are exceptions from this restrictive regime for highly
services. The registration of a brand or trademark is valid for 10 years skilled individuals.
and can be extended by filing a corresponding application. Further, As the fintech area generally requires specialist knowledge, there
branding and trademarks can also be registered on an EU level; regis- is potential to have these work permits granted to promote the growth
trations in the EU trademark registry are valid in all EU member states. of fintech businesses within the country.
There is no method that is specifically designed for fintech compa- In addition, if a person is unable to achieve residency in Liechtenstein,
nies to ensure that existing brands are not infringed. The most reliable they can seek residency in Switzerland, Austria or Germany and then be
way to avoid infringement is to check the national and EU trademark granted a cross-border commuter card for the purposes of employment
registries regularly during the initiation process to determine whether within the country.
the envisioned brand has already been registered.
UPDATE AND TRENDS
41 What remedies are available to individuals or companies Current developments
whose intellectual property rights have been infringed? 46 Are there any other current developments or emerging
trends to note?
Available remedies include:
• a declaratory action regarding the breach of IP rights; In the past year, the market has shifted from a focus on initial coin offer-
• an injunction regarding an imminent breach; ings for utility tokens to a focus on security token offerings and the goal
• a claim for remedying a present breach; and of creating crypto-exchanges with the ability to support the secondary
• a claim for damages and reparation; if applicable, compensation market for security tokens.
for pain and suffering, as well as compensation for lost profits, can
also be asserted.
COMPETITION
No competition issues are known.
140 Fintech 2021

Coronavirus
for clients?
The 2nd Covid-19 Act was passed by the Liechtenstein Parliament in Thomas Nägele
tn@naegele.law
April 2020. As a result of a financial ordinance by the Liechtenstein
government, financial support is available to those individual and micro- Thomas Feldkircher
enterprises that have been able to maintain their business activities tf@naegele.law
but are affected by a loss of earnings owing to regulations concerning
the covid-19 pandemic and are not entitled to receive compensa- Dr. Grass Strasse 12
tion for short-time work or other support measures. This applies, in FL-9490 Vaduz
particular, to companies whose customers or suppliers have been shut Principality of Liechtenstein
down by the authorities or that are experiencing a decreasing number Tel: +423 237 60 70
of customers. Eligible for support are self-employed persons whose Fax: +423 237 60 71
main occupation is that of sole proprietor or manager or shareholder www.naegele.law
of a microenterprise. Also eligible for support are persons who are not
entitled to short-time work compensation and who are employed by a
company, such as co-directors or spouses.
Employers that have made wage payments to employees who are
prevented from working for a long and unforeseeable period of time
owing to official measures in connection with the covid-19 pandemic are
compensated for continued wage payments through the covid-19 daily
allowance.
Additionally, the possibility of taking out an emergency loan from
the National Bank of Liechtenstein, for which the Liechtenstein govern-
ment grants a 100 per cent default-in-payment guarantee, is very
popular. The loans will be granted interest-free until 30 June 2022.
Financial intermediaries must continue to comply with their regula-
tory obligations. However, there may be eased requirements or special
obligations as a result of the pandemic. These are based on the integra-
tion of the Financial Market Authority (FMA) in the European System of
Financial Supervision. The FMA supports the recommendations of the
European supervisory authorities and intends to implement them.
Malta
Leonard Bonello and James Debono
Ganado Advocates
FINTECH LANDSCAPE AND INITIATIVES The Malta Digital Innovation Authority (MDIA) is a relatively new
regulator established to act as:
General innovation climate • a fintech promoter that incentivises ‘investment’ in ‘innovative
1 What is the general state of fintech innovation in your technology arrangements’, as such terms are defined under the
jurisdiction? MDIAA; and
• a supervisory authority that ensures the reliability of these tech-
Malta’s reputation as the ‘blockchain island’ is a testament to its positive nologies and the integrity of the market.
approach to the fintech industry. Malta was a pioneer in regulating distrib-
uted ledger technologies and cryptocurrencies through the enactment of: FINANCIAL REGULATION
• the Virtual Financial Assets Act (Chapter 590 of the Laws of Malta);
• the Malta Digital Innovation Authority Act (Chapter 591 of the Laws Regulatory bodies
of Malta) (MDIAA); and 3 Which bodies regulate the provision of fintech products and
• the Innovative Technology Arrangements and Services Act (Chapter services?
592 of the Laws of Malta).
The Malta Financial Services Authority (MFSA) and the Malta Digital
Other prominent fintech areas attracting investment in Malta relate to Innovation Authority are the main competent authorities regulating the
e-payment services and insurtech. Furthermore, the Malta Financial provision of fintech products and services.
Services Authority (MFSA) is also buttressing this technology revolution
by setting up a dedicated FinTech and Innovation function. The MFSA is Regulated activities
also driving the long-term fintech strategy targeting both start-ups and 4 Which activities trigger a licensing requirement in your
industry scale-ups with the aim of establishing Malta as an international jurisdiction?
fintech hub while promoting the infusion of technology solutions in the
financial world. The local financial services regulatory framework comprises:
• the Investment Services Act (Chapter 370 of the Laws of Malta) (ISA),
Government and regulatory support which outlines the regulatory requirements of operators wishing
2 Do government bodies or regulators provide any support to set up investment services undertakings and collective invest-
specific to financial innovation? If so, what are the key benefits ment schemes. It transposes the Markets in Financial Instruments
of such support? Directive (2014/65/EU) (MiFID II) into Maltese law and regulates
services outlined therein when they are carried out in or from Malta
The Maltese government has always given the fintech industry priority in and in relation to one or more ‘instruments’, as defined therein;
policy formation. The MFSA has launched a standalone FinTech Strategy • the Banking Act, Chapter 371 of the Laws of Malta, which is the
aimed at providing legal and regulatory certainty and ensuring market law regulating credit institutions that carry out the ‘business of
integrity and financial soundness while safeguarding investor rights in banking’, defined as:
the fintech sphere. This strategy is based on six main pillars, namely: • accepting deposits of money from the public that are with-
• a suite of regulations to support regulatory efficiency; drawable or repayable on demand, after a fixed period or
• a holistic all-encompassing ecosystem to enhance access to finance after notice;
and foster innovation; • borrowing or raising money from the public with the purpose
• implementing an open architecture to support the use of application of using all or some of such money to lend to others; or
programme interfaces in financial services; • otherwise investing for the account and at the risk of the
• fostering international links to enhance bilateral cooperation and person accepting this money; and
cross-border fintech knowledge, adoption and investment; • the Financial Institutions Act, Chapter 376 of the Laws of Malta, (FIA),
• cultivating knowledge by the attracting and retaining talent and which sets out the licensing and ongoing obligations of non-banking
carrying out extensive research; and institutions. These can be classified in two categories – namely,
• security through implementing robust systems, plans and tech- institutions that carry out:
niques to counteract threats and exposure. • payment services or the issuance of electronic money; and
• activities such as lending, financial leasing, the provision of
The strategy also features a regulatory sandbox that enables financial guarantees and commitments, foreign exchange services and
service providers to test the viability of their products within the regula- money brokering.
tory framework, while keeping in direct contact with the regulators.
142 Fintech 2021

Ganado Advocates Malta
The FIA, the subsidiary legislation and the regulations promulgated A de minimis AIFM will be exempt from complying with certain provisions
under the FIA transpose the Payment Services Directive (2015/2366/EU) of the AIFMD but does not enjoy the use of the EU passporting rights.
(PSD2) and the second EU Electronic Money Directive (2009/110/EC).
Consumer lending 9 Describe any specific regulation of peer-to-peer or
5 Is consumer lending regulated in your jurisdiction? marketplace lending in your jurisdiction.
Lending is a regulated activity under the FIA, irrespective of whether it is The FIA stipulates that any person that, as a lender, regularly lends
provided to consumers. Article 5 of the FIA outlines the requirements for money in or from Malta is carrying out a regulated activity and requires
the authorisation of an institution to carry out lending activities, including: an MFSA licence prior to commencing operations. However, there is no
• an initial capital in the amount established by the MFSA; specific regulation on P2P platforms or marketplaces lending under the
• at least two individuals effectively directing the business of the insti- local financial services framework.
tution in Malta;
• all qualifying shareholders, controllers and all persons effectively Crowdfunding
directing the institution’s business are suitable persons to ensure 10 Describe any specific regulation of crowdfunding in your
its prudent management; and jurisdiction.
• sound and prudent management and robust governance
arrangements. While reward-based and donation-based crowdfunding platforms
remain unregulated, the MFSA has introduced a framework under the
Secondary market loan trading ISA applicable to investment-based crowdfunding services. Measures
6 Are there restrictions on trading loans in the secondary under this regime include a licensing requirement under the ISA, which,
market in your jurisdiction? in addition to capital requirements, encompasses mandatory disclosure
obligations. In the case of offers of securities that fall within the scope
There are no particular restrictions applicable to trading loans in the of the EU Regulation 2017/1129 (in which case, the EU regime would
secondary market in Malta. apply), the issuer must provide an information document, which will,
however, not be approved or verified by the MFSA.
Collective investment schemes
7 Describe the regulatory regime for collective investment Invoice trading
schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your
finance products or services would fall within its scope. jurisdiction.
Collective investment schemes (CIS) are regulated under the ISA. CIS Invoice trading falls within the scope of the FIA. Factoring and invoice
which fall within the scope of the local regulations are: discounting are listed as two types of lending activity that in turn trigger
• retail collective investment schemes, primarily undertaking in a licensing obligation under the FIA if and when they are carried out in
collective investment transferable securities; or from Malta on a regular basis.
• professional investor funds;
• alternative investment funds (AIFs); and Payment services
• notified alternative investment funds. 12 Are payment services regulated in your jurisdiction?
Investment-based crowdfunding is regulated under a separate regime. The FIA includes a list of the payment services that are regulated in Malta
With respect to peer-to-peer (P2P) or marketplace lenders, it is and reflects the services outlined in the PSD2. Institutions engaging in
pertinent to refer to the FIA, which regulates ‘money broking’, defined these payment activities must obtain authorisation from the MFSA prior
as the activity of introducing counterparties that wish to deal at mutually to the provision of these services in or from Malta on a regular basis.
agreed terms with respect to wholesale and retail financial products.
This regulation may have implications for both marketplace lenders and Open banking
P2P platforms. 13 Are there any laws or regulations introduced to promote
Alternative investment funds customer or product data available to third parties?
8 Are managers of alternative investment funds regulated?
There are no laws or regulations promoting competition among finan-
Managers of alternative investments funds (AIFMs) that operate in or cial institutions through the use of available data. However, the concept
from Malta fall within the scope of the ISA and the Alternative Investment of open banking has been locally introduced under the FIA through the
Fund Managers Regulations (Subsidiary Legislation 370.23 of the laws regulation of third-party payment service providers, namely, payment
of Malta), which transpose the Alternative Investment Fund Managers initiation service providers and account information service providers.
Directive (2011/61/EU) (AIFMD) into Maltese law. An AIFM may be
subject to a lite regime akin to the regime under the MiFID II if it quali- Robo-advice
fies as a de minimis AIFM. This will be the case where the assets under 14 Describe any specific regulation of robo-advisers or other
management are worth less than: companies that provide retail customers with automated
• €100 million; or access to investment products in your jurisdiction.
• €500 million and the portfolio consists of AIFs that are unleveraged
and have no redemption rights in the first five years following the No laws or regulations specific to robo-advisers or the automated
date of initial investment. access to investment products have been issued in Malta.
Malta Ganado Advocates
Insurance products Requirement for a local presence

15 Do fintech companies that sell or market insurance products 18 Can fintech companies obtain a licence to provide financial
in your jurisdiction need to be regulated? services in your jurisdiction without establishing a local
presence?
Entities that undertake insurance or reinsurance, (re)insurance distri-
bution activities or market (re)insurance services in or from Malta are Fintech companies cannot obtain a licence without establishing a local
regulated by two legislative instruments, namely: presence in Malta. While local presence and substance requirements
• the Insurance Business Act, Chapter 403 of the Laws of Malta; and vary across the different regulatory regimes applicable to the specific
• the Insurance Distribution Act, Chapter 487 of the Laws of Malta. services being provided by a fintech company, a decree of substance in
Malta is always required.
These acts impose requirements from or with the MFSA depending on
the nature of the insurance business activity being provided in or from SALES AND MARKETING
Malta. These acts, which implement EU Directive 2009/138/EC and EU
Directive 2016/97/EU respectively, are supplemented by regulations Restrictions
promulgated under these two laws and by rules and guidelines issued 19 What restrictions apply to the sales and marketing of
by the MFSA. financial services and products in your jurisdiction?
Credit references The Malta Financial Services Authority (MFSA) has the discretional
16 Are there any restrictions on providing credit references or authority to issue marketing guidelines and restrictions that apply to
credit information services in your jurisdiction? various financial services sectors and to prohibit or alter any kind of
promotional activity carried out by any financial services institution.
‘Credit reference agency’ is defined under the Trading Licence Act, Specific restrictions apply to licence holders that market their services
Chapter 441 of the laws of Malta, as any undertaking licensed by the and products to ensure that all information including marketing
Trade Licensing Unit, whose main business is to prepare, assemble communications addressed to retail investors or potential retail inves-
and evaluate credit information and related credit and risk manage- tors is fair, clear and not misleading. The Investment Services Act states
ment services concerning legal and natural persons for the purpose that no collective investment schemes, licensed or otherwise, can
of issuing credit scores to be furnished to third parties, provided that issue or cause to be issued a prospectus in or from Malta unless it has
the agency is not precluded from carrying out other related tasks. been approved by the MFSA. The marketing of retail financial services
The definition of ‘credit reference agencies’ pursuant to the draft law in Malta also falls within the scope of the EU Distance Selling (Retail
falls outside the scope of EU Regulation 1060/2009 and, therefore, the Financial Services) Regulation (Subsidiary Legislation 330.07), which
European Securities and Markets Authority would not have supervisory implements EU Directive 2002/65/EC.
powers over these entities. Further, credit reference services are listed
under the Banking Act as one of the additional activities exercisable by CHANGE OF CONTROL
credit institutions.
On 7 November 2018, the European Central Bank received a Notification and consent
request from the Central Bank of Malta (CBM) for an opinion on a draft 20 Describe any rules relating to notification or consent
law amending the Central Bank of Malta Act and on Draft Directive 15 on requirements if a regulated business changes control.
the supervision of credit reference agencies, which:
• gives the CBM new supervisory powers with respect to credit The Investment Services Act imposes a notification requirement for
reference agencies; and persons who, directly or indirectly, acquire a ‘qualifying shareholding’
• designates the CBM as the supervisory authority of credit refer- (as defined therein) in an investment services licence holder or increase
ence agencies solely for the purpose of overseeing and regulating their qualifying shareholding to an extent that the proportion of the
the issuance of credit scores. voting rights or the capital held would reach or exceed 20 per cent, 30
per cent or 50 per cent or so that the investment services licence holder
CROSS-BORDER REGULATION would become its subsidiary. The Malta Financial Services Authority
(MFSA) can object to such an acquisition. A notification obligation is
Passporting also triggered in the case of disposal or reduction of such qualifying
17 Can regulated activities be passported into your jurisdiction? shareholding. Licence holders must obtain written consent from the
MFSA before acquiring 10 per cent or more of the voting share capital
Regulated activities emanating from EU directives transposed into of another company before agreeing to sell or merge all or any part of
Maltese law can, subject to regulatory and procedural formalities, its undertaking.
be passported into Malta. Credit and financial institutions, invest- In the context of credit institutions, Banking Rule 13/2009,
ment services providers, collective investment schemes and issuers ‘Prudential assessment of acquisitions and increase of qualifying
that are legally established in one member state may passport their shareholdings in credit institutions authorised under the Banking Act’,
services through the establishment of a branch or otherwise, as may provides a blueprint of the procedural rules and evaluation criteria for
be applicable. Conversely, ‘homegrown’ services that are regulated by a the prudent assessment of acquisitions and holdings increases in the
standalone legislative framework in EU member states cannot be pass- financial sector and determines the criteria to be applied by the MFSA
ported into Malta. in the assessment process of a proposed acquirer. These rules reflect
the Joint Guidelines JC/GL/2016/01, which were issued by the Joint
Committee of the European Supervisory Authorities in 2016.
144 Fintech 2021

FINANCIAL CRIME pledge of shares, special rules contained in the Companies Act Chapter
386 of the laws of Malta, will also apply, which requires the pledge to
Anti-bribery and anti-money laundering procedures be constituted by an instrument in writing and notified to the Malta
21 Are fintech companies required by law or regulation to have Business Registry.
procedures to combat bribery or money laundering? Given that loan and security agreements are determined by
contract between the parties, enforcement depends on the provisions
The regulatory framework that governs anti-money laundering (AML) of the respective contracts; however, parties are not precluded from
procedures in Malta falls under the Prevention of Money Laundering Act, enforcing an agreement before the Maltese courts or by instituting arbi-
Chapter 373 of the laws of Malta (PMLA) and the Prevention of Money tration proceedings in Malta.
Laundering and Funding of Terrorism Regulations, which implements
EU Directive 2015/849/EU. The European Union extended the scope of Assignment of loans
its AML regime to digital currencies through EU Directive 2018/8432/ 24 What steps are required to perfect an assignment of
EU. Entities that must abide by the AML regulations include those that: loans originated on a peer-to-peer or marketplace lending
• provide services to safeguard private cryptographic keys on platform? What are the implications for the purchaser if the
behalf of its customers, or to hold, store and transfer virtual assignment is not perfected? Is it possible to assign these
currencies; and loans without informing the borrower?
• engage in exchange services between virtual currencies and fiat
currencies. The assignment of loans and other rights is generally dealt with in the
Civil Code, Chapter 16 of the laws of Malta. The Civil Code provides
Malta has acknowledged the risks associated with digital currencies that an assignment is complete and the ownership of the thing being
and has taken the initiative to anticipate this framework. The new assigned is acquired by the assignee as soon as the thing is transferred,
Implementing Procedures issued by the Financial Intelligence Analysis the price has been agreed and when the deed of assignment (which
Unit (FIAU) now also cover issuers of virtual financial assets (VFAs), must be in writing) is made. The assignee may not exercise the rights
VFA service providers and the activities of safe custody services, even assigned to them, except against third parties after due notice of the
when provided by any person or institution other than those licensed assignment (by judicial act) has been given to the debtor; however,
or authorised under the Banking Act or the Investment Services Act. notice is not necessary if the debtor has acknowledged the assignment.
Digital currency exchanges and issuers of VFAs are deemed to be However, Malta’s securitisation framework, based on the
subject persons and must have measures, policies and procedures in Securitisation Act, Chapter 484 of the laws of Malta, operates as an
place to address the identified risks. These measures, policies, controls opt-in regime whereby legal entities entering into securitisation trans-
and procedures must include, inter alia: actions may style themselves as securitisation vehicles subject to the
• customer due diligence, record-keeping procedures and reporting Securitisation Act, which aims to facilitate securitisation transactions by,
procedures; and among other things, relaxing some of the requirements regarding the
• risk management measures. assignment of rights as set out in the Civil Code. An assignment of rights
(to a securitisation vehicle) made pursuant to the Securitisation Act:
Guidance • does not require the assignment to have a price;
22 Is there regulatory or industry anti-financial crime guidance • is complete as soon as the assignment is written; and
for fintech companies? • allows notice to be given to debtors by a simple written notice (ie,
not a judicial act) or by publication of a notice in a daily newspaper.
The FIAU has issued a specific rulebook applicable to VFA agents,
issuers and licence holders with sector-specific guidance on how these An assignment made properly under the Securitisation Act is considered
issuers and operators can meet their AML obligations under the PMLA. a true sale as the Act provides that such an assignment will be treated
These procedures complement the Implementing Procedures that are as final, absolute and binding on the assignor (the originator), the
applicable across all other sectors, and apply to VFA service providers, assignee (securitisation vehicle) and all third parties and is not subject
VFA agents and issuers of initial VFA offerings, as well as to unlicensed to clawback. This implies that an assignment that is not perfected under
subject persons operating within the VFA space. the Securitisation Act may not be considered a true sale and may be
subject to annulment, rescission, revocation or termination.
Securitisation risk retention requirements
Execution and enforceability of loan agreements 25 Are securitisation transactions subject to risk retention
23 What are the requirements for executing loan agreements or requirements?
or security agreements entered into on a peer-to-peer or The Securitisation Regulation (Regulation 2017/2402/EU) became
marketplace lending platform will not be enforceable? directly applicable to all EU member states as of 1 January 2019.
Article 6 of the Securitisation Regulation directly tackles risk retention,
Loan and security agreements are contracts that are generally providing that, subject to any exceptions set out therein, the originator,
governed by Maltese contract law. In this respect, the parties entering sponsor or original lender of a securitisation must retain, on an ongoing
into such an agreement must have the capacity to do so, which, in the basis, a material net economic interest in the securitisation of no less
case of companies, means that the agreement is signed by a director than 5 per cent. In the circumstance that the retainer of this risk was not
after having obtained proper authorisation from the board. In the case of agreed, the originator must by law retain the risk.
natural persons, contracts can generally be entered into by anyone over
the age of 18, provided that they have not previously been interdicted
or incapacitated. Depending on the type of loan or security agreement
that is being entered into, special laws may apply. In the context of a
Securitisation confidentiality and data protection requirements • a virtual financial asset (VFA); or
26 Is a special purpose company used to purchase and securitise • a virtual token.
confidentiality or data protection laws regarding information If a person provides any of the services listed in the VFAA in relation
relating to the borrowers? to a DLT asset that qualifies as a VFA, licensing obligations apply. The
issuance of e-money also mandates a Malta Financial Services Authority
The Securitisation Act provides that the transfer of any data or informa- (MFSA) authorisation pursuant to the Financial Institutions Act.
tion made in the context of a securitisation transaction must remain
subject to professional secrecy, confidentiality and data protection laws. Digital currency exchanges
However, transfers of personal data made in the context of a securitisa- 30 Are there rules or regulations governing the operation of
tion are deemed to have been made for the legitimate interest of the digital currency exchanges or brokerages?
transferee and transferor unless it is shown that this interest is over-
ridden by the interest to protect the fundamental rights and freedoms of The VFAA imposes a licensing requirement on service providers in the
the data subject. Transfers of personal data made to a third country that VFA space, including VFA exchanges, custodians of VFAs (including
does not ensure an adequate level of protection within the meaning of wallet providers) and VFA advisers and brokers that are operating in or
the Data Protection Act, Chapter 586 of the laws of Malta, will not require from Malta. The MFSA has issued a Virtual Financial Assets Rulebook,
the authorisation of the data protection commissioner, provided that the which is divided into three main chapters. The requirements for a VFA
controller of this data can provide adequate safeguards for the protec- service provider licence include:
tion of the data subjects’ privacy and fundamental rights and freedoms. • the setting up of a Maltese entity;
• the holding of minimum capital;
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER • the appointment of various functionaries; and
TECHNOLOGY AND CRYPTO-ASSETS • undergoing assessments by the MFSA into (among other things)
the entity’s ultimate beneficial owners and board of administration.
27 Are there rules or regulations governing the use of artificial Initial coin offerings
intelligence, including in relation to robo-advice? 31 Are there rules or regulations governing initial coin offerings
(ICOs) or token generation events?
AI is not yet a regulated area. A Malta AI task force, commissioned
by the government launched the Strategy and Vision for Artificial The VFAA states that no issuer can:
Intelligence in Malta 2030, to put the island among the foremost juris- • offer a VFA to the public in or from Malta; or
dictions with the highest-impact national AI programme. The strategy • apply for a VFA’s admission to listing on a DLT exchange unless the
rests on three vertical pillars that direct efforts towards investment, issuer draws up a white paper that:
innovation and private and public sector adoption; and three horizontal • is dated;
enablers, namely education and workforce, the legal framework and • states the matters specified in the first schedule to the VFAA;
infrastructure. • includes a statement by the board of administration confirming
that the white paper complies with the Act; and
Distributed ledger technology • is registered with the MFSA.
distributed ledger technology or blockchains? The white paper must enable investors to make an informed assessment
of the prospects of the issuer, the proposed project and the features of
The Innovative Technology Arrangements and Services Act (ITAS) the VFA. Issuers must appoint a number of functionaries, including a
outlines the framework of designated innovative technology arrange- VFA agent, a custodian and a systems auditor, and must ensure that an
ments (including blockchain platforms and smart contracts) while investor does not invest more than €5,000 in its initial VFA offerings over
catering for the Malta Digital Innovation Authority (MDIA) and its regula- a 12-month period.
tory functions with regards thereto. Under the ITAS, any person may on
a voluntary basis request the MDIA to certify eligible arrangements or DATA PROTECTION AND CYBERSECURITY
services on the basis of a number of conditions, including that, among
other things, the arrangement is fit and proper for the purposes for Data protection
which it was set up and its underlying software has been reviewed by a 32 What rules and regulations govern the processing and
registered systems auditor. transfer (domestic and cross-border) of data relating to
fintech products and services?
Crypto-assets
29 Are there rules or regulations governing the use of crypto- There is no specific law or guidance regulating fintech companies’ use
assets, including digital currencies, digital wallets and of personal data. The processing and transfer of data is regulated by
e-money? the Data Protection Act (DPA), which implements the EU General Data
Protection Regulation, alongside any subsidiary legislation that supple-
Crypto-assets in Malta are regulated by the Virtual Financial Assets Act ments the DPA, and regulates the processing of personal data with
(VFAA), which spearheads the implementation of a bespoke financial regards to the e-communications sector, thereby implementing EU
instrument test, applicable to issuers, agents and licence holders, for Directive 2002/58/EC.
the purpose of determining whether a distributed ledger technology The European Commission has issued draft proposals for an
(DTL) asset qualifies as: e-privacy regulation to supersede the current Directive (2002/58/EC),
• electronic money; which would be directly applicable in all member states, harmonising
• a financial instrument; data protection laws. On the 21 February 2020, the revised test of the
146 Fintech 2021

Proposal for a Regulation of the European Parliament and of the Council INTELLECTUAL PROPERTY RIGHTS
concerning the respect for private life and the protection of personal
data in electronic communications and repealing Directive 2002/58/EC IP protection for software
(Regulation on Privacy and Electronic Communications) was published. 36 Which intellectual property rights are available to protect
software, and how do you obtain those rights?
Cybersecurity
33 What cybersecurity regulations or standards apply to fintech Software constitutes literary work, which enjoys automatic copyright
businesses? protection under the Copyright Act, Chapter 415 of the laws of Malta,.
A copyright is a non-registrable right that arises as soon as a work
Different cybersecurity standards apply across different business considered eligible for copyright protection (which under Maltese law,
sectors within the financial industry. In the digital assets space, which includes artistic works, audiovisual works, databases, literary works
is regulated by the Virtual Financial Assets Act, licence holders must and musical works) is created. No formal registration of copyright
establish various management policies within their cybersecurity (voluntary or otherwise) in Malta is required. Further, in accordance
framework. Further, acknowledging that the financial services industry with the Patents and Designs Act, Chapter 417 of the laws of Malta
is experiencing a digital and technological transformation, the Malta (PDA), schemes, rules and methods for doing business and computer
Financial Services Authority has proposed a new set of guidance notes programs are not considered to constitute inventions that are capable
on cybersecurity, which will apply to key players in this industry, setting of patent protection.
out a minimum set of best practices and risk management procedures
to be followed in order to effectively mitigate cyber risks. IP developed by employees and contractors
OUTSOURCING AND CLOUD COMPUTING employee during the course of employment? Do the same
Outsourcing contractors or consultants?
respect to the outsourcing by a financial services company of In terms of works that are eligible for copyright protection, the Copyright
a material aspect of its business? Act dictates that such protection shall vest initially in the author or joint
authors of the particular work. Particularly in the case of computer
In general, the outsourcing of material activities of a financial services programs and databases, however, where a work is made in the course
company would lead to the regulatory intervention and oversight of the of the author’s employment, the economic rights arising therefrom will
Malta Financial Services Authority (MFSA). For example, the Banking Act be deemed to be transferred to the author’s employer – subject to an
provides that no credit institution shall outsource its material services agreement between the parties to the contrary. Other works eligible for
or activities, unless the outsourcing service provider is granted recog- copyright (ie, barring computer programs and databases) shall always
nition by the MFSA. To obtain this recognition, the outsourcing service vest in the author or joint authors of the particular work, provided that
provider must make a written request providing information on: an agreement to the contrary has not been entered into.
• its name and address; With reference to patentable inventions, the PDA holds that any
• the material services or activities to be outsourced; invention occurring under a contract of employment belongs to the
• the reasons for outsourcing the service or activities; and employer; however, the creator of that work (ie, in this context, the
• the regulatory status, if any, if it is authorised or licensed in a employee) would have a right to equitable remuneration for their inven-
foreign jurisdiction. tion. In the absence of an agreement between the parties as to the
remuneration due, this must be ascertained by the Maltese courts.
Cloud computing In view of the various nuances highlighted above, it is always advis-
35 Are there legal requirements or regulatory guidance with able to incorporate a clause regulating the ownership, or otherwise, of
respect to the use of cloud computing in the financial services intellectual property into a company’s standard contract of employment
industry? and service agreements with its contractors or consultants. However,
when developing or making use of intellectual property in the course of
Various initiatives at both a local and European level seek to govern employment or engagement, there is an argument to be made that the
the evolution of cloud computing. However, these are not neces- employee or the contractor or consultant engaged to render a particular
sarily specific to the financial services sector. Locally, the Malta service must be considered a fiduciary in accordance with article 1124
Communications Authority has issued a guidance document enti- et seq of the Civil Code, and must therefore abide by the various obliga-
tled ‘Cloud Computing Guidelines for SMEs & Microenterprises’ that tions specified therein.
highlights considerations to be taken by small and medium-sized enter-
prises and microenterprises when assessing the suitability of the use of Joint ownership
cloud computing in their firm. This guidance document provides further 38 Are there any restrictions on a joint owner of intellectual
details as to the contractual implications that may arise between small property’s right to use, license, charge or assign its right in
and medium-sized enterprises, microenterprises and cloud computing intellectual property?
service providers. Transposing EU Directive 2016/1148/EU, Subsidiary
Legislation 460.35 sets out cybersecurity standards and establishes The Trademarks Act, Chapter 597 of the laws of Malta, states that where
a Critical Information Infrastructure Protection Unit (CIIP Unit). In a registered trademark is subject to co-ownership, each joint owner is
Malta the CIIP Unit falls under the remit of the Critical Infrastructure entitled, subject to an agreement stating the contrary, to an equal undi-
Protection Directorate, which also oversees the National Computer vided share in the registered trademark. Each co-owner is also entitled,
Security Incidence Response Team. personally or otherwise, to perform for their own benefit, without the
other co-owner’s consent, any act that would otherwise amount to an
infringement of the registered trademark. A co-owner may not grant a
licence over the registered trademark or assign or cede control of their This liability attaches to any person who, with a view to gain for them-
share in the trademark without the other co-owner’s consent. selves or another, or with intent to cause loss to another, uses or applies
The aforementioned is also applicable in the case of co-ownership without the consent of the trademark owner an infringing sign or else
of a registered design under the Patents and Designs Act. Conversely, has in their possession or control or offers for sale, hire or distribu-
in the case of joint proprietors of a patent, the law specifies that either tion goods that bear infringing marks. The Enforcement of Intellectual
party may separately assign or transfer by succession their share of the Property Rights (Regulation) Act, Chapter 488 of the laws of Malta,
patent with or without the other patent owner’s agreement. However, provides for measures that may be requested by IP rights holders to
to surrender the patent or conclude a licensing agreement with third enforce their IP rights or to preserve evidence and request information
parties, the co-owners must act jointly. from alleged infringers.
In terms of copyright, a joint author can assign or license copyright
unilaterally, provided that where any other joint author is not satisfied COMPETITION
with the manner in which this assignment or licence has been granted,
they can resort to the Copyright Board within three months from the Sector-specific issues
day on which the terms of the assignment or licence have been commu- 42 Are there any specific competition issues that exist with
nicated to them in writing. respect to fintech companies in your jurisdiction?
Trade secrets There are no competition issues that specifically affect fintech compa-
39 How are trade secrets protected? Are trade secrets kept nies in Malta. However, in 2019 the European Commission published
confidential during court proceedings? its Competition Policy for the Digital Era, which tackles competition
issues that arise from the digital industries and states how regulations
The Trade Secrets Act, Chapter 589 of the laws of Malta, (TSA) provides should be tailor-made to cater for the specific issues that might arise.
for measures to be taken against the unlawful acquisition, use and The report identified the following characteristics of the industry that
disclosure of trade secrets. The TSA allows the competent court to might give rise to incentives for dominant digital firms to act in an anti-
issue precautionary acts against the alleged infringer for the cessation competitive manner:
or prohibition of the use or disclosure of the trade secret on a provi- • the extreme returns to scale that the industry brings with it;
sional basis. The court may also issue precautionary acts to prohibit the • the convenience of the product being dependant on a large
production, offering, placing on the market or use of infringing goods user base; and
or the seizure of these infringing goods to prevent their entry into or • the pivotal role of data.
circulation on the market. Once the court has determined that there
has been unlawful acquisition, use or disclosure of a trade secret, it TAX
can order the cessation of the unlawful behaviour, apply injunctive and
corrective measures or impose damages that are appropriate to the Incentives
actual prejudice suffered as a result of the unlawful acquisition, use or 43 Are there any tax incentives available for fintech companies
disclosure of the trade secret. The TSA also states that should an appli- and investors to encourage innovation and investment in the
cation be submitted by an interested party, it shall be unlawful for any fintech sector in your jurisdiction?
of the parties participating within the legal proceedings to disclose the
nature or any details relating to the trade secret in question. This obli- While the Maltese corporate tax environment is very attractive to
gation shall remain in force even after legal proceedings have ended. businesses establishing a local presence, there do not seem to be tax
incentives specifically available for fintech companies. Malta offers
Branding several fiscal schemes and incentives in the form of tax credits to
40 What intellectual property rights are available to protect companies deemed as being innovative enterprises according to the
branding and how do you obtain those rights? How can fintech rules and regulations set out by the Malta Enterprise.
businesses ensure they do not infringe existing brands?
Trademarks create a distinctive brand and can be obtained by lodging 44 Are there any new or proposed tax laws or guidance that
an application with the Malta IP rights directorate outlining the trade- could significantly increase tax or administrative costs for
mark name or image (or combination thereof), as well as the goods and fintech companies in your jurisdiction?
service that this trademark will protect. It is also possible to apply for
an EU trademark, which will grant pan-European protection over the Without prejudice to the regulatory fees payable to the competent
trademark. On an international level, it is also possible to lodge an appli- authorities in relation to any new licensing obligations imposed on
cation with the World Intellectual Property Organisation, designating the fintech companies, there are no new or proposed tax laws or guidance
countries in which trademark protection is sought. specific to fintech business that will amplify tax and administrative costs.
Remedies for infringement of IP IMMIGRATION

whose intellectual property rights have been infringed? Sector-specific schemes
The remedies available are enshrined in the acts that regulate specific businesses to recruit skilled staff from abroad? Are there any
IP rights. The Trademarks Act provides that a person found guilty of special regimes specific to the technology or financial sectors?
trademark infringement under this act may be liable for:
• imprisonment for up to three years; At present, in Malta there are no immigration regimes specifically
• a fine of up to €23,293.73; or targeting fintech businesses aspiring to recruit skilled staff from abroad,
• both. which means that the immigration schemes that are available to fintech
148 Fintech 2021

businesses are no different from the schemes that are available to other
business sectors. There are two regimes available, distinguishing EU,
EEA and Swiss nationals from non-EU nationals. EU, EEA and Swiss
nationals aspiring to work in Malta’s fintech business must apply for
residence via CEA Form A submitted on the basis of employment or self-
employment pursuant to the Free Movement of EU Nationals and their
Family Members Order (LN 191/2007) and the Immigration Regulations
(LN 205/2004). The non-EU, EEA and Swiss regime grants two appli-
cations to third-country nationals – namely, CEA Form B and the key Leonard Bonello
lbonello@ganadoadvocates.com
employee initiative, which is a single work permit for managerial or
highly technical posts. James Debono
jdebono@ganadoadvocates.com
UPDATE AND TRENDS
171, Old Bakery Street
Valletta VLT1455
46 Are there any other current developments or emerging Malta
trends to note? Tel: +356 21 23 54 06
Fax: +356 21 22 59 08
The main current development in Malta is the drive and effort with www.ganadoadvocates.com
which the Malta Financial Services Authority, as a proactive financial
services regulator, is promoting the idea of Malta becoming a global
fintech hub. Throughout its long-term fintech strategy, the regulator is
not only supporting the financial services industry to harness the oppor- Guarantee Scheme), which mainly provides guarantees to commer-
tunities presented by innovation and technology, but is also geared up to cial banks that facilitate access to bank financing for businesses
harness as much legal and regulatory certainty as possible for industry established and operating in Malta (both small and meduim-sized
players to operate in an environment with effective investor protection, enterprises with up to 250 employees and large enterprises with
market integrity and financial soundness. more than 250 employees) that are facing liquidity and cash flow
problems because of the pandemic.
Coronavirus • To complement the Guarantee Scheme, the government also
47 What emergency legislation, relief programmes and other announced a second measure to further alleviate the terms
initiatives specific to your practice area has your state relating to working capital loans extended by banks under the
implemented to address the pandemic? Have any existing Scheme. Through the Interest Rate Subsidy Scheme, which is also
government programmes, laws or regulations been amended targeted towards businesses facing unprecedented disruptions
to address these concerns? What best practices are advisable owing to the covid-19 outbreak, businesses may avail themselves
for clients? of a subsidy of up to 2.5 per cent on the interest rate charged by
banks during the first two years of working capital loans guaran-
The covid-19 pandemic has triggered a number of legislative and regu- teed by the Guarantee Scheme.
latory initiatives within the financial services world that the Maltese
government, regulators and competent authorities have implemented
to lessen and mitigate the negative impacts to the relevant institutions
and the general public. Among other measures relating to borrower-
based measures or the timing of supervisory reporting, some of the
initiatives launched to counteract the risks posed by the pandemic
include the following.
• Eurozone institutions have been granted a one-month extension
by the Malta Financial Services Authority for the submission of
specific supervisory reporting modules with remittance dates
between March 2020 and May 2020. A further extension may be
granted, but this will only be given on a case-by-case basis and
provided that exceptional circumstances exist.
• The government of Malta issued the Moratorium on Credit Facilities
in Exceptional Circumstances Regulations to mandate credit and
financial institutions licensed under the laws of Malta to grant
a six-month moratorium on capital and interest for borrowers
with respect to credit facilities satisfying the eligibility criteria
established under Directive No. 18 issued by the Central Bank of
Malta. Foreign banks do not fall within the scope of the Directive
unless they have a branch, agency or office in Malta. The mora-
torium has been extended by a further six months in an effort to
continue providing assistance for borrowers negatively affected by
the pandemic.
• The Malta Development Bank (MDB) has launched the EU
Commission-approved MDB Covid-19 Guarantee Scheme (the
Netherlands
Aron Berket, Jeroen Bos and Marline Hillen
FINTECH LANDSCAPE AND INITIATIVES the DNB to adopt a more data-driven approach and focus on the use of
digital technologies in its supervision.
General innovation climate Furthermore, in April 2020, the DNB stated that it has a favourable
1 What is the general state of fintech innovation in your attitude towards central bank digital currency (CBDC). CBDC is money
jurisdiction? issued by a central bank and is generally accessible to households and
businesses. Therefore, DNB does not only support financial innovation,
Fintech innovation in the Netherlands continues to develop. There has but also intends to play a leading role in certain financial innovation,
been a high level of activity in the fields of artificial intelligence, machine such as the development of CBDC.
learning, blockchain, mobile and advanced analytics. The Dutch market There are no formal arrangements with foreign regulators that
is also adopting other innovations, such as open banking (as a result relate specifically to fintech companies. However, the AFM and DNB
of the Revised Payment Services Directive). Generally, diversification maintain contact with other regulators in the Netherlands (such as the
in the Dutch financial services sector is increasing as new companies ACM and the Dutch Data Protection Authority), the EU and globally (such
enter the market and incumbents (such as large Dutch banks) progress as the International Organization of Securities Commissions).
their own fintech initiatives. However, some market participants are
concerned that the new registration regime for certain crypto-service FINANCIAL REGULATION
providers that entered into force on 21 May 2020 will deter potential
new entrants from entering the market owing to additional administra- Regulatory bodies
tive and compliance costs. 3 Which bodies regulate the provision of fintech products and
services?
2 Do government bodies or regulators provide any support There is no specific regulatory framework applicable to the provision of
specific to financial innovation? If so, what are the key fintech products and services.
benefits of such support? Furthermore, it is unlikely that such a specific Dutch regulatory
framework will be established now that the Dutch Authority for the
In 2016, the Dutch Authority for the Financial Markets (AFM) and the Financial Markets (AFM) and Dutch Central Bank (DNB) have issued the
Dutch Central Bank (DNB) set up the InnovationHub to provide new recommendation to regulate cryptos at an international level. As such,
and existing firms with support in answering queries related to the depending on the nature and scope of products and services offered,
regulation of innovative financial products and services. Within the the AFM and DNB supervise compliance with conducts of business rules
InnovationHub, the AFM and DNB cooperate with the Dutch Authority and prudential requirements respectively.
for Consumers and Markets. The InnovationHub aims to offer easy
access to supervisors and regulators for companies that provide inno- Regulated activities
vative services or products, remove any unnecessary barriers to entry, 4 Which activities trigger a licensing requirement in your
gain more insight into the rapidly developing technological innova- jurisdiction?
tion within the financial sector, and improve knowledge, sharing and
dialogue with all relevant stakeholders. The InnovationHub enables Depending on the nature and scope of services offered, licensing
fintech companies to obtain a temporary banking licence, among requirements under the Dutch Financial Supervision Act (FSA) and
other things. secondary legislation may apply.
The AFM and DNB have also set up a ‘regulatory sandbox’ for The following activities are regulated under the FSA.
fintech companies to test and develop new products. If certain criteria • Deposit-taking and granting credits for one's own account: credit
are met, the regulatory sandbox can provide bespoke solutions for institutions (ie, institutions that attract repayable funds from the
financial services companies that cannot reasonably meet specific poli- public in the Netherlands and that extend credit for own account)
cies, rules or regulations when marketing an innovative product, service require a banking licence.
or business model, and that do meet the underlying rationale of these • Consumer lending: the extension of credit to consumers requires
policies, rules or regulations. a licence.
Furthermore, the DNB periodically organises a seminar, ‘Fintech • Factoring, to the extent this would constitute consumer lending.
meets the Regulators’, during which relevant market participants and • Invoice discounting, to the extent this would constitute consumer
DNB share thoughts on current developments. lending.
Additionally, in November 2019, the DNB launched a joint partner- • Payment services: all institutions carrying out payment services as
ship of banks, insurers and partnerships, the iForum, which enables described in the Annex to the Revised Payment Services Directive
150 Fintech 2021

Simmons & Simmons LLP Netherlands
(PSD2), require a licence. A licence to act as a credit institution may investment scheme can be an undertaking for collective investment in
also cover carrying out payment services. transferable securities, as defined in the Undertakings for Collective
• Investment services: a financial institution is required to have a Investment in Transferable Securities Directive.
licence if it intends to provide investment services. These can be Whether a fintech company would qualify as a collective invest-
split into the following services, carried out in pursuit of a business ment scheme will depend on the exact nature of its business. For
or profession: example, fintech companies that manage assets on a pooled basis on
• receiving and transmitting client orders relating to financial behalf of investors should give particular consideration as to whether
instruments (which includes bringing about deals in financial they qualify as a collective investment scheme. On the other hand,
instruments); fintech companies that provide advice or payment services may be
• executing client orders relating to financial instruments; less likely to constitute a collective investment scheme. Peer-to-peer
• managing an individual’s assets; lenders, marketplace lenders or crowdfunding platforms could poten-
• providing advice regarding financial instruments; tially fall within the scope of the AIFMD, to the extent they would qualify
• underwriting or placement with a firm commitment basis of as (managers of) collective investment schemes. Currently, the AFM’s
financial instruments; and register ‘Crowdfunding platforms’ indicates that no crowdfunding
• placement without a firm commitment basis of financial platform holds a licence for managing or offering units in collective
instruments. investment schemes.
• Investment activities: a financial institution is required to have a
licence if it intends to perform an investment activity. Investment Alternative investment funds
activities can be split into three activities: 8 Are managers of alternative investment funds regulated?
• dealing on one's own account (including foreign exchange
trading); Managers of alternative investment funds are regulated under the
• operating an organised trading facility; and AIFMD, which has been implemented in the FSA.
• operating a multilateral trading facility.
• Clearing and settlement: acting as a clearing and settlement insti- Peer-to-peer and marketplace lending
tution requires a licence. 9 Describe any specific regulation of peer-to-peer or
• Secondary market loan trading. marketplace lending in your jurisdiction.
Consumer lending There is no specific regulation of peer-to-peer (P2P) or marketplace

5 Is consumer lending regulated in your jurisdiction? lending in the Netherlands. However, this activity might constitute a
regulated activity under the FSA. For instance, if a platform facilitating
Under the FSA, consumer lending requires a licence and is consid- P2P lending receives and transmits orders in financial instruments, it
ered a financial product. Advising a consumer on a financial product or may be subject to a licensing obligation as an investment firm.
providing intermediary services in relation to such a financial product
is only allowed if the institution has obtained a licence from the AFM. Crowdfunding
Financial institutions may be exempted if they have another licence that 10 Describe any specific regulation of crowdfunding in your
permits consumer lending or advising consumers on financial products. jurisdiction.
Before entering a loan agreement with a consumer, the finan-
cial institution must provide the consumer with relevant information Loan-based and equity-based crowdfunding may trigger certain require-
relating to the financial product, so that the consumer is able to prop- ments under the FSA, such as the requirement to publish a prospectus
erly assess the product. In addition, credit assessment rules exist to or to obtain a banking, consumer credit or investment firm licence.
prevent consumer over-indebtedness. These rules are part of the over- Much will depend on the exact activities and model.
arching requirement that lenders exercise due care when providing Crowdfunding platforms may apply for certain exemptions under
these services. specific circumstances, which can allow them to perform activities as an
intermediary to attract or obtain the disposal of repayable funds from
Secondary market loan trading the public or, if the platform holds a licence to operate as an investment
6 Are there restrictions on trading loans in the secondary firm, they may be exempted from the prohibition on receiving commis-
market in your jurisdiction? sions from third parties.
However, crowdfunding platforms should be aware that the AFM
Secondary market loan trading is only a regulated activity where it may attach certain conditions to licences or individual exemptions. For
constitutes consumer lending. instance, the AFM may require that consumers have the right to reclaim
their investment within 24 hours. Additionally, exempted crowdfunding
Collective investment schemes platforms may still be subject to certain requirements in relation to
7 Describe the regulatory regime for collective investment governance and business operation policies.
schemes and whether fintech companies providing Where a consumer invests in total more than €500 in a crowd-
alternative finance products or services would fall within its funding platform, the platform is required to administer a ‘crowdfunding
scope. investment test’ that meets certain preconditions in relation to that
consumer. The outcome of this test is not strictly binding; however, in
In the FSA, collective investment schemes can be an alternative invest- the case of a negative outcome, the crowdfunding platform is required to
ment fund, as defined in the Alternative Investment Fund Managers inform the customer on the related risks. The AFM also applies certain
Directive (AIFMD). Under the AIFMD, an alternative investment fund is investment limits for consumers, ranging from €40,000 to €80,000 per
a vehicle with or without legal personality, which raises capital from platform, depending on the type of crowdfunding.
investors with a view to investing it in accordance with a defined invest-
ment policy for the benefit of those investors. Alternatively, a collective
Netherlands Simmons & Simmons LLP
Invoice trading companies providing traditional investment advice. Additionally, the

11 Describe any specific regulation of invoice trading in your AFM has issued guidelines regarding the (‘technique-neutral’) duty of
jurisdiction. care of asset managers who offer semi-automatic investment advice.
These guidelines are not legally binding but they do bring clarity for
There is no specific regulation of invoice trading in the Netherlands. asset managers. The guidelines are aligned with Dutch law, Markets in
However, depending on the exact services provided and the status of Financial Instruments Directive II and suitability guidelines published
the parties involved, invoice trading may lead to either party qualifying by the European Securities and Markets Authority and set out, among
as an intermediary of consumer credit or may amount to the extension other things, guidance on safety and the provision of information.
of consumer credit. The AFM has published its views on robo-advice more generally,
stating that while robo-advice could be an opportunity to improve both
Payment services access to and the quality of investment advice, there are also specific
12 Are payment services regulated in your jurisdiction? points of attention to consider There is no specific regulation of other
companies that provides retail customers with automated access to
Yes. In the Netherlands, payment services are regulated on the basis of investment products in the Netherlands. There is no legal distinction
PSD2, which has been implemented in the FSA. A licence is required to between companies providing automated access to investment prod-
carry out all payment services listed in the Annex to PSD2. ucts and companies that offer investment products in a traditional way.
Payment services include:
• services enabling cash to be placed on a payment account or Insurance products
cash withdrawals from a payment account and all the operations 15 Do fintech companies that sell or market insurance products
required for operating a payment account; in your jurisdiction need to be regulated?
• the execution of the following types of payment transactions:
• direct debits, including one-off direct debits; The sale of insurance products is regulated under the FSA and requires
• payment transactions executed through a payment card or a a licence.
similar device; and
• credit transfers, including standing orders; Credit references
• the execution of the following types of payment transactions where 16 Are there any restrictions on providing credit references or
the funds are covered by a credit line for the payment service user: credit information services in your jurisdiction?
• direct debits, including one-off direct debits;
• payment transactions executed through a payment card or a The rules on credit rating agencies laid down in Regulation (EC)
similar device; and No. 1060/2009 on credit rating agencies (as amended) apply in the
• credit transfers, including standing orders; Netherlands. A credit rating agency is required to adopt, implement and
• issuing payment instruments or acquiring payment transactions; enforce adequate measures to ensure that the credit ratings it issues
• money remittance; are based on a thorough analysis of all the information that is available
• payment initiation services (initiating a payment order at the to it and is relevant to its analysis according to its rating methodologies.
request of a payment service user with respect to an account held
with another payment service provider); and CROSS-BORDER REGULATION
• account information services (online services to provide consoli-
dated information on one or more payment accounts held by the Passporting
payment service user with another one (or more) payment service 17 Can regulated activities be passported into your jurisdiction?
provider).
An EEA firm that has been authorised under one of the EU single
Open banking market directives (the Capital Requirements Directive, Solvency II, the
13 Are there any laws or regulations introduced to promote Markets in Financial Instruments Directive II, the Insurance Distribution
competition that require financial institutions to make Directive, the Mortgage Credit Directive, the Undertakings for Collective
customer or product data available to third parties? Investment in Transferable Securities Directive, the Alternative
Investment Fund Managers Directive and the Revised Payment Services
The implementation in the FSA of the access-to-account rules, as Directive) may, in principle, provide cross-border services into or estab-
included in the PSD2, requires financial institutions to provide access lish a branch in the Netherlands. To exercise this right, in general, the
to the payment accounts of consumers to payment initiation service firm must first provide notice to its home state regulator. The relevant
providers and account information service providers. In general, data directive under which the EEA firm is seeking to exercise its passporting
protection and privacy regulations should be considered prior to making rights as implemented in the Dutch Financial Supervision Act (FSA) will
customer data available to third parties. determine the conditions and processes that the EEA firm must follow.
Robo-advice Requirement for a local presence

14 Describe any specific regulation of robo-advisers or other 18 Can fintech companies obtain a licence to provide financial
companies that provide retail customers with automated services in your jurisdiction without establishing a local
access to investment products in your jurisdiction. presence?
There is no specific regulatory framework for robo-advisers in the To obtain a licence for any of the activities regulated pursuant to the
Netherlands. FSA, in general, a local presence must be established, unless a firm can
Furthermore, there is no legal distinction between robo-advice benefit from a European passport.
and traditional investment advice in the Netherlands. As such, compa-
nies providing robo-advice must fulfil the same legal requirements as
152 Fintech 2021

SALES AND MARKETING FINANCIAL CRIME
Restrictions Anti-bribery and anti-money laundering procedures

19 What restrictions apply to the sales and marketing of 21 Are fintech companies required by law or regulation to have
financial services and products in your jurisdiction? procedures to combat bribery or money laundering?
Depending on the regulatory status of the financial institution, different There is no general framework under which fintech companies are
marketing rules may apply, including clientele restrictions. Advice required to have in place procedures to combat bribery or money laun-
should be sought on the specific circumstances of any particular case. dering. However, as of 21 May 2020, certain crypto-service providers
The Dutch Financial Supervision Act (FSA) states that, in general, fall with scope of the Money Laundering and Terrorist Financing
relevant marketing activities: (Prevention) Act. This concerns companies, legal entities or natural
• must be correct, clear and not misleading; persons that provide:
• must be recognisable as being of a commercial nature (where • services for the exchange between virtual and fiat currencies; and
applicable); and • services offering custodian wallets (ie, services to safeguard
• may not contradict the information that is required to be made private cryptographic keys on behalf of customers; consequently,
available pursuant to the FSA. ‘soft wallets’ do not fall within the scope).
In addition, specific rules apply depending on the type of product These crypto service providers are also required to register with the
offered or service provided and, in some cases, also on the type of client Dutch Central Bank (DNB). Requirements for registration include having
targeted. Some of these are summarised below. in place an adequate integrity policy to ensure ethical operation manage-
Marketing materials for complex products (eg, participation rights ment. In this policy, an analysis of integrity risks, compliance with the
in an open-ended collective investment scheme and investment objects) Sanctions Act 1977, transaction monitoring, reporting of unusual trans-
should include a risk indicator as prescribed by the Further Regulation actions to the Financial Intelligence Unit-Netherlands and customer
on Conduct of Business Supervision of Financial Undertakings (the due digilence must be discussed. Other requirements for registration
Further Regulation). include, among others, that:
Marketing materials for credit offerings to consumers that refer to • the policymakers of crypto-service providers are trustworthy; and
debit interest rates or other information regarding costs should include • the (directors of) holders of a qualifying holding (at least 10 per
(at a minimum) information regarding floating or fixed interest rates cent of the shares or voting rights, or both) in crypto-service
and other costs that form part of the total costs of the credit for the providers are trustworthy.
consumer, the total credit amount, the yearly cost percentage, identity
and address of the provider or intermediary, and certain other informa- Guidance
tion depending on the type of credit, all as prescribed in the Decree 22 Is there regulatory or industry anti-financial crime guidance
on Conduct of Business Supervision of Financial Undertakings. In addi- for fintech companies?
tion, certain risk warnings are prescribed and certain prohibitions apply,
such as the prohibition on including any references to the speed or ease There is no regulatory or industry anti-financial crime guidance specifi-
with which the credit may be obtained. cally for fintech companies. However, the Dutch Authority for the
For products other than complex products, the more general Financial Markets and DNB have set up the InnovationHub to support
marketing rules included in the Further Regulation apply, including the market operators, such as fintech companies. Furthermore, the DNB
obligation to include a warning that the value of an investment may has published a brochure entitled ‘Good practices fighting corruption’
fluctuate and that historical returns offer no guarantee for the future. and the DNB website provides answers to questions about DNB’s integ-
Depending on the medium used for marketing (print, TV, radio or rity supervision of crypto-companies. As regards anti-money laundering
internet) further rules apply, such as the relevant information to be and combating financing of terrorism, DNB issued a comprehensive
included at a minimum (ie, the name of the provider, the regulatory guidance that also relates to trade sanctions on 18 December 2019.
status of provider, and where and how further information relating to
the product or service can be obtained). Specific marketing rules have PEER-TO-PEER AND MARKETPLACE LENDING
been introduced to facilitate marketing on social media.
CHANGE OF CONTROL 23 What are the requirements for executing loan agreements or
Notification and consent or security agreements entered into on a peer-to-peer or
20 Describe any rules relating to notification or consent marketplace lending platform will not be enforceable?
requirements if a regulated business changes control.
Loan agreements are not restricted to a certain form and can there-
If a qualifying holding (at least 10 per cent of the shares or voting rights, fore be entered into and executed electronically. To create a security
or both) is obtained in certain Dutch financial firms (such as settlement right (ie, a right of pledge or mortgage) a deed is required, which has to
institutions, banks, managers of UCITS, investment firms, entities for be in writing. Dutch law distinguishes between authentic deeds, which
risk acceptance, premium pension institutions and insurers and rein- require the involvement of a civil-law notary (and can therefore not be
surers), prior approval by the Dutch Central Bank (DNB) is required. executed in electronic form), and private deeds.
The DNB grants approval by way of a ‘Declaration of No Objection’. In A private deed can be executed electronically provided its contents
specific cases, increases of qualifying holdings above certain thresholds are stored for future reference during a minimum relevant period
are also notifiable to or subject to approval from DNB. (depending on the nature of the deed) in such a way that they can be
reproduced without alteration. For example, a deed of pledge can be
executed electronically provided that the pledgee can store the deed
during the duration of the loan agreement for which the pledge was firms and alternative investment fund managers) will be subject to higher
issued. In addition, the deed still needs to be printed as the tax authori- regulatory capital charges where they invest in securitisation positions
ties do not accept electronic copies of a deed. that do not comply with the risk retention rules. Those rules require that
An electronic deed will require an electronic signature. An electronic either the sponsor, originator or original lender in respect of the securiti-
signature can constitute proof of the intention of the signatory to agree sation explicitly discloses to the investor that it will retain, on an ongoing
with the contents of a certain document in the same way a written signa- basis, a material net economic interest in the securitisation (which in any
ture does if the method used to authenticate the electronic signature is event is not less than 5 per cent) using one of five prescribed retention
sufficiently reliable. The Dutch courts asses the reliability of this method methods. Those methods include (among others) retention of:
in view of all the circumstances of the relevant case. There is no specific • the most subordinated tranche or tranches, so that the retention
risk that loan agreements or security agreements will not be enforce- equals no less than 5 per cent of the nominal value of the securi-
able when entered into on a P2P or marketplace lending platform. tised exposures;
• 5 per cent of the nominal value of each of the tranches sold to
Assignment of loans investors; or
24 What steps are required to perfect an assignment of loans • randomly selected exposures equivalent to no less than 5 per cent
originated on a peer-to-peer or marketplace lending platform? of the nominal value of the securitised exposures.
What are the implications for the purchaser if the assignment
is not perfected? Is it possible to assign these loans without Definitions of ‘sponsor’, ‘originator’ and ‘original lender’ are set out in
informing the borrower? the EU Securitisation Regulation. Furthermore, there is a direct require-
ment on the sponsor, originator and original lender to agree on an
Under Dutch law, there is a distinction between the transfer of loans entity that will act as retention holder and to ensure compliance with
(ie, the receivables and the liabilities under a loan) and the sole assign- the retention requirement. In the absence of agreement as to who will
ment of receivables under the loans. As securitisations require that be the retention holder, the originator shall be the retention holder.
only the receivable is assigned, only the assignment of receivables is The EU Securitisation Regulation does not explicitly set out the juris-
discussed here. dictional scope of the ‘direct’ retention obligation, but there is a helpful
Assignment always requires that: (1) the receivable is transferable; note in the Explanatory Memorandum to the European Commission’s
(2) the seller holds legal title to the receivable; (3) there is a valid title for original proposal for the EU Securitisation Regulation that the intention
the assignment (an agreement usually); and (4) the receivable is deliv- is that the ‘direct’ approach would not apply to securitisations (including
ered. Delivery can be perfected by way of an undisclosed assignment or P2P securitisations) where none of the originator, sponsor or original
disclosed assignment. lender is ‘established in the EU’. The European Banking Authority (EBA)
An undisclosed assignment requires an executed deed, either in has stated in the Draft Regulatory Standards to the EU Securitisation
notarial form or in private form, to be registered with the Dutch Tax Regulation (dated 31 July 2018) that the ‘direct’ obligation should apply
Authority. Perfection takes place the moment the deed is executed by the only to originators, sponsors and original lenders established in the EU
notary or at the time of registration with the Tax Authority. Receivables as suggested by the Commission in the explanatory memorandum.
may only be transferred by way of undisclosed assignment if they: (1) ‘Establishment’ is typically described by reference to the jurisdic-
exist at the date of registration or execution of the deed of assignment; tion in which the legal entity is incorporated or has its registered office.
or (2) are future receivables directly resulting from a legal relationship Therefore, the non-EU subsidiary of an EU entity may not be subject
existing at the date of assignment. to the ‘direct’ retention obligation because a subsidiary is typically a
A disclosed assignment requires that notification of the assignment separate legal entity, whereas a non-EU branch of an EU entity may be
is given to the debtor. caught within this provision because a branch is typically not a separate
If the (delivery of the) assignment is not perfected, the receiv- legal entity. Market participants are still seeking clarity on this and it is
able has not been successfully assigned to the assignee. If the seller expected that this point will be raised as part of the ongoing EBA consul-
becomes insolvent before all conditions for the assignment have been tation on risk retention.
perfected, the receivables can no longer be assigned and the insolvent
seller remains the owner. Securitisation confidentiality and data protection requirements
Until notification of the assignment, borrowers can only validly pay 26 Is a special purpose company used to purchase and securitise
to the assignor in order to validly discharge their payment obligations, peer-to-peer or marketplace loans subject to a duty of
and payments made prior to notification of the assignment but after the confidentiality or data protection laws regarding information
assignor has been declared insolvent will fall in the estate of the assignor. relating to the borrowers?
Assignment of receivables does not require the consent of the
borrower or informing the borrower. Assignment of receivables only Yes, a special purpose vehicle that is based in the Netherlands will fall
requires notification to the borrower in the case of a disclosed assign- under the scope of these laws if it processes personal data in relation to
ment. A contractual non-assignment clause may prevent the transfer of activities in the Netherlands.
receivables, depending on the exact wording of the clause.
Securitisation risk retention requirements TECHNOLOGY AND CRYPTO-ASSETS
requirements? Artificial intelligence
As of 1 January 2019, the risk retention rules as set out in the EU intelligence, including in relation to robo-advice?
Securitisation Regulation will apply to P2P securitisations that are offered
to European banks, investment firms, alternative investment funds or There is no specific regulatory framework for the use of artificial
insurers. Under these risk retention rules, certain investors (such as intelligence. Furthermore, there is no legal distinction between robo-
credit institutions, Markets in Financial Instruments Directive-regulated advice and traditional investment advice in the Netherlands. As such,
154 Fintech 2021

companies providing robo-advice must fulfil the same legal require- Initial coin offerings
ments as companies providing traditional investment advice. 31 Are there rules or regulations governing initial coin offerings
There is no specific regulation on automated investment advice. (ICOs) or token generation events?
However, the Dutch Authority for the Financial Markets (AFM) has issued
guidelines regarding the duty of care of asset managers who offer semi- The tokens that are used with an initial coin offering (ICO) are typically
automatic investment advice. These guidelines are not legally binding drawn up in a way so as not to qualify as securities or units in an alter-
but they do bring clarity for asset managers. The guidelines are aligned native investment funds. Therefore, they fall outside the scope of the
with Dutch law, the Markets in Financial Instruments Directive II and FSA. This means that ICOs are not regulated by the FSA or supervised
suitability guidelines published by the European Securities and Markets by the AFM or DNB. Theoretically, the ICO tokens could be drawn up in
Authority and set out, among other things, guidance on safety and the a way that qualifies them as securities or units in an alternative invest-
provision of information. ment fund. If that is the case, the FSA applies to the ICOs and there is
The AFM has published its views on robo-advice more generally, supervision by the AFM and DNB.
stating that while robo-advice could be an opportunity to improve both The AFM and DNB have issued multiple warnings about the risks
access and the quality of investment advice, there are also specific of investing in ICOs and digital tokens. The AFM considers investing in
points of attention to consider. ICOs as not suitable for retail investors.
Distributed ledger technology DATA PROTECTION AND CYBERSECURITY

distributed ledger technology or blockchains? Data protection
Other than the General Data Protection Regulation, there is no specific transfer (domestic and cross-border) of data relating to
legislation on blockchain or other distributed ledger technology (DLT). fintech products and services?
The use of DLT is subject to the existing regulatory legislation depending
on its application in any particular case. DLT is a subject that has led to On 25 May 2018, the General Data Protection Regulation (GDPR) came
many questions in the InnovationHub . into force with direct effect across the entire EU. It governs the storage,
viewing, use of, manipulation and other processing by businesses of
Crypto-assets data that relates to a living individual. In summary, the GDPR requires
29 Are there rules or regulations governing the use of crypto- that businesses may only process personal data where that processing
assets, including digital currencies, digital wallets and is done in a lawful, fair and transparent manner, as further described
e-money? in the GDPR.
The GDPR requires that any processing of personal data must
The Dutch Central Bank (DNB) and the AFM have stated that digital be done pursuant to one of six lawful bases for processing. The most
currencies do not constitute a financial product (such as e-money or commonly used lawful basis for processing is the consent of the data
a financial instrument) and do not qualify as legal tender. Therefore, in subject to that processing – in relying on this lawful basis, the busi-
principle, the Dutch Financial Supervision Act (FSA) does not apply to ness must ensure that the consent is freely given, specific, informed
digital currencies. However, digital currencies may fall within the scope and unambiguous, and capable of being withdrawn as easily as it is
of the FSA on the basis of activities provided in relation to these curren- given. This places a significant burden on businesses to ensure that
cies. For example, this would be the case when the holder of a digital their customers are fully informed on what their personal data is being
wallet is able to convert its digital currency holdings into cash hold- used for, which is a crucial change to the previous regime under which
ings held with the crypto-service provider. Furthermore, depending on disclosure did not need to be so transparent. Other lawful bases for
the structure and the specific characteristics of the digital currency or processing data include where that processing is necessary for the
digital wallet, the relevant services could be considered to constitute business to perform a contract it has with the data subject, or where
payment services or services provided by electronic money institu- required to comply with the legal obligations of the business.
tions. In these circumstances, unless an exemption applies, the relevant The GDPR further differs from the previous regime in that it
activities trigger a licence requirement and certain prudential and places a significantly increased compliance burden on businesses,
conduct-of-business rules will apply. including, for example, mandatory requirements to notify regulators
Furthermore, certain crypto-service providers are required to of data breaches, obligations to keep detailed records on processing
register with the DNB. and requirements for most entities to appoint a data protection officer.
Businesses that infringe the GDPR may be subject to administrative
Digital currency exchanges fines of an amount up to €20 million or 4 per cent of global turnover,
30 Are there rules or regulations governing the operation of whichever is higher.
digital currency exchanges or brokerages? Recital 26 of the GDPR states that where data has been processed
such that it is truly anonymised, the principles within the GDPR do not
The DNB and the AFM have stated that digital currencies do not consti- apply to the processing of that data. However, for the data to have been
tute a financial product (such as e-money or a financial instrument) and effectively anonymised, the data subject must no longer be identifiable
do not qualify as legal tender. Therefore, in principle, the FSA does not – which is a question of how far businesses have to go to ensure true
apply to digital currencies. However, digital currencies may fall within anonymisation.
scope of the FSA on the basis of activities provided in relation to these The Article 29 Working Party has released Opinion 05/2014 on
currencies. Anonymisation Techniques (in the context of the previous EU data
Furthermore, certain crypto-service providers are required to protection regime). This Opinion discusses the main anonymisation
register with the DNB. techniques used – randomisation and generalisation (including aggre-
gation). The Opinion states that when assessing the robustness of an
anonymisation technique, it is necessary to consider:
• if it is still possible to single out an individual; OUTSOURCING AND CLOUD COMPUTING

• if it is still possible to link records relating to an individual; and
• if information can be inferred concerning an individual. Outsourcing
In relation to aggregation, the Opinion further states that aggregation respect to the outsourcing by a financial services company of
techniques should aim to prevent a data subject from being singled out a material aspect of its business?
by grouping them with other data subjects. While aggregation will avoid
the risk of singling out, it is necessary to be aware that linkability and Where a financial services company outsources a material aspect
inferences may still be a risk with aggregation techniques. of its business, it remains responsible for the outsourced activities.
The position on anonymisation taken from the Article 29 Working Furthermore, outsourcing must not obstruct supervision by the authori-
Party’s Opinion is broadly unchanged in the GDPR. The GDPR itself ties, and outsourcing by financial firms of critical or important functions
also gives limited guidance on anonymisation in Recital 26, requiring must be notified to the regulator. If a financial service provider plans
data controllers to consider a number of factors in deciding if personal on using a third party for activities for which a licence is required, this
data has been truly anonymised, including the costs and time required can only be done where both parties have a licence for these activities.
to de-anonymise, the technology available at the time to attempt For certain activities (such as fund management, investment services,
de-anonymisation and further technological developments that may payment services and required activities under the Money Laundering
take place. and Terrorist Financing (Prevention) Act) further detailed outsourcing
There are no legal requirements or regulatory guidance relating to provisions apply.
personal data that are specifically aimed at fintech companies.
Cloud computing
Cybersecurity 35 Are there legal requirements or regulatory guidance with
33 What cybersecurity regulations or standards apply to fintech respect to the use of cloud computing in the financial services
businesses? industry?
The Revised Payment Services Directive (PSD2) includes provisions If a financial institution wants to make use of cloud computing, it must
relating to measures that should be implemented by payment institu- notify the Dutch Central Bank (DNB) of its intention to do so. Before
tions, such as securing the payment service user’s personal security using cloud computing, the financial institution is required to develop
data and agreeing on how to manage operational and security risks. a risk analysis, which must be presented to the DNB. Because the DNB
In addition to the PSD2, there are cybersecurity related provisions qualifies cloud computing as a specific type of outsourcing, the rules
in the following regulations. on outsourcing apply. Outsourcing is not allowed in cases where it
The GDPR includes a few provisions relating to the security of would obstruct the supervision of the outsourced activities or where the
processing, such as the requirement for the controller to, both at the time internal audit function would be negatively affected by the outsourcing
of the determination of the means for processing and at the time of the of the activities. Furthermore, the financial institution is required to have
processing itself, implement appropriate technical and organisational adequate policies and proper procedures to manage outsourcing risks.
measures that are designed to implement data protection principles in
an effective manner and to integrate the necessary safeguards into the INTELLECTUAL PROPERTY RIGHTS
processing to meet the requirements of the GDPR and protect the rights
of data subjects. The controller and the processor must also implement IP protection for software
these measures to ensure a level of security appropriate to the risk, 36 Which intellectual property rights are available to protect
which may include, among other things: software, and how do you obtain those rights?
• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, avail- Computer programs (and preparatory materials) are protected by copy-
ability and resilience of processing systems and services; right. Copyright arises automatically as soon as the computer program
• the ability to restore the availability and access to personal data in is created, registration is not required. Copyrighted works are protected
a timely manner in the event of a physical or technical incident; and until 70 years after the death of the creator.
• a process for regularly testing, assessing and evaluating the effec- Databases underlying software programs may also be protected by
tiveness of technical and organisational measures for ensuring the copyright and, in certain circumstances, by database right. A database
security of the processing. right is a stand-alone right that protects databases that have involved
a substantial investment in obtaining, verifying or presenting their
Furthermore, the Network and Information Security Act (NIS) applies contents. The right automatically comes into existence upon creation
to so-called ‘vital’ providers. The vital providers are designated by the and expires after 15 years.
Network and Information Security Decree. Fintech companies might fall Software may also be protected as confidential information or as a
under the definition of vital providers and, if so, they might be subject to trade secret by keeping the software code secret. There are no formal
certain requirements. For instance, vital providers are – in short – obliged (registration) requirements other than that a trade secret holder needs
to report a breach of the security or loss of integrity of their information to take reasonable measures to protect its secret and it needs to have
systems. Moreover, the NIS includes obligations relating to taking meas- commercial value.
ures to control the security of network and information systems. Programs for computers and schemes, rules or methods of doing
Finally, not having implemented any organisational and technical business as such are expressly excluded from patentability under the
security measures could possibly lead to criminal liability. Any person Dutch Patent Act 1995 and the European Patent Convention. However,
who by negligence or carelessness is responsible for, among other patent protection for software may be possible if the inventor is able to
things, wrongful changes or losses of data that lead to serious damage demonstrate that the software makes a novel and inventive technical
to that data, may be punished with a maximum prison sentence of one contribution over and above that provided by the program or business
month or a fine. method itself. To obtain patent protection, registration is required with
156 Fintech 2021

the relevant Dutch and European patent offices and the registration hand down decisions in which confidential information is redacted. The
requirements must be followed. Patent protection is limited to 20 years current Trade Secrets Act proposal includes a new rule introducing the
starting from the date of filing the application. option for the court to impose a confidentiality club, limiting the access
to trade secrets.
37 Who owns new intellectual property developed by an Branding
employee during the course of employment? Do the same 40 What intellectual property rights are available to protect
rules apply to new intellectual property developed by branding and how do you obtain those rights? How can
contractors or consultants? fintech businesses ensure they do not infringe existing
brands?
Copyrights and databases created by an employee during the course of
his or her employment are automatically owned by the employer unless Brands can be protected as registered trademarks either in the Benelux
the parties have agreed otherwise. Patents protecting inventions made alone (as a Benelux trademark) or across the EU (as an EU trade-
by an employee in the course of his or her normal duties are owned mark). Certain branding, such as logos and stylised marks, can also
by the employer. Any other patented inventions will be owned by the be protected by design rights and may also be protected by copyright.
employee unless agreed otherwise. Design rights and trademarks are obtained by registering the design
Inventions or copyrights created by contractors or consultants in or trademark with the relevant authority (eg, the Benelux Office for
the course of their duties are owned by the contractor or consultant Intellectual Property, World Intellectual Property Organization or
unless otherwise agreed. By contrast, database rights are owned by the European Union Intellectual Property Office).
person who takes the initiative and assumes the risk of investing in The Benelux and EU trademark databases can be searched to iden-
obtaining, verifying and presenting the data in question. Depending on tify registered trademarks or applications for a trademark with effect in
the circumstances, this is likely to be the business that has retained the the Netherlands. It is highly advisable for new businesses to conduct
contractor or consultant. trademark searches to check whether earlier registrations exist that are
identical or similar to their proposed brand names.
Joint ownership
38 Are there any restrictions on a joint owner of intellectual Remedies for infringement of IP
property’s right to use, license, charge or assign its right in 41 What remedies are available to individuals or companies
intellectual property? whose intellectual property rights have been infringed?
Where two or more persons jointly own an intellectual property right, Remedies include:
any one of them may use and enforce the right, unless otherwise • preliminary and final injunctions (preliminary injunctions are avail-
agreed. Each joint owner may assign or charge its share of the intel- able cross-border);
lectual property right without the other owners’ consent. Exploitation • damages or surrender of profits;
of the intellectual property right, including the granting of licences and • delivery up or destruction of infringing products;
charging or assigning the intellectual property right, can only be done • orders to disclose certain information that relates to the
by the joint owners of the intellectual property right. infringement;
• publication orders; and
Trade secrets • reimbursement of costs, including court fees and costs of (patent)
39 How are trade secrets protected? Are trade secrets kept attorneys and experts (cost orders in Dutch intellectual property
confidential during court proceedings? litigation are typically between 80 per cent and 100 per cent of
actual costs).
In the Netherlands, trade secrets are protected by the general law of
tort (such as breach of the rules of fair competition) and by the Dutch COMPETITION
Trade Secrets Act, which entered into force on 23 October 2018 and
implements the EU Trade Secrets Directive (Directive 2016/943/EU). Sector-specific issues
The Trade Secrets Act provides more specific rules for the protection 42 Are there any specific competition issues that exist with
for trade secrets. The Trade Secrets Act defines a trade secret as infor- respect to fintech companies in your jurisdiction?
mation that:
• is secret, in the sense that it is not generally known among, or The Dutch Authority for Consumers and Markets (ACM) continuously
readily accessible to, persons within the circles that normally deal monitors compliance with competition law by companies active in the
with the kind of information in question; financial sector. It has established a specifically designated research
• has commercial value because it is secret; and body, the Financial Sector Monitor (FSM). The FSM carries out economic
• has been subject to reasonable steps by the holder of the informa- research into the operation of the financial markets and analyses the
tion to keep it secret. risks to competition. Furthermore, the ACM has specific regulatory by
payment system providers and interchange fees.
The Trade Secrets Act contains measures and remedies to enforce trade In 2016, the ACM called for public input on how it can help to boost
secrets. The secret holder can claim an injunction against further use or fintech companies’ contribution to competition in the financial sector,
disclosure of a trade secret. The Trade Secrets Act includes the possi- whereby it indicated it would pay special attention:
bility for the court to grant the winning party a full cost award of all • to barriers to entry that prevent the fintech sector from reaching
reasonable and equitable legal and other costs. its full potential; and
Measures are available in the Netherlands to prevent public • to risks involved with rapid technological change that may have
disclosure of trade secrets during court procedures. For example, the adverse effects on competition and innovation.
court may order oral hearings be conducted ‘behind closed doors’ and In addition, the ACM considered:
• being more actively involved in the national implementation of • Innovation box: it allows companies to have profits derived from
European regulation, such as the Revised Payment Services qualifying IP taxed at an effective corporate income tax rate of 7
Directive (PSD2), whereby it would try to make sure that the per cent instead of the regular corporate income tax rate of 16.5
competition perspective stays in focus; and per cent to 25 per cent.
• conducting a market study. • Costs incurred in connection with the development of intangible
assets may immediately be fully depreciated, instead of capitalised
In this context, the ACM mentioned various competitive risks it identified and depreciated over a number of years.
in the form of:
• anticompetitive behaviour; In general, directors or majority shareholders of a company are deemed
• high concentration and entry barriers; and to receive an annual salary from their company of at least €46,000 (in
• consumer inertia. respect of which payroll taxes are payable) unless it can be demon-
strated that others performing similar activities earn less. For directors
Following this communication, the ACM has, to date, looked into the or majority shareholders of a start-up company, the deemed salary may
following two specific issues. be lowered to the minimum wage in the Netherlands (€1,680.00 a month
• Whether regulatory costs constitute barriers to entry for fintech as of 1 July 2020) as a result of which less payroll taxes are payable. A
companies. The ACM ordered a study from EY that concluded that number of conditions must be met to qualify for each incentive.
such regulatory costs do not constitute obstacles for new providers
in the financial sector. Increased tax burden
• Whether banks are limiting access of fintech companies – fron- 44 Are there any new or proposed tax laws or guidance that
tend providers and end-to-end providers – to bank accounts and could significantly increase tax or administrative costs for
thereby hinder competition in the payment market. fintech companies in your jurisdiction?
The ACM conducted a study and identified a risk of foreclosure of front- No.
end providers. As a result, the ACM announced that it will actively
monitor the behaviour of banks and how they deal with requests for IMMIGRATION
access. In addition, the ACM:
• proposed that, where possible in light of the PSD2 and the Sector-specific schemes
European Commission’s Regulatory Technical Standards, further 45 What immigration schemes are available for fintech
national implementation of EU law regarding access to bank businesses to recruit skilled staff from abroad? Are there any
accounts should enable this access; special regimes specific to the technology or financial sectors?
• indicated that a system of free access could result in the banks
refusing access (which implies that the ACM proposes to allow the The following are the most common corporate immigration schemes
banks to ask for compensation for the costs related to providing in and to the Netherlands (which are only relevant for those who are
access); and not EU, EEA or Swiss nationals – third-country nationals – as all EU,
• proposed that a light version of the banking licence could be EEA and Swiss nationals are free to reside and perform any activities in
created for fintech companies so that they can offer payment the Netherlands for as long as they wish owing to the rules on the free
accounts. movement of workers within the EU, which is expanded to the EEA and
Switzerland).
As regards end-to-end providers, the ACM considered that the risks of • Knowledge migrant scheme: this relates to the gross monthly
foreclosure were limited. Nevertheless, it proposed to cut the red tape – salary (exclusive of holiday allowance, normally 8 per cent of the
in addition to the above-mentioned light banking licence: salary) that is consistent with Dutch salary standards and with
• by defining objective permit criteria that are related to the actual thresholds that vary from €2,423 to €4,612, depending on age and
risks posed by end-to-end providers; and specific education (for the lowest threshold). Additionally, the formal
• by making sure that, in the development of instant payments employer in most cases needs to be recognised as a sponsor. If the
infrastructures in Europe, fintech companies are able to directly employer is not a sponsor, one can apply to become one or can make
participate in the systems and arrangements for clearing and use of a recognised payroll company to fill up that gap, or both.
settlement of payments under non-discriminatory and objective • Intra-corporate transfer scheme (Directive 2016/66/EU): if the
conditions. employee is a specialist, manager or trainee and remains on the
payroll of his or her employer outside the EU, he or she may be
TAX transferred to the Netherlands under that scheme for up to three
years (after which he or she can return to his or her home country
Incentives or the residence permit can be prolonged, for example, under the
43 Are there any tax incentives available for fintech companies knowledge migrant scheme). No salary thresholds and no recog-
and investors to encourage innovation and investment in the nised sponsorship is required, but, nevertheless, it is advisable for
fintech sector in your jurisdiction? a faster procedure. Some form of intra-EU mobility is possible. This
scheme is compulsory unlike other schemes if the application or
There are no specific tax incentives applicable to fintech companies. situation falls within the scope of the Directive.
However, there are some tax incentives available to ‘innovative’ compa- • Blue card scheme (Directive 2009/50/EC): the EU version of the
nies. The key incentives are: US Green Card, but much more limited. Specific education require-
• WBSO (R&D payroll tax credit): it allows an employer a payroll tax ments apply. The salary threshold in the Netherlands is now
refund of 16 per cent to 40 per cent of the salary costs for the part €5.403,00 gross per month exclusive of holiday allowance. No
of the salary costs that an employer has paid to its employees who recognised sponsorship is necessary but, nevertheless, is advis-
conduct R&D activities. able. It is unpopular in the Netherlands owing to the much more
158 Fintech 2021

flexible national knowledge migrant scheme and the intra-corpo-

rate transfer scheme.
• International trade regulation: it is a relatively new scheme that may
be used in certain situations where larger and mostly lower-paid
groups of third-country nationals have come to the Netherlands
owing to a certain project that has been assessed and approved by
the Dutch authorities. The salary threshold is currently the Dutch
statutory minimum wage of €1,653.60 gross per month, which will
increase to €1,680 on 1 July 2020, excluding the 8 per cent holiday Aron Berket
aron.berket@simmons-simmons.com
allowance. Specific conditions apply, and no recognised sponsor-
ship is necessary. Jeroen Bos
• Short-term knowledge migrant scheme: it has the same salary jeroen.bos@simmons-simmons.com
criteria as above, but it varies from €3,381 to €4,612 gross per Marline Hillen
month, excluding holiday allowance. In the line with employers in marline.hillen@simmons-simmons.com
the meaning of the Dutch Foreigners Employment law, a recognised
sponsor can apply for a permit for short-term assignments (for a
Claude Debussylaan 247
maximum of three out of nine months spent in the Netherlands, and
1082 MC
limited by visa and free term requirements of 90 out of 180 days).
Amsterdam
• Work or residence permit in the context of the delivery of goods,
Netherlands
including software: specific conditions apply. There are no salary Tel: +31 20 722 2500
criterion but that the salary should be consistent with Dutch sala- Fax: +31 20 722 2599
ries for the specific work and position. www.simmons-simmons.com
• Researcher (Directive 2016/801/EU): this is mostly for researchers
and scientists working at universities and other research insti-
tutions and companies. A specific, recognised sponsorship is
necessary. The Netherlands has implemented specific immigration law to
• Intra-EU service provision: people are exempted from the work ensure that UK nationals who were already living in the Netherlands
permit obligation in the Netherlands if intra-EU service provision is before Brexit up to the transition period of 31 December 2020, will be
performed under articles 56 and 57 of the Treaty on the Functioning able to continue their residency in the Netherlands relatively easily
of the EU. A residence permit obligation is necessary after 90 out based on the Withdrawal Agreement. After 31 December 2020, UK
of 180 days has been spent in the Netherlands. It is a very specific nationals will need to fulfill the same criteria as any other non-EU, EEA
scheme for third-country nationals that are living and working citizen or Swiss national, as they will become third-country nationals
legally in an EU member state and are temporarily performing themselves, except for in cases of applications for family reunification.
services or work for their employer in a different member state. This situation is still subject to ongoing negotiations, and, therefore, may
There is no salary threshold, and no recognised sponsorship is change in the near future.
needed. As of 1 March 2020, all cross-border service providers
need to notify all their employees, including EU, EEA and Swiss UPDATE AND TRENDS
nationals (via www.postedworkers.nl) before starting work in the
Netherlands. Failure to complete the notification on time will lead Current developments
to a fine. For EU, EEA and Swiss nationals, a grace period applies 46 Are there any other current developments or emerging
up to 1 September 2020 in which no fine will be imposed. This grace trends to note?
period does not apply on third-country nationals.
• There are also several specific training and trainee schemes. Significant current developments relating to fintech are currently being
driven by the Dutch Authority for the Financial Markets (AFM) and the
These are only the most common schemes for corporate migration out Dutch Central Bank (DNB).
of about 40 schemes available in the Netherlands, some are based on On 16 January 2020, the AFM published its agenda that includes
EU-law and some are purely based on national law. Every case needs key developments over the last year, one of which is the digitalisation
to be assessed by an immigration specialist on an individual basis as of the financial sector. In this context, the AFM states that new forms
a different scheme may suit better than one of the above-mentioned of financial service provisions or activities, such as crowdfunding and
schemes. Additionally, there are several short-term work permit exemp- initial coin offerings, will continue to be of interest to the AFM.
tions (incidental labour in the Netherlands), for example for business On 22 January 2020, the DNB published its Supervision Outlook
meetings and installing software and instructions. Being legally in the 2020, in which the DNB confirms that it will continue to strengthen its
Netherlands is totally different to working legally in the Netherlands; cooperation with the sector in relation to technological innovations via
it is forbidden for every third-country national – including American, the iForum.
Canadian, Australian, Japanese, etc, nationals – to perform any work
in the Netherlands without a work permit, a work permit exemption or
a Dutch residence permit with the suitable labour market annotation,
very specific exemptions left aside. Sanctions in the case of non-compli-
ance are high – normally €8,000 per illegal working foreigner and per
employer in the meaning of the Dutch Foreigners Employment Act – but
are in most cases of an administrative rather than a criminal nature.
Additional sanctions may include shutting down the operations of the
company in the Netherlands for up to three months.
Coronavirus
for clients?
Numerous emergency laws, programmes and other initiatives have

been implemented to address the covid-19 crisis. However, these do
not specifically concern fintech companies. For example, a recent devel-
opment in intellectual property is the update of the procedural rules
for conducting appeal proceedings to allow for repeated extensions for
filing deadlines. First instance courts now provide the option for hear-
ings via videoconferencing.
160 Fintech 2021

New Zealand
Derek Roth-Biester and Megan Pearce
Anderson Lloyd Lawyers

Fintech in New Zealand is in a very healthy state, driven largely by the There are several regulators, depending on the type of products and
country’s strong start-up ecosystem, a broad base of industry partici- services being offered. The Financial Markets Authority (FMA) is the
pants and a push from both the government and industry to develop a securities regulator, which supervises offers of financial products in New
stronger technology export sector. The industry association FinTechNZ Zealand and is responsible for licensing the provision of certain financial
acts as a focal point for the fintech community in New Zealand, services and the enforcement of certain prudential and fair dealing stand-
connecting banks, insurers and managers with investors, innovators ards. The Reserve Bank of New Zealand is responsible for the supervision
and regulators and promoting NZ fintech to the world. This promotion and prudential regulation of banks, non-bank deposit takers and insurers,
is made easier because of New Zealand’s excellent international reputa- as well as generally maintaining the robustness of New Zealand’s finan-
tion for being a good place to do business and for having: cial system. Other regulators include the Department of Internal Affairs
• a strong financial system; (anti-money laundering) and the Commerce Commission (competition).
• low corruption; and
• open and approachable regulators. Regulated activities
specific to financial innovation? If so, what are the key Under the Financial Markets Conduct Act 2013 (FMCA) and subsidiary
benefits of such support? regulations, if a person provides to retail investors any financial advice,
crowdfunding services, ‘robo advice’, discretionary investment manage-
Government departments (eg, the Ministry of Business and Innovation) ment services or peer-to-peer (P2P) lending services, or if they operate
and regulators (eg, the Financial Markets Authority) have demonstrated a managed investment scheme for, issue derivatives (eg, a contract for
their strong support for NZ fintech through proactively engaging with difference or forex futures) to or take deposits from retail investors, they
industry participants and associations, such as FinTechNZ and its must be licensed by the FMA. Further, any person who carries on insur-
FinTech Regulatory Roundtable. ance business in New Zealand must be licensed by the Reserve Bank of
New Zealand's Innovation Fund, an initiative set up as a joint New Zealand. Any business that provides financial services (whether in
programme by the New Zealand government and Westpac bank, New Zealand or from New Zealand to other countries) is also required
provides funding to participants in the fintech sector to support initia- by the Financial Service Providers (Registration and Dispute Resolution)
tives with a focus on the fund's themes, being digital identity, digital Act 2008 (FSP(RDR)A) to be registered on the Financial Services
inclusion, optimising payment systems, and processes and data. Provider Register (FSPR). With registration comes certain obligations,
Otherwise, the Reserve Bank of New Zealand, while striking a note including joining a dispute resolution scheme (if the business has retail
of caution about fintech, has nevertheless recognised the efficiencies clients) and filing an annual confirmation of its details and services.
that it might bring to NZ banking and payments systems. However,
government regulators have stopped short of creating a sandbox, and Consumer lending
fintech companies are encouraged to engage with them early on to 5 Is consumer lending regulated in your jurisdiction?
inform their thinking about potential routes through the regulatory
environment. Consumer lending is regulated primarily under the Credit Contracts and
Consumer Finance Act 2003 (CCCFA), which applies to a range of trans-
actions where money is loaned for personal use, such as consumer
credit contracts, consumer leases and buy-back transactions. Among
other things, the CCCFA:
• requires those to whom it applies to act responsibly and disclose
certain information to borrowers; and
• provides general rules for credit contracts.
New Zealand Anderson Lloyd Lawyers
Notwithstanding the overhaul of the CCCFA by the Credit Contracts Crowdfunding

Legislation Amendment Act 2019 (which received Royal Assent in 10 Describe any specific regulation of crowdfunding in your
December 2019), the CCCFA still does not apply to buy now, pay later jurisdiction.
companies, such as Afterpay, Laybuy and Partpay. However, the new Act
includes a ‘call-in’ provision (despite strong protests at bill submission The FMCA regulates equity-based crowdfunding (ie, where companies
stage from Afterpay and others) that came into force on 1 June 2020, raise money from retail investors through the issuance of shares) as a
which allows new credit products such as these to be brought within the financial market service. Reward-based crowdfunding is not covered,
remit of the CCCFA through new regulations. nor is any fundraising for charitable or philanthropic purposes if donors
do not receive shares. Under the FMCA, companies may raise up to
Secondary market loan trading NZ$2 million in any 12-month period on a licensed crowdfunding service
6 Are there restrictions on trading loans in the secondary provider’s platform with minimal regulatory hurdles (eg, not having to
market in your jurisdiction? issue a product disclosure statement). Licensed crowdfunding plat-
forms, in addition to meeting certain minimum standards and conditions
There are no specific restrictions on trading loans, other than in relation for their licence, have several ongoing obligations, including notifying
to P2P lending. Traders of lending books must ensure that they: the FMA of certain events (as well as providing an annual regulatory
• contractually have the right to assign the loans; and return) and relating to financial reporting, fair dealing and anti-money
• comply with the applicable data privacy obligations. laundering.
P2P lending markets such as Harmoney and Squirrel must be licensed Invoice trading
providers of a P2P lending service. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
7 Describe the regulatory regime for collective investment There is no specific regulation of invoice trading; however, under the
schemes and whether fintech companies providing FSP(RDR)A, invoice trading will likely constitute a financial service
alternative finance products or services would fall within its (being a creditor under a credit contract) and invoice traders will be
scope. required to register on the FSPR as financial services providers. With
registration comes certain obligations, including joining a dispute reso-
Collective investment schemes, in which money from several investors lution scheme (if the business has retail clients) and filing an annual
is pooled together and those investors are reliant on the investment confirmation of its details and services.
expertise of a scheme manager, are regulated chiefly as managed
investment schemes. The FMCA’s definition of these schemes is broad Payment services
enough to capture most open and closed-ended collective investment 12 Are payment services regulated in your jurisdiction?
schemes and those involving participatory securities. Fintech compa-
nies providing P2P lending or crowdfunding platforms are not regulated There is no specific regulation of payment services along the lines of
as managed investment schemes, but instead are regulated under the the revised EU Payment Services Directive (2015/2366/EU); however,
relevant licensing regimes for those platforms. under the FSP(RDR)A, such services will constitute financial services (as
they involve issuing and managing a means of payment) and payment
Alternative investment funds services providers will be required to register on the FSPR as finan-
8 Are managers of alternative investment funds regulated? cial services providers. With registration comes certain obligations,
including joining a dispute resolution scheme (if the business has retail
Yes, managed investment scheme managers must register on the FSPR clients) and filing an annual confirmation of its details and services.
as a provider of financial services and (where they will make a regu-
lated offer to retail investors) be licensed by the FMA. Managers must Open banking
also meet and maintain certain minimum standards (including fitness 13 Are there any laws or regulations introduced to promote
and propriety of directors and senior managers) and have obligations competition that require financial institutions to make
relating to financial reporting, fair dealing and anti-money laundering. customer or product data available to third parties?
Peer-to-peer and marketplace lending Not yet, as the government has preferred to allow the industry to take
9 Describe any specific regulation of peer-to-peer or the lead. The implementation of open banking is being spearheaded by
marketplace lending in your jurisdiction. Payments NZ (a company formed in 2010 by ANZ, ASB, BNZ, Citibank,
HSBC, Kiwibank, TSB Bank and Westpac with the support of the
P2P lending is regulated by the FMA as a financial market service under Reserve Bank of New Zealand), which launched its API Centre in May
the FMCA. Anyone wishing to operate in such a market must be licensed 2019. This is a suite of industry-standardised application program inter-
as a provider of P2P lending services. Borrowers that use a licensed faces (APIs) for payment-related services, which is designed to manage
service are exempt from the requirement to issue a product disclosure a move to greater openness in banking and payments and to create an
statement (which they would otherwise be required to do, as it would be API-enabled ecosystem in New Zealand. Payments NZ is responsible
seen as the issue of a debt security to the public). In addition to meeting for the governance of the API Centre but has delegated it to an API
certain minimum standards and conditions for their licence, licensed Council comprising banks, non-bank third parties and independent
P2P platforms have several ongoing obligations, including notifying members. The API Council gets recommendations from a business and
the FMA of certain events (as well as providing an annual regulatory a technical group, and has an independent subcommittee to handle
return) and relating to financial reporting, fair dealing and anti-money sensitive issues.
laundering. Payments NZ published version 2.0 of their API standards for
Payment Initiation and Account Information in May 2020, and these
162 Fintech 2021

Anderson Lloyd Lawyers New Zealand
standards were added to their API Centre sandbox in July 2020. This • entitling individuals to a free credit score (if the credit reporter has
will allow users and community contributors to first test their fintech a practice of releasing such scores to subscribers);
innovations against the API standards to ensure that their solutions • reducing the time limit for access to credit information from 20 to
function as expected without having to first negotiate terms of access 10 working days; and
with a bank. Payments NZ continues to work on a broader develop- • giving reporters the right to charge for expedited access requests
ment pipeline of other API standards and iterations, including customer (ie, within three working days).
experience guidelines to support the use of the standardised APIs in
the market. CROSS-BORDER REGULATION
Robo-advice Passporting
14 Describe any specific regulation of robo-advisers or other 17 Can regulated activities be passported into your jurisdiction?
companies that provide retail customers with automated
access to investment products in your jurisdiction. Overseas issuers of financial products wishing to extend offers to New
Zealand must do so under an official recognition scheme or an exemp-
Robo-advice is expressly permitted under the Financial Advisers tion from the Financial Markets Authority (FMA). There are two such
(Personalised Digital Advice) Exemption Notice 2018. Robo-advisers schemes in place:
must apply to the FMA for approval under that exemption – currently • the Trans-Tasman Mutual Recognition Arrangement with Australia,
there are nine approved, including NZ fintech company Sharesies. The which allows an Australian issuer to extend its offers into New
application process typically involves an assessment of the applicant's Zealand, provided that they comply with Australian laws and
adherence to certain minimum standards, including the good character certain reporting and filing obligations in New Zealand; and
of the directors and senior managers of the applicant, their skills and • with effect from July 2019, the Asia Region Funds Passport, under
experience, and the applicant's risk management processes and IT which a managed fund in the participating countries (ie, Australia,
systems. For some of these criteria the standards might be relaxed for Japan, South Korea and Thailand) may extend the offer to New
smaller applicants. The exemption notice will be revoked when the new Zealand provided that they:
financial advice regime, which will be brought into effect in April 2021 • register in their home jurisdiction as a passport fund;
by the Financial Services Legislation Amendment Act 2019, comes into • apply to the FMA for authorisation; and
force. Therefore, there may be additional requirements relating to the • comply with certain initial and ongoing requirements
provision of robo-advice under the new regime. (including registering on the Financial Services Provider
Register (FSPR), joining a dispute resolution scheme and
Insurance products appointing an agent for service in New Zealand).
15 Do fintech companies that sell or market insurance products
in your jurisdiction need to be regulated? As of the date of writing, no foreign passport funds have been approved
for NZ entry.
Fintech companies that carry on insurance business in New Zealand
are subject to the supervision of the Reserve Bank of New Zealand Requirement for a local presence
and must be licensed. Whether this applies to an insurtech entity will 18 Can fintech companies obtain a licence to provide financial
depend on its business activities – under Section 8(1) of the Insurance services in your jurisdiction without establishing a local
(Prudential Supervision) Act 2010 (IPSA) it will be held to be carrying presence?
on insurance business if it acts as an insurer either in or outside New
Zealand or is otherwise liable as an insurer under a contract of insur- Any fintech company that provides financial services to New Zealand
ance to a NZ policy holder. Regulation takes the form of a risk-based from overseas is required to register on the FSPR. If its activities in New
supervisory regime established under the IPSA, requiring the licensee Zealand constitute ‘carrying on business’ within the meaning of section
to meet certain criteria relating to: 332 of the Companies Act 1993, it must register with New Zealand’s
• governance; Registrar of Companies as an overseas company (effectively a NZ branch
• the fitness and propriety of their officers and managers; of the foreign company). Registration imposes obligations on the company
• capital adequacy; and to submit annual financial statements to the Companies Office and may
• liquidity. bring it within the remit of New Zealand’s anti-money laundering laws.
Credit references SALES AND MARKETING

16 Are there any restrictions on providing credit references or
credit information services in your jurisdiction? Restrictions
19 What restrictions apply to the sales and marketing of
Under the Privacy Act 1993, the privacy commissioner has promulgated financial services and products in your jurisdiction?
the Credit Reporting Privacy Code to apply specific privacy rules to
credit reporters that sell personal credit information (the three credit Part 2 of the Financial Markets Conduct Act 2013 contains several fair
reporters operating in New Zealand are Centrix, Equifax and Illion). The dealing requirements that apply to such sales and marketing. Financial
Code aims to provide individuals with greater assurances around the service providers must not engage in misleading conduct or make
use of their personal credit information by these credit reporting agen- any false, deceptive or unsubstantiated statements about the financial
cies. Since its inception in 2004, the Code has been amended 14 times, product or service, irrespective of the type of investor that they are
with a series of amendments in 2019 (Amendment 14 took effect on offering to or where they are located. Further, the Fair Trading Act 1986
1 October 2019) following a major review by the commissioner. These (FTA) prohibits misleading and deceptive conduct in trade and applies
recent amendments were designed (among other things) to keep the to the trading of assets, commodities and other goods and services.
system fair and give enhanced rights to consumers, including by: Obligations under the FTA are enforced by the Commerce Commission.
Other general consumer laws that prohibit fraudulent conduct (eg, • to assess and mitigate money laundering and terrorism financing
obtaining money by deception) may apply. risks.
CHANGE OF CONTROL The other two supervisors (ie, the Financial Markets Authority and the
Reserve Bank of New Zealand) to whom the AMLCFTA gives respon-
Notification and consent sibility for providing industry guidance have also given more general
20 Describe any rules relating to notification or consent guidance on several other anti-money laundering topics, including:
requirements if a regulated business changes control. • risk assessment;
• enhanced customer due diligence;
Persons or entities that wish to provide a financial market service in New • beneficial ownership; and
Zealand (ie, peer-to-peer lending or crowdfunding) must be licensed as • suspicious activity reporting.
providers of such services under the Financial Markets Conduct Act
2013 (FMCA). Each regulated business holding a market service licence Other guidelines published by the Police Financial Intelligence Unit may
issued under the FMCA must notify and report to the Financial Markets also be relevant.
Authority (FMA) on the occurrence of ‘a material change in circum-
stances’. This is defined under the FMCA as including any change in PEER-TO-PEER AND MARKETPLACE LENDING
the licensee’s directors and senior managers or the fulfilment of the
eligibility criteria in respect of which the licence was originally granted. Execution and enforceability of loan agreements
Holders of a market service licence must report to the FMA as soon as 23 What are the requirements for executing loan agreements or
is practical if the relevant licensee proposes to (among other things): security agreements? Is there a risk that loan agreements
• change its legal structure; or security agreements entered into on a peer-to-peer or
• enter into any major transaction; or marketplace lending platform will not be enforceable?
• enter into a transaction that has the effect of a person obtaining or
losing control of the licensee. Simple loan agreements require only the signature of the parties, while
security documents such as a general or specific security agreement are
On receipt of such reporting, the FMA may suspend, vary or revoke the executed as deeds and require individuals‘ signatures to be witnessed.
licensee’s market services licence if it considers that, in light of the Secured parties should register a financing statement for their security
relevant change, the licensee can no longer meet its licence conditions interests on the Personal Property Securities Register to maximise the
or any of the minimum criteria in respect of which the original licence priority to be given to that security, as the order of registration determines
was granted. priority. Provided that these basic criteria are met, the NZ courts will
generally give effect to and enforce such loan and security documents.
FINANCIAL CRIME
Assignment of loans
Anti-bribery and anti-money laundering procedures 24 What steps are required to perfect an assignment of
21 Are fintech companies required by law or regulation to have loans originated on a peer-to-peer or marketplace lending
procedures to combat bribery or money laundering? platform? What are the implications for the purchaser if the
assignment is not perfected? Is it possible to assign these
Yes, if fintech companies carry on one of the many specified activities loans without informing the borrower?
(including issuing or managing means of payment, such as electronic
money) that would bring them within the definition of a ‘financial insti- Under the Property Law Act 2007, notice to a borrower is not required
tution’ under the Anti-money Laundering and Countering Financing of for an absolute assignment to be effective as a true sale; however, notice
Terrorism Act 2009 (AMLCFTA), they must have procedures to combat must be given to the borrower to perfect such assignment. If there is any
bribery or money laundering. If it is a financial institution, a fintech underlying security assigned, further steps might be required to perfect
company has certain obligations under the AMLCFTA, including: that security. If the assignment is not perfected, it will be subject to any
• conducting a review and assessment of the risk of money laun- further equities that may have arisen in priority to the purchaser’s claim.
dering specific to its business;
• implementing a compliance programme; Securitisation risk retention requirements
• undertaking due diligence on its customers (which could be simpli- 25 Are securitisation transactions subject to risk retention
fied, standard or enhanced); requirements?
• monitoring transactions; and
• filing suspicious activity reports. Non-bank issuers are not subject to any specific NZ laws or regulations
relating to credit risk retention.
Guidance
22 Is there regulatory or industry anti-financial crime guidance Securitisation confidentiality and data protection requirements
for fintech companies? 26 Is a special purpose company used to purchase and securitise
The Department of Internal Affairs, which is the lead AMLCFTA contact confidentiality or data protection laws regarding information
for virtual asset service providers (VASPs), published guidance in relating to the borrowers?
November 2019 stating that financial services provided by VASPs fall
within the existing definition of a ‘financial institution’ in the AMLCFTA. Any person that processes personally identifiable information (PII) will
As a result, VASPs have AMLCFTA responsibilities, including: be an agency under the Privacy Act 1993 and must therefore comply
• to report suspicious activities and certain transactions; with the 12 information privacy principles set out in the Act. There are
• to verify the identity of customers in certain circumstances; and no specific restrictions under the Privacy Act on an agency’s ability to
164 Fintech 2021

disclose PII, beyond a general restriction against disclosure for any apply to international transfers of digital assets. BlockchainNZ
purpose that is not one of the purposes in connection with which the understands that the DIA will nevertheless take a pragmatic
information was obtained. The current Privacy Act will be replaced by approach to VASP’s implementation of this rule, particularly in light
the Privacy Act 2020 in December 2020, which will introduce further of current business disruptions that many are facing; and
restrictions against the disclosure of PII to overseas persons (other • an international delegation from the Financial Action Task Force
than cloud storage providers or other overseas processors). visited New Zealand in March 2020 to undertake a review of New
Zealand’s approach to preventing money laundering and terrorist
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER financing. The delegation met with representatives of BlockchainNZ
TECHNOLOGY AND CRYPTO-ASSETS to discuss the approaches taken in New Zealand. The outcome of
the evaluation is expected to result in changes to New Zealand’s
Artificial intelligence anti-money laundering regulations.
intelligence, including in relation to robo-advice? Further developments in this area are expected as blockchain and DLT
become more widespread.
There are no specific rules or regulations governing the use of artifi-
cial intelligence. In relation to robo-advice, however, applicants must Crypto-assets
describe their digital advice service as part of the application – including 29 Are there rules or regulations governing the use of crypto-
any use of artificial intelligence – and the Financial Markets Authority assets, including digital currencies, digital wallets and
(FMA) will assess the service against certain minimum standards e-money?
around functionality and cyber resilience.
Robo-advice is expressly permitted under the Financial Advisers In October 2017 the FMA issued guidance on cryptocurrencies, initial
(Personalised Digital Advice) Exemption Notice 2018. Robo-advisers coin offerings (ICOs) and related services. The FMA’s view is that any
must apply to the FMA for approval under that exemption – currently provision of a financial service relating to cryptocurrencies in New
there are nine approved, including NZ fintech company Sharesies. The Zealand will require compliance with the fair dealing requirements
application process typically involves an assessment of the applicant's under the Financial Markets Conduct Act 2013 (FMCA) and (potentially)
adherence to certain minimum standards, including the good character with obligations under the Financial Service Providers (Registration
of the directors and senior managers of the applicant, their skills and and Dispute Resolution) Act 2008 (FSP(RDR)A). The guidance states that
experience, and the applicant's risk management processes and IT wallet providers that store cryptocurrency or money on behalf of others,
systems. For some of these criteria the standards might be relaxed for or that facilitate exchanges between cryptocurrencies or between fiat
smaller applicants. The exemption notice will be revoked when the new and crypto, will be operating a value transfer service. This is a type
financial advice regime, which will be brought into effect in April 2021 of financial service within the meaning of the FSP(RDR)A and requires
by the Financial Services Legislation Amendment Act 2019, comes into providers to register under that Act. Further, if a person holds money
force. Therefore, there may be additional requirements relating to the for depositors, they may be offering debt securities (which are financial
provision of robo-advice under the new regime. products regulated under the FMCA). Although, if those funds are held
in trust, the wallets may not be debt securities.
Distributed ledger technology The DIA confirmed in November 2019 that the Anti-money
28 Are there rules or regulations governing the use of Laundering and Countering Financing of Terrorism Act 2009 (AMLCFTA)
distributed ledger technology or blockchains? imposes certain anti-money laundering checks and obligations on VASPs.
These responsibilities include:
Not as yet. However, it is on the regulatory radar – for example, the • to report suspicious activities and certain transactions;
Reserve Bank of New Zealand (which has responsibility for providing • to verify the identity of customers in certain circumstances; and
critical payment system infrastructure and maintaining the soundness • to assess and mitigate money laundering and terrorism financing
of New Zealand’s financial system) has considered the role of distributed risks.
ledger technology (DLT) in improving payments processes and how the
use of DLT could affect the stability of payment systems. Furthermore, Digital currency exchanges
Crown innovation entity Callaghan Innovation published a report in 30 Are there rules or regulations governing the operation of
December 2018 (funded in part by Ministry of Business and Innovation) digital currency exchanges or brokerages?
exploring the opportunities for DLT and blockchain in New Zealand.
The industry association, BlockchainNZ, has been engaging with Under the FMA’s guidance, if a person arranges cryptocurrency transac-
NZ government agencies such as the Financial Markets Authority, the tions, they are also operating a value transfer service and are regulated
Department of Internal Affairs and the Reserve Bank, to discuss regula- under the FSP(RDR)A. Further, if a person provides transaction services
tory approaches to blockchain. It is clear there is much interest from the relating to cryptocurrencies or tokens that also qualify as financial prod-
regulators and a desire to work together to ensure New Zealand has the ucts under the FMCA, they may have obligations as a broker under the
right structures in place. For example: Financial Advisers Act 2008.
• the Inland Revenue Department issued a consultation paper in early Exchanges or brokerages would be considered to be VASPs,
2020 to seek input on a proposal to exclude cryptocurrencies (crypto- which the DIA confirmed in November 2019 are covered by the anti-
assets) from goods and services tax and the financial arrangement money laundering checks and obligations on VASPs required under
rules to ensure these rules do not impose barriers to developing the AMLCFTA.
new products, raising capital or investing through crypto-assets; These responsibilities include:
• the Department of Internal Affairs (DIA) has published guidance for • to report suspicious activities and certain transactions;
the virtual asset service provider (VASP) sector (including cryptocur- • to verify the identity of customers in certain circumstances; and
rency exchanges, brokers and token issuers). Under the guidance, • to assess and mitigate money laundering and terrorism
the existing rules applying to international wire transfers will also financing risks.
Initial coin offerings Further, the Financial Markets Authority conducted a thematic review
31 Are there rules or regulations governing initial coin offerings of cyber resilience in New Zealand’s financial services, culminating
(ICOs) or token generation events? in a report issued in July 2019 containing guidance for regulated
entities where they identified the need for improvement. The report
There are no specific rules or regulations relating to ICOs, as the FMA recommended that market participants make use of a recognised cyber-
has instead preferred to analyse offers of tokens under the current security framework to assist in planning, prioritising and managing their
FMCA regulation of financial products. How an ICO will be regulated will cyber resilience.
depend on whether:
• the token on offer is a financial product (which will depend on the OUTSOURCING AND CLOUD COMPUTING
characteristics and economic substance of the token);
• the entity is providing a financial service (which will depend on the Outsourcing
structure and features of the ICO); and 34 Are there legal requirements or regulatory guidance with
• the investor is retail or wholesale and based in New Zealand respect to the outsourcing by a financial services company of
or overseas. a material aspect of its business?
Tokens cannot be offered through crowdfunding platforms. The FMA’s The Reserve Bank of New Zealand has published an outsourcing policy
guidance on cryptocurrencies specifically addresses both ICOs and how (last revised in April 2020), to which large banks (ie, those incorporated
the fair dealing obligations apply to them. as a company in New Zealand with net liabilities exceeding NZ$10 billion)
ICO providers are considered to be VASPs, which the DIA confirmed must comply as a condition of their registration. The policy aims to:
in November 2019 are covered by the anti-money laundering checks and • ensure that the outsourcing does not compromise a bank’s ability
obligations on VASPs required under the AMLCFTA. to be effectively administered and operated;
These responsibilities include: • facilitate the carrying on of basic banking services by any new
• to report suspicious activities and certain transactions; owner of all or part of a bank; and
• to verify the identity of customers in certain circumstances; and • address the impact that the failure of an outsourced service
• to assess and mitigate money laundering and terrorism provider may have on a bank’s ability to carry on all or part of
financing risks. its business.
DATA PROTECTION AND CYBERSECURITY The Financial Markets Authority (FMA) also has certain rules relating
to outsourcing (eg, by requiring certain licensees to ensure that their
Data protection outsourced functions are adequate, effective and comply with their
32 What rules and regulations govern the processing and licence obligations).
fintech products and services? Cloud computing
There are no specific restrictions under the Privacy Act 1993 on an agen- respect to the use of cloud computing in the financial services
cy’s ability to transfer personally identifiable information (PII) outside industry?
New Zealand. However, the Privacy Act will be replaced in December
2020 by the new Privacy Act 2020, which introduces further restrictions There are no legal requirements or regulatory guidance with respect to
against the disclosure of PII to overseas persons. Under the Privacy Act cloud computing, although any outsourcing arrangements that imple-
2020, agencies would be able to disclose PII to an overseas person only if: ment cloud computing must comply with the Reserve Bank of New
• the individual concerned authorised the disclosure; Zealand’s policy and any requirements imposed by the FMA.
• the overseas person was a prescribed country; or Cyber risk (eg, that arises from the use of cloud computing) was
• the agency believed on reasonable grounds that the overseas one of the issues stemming from fintech that was identified in 2017 by
person was required to protect the PII in a manner comparable to the Financial Stability Board as meriting closer attention. In July 2019
that required by the agency under NZ law. the FMA published guidance on cyber resilience in FMA-regulated finan-
cial services, which, among other things, strongly encouraged market
The new Act will also provide that the proposed restrictions against the participants to use a recognised cybersecurity framework to assist with
disclosure of PII to overseas persons should not apply to transfers to planning, prioritising and managing their cyber resilience.
cloud storage providers or other overseas processors. Furthermore, in light of the move to remote working for much of the
New Zealand workforce caused by covid-19, the New Zealand National
Cybersecurity Cyber Security Centre published a cybersecurity guide in March 2020 to
33 What cybersecurity regulations or standards apply to fintech help organisations consider the specific risks around staff working from
businesses? remote locations, including the deployment at pace and use of cloud-
computing as part of a remote working solution.
The Crimes Act 1961 provides for several cybersecurity regulations that Further developments in this area are expected.
apply to all business operating in New Zealand. These include:
• the criminal offences of accessing a computer system for a
dishonest purpose or without authorisation;
• damaging or interfering with a computer system;
• making, selling, distributing or possessing software for committing
a crime; and
• using an interception device.
166 Fintech 2021

INTELLECTUAL PROPERTY RIGHTS infringement of the trade secret constituted a breach of that contract)
or for the tort of breach of confidence. The courts recognise an obliga-
IP protection for software tion on a person that unlawfully receives confidential information not
36 Which intellectual property rights are available to protect to take unfair advantage of it and can grant injunctions to give effect to
software, and how do you obtain those rights? these obligations.
Software is principally protected by NZ copyright laws. Under the Branding

Copyright Act 1994, a computer program is a literary work and 40 What intellectual property rights are available to protect
protected as such on creation. Subject to special rules for authors who branding and how do you obtain those rights? How can
are employees or contractors, the person who is the author of the work fintech businesses ensure they do not infringe existing
is the first owner of the copyright in that work and may freely licence or brands?
assign that copyright. Copyright protection is 50 years from the end of
the calendar year in which the author dies. The Trademarks Act 2002 provides for a system of registration of trade-
Under the Patents Act 2013, computer programs as such are not marks. These are not limited to words or logos, but can include symbols,
patentable in New Zealand. However, if a claim in an application imple- phrases, shapes or sounds. There is no requirement to register a mark
ments software in the invention, it may be patentable. The issue will – unregistered marks can be protected using the common law tort of
depend largely on whether the actual contribution made to the inven- passing off. However, registration gives the owner the exclusive right
tion lies solely in it being a computer program – if so, no patent can to use the mark in New Zealand in the class in which it is registered
be granted. and a defence against infringement claims. Fintech companies looking
to avoid brand infringement can do an online search of the trademark
IP developed by employees and contractors register maintained by the IP Office of New Zealand (IPONZ) or ask
37 Who owns new intellectual property developed by an IPONZ to conduct a clearance search before registering their own trade-
employee during the course of employment? Do the same mark. Domain name searches and searches of the Companies Office
rules apply to new intellectual property developed by register can also be conducted to determine if the desired domain and
contractors or consultants? company name are registerable.
Under Section 21(2) of the Copyright Act, if an employee creates protect- Remedies for infringement of IP
able work in the course of their employment, their employer is the first 41 What remedies are available to individuals or companies
owner of the copyright in that work. A similar but narrower provision whose intellectual property rights have been infringed?
is contained in Section 21(3) in relation to contractors and consult-
ants. This section provides that if a person commissions and pays or The usual civil remedies are available, including:
agrees to pay for one of the artistic works specified in that section (ie, • monetary damages;
a computer program, photograph, painting, drawing, diagram, map, • summary judgment;
chart, plan, engraving, model, sculpture, film or sound recording) and • injunctive relief (including ex parte);
the work is made in pursuance of that commission, the commissioner is • specific performance (eg, delivery up of infringing articles and
the first owner of the copyright in that work. For any other kind of work corrective advertising); and
capable of copyright protection, provision regarding IP ownership must • civil search and seizure orders.
be made in the applicable consulting agreement.
Rights holders may also plead misleading and deceptive conduct in
Joint ownership trade in breach of the Fair Trading Act 1986. The Copyright Act also
38 Are there any restrictions on a joint owner of intellectual provides for criminal liability for the infringement of copyright works for
property’s right to use, license, charge or assign its right in commercial gain.
COMPETITION
This will depend on the type of intellectual property in question. For
example, under the Copyright Act, an exclusive licence of a copyrighted Sector-specific issues
work is required to be in writing signed by or on behalf of all of the joint 42 Are there any specific competition issues that exist with
owners, but otherwise the joint owners are free to use, licence, charge respect to fintech companies in your jurisdiction?
or assign their rights in that work. Under Section 24 of the Patents Act,
without any agreement to the contrary, co-owners of patents are each There is no fintech-specific competition regulation in New Zealand.
entitled to exercise the exclusive rights given by the patent for their own However, if fintech and open banking take off in New Zealand it will have
benefit without accounting to the others, but cannot assign or grant a competition law implications, which will be of interest to New Zealand’s
patent licence without the consent of all of the co-owners. competition regulator, the Commerce Commission. Competition law in
New Zealand is governed by the Commerce Act 1986 and its subsid-
Trade secrets iary regulations and is already applied by the commission to regulate
39 How are trade secrets protected? Are trade secrets kept behaviour in the sector. In early July 2019 the commission indicated
confidential during court proceedings? that it would commence High Court proceedings against payday
lender NZ Fintech Limited (trading as Moola), alleging breaches of the
Trade secrets are not protected by statute but by common law prin- lender responsibility principles in the Credit Contracts and Consumer
ciples of breach of confidence and the laws of contract (including Finance Act 2003.
under contracts of employment). Trade secret owners do not need to
– and cannot – register their trade secrets for them to be protected.
Instead, they must bring an action for breach of contract (where the
TAX
Incentives
Starting with the 2019/20 tax year, fintech and other businesses can
take advantage of the research and development (R&D) tax incen- Derek Roth-Biester
tive, which was brought in by the coalition government to grow New derek.roth-biester@al.nz
Zealand’s investment in R&D. This is a tax credit equal to 15 per cent of Megan Pearce
eligible R&D spending up to NZ$120 million. To be eligible, businesses megan.pearce@al.nz
must spend more than NZ$50,000 per year on ‘eligible R&D’, although
spending under this level may still be eligible if the R&D is done through
Level 3
an approved research provider on a business’s behalf. The eligible R&D
Australis Nathan Building
must be carried out in New Zealand, subject to a 10 per cent cap on the 37 Galway Street
total eligible R&D spending being carried out outside New Zealand. Britomart
Auckland 1010
Increased tax burden New Zealand
44 Are there any new or proposed tax laws or guidance that Tel: +64 9 338 8300
could significantly increase tax or administrative costs for www.al.nz
In February 2019 the coalition government outlined a draft implementa-

tion of a new digital services tax, intended to capture what is thought remote working arrangements, and consumers' purchase of goods and
to be lost revenue from online platforms, social networks and content services (including financial services) is shifting online. Furthermore,
sharing platforms. One of the suggestions was a flat 2 to 3 per cent tax New Zealand's traditional revenue sources such as tourism and primary
on the gross turnover of these digital businesses; however, the final industries have been greatly negatively affected by the effects of covid-
form will become clear only if (and when) the tax comes into force. 19, driving the narrative that the country now needs to diversify our
economy so that it is not as reliant on these traditional powerhouse
IMMIGRATION industries. The coalition government has made no secret of its desire
for New Zealand to become a technology centre of excellence and can
Sector-specific schemes be expected to proactively push tech as part of its agenda for the next
45 What immigration schemes are available for fintech three years. All of these developments are expected to have flow-on
businesses to recruit skilled staff from abroad? Are there implications for fintech in New Zealand.
sectors? Coronavirus
Immigration New Zealand maintains lists of skill shortages and there are initiatives specific to your practice area has your state
many technology-related jobs on those lists. Depending on the particular implemented to address the pandemic? Have any existing
role and a person’s age, qualifications and post-graduate work experi- government programmes, laws or regulations been amended
ence, immigrants may be able to enter New Zealand on a Skilled Migrant to address these concerns? What best practices are advisable
Category Resident Visa (which is points based and allows an indefinite for clients?
length of stay) or under the Long Term Skill Shortage List Work Visa
(which is a temporary work to residence visa valid for up to 30 months The coalition government and regulators have been very busy imple-
and requires that the applicant has an existing offer of one of the jobs on menting legislation and regulations and guidance to address the
the list). Other visas may be available for jobs that are not listed. impacts of the covid-19 pandemic. For example:
• the government has implemented a number of financial pack-
UPDATE AND TRENDS ages, including two wage subsidy schemes and a business debt
hibernation scheme, which allows businesses affected by covid-19
Current developments to manage their debts by placing them into hibernation for up to
46 Are there any other current developments or emerging seven months; and
trends to note? • the Financial Markets Authority has published various guidance
notes on their expectations for financial services firms in light of
New Zealand’s legislative and regulatory environment is constantly the covid-19 crisis, including:
changing. There are upcoming law changes, including a new Privacy Act • prioritising a review of customer vulnerability practices;
2020 and changes to the regime for the regulation of financial advisers • providing ‘no-action’ relief where a market participant
to retail clients in April 2021. Further, through its global cooperation breaches, or expects to breach, a regulatory obligation as a
with other financial regulators and membership of the International result of covid-19;
Organisation of Securities Commissions, the Financial Markets • ensuring insurers' continued good conduct in responding to
Authority is keeping a keen eye on developments in the regulation of the needs of their customers during the crisis;
fintech overseas. The wide-ranging impact of the covid-19 pandemic is • providing temporary regulatory relief in respect of certain
also relevant, with many employers transitioning their employees to reporting deadlines;
168 Fintech 2021

• providing guidance on hardship withdrawals from Kiwisaver

accounts; and
• deferring certain regulatory initiatives affecting the financial
services sector, such as the new financial advisors regime
(the commencement is now delayed to April 2021).
There is a general acknowledgement that New Zealand is merely in the

first phase of the crisis, so further legislation and regulation is expected
to be passed in this area on an as-needed basis.
Singapore
Grace Chong, Jason Valoti, Calvin Tan, Benedict Tan, Marcus Teo, Ng Aik Kai, Sun Zixiang, Low Si Rong
and Seah Ern Xu
Simmons & Simmons JWS
FINTECH LANDSCAPE AND INITIATIVES firms to embark on experiments more quickly without needing to go
through the existing bespoke sandbox application and approval process,
General innovation climate if the intended activities entail risks that are generally low or could be
1 What is the general state of fintech innovation in your reasonably contained within the specific predefined sandbox with its
jurisdiction? predetermined boundaries, expectations and regulatory reliefs.
MAS has encouraged engagement with the industry and has been
Singapore provides a conducive fintech ecosystem with supporting open to discuss the support it can provide in forms such as financial
regulations, customer demand, strong investments and the potential support, training and mentorship. In 2016, MAS opened a fintech inno-
for high returns. The government considers a vibrant fintech sub-sector vation lab, Looking Glass@MAS, to provide a platform for the fintech
key to Singapore’s vision for a Smart Financial Center – a subset of the community to connect, collaborate, and co-create with one another, and
Smart Nation initiative. MAS also regularly publishes sets of data as application programming
According to a study by Accenture, fintech investments in Singapore interfaces (APIs) on its website to encourage and facilitate development
more than doubled to hit US$861 million in 2019 from US$365 million of innovative solutions.
in 2018, placing it among the top five fintech markets by funds raised MAS has also launched the Financial Sector Technology and
in the Asia-Pacific in 2019. About 40 per cent of the total funds raised in Innovation scheme to support innovation initiatives in the finance
Singapore in 2019 went to payments start-ups, while insurtechs took 25 industry. Under the scheme, MAS set aside S$225 million over five years
per cent and those in lending took 13 per cent. for the development of fintech, to attract financial institutions to estab-
Based on the Innovation page of the Monetary Authority of lish their research and development and innovation hubs in Singapore,
Singapore (MAS), there are currently more than 1,100 fintech start-ups to support the construction of industry-wide technological infrastruc-
operating in Singapore, and there are more than 50 innovation labs in ture to deliver innovative integrated services and to catalyse financial
Singapore. The Singapore FinTech Association, the industry association, institutions to develop creative solutions promoting growth, efficiency
has enabled the development of the ecosystem by facilitating collabora- and competitiveness.
tion between market participants and stakeholders.
2 Do government bodies or regulators provide any support Regulatory bodies
specific to financial innovation? If so, what are the key 3 Which bodies regulate the provision of fintech products and
benefits of such support? services?
MAS is a member of the Global Financial Innovation Network (GFIN), Generally, the provision of fintech products and services is predominantly
which was formally launched in January 2019 by an international group regulated by the Monetary Authority of Singapore (MAS), Singapore’s
of financial regulators and related organisations. The GFIN is committed central bank and financial regulatory authority. Particular aspects
to supporting financial innovation in the interests of consumers and relating to competition and data privacy issues may be specifically regu-
helping innovative firms navigate between countries as they look to lated by the Competition and Consumer Commission of Singapore and
scale new ideas. A cross-border testing pilot programme was launched the Personal Data Protection Commissioner. The Intellectual Property
in 2019 to allow firms to simultaneously trial and scale new technologies Office of Singapore has also launched a fintech fast-track initiative to
in multiple jurisdictions, gaining real-time insight into how a product or expedite the file-to-grant process for fintech patent applications.
service might operate in the market. MAS has launched various initiatives pertaining specifically
As of November 2019, MAS had signed 33 fintech cooperation to fintech, such as the FinTech and Innovation Group and FinTech
agreements with other countries, including Abu Dhabi, Australia, China, Regulatory Sandbox. MAS has also promulgated regulations relating to
Canada, France and the United Kingdom, to foster closer cooperation on aspects of fintech.
fintech and to promote innovation in financial services in their respec-
tive markets.
MAS released a consultation paper on 14 November 2018 to
propose the creation of predefined sandboxes, known as Sandbox
Express, to complement the existing FinTech Regulatory Sandbox
launched in 2016. The proposed predefined sandboxes would enable
170 Fintech 2021

Simmons & Simmons JWS Singapore
Regulated activities business carries on a business of providing any type of payment service
4 Which activities trigger a licensing requirement in your in Singapore, it must have a licence that entitles it to do so in respect of
jurisdiction? that type of payment service or be an exempt payment service provider
with respect to that type of payment service. Each of the following
Depending on the nature and scope of services or products offered, services is a payment service for the purposes of the PS Act:
licensing requirements under the Securities and Futures Act (Chapter • account issuance;
289) (SFA) or the Financial Advisers Act (Chapter 110) (FAA), or both, • domestic money transfer;
may apply. • cross‑border money transfer;
The following activities are regulated under the SFA: • merchant acquisition;
• dealing in capital markets products; • e-money issuance;
• advising on corporate finance; • digital payment token; and
• fund management; • money‑changing.
• real estate investment trust management;
• product financing; In general, licensing requirements may differ depending on the nature
• providing credit rating services; and and scope of activities contemplated, and advice should be sought on
• providing custodial services. the specific circumstances of any particular case.
The following activities are regulated under the FAA: Consumer lending
1 advising others, either directly or through publications or writ- 5 Is consumer lending regulated in your jurisdiction?
ings, and whether in electronic, print or other form, concerning any
investment product, other than: Under Singapore law, the offering and provision of consumer lending
• in the manner set out in (2); or is not distinguished from primary lending. Lending (consumer lending
• advising on corporate finance within the meaning of the SFA; and primary lending) is a regulated activity in the jurisdiction and is
2 advising others by issuing or promulgating research analyses governed by the Moneylenders Act (Chapter 188) of Singapore.
or research reports, whether in electronic, print or other form, The Moneylenders Act requires that all loans made available in
concerning any investment product; and Singapore are by licensed moneylenders or excluded moneylenders.
3 arranging any contract of insurance in respect of life policies, other Examples of excluded moneylenders are:
than a contract of reinsurance. • any person regulated by MAS under any other written law who is
permitted or authorised to lend money or is not prohibited from
The licensing requirements under the SFA and the FAA have extrater- lending money under that other written law;
ritorial effect. Section 339 of the SFA and section 90 of the FAA provide • any person who lends money solely to his or her employees as a
that where a person does an act partly in and partly outside Singapore, benefit of employment;
which, if done wholly in Singapore, would constitute an offence against • any person who lends money solely to accredited investors within
any provision of the SFA or the FAA (as the case may be), that person the meaning of section 4A of the SFA of Singapore; and
shall be guilty of that offence as if the act were carried out by that • any person carrying on any business not having as its primary
person wholly in Singapore, and may be dealt with as if the offence was object the lending of money in the course of which and for the
committed wholly in Singapore. In addition, section 339 of the SFA also purposes whereof he or she lends money.
provides that where a person does an act outside Singapore that has
a substantial and reasonably foreseeable effect in Singapore and that Secondary market loan trading
act would, if carried out in Singapore, constitute an offence under the 6 Are there restrictions on trading loans in the secondary
relevant provisions of the SFA, that person shall be guilty of that offence market in your jurisdiction?
as if the act were carried out by that person in Singapore, and may be
dealt with as if the offence were committed in Singapore. The acquisition of a (funded) loan receivable and the holding of that
The activity most relevant to fintech businesses is likely to be loan receivable does not constitute moneylending unless, following the
‘dealing in capital markets products’ under the SFA. ‘Dealing in capital acquisition, additional loans are extended.
markets products’ means (whether as principal or agent) making or Secondary market loan intermediation is not a regulated activity,
offering to make with any person, or inducing or attempting to induce provided that it does not involve any lending or deposit taking and
any person to enter into or to offer to enter into any agreement for or provided that loans are not in the form of securities.
with a view to acquiring, disposing of, entering into, effecting, arranging,
subscribing for, or underwriting any capital markets products. ‘Capital Collective investment schemes
markets products’ means any securities, units in a collective investment 7 Describe the regulatory regime for collective investment
scheme, derivatives contracts, spot foreign exchange contracts for the schemes and whether fintech companies providing
purposes of leveraged foreign exchange trading, and such other prod- alternative finance products or services would fall within its
ucts as MAS may prescribe as capital markets products. scope.
In addition to the above licensing requirements, where a fintech busi-
ness undertakes banking business, such as receiving money on current Broadly, ‘collective investment schemes’ are arrangements in respect of
or deposit accounts, this business is required to be licensed as a bank any property that exhibit the following features:
by MAS pursuant to the Banking Act (Chapter 19). Similarly, if the fintech • the participants do not have day-to-day control over the manage-
business undertakes the business of moneylending or promotes doing ment of the property (Control Limb);
so, it will require a licence pursuant to the Moneylenders Act (Chapter • the property is managed as a whole by or on behalf of a manager
188), unless it is an excluded moneylender or an exempt moneylender. (Management Limb) or the contributions of the participants, or
Since 29 January 2020, the Payment Services Act (No. 2 of 2019) both, and the profits or income out of which payments are to be
(the PS Act) has come into force. Under the PS Act, where a fintech made to the participants are pooled (Pooling Limb); and
Singapore Simmons & Simmons JWS
• the purpose or effect (or purported purpose or effect) of the Generally, securities-based fundraising from the public through
arrangement is to enable participants to participate in or receive equity-based crowdfunding is regulated by MAS under the SFA and the
profits, income, or other payments or returns arising from the FAA. Therefore, such activity might constitute a regulated activity that
acquisition, holding, management, disposal, exercise, redemption requires a licence, but much will depend on the precise model.
or expiry of, any right, interest, title, or benefit in the property or Such a licensed crowdfunding operator must comply with the
any part of the property or to receive sums paid out of such profits, controls and disclosures required of it under the MAS Circular No. CMI
income, or other payments or returns (Purpose Limb). 27/2018 (issued 23 August 2018) (the Securities-Based Crowdfunding
Circular). Under the Securities-Based Crowdfunding Circular, an
Previously, it was a requirement that both the Management Limb and operator must:
the Pooling Limb be satisfied. However, following certain amendments • disclose to investors the scope of due diligence that it has
to the laws in October 2018, arrangements can now qualify as a ‘collec- performed on issuers;
tive investment scheme’ if they fulfil either the Management Limb or the • institute policies and procedures to handle issuer defaults (particu-
Pooling Limb, or both, in addition to the Control Limb and Purpose Limb. larly lending-based operators);
Generally, unless an exemption applies, it is an offence to make an • put in place a proper business cessation plan; and
offer of units in a collective investment scheme to the Singapore public • if offering auto-allocation tools, have a proper governance and
unless the scheme is authorised or recognised by MAS and the offer is management framework over the design, monitoring, testing and
made in or accompanied by an SFA-compliant prospectus. operation of the tools.
It is possible that certain fintech activity could involve a collective
investment scheme where the business concerned is managing assets As for lending-based crowdfunding in particular, it is specifically regu-
on behalf of participants who have invested through a fintech platform. lated by the MAS’s FAQ on Lending-Based Crowdfunding (issued 8
Careful analysis of the specific circumstances and the way in which the October 2018). While the FAQs do not introduce new rules, the FAQs
platform permits investors to participate will be required to determine do clarify the applicability of the SFA or the FAA to lending-based
whether it constitutes a collective investment scheme. crowdfunding.
If applicable, the SFA would require a lending-based crowdfunder
Alternative investment funds to register a prospectus with MAS, unless exempted. It would only be
8 Are managers of alternative investment funds regulated? exempted if the crowdfunding offer is:
• a personal offer (made only to pre-identified entities) below S$5
Managing the property of or operating a collective investment scheme million per 12-month period;
or undertaking on behalf of a customer (whether on a discretionary • a private placement to 50 or fewer investors within a 12-month
authority granted by the customer or otherwise) is regulated as ‘fund period; or
management’ under the SFA if it involves: • an offer made only to institutional or accredited investors.
• the management of a portfolio of capital markets products; or
• the entry into spot foreign exchange contracts for the purpose The SFA would also require the operator to obtain a capital markets
of managing the customer’s funds, but not including real estate services licence. Separately, if the operator provides financial advice to
investment trust management. interested investors, the operator would also need to comply with the
requirements of the FAA.
Accordingly, unless an exemption applies, managers of alternative The FAQs also clarify that crowdfunding with promissory notes are
investment funds generally require a licence to conduct business not exempted from the requirements under the SFA. Some of the peer-
involving these activities. to-peer lending companies in Singapore engage with MAS-regulated
trustees to hold escrow funds.
9 Describe any specific regulation of peer-to-peer or Invoice trading
marketplace lending in your jurisdiction. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
There are no specific regulations applicable to peer-to-peer or market-
place lending in Singapore. Fundraising from the public through To the extent that an invoice is purchased, without risk of being rechar-
lending-based crowdfunding, or peer-to-peer lending, is regulated by acterised as a loan for the purposes of the Moneylenders Act, with true
MAS under the SFA and the FAA. Therefore, such activity might consti- sale there is no specific regulation on the buying and selling of invoices.
tute a regulated activity that requires a licence, but much will depend This is common in factoring and invoice discounting arrangements.
on the precise model. However, if invoices are opened to the public and crowdfunded, the
Furthermore, in Singapore, any invitation to lend money to an operator of the trading platform will need to follow certain regulations,
entity is deemed to be an offer of debentures, which is a type of security. including the SFA, FAA, the Securities-Based Crowdfunding Circular and
The entity offering the debentures is required to prepare and register the MAS’s FAQ on Lending-Based Crowdfunding. The extent to which
an SFA-compliant prospectus with MAS unless an exemption applies. each of these regulations apply will depend on the precise nature of the
crowdfunding scheme and the manner in which it is carried out.
Crowdfunding
10 Describe any specific regulation of crowdfunding in your Payment services
jurisdiction. 12 Are payment services regulated in your jurisdiction?
There are specific regulations applicable to crowdfunding in Singapore. Payment services include a wide range of activities, such as taking cash
These regulations apply to securities-based crowdfunding operators deposits, making cash withdrawals, executing payment transactions,
and lending-based crowdfunding. issuing or acquiring payment instruments, issuing and administering
means of payment, money remittance, making payments sent through
172 Fintech 2021

the intermediary of a telecoms, IT system or network operator, or even MAS has also implemented the Financial Industry API Register,
providing stored value facilities. which is updated semi-annually and designed to serve as the initial
Since 29 January 2020, certain payment services are now regu- landing site for Open APIs in the Singaporean finance industry. These
lated in Singapore under, inter alia, the PS Act. These regulated payment APIs fall under the following functional categories:
service activities are: • product APIs that provide information on financial product details,
• account issuance; rates and branch or ATM locations;
• domestic money transfer; • sales and marketing APIs for product sign-ups, sales or cross-
• cross‑border money transfer; sales and leads generation;
• merchant acquisition; • servicing APIs for managing customer profiles or account details
• e-money issuance; and customer queries or feedback;
• digital payment token; and • transaction APIs that support customer instructions for payments,
• money‑changing funds transfers, settlements, clearing, trade confirmations
and trading;
To carry on the business of providing any of the above-mentioned • other APIs for common services, such as authentication, authorisa-
payment services, the entity will require one of three types of licence: tion, reporting, market data and compliance; and
money-changing, standard payment institution or major payment • regulatory APIs that enable extraction of data sets related to the
institution. financial industry as a whole.
Different regulatory conditions apply to each type of licence, with
the extent of regulatory conditions increasing from standard payment On 14 May 2020, the Personal Data Protection Commission and the
institutions to major payment institutions. For instance, major payment Ministry of Communications and Information launched a public consul-
institutions must safeguard customer money with an undertaking by tation paper where it proposed to introduce a new Data Portability
a bank or prescribed financial institution, a guarantee by a bank or Obligation to give individuals greater choice and control over their
prescribed financial institution or segregate customer money in a trust personal data, prevent consumer lock-in and enable switching to new
account maintained by a bank or prescribed financial institution. On the services. Data portability allows individuals to request an organisation
other hand, standard payment institutions are not subjected to these to transmit a copy of their personal data to another organisation.
safeguarding measures, although they must alert customers so they
can make informed decisions. Robo-advice
Correspondingly, each type of licence authorises the licensee to 14 Describe any specific regulation of robo-advisers or other
conduct different types and different quantums of each type of payment companies that provide retail customers with automated
service. For example, licensees holding a money-changing licence may access to investment products in your jurisdiction.
only conduct money-changing services. By contrast, standard payment
institutions may conduct any type of payment service, so long as the Robo-advisoes and other companies that provide retail customers
monthly transactions for any activity type do not exceed S$3 million, with automated access to investment products in Singapore are regu-
the monthly transactions for two or more activity types do not exceed lated under the SFA or the FAA, or both, and must adhere to the MAS’s
S$6 million and, where relevant, the total amount of daily outstanding Guidelines on Provision of Digital Advisory Services (CMG-G02) (the
e-money does not exceed S$5 million. By extension, major payment Advisory Guidelines), including the requirement to be appropriately
institutions may conduct any type of payment services, and the quantum licensed unless they qualify for relevant exemptions.
limits applicable to standard payment institutions do not apply. However, as MAS is keen not to stifle digital innovation, the
The PS Act includes provisions to mitigate the risks of loss of Advisory Guidelines provide for a lower bar for licensing in certain
customer monies, money laundering and terrorism financing risks, frag- circumstances. For example, digital advisers that seek to offer fund
mentation and lack of interoperability across payment solutions, and management services to retail investors will be eligible for licensing
technology risks including cyber risks. MAS has also proposed tech- even if they do not meet the SFA corporate track record requirements,
nology risk management requirements, including cybersecurity risk provided they meet other specified safeguards.
management guidelines. Under the Advisory Guidelines, digital advisers will be exempted
from the FAA requirement to collect the full suite of information on
Open banking the financial circumstances of a client, such as income and financial
13 Are there any laws or regulations introduced to promote commitments. This is on the condition that they put in place measures to
competition that require financial institutions to make mitigate the risks of providing unsuitable investment recommendations
customer or product data available to third parties? owing to limited client information.
While MAS is making it easier for digital advisers to set up in
MAS has published a comprehensive application programming interface Singapore, the business model carries unique risks, such as faulty
(API) playbook in its bid to encourage more banks to participate in open algorithms and cyber threats. To mitigate these risks, the Advisory
banking. This document outlines and standards framework for: Guidelines set out MAS’s expectations for digital advisers to establish
• API governance; robust frameworks to govern and supervise their algorithms, as well as
• API lifecycle governance; to manage technology and cyber risks.
• governance of API risk; and
• regulatory considerations for partner API operating models. Insurance products
15 Do fintech companies that sell or market insurance products
The result of MAS’s push towards open banking can be clearly seen in your jurisdiction need to be regulated?
with businesses such as Citibank, DBS, OCBC, Standard Chartered and
payments service provider NETS running their own Open API portals The marketing and sale of insurance products are regulated under the
comprising over 272 API sets. Insurance Act (Chapter 142) of Singapore and the FAA.
Credit references FINANCIAL CRIME

credit information services in your jurisdiction? Anti-bribery and anti-money laundering procedures
Credit bureaus are recognised by the MAS under the Banking Act procedures to combat bribery or money laundering?
(Chapter 19) of Singapore to collect and disclose credit data to their
members. A credit bureau bill was passed in Parliament on 9 November Under the Payment Services Act, digital payment token service providers
2016 but has not yet come into force. Once in force, there will be a frame- that facilitate the exchange of or that deal in digital payment tokens
work in place to subject credit bureaus to formal supervision by the MAS (DPT), commonly known as digital currencies or cryptocurrencies, will
as credit bureaus collect increasing (and more specifically detailed) have to be licensed. The Monetary Authority of Singapore (MAS) has
amounts of data to facilitate more comprehensive credit assessments issued a consultation on an anti-money laundering and combating the
by their members. The bill will also allow consumers the right to access, financing of terrorism (AML/CFT) notice for regulating DPT services.
review and rectify their credit records. The provision of credit ratings In its consultation paper, MAS reiterated that it considers DPT
(opinions primarily regarding the creditworthiness of entities other than transactions to carry higher inherent money laundering and terrorism
individuals, governments or securities) is also regulated under the SFA. financing (ML/TF) risks owing to the anonymity, speed and cross-border
nature of the transactions, a view that is consistent with the position
CROSS-BORDER REGULATION taken by the Financial Action Task Force in its standards for virtual
asset services providers.
Passporting MAS intends to require that AML/CFT measures also be applied
17 Can regulated activities be passported into your jurisdiction? for providers that facilitate the transfer of DPT or provide custodian
wallet services, and asks for suggestions on other types of DPT-related
No. services that could also pose ML/TF risks.
The AML/CFT requirements will make licensees obliged to take
Requirement for a local presence appropriate steps to identify, assess and understand their ML/TF risks,
18 Can fintech companies obtain a licence to provide financial and develop and implement policies, procedures and controls for the
services in your jurisdiction without establishing a local effective management of these risks.
presence? This includes policies, procedures and controls in relation to
customer due diligence, transaction monitoring, screening, suspicious
It is unlikely that the Monetary Authority of Singapore would grant a transactions reporting and record-keeping. Enhanced measures should
licence to an entity for carrying on business in any regulated activity if be performed where higher ML/TF risks are identified.
that entity did not have a local presence. The requirements also include monitoring the implementation of
policies, procedures and controls, and enhancing them if necessary.
SALES AND MARKETING
Guidance
Restrictions 22 Is there regulatory or industry anti-financial crime guidance
19 What restrictions apply to the sales and marketing of for fintech companies?
There is no specific guidance for fintech companies, but there is guid-
This will depend on many factors, including but not limited to, the regula- ance for regulated companies and banks that would apply to fintech
tory status of the financial institution (eg, whether the financial institution businesses that are regulated similarly.
is licensed or exempt and the type of licence held or exemption being Specifically for digital asset exchanges, the Association of
relied upon) and the types of services and products being marketed. Cryptocurrency Enterprises and Start-ups Singapore has developed a
Depending on the facts, different rules and restrictions may need to be ‘Code of Practice’ under its Standardisation of Practice In Crypto Entities
taken into account, including, for example, clientele restrictions. initiative.
Advice should be sought on the specific circumstances of any
particular case. PEER-TO-PEER AND MARKETPLACE LENDING
CHANGE OF CONTROL Execution and enforceability of loan agreements

Notification and consent security agreements? Is there a risk that loan agreements
20 Describe any rules relating to notification or consent or security agreements entered into on a peer-to-peer or
requirements if a regulated business changes control. marketplace lending platform will not be enforceable?
Different consent requirements apply to the acquisition of different Loan agreements governed by Singapore law and evidencing appropriate
types of regulated businesses. In general, where a person is to become consideration for the loan can be executed in the form of agreements by
a holder of a specified percentage of a regulated entity or will control a signatories of the respective parties having due authority.
specified percentage of voting rights of that entity, prior consent must Moneylending in Singapore is a regulated activity under the
be obtained from the relevant regulatory authority. Moneylenders Act of Singapore and, accordingly, any person or entity
In all cases, advice should be sought as to the applicable require- lending money to a person or entity in Singapore must either be licensed
ments and the process for obtaining consent. in Singapore, exempted or excluded. Any lending to individuals resident
in Singapore would customarily require a licence.
The execution requirements for a Singapore law security agree-
ment will depend on the form of security agreement. However, most
174 Fintech 2021

Singapore law security agreements will be executed in the form of a enforcement action being taken and held, by the purchaser, pending
deed to ensure that no challenge can be made on the grounds of consid- any enforcement event occurring, at which time the notice of assign-
eration or owing to the form of property being secured. The execution ment could be delivered to the borrower, giving rise to a legal security
requirements for deeds allow for three options: assignment.
• signing by a director of the company and a secretary of the company; Any assignment, by way of security or otherwise, will be subject
• signing by at least two directors of the company; or to the general provisions of the loan agreement, including, without
• signing by a director of the company in the presence of a witness limitation, confidentiality restrictions, restrictions on the granting of
who attests the signature. security or transfers to third parties. As such, loan agreements for P2P
or marketplace lending platforms that contemplate ease of assignment
The enforceability of peer-to-peer (P2P) loan agreements and security or transfer must be drafted to ensure that any such restrictions are kept
agreements will depend on the precise model being applied. However, as to a minimum or excluded to the extent possible and subject to regula-
a general observation, provided that any P2P model complies with any tory constraints applicable to lending to specific classes of borrowers.
regulatory requirements as outlined above in Singapore (and in any other
relevant jurisdiction), there should be no specific issues regarding the Securitisation risk retention requirements
enforceability of the loan agreement or security agreement in Singapore. 25 Are securitisation transactions subject to risk retention
requirements?
Assignment of loans
24 What steps are required to perfect an assignment of The Monetary Authority of Singapore Notice 637 (the MAS Notice) (last
loans originated on a peer-to-peer or marketplace lending revised on 31 March 2020) requires a reporting bank (being a bank
platform? What are the implications for the purchaser if the incorporated in Singapore) to ensure that the originator of the credit
assignment is not perfected? Is it possible to assign these claims or receivables being securitised retains a material net economic
loans without informing the borrower? exposure and demonstrates a financial incentive in the performance of
these assets following their securitisation. As such, the reporting bank
A legal assignment by way of security of the rights of the lender of a is required to ensure that this originator does retain such applicable risk
loan under a P2P or marketplace lending platform, under which the in the exposures.
purchaser of that loan would be entitled to directly sue the borrower for Pursuant to MAS Notice 637, reporting banks are also subject to
repayment of the debt under the loan, requires notice of this assignment maximum retention thresholds in respect of securitisation exposures to
by way of security to be given by the assigning lender to the borrower the extent that this reporting bank is looking to apply regulatory capital
under the loan agreement. relief in respect of these exposures, as set out in more detail in MAS
The ability to transfer rights and obligations in a loan under Notice 637.
Singapore law (whether in respect of a P2P or marketplace lending
platform or otherwise) will depend on the terms of the loan. Securitisation confidentiality and data protection requirements
In the absence of any specific provisions regarding transfer of both 26 Is a special purpose company used to purchase and securitise
rights and obligations of a lender’s position in a loan in the loan agree- peer-to-peer or marketplace loans subject to a duty of
ment, the borrower’s consent would be required to transfer the lender’s confidentiality or data protection laws regarding information
rights and obligations under a loan (although, in the absence of any relating to the borrowers?
express provisions to the contrary, an assignment of a lender’s rights
only (and not the lender’s obligations) would not require the giving of Possibly. In addition, loan agreements may contain confidentiality provi-
notice to, or the receipt of consent from, the borrower although any lack sions that any purchaser, including any special purpose company, is
of notice may affect the nature of any assignment by way of security of bound by. These would need to be carefully reviewed or drafted as part
these rights). of any securitisation structure.
It is quite common, however, for specific transfer provisions to be
included in loan agreements to allow a lender to transfer its rights and ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
obligations in their position in a loan to a third party without borrower TECHNOLOGY AND CRYPTO-ASSETS
consent. Customarily, criteria will be specified as to what constitutes an
eligible transferee. Except in certain structures, it would be necessary Artificial intelligence
to notify the borrower of the transfer in order for the transfer to take 27 Are there rules or regulations governing the use of artificial
effect even in circumstances where borrower consent was not required. intelligence, including in relation to robo-advice?
Any transfer would also need to comply with any related restric-
tions imposed under the terms of the loan agreement and under The Monetary Authority of Singapore (MAS) has issued a set of principles
regulations applicable to particular classes of borrower. to promote fairness, ethics, accountability and transparency (FEAT) in
In connection to any assignment of a lender’s rights under a loan the use of AI and data analytics in finance. Known as the FEAT Principles,
by way of security, where notice of the assignment by way of security the document provides guidance to firms offering financial products and
is not given by the assigning lender to the borrower under the loan services on the responsible use of AI and data analytics, to strengthen
agreement, the security assignment would, in ordinary circumstances internal governance around data management and use.
(and subject to due execution and other formalities), be characterised as MAS has said that this is intended to foster greater confidence and
an equitable assignment. An equitable assignment is still characterised trust in the use of AI and data analytics, as firms increasingly adopt tech-
as a security interest. However, any action by the purchaser to enforce nology tools and solutions to support business strategies and in risk
rights under the loan agreement needs to be taken by the lender on management.
behalf of the purchaser. This may delay the taking of action and have an With regard to robo-advice, MAS has issued the Guidelines on
impact on recoveries. Provision of Digital Advisory Services (the Advisory Guidelines) to facili-
In the case of an equitable assignment, it may be possible to have tate the provision of robo-advice in Singapore. Digital advisers that seek
a notice of security assignment executed by the lender prior to any to offer fund management services to retail investors will be eligible for
licensing even if they do not meet the Securities and Futures Act (SFA) Digital currency exchanges
corporate track record requirements, provided they meet other specified 30 Are there rules or regulations governing the operation of
safeguards. digital currency exchanges or brokerages?
Under the Advisory Guidelines, digital advisers will be exempted
from the Financial Advisers Act (FAA) requirement to collect the full suite Yes, digital currency exchanges or brokerages that allow token trading
of information on the financial circumstances of a client, such as income constituting capital markets products will need to seek MAS’s approval,
and financial commitments. This is on the condition that they put in recognition or exemption under the SFA.
place measures to mitigate the risks of providing unsuitable investment Additionally, under the PS Act, digital payment token service
recommendations owing to limited client information. providers that facilitate the exchange of or that deal in digital payment
While MAS is making it easier for digital advisers to set up in tokens, commonly known as digital currencies or cryptocurrencies, will
Singapore, the business model carries unique risks, such as faulty algo- have to be licensed.
rithms and cyber threats. To mitigate these risks, the Advisory Guidelines
set out MAS’s expectations for digital advisers to establish robust frame- Initial coin offerings
works to govern and supervise their algorithms, as well as to manage 31 Are there rules or regulations governing initial coin offerings
technology and cyber risks. (ICOs) or token generation events?
In May 2020, MAS announced the first phase of its Veritas initiative.
Veritas outlines a framework for the responsible adoption of AI and data The regulation in Singapore of tokens offered in initial coin offerings
analytics by financial institutions. MAS will commence with the develop- (ICOs) depends on the nature of the tokens offered. Utility tokens that
ment of metrics to measure the fairness of deployment of this technology. only provide membership or access to a service or payment tokens that
MAS has identified credit risk scoring and customer marketing as the are only used as a means of payment for goods or services (such as
first two workstreams in which it would like to introduce the metric. bitcoin) are not at present regulated. Digital payment tokens are regu-
lated under the PS Act. However, if a digital token constitutes a capital
Distributed ledger technology markets product (eg, securities, futures contracts and contracts or
28 Are there rules or regulations governing the use of distributed arrangements for purposes of leveraged foreign exchange trading), the
ledger technology or blockchains? offer or issue of these digital tokens will be regulated under the SFA and
(in certain cases) the FAA. For example, digital tokens may represent
There are no specific regulations or guidelines in relation to the use of ownership or a security interest over an issuer’s assets or property.
distributed ledger technology (DLT) in Singapore. MAS has been encour- These tokens may, therefore, be considered an offer of shares or units
aging the industry to look at DLT in relation to the financial system in in a collective investment scheme (as defined in the SFA). Digital tokens
Singapore. For example, in early 2017, MAS announced the successful may also represent a debt owed by an issuer and be considered a
conclusion of the proof-of-concept project to conduct domestic interbank debenture under the SFA.
payments using DLT, and in late 2017 an industry consortium led by In this regard, MAS has issued ‘A Guide to Digital Token Offerings’
MAS and the Association of Banks in Singapore released source-codes (updated May 2020), which provides general guidance on the applica-
of successful DLT prototypes publicly to encourage innovation in inter- tion of the securities laws administered by MAS in relation to offers or
bank payments. issues of digital tokens in Singapore. MAS recommends that all issuers
of digital tokens, intermediaries facilitating or advising on an offer of
Crypto-assets digital tokens and platforms facilitating trading in digital tokens should
29 Are there rules or regulations governing the use of crypto- seek independent legal advice to ensure they comply with all applicable
assets, including digital currencies, digital wallets and laws, and consult MAS where appropriate.
e-money? On 24 May 2018, MAS warned eight digital token exchanges in
Singapore not to facilitate trading in digital tokens that are securities
Singapore’s parliament has passed the new Payment Services Act (the or futures contracts without MAS’s authorisation. It also warned an
PS Act) to regulate the following activities in relation to digital curren- ICO issuer to discontinue the proposed offering of its digital tokens in
cies, digital wallets and e-money: Singapore (the tokens in question would be considered as securities
• account issuance; under the SFA and the offer had been made without a MAS-registered
• electronic money issuance; and prospectus). While it is unclear how much was raised from inves-
• digital payment tokens. tors in Singapore, the ICO issuer has since ceased the offer and is
taking remedial actions to comply with the local laws and regulations,
The PS Act repeals the Payment Systems (Oversight) Act. A multipur- including returning all funds received from Singapore-based investors.
pose stored value facility (ie, one that is or is intended to be used for the Ultimately, MAS’s position in respect of digital token exchanges and
payment of goods or services provided by a service provider apart from ICOs is indicated clearly in the following statement: ‘We do not see a
the holder of that stored value facility) is now subject to the licensing need to restrict them if they are bona fide businesses. But if any digital
requirements under the PS Act. token exchange, issuer or intermediary breaches our securities laws,
Singapore does not otherwise have any specific regulatory meas- MAS will take firm action.’
ures in respect of digital currencies or digital wallets, but the existing Under the new PS Act, entities will require licences to provide
laws provide for protection against unlawful activities in general, for payment services, including the issuance of electronic money and
example, anti-money laundering, fraud and terrorism financing. digital payment tokens. Based on the definition of digital payment token
as well as e-money found in the PS Act, many tokens in the market
today can be viewed as either e-money or digital payment tokens, and
any service provider who issues tokens falling within these categories
through an ICO can be deemed as providing a digital payment token
service or e-money issuance by the PS Act.
176 Fintech 2021

There is an exception applicable for tokens that have a limited financial institutions must put in place to manage cyber threats, which
purpose (ie, non-monetary consumer loyalty or reward points, in-game could include:
assets or similar digital representations of value that cannot be returned • addressing system security flaws in a timely manner;
to the issuer or sold, transferred or exchanged for money). • establishing and implementing robust security for systems; and
• deploying security devices to secure system connections.
OUTSOURCING AND CLOUD COMPUTING
Data protection
32 What rules and regulations govern the processing and Outsourcing
transfer (domestic and cross-border) of data relating to 34 Are there legal requirements or regulatory guidance with
fintech products and services? respect to the outsourcing by a financial services company of
There are no legal requirements or regulatory guidance relating to
personal data that are specifically aimed at fintech businesses. However, On 5 October 2018, the Monetary Authority of Singapore (MAS) issued
fintech companies must have regard to Chapter 6 on Online Activities revised Guidelines on Outsourcing. Various industry guidelines on
of the Personal Data Protection Commissioner's (PDPC) Advisory outsourcing have also been issued by the Investment Management
Guidelines on the PDPA for Selected Topics. Association of Singapore and the Association of Banks in Singapore.
The PDPC has recently announced new initiatives to facilitate The MAS Guidelines on Outsourcing set out risk management
the movement and use of data to support innovation, and strengthen practices to be complied with when a regulated entity has entered into
accountability among organisations. The first is the PDPC’s response any outsourcing or is planning to outsource its business services to a
note to the public consultation on proposed data portability and data service provider (whether this outsourcing is done on an intra-group
innovation provisions, as part of the review of the PDPA. The proposed or a third-party basis, or a material or non-material basis). Certain key
data portability provision will provide individuals with greater control requirements in the Outsourcing Guidelines include maintaining an
over their personal data and enable greater access to more data by Outsourcing Register and ensuring that all outsourcing contracts are
organisations to facilitate data flows and increase innovation, while the written agreements containing the minimum prescribed clauses. The
proposed data innovation provision makes it clear that organisations can Outsourcing Guidelines also detail the responsibilities of the board
use data for appropriate business purposes without individuals’ consent. and senior management in this regard (eg, approving a risk evalua-
The second is the PDPC’s introduction of new guides, such as: the tion framework, setting a suitable risk appetite statement, laying down
Guide on Active Enforcement, as part of its drive for organisations to appropriate approval authorities, assessing management competencies
shift from compliance to accountability; an updated Guide to Managing to develop sound and responsive outsourcing risk management poli-
Data Breaches 2.0, to help organisations manage and respond to data cies and procedures that are commensurate with the nature, scope and
breaches more effectively; and a new Guide to Notification, which illus- complexity of the outsourcing arrangements).
trates good notification practices for organisations to comply with their Moving forward, in a consultation paper issued 7 February 2019,
Notification Obligations under the PDPA . MAS has proposed to issue Outsourcing Notices that set out require-
ments for banks and merchant banks in relation to material outsourcing
Cybersecurity arrangements. These changes include:
33 What cybersecurity regulations or standards apply to fintech • introducing a new section in the Banking Act (Chapter 19)
businesses? to empower MAS to impose requirements relating to banks’
outsourcing arrangements; and
While there is a new cybersecurity law, the Cybersecurity Act 2018, that • introducing identical powers to impose requirements relating to
came into force in August 2018, it is unlikely to directly affect unregu- merchant banks’ outsourcing arrangements.
lated fintech start-ups as it is intended to regulate systems involved in
the provision of essential services within Singapore. The Cybersecurity As for the proposed new Outsourcing Notices, they will impose
Act provides an overarching legislative framework for the regulation of requirements on banks and merchant banks relating to their material
owners of critical information infrastructure and cybersecurity service outsourcing arrangements in the areas of:
providers. • management of these arrangements;
With regard to regulated fintech companies, the Monetary Authority • assessment of service providers;
of Singapore (MAS) issued a consultation in March 2019 seeking feed- • accessing information by MAS and the bank or merchant bank;
back to expand the Technology Risk Management Guidelines to include • protection of customer information;
guidance for the following: • audit; and
• technology risk governance and oversight; • termination of these arrangements.
• best practices for software development;
• additional guidance for new technologies (ie, application program- MAS published its response to the consultation paper on 5 November
ming interfaces, smart electronic devices and virtualisation); and 2019 and intends to seek feedback on the draft Outsourcing Notices in
• effective cyber surveillance, secure software development, adver- due course.
sarial attack simulation and management of cyber risks posed by
the internet of things. Cloud computing
In September 2018, MAS also sought to strengthen the rules on cyber respect to the use of cloud computing in the financial services
security through its Notice on Cyber Hygiene in view of the deep- industry?
ening cyber threat landscape and to further strengthen the overall
cyber resilience of financial institutions. It intends to eventually Yes, financial institutions regulated by MAS should have regard mainly
prescribe a set of legally binding essential cyber security practices that to the MAS Guidelines on Outsourcing. MAS considers cloud services
operated by service providers to be a form of outsourcing. In this Joint ownership

respect, MAS also considers that the types of risks in cloud services 38 Are there any restrictions on a joint owner of intellectual
that confront institutions are not necessarily distinct from that of other property’s right to use, license, charge or assign its right in
forms of outsourcing arrangements. Accordingly, institutions should intellectual property?
still perform the necessary due diligence and apply sound governance
and risk management practices required by the Outsourcing Guidelines Yes, unless amended by agreement, joint owners of a copyright hold their
when subscribing to cloud services. shares as tenants in common. Any use, licence, charge or assignment of
Nevertheless, to the extent that cloud services have certain typical the copyright must, therefore, be done by the joint owners as a whole
characteristics, such as multi-tenancy, data commingling and the higher or by one of the joint owners with the consent of the other joint owners.
propensity for processing to be carried out in multiple locations, insti- However, this position is different for patents notwithstanding
tutions should take measures to address those risks, bearing in mind that these co-owners hold the ownership of the patent as tenants-in-
the materiality of those risks specific to each institution. In this regard, common. Except where the statutory provisions have been amended by
the institution would have to deal with risks associated with data, to agreement between the joint owners, the Patents Act provides that a
ensure the service provider can identify and segregate customer data, co-owner is entitled to do any otherwise infringing act for his or her own
and robust access controls to protect customer information. benefit, by him or herself or by his or her agents, without requiring the
consent of (or the need to account to) any of the other co-owners.
INTELLECTUAL PROPERTY RIGHTS Nevertheless, a co-owner may not, without the consent of the other
co-owners, grant a licence under the patent or assign or charge a share
IP protection for software in the patent.
software, and how do you obtain those rights? Trade secrets
39 How are trade secrets protected? Are trade secrets kept
Computer programs (and preparatory design materials for computer confidential during court proceedings?
programs) are protected by copyright as literary works under the
Copyright Act (Chapter 63). Copyright arises automatically as soon Confidential information can be protected against misuse, provided
as the computer program is recorded. Registration of copyright is not the information in question has the necessary quality of confidence, is
required and is not possible in Singapore. subject to an express or implied duty of confidence, or no registration is
If the software code has been kept confidential it may also be necessary (or possible). Confidential information can be kept confiden-
protected as confidential information. No registration is required. tial during civil proceedings with the permission of the court.
Patents for software (source code) are not currently applicable
for patent registration and protection. The Intellectual Property Office Branding
of Singapore (IPOS) has issued the Examination Guidelines for Patent 40 What intellectual property rights are available to protect
Applications at IPOS, which takes the view that ‘claims to software that branding and how do you obtain those rights? How can
are characterised only by source code, and not by any technical features, fintech businesses ensure they do not infringe existing
is unlikely to be considered an invention on the basis that the actual brands?
contribution would be a mere presentation of information’.
Brands can be protected as registered trademarks in Singapore. A
IP developed by employees and contractors brand can also be protected under the common law tort of passing-off if
37 Who owns new intellectual property developed by an it has acquired sufficient goodwill.
employee during the course of employment? Do the same Certain branding, such as logos and stylised marks, can also be
rules apply to new intellectual property developed by protected by design rights and may also be protected by copyright as
contractors or consultants? artistic works.
The IPOS trademark database can be searched to identify poten-
Copyright created by an employee in the course of his or her employ- tially problematic trademarks that have been registered or applied for.
ment is automatically owned by the employer unless otherwise agreed. It is highly advisable for new businesses to conduct trademark
An invention made by an employee belongs to the employer if it was searches to check whether earlier registrations exist that are identical
made in the course of the normal duties of the employee or in the course or similar to their proposed brand names. It may also be advisable to
of duties falling outside his or her normal duties, but specifically assigned conduct internet searches for any unregistered trademark rights that
to him or her, and the circumstances in either case were such that an may prevent the use of the proposed mark.
invention might reasonably be expected to result from the carrying out of
his or her duties; or if the invention was made in the course of the duties Remedies for infringement of IP
of the employee and, at the time of making the invention, because of 41 What remedies are available to individuals or companies
the nature of his or her duties and the particular responsibilities arising whose intellectual property rights have been infringed?
from the nature of his or her duties, he or she had a special obligation to
further the interests of the employer’s undertaking. Remedies include:
Except in certain narrow circumstances, copyright or inventions • preliminary and final injunctions;
created by contractors or consultants in the course of their duties • damages or an account of profits;
are owned by the contractor or consultant unless otherwise agreed • delivery up or destruction of infringing products;
in writing. • disclosure orders; and
• costs.
178 Fintech 2021

COMPETITION Increased tax burden

Sector-specific issues could significantly increase tax or administrative costs for
42 Are there any specific competition issues that exist with fintech companies in your jurisdiction?
Yes; the Goods and Services Tax Act was amended in 2020 to require
There is a competition regime in Singapore that applies to all entities overseas digital service providers with a yearly global turnover of
carrying out business in Singapore unless otherwise exempted. There more than S$1 million, which sell more than S$100,000 worth of digital
are no particular aspects of this regime that would affect fintech busi- services to customers in Singapore in a 12-month period, to register for
nesses disproportionately to other businesses. and charge goods and services tax (GST).
With effect from 1 January 2020, the Inland Revenue Authority of
TAX Singapore has required these digital services providers, who are regis-
tered under this Overseas Vendor Registration regime, to charge GST on
Incentives their sale of digital services to Singapore consumers.
and investors to encourage innovation and investment in the IMMIGRATION
At present, there are no tax incentives specifically targeted at fintech 45 What immigration schemes are available for fintech
companies. However, new start-up companies in general can benefit businesses to recruit skilled staff from abroad? Are there
from a tax exemption scheme. All companies are eligible for the exemp- any special regimes specific to the technology or financial
tion except companies whose principal activity is investment holding sectors?
and companies that undertake property development for sale, invest-
ment or both. To qualify for the exemption, an eligible company must: There are no sector-specific immigration schemes available for busi-
• be incorporated in Singapore; nesses in Singapore to recruit skilled foreign employees. The rules on
• be tax-resident in Singapore for the relevant tax year of assess- hiring staff from abroad apply to all companies operating in Singapore;
ment; and prior to applying for an Employment Pass, companies will need to
• have its share capital held by no more than 20 persons (all of advertise the vacancy on the National Jobs Bank for at least 14 days
whom must be individuals) throughout the period of that tax year unless a specific exemption applies.
of assessment, where at least one shareholder is an individual
holding at least 10 per cent of the shares in the company, typically UPDATE AND TRENDS
a founder.
The exemption applies for the company’s first three consecutive tax 46 Are there any other current developments or emerging
years of assessment. With effect from tax year of assessment 2020, trends to note?
companies will benefit from a reduced 75 per cent exemption from tax
on the first S$100,000 of normal chargeable income and then a 50 per On 28 June 2019, the Monetary Authority of Singapore (MAS) announced
cent exemption on the next S$100,000 of normal chargeable income. that it will issue up to five new digital banking licences, welcoming appli-
Under the Angel Investors Tax Deduction Scheme, investors who cations from both traditional banking groups and non-bank players. The
are able to commit a minimum of S$100,000 of investment to a qualifying move has been recognised as marking the next chapter in Singapore’s
start-up can, subject to approval and satisfaction of certain conditions, banking liberalisation journey.
benefit from a tax deduction of 50 per cent of the amount of their invest- On 7 January 2020, the MAS announced that it received 21 appli-
ment at the end of a two-year holding period. This scheme lapsed after cations for digital bank licences. The majority of the applicants are
31 March 2020, and investors can no longer obtain new approvals or consortiums, with entities seeking to combine their individual strengths
renewal of the ‘angel investor’ status for any period commencing after to enhance the digital bank’s value proposition.
31 March 2020. However, angel investors will continue to enjoy tax As at the time of writing, MAS has extended the assessment period
deduction in respect of qualifying investments made during the period for the award of digital bank licences, and successful applicants will
of the approved status, subject to existing conditions of the scheme. be informed in the seond half of 2020 instead of June 2020 as it was
For institutional investors, section 13H of the Income Tax Act originally intended.
(S13H) allows approved venture capital and private equity funds to
benefit from zero-rated tax relief for up to 10 years in respect of gains Coronavirus
from the divestment of approved portfolio holdings, dividend income 47 What emergency legislation, relief programmes and other
from approved foreign portfolio holdings and interest income arising initiatives specific to your practice area has your state
from approved foreign convertible loan stock. In addition, the Fund implemented to address the pandemic? Have any existing
Management Incentive (FMI) gives an approved fund management government programmes, laws or regulations been amended
company tax relief at a concessionary rate of 5 per cent for a period of to address these concerns? What best practices are advisable
up to 10 years in respect of both management fees and performance for clients?
bonus received from an approved venture capital fund. Tto benefit from
both S13H and FMI, the venture capital or private equity funds and On 31 March 2020, MAS, together with the Association of Banks in
fund management companies must, at a minimum, be incorporated and Singapore, the Life Insurance Association, the General Insurance
based in Singapore and otherwise approved or licensed by the Monetary Association, and the Finance Houses Association of Singapore,
Authority of Singapore to conduct their activities. announced a package of measures to help ease the financial strain on
small and medium-sized enterprises (SMEs) caused by the covid-19

pandemic. A second package was also announced on 30 April 2020.
The package will support SMEs with access to bank credit and
insurance cover. First, MAS announced that SMEs may opt to defer prin-
cipal payments on their secured term loans up to 31 December 2020,
subject to banks’ and finance companies’ assessment of the quality
of the SMEs’ security. SMEs will also be able to extend the tenure of
their loans by up to the corresponding principal deferment period if
they wish. Grace Chong
grace.chong@simmons-simmons.com
Second, MAS also announced that banks and finance companies
may apply for low-cost funding through a new MAS Singapore Dollar Jason Valoti
Facility for loans granted under Enterprise Singapore’s SME Working jason.valoti@simmons-simmons.com
Capital Loan scheme and Temporary Bridging Loan Programme. Calvin Tan
Third, MAS announced that corporates, including SMEs, holding calvin.tan@simmons-simmons.com
general insurance policies that protect their business and property risks
Benedict Tan
may apply to their insurer for instalment payment plans.
benedict.tan@simmons-simmons.com
Additionally, on 8 April 2020, MAS rolled out a S$125 million
covid-19 support package to bolster the financial and fintech sectors Marcus Teo
and buttress their recovery and future growth. The package features marcus.teo@simmons-simmons.com
three broad pillars: Ng Aik Kai
• support for worker costs (in the form of a Training Allowance aikkai.ng@simmons-simmons.com
Grant, jobs support scheme and salary subsidy for polytechnic
Sun Zixiang
graduate hires);
zixiang.sun@simmons-simmons.com
• support for operational costs (including a Digital Acceleration
Grant designed specifically for fintech companies, a 90 per cent Low Si Rong
course fee subsidy and discounts on rental costs); and Seah Ern Xu
• support for access to business opportunities (six months free
access to the API Exchange (APIX), a digital self-assessment tool
168 Robinson Road, #11-01
and a Digital Acceleration Grant for financial institutions).
Capital Tower
Singapore 068912
Finally, on 13 May 2020, the MAS announced the launch of a S$6 million
Singapore
MAS-Singapore FinTech Association-AMTD Fintech Solidarity Grant Tel: +65 6831 5600
to support Singapore-based fintech firms amid the challenging busi- Fax: +65 6831 5688
ness climate. The Grant comprises two components. First, as part of www.simmons-simmons.com
the S$1.5 million Business Sustenance Grant, eligible Singapore-based
fintech firms can receive a one-time grant for up to S$20,000 to cover
day-to-day working capital expenditures, such as salaries and rental
costs. The short-term assistance will help fintech firms sustain their
operations and retain their employees. Second, as part of the S$4.5
million Business Growth Grant (BGG), eligible Singapore-based fintech
firms can receive up to S$40,000 for their first Proof of Concept (POC)
with financial institutions on the APIX platform and S$10,000 for each
subsequent POC, subject to a total cap of $80,000 per firm for the entire
duration of the grant. The BGG will also provide funding for the salaries
of undergraduate interns, capped at S$1,000 per month per intern.
This situation is subject to change. The latest information on
the MAS response to covid-19 can be accessed at: www.mas.gov.sg/
regulation/covid-19.
180 Fintech 2021

South Africa
David Geral, Kirsten Kern, Livia Dyer, Claire Franklyn, Xolani Nyali and Bright Tibane
Bowmans
FINTECH LANDSCAPE AND INITIATIVES industry. The IFWG Innovation Hub was launched in April 2020. At this
stage, it is too early to assess and comment on its efficacy.
General innovation climate In January 2019, the CARWG published a consultation paper
1 What is the general state of fintech innovation in your containing policy proposals for the development of regulatory
jurisdiction? responses, proposing its intended regulatory approach in respect of
priority areas and heralding an initial focus on anti-money laundering,
South Africa has a vibrant fintech environment, including: token-based transacting, capital raising, cryptographic derivative prod-
• fintech start-ups as well as product development teams at tradi- ucts and market provisioning.
tional, established financial institutions, primarily in remittances, In January 2020, the IFWG published its first fintech landscaping
microfinance, personal and commercial insurance, investment, report (‘Fintech Scoping in South Africa'), the object of which was to
mobile payments, peer-to-peer lending offerings and virtual token obtain a ‘clearer understanding of the Fintech market to enable policy-
exchanges; makers and regulators to better manage risk and enable innovation’.
• funders servicing the spectrum from venture capital through to In April 2020, the IFWG issued a policy position paper on crypto-
more traditional equity and debt funding arrangements; assets that aimed to provide recommendations for the development of a
• a range of incubation and acceleration facilities, some independent regulatory framework for crypto-assets.
(including commercial and academic providers) and some hosted
by established financial institutions; and FINANCIAL REGULATION
• relatively transparent efforts at developing a coherent regulatory
framework involving most of the relevant regulatory authorities. Regulatory bodies
3 Which bodies regulate the provision of fintech products and
Government and regulatory support services?
specific to financial innovation? If so, what are the key There are currently no fintech product and services-specific laws or
benefits of such support? regulatory bodies.
However, certain fintech products and services may fall within the
In 2016, the Intergovernmental FinTech Working Group (IFWG) was scope and ambit of general financial services regulatory frameworks
established (comprising members from the South African Reserve and, thus, will be subject to the supervision of regulatory bodies charged
Bank, the National Treasury, the Financial Sector Conduct Authority, the with the monitoring of those frameworks. As such, the Financial Sector
Financial Intelligence Centre and the South African Revenue Service) Conduct Authority (FSCA), the Prudential Authority (PA), the National
with the purpose of developing a common understanding among Credit Regulator (NCR), the South African Reserve Bank (SARB) and
regulators and policymakers of financial technology developments the Financial Intelligence Centre may each have regulatory over-
as well as policy and regulatory implications for the financial sector sight in respect of various aspects of the offering of fintech products
and economy. and services.
In early 2018, a joint working group was formed under the auspices
of the IFWG to specifically review the position on cryptocurrencies. Regulated activities
The working group is called the Crypto Assets Regulatory Working 4 Which activities trigger a licensing requirement in your
Group (CARWG). jurisdiction?
The IFWG Innovation Hub comprises a regulatory guidance unit,
a regulatory sandbox unit and an innovation accelerator. The regula- Financial services
tory guidance unit helps market innovators resolve specific questions The Financial Advisory and Intermediary Services Act 2002 (FAIS)
regarding the policy landscape and regulatory requirements and requires any person who seeks to market or provide financial services
provides a central point of entry for market innovators to submit to clients or investors, whether from within South Africa or on a cross-
enquiries related to fintech and innovation-oriented policies and regu- border basis from offshore, as a regular feature of its business, to be
lations. The regulatory sandbox unit provides market innovators with appropriately authorised under FAIS (as a financial services provider or,
an opportunity to test new products and services that challenge the under certain circumstances, as a representative). The term ‘financial
formulation or application of existing regulation under the supervision services’, for the purposes of FAIS, comprises ‘advice’ and ‘intermediary
of relevant regulators. The innovation accelerator exists to provide a services’ in relation to ‘financial products’. In turn, the term ‘financial
collaborative, exploratory environment for financial sector regulators products’ is broadly defined to include, among other things, shares,
to learn from and work with each other on emerging innovations in the derivatives, money market instruments, bonds, participatory interests
South Africa Bowmans
in collective investment schemes, certain investment instruments, includes in its definition of a credit provider a person who acquires the
deposits as well as ‘any other product similar’. Therefore, depending on rights of a credit provider under an NCA-regulated credit agreement
its specific characteristics and function, it is possible for a virtual token after that agreement has been entered into. Secondary market loan
to meet one or more of the criteria for a financial product, accordingly trading will be subject to the NCA under circumstances where the orig-
triggering the relevant regulation and supervision. inal loan being traded was subject to the NCA (in other words, where an
FAIS falls under the purview of the FSCA. Services that are currently exemption from the NCA applied to the original loan, secondary market
subject to licensing by the FSCA under FAIS (as intermediary services) trading in respect of that loan will also be exempt from the NCA). The
include (but are not limited to) arranging investment deals, making NCA falls under the purview of the NCR.
arrangements with a view to investment transactions and dealing in
investments as an agent. Acting as an agent or intermediary in rela- Banking and deposit-taking activities
tion to forex investments by local clients or investors is also licensable The Banks Act 1990 (the Banks Act) requires any person seeking to
under FAIS. At present, dealing in investments or financial products as conduct ‘the business of a bank’ in South Africa to be registered as a
principal is not licensable under FAIS, although an amendment to the local bank or to be licensed as a local branch of a foreign banking insti-
definition of an intermediary service, brought about in 2018 (but which is tution. Two of the key activities included in the concept of the business of
not yet in force), will subject principal dealing in investments with local a bank are the marketing or solicitation of deposits (which would include
clients to FAIS licensing requirements in future. the promotion of bank deposit accounts) and the acceptance of deposits,
Services that are subject to licensing under FAIS (as ‘advice’) among other things. The Banks Act falls under the purview of the PA,
include (but are not limited to) advising on investments and advising from a prudential perspective, and the FSCA, from a market conduct
on forex trades. In terms of FAIS, a FAIS-unlicensed financial services perspective. Licensing under the Banks Act is considered by the PA.
provider may not promote or market its business or capabilities to any
South African-resident person, whether onshore in South Africa or from Payment services
offshore on a cross-border basis. The National Payment System Act 1998 (NPSA) provides for the manage-
ment, administration, operation, regulation and supervision of payment,
OTC derivatives clearing and settlement systems in South Africa. It also provides for the
Regarding over-the-counter (OTC) derivatives as investment instru- establishment of the Payments Association of South Africa (PASA) as
ments, Regulations under the Financial Markets Act 2012 (the FMA the body mandated by the SARB to organise, manage and regulate the
Regulations) provide that a person who, as a regular feature of business participation of its members in the payment system. The NPSA makes
and transacting as principal, originates, issues, sells or makes a market provision for various role players (both bank and non-bank) in the
in an OTC derivative must be registered as an OTC derivative provider. payment system and requires the role players seeking to participate in
The FMA Regulations fall under the purview of the FSCA. the payment system to be formally authorised to do so. The NPSA falls
under the purview of the SARB and PASA.
Credit and lending activities
The provision of loans or any form of credit is regulated under South Trading in currencies
African law by the provisions of the National Credit Act 2005 (NCA), Where forex trading involves the buying and selling of foreign currency,
which requires lenders in respect of whose credit agreements the NCA those activities can be performed only by authorised dealers in South
applies, to formally register as ‘credit providers’ with South Africa’s Africa (generally, commercial banks in South Africa that have been
NCR. The NCA generally applies to every credit agreement between appointed as such by the SARB) or, to a limited extent, by authorised
parties dealing at arm’s length and made within, or having an effect in, dealers with limited authority. This falls under the purview of the SARB
South Africa. in terms of South Africa’s legislated exchange control regime.
The NCA provides for certain general exemptions from its applica-
tion (the NCA Exemptions). In this regard, the NCA will not apply to: Consumer lending
• a credit agreement in respect of which the credit receiver (borrower) 5 Is consumer lending regulated in your jurisdiction?
is a juristic or legal person (as opposed to a natural person or indi-
vidual) whose net asset value or annual turnover, together with the Credit and lending activities
combined net asset value or annual turnover of all persons related The provision of loans or any form of credit is regulated under South
to the juristic person credit receiver, equals or exceeds 1 million African law by the NCA, which requires lenders in respect of whose
rand at the time of conclusion of the credit agreement; credit agreements the NCA applies, to formally register as ‘credit
• a ‘large’ credit agreement (eg, a credit transaction, in respect of providers’ with South Africa’s NCR. The NCA generally applies to every
which the principal debt under that transaction falls at or exceeds credit agreement between parties dealing at arm’s length and made
250,000 rand, where the consumer for the purposes of the NCA is a within, or having an effect in, South Africa.
juristic person having a net asset value or annual turnover falling The NCA does provide for certain general exemptions from its
below 1 million rand); and application. In this regard, the NCA will not apply to:
• a local applicant credit receiver can formally apply to the Ministry • a credit agreement in respect of which the credit receiver (borrower)
of Trade and Industry for a credit agreement that the credit receiver is a juristic or legal person (as opposed to a natural person or indi-
seeks to enter into with an offshore (foreign) credit provider to be vidual) whose net asset value or annual turnover, together with the
formally exempt from the application of the NCA. combined net asset value or annual turnover of all persons related
to the juristic person credit receiver, equals or exceeds 1 million
Lending will be subject to the NCA unless an exemption from the NCA rand at the time of conclusion of the credit agreement;
applies. While there is no specific licensing regime for factoring or • a ‘large’ credit agreement (eg, a credit transaction, in respect of
invoice discounting, where the NCA applies to the underlying agree- which the principal debt under that transaction falls at or exceeds
ments in respect of which the factoring or discounting takes place, the 250,000 rand, where the consumer for the purposes of the NCA is a
person acquiring the rights to the debts under those underlying agree- juristic person having a net asset value or annual turnover falling
ments must also be licensed under the NCA. This is because the NCA below 1 million rand); and
182 Fintech 2021

Bowmans South Africa
• a local applicant credit receiver can formally apply to the Ministry established as companies, bewind trusts (in which the trust founder
of Trade and Industry for a credit agreement that the credit receiver transfers ownership of the trust assets to the beneficiaries with control
seeks to enter into with an offshore (foreign) credit provider to be vested in the trustees) or en commandite partnerships (a form of limited
formally exempt from the application of the NCA. partnership) and are, therefore, subject to the laws that govern those
arrangements. AIFs could trigger the application of CISCA; however, as
Lending will be subject to the NCA unless an exemption from the NCA no express carve-out for them is provided for in CISCA, AIFs should be
applies. While there is no specific licensing regime for factoring or carefully structured and marketed discriminatively to selected (sophis-
invoice discounting, where the NCA applies to the underlying agree- ticated) local investors. The application (or non-application) of CISCA to
ments in respect of which the factoring or discounting takes place, the an AIF must be considered on a case-by-case basis.
person acquiring the rights to the debts under those underlying agree- Where CISCA is triggered, the manager or operator of a foreign CIS
ments must also be licensed under the NCA. This is because the NCA will be indirectly regulated by the FSCA. Where CISCA does not apply
includes in its definition of a credit provider a person who acquires the to an AIF, the manager of the AIF is likely to be caught by the licensing
rights of a credit provider under an NCA-regulated credit agreement provisions of FAIS, in that investments in AIFs constitute financial prod-
after that agreement has been entered into. Secondary market loan ucts for the purposes of FAIS.
trading will be subject to the NCA under circumstances where the orig- In its policy position paper on crypto-assets (the Crypto Position
inal loan being traded was subject to the NCA (in other words, where an Paper), the Intergovernmental FinTech Working Group made a recom-
exemption from the NCA applied to the original loan, secondary market mendation that the pooling of crypto-assets be regarded as constituting
trading in respect of that loan will also be exempt from the NCA). The an AIF, which should, therefore, become a licensable activity in terms of,
NCA falls under the purview of the NCR. and following the enactment of, the Conduct of Financial Institutions Bill.
The Crypto Position Paper indicates, however, that a CIS should not be
Secondary market loan trading allowed to include crypto-assets in its portfolios.
6 Are there restrictions on trading loans in the secondary
market in your jurisdiction? Peer-to-peer and marketplace lending
9 Describe any specific regulation of peer-to-peer or
Secondary market loan trading will be subject to the NCA under circum- marketplace lending in your jurisdiction.
stances where the original loan being traded was subject to the NCA
(in other words, where an exemption from the NCA applied to the orig- There is no specific regulation of peer-to-peer or marketplace lending
inal loan, secondary market trading in respect of that loan will also be in South Africa. Activities in relation to peer-to-peer lending, however,
exempt from the NCA). are likely to trigger licensing or regulatory requirements under South
Africa’s general financial services regulatory frameworks (eg, the NCA,
Collective investment schemes the Banks Act, CISCA or the NPSA), where the offering entails engage-
7 Describe the regulatory regime for collective investment ment in regulated activities or regulated ancillary activities.
schemes and whether fintech companies providing In the main, peer-to-peer or marketplace lending will be regu-
alternative finance products or services would fall within its lated under the NCA unless an exemption from the NCA applies. The
scope. NCA requires lenders in respect of whose credit agreements the NCA
applies, to formally register as ‘credit providers’ with South Africa’s
The solicitation of investments in foreign collective investment schemes NCR. The NCA generally applies to every credit agreement between
(CISs) from local investors (including institutional investors) is governed parties dealing at arm’s length and made within, or having an effect in,
by the Collective Investment Schemes Control Act 2002 (CISCA), South Africa. The NCA provides for the following general exemptions:
together with the regulations and notices promulgated under CISCA. • a credit agreement in respect of which the credit receiver (borrower)
In terms of CISCA, no person may market, or solicit investments in, is a juristic or legal person (as opposed to a natural person or indi-
a foreign CIS unless the foreign CIS has itself been formally approved in vidual) whose net asset value or annual turnover, together with the
accordance with CISCA’s requirements by the FSCA. This prohibition is combined net asset value or annual turnover of all persons related
strictly enforced (such that even the naming of an unapproved foreign to the juristic person credit receiver, equals or exceeds 1 million
CIS to a South African prospect of any classification is strictly prohib- rand at the time of conclusion of the credit agreement;
ited). Breach of the prohibition constitutes a criminal offence. • a ‘large’ credit agreement (eg, a credit transaction, in respect of
The definition of a CIS includes an open-ended investment company, which the principal debt under that transaction falls at or exceeds
and it provides for a scheme where members of the public are invited to 250,000 rand, where the consumer for the purposes of the NCA is a
invest money or other assets in a portfolio where investors hold partici- juristic person having a net asset value or annual turnover falling
patory interests (any interest, shares, units, etc) and share pro rata in below 1 million rand); and
terms of their investment in the risks and benefits of the scheme. • a local applicant credit receiver can formally apply to the Ministry
The applicability (or non-applicability) of CISCA depends entirely of Trade and Industry for a credit agreement that the credit receiver
on whether the definition of a CIS under CISCA is met. As such, certain seeks to enter into with an offshore (foreign) credit provider to be
fintech product offerings could trigger the application of CISCA (eg, formally exempt from the application of the NCA.
crowdfunding offerings could trigger CISCA in circumstances where
investments are pooled in a portfolio as defined under CISCA). The offering and structure of the service would also generally need to
be assessed for compliance with the Banks Act, CISCA or the NPSA to
Alternative investment funds ensure that those frameworks are not inadvertently breached (ie, to
8 Are managers of alternative investment funds regulated? ensure that the offering does not involve the business of a bank, the
pooling of investments or the processing of payments in the regu-
Alternative investment funds (AIFs) themselves, including private equity lated space).
funds (but excluding hedge funds, which have been declared to be CISs),
are not currently specifically regulated in South Africa. AIFs are usually
Crowdfunding Open banking

10 Describe any specific regulation of crowdfunding in your 13 Are there any laws or regulations introduced to promote
jurisdiction. competition that require financial institutions to make
customer or product data available to third parties?
Crowdfunding is not specifically regulated in South Africa. However,
crowdfunding activities may be subject to existing regulation under No.
South Africa’s general financial services regulatory frameworks. For
example, the activities may fall within the ambit of: Robo-advice
• the Banks Act, where activities could be seen as deposit-taking 14 Describe any specific regulation of robo-advisers or other
(which constitutes the business of a bank); companies that provide retail customers with automated
• the Companies Act 2008 (the Companies Act), where the business access to investment products in your jurisdiction.
in question is a company, and the crowdfunding activities amount
to offers to the public of securities, which would necessitate compli- The Determination of Fit and Proper Requirements for Financial Services
ance with certain requirements, including the filing of a Companies Providers 2017 (the Fit and Proper Requirements), published under
Act-compliant prospectus; FAIS, specifically regulates ‘automated advice’, which is defined as ‘the
• CISCA, where investments are pooled; furnishing of advice through an electronic medium that uses algorithms
• FAIS, where the crowdfunding platform can be seen to provide an and technology, without the direct involvement of a natural person’. A
intermediary service or advice in relation to a financial instrument person that provides robo-advice is expected to be licensed under FAIS
or product; as a financial services provider (FSP) to do so and to meet certain criteria.
• the Financial Markets Act 2012 (FMA), where the online platform In addition to the standard governance requirements applicable to
can be seen to operate as an exchange, matching investors with an FSP in the Fit and Proper Requirements, an FSP that provides auto-
issuers or product providers; and mated advice must meet additional requirements relating to, among
• the NCA, where crowdfunding is based on a lending model (inter- other things, human resources, policies and procedures relating to the
mediation of loans is not regulated per se). monitoring and reviewing of algorithms, the testing of algorithms and
technological resources.
Invoice trading
11 Describe any specific regulation of invoice trading in your Insurance products
jurisdiction. 15 Do fintech companies that sell or market insurance products
While there is no specific licensing regime for invoice discounting or
trading per se, where the NCA applies to the underlying agreements Yes. Insurers and underwriters must be licensed under the Insurance
in respect of which the discounting or trading takes place, the person Act 2017, while persons seeking to broker or market insurance products
acquiring the rights to the debts under those underlying agreements on behalf of an insurer or underwriter require authorisation under FAIS
must also be licensed under the NCA. This is because the NCA includes (as insurance products constitute financial products under FAIS and
in its definition of a credit provider a person who acquires the rights of broking insurance constitutes an intermediary services).
a credit provider under an NCA-regulated credit agreement after that Insurers and underwriters are supervised, in the main, by the PA
agreement has been entered into. (with the FSCA supervising insurers on market conduct). Insurance
brokers (regulated under FAIS) are supervised by the FSCA.
Payment services
12 Are payment services regulated in your jurisdiction? Credit references
Yes. The NPSA provides for the management, administration, opera- credit information services in your jurisdiction?
tion, regulation and supervision of payment, clearing and settlement
systems in South Africa. It also provides for the establishment of PASA Yes. These services are likely to trigger registration requirements under
as the body mandated by the SARB to organise, manage and regulate the NCA as being the services of a credit bureau.
the participation of its members in the payment system. Although not expressed in the NCA itself, from a practical perspec-
The National Payment System Department of the SARB has formally tive, the NCR permits persons seeking to pull credit information from
clarified that the South African payment system encompasses the entire existing registered credit bureaux (as opposed to maintaining that infor-
payment process from a payer to a beneficiary and ‘. . . includes all mation themselves, on their own database) to register as ‘reseller credit
the tools, systems, mechanisms, institutions, agreements, procedures, bureaux’. Reseller credit bureaux are subject to a lighter-touch regu-
rules or laws applied or utilised to effect payment’. latory regime than that to which credit bureaux are subject, and are
The NPSA makes provision for various role players (both bank exempt from compliance with certain obligations imposed by the NCA
and non-bank) in the payment system, and requires the role players on credit bureaux proper.
seeking to participate in the payment system to be formally authorised
to do so. Fintech companies that seek to provide mobile money-type CROSS-BORDER REGULATION
products are likely to be subject to licensing under one of the roles
provided for under the NPSA. Electronic money is also regulated in Passporting
South Africa (albeit under a position paper published by the SARB), and 17 Can regulated activities be passported into your jurisdiction?
only a registered South African bank is permitted to issue e-money. This
requirement often means that fintech companies will need to partner No. The relevant licences and authorisations must be obtained under
with a bank to provide certain services within South Africa. each relevant regulatory framework. The applicable legislation also
applies to services provided on a cross-border basis from offshore into
South Africa.
184 Fintech 2021

Requirement for a local presence • holds more than 15 per cent of the shares in the company;
18 Can fintech companies obtain a licence to provide financial • is able to exercise or control the exercise of more than 15 per cent
services in your jurisdiction without establishing a local of the voting rights associated with securities of the company; or
presence? • has the right to appoint or elect, or control the appointment or elec-
tion of, directors of that company who control more than 15 per
The Collective Investment Schemes Control Act 2002, the Financial cent of the votes at a meeting of the board.
Advisory and Intermediary Services Act 2002 and the National Payment
System Act 1998 allow the acquisition of licences by foreign entities Acquisition of shares or any other interest in excess of 49 per cent in
without having a physical, staffed presence in South Africa. a market infrastructure requires the prior approval of the Minister
of Finance.
SALES AND MARKETING A CIS manager requires the prior approval of the FSCA where there
is a change in its shareholding, irrespective of the extent or materiality
Restrictions of the change.
19 What restrictions apply to the sales and marketing of Changes to the direct shareholding of a financial services provider
financial services and products in your jurisdiction? requires formal, post-notification to the FSCA, within 15 business days
after the change has occurred.
The marketing or offering of financial products (including collective A registered credit provider must notify the National Credit
investment schemes, insurance and deposit-taking, among other things) Regulator of a change to its shareholding post-registration, in accord-
requires the appropriate licences from the Financial Sector Conduct ance with the conditions attached to its registration.
Authority to be held. The marketing of lending products regulated by
the National Credit Act 2005 (NCA) is also prohibited unless a person FINANCIAL CRIME
is registered as a credit provider by the National Credit Regulator. The
marketing of payment services is not regulated or restricted per se, Anti-bribery and anti-money laundering procedures
but a person will not be permitted to provide the relevant regulated 21 Are fintech companies required by law or regulation to have
services in the absence of the required licence or registration with the procedures to combat bribery or money laundering?
Payments Association of South Africa.
No anti-corruption, anti-money laundering or other financial crime regu-
CHANGE OF CONTROL lations specifically govern fintech products and services in South Africa.
The Prevention and Combating of Corrupt Activities Act 2004 is the
Notification and consent primary law governing bribery and corruption prevention and enforce-
20 Describe any rules relating to notification or consent ment in South Africa. The Act criminalises public and private corruption
requirements if a regulated business changes control. (ie, corruption committed between private parties) and criminalises both
the payment and receipt of a bribe (referred to as ‘gratification’ under
In relation to banks, a person who seeks to acquire 15 to 49 per cent South African legislation). The Act may also apply extraterritorially where
of shares in a bank requires prior approval of the Prudential Authority there is a sufficiently close connection. The Act does not prescribe any
(PA), and seeking to acquire 49 per cent or more of shares in a bank specific anti-bribery procedures that would apply to fintech companies.
requires prior approval of the Minister of Finance. The two most significant pieces of anti-money laundering legisla-
Prior approval must be obtained by a person who seeks to be a tion in South Africa are the Prevention of Organised Crime Act 1998
‘significant owner’ of a bank, an insurer, a collective investment scheme (POCA) and the Financial Intelligence Centre Act 2001 (FICA). In broad
(CIS) manager or a market infrastructure (such as a stock exchange terms, POCA creates statutory money laundering offences, and FICA
or central securities depository). In respect of insurers and banks, establishes the broad legal and administrative framework for combating
approval must be obtained from the PA, and in respect of CIS managers anti-money laundering in South Africa.
and market infrastructures approval, approval must be obtained from FICA’s anti-money laundering provisions are more stringent for
the Financial Sector Conduct Authority (FSCA). A person is regarded as companies that are ‘accountable institutions’ in terms of the Act. A
a significant owner if the person, directly or indirectly, alone or together fintech company may have to register as an accountable institution
with a related or interrelated person, has the ability to control or influ- under FICA and would be subject to the anti-money laundering (AML)
ence materially the business or strategy of the institution. In turn, a regime set up by that Act, for example, where a particular fintech-based
person has the ability to control or influence materially the business or product meets the definition of a financial product under the Financial
strategy of an institution if: Advisory and Intermediary Services Act 2002.
• the person, directly or indirectly, alone or together with a related Fintech businesses that fall under the definition of accountable
or interrelated person, has the power to appoint 15 per cent of the institutions in FICA are subject to demanding compliance obligations,
members of the board of directors; including:
• the consent of the person, alone or together with a related or inter- • ensuring that there are measures being taken to identify and verify
related person, is required for the appointment of 15 per cent of the their clients;
board members; or • conducting due diligence on clients;
• the person, directly or indirectly, alone or together with a related • filing suspicious transactions reports; and
or interrelated person, holds a qualifying stake in the institution. • conducting enhanced ongoing monitoring procedures on clients
that fall under the definition of ‘foreign prominent public official’ or
Any acquisition of shares or any other instrument in a market infra- ‘domestic prominent influential person’.
structure that will entitle that person to exercise direct or indirect
control over the institution requires the prior approval of the FSCA. For South Africa also belongs to the Financial Action Task Force (FATF) and
this purpose, a person exercises control if that person, alone or with the Eastern and Southern Africa Anti-money Laundering Group. In 2019,
associates: the FATF amended FATF Recommendation 15 (on new technologies). The
amendment requires jurisdictions to regulate crypto-assets and crypto- quotation, pre-agreement statement and loan agreement, and adhere to
asset service providers (CASPs) for anti-money laundering and combating several pre- and post-agreement rules and restrictions).
the financing of terrorism (AML/CFT). Jurisdictions must ensure that A credit agreement regulated by the NCA entered into on a peer-
CASPs are licensed or registered and subject to AML/CFT systems. to-peer or marketplace lending platform may be declared void and
In addition to the above, the Intergovernmental FinTech Working unenforceable in certain instances (eg, where a lender who is required to
Group’s policy position paper on crypto-assets (the Crypto Position be registered as a credit provider in terms of the NCA is not registered).
Paper) recommends that Schedule 1 of the Financial Intelligence Centre It is probably unlikely that peer-to-peer and marketplace lending
Act 2001 (FICA) be amended to include CASPs to the list of accountable arrangements will fall under any of the general NCA exemptions, but the
institutions (that is, for CASPs to be listed as their own category). This NCA will not apply in those cases. The exemptions are:
would encompass CASPs becoming accountable institutions in respect • a credit agreement in respect of which the credit receiver (borrower)
of those CASPs that are not already accountable institutions (by virtue is a juristic or legal person (as opposed to a natural person or indi-
of being, for example, an FSP). vidual) whose net asset value or annual turnover, together with the
No single law enforcement agency is charged with the investigation combined net asset value or annual turnover of all persons related
of corruption and money laundering offences in South Africa. Agencies to the juristic person credit receiver, equals or exceeds 1 million
with investigation powers include the South African Police Service, the rand at the time of conclusion of the credit agreement;
National Prosecuting Authority and Asset Forfeiture Unit, the Public • a ‘large’ credit agreement (eg, a credit transaction, in respect of
Protector and the Special Investigations Unit. The circumstances of which the principal debt under that transaction falls at or exceeds
each case determine who investigates it. 250,000 rand, where the consumer for the purposes of the NCA is a
juristic person having a net asset value or annual turnover falling
Guidance below 1 million rand); and
22 Is there regulatory or industry anti-financial crime guidance • a local applicant credit receiver can formally apply to the Ministry
for fintech companies? of Trade and Industry for a credit agreement that the credit receiver
seeks to enter into with an offshore (foreign) credit provider to be
There is currently no specific regulatory or industry anti-financial formally exempt from the application of the NCA.
crime guidance for fintech companies in South Africa. In January 2019,
however, the Crypto Assets Regulatory Working Group, in a consultation Assignment of loans
paper containing policy proposals for the development of regulatory 24 What steps are required to perfect an assignment of
responses, proposed that crypto-asset service providers be required to: loans originated on a peer-to-peer or marketplace lending
• register as accountable institutions with the Financial platform? What are the implications for the purchaser if the
Intelligence Centre; assignment is not perfected? Is it possible to assign these
• conduct customer due diligence; loans without informing the borrower?
• file reports on suspicious and unusual transactions; and
• implement appropriate record keeping. Where the loan agreement is regulated under the NCA (ie, where an
The Crypto Position Paper recommends, among other things: exemption from the NCA does not apply), the assignee must be regis-
• the implementation of an anti-money laundering and counterter- tered as a credit provider in terms of the NCA for the assignment to
rorism financing regime; and be lawful. This is because the NCA includes in its definition of a ‘credit
• a regulatory regime for the monitoring of cross-border finan- provider’ any person who acquires the rights of a credit provider under
cial flows. an NCA-regulated agreement after the agreement has been entered into.
Fintech companies should also be aware of how the compliance provi- Securitisation risk retention requirements
sions of the Cybercrimes and Cybersecurity Bill may affect them in 25 Are securitisation transactions subject to risk retention
future. The Bill has not yet been promulgated and, at present, has no requirements?
legal effect, but it is currently before the relevant South African legisla-
tive authority. The Bill aims to create a number of new offences relating Currently, no risk retention requirements are applicable in the South
to cybercrime and to assist in the prosecution and investigation of African market. However, given that South Africa has implemented the
those offences. For example, the present draft of the Bill would oblige Basel III requirements via regulations to the Banks Act 1990 (the Banks
financial institutions and electronic communications service providers Act), it is likely that securitisation transactions in South Africa may soon
to report offences implicating its computer system within 72 hours of be subject to similar risk retention requirements as those promulgated
the commission of the offence, taking steps to preserve any evidence across the European Union, including the Securitisation Regulation
related to the offence. (Regulation (EU) 2017/2402) and the Counterparty Credit Risk Amending
Regulation (Regulation (EU) 2017/2401), requiring, among other things,
PEER-TO-PEER AND MARKETPLACE LENDING securitising entities to have a new direct obligation to retain risk and the
implementation of the revised Basel securitisation framework.
23 What are the requirements for executing loan agreements or Securitisation confidentiality and data protection requirements
security agreements? Is there a risk that loan agreements 26 Is a special purpose company used to purchase and securitise
or security agreements entered into on a peer-to-peer or peer-to-peer or marketplace loans subject to a duty of
marketplace lending platform will not be enforceable? confidentiality or data protection laws regarding information
Loan agreements (and, indirectly, related security agreements) regu-
lated under the National Credit Act 2005 (NCA) as credit agreements must In South Africa, a special purpose vehicle that is set up to issue
comply with the onerous prescripts of the NCA to be valid (eg, a regis- commercial paper, as well as to acquire, own and deal in the under-
tered credit provider must provide a borrower with an NCA-compliant lying receivables acquired by the originator (the issuer SPV), may only
186 Fintech 2021

issue commercial paper if it complies with certain conditions set out in Crypto-assets
the Securitisation Regulations issued in terms of the Banks Act 1990, 29 Are there rules or regulations governing the use of crypto-
which exempts a securitisation structure from falling under the regula- assets, including digital currencies, digital wallets and
tory framework for banks. The issuer SPV can be formed in South Africa e-money?
or another jurisdiction, depending on the location of the securitisation
originator and other applicable commercial factors. It is well established (and confirmed by the relevant regulators) that
In cases where the SPV is set up in South Africa and is subject crypto-assets are currently not regulated. Accordingly (in very broad
to South Africa laws and regulations, there are no specific rules and terms), any activities in respect of those types of assets are not regu-
regulations governing confidentiality and data protection as it relates lated in South Africa. However, crypto-assets may have a different
to issuer SPVs in relation to the borrower in the context of securiti- regulatory treatment if they have characteristics similar to those of
sation (peer-to-peer or marketplace loans). However, the Protection existing regulated financial instruments or products in the South African
of Personal Information Act 2013 (POPIA) governs the processing and landscape. Whether crypto-assets have characteristics similar to those
transfer of personal data relating to securitisation transactions. The of existing regulated financial instruments or products in South Africa is
operative provisions and related regulations of POPIA were due to come a factual question and can be determined only on a case-by-case basis.
into effect on 1 April 2020, but this was delayed owing to the covid-19 In our experience, some crypto-assets constitute collective invest-
pandemic. The operative provisions and related regulations of POPIA ment schemes (CISs) under the Collective Investment Schemes Control
came into effect on 1 July 2020. Act 2002 (CISCA). In light of this, the key considerations in determining
In South Africa, there are also common law and constitutional whether a crypto-asset is a regulated instrument under CISCA are as
rights to privacy, including privacy of personal information. In practice, follows: whether the crypto-asset involves the pooling of investors’
South African institutions (including financial institutions and Issuer funds for investment in crypto-assets; whether the investors hold partic-
SPVs) already comply with POPIA in the treatment of personal data and ipatory interests (howsoever called); and whether the investors share
confidentiality because POPIA enshrines the common law and constitu- the risk and the benefit of investment in proportion to their participatory
tional rights to privacy already in place. interests. The Intergovernmental FinTech Working Group’s policy posi-
tion paper on crypto-assets (the Crypto Position Paper) recommends
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER that the pooling of crypto-assets be regarded as constituting an alterna-
TECHNOLOGY AND CRYPTO-ASSETS tive investment fund, which should become a licensable activity in terms
of the Conduct of Financial Institutions Bill. The Crypto Position Paper
Artificial intelligence indicates that a CIS should not be allowed to include crypto-assets in
27 Are there rules or regulations governing the use of artificial its portfolios.
intelligence, including in relation to robo-advice? Some crypto-assets, such as stablecoins, have the potential to be
seen as derivative instruments (forex derivatives), which are regulated
Yes, in respect of certain products. The National Payment System Act by both the Financial Markets Act 2012 (FMA) (regulating securities
1998 (NPSA) regulates system operators whose business is to assist traded on a stock exchange) and the Financial Advisory and Intermediary
participants in the South African payment system with the sending or Services Act 2002 (FAIS) (regulating the provision of financial services
receiving of instructions in respect of payment transactions, mainly in respect of listed and unlisted financial products). Similarly, owner-
through the provision of technical infrastructure. The NPSA regulates ship tokens that meet the functional definition of securities could be
such technical infrastructure. regulated under the FMA and FAIS.
The Determination of Fit and Proper Requirements for Financial E-money is not dealt with in any legislation, including the Banks Act
Services Providers 2017 (the Fit and Proper Requirements), published 1990 (the Banks Act), but it has been addressed in the E-Money Position
under the Financial Advisory and Intermediary Services Act 2002 Paper, issued by the South African Reserve Bank (SARB). According to
(FAIS), specifically regulates ‘automated advice’, which is defined as the E-Money Position Paper, the SARB will allow only registered South
‘the furnishing of advice through an electronic medium that uses algo- African banks to issue e-money, subject to section 52 of the Banks Act,
rithms and technology, without the direct involvement of a natural which allows for non-banks to enter into arrangements with banks
person’. A person that provides robo-advice is expected to be licensed that may permit those non-banks to offer payment-related services in
under FAIS as a financial services provider (FSP) to do so and to meet relation to e-money, in conjunction with the bank. Some digital wallets
certain criteria. qualify as e-money, and the activities surrounding those wallets are
In addition to the standard governance requirements applicable to subject to the E-Money Position Paper.
an FSP in the Fit and Proper Requirements, an FSP that provides auto-
mated advice must meet additional requirements relating to, among Digital currency exchanges
other things, human resources, policies and procedures relating to the 30 Are there rules or regulations governing the operation of
monitoring and reviewing of algorithms, the testing of algorithms and digital currency exchanges or brokerages?
technological resources.
Virtual currencies are not specifically regulated in South Africa. South
Distributed ledger technology Africa is, however, a common law-based jurisdiction that follows a princi-
28 Are there rules or regulations governing the use of ples-based, conduct-centric approach to financial regulation; therefore,
distributed ledger technology or blockchains? some of the activities relating to virtual currencies may be subject to
regulation if they have characteristics similar to the vanilla instru-
No. ments that are currently regulated in South Africa. The FMA applies
to all exchanges that facilitate transactions in ‘securities’ as defined;
therefore, the functional characteristics of each of the digital currencies
traded on an exchange must be considered to determine whether the
exchange should be licensed under the FMA.
Initial coin offerings including the unlawful accessing of data using software or hardware
31 Are there rules or regulations governing initial coin offerings tools. The intention is that new cybersecurity legislation will also be
(ICOs) or token generation events? made, although there is no firm timing on this and draft legislation has
not yet been released for comment.
There are no such rules specifically referring to ICO’s or other token The Intergovernmental FinTech Working Group’s policy position
generation events. However, to the extent that the tokens issued, gener- paper on crypto-assets (the Crypto Position Paper) notes the increased
ated or sold meet the functional definition of equity securities or debt cybersecurity risk in relation to crypto-assets and recommends that
securities under the Companies Act 2008, their issuance and sale may crypto-asset service providers (CASPs) ensure they meet the interna-
be subject to the existing (and complex and onerous) rules for initial tional cybersecurity standards for the safeguarding of crypto-assets.
public offerings, or for primary or secondary offerings of equity or debt. The Crypto Position Paper recommends implementing a regulatory
framework with guidelines to ensure that proper cybersecurity controls
DATA PROTECTION AND CYBERSECURITY are adopted by CASPs.
Data protection OUTSOURCING AND CLOUD COMPUTING

transfer (domestic and cross-border) of data relating to Outsourcing
fintech products and services? 34 Are there legal requirements or regulatory guidance with
Subject to the South African Reserve Bank’s Directive D3/2018 a material aspect of its business?
and Guidance Note G5/2018 addressing cloud computing and data
offshoring, there are no specific rules and regulations governing the Yes, depending on the nature or activities of the financial services
processing and transfer (domestic and cross-border) of data relating to company. Outsourcing by insurers and underwriters is subject to
fintech products and services, or specifically aimed at fintech companies. Prudential Standard GOI 5 ‘Outsourcing by Insurers’, which requires
There are also no sector-specific rules relating to the anonymisation an insurer to have an outsourcing policy for the outsourcing of mate-
and aggregation of personal data. rial business activities to comply with prescribed requirements and for
However, the Protection of Personal Information Act 2013 (POPIA) the outsourcing be notified to the Prudential Authority at least 30 days
will govern the processing and transfer of personal data relating to before it takes place.
fintech products and services. Although certain provisions of POPIA Outsourcing by banks is subject to Guidance Note 5/2014 issued
have been in effect for some time, the operative provisions (such as by the South African Reserve Bank (SARB), which requires a bank to
when and how personal data may be lawfully processed) only came into have an outsourcing policy and for the outsourcing of material busi-
effect on 1 July 2020. That said, it is already common practice for business activities of a bank to comply with certain requirements. Further,
nesses in South Africa to comply, given that POPIA gives effect to the Directive 8/2016 specifies reporting requirements regarding banks
existing common law and constitutional rights protecting personal data. outsourcing material functions.
Any data controller processing personal data in South Africa will The Determination of Fit and Proper Requirements for Financial
be bound by the provisions of POPIA, which may include fintech compa- Services Providers 2017 requires the outsourcing of certain func-
nies if they are responsible for determining the purpose of and means tions (such as functions that are integral to the nature of the financial
for processing the personal data (ie, if they act as a data controller). services for which the financial services provider is authorised or any
In terms of POPIA, personal data may be collected only for a specific, material important operational function of the FSP) to be compliant with
explicitly defined and lawful purpose, processed on the basis of a valid prescribed requirements.
justification for the processing (eg, consent and necessity for pursuing In certain limited circumstances, the outsourcing by a company
the legitimate interests of the data controller) and kept only until that of a material aspect of its business may trigger merger notification
purpose has been served. obligations under the Competition Act 1998 (the Competition Act) if
There are also restrictions on using personal data collected for the outsourcing arrangement constitutes the ‘acquisition of control of
direct marketing by electronic communications, including via email the whole or part of a business’ of the company for purposes of the
and text. Data subjects have the right to know who is processing their Competition Act, and if the thresholds for mandatory notification are met.
personal data and why, and to prevent it from being used for direct
marketing without their consent. Cloud computing
POPIA also specifically prohibits the transfer of personal data by a 35 Are there legal requirements or regulatory guidance with
data controller to a third party in a foreign country unless, among other respect to the use of cloud computing in the financial services
grounds, that country has an ‘adequate’ level of protection or that third industry?
party is subject to binding corporate rules or a binding agreement that
provides an adequate level of protection. In 2018, the SARB issued Directive D3/2018 and Guidance Note G5/2018
addressing cloud computing and data offshoring. In particular, the
Cybersecurity Directive and Guidance Note detail items that banks must consider when
33 What cybersecurity regulations or standards apply to fintech choosing to adopt cloud computing as a service or any offshoring of data.
businesses? In short, the SARB requires that banks elect a risk-based and mitiga-
tion approach, having consideration to the bank’s risk profile, size and
South Africa does not have a single, overarching legal and regulatory operations; for example, banks are directed to ensure that a formal board-
framework for cybersecurity. Instead, cybersecurity is dealt with in approved data strategy and governance framework is in place, ensure
various pieces of legislation, some with overlapping mandates. that the offshoring of data and use of cloud computing does not inhibit
New legislation dealing specifically with cybercrimes, the any regulators’ ability to fulfil their duties, and ensure that any cloud
Cybercrimes Bill, is currently before Parliament. The Bill updates the computing arrangement does not prevent the bank’s ability to conduct
current regulatory framework and creates various cybercrime offences, forensic audits or investigations. Banks are also required to consider the
188 Fintech 2021

classification of data, the materiality of the activity outsourced, the level • the intention of the parties to conclude a contract of employment;
of risk, the mode and form of cloud computing and the offshoring of data. • the existence of a relationship of authority (whether the employer
No such similar directives or guidance notes have been issued in exercises control and supervision over the employee);
respect of any other financial services providers in South Africa at present. • the remuneration of the employee (including an assessment of
economic dependence on the alleged employer);
INTELLECTUAL PROPERTY RIGHTS • the period of the contract of employment; and
• the rendering of personal services by the employee. An agreement
IP protection for software to the contrary can, however, be concluded between the employer
36 Which intellectual property rights are available to protect and the employee.
Importantly, the above exception does not apply to independent contrac-
If it complies with the relevant requirements, software (or a computer tors (ie, contractors or consultants). Independent contractors retain
program) is afforded protection in South Africa as a ‘work’ eligible for ownership of all intellectual property rights attaching to their work,
copyright under the Copyright Act 1978 (the Copyright Act). unless agreed otherwise. Therefore, where an independent contractor
Copyrights cannot be registered, but their protection arises auto- is creating software for payment, it is important to confirm that the
matically in law. As soon as a work comes into existence and meets the contract makes provision for the assignment of the copyright to the
requirements set out in the Copyright Act, it is protected in terms of person commissioning the work. For the assignment to be valid, it must
South African common law as a copyright work. be in writing and must show the necessary animus to transfer and
Copyright protects the product of an idea, or the ‘work’, rather receive ownership of the copyright on both sides of the transaction.
than an idea itself and entitles the copyright holder to prevent any All other forms of intellectual property do not automatically vest
other person from doing, directly or indirectly, any act in relation to the in the employer and must be assigned. Therefore, employment agree-
relevant work that the copyright owner has the exclusive right to do or ments (and independent contractor agreements) must include an
authorise. assignment of all intellectual property rights developed in the course
There are a number of types of works that are eligible for copyright and scope of employment.
under the Copyright Act, including, but not limited to, literary works and
computer programs. A program only constitutes a computer program Joint ownership
in terms of the Copyright Act if it is a finished product that is capable of 38 Are there any restrictions on a joint owner of intellectual
directing the operation of a computer to bring about an intended result. property’s right to use, license, charge or assign its right in
It is commonly understood that, until the time the program is capable of intellectual property?
doing so, it constitutes a literary work. As a result, software is afforded
protection under the Copyright Act. The protection of intellectual property software is only dealt with in
An important consideration for copyright protection is the identity terms of the Copyright Act. According to the Copyright Act, a ‘work
of the author. As a general rule, copyright automatically vests in the of joint ownership’ means a work produced by two or more authors
author of a work (although there are exceptions). In addition, to qualify in which the contribution of each author is not separable from the
for protection under the Copyright Act, the author must be an ‘eligible contribution of the other author or authors. The inseparability of the
person’, which means either a South African citizen or an entity incor- authors’ contributions gives rise to joint authorship (ie, co-ownership).
porated according to South African laws, and the work must be original Co-ownership may also arise where the copyright is assigned to more
and reduced to material form. than one assignee. In South African law, each co-owner obtains an indi-
Certain forms of copyright are subject to ‘moral rights’, which belong visible share in the copyright and may not use or dispose of such share
to the author. These are rights of paternity (ie, the right to claim owner- without the consent of the other co-owner.
ship) and integrity (ie, the right to object to any distortion, mutilation
or other modification of the work). However, the author of a computer Trade secrets
program or a work associated with a computer program may not prevent 39 How are trade secrets protected? Are trade secrets kept
or object to modifications that are absolutely necessary on technical confidential during court proceedings?
grounds or for the purpose of commercial exploitation of the work.
The Patents Act 1978 expressly excludes a program for a computer Confidential information
from being a patentable invention in South Africa. Confidential information is information that has the necessary quality of
confidentiality to justify legal protection, where confidentiality is more
IP developed by employees and contractors than value or usefulness of the information. To be treated as confidential
37 Who owns new intellectual property developed by an information, information must be:
employee during the course of employment? Do the same • capable of application in trade and industry;
rules apply to new intellectual property developed by • secret or confidential, that is, it must be known only to certain people
contractors or consultants? or be something that is not public property or public knowledge; and
• the information must have economic value to the person trying to
The protection of intellectual property software is only dealt with in protect it. Whether information is confidential is a question of fact,
terms of the Copyright Act. Generally, copyright automatically vests and information may lose its confidential nature over time.
in the author of the work. One of the exceptions in the Copyright Act
is in the case of an employment relationship, in which case the copy- Legal framework
right in any work made during the course of the author’s employment There is no specific legislation or regulation that deals directly with
under a contract of service or apprenticeship will vest in the employer. confidential information in South Africa. Confidential information is,
‘Employment’ is not specifically defined in the Copyright Act, so it is accordingly, regulated under the common law. In certain instances,
generally understood to have the meaning given to it under applicable confidential information may be protected under the Copyright Act where
law. In this regard, the following criteria are generally taken into account: the information constitutes a literary work and is reduced to writing.
Protections and remedies • marks that exclusively comprise a sign or indication that designates
The common law provides various mechanisms that can be used to various characteristics of goods or services; or
protect confidential information, trade secrets and know-how, including: • marks that exclusively comprise a sign or an indication that has
• contractual protection (this may either be express or implied); become customary in the current language or bona fide established
• delictual protection, comparable to tort under English law (specifi- practices in the trade.
cally protection from unlawful competition);
• interdict (equivalent to an injunction under English law); and The process of registering a trademark involves making an application,
• protection arising from a fiduciary relationship (eg, an agent, which is then examined.
mandatory or director). Examination first considers the formal requirements (ie, that the
mark is distinctive and capable of registration), and second considers
Most importantly, the person wishing to protect confidential information whether any conflict or third-party rights based on prior applications
must take practical steps to keep the information confidential. or registrations would be contravened using the trademark. The regis-
trar may accept the application unconditionally, or the registrar may
Trade secret accept the application subject to conditions, amendment or modification.
A trade secret is essentially a sub-category of confidential information Conversely, the registrar may also refuse the application provisionally,
in that it is a formula, practice, process, design, instrument, pattern, or the registrar may refuse the application altogether.
commercial method or compilation of information not generally known If the application is accepted, the acceptance must be advertised
or reasonably ascertainable by others by which a business can obtain in the Patent Journal. Any interested person may, within three months
an economic advantage or competitive edge over competitors or following the advertisement of the trademark application in the Patent
customers. Usually, only a strategic and limited number of persons hold Journal, lodge an opposition to the registration of the trademark. An
such information. opposition can be lodged on any of the grounds that the trademark is
not capable of registration under the Trade Marks Act.
Legal framework If the application is advertised and no objection is raised, the regis-
There is no specific legislation or regulation that deals directly with trar will register the trademark and issue a certificate of registration.
trade secrets in South Africa. Trade secrets are, accordingly, regulated Trademark registration is effective for an initial period of 10 years
under the common law. from the date of filing the application and, thereafter, is renewable
for similar periods in perpetuity. A trademark that has lapsed may be
Protection and remedies restored upon payment of a fine or additional fee and provided that the
The protection and remedies for trade secrets are the same as those registrar is satisfied that it is just to do so.
discussed above for confidential information. The general rule is that A trademark may be infringed in the following circumstances:
confidential information will be disclosed during court proceedings. The 1 the unauthorised use in the course of trade in relation to the same
exception would be that the information would not be disclosed if it falls goods or services in respect of which the mark is registered, of an
within the ambit of legal privilege. In addition, a witness can be subpoe- identical mark or a mark so nearly resembling the registered mark
naed to provide confidential information. The only ground for refusing as to be likely to deceive or cause confusion;
to provide documents or information in terms of a subpoena is legal 2 the unauthorised use in the course of trade of a mark that is iden-
privilege. tical or similar to the registered trademark, in relation to goods or
services so similar to the goods or services in respect of which the
Branding mark is registered that such use has a likelihood of deception or
40 What intellectual property rights are available to protect confusion;
branding and how do you obtain those rights? How can fintech 3 the unauthorised use in the course of trade in relation to any goods
businesses ensure they do not infringe existing brands? or services of a mark that is identical or similar to the registered
trademark if the registered trademark is well known in South Africa
Branding may be protected through the use of trademarks, which are and the use of the mark is likely to take unfair advantage of, or be
regulated in terms of the Trade Marks Act 1993 (the Trade Marks Act). A detrimental to, the distinctive character or repute of the well-known
trademark provides the owner thereof with the exclusive rights to use registered trademark, notwithstanding the absence of confusion or
the mark. Trademarks are registerable; however, registration is not a deception; and
requirement for the holder to have a remedy in the event of infringe- 4 the unauthorised use of a trademark that constitutes, or the
ment. The registration of a trademark, nevertheless, provides a clear and essential part of which constitutes, a reproduction, imitation or
enforceable right to that trademark. Accordingly, it is recommended that translation of a trademark that is entitled to protection under the
trademarks be registered as the remedies in respect of infringement of Paris Convention as a well-known mark (even though not registered
a registered trademark are more comprehensive and easily enforceable in South Africa), if the use is in relation to goods or services that are
than those under common law in respect of an unregistered trademark. identical or similar or to goods or services for which the mark is
In terms of the Trade Marks Act, a trademark can be registered if: well known, and the use is likely to cause deception or confusion.
• the trademark is capable of distinguishing between goods and
services of one person from those of another; and The Trade Marks Act sets out the following defences to an infringement
• a mark is capable of making a distinction as it is either inherently claim (with an exception to point (4) above):
capable of distinguishing between goods and services of one trader • any bona fide use by a person of his or her own name, the name of
from another, or capable of making a distinction through prior use. his or her place of business, the name of any of his or her prede-
cessors in business, or the name of any such predecessor’s place
The Trade Marks Act excludes certain trademarks from registration, of business;
including without limitation: • the use by any person of any bona fide description or indication of
• marks that do not constitute a trademark; the kind, quality, quantity, intended purpose, value, geographical
• marks that lack the general or inherent ability to make a distinction; origin or other characteristics of his or her goods or services, or
190 Fintech 2021

the mode or time of production of the goods or the rendering of TAX

the services;
• the bona fide use of the trademark in relation to goods or services Incentives
where it is reasonable to indicate the intended purpose of those 43 Are there any tax incentives available for fintech companies
goods, including spare parts and accessories, and such services; and investors to encourage innovation and investment in the
• the importation into or the distribution, sale or offering for sale in fintech sector in your jurisdiction?
South Africa of goods to which the trademark has been applied by
or with the consent of the proprietor thereof; No.
• the bona fide use by any person of any utilitarian features embodied
in a container, shape, configuration, colour or pattern that is regis- Increased tax burden
tered as a trademark; 44 Are there any new or proposed tax laws or guidance that
• the use of a trademark in any manner in respect of or in rela- could significantly increase tax or administrative costs for
tion to goods to be sold or otherwise traded in, or services to be fintech companies in your jurisdiction?
performed, in any place, or in relation to goods to be exported to
any market, or in any other manner in relation to which, having No.
regard to any conditions or limitations entered in the register, the
registration does not extend; and IMMIGRATION
• the use of any identical or confusingly or deceptively similar trade-
mark that is registered. Sector-specific schemes
Remedies for infringement of IP businesses to recruit skilled staff from abroad? Are there
41 What remedies are available to individuals or companies any special regimes specific to the technology or financial
whose intellectual property rights have been infringed? sectors?
The protection of confidential information, trade secrets and know-how Foreign nationals require work permits to work in South Africa. The
is almost exclusively governed by common law; hence, there are protec- Immigration Act 2002 provides for various permits. The most commonly
tive mechanisms that provide for common law remedies. In addition to used permits are general work permits and intra-company transfer
the common law protective mechanisms that are available, legislation permits. General work permits are typically only granted if no suitable
also provides protection of intellectual property rights. South African is available to perform the work concerned.
In terms of the Copyright Act and the Trade Marks Act, the infringe-
ment of certain provisions is a criminal offence, the penalty for which UPDATE AND TRENDS
is a fine or imprisonment. In addition, both the Copyright Act and the
Trade Marks Act provide for civil proceedings to be instituted where Current developments
intellectual property rights have been infringed, affording the following 46 Are there any other current developments or emerging
possible relief: trends to note?
• in the case of copyright:
• damages (but only where the defendant was aware or had Financial regulatory
reasonable grounds for suspecting that copyright subsisted In January 2019, the Crypto Assets Regulatory Working Group (CARWG)
in the work); published a consultation paper containing policy proposals for the
• an interdict; development of regulatory responses. The paper points out that a
• delivery of infringing copies or plates used for making useful starting point for regulatory intervention is through registration.
infringing copies; The objective of the registration process is specifically to gain further
• in lieu of damages, at the option of the plaintiff, a reasonable insights from market participants. According to the proposals, the
royalty; or crypto-asset service providers that will require registration are:
• additional damages as the court may deem fit, in certain • crypto-asset trading platforms or any other entity facilitating
exceptional circumstances; and crypto-asset transactions;
• in the case of trademarks: • crypto-asset digital wallet providers (custodial wallets);
• an interdict; • crypto-asset safe custody service providers (custodial services);
• an order for the removal of the infringing mark from all mate- • crypto-asset payment service providers; and
rial and where inseparable or incapable of being removed • merchants and service providers accepting payments in
from the material, an order that all such material be delivered crypto-assets.
to the proprietor;
• damages; or The policy position paper of the Intergovernmental FinTech Working
• in lieu of damages and at the option of the proprietor, a Group (IFWG) on crypto-assets (the Crypto Position Paper) recommends
reasonable royalty. the development of a regulatory framework for crypto-assets, including
recommending that crypto-assets remain without legal tender status
COMPETITION and not be recognised as electronic money.
The Crypto Position Paper recommends that the Financial Sector
Sector-specific issues Conduct Authority (FSCA) should become the responsible authority for
42 Are there any specific competition issues that exist with the licensing of ‘services related to the buying and selling of crypto-
respect to fintech companies in your jurisdiction? assets’ and that Schedule 1 of the Financial Intelligence Centre Act 2001
(FICA) be amended to include crypto-asset service providers (CASPs) to
No. the list of accountable institutions.
In terms of Recommendation 1 of the Crypto Position Paper, the

following entities and activities are classified within CASP functions:
• crypto-asset trading platforms (or any other entity facilitating or
providing the mentioned services);
• crypto-asset vending machine providers;
• crypto-asset token issuers;
• crypto-asset funds or derivative service providers;
• crypto-asset digital wallet providers (custodial wallet); and
• crypto-asset safe custody service providers (custodial service). David Geral
david.geral@bowmanslaw.com
The Crypto Position Paper also outlines the principle-based approach Kirsten Kern
that should be adopted by South Africa’s regulatory response, which kirsten.kern@bowmanslaw.com
includes: Livia Dyer
• adopting a risk-based approach; livia.dyer@bowmanslaw.com
• adopting a unified regulatory approach:
Claire Franklyn
• adopting a phased approach;
claire.franklyn@bowmanslaw.com
• being technology-neutral and primarily principles-based; and
• being resilient and adaptive. Bright Tibane
bright.tibane@bowmanslaw.com
The implementation plan provided in the Crypto Position Paper provides
estimated timelines ranging from six to twelve months to implement the 11 Alice Lane
theme outlined in the recommendations. Most notable is the implemen- Sandton
tation of a regulatory regime for anti-money laundering and combating Johannesburg 2146
the financing of terrorism, which the IFWG and CARWG estimate will South Africa
take six to nine month, noting, however, the possibilities of delays in the Tel: +27 11 669 9000
administrative process. www.bowmanslaw.com
The Conduct of Financial Institutions Bill provides (following its
enactment) for the requirements for the granting of a financial product
or service licence to be adapted to ‘facilitate financial inclusion’ or to
promote ‘innovative technology, processes and practices’. specific frameworks. The PA has also provided relief to the banking
sector in the form of minimum capital requirements for banks relating
Intellectual property to credit risk and temporary capital relief to alleviate risks posed by
The Copyright Amendment Bill was tabled in Parliament in May 2017 the pandemic.
and aims to provide greater protection to South African performers
and authors by ensuring that they receive fair remuneration. The Bill Competition law
has been criticised for not achieving this desired purpose, particu- The Minister of Trade, Industry and Competition (the Minister) published,
larly because it introduces a ‘fair use’ clause that is critiqued as being among other things, the Covid-19 Block Exemption for the Banking
too broad, thereby weakening the protection afforded to authors and Sector 2020 Regulations on 23 March 2020 (the Banking Exemption).
publishers. The Banking Exemption was published in terms of sections 10(10) and
78(1) of the Competition Act 1998 (the Competition Act), which permit
Coronavirus the Minister to issue regulations exempting a category of agreements
47 What emergency legislation, relief programmes and other or practices from the application of Chapter 2 of the Competition Act.
initiatives specific to your practice area has your state Chapter 2 of the Competition Act deals with prohibited conduct
implemented to address the pandemic? Have any existing (ie, horizontal and vertical restraints and abuse of dominance). The
government programmes, laws or regulations been amended Banking Exemption exempts, in coordination with or at the request of
to address these concerns? What best practices are advisable the Minister or, if applicable, the Minister of Finance, certain agreements
for clients? or practices between banks (as registered in terms of the Banks Act)
that would otherwise constitute contraventions of section 4 (horizontal
Financial regulatory prohibited conduct) and section 5 (vertical prohibited conduct) of the
As at the time of writing, no emergency legislation has been promul- Competition Act for the duration of the declaration of a state of national
gated to address the pandemic; however, the FSCA and the Prudential disaster in terms of the Disaster Management Act, and only for the
Authority (PA) have published a number of communications and notices purpose of responding to the disaster (eg, providing payment holidays
to mitigate the strain on resources and the financial and operational to debtors or maintaining the functioning and integrity of the national
capacity of financial institutions owing to the pandemic. These commu- payment system). The scope of the Banking Exemption was extended
nications and notices have provided relief in a number of ways, such as on 5 May 2020 to include all financial institutions registered as such in
providing relaxations and extensions to regulatory and filing deadlines terms of the FSRA.
in terms of the FSRA, the Financial Advisory and Intermediary Services
Act 2002, the Financial Markets Act 2012 and FICA. Tax law
The FSCA and PA have also provided relief by communicating Various tax measures have been introduced to provide relief to
expectations of regulated entities, such as insurers and collective taxpayers, including the measures set out below. These measures are
investment schemes, as well as publishing implementation dates for only applicable for a specific time period:
specific regulatory frameworks in advance to provide certainty and • qualifying employers may defer a percentage of their employees’
allow financial institutions to prepare for the implementation of the tax payments in respect of remuneration paid to employees during
192 Fintech 2021

April to July 2020. The deferred portion must be settled in six equal
instalments, with repayment commencing with the August payroll;
• qualifying taxpayers may defer a percentage of their provisional
tax payments. The deferred portion must be settled by way of a
top-up payment within six months after year end;
• payment of excise taxes on alcoholic beverages and tobacco prod-
ucts for May and June 2020 were deferred by 90 days;
• the first carbon tax payments would have been due by 31 July
2020, but were postponed until 31 October 2020;
• various tax administrative time periods were extended during the
initial lockdown period;
• covid-19 disaster relief organisations qualify for exemptions in
respect of income tax and donations tax, and donations to those
organisations are tax deductible subject to certain limits;
• the normal limits applicable to the deductibility of donations to
approved non-profit organisations were relaxed in respect of dona-
tions to the government’s solidarity fund;
• from April to July 2020, employers may claim an employment tax
incentive in respect of all employees earning less than 6,500 rand
per month;
• employers do not have to pay skills development levies for the
period from May to August 2020, although there was subsequently
a request by the Department of Higher Education for this to be a
deferral rather than an exemption;
• smaller businesses that normally file value added tax (VAT) returns
on a bimonthly basis, could submit VAT returns on a monthly basis
to accelerate VAT refunds;
• various anti tax-avoidance measures, which were announced in
February 2020, will be deferred until at least January 2021; and
• individuals who receive annuity income from living annuities can
generally only increase or decrease their annuity income once
a year, on the anniversary date of the annuities; however, these
rules were relaxed to allow for increases or decreases from May
to August 2020.
Securitisation
With regard to securitisation structures in particular, there has been
no new legislation or relief programme specifically enacted to address
the covid-19 pandemic. However, as the South African economy suffers
from the effects of the pandemic, some types of assets underlying South
African securitisation structures (ie, auto and equipment lease and
debtor books) will similarly be affected. As such, some types of secu-
ritisations will suffer some degree of credit weakening. Advisable best
practice for clients is to re-examine covenant headroom in the trans
action documentation as well as material adverse change provisions.
Spain
Alfredo De Lorenzo, Álvaro Muñoz, Carlos Jiménez de Laiglesia, Ignacio González, Juan Sosa and
María Tomillo

The Spanish fintech community is one of the biggest in Europe. In The regulator in charge of supervision of fintech products and services
this regard, Spain continues to promote this type of business, and the is the Spanish Securities Market Commission (CNMV) together with the
number of companies that use innovation and technology in the financial Bank of Spain and the General Directorate for Insurance and Pension
industry increases each year. Recent studies show that 70 per cent of Funds, depending on the type of entity intending to provide services in
the total number of fintech companies provide services linked to credit Spain and the exact nature of those services.
activities. The number of companies focused on electronic payments is
increasing as well as those dedicated to investment solutions. Regulated activities
specific to financial innovation? If so, what are the key There are a large number of activities that, when carried out in Spain on
benefits of such support? a professional and ongoing basis in respect of specified financial instru-
ments, trigger licensing requirements. These are set out in a number
The Spanish Securities Market Commission (CNMV) has set up a of different regulations, including those implementing the second
point of contact for business initiatives related to financial innovations Markets in Financial Instruments Directive in Spain as well as legisla-
currently available on the online portal of the CNMV (the CNMV Fintech tion that governs activities carried out by financial institutions, such as
Portal). This site gives online support to promote fintech initiatives that credit entities.
deliver better outcomes for consumers and that improve the efficiency The most common activities that may require a licence with respect
and competitiveness of the Spanish financial markets. Through this site, to specified financial instruments include:
the CNMV collaborates with fintech businesses and financial institu- • the reception and transmission of orders;
tions, providing guidance regarding the interpretation and application of • the execution of orders on behalf of clients;
rules and regulations where appropriate. In February 2020, the draft act • portfolio management;
that regulates a fintech sandbox in Spain, following the models already • providing investment advice (which requires that specific recom-
established in other jurisdictions, was approved. Under this draft act, mendations are made as opposed to providing generic advice only);
among others, the following objectives are met: financial sustainability • the underwriting or placing of financial instruments, or both;
control and risk minimisation, mitigation and adaptation of the regu- • dealing in investments as the principal or agent;
latory burden, creation of an space to boost the development of open • arranging or bringing about deals in investments; and
financial innovation and attraction of international investment. The final • making arrangements with a view to transactions in investments.
implementation will create opportunities for this country and important
advantages to better the position of the Spanish fintech sector. The To carry on any of these activities in relation to specified financial instru-
Spanish Association of Fintech and Insurtech actively participated in the ments on a professional and ongoing basis in Spain, the relevant entity or
creation of this fintech sandbox. The sandbox is designed to position natural person must obtain the appropriate authorisation or passport. In
Spain as a leader in financial innovation. addition to this authorisation, registration is a requirement to operate in
Spain. Authorisation is also required to carry out marketing or canvassing
of clients on a professional basis, as well as prior or preliminary activities
related to investment services and offering of financial instruments.
A similar regime applies to the provision of services that are typical
activities carried out by credit entities. The Spanish implementing text of
the Capital Requirements Directive expressly states that the activity of
taking repayable funds from the public (whether in the form of deposits,
loans or temporary transfers of financial assets or other analogous
194 Fintech 2021

Simmons & Simmons LLP Spain
actions) is a licensable activity that can only be carried out by credit CISs are a regulated product in Spain and must be locally regis-
entities that are authorised to operate in Spain and duly registered with tered. Management and distribution of CISs (ie, marketing, promotion
the Bank of Spain. Taking repayable funds from the public using capital and advertising) may only be carried out by licensed entities in Spain
markets through the issuance and placement of instruments with the as these activities trigger licensing requirements. Marketing of CISs is
aim of giving credit is a reserved activity. defined as those activities aimed at raising funds from clients by way
Notably, the provision of loans does not trigger licensing require- of any advertising activity for their investment into the CIS. Advertising
ments, even though it is a typical activity of credit entities. However, activity consists of targeting the public through telephone calls initi-
while the activity of extending credit is not a reserved activity, it is ated by the CIS or its management company, home visits, personalised
usually connected to other regulated activities that trigger licensing letters, emails or any other electronic media forming part of a dissemi-
requirements. nation, promotional or marketing campaign.
Regarding payment services, it is prohibited for entities or natural Whether a fintech company falls within the scope of this regulatory
persons who are not payment service providers (apart from certain regime will depend on the exact nature of its business and the type of
exceptions derived from the second Payment Services Directive (PSD2)) activities being carried out.
to provide payment services in Spain on a professional basis.
Alternative investment funds
Consumer lending 8 Are managers of alternative investment funds regulated?
Managers of alternative investment funds are regulated in Spain
Although it has traditionally been an activity carried out in Spain by under the AIFMD, which was implemented in Spain by Act 22/2014,
credit institutions and financial credit establishments, in the case of a of 12 November, governing private equity entities, other closed-ended
non-financial institution (ie, neither a credit institution nor a financial collective investment undertakings, and the management companies of
credit establishment) that is dedicated solely to the activity of granting closed-ended collective investment undertakings, which amended Act
consumer loans, this non-credit institution (formed as a company) may 35/2003, of 4 November, on Collective Investment Schemes.
carry out this activity without a licence. The number of persons who tend
to get credit from non-financial institutions offering personal loans rather Peer-to-peer and marketplace lending
than other traditional means (eg, banking credit cards and banking loans) 9 Describe any specific regulation of peer-to-peer or
is increasing. marketplace lending in your jurisdiction.
The regulatory regime for consumer credit is governed by Act
16/2011, of 24 June, on Credit Agreements for Consumers. This regula- Peer-to-peer lending is considered a crowd-lending activity under
tory regime applies to all contracts where entities or natural persons in Spanish legislation and is regulated by Act 5/2015, of 27 April, on the
the course of their business activity, profession or craft, grant or promise Promotion of Business Financing.
to grant a consumer credit in the form of a deferred payment, loan,
opening credit or any other equivalent means of financing, with the aim Crowdfunding
of covering personal needs outside of his or her professional or busi- 10 Describe any specific regulation of crowdfunding in your
ness activity and amounting to at least €200. This regulation broadly sets jurisdiction.
out the requirements that lenders need to comply with in relation to the
provision of information, documents and statements, and the detailed Crowdfunding is regulated by Act 5/2015, of 27 April, on the Promotion
requirements as to the form and content of the credit agreement itself, of Business Financing. This law affects reward-based crowdfunding,
including advertising, information to consumers, content, form of the equity crowdfunding and crowd lending, and governs, among other
contracts, cases of null-and-void contracts, right of withdrawal and costs. things, the normal operating model and regime of the platforms, the
In addition, Spanish Legislative Decree 1/2007, of 16 November, accreditation of the investor and the limits established for the amount
for the Protection of Consumers and Users also applies to consumer of the investment. These limits, which are some of the most restrictive
lending. Depending on the circumstances, other Spanish supplementary elements established in the law, include limitations on:
regulations may also be relevant. • raising funds for start-ups that amount to €5 million for accredited
investors (ie, professional investors) and to €2 million for non-
Secondary market loan trading accredited investors;
6 Are there restrictions on trading loans in the secondary • equity crowdfunding projects, which cannot exceed 125 per cent of
market in your jurisdiction? the project’s projected target; and
• platforms and projects to be invested in by non-accredited inves-
Provided that the loan itself is being traded, and not the loan instrument tors, which are capped at €10,000 and €3,000 respectively.
(the financial instrument creating or acknowledging indebtedness), there
are no restrictions on trading loans in the secondary market. It is expressly established that these types of investments are not
covered by the guarantee fund.
The general regulatory regime for collective investment schemes (CISs) There is no specific regulation of invoice trading in Spain. As a general
in Spain consists of the transposition of the Undertakings for Collective rule, there are no restrictions on invoice trading; however, the activities
Investment in Transferable Securities Directive and the Alternative and structure of a firm engaged in invoice trading should be analysed
Investment Fund Managers Directive (AIFMD), in addition to the regime to determine whether a regulated activity that requires permission or
that applies specifically to Spanish CISs. authorisation is taking place.
Spain Simmons & Simmons LLP
Payment services Robo-advice

12 Are payment services regulated in your jurisdiction? 14 Describe any specific regulation of robo-advisers or other
companies that provide retail customers with automated
Payment services are regulated by Royal Decree 736/2019, of 20 access to investment products in your jurisdiction.
December, on the legal regime on payment services and payment enti-
ties, which completes the transposition of PSD2 in Spain, which was There is no specific regulation of robo-advisers or other companies that
partially implemented by means of the Royal Decree 19/2018, of 23 provide retail customers with automated access to investment products
November, on payment services and other financial measures. in Spain. In terms of licensing requirements, Spanish legislation does
Payment services include: not distinguish based on the profiles of targeted investors, whether
• services enabling cash to be placed on a payment account, as well professional or retail. Automated access to investment products
as all the operations required for operating a payment account; through fintech companies in Spain is only possible if relevant licences
• services enabling cash withdrawals from a payment account, as are duly obtained. Fintech companies may provide automated activities
well as all the operations required for operating a payment account; related to investment advice (when referred to specific financial instru-
• execution of payment transactions; ments taking into account the personal circumstance of the investor)
• transfers of funds on a payment account with the user’s payment and portfolio management in Spain, but these activities imply the provi-
service provider or with another payment service provider; sion of certain services that trigger licensing requirements. In any
• execution of payment transactions where the funds are covered by case, authorisation and registration with the CNMV will be mandatory.
a credit line for a payment service user; In Spain, there are a number of entities providing this type of service,
• issuing and acquiring of payment instruments; most of them being investment firms exclusively dedicated to providing
• money remittance; and investment advice.
• execution of payment transactions where the consent of the payer
to execute a payment transaction is given by means of any tele- Insurance products
communication, digital or IT device, and a payment is made to the 15 Do fintech companies that sell or market insurance products
telecommunication, IT system or network operator, acting only in your jurisdiction need to be regulated?
as an intermediary between the payment service user and the
supplier of the goods and services. Selling or marketing insurance products in Spain is a regulated activity
and entities providing this service fall under the relevant Spanish regu-
To provide payment services in Spain, a firm must fall within the defini- lation. In this regard, a fintech company must act under the form of
tion of a ‘payment service provider’, which includes: a regulated entity (eg, insurance company or insurance intermediary
• credit institutions; as broker or agent). The Association of Fintech and Insurtech has
• electronic money institutions; published a white paper on fintech regulation in Spain, aimed at creating
• the national postal service of Spain; an adequate framework for these types of entities and to encourage
• the Bank of Spain; and alternatives to the existing Spanish regulations for financial services
• the Spanish general government administration, autonomous providers in Spain, including insurance services providers. In addi-
communities and local bodies. tion, there is draft legislation relating to the distribution of insurance
products in Spain, which will make significant changes to the insurance
A firm that provides payment services in or from Spain as a regular product market sector.
occupation or business activity (and is not exempt) must apply for
registration as a payment institution. Sanctions may be imposed Credit references
on any natural or legal person providing payment services without 16 Are there any restrictions on providing credit references or
authorisation. Since December 2019, entities wishing to act as payment credit information services in your jurisdiction?
institutions must follow the specific procedure established under the
aforementioned Royal Decree 736/2019, of 20 December, and submit The rules on credit ratings laid down in Regulation (EC) 1060/2009 (as
a request with the Bank of Spain to obtain relevant authorisation. The amended) apply in Spain. A credit-rating agency is required to adopt,
cross-border business of payment institutions will be possible in Spain implement and enforce adequate measures to ensure that its credit
as far as relevant passports to set up a local branch or agents have ratings are based on a thorough analysis of all the information that
been received by the Bank of Spain from entities located within the is available and that is relevant to its analysis according to its rating
territory of the European Union. The provision of services without the methodologies. At present, there are only two credit-rating agencies
presence of these entities in Spain will be also available if relevant noti- domiciled in Spain and included in the official register of the CNMV.
fications are received by the Bank of Spain. Spanish entities will provide
services abroad if the Bank of Spain has received relevant notifications. CROSS-BORDER REGULATION
In the case of the provision of activities in or from entities located out of
the European Union, express authorisation is needed. In certain cases, Passporting
the Bank of Spain may reject this authorisation. 17 Can regulated activities be passported into your jurisdiction?
Open banking An EEA firm may exercise passport rights to provide services in Spain
13 Are there any laws or regulations introduced to promote and may provide services through a local branch, agent or on a cross-
competition that require financial institutions to make border basis without presence in the territory. A non-EEA firm or an
customer or product data available to third parties? EEA firm that is not undertaking an activity that can be passported into
Spain, must establish a local presence, obtain an appropriate licence
No. or, in some cases, receive authorisation from the relevant regulator to
operate on a cross-border basis
196 Fintech 2021

Requirement for a local presence legal provision is complemented by Circular 6/2010, of 28 September,
18 Can fintech companies obtain a licence to provide financial for Credit and Payment Entities, on Advertising of Banking Services
services in your jurisdiction without establishing a local and Products.
presence? This Circular determines general principles and criteria to be
followed when preparing marketing materials and procedures and
An EEA firm may exercise passport rights to provide services in Spain. controls that entities must have in place in connection with banking
A non-EEA firm or an EEA firm that is not undertaking an activity that services and products. Other rules such as Order EHA/2899/2011, of 28
can be passported into Spain, must establish a local presence, obtain October, on Transparency and Protection of Clients of Banking Services
an appropriate licence or, in some cases, receive authorisation from the may also apply.
relevant regulator to operate on a cross-border basis. Although this regime is still in place (this regime basically follows
ex post control of advertising material), it is clear that a review of this
SALES AND MARKETING system is needed to adapt it to digital technology and guarantee compli-
ance. In this regard, on 1 July 2019, a draft of a new Circular of the Bank
Restrictions of Spain was published in respect of advertising of banking services
19 What restrictions apply to the sales and marketing of and products, which will give clarity to the advertising of these type
financial services and products in your jurisdiction? of services and products and will enhance client protection. This new
regulation, if finally enacted, may lead to significant changes in adver-
Investments tising as it would be the first time that social networks and audiovisual
Although general rules on marketing and advertising shall apply to the media are regulated in Spain.
investment business, there are specific regulations covering the sales The CNMV has supervisory functions in respect of the marketing
and marketing of investment services and products in Spain. In accord- and advertising of investment services and products.
ance with the Spanish Securities Market Act (which transposes the
second Markets in Financial Instruments Directive (MiFID II) in Spain), CHANGE OF CONTROL
this activity must be only carried out by entities that are authorised or
passported to provide the relevant investment service. Notification and consent
Although the sales and marketing of financial services is not an 20 Describe any rules relating to notification or consent
investment service itself, the activity consisting of marketing as well as requirements if a regulated business changes control.
the canvassing of clients triggers licensing requirements in Spain.
Advertising and marketing of investment services and prod- There are specific rules relating to change of control of regulated enti-
ucts are covered under sectorial regulations, in particular the Order ties. Where a person (whether acting separately or with others) decides
EHA/1717/2010, of 11 June, of Regulation and Control of Advertising to acquire, directly or indirectly, shares in a credit institution, insurance
of Investment Services and Products covers this type of advertising in company or investment firm that imply acquiring a significant holding
Spain and includes a definition of advertising activity. In this regard, or taking control of the entity, the relevant regulators (the Bank of
advertising activity includes a communication to the general public Spain, Spanish Securities Market Commission or General Directorate
aimed to promote, directly or indirectly through third parties, the for Insurance and Pension Funds) must first be notified and provide
contracting of a specific investment service or product (covering finan- their consent. The notification must be accompanied by documents and
cial instruments under MiFID), as well as those communications made information that will enable the relevant regulator to analyse the suit-
in the course of a public offer with the aim of impacting its result. It is ability of the potential acquirer. Once the relevant regulator expressly
expressly contemplated that advertising activity shall exist in respect states that there are no grounds to prevent the acquisition, the acquisi-
of communications to the general public on management or marketing tion may take place.
of collective investment schemes, private equity schemes or securitisa- A prior request must always be sent to the relevant supervisory
tion vehicles, although these communications do not refer to a specific authority and the acquisition may not take place before receiving rele-
product. This legal provision determines those procedures and controls vant authorisations. There are specific procedures and standardised
that entities must have in place when producing advertising materials forms that must be used in these circumstances.
in connection with investment services and products.
The content of the advertising material in no case may contradict FINANCIAL CRIME
or play down the importance contained in the prospectus and the key
investor information document. Advertising materials must be clearly Anti-bribery and anti-money laundering procedures
recognisable as such and the promotional character of the message 21 Are fintech companies required by law or regulation to have
must be explicit and evident. All information included in the materials procedures to combat bribery or money laundering?
must be fair, clear and not misleading, with the ultimate goal of abiding
by the general obligation to act in an honest, loyal and professional There is no specific legal or regulatory requirement for fintech
manner and in the best interests of clients while rendering invest- companies to have anti-money laundering procedures. The Spanish
ment services. Anti-Money Laundering Act applies to a number of regulated entities
The Spanish Securities Market Commission (CNMV) has supervi- and persons carrying out certain activities. Compliance with the Anti-
sory functions in respect of marketing and advertising of investment Money Laundering Act is compulsory and includes an obligation to have
services and products. appropriate policies and procedures in place to combat money laun-
dering and terrorism financing.
Banking Spanish legislation does not regulate anti-bribery and corruption
In respect of banking activities, Order EHA/1718/2010, of 11 June, on separately. The relevant regulation establishes monitoring mechanisms
the Regulation and Control of Advertising of Banking Services and to avoid illicit activity in organisations while also providing a range of
Products regulates this type of advertising in Spain. In addition, this sanctions, including the suspension of the activities and the dissolu-
tion of the company engaged in illegal activities. Regardless of whether
they are regulated, fintech companies should adopt a proactive position Assignment of loans
to establish preventive criminal monitoring measures and appropriate 24 What steps are required to perfect an assignment of
policies and procedures as a matter of good governance and risk loans originated on a peer-to-peer or marketplace lending
management. platform? What are the implications for the purchaser if the
Where initial coin offerings (ICOs) fall under the classification of a assignment is not perfected? Is it possible to assign these
public offer, procedures to combat bribery or money laundering should loans without informing the borrower?
be in place.
In May 2018, the EU approved new anti-money laundering legisla- Under Spanish law, the transfer of a loan originated on a peer-to-peer
tion targeting anonymity in the cryptocurrency market. (P2P) marketplace lending platform requires only the agreement of the
In September 2018, Spanish Royal Decree Act 11/2018 was transferor and the transferee. The loan agreement could impose addi-
published to partially implement the EU’s fourth Anti-Money Laundering tional requirements that would then be required for the effectiveness
Directive and this new text is now in force, although further regulations of the assignment in relation to the borrower, but this is not customary
are still pending approval. except in large loans. The transfer is valid even if no notice is given
to the borrower. However, until this notice is given, or the borrower is
Guidance aware of the transfer, the transfer is not effective against the borrower
22 Is there regulatory or industry anti-financial crime guidance and he or she may discharge his or her obligations by payment to the
for fintech companies? transferor, without any liability to the transferee. In addition, the transfer
will not be fully effective against third parties (including the transferor’s
There is no anti-financial crime guidance specifically for fintech firms. creditors) unless the transfer agreement is executed and notarised with
However, firms that are subject to the Anti-Money Laundering Act for the intervention of a public notary. As a result, transfer agreements are
carrying out certain types of activities subject to anti-money laundering usually notarised, and the parties notify the transfer to the borrower as
checks should comply with it. In addition, these entities should follow soon as it is effective.
the general recommendations for internal monitoring to prevent money Any security interest that secures the loan will transfer auto-
laundering and terrorism financing issued by the Spanish Executive matically with the loan and will secure the new creditor. In practice,
Service of the Commission for the Prevention of Money Laundering. however, it is necessary to carry out certain additional acts to put the
Regulatory and financial crime rules apply as far as the entities security under the name of the new lender. In the case of mortgages, it
are subject to these regulations considering the type of activity or the is necessary to register the transfer in the land registry and in the case
type of entity (banks, insurance companies, asset managers, investment of pledges over shares, claims or bank accounts, notice should be given
firms, etc). In this regard, there is an initiative proposing the creation of to the company, the debtor or the account bank respectively.
a specific regulatory framework for the fintech sector.
PEER-TO-PEER AND MARKETPLACE LENDING 25 Are securitisation transactions subject to risk retention
requirements?
23 What are the requirements for executing loan agreements or Application of the EU risk retention rules to securitisations
security agreements? Is there a risk that loan agreements of loans originated on a peer-to-peer or marketplace lending
or security agreements entered into on a peer-to-peer or platform (P2P securitisations)
marketplace lending platform will not be enforceable? The risk retention requirements set out in the sectoral EU legislation will
apply to P2P securitisations that are offered to European banks, invest-
Spanish law does not generally impose any formal requirements for ment firms, alternative investment funds or insurers. Under the current
executing loans. An exception to this is in respect of consumer loans for sectoral EU risk retention rules, certain investors (such as credit insti-
which there is a requirement that the agreement has to be drawn up tutions, Markets in Financial Instruments Directive-regulated firms and
on paper or another durable medium. Electronically signed documents alternative investment fund managers) will be subject to higher regula-
are recognised and are enforceable. The market practice, however, is tory capital charges where they invest in securitisation positions that do
that loan agreements are generally made in writing and are notarised not comply with the risk retention rules. Those rules require that either
by a Spanish public notary for the lenders to be able to enforce the loan the sponsor, originator or original lender in respect of the securitisa-
through certain special summary foreclosure procedures for notarised tion explicitly discloses to the investor that it will retain, on an ongoing
agreements. Only loans of small amounts are not executed in this way. basis, a material net economic interest in the securitisation (which in
Security agreements, on the other hand, are subject to strict any event is not less than 5 per cent) using one of five prescribed reten-
formalities and they will not be enforceable if these formalities are not tion methods. Those methods include (among other things) retention of:
met. All security agreements (with the exception of financial collateral • the most subordinated tranche or tranches, so that the retention
arrangements) have to be notarised and certain other formalities are equals no less than 5 per cent of the nominal value of the securi-
required depending on the type of security. Real estate mortgages have tised exposures;
to be registered with the land registry. In the case of ordinary pledges, • 5 per cent of the nominal value of each of the tranches sold to
the possession of the charged asset has to be delivered to the creditor investors; or
or to someone acting on its behalf. Pledges over shares, claims or bank • randomly selected exposures equivalent to no less than 5 per cent
accounts have to be notified to the company, the debtor or the account of the nominal value of the securitised exposures. The definitions
bank, respectively. of ‘sponsor’ and ‘originator’ as used in the sectoral EU legislation
are set out in the legislation. The term ‘original lender’ is undefined.
The risk retention rules set out in the sectoral EU legislation have been
replaced as of 2 January 2019 with the risk retention rules set out in
the EU Securitisation Regulation. The retention requirement and the
198 Fintech 2021

methods of retention remain the same under the EU Securitisation want to ensure that there are no restrictions in the loan documents that
Regulation. However, there is now a direct requirement on the sponsor, would prevent it from complying with its disclosure obligations under
originator and original lender to agree on an entity that will act as reten- Spanish and EU law (such as those set out in the Credit Rating Agency
tion holder and to ensure compliance with the retention requirement. Regulation). Again, if these restrictions are included in the underlying
In the absence of agreement among the originator, sponsor or original loan documents, the SPV would be required to obtain the relevant
lender as to who will be the retention holder, the originator will be borrower’s consent to this disclosure. In addition, if the borrowers
the retention holder. Definitions of ‘sponsor’, ‘originator’ and ‘original are individuals, the SPV, its agents and the P2P platform will each be
lender’ are set out in the EU Securitisation Regulation. required to comply with the statutory data protection requirements
The EU Securitisation Regulation does not explicitly set out the juris- under Spanish law.
dictional scope of the ‘direct’ retention obligation, but there is a helpful
note in the Explanatory Memorandum to the European Commission’s ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
original proposal for the EU Securitisation Regulation that the intention TECHNOLOGY AND CRYPTO-ASSETS
is that the direct approach would not apply to securitisations (including
P2P securitisations) where none of the originator, sponsor or original Artificial intelligence
lender is ‘established in the EU’. ‘Establishment’ is typically described 27 Are there rules or regulations governing the use of artificial
by reference to the jurisdiction in which the legal entity is incorporated intelligence, including in relation to robo-advice?
or has its registered office. Therefore, the non-EU subsidiary of an EU
entity may not be subject to the direct retention obligation because a The Spanish Securities Market Commission (CNMV) has stated that the
subsidiary is typically a separate legal entity, whereas a non-EU branch fact that the investment advice or portfolio management is automated
of an EU entity may be caught within this provision because a branch is does not make a difference in the way that the service is regulated and
typically not a separate legal entity. Market participants are still seeking that the relevant conduct of business rules, suitability assessments and
clarity on this and it is expected that this point will be raised as part other rules apply in the normal way. In this regard, there are no specific
of the ongoing European Banking Authority (EBA) consultation on risk rules or regulations governing the use of artificial intelligence.
retention.
Distributed ledger technology
Possible retaining entities in respect of P2P securitisations 28 Are there rules or regulations governing the use of
Typically, a P2P lending platform will not qualify as the sponsor, origi- distributed ledger technology or blockchains?
nator or original lender of a P2P securitisation, and another entity with
the capacity to retain will therefore need to be identified. The range of No.
entities with capacity to retain is broader under the EU Securitisation
Regulation than under the current EU sectoral legislation and, there- Crypto-assets
fore, the ability of an entity to retain will depend on the rules that apply 29 Are there rules or regulations governing the use of crypto-
at the time the securitised notes are issued. Any entity that retains in assets, including digital currencies, digital wallets and
the capacity of originator is expected to be an entity of substance, and e-money?
the EU Securitisation Regulation expressly provides that an entity shall
not be considered to be an originator where it has been established Although not a regulation, the CNMV has published a joint warning with
or operates for the sole purpose of securitising exposures. The EU the Bank of Spain regarding the risks of investing in cryptocurrencies
Securitisation Regulation does not specify in what circumstances an and initial coin offerings (ICOs).
entity will be considered to have been established for the sole purpose
of securitising exposures but, in December 2017, the EBA published a Digital currency exchanges
consultation paper that proposed that an originator will not be consid- 30 Are there rules or regulations governing the operation of
ered to have been established with the ‘sole purpose’ of securitising digital currency exchanges or brokerages?
exposures if it satisfies certain conditions, including that:
• it has a broader business enterprise and strategy; No.
• it has sufficient decision makers with the required experience; and
• its ability to make payment obligations depends neither on the Initial coin offerings
exposures to be securitised nor on any exposures retained for the 31 Are there rules or regulations governing initial coin offerings
purposes of the risk retention regulations. (ICOs) or token generation events?
Securitisation confidentiality and data protection requirements Given the complexity of the phenomenon, criteria in this regard
26 Is a special purpose company used to purchase and securitise are subject to review in light of the experience accumulated and the
peer-to-peer or marketplace loans subject to a duty of debate that is currently taking place at an international level and, in
confidentiality or data protection laws regarding information particular, within the European Securities and Markets Authority. The
relating to the borrowers? CNMV and Bank of Spain are jointly working on this topic, setting out
criteria applying in relation to ICOs. There is an official document that
The entity assigning loans to the special purpose vehicle (SPV) must provides guidance on, mainly, the consideration of tokens as transfer-
ensure that there are no confidentiality requirements in the loan docu- able securities, the need and scope of intervention of entities authorised
ments that would prevent it from disclosing information about the loans to provide investment services, as well as representation of tokens and
and the relevant borrowers to the SPV and the other securitisation the consequence of their trading on trading platforms, and, finally, the
parties. If there are these restrictions in the underlying loan documen- requirement for a prospectus.
tation, the assignor will require the consent of the relevant borrower
to disclose to the SPV and other securitisation parties the information
they require before agreeing to the asset sale. In addition, the SPV will
DATA PROTECTION AND CYBERSECURITY OUTSOURCING AND CLOUD COMPUTING
Data protection Outsourcing

32 What rules and regulations govern the processing and 34 Are there legal requirements or regulatory guidance with
transfer (domestic and cross-border) of data relating to respect to the outsourcing by a financial services company
fintech products and services? of a material aspect of its business?
On 25 May 2018, the EU General Data Protection Regulation (GDPR) There are no regulations specific to the outsourcing of IT systems,
came into force with direct effect across the entire EU. The GDPR including in relation to cloud computing and the internet of things.
governs the storage, viewing, use of, manipulation and other However, depending on the activities contemplated, consideration
processing by businesses of data that relates to a living individual. In will need to be given to restrictions on the processing of personal
summary, the GDPR requires that businesses only process personal data under the General Data Protection Regulation, aspects of the
data where that processing is done in a lawful, fair and transparent Intellectual Property Act approved by Royal Legislative Decree
manner, as further described in the GDPR. 1/1996, of 12 April, and parts of the General Telecommunications Act
The GDPR requires that any processing of personal data be 9/2014, of 9 May.
done pursuant to one of six lawful bases for processing. The most Financial services companies planning to outsource certain
commonly used lawful basis for processing is to obtain the consent services or activities may be subject to specific regulations. In general,
of the data subject to that processing – in relying on this lawful basis, credit institutions may delegate the provision of certain services and
the business must ensure that the consent is freely given, specific, the carrying on of certain functions to a third party provided that:
informed and unambiguous, and capable of being withdrawn as easily • there is no resulting void in the credit institution’s functions or
as it is given. This places a significant burden on businesses to ensure reduction in its internal control capacities; and
that their customers are fully informed as to what their personal data • supervisory authorities can continue to perform their supervisory
is being used for, which is a crucial change to the previous regime responsibilities.
under which disclosure did not need to be so transparent. Other lawful
bases for processing data include where that processing is necessary Importantly, outsourcing does not reduce a credit institution’s liability
for the business to perform a contract it has with the data subject, or for its legal obligations.
where required to comply with an obligation the business has at law Additional restrictions apply to the delegation by a credit institu-
(not a contractual obligation). tion of essential services or essential functions. Generally, a service or
The GDPR further differs from the previous regime in that it function is considered essential if it could affect compliance with the
places a significantly increased compliance burden on businesses, terms of a credit institution’s authorisation, financial results, solvency
including, for example, mandatory requirements to notify regulators or the continuity of banking activity. Financial institutions must notify
of data breaches, obligations to keep detailed records on processing any agreements delegating essential services or functions to the
and requirements for most entities to appoint a data protection officer. Bank of Spain, the Spanish Securities Market Commission or both one
Businesses that infringe the GDPR may be subject to adminis- month in advance.
trative fines of an amount up to €20 million or 4 per cent of global Bank of Spain Circular 2/2016 sets out further details regarding
turnover, whichever is higher. the extent to which outsourcing is permitted.
The Spanish parliament approved the Organic Act 3/2018, of 5 Credit institutions providing investment services must comply
December, to implement the measures and sanctions developing the with additional requirements set out in Royal Legislative Decree
GDPR. The main topics included in the new law are: 4/2015, of 23 October.
• data inspection and the appointment of an agency with responsi-
bility for inspections; Cloud computing
• penalties, including some exemptions from fines under the GDPR; 35 Are there legal requirements or regulatory guidance with
• proceedings in the case of a breach with different conditions respect to the use of cloud computing in the financial
depending on whether the breach is solely within Spain or services industry?
whether other jurisdictions are involved; and
• setting new digital rights as net neutrality, universal access to Not at the national level.
the internet, rights to security and digital education, right of The EU Agency for Network and Information Security (ENISA)
digital disconnection, digital last will, portability and right to be guidance entitled ‘Secure Use of Cloud Computing in the Finance
forgotten. Sector’ contains analysis of the security of cloud computing systems
in the finance sector and provides recommendations. Cooperation
Likewise, Organic Act 3/2018, of 5 December, also covers the rights of between financial institutions, national financial supervisory authori-
freedom of speech on the internet and the right to reply or clarify in ties and cloud service providers is encouraged. ENISA advocates a
relation to online news. risk-based approach to developing cloud computing systems in the
Oversight of compliance with the GDPR and related legislation is finance sector.
carried out by the Spanish Data Protection Agency.
Cybersecurity
33 What cybersecurity regulations or standards apply to IP protection for software
fintech businesses? 36 Which intellectual property rights are available to protect
There are no local rules on cybersecurity for fintech companies,
although Directive (EU) 2016/1148 on cybersecurity has been trans- Computer programs are protected by copyright as literary works.
posed by means of Royal Decree Act 12/2018, of 7 September. Registration is recommended.
200 Fintech 2021

IP developed by employees and contractors TAX

employee during the course of employment? Do the same Incentives
rules apply to new intellectual property developed by 43 Are there any tax incentives available for fintech companies
contractors or consultants? and investors to encourage innovation and investment in the
Copyright and database rights created by an employee in the course
of his or her employment are owned by the employer. Contractors or No specific tax incentives are available for fintech companies. General
consultants are also governed by the same disposition. R&D tax credits are available, amounting to 25 per cent (up to 42 per
cent under certain scenarios) for expenses incurred for R&D activities.
Joint ownership Further tax credits available for R&D staff expenses (17 per cent), tech-
38 Are there any restrictions on a joint owner of intellectual nological innovation (12 per cent) and R&D fixed assets and properties
property’s right to use, license, charge or assign its right in (8 per cent). For R&D, outsourcing is permitted (only with EU companies)
intellectual property? as long as the economic risk of the innovation project can be supported.
Spanish law differentiates between works made in a collaborative way Increased tax burden
and collective works. The first is made by the collaboration of different 44 Are there any new or proposed tax laws or guidance that
authors and its division must be agreed by all the authors, although no could significantly increase tax or administrative costs for
author can unreasonably hold his or her consent for any exploitation fintech companies in your jurisdiction?
once division has been agreed. Each author is able to exploit his or her
part of the work unless it prejudices the common work. The collective Yes; the new government proposed in the last budget bill some tax
work is made by different authors but under the initiative and coordina- measures that were not finally approved. However, it is expected that in
tion of another person, who has the rights over it. the coming year these measures will be introduced. Among others we
can highlight the following.
Trade secrets
39 How are trade secrets protected? Are trade secrets kept Digital services tax
confidential during court proceedings? A digital services tax was pre-drafted as an indirect tax assessed on
a quarterly basis. The taxable event would be the provision of certain
Confidentiality is mainly protected under the agreements or contracts digital services in Spain such as the sale of online advertising space,
that pertain to it, although its breach can be construed in certain cases online intermediary services and the transfer of user-related data
as a criminal offence. The Trade Secrets Directive has been implemented gathered from digital platforms. The tax rate would be 3 per cent of
in Spain by means of Act 1/2019, of 20 February, on trade secrets. gross revenue.
Branding Financial transaction tax

40 What intellectual property rights are available to protect The Spanish government decided to unilaterally propose a local finan-
branding and how do you obtain those rights? How can fintech cial transaction tax (FTT) given the lack of real progress of the enhanced
businesses ensure they do not infringe existing brands? cooperation procedure for the adoption of an FTT. It was pre-drafted
as an indirect tax. The taxable events for the financial transactions
Brands can be protected as registered trademarks either in Spain alone tax would be:
(as a Spanish trademark) or across the EU (as an EU trademark). Certain 1 the acquisition of qualifying shares of Spanish companies (ie,
branding, such as logos and stylised marks, can also be protected by shares listed on a regulated Spanish or EU stock exchange with
design rights and may also be protected by copyright as artistic works. a market capitalisation as at 1 December of the year before the
The Spanish Patent and Trademark Office has a database that can acquisition exceeding €1 billion);
be searched to identify which trademarks are already registered. In 2 the acquisition of securities corresponding to depositary receipts
addition, the EU trademark database can be searched to identify regis- representing qualifying shares; and
tered or applied-for trademark rights with effect in Spain. 3 the acquisition of qualifying shares or securities (as provided in (1)
or (2) above) derived from the execution or settlement of convert-
Remedies for infringement of IP ible or exchangeable notes or bonds, financial derivatives, any
41 What remedies are available to individuals or companies financial instruments or certain financial agreements.
The tax basis would be defined as the consideration for acquisitions
The main remedy is legal action with interim measures or preliminary subject to the tax. The tax rate would be 0.2 per cent.
measures. Both measures can be taken before filing a legal action, but
this has to be filed within a certain period of time to keep the protection Modification of participation exemption regime
granted by them. There are no injunctions in Spanish law. Currently, corporate income tax law provides for a full participation
exemption for domestic and foreign dividends and capital gains derived
COMPETITION by Spanish corporations, provided certain holding requirements are
met. The participation exemption regime would be revised so that only
Sector-specific issues 95 per cent of the relevant income is exempt.
No.
IMMIGRATION
sectors?
EEA nationals do not require a work or residence permit. Alfredo de Lorenzo

alfredo.delorenzo@simmons-simmons.com
Non-EEA nationals must obtain work and residence permits to live
and work in Spain. A range of licences can be issued by employers, each Álvaro Muñoz
licence has its own specific requirements. alvaro.munoz@simmons-simmons.com
As a general rule, for the technology and financial sectors, the Carlos Jiménez de Laiglesia
quickest and easiest way to recruit skilled staff from abroad is through carlos.jimenezlaiglesia@simmons-simmons.com
the highly qualified foreign professionals (HQP) permit. This type of
Ignacio González
permit is for professionals who are graduates or postgraduates of
ignacio.gonzalez@simmons-simmons.com
universities and prestigious business schools who will be employed in
Spain and whose fixed annual salary will be set at least at €45,000. The Juan Sosa
HQP permit has a streamlined process: according to the law, an applica- juan.sosa@simmons-simmons.com
tion for a residence permit must be resolved by the Spanish authorities María Tomillo
within a maximum of 20 working days from when it was duly registered, maria.tomillo@simmons-simmons.com
attaching all necessary documents. Once the permit has been granted,
the candidate will need to request a visa at the Spanish consulate of the
Calle Miguel Ángel 11
candidate’s country of residence.
5th floor
28010 Madrid
UPDATE AND TRENDS Spain
Tel: +34 91 426 2640
Fax: +34 91 578 2157
46 Are there any other current developments or emerging www.simmons-simmons.com
trends to note?
There are no relevant developments to note currently. From time to

time, the Spanish Securities Market Commission updates a question-
and-answer document answering the most relevant questions raised by
the industry in Spain.
Coronavirus
for clients?
In view of the covid-19 pandemic, from 14 March 2020 (the date of the
declaration of the state of alarm in Spain), the Spanish government
and the majority of regional and local authorities approved several
sets of legal measures to mitigate the adverse effects that this situ-
ation is having on the Spanish economy. Emergency legislation and
relief programmes have been published that impact the financial sector;
however, no specific measures have been put in place for the fintech
sector. In addition, fintech associations at a global level are working
together to propose a series of measures in the regulatory, legislative
and political environment to improve the ability of clients to access
financial digital services and improve the financing of fintech compa-
nies. The objective is to offer solutions in view of covid-19 to boost
the digital market and harmonise the legislative measures, creating a
unique market for digital financial services. The main purpose of these
proposed measures, and, specifically, financing solutions, is to protect
fintech companies from collapse as they may greatly help the economy
to recover.
202 Fintech 2021

Sweden
Emma Stuart-Beck, Caroline Krassén, Anton Sjökvist, Mikaela Lang, Henrik Schön, Trine Osen Bergqvist,
Nicklas Thorgerzon, Karl-Hugo Engdahl, Maria Schultzberg, Viveka Classon and Malin Malm Waerme
Vinge
FINTECH LANDSCAPE AND INITIATIVES All marketing activities that have the purpose of furthering the
sale of any product in Sweden, including fintech products of various
General innovation climate nature, are subject to the Swedish Marketing Practices Act (2008:486
1 What is the general state of fintech innovation in your (MPA)), which requires, for example, that marketing is carried out in
jurisdiction? accordance with generally accepted marketing practices. The Swedish
Consumer Agency, which includes the Consumer Ombudsman, is the
During its long history of fintech innovation, Sweden has produced primary authority responsible for ensuring that marketing material is
companies such as Klarna, iZettle, Trustly, Lendify, BehavioSec and compliant with the MPA.
Safello, just to name a few. Innovation is diverse, and fintech products
span areas such as banking services, payment and payment settle- Regulated activities
ment services, lending, biometrics and cryptocurrency. The Swedish 4 Which activities trigger a licensing requirement in your
fintech industry is still growing rapidly, and multiple fintech companies jurisdiction?
have emerged in, inter alia, the Swedish housing credit market. This
phenomenon may indicate a structural change for housing loan origi- The following activities trigger a licensing requirement:
nation in Sweden and a reduced market share for Sweden’s largest • consumer lending;
banks. However, the Swedish Financial Supervisory Authority (SFSA) • mortgage lending;
has indicated plans to introduce additional regulations in this area, and • consumer credit mediation;
the longevity of the new market actors remains to be seen. • lending in combination with accepting repayable funds from
the public;
Government and regulatory support • factoring and invoice discounting (when combined with accepting
2 Do government bodies or regulators provide any support repayable funds from the public);
specific to financial innovation? If so, what are the key • deposit taking (for deposits over 50,000 kronor);
benefits of such support? • management of alternative investment funds (AIFs) or undertak-
ings for collective investment in transferable securities (UCITS);
The Minister for Financial Markets has expressed interest in setting up • foreign exchange trading;
regulatory sandboxes where fintech start-ups may develop in an unreg- • insurance mediation;
ulated environment or only comply with a regulation-light regime, but • provision of payment services; and
the SFSA disagreed in a report published on 1 December 2017. In the • activities under the Capital Requirements Regulation No. 575/2013
same report, the SFSA proposed the introduction of the SFSA Innovation (the Capital Requirements Regulation).
Centre. The Innovation Centre was opened on 16 March 2018 and serves
to act as a point of contact for fintech companies and to facilitate a A licence is, furthermore, required for offering the services and products
dialogue with the SFSA. Furthermore, the Innovation Centre is intended covered by the Markets in Financial Instruments Directive 2014/65/EU
to provide guidance on applicable regulations for new financial services (MiFID II), such as the reception and transmission of orders in relation
products and fintech start-ups. to one or more financial instruments, the execution of orders on behalf
of clients, dealing on own account, portfolio management, advising on
FINANCIAL REGULATION investments in financial instruments, underwriting of financial instru-
ments or placing of financial instruments on a firm commitment basis,
Regulatory bodies and placing of financial instruments without a firm commitment basis.
3 Which bodies regulate the provision of fintech products and The following activities trigger a registration requirement:
services? • currency exchange;
• management or trading in virtual currencies;
The Swedish Financial Supervisory Authority (SFSA) generally acts as • deposit taking (for deposits up to 50,000 kronor); and
the competent regulator responsible for ongoing supervision of fintech • lending and credit mediation to non-consumers (if not combined
products and services and for the issuance of supplementary regula- with deposit taking).
tions and formal guidance. The SFSA is responsible for ensuring that
the business of (regulated) fintech companies is carried out in accord-
ance with applicable laws and regulations.
Sweden Vinge
Consumer lending neutral and factual as possible and may not be intrusive (by way of,
5 Is consumer lending regulated in your jurisdiction? for example, targeting certain types of possible consumers via digital
means). The marketing should also be balanced in the sense that certain
Yes, consumer lending is regulated through, inter alia, the Swedish terms of the credit should not be disproportionately highlighted, thereby
Consumer Credit Act (2010:1846), which includes relevant provisions reducing the consumer’s ability to make a well-founded decision.
relating to, among other things, sound lending practices, marketing of
consumer loans, credit assessments, information prior to the conclu- Secondary market loan trading
sion of and in relation to documentation of loan agreements, interest, 6 Are there restrictions on trading loans in the secondary
fees and repayment of loans. market in your jurisdiction?
To offer or provide consumer loans, the relevant company
is required to be authorised by the SFSA under, for example, the There are no particular restrictions on trading loans in the secondary
Swedish Consumer Credit (Certain Operations) Act (2014:275 (CCCOA)) market in Sweden.
(should the company solely provide or act as intermediary in relation
to consumer loans), the Swedish Banking and Financing Business Collective investment schemes
Act (2004:297) (should the company instead, given the operations 7 Describe the regulatory regime for collective investment
carried out, be considered a credit institution (as defined in the Capital schemes and whether fintech companies providing
Requirements Regulation)) or the Swedish Housing Credit Operations alternative finance products or services would fall within its
Act (2016:2014 (HCOA)) (should the company solely provide, act as an scope.
intermediary in relation to or provide advice regarding consumer loans
in the form of mortgages). Collective investment undertakings are regulated through the Swedish
Since 1 September 2018, new rules regarding high-cost credits UCITS Act (2004:46), stipulating that the management of a Swedish
apply, defined as credits granted to consumers that have an interest UCITS, the sale and redemption of units in the fund and administra-
rate of 30 percentage points above the reference rate according to the tive measures relating thereto may only be conducted following
Swedish Interest Act (1975:635), as determined by the Swedish Central authorisation from the SFSA (with foreign EEA management companies
Bank, and that do not primarily relate to a credit purchase or residential authorised in their respective home state being able to rely on pass-
immovable property. porting regulations to carry out operations in Sweden).
Pursuant to the new rules, certain caps have been introduced Fintech companies would generally not fall within the scope of the
whereby: (1) the maximum amount of interest, as well as any default above-mentioned regulatory regime.
interest, that may be charged under a credit agreement may not exceed
40 percentage points above the aforementioned reference rate; and (2) Alternative investment funds
the maximum amount of fees under a credit agreement may not exceed 8 Are managers of alternative investment funds regulated?
the credit amount.
For the purposes of (2), fees are defined as costs for the credit Yes, managers of AIFs (AIFMs) are regulated through the Swedish
(comprising the aggregate amount of interest rate, credit fees and other Alternative Investment Fund Managers Act (2013:561 (AIFMA)), imple-
costs that the consumer is obliged to pay under the loan, inclusive of menting the Alternative Investment Fund Managers Directive 2011/61/
necessary costs for valuation but excluding notarisation fees), default EU (AIFMD). Small AIFMs (ie, AIFMs managing AIFs below the thresh-
interest and costs pursuant to the Swedish Compensation for Collection olds specified in article 3(2) of the AIFMD) may be exempted from the
Costs Act (1981:739), comprising costs that the creditor has incurred for licensing requirements but must register with the SFSA and may not
measures taken for the purposes of obtaining payment including, for passport the registration into any other EU member state.
example, payment reminders and collection demands. Similar to the case in relation to UCITS, fintech companies would
The marketing of consumer credits has previously been subject generally not fall within the scope of the AIFMA.
to certain requirements regarding moderation and restraint. The new
rules also include an explicit requirement for all such marketing to be Peer-to-peer and marketplace lending
moderate. The new requirement is applicable to all types of consumer 9 Describe any specific regulation of peer-to-peer or
credits and, thus, not solely to high-cost credits (as defined above). marketplace lending in your jurisdiction.
It is not entirely clear what the meaning of moderation entails, and it
remains to be seen how this requirement will be applied by Swedish Companies facilitating peer-to-peer or marketplace lending, comprising
courts and authorities in practice. loan intermediation or brokering, are regulated by and require authori-
The authorities have paid more attention to the moderation sation pursuant to the CCCOA (if the borrowers are consumers) or the
requirement recently, and it is clear that a comprehensive assessment HCOA (if the borrowers are consumers and the loans relate to purchases
of all relevant circumstances will be made. In particular, the authorities of residential immovable property). Both the CCCOA and the HCOA
and courts will assess: contains regulations on, for example, anti-money laundering measures,
• whether the credit is presented in a way that misleads the sound practices for loan intermediation operations, and ownership and
consumer about the financial consequences of the credit or brings management assessments.
the consumer to make an unfounded decision to enter into a credit Business operators providing those services to borrowers that are
agreement; not consumers are required to register its operations with the SFSA
• whether the credit is presented as a carefree solution to the (by way of notification to the SFSA) in accordance with the Swedish
consumer’s financial problems; and Certain Financial Operations (Reporting Duty) Act (1996:1006) and
• whether the credit is neutral in a way that enables the consumer to comply with provisions relating to, for example, anti-money laundering,
decide whether the credit is favourable or not. as well as undergo ownership and management assessments. Should
the relevant company also be responsible for the transactions of funds
Pursuant to the Swedish government preparatory works implementing between lenders and borrowers (including keeping funds on a client
the above changes, it is stipulated that the marketing should be as account, or similar), the operations would instead fall under and require
204 Fintech 2021

Vinge Sweden
authorisation pursuant to the Swedish Payment Services Act (2010:751 Payment services
(PSA)), which imposes additional requirements relating to, for example, 12 Are payment services regulated in your jurisdiction?
own funds and information and technical processes relating to the
execution of payment transactions. Yes. Payment services are regulated under the Second Payment
Services Directive (EU) 2015/2366 (PSD2), which has been imple-
Crowdfunding mented into Swedish law through the PSA. Money remittance, execution
10 Describe any specific regulation of crowdfunding in your of payment transactions, acquisition of payment instruments, payment
jurisdiction. initiation and account information services are among the services
currently regulated under the PSA.
There is currently no specific regulation of crowdfunding under Swedish
law. Certain crowdfunding schemes may, however, fall within the scope Open banking
of the general financial services framework. In the case of equity-based 13 Are there any laws or regulations introduced to promote
crowdfunding, the Swedish Companies Act (2005:551) prohibits a private competition that require financial institutions to make
company or a shareholder thereof from attempting to sell shares or customer or product data available to third parties?
subscription rights in the company or debentures or warrants issued by
the company to the public. The obligation for financial institutions to make customer or product
In July 2016, the Swedish government appointed a special data available to third parties under PSD2 has been implemented
committee to analyse the need for further regulations with regard to, and without change in Sweden.
to improve the legal and regulatory opportunities for, peer-to-peer and
grassroots financing in Sweden. A legislative proposal was published Robo-advice
in February 2018 that proposes the introduction of a new Swedish 14 Describe any specific regulation of robo-advisers or other
Financing Mediation Act (SFA). The proposed SFA includes licensing companies that provide retail customers with automated
requirements for the activities that fall within the scope of the SFA and access to investment products in your jurisdiction.
provisions on operational requirements, supervision and sanctions. The
SFSA would be the authority responsible for licensing, registration and There is no specific regulation of automated investment advice in
supervision, and companies authorised under the proposed SFA would Sweden. The SFSA defines automated investment advice as personal
be subject to the provisions of the Money Laundering and Terrorist advice regarding financial instruments that is provided without, or with
Financing Prevention Act (2017:630), implementing the Fourth Anti- limited, human interaction. In Sweden, automated investment advice
Money Laundering Directive 2015/849/EU, as amended. The proposed (eg, robo-advice) constitutes regulated investment advice under the
SFA would apply to business activities where the purpose is to – in Swedish Securities Markets Act (2007:528), implementing MiFID II, and
exchange for payment – bring together natural or legal persons who is consequently subject to all the substantive provisions of the Swedish
intend to acquire financing from other natural or legal persons, where MiFID II implementation, including the SFSA’s regulations regarding
the financing is in the form of: investment services and activities (2017:2).
• loan-based crowdfunding (credit granted by companies in exchange
for payment, where the creditor is not licensed by the SFSA to Insurance products
conduct lending or loan mediation); 15 Do fintech companies that sell or market insurance products
• share-based crowdfunding (financing through the transfer of debt in your jurisdiction need to be regulated?
or ownership rights in the legal person seeking financing);
• reward-based crowdfunding (financing through the offer to provide Yes, if the selling and marketing is classified as ‘insurance distribu-
a service or commodity by the person seeking financing); or tion’. Insurance distribution is regulated under the Swedish Insurance
• donation-based crowdfunding (financing without an obliga- Distribution Act (2018:1219 (IDA)) implementing Directive (EU) 2016/97
tion for the person seeking financing to provide any payment or on Insurance Distribution (IDD). The IDA entered into force in Sweden on
performance). 1 October 2018. The IDD is a minimum harmonisation directive, enabling
member states to impose stricter regulation. The IDA includes the same
Licensing will mainly be required for share-based and loan-based definition of ‘insurance distribution’ and the same exemptions from
crowdfunding. Companies that receive authorisation to mediate share- regulation as the IDD. Sweden has, however, imposed stricter regula-
based or loan-based crowdfunding will be referred to as licensed capital tions regarding third-party remunerations, conditions for providing
mediators. The proposal has, however, not yet been adopted into law. advice on a fair and personal analysis, certain marketing prohibitions
and information to a customer on remuneration. The stricter regulatory
Invoice trading framework introduced by the IDD regarding insurance-based invest-
11 Describe any specific regulation of invoice trading in your ment products also applies to the distribution of pension insurance that
jurisdiction. is exposed to market volatility.
In accordance with the Certain Financial Operations (Reporting Duty) Credit references
Act, a company participating in financing, for example, by acquiring 16 Are there any restrictions on providing credit references or
claims (invoice trading), is required to register its operations with the credit information services in your jurisdiction?
SFSA (by way of notification to the SFSA), and it is further obliged to
comply with provisions relating to, for example, anti-money laundering, Yes. Credit references and credit information services are regulated
and to undergo ownership and management assessments. under the Swedish Credit Information Act (1973:1173) and the Swedish
Credit Information Regulation (1981:955). A licence from the Swedish
Data Protection Authority is required when carrying out credit-rating
operations in Sweden.
Sweden Vinge
CROSS-BORDER REGULATION In addition, marketing of funds is further specifically regulated through

the Swedish Investment Fund Association’s guidelines, which – albeit
Passporting not being hard law – are considered as codifying good marketing prac-
17 Can regulated activities be passported into your jurisdiction? tice in Sweden in respect of the marketing of undertakings for collective
investment in transferable securities.
Yes. An undertaking that has been authorised in its home EU member
state may, as a general rule, passport such authorisation into Sweden, CHANGE OF CONTROL
where the Swedish legislation is based on EU law.
Requirement for a local presence 20 Describe any rules relating to notification or consent
18 Can fintech companies obtain a licence to provide financial requirements if a regulated business changes control.
presence? Consent from the Swedish Financial Supervisory Authority (SFSA) is
required where a legal or natural person intends to directly or indirectly
An undertaking that has been authorised in its home EU member state acquire a qualified holding in a regulated business.
may, as a general rule, passport such authorisation into Sweden, where The holding is considered qualified when the acquirer directly or
the Swedish legislation is based on EU law. However, in relation to indirectly receives 10 per cent or more of the votes or shares, or other-
activities that fall under the Consumer Credit (Certain Operations) Act, a wise is enabled to exercise significant influence over the management
Swedish licence is required (ie, passporting is not available). of the regulated business. Additional consent is required if the owner-
ship amounts to or exceeds 20, 30 or 50 per cent of the votes or shares.
SALES AND MARKETING The consent requirement, generally referred to as an ‘ownership
assessment’, means that the SFSA will examine all qualified owners in
Restrictions the envisaged ownership chain. The process is rather extensive, and
19 What restrictions apply to the sales and marketing of the exercise involves collating and producing a substantial amount
financial services and products in your jurisdiction? of information (including documentation that supports the financing
of the transaction). Each person included in the management body
Marketing of financial services falls under the Marketing Practices (comprising board members, the CEO and the deputies thereof) of an
Act (2008:486 (MPA)), which applies to all marketing activities that entity subject to assessment must complete and sign an application,
have the purpose of furthering the sale of any product or service in including responding to questions regarding, for example, previous
Sweden, including, for example, the distribution of brochures and other criminal proceedings.
marketing materials and electronic marketing activities (if primarily SFSA consent must be obtained prior to the transaction. The SFSA
directed to Swedish entities or individuals). The MPA provides that all has an expected processing period of the applications of 60 business
marketing must be consistent with good marketing practice and be fair days, with a possible extension of 20 business days if the SFSA requests
and reasonable towards the person to whom or which it is directed. additional information during the assessment process.
Good marketing practice is defined in the MPA as generally accepted
business practices or other established norms aimed at protecting FINANCIAL CRIME
consumers and traders in the marketing of products. Thus, all marketing
must be designed and presented in such a way as to make it apparent that Anti-bribery and anti-money laundering procedures
it constitutes marketing and the party responsible for the marketing shall 21 Are fintech companies required by law or regulation to have
be clearly indicated. Statements or other descriptions that are or may be procedures to combat bribery or money laundering?
misleading may not be used. Marketing that contravenes good marketing
practice is regarded as unfair if it appreciably affects or probably affects Companies licensed by or registered with the Swedish Financial
the recipient’s ability to make a well-founded transaction decision. Supervisory Authority (SFSA) and a significant number of companies
In relation to financial services, and to comply with ‘good marketing and other professionals outside the financial sector are obliged to
practice’ for the purposes of the MPA, among other things: prevent money laundering and financing of terrorism by complying
• placements of capital or returns should not be described in terms with the Money Laundering and Terrorist Financing Prevention Act and
such as ‘safe’, ‘guaranteed’ or similar value judgements if it cannot subsequent regulations. Pursuant to the anti-money laundering (AML)
be verified that it is guaranteed that an investor’s capital will be regulations, companies are required to adopt internal AML procedures.
repaid or that a given return will be earned; Companies launching initial coin offerings would be subject to these
• the return earned during a particular successful period on an requirements to the extent their operations would be covered by any of
investment product should not be highlighted in a way that gives the relevant rules under, for example, the Certain Financial Operations
a distorted overall impression of the performance of the invest- (Reporting Duty) Act and the Securities Markets Act.
ment product; The SFSA is tasked with ensuring that the financial companies
• words such as ‘secure’ and similar value judgements should not adhere to the AML regulations. The County Administrative Board super-
be used for marketing purposes if they are not placed in a rele- vises companies and professionals outside the financial sector.
vant context; Bribery is criminalised under the Swedish Penal Code (1962:700),
• unconditional words expressing value, such as ‘best’, ‘biggest’ and which is applicable to all types of Swedish companies. Most financial
‘leading’, should not be used if the claim is not capable of verifi- companies are required to adopt ethical guidelines setting out, inter alia,
cation; and the company’s procedures to combat bribery.
• if an investment product involves risk, it should always be made
clear when marketing the product that an investment in the
product involves risk.
206 Fintech 2021

Vinge Sweden
Guidance Provided that the company processes personal data as part of its
22 Is there regulatory or industry anti-financial crime guidance operations, it would further, in respect of borrowers’ personal data, be
for fintech companies? subject to the EU General Data Protection Regulation and Swedish data
protection laws.
Yes. The SFSA has adopted regulations and guidelines in respect of AML,
setting out the detailed provisions applicable for relevant companies. ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
Execution and enforceability of loan agreements 27 Are there rules or regulations governing the use of artificial
23 What are the requirements for executing loan agreements or intelligence, including in relation to robo-advice?
or security agreements entered into on a peer-to-peer or There is no specific regulation of automated investment advice in Sweden.
marketplace lending platform will not be enforceable? The Swedish Financial Supervisory Authority (SFSA) defines automated
investment advice as personal advice regarding financial instruments
Loan origination is regulated under the Banking and Financing Business that is provided without, or with limited, human interaction. In Sweden,
Act as well as in subsequent regulations and guidelines issued by the automated investment advice (eg, robo-advice) constitutes regulated
Swedish Financial Supervisory Authority (SFSA) and the Swedish investment advice under the Securities Markets Act (SMA), implementing
Consumer Agency (SCA). The SFSA and the SCA have recently raised the EU Markets in Financial Instruments Directive (MiFID II), and is conse-
demands on lenders’ investigation of creditworthiness prior to entering quently subject to all the substantive provisions of the Swedish MiFID II
into loan agreements with consumers. Furthermore, the loan agree- implementation, including the SFSA’s regulations regarding investment
ments are subject to the Consumer Credit Act. services and activities (2017:2). If the use of artificial intelligence would
The risk that loan agreements entered into on a peer-to-peer or include decisions based solely on automated processing of personal
marketplace lending platform would not be enforceable under Swedish data, including profiling, this would be subject to the requirements in
law is minimal. article 22 of the EU General Data Protection Regulation (GDPR).
Assignment of loans Distributed ledger technology

24 What steps are required to perfect an assignment of 28 Are there rules or regulations governing the use of
loans originated on a peer-to-peer or marketplace lending distributed ledger technology or blockchains?
assignment is not perfected? Is it possible to assign these There are no rules or guidelines specifically addressing the use of
loans without informing the borrower? distributed ledger technology, but general rules and regulations, such
as anti-money laundering regulations and consumer protection, where
Perfection of an assignment against third parties depends on whether applicable, must be complied with. The SFSA has, in a report from March
the loan is represented by a negotiable (physical) promissory note or 2016, identified distributed ledger or blockchain technology as an area
a non-negotiable promissory note. In the former scenario, the prom- of interest for the supervisor and where it is expected that rules and
issory note must be transferred to the assignee, whereas in relation regulations need to be adopted in the future. If the distributed ledger
to non-negotiable promissory notes, the borrower must be notified of technology or blockchains include personal data, general requirements
the assignment so that the debtor can solely make its payments to the under the GDPR and Swedish data protection laws will be applicable.
assignee with discharging effect.
In the event the assignment is not perfected, the loan would be Crypto-assets
included in the bankruptcy estate of the assignor, in relation to which 29 Are there rules or regulations governing the use of crypto-
the assignee would only have a non-secured claim. assets, including digital currencies, digital wallets and
e-money?
25 Are securitisation transactions subject to risk retention Digital currencies, digital wallets and e-money are regulated under
requirements? the Payment Services Act, the Swedish Electronic Money Act (2011:755
(EMA)), the SFSA’s regulations regarding institutions for electronic
Loans originated on a peer-to-peer lending platform may only be trans- money and registered issuers (2011:49), the SFSA’s regulations and
ferred without informing the borrower where the loan is represented by general guidelines regarding institutions for electronic money and regis-
a negotiable promissory note. tered issuers (2010:3) and the Swedish Certain Financial Operations
(Reporting Duty) Act for cryptocurrencies.
26 Is a special purpose company used to purchase and securitise Digital currency exchanges
peer-to-peer or marketplace loans subject to a duty of 30 Are there rules or regulations governing the operation of
confidentiality or data protection laws regarding information digital currency exchanges or brokerages?
Although digital currencies, as a rule of thumb, do not constitute financial
Yes. Provided that the company’s operations comprise providing credit instruments subject to the provisions of trading venues and brokerages
to consumers (by way of purchasing loans), the company would gener- under the SMA implementing MiFID II in Sweden, an operator of a digital
ally have to be authorised by the SFSA, in accordance with, for example, currency exchange or brokerage may be subject to the provisions of the
the Consumer Credit (Certain Operations) Act, which would entail that a Certain Financial Operations (Reporting Duty) Act to the extent their oper-
duty of confidentiality (similar to bank secrecy) would be imposed. ations would constitute management or trading in virtual currencies.
Sweden Vinge
Initial coin offerings Cybersecurity

31 Are there rules or regulations governing initial coin offerings 33 What cybersecurity regulations or standards apply to fintech
(ICOs) or token generation events? businesses?
Business operators conducting ICOs would be subject to the provisions Under the GDPR, controllers must have ‘appropriate technical and
of the Certain Financial Operations (Reporting Duty) Act to the extent organisational measures’ in place to ensure a level of security appro-
their operations constitute management or trading in virtual currencies. priate to the risk. There is, therefore, no prescribed level of security, but
Moreover, should the coins or tokens qualify as financial instruments an analysis must be carried out to ascertain what level of security is
under the SMA, the issuers may become subject to, inter alia, the SMA, appropriate to the type of processing of personal data being carried out.
the Alternative Investment Fund Managers Act, the Swedish imple- The EU Directive on security of network and information systems
mentation of the Prospectus Directive (2003/71/EC) and the Money (the NIS Directive) has been implemented into Swedish law (2018:1174)
Laundering and Terrorist Financing Prevention Act. and supplemented by a regulation (2018:1175). These Acts impose
cybersecurity requirements for digital services providers and opera-
DATA PROTECTION AND CYBERSECURITY tors of essential services. Companies in the financial industry that are
deemed as operators of essential services within the banking or finan-
Data protection cial market infrastructure are covered by the Acts and are, therefore,
32 What rules and regulations govern the processing and obliged, among other things, to:
transfer (domestic and cross-border) of data relating to • notify the Swedish Financial Supervisory Authority immediately;
fintech products and services? • demonstrate a systematic and risk-based approach to matters
regarding information security, and
The EU General Data Protection Regulation (GDPR) and the Swedish Act • report incidents to the Swedish Civil Contingencies Agency.
on Supplementary Provisions to the GDPR (2018:218) generally apply
to the processing of personal data by data controllers established in OUTSOURCING AND CLOUD COMPUTING
Sweden. The main requirements relating to the processing of personal
data include the following. Outsourcing
• Personal data may only be processed (ie, collected, used and 34 Are there legal requirements or regulatory guidance with
stored) if there are legal grounds (ie, consent) for the processing. respect to the outsourcing by a financial services company of
However, there are several exemptions from the requirement of a material aspect of its business?
consent (eg, where the processing is necessary to fulfil a contract
or a legal obligation or is necessary to pursue a legitimate interest There are multiple legal and regulatory requirements in respect of
of the data controller, unless this interest is overridden by the outsourcing by financial services companies, including, inter alia, the
interest of the registered person to be protected against undue Banking and Financing Business Act, the Consumer Credit (Certain
infringement of privacy). Operations) Act, the Securities Markets Act, the Electronic Money Act,
• Certain fundamental requirements must be met (eg, personal the Payment Services Act, the regulations of the Swedish Financial
data must be adequate, relevant and non-excessive in relation to Supervisory Authority (SFSA) (2010:3) and (2011:49), detailed provisions
the purpose of the processing and must not be kept longer than set out in the Markets in Financial Instruments Directive Commission
necessary). Delegated Regulation 600/2014/EU and the European Banking Authority
• Data subjects must, as a general rule, be informed of the processing (EBA) Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), as
of their personal data, and data subjects have certain rights (eg, well as questions and answers provided by the SFSA on the application
right of access, rectification, erasure and data portability). of the EBA Guidelines.
• Processing of sensitive personal data and criminal offence data The provisions are subject to some variation, but in general impose
may only be performed in limited circumstances. In general, that financial services companies are required to exercise the requisite
consent from the person concerned is required for sensitive data. skill, care and diligence when entering into, managing and terminating
As a general rule, it is prohibited to process criminal offence data outsourcing arrangements. Furthermore, the rights and obligations
(there are a few exemptions, for example, regarding whistle- of the financial services company and the services provider must be
blowing systems, where it is permitted to process criminal offence clearly documented in an outsourcing agreement. If the financial
data under certain conditions). services company intends to outsource a significant part of the licensed
• There are specific requirements that must be met in case of export operations, or activities that have a natural connection with financial
of personal data to countries outside the European Union or the operations or their support functions, the financial services company
European Economic Area (eg, consent or model clause agreements is required to notify the SFSA thereof in advance and also provide the
may justify such export). SFSA with a copy of the relevant outsourcing agreement.
• A data controller must take appropriate technical and organi- The SFSA requires outsourcing agreements to be in writing and
sational measures to protect personal data. Data processing to regulate clearly the rights and obligations of the financial services
agreements must be entered into with data processors. company and the third-party service provider. The SFSA further expects
• The GDPR also includes requirements regarding, inter alia, the financial services company to be able to assess and monitor how
appointment of data protection officers, personal data breaches, well the third-party service provider is carrying out its duties and to
data protection by design and by default, records of processing terminate the agreement should the third-party service provider lack
activities, data protection impact assessments, consultation and the skills, capacity and authorisations required by law to reliably and
cooperation with the data national protection authority. professionally perform the outsourced duties and manage risks related
• The GDPR applies to pseudonymised data but not to fully to these duties.
anonymised data (ie, where it is not possible to directly or indirectly
identify an individual by any means).
208 Fintech 2021

Vinge Sweden
Cloud computing • inventions developed within the employer’s line of business

35 Are there legal requirements or regulatory guidance with but developed by an employee that is not employed to conduct
respect to the use of cloud computing in the financial services research and development work may be utilised by the employer,
industry? and the employer has priority over others in acquiring ownership
of the invention; and
The EBA Guidelines, applicable for credit institutions and investment • inventions developed within the employer’s line of business but
firms subject to Directive 2013/36/EU, as amended, electronic money developed without any connection to the employment may be
institutions and payment institutions, offer guidance in respect of acquired by the employer, with priority over others, if agreed upon
outsourcing to cloud service providers and have integrated and replaced with the employee.
the previously issued EBA Recommendations on Outsourcing to Cloud
Service Providers (EBA/REC/2017/03). Collective bargaining agreements (if applicable) may also contain
On 3 June 2020, the European Securities and Markets Authority provisions on employers’ rights to intellectual property developed by
issued Draft Guidelines on Outsourcing to Cloud Service Providers for, employees similar to the three categories described above.
inter alia, investment firms and credit institutions that carry out invest- In relation to contractors and consultants, the main rule is that all
ment services and activities. They are expected to be implemented in rights in results vest in the originator. This means that a company must
the fourth quarter of 2020 or the first quarter of 2021. explicitly acquire the rights in those results through agreements with
the originator. The inclusion of appropriate intellectual property clauses
INTELLECTUAL PROPERTY RIGHTS in the agreement with contractors and consultants are, thus, essential.
IP protection for software Joint ownership

36 Which intellectual property rights are available to protect 38 Are there any restrictions on a joint owner of intellectual
software, and how do you obtain those rights? property’s right to use, license, charge or assign its right in
Computer programs are protected as copyrighted works in accordance
with the Swedish Copyright Act (1960:729 (CA)). The copyright protec- The Swedish legislation does not fully regulate the matter of joint
tion arises automatically, and there is, thus, no registration procedure ownership of intellectual property. Only the CA regulates the matter
for obtaining copyright protection. explicitly, whereby the main rule is that co-authors have a joint
Software-implemented inventions and business methods can right to the copyright-protected work. The same should reason-
be registered and protected as patents if they meet all the necessary ably also apply to the other categories of intellectual property.
requirements. Program code or mere business methods, however, Unless agreed otherwise between the co-owners, the Swedish Act
cannot be patented in Sweden, but a technical invention that includes a on Joint Ownership (1904:48 (AJO)) is applicable. The AJO states that
business method, or which is implemented or can be implemented by a consent from all co-owners is necessary for all decisions concerning the
computer program, can be patentable. management of the jointly owned property. All co-owners are, however,
entitled to sell their share in the jointly owned intellectual property
IP developed by employees and contractors without consent from the other owners.
37 Who owns new intellectual property developed by an In light of this, co-owners of intellectual property are restricted
employee during the course of employment? Do the same from utilising, licensing, charging or assigning the intellectual property
rules apply to new intellectual property developed by in whole without the other co-owner’s consent. The co-owners must,
contractors or consultants? thus, settle the joint ownership and agree on how to use and manage
the intellectual property to avoid uncertainty.
In general, intellectual property developed during the course of employ-
ment vests with the employee unless explicitly transferred to the Trade secrets
employer. However, the employer has a more or less extensive right to 39 How are trade secrets protected? Are trade secrets kept
acquire or utilise the intellectual property depending on the category of confidential during court proceedings?
intellectual property and the category of invention (see below) as well
as the provisions in the applicable employment or collective bargaining Protection for trade secrets is granted through the Swedish Trade Secrets
agreements. There are also specific statutory provisions concerning Act (2018:558 (TSA)). For the purposes of the TSA, trade secrets are
certain intellectual property. Below is a summary of the general prin- defined as information concerning business or operational circumstances
ciples regarding an employer’s rights to inventions developed by its in a trader’s business, which is secret in the sense that it is not, as a body
employees. or in the precise configuration and assembly of its components, gener-
According to the CA, copyright in a computer program created in ally known among or readily accessible to persons within the circles that
the course of employment is automatically transferred to the employer normally deal with the kind of information in question, which the trader
unless otherwise agreed in, for example, the employment agreement. has taken reasonable measures to keep confidential and the disclosure
However, the scope of the concept of ‘computer program’ is not clear of which is likely to cause damage to the trader from a competition
under Swedish law. Therefore, it is recommended that employers perspective. Trade secrets cannot be registered for protection, and the
include an appropriate clause in the employment agreement that explic- only statutory protection for such information is granted under the TSA.
itly transfers all rights to the employer. Court proceedings, as well as all evidence and other information
An employer has certain rights to patentable inventions developed submitted to the court, are generally public in Sweden. However, for
by its employees. Those inventions are divided into three categories, information concerning business or operational circumstances, the
and the employer’s rights differ between the categories: parties may request secrecy when submitting information or during
• inventions developed by employees that are employed to conduct the proceedings as well as afterwards. However, a Swedish court is not
research and development work, and which are developed within the required to adhere to such request, and there is no way of knowing
scope of employment, may be acquired or utilised by the employer; whether the court will grant a request of secrecy in advance.
Sweden Vinge
Branding
brands?
The general provisions for protection of trademarks and trade symbols

are provided in the Swedish Trademark Act (2010:1877). A trade symbol
can be registered for protection in Sweden if it is distinctive (ie, capable Emma Stuart-Beck
emma.stuart-beck@vinge.se
of distinguishing goods or services of one business activity from those
of another). A trademark registered for protection in the European Union Caroline Krassén
also grants protection in Sweden. Exclusive rights to a trade symbol caroline.krassen@vinge.se
may also be obtained, without registration, if the symbol is considered Anton Sjökvist
established on the market. A trade symbol is deemed established on anton.sjokvist@vinge.se
the market if it is known by a significant part of the relevant public as
Mikaela Lang
an indication for the goods or services that are being offered under it.
mikaela.lang@vinge.se
New businesses can either perform searches themselves in relevant
public databases for trademarks identical or similar to the trademarks Henrik Schön
they intend to use (eg, in the Swedish Patent and Registration Office’s henrik.schon@vinge.se
database, which covers both Swedish and EU trademarks) or engage a Trine Osen Bergqvist
trademark attorney to assist with such preliminary investigations. trine.osenbergqvist@vinge.se
General branding can be protected by the Marketing Practices Act.
Nicklas Thorgerzon
The Act protects unfair competition and can, thus, inter alia, protect a
nicklas.thorgerzon@vinge.se
business against other business taking unfair advantage of the reputa-
tion associated with the first business, including its trademark, business Karl-Hugo Engdahl
name or other distinctive marks. karl-hugo.engdahl@vinge.se
Maria Schultzberg
Remedies for infringement of IP maria.schultzberg@vinge.se
Viveka Classon
whose intellectual property rights have been infringed? viveka.classon@vinge.se
There are numerous remedies available when suing an alleged infringer Malin Malm Waerme
malin.malmwaerme@vinge.se
in court. For example, preliminary injunctions and prohibitions under
penalty of fine as well as damages for infringement, loss of profit and
impaired goodwill are available in all Swedish intellectual property Stureplan 8
laws. Infringements committed intentionally or through gross negli- Box 1703
gence can also result in fines or imprisonment. 111 87 Stockholm
Sweden
COMPETITION Tel: +46 10 614 3000
Fax: +46 10 614 3190
Sector-specific issues www.vinge.se

There are no specific competition rules for fintech companies. The Increased tax burden
general Swedish competition rules, which are based on EU competition 44 Are there any new or proposed tax laws or guidance that
law, apply. The rapid growth of the Swedish fintech industry in recent could significantly increase tax or administrative costs for
years has given rise to many new payment solutions and increased fintech companies in your jurisdiction?
competition between the old and the new. Although we have seen
issues relating, inter alia, to the interoperability between the traditional No.
banking systems and the new digital solutions, case law regarding the
application of the competition rules in the fintech industry is still limited. IMMIGRATION
TAX Sector-specific schemes

Incentives businesses to recruit skilled staff from abroad? Are there
43 Are there any tax incentives available for fintech companies any special regimes specific to the technology or financial
and investors to encourage innovation and investment in the sectors?
There are no specific immigration schemes available for fintech busi-
There are no special Swedish tax incentives for fintech companies or nesses to recruit skilled staff, nor are there any special regimes specific
investors to encourage innovation and investment in the fintech sector to the technology or financial sectors. Whether a work permit is required
in Sweden. for the specific role is subject to a case-by-case assessment. The main
210 Fintech 2021

Vinge Sweden
rule under Swedish law is that for a citizen of a non-EU country to be The Swedish government, the Swedish Financial Supervisory
able to work and reside in Sweden, a work permit and a residence permit Authority and the Swedish Central Bank have, furthermore, presented
is required. EU citizens are, however, entitled to work in Sweden without a number of initiatives to avoid credit supply problems and to support
any kind of permit. Swiss citizens are entitled to work in Sweden without business, including but not limited to the Central Bank making avail-
a work permit, but are still required to apply for a residence permit. able up to 500 billion kronor in loans for Swedish banks to be used
Certain other categories of employees may also temporarily for on-lending to Swedish non-financial companies, the Central Bank’s
work in Sweden without a specific work permit, provided that certain purchase of up to 300 billion kronor of securities (in government and
requirements are fulfilled. For example, a work permit is not required municipal bonds, covered bonds and securities issued by non-finan-
for individuals employed by a multinational corporate group where the cial companies) and state guarantees for 70 per cent of new bank
employees will undergo practical training, on-the-job training or other financing of up to 75 million kronor in each case to otherwise viable
in-service training at a company in Sweden that is part of the group (a small and medium-sized enterprises facing difficulties owing to the
maximum aggregate period of three months). In the absence of any of covid-19 pandemic.
the aforementioned exemptions, all non-EU citizens must obtain a work
permit to be entitled to work in Sweden.
The application procedure is generally the same for all applicants
regardless of occupation or industry. Applications are assessed by the
Swedish Migration Agency (MA), and the application processing time
varies. It currently takes up to four months for the MA to examine a
complete first-time application registered through the regular queue.
There are, however, particular certified firms (such as certain law
firms) with access to the MA’s fast-track system when applying for
work permits on behalf of a client company and its employees. Certified
firms are entitled to a significantly shorter turnaround time (10 days for
complete first-time applications). In cases where the employer is not
bound by a collective bargaining agreement and the concerned Swedish
trade union does not oppose the absence thereof, the official fast-track
turnaround time is 60 days.
UPDATE AND TRENDS
trends to note?
According to the Stockholm Fintech Guide, Stockholm received 18

percent of all private placements in fintech companies across Europe
between 2013 and 2018, and around 400 fintech companies are active in
Stockholm, as compared to the end of 2017 when there were around 150.
The Swedish National Bank has, furthermore, owing to the margin-
alisation of cash usage in Sweden, initiated a pilot project to construct
a technical platform for the e-krona, based on distributed ledger tech-
nology, and while no decision on the issuing of an e-krona has been
made, the project is expected to run until February 2021 and explore the
possibility of a digital currency to complement cash in society. Sweden
in general – and Stockholm in particular – are vibrant for fintech compa-
nies, and the coming years will likely provide for further developments
on the Stockholm fintech scene.
Coronavirus
for clients?
Sweden has introduced several measures to mediate the negative

effects for business operators owing to the pandemic; however, none are
specifically tailored to the fintech industry. The measures include finan-
cial support and lower requirements for companies whose employees
are on sick leave or on temporary short-term work, the lowering of
employer’s social security contributions and the easing of the rules to
carry out general meetings without physical attendance.
Switzerland
Clara-Ann Gordon and Thomas A Frick
Niederer Kraft Frey
FINTECH LANDSCAPE AND INITIATIVES conclusion of such contracts). Various other changes to the relevant laws
were already made or initiated to further enhance the fintech ecosystem.
General innovation climate
1 What is the general state of fintech innovation in your FINANCIAL REGULATION
jurisdiction?
Regulatory bodies
Switzerland strongly supports innovation both at the government and 3 Which bodies regulate the provision of fintech products and
corporate level. This includes fintech innovation. The country has a services?
strong and mature financial market and strong service industries that
support such initiatives. Well-known internationally is the Crypto Valley, The provision of fintech products and services is governed by the general
a fintech hub focused on crypto offerings located in Zug, a small canton laws and regulations applicable to the financial market, which in general
close to the financial centre of Zurich. Google, IBM, Disney, Thomson is supervised by the Financial Market Supervisory Authority (FINMA).
Reuters and the Federal Institute of Technology ETH have all established FINMA regulates the provision of these products and services in more
research laboratories in and around Zurich, adding to the technical detail by issuing circulars and guidelines, such as the guideline for initial
innovation network. Zurich University is in the process of creating 18 coin offerings (ICOs). FINMA is the competent supervisory authority for
new chairs for digital innovation studies; Zurich University also intends banks, insurance companies and asset managers managing assets of
to further enhance its research on artificial intelligence. There are collective investment schemes.
numerous companies focusing on digital offerings, specialised ones such Financial intermediaries, which were not prudentially supervised
as Swissquote, Temenos and Avaloq, and others providing IT support prior to 1 January 2020, became subject to prudential supervision (in
and IT-focused financial services. In addition, major Swiss banks such as particular, asset managers). They must join a self-regulatory organisa-
UBS and Credit Suisse both have fintech innovation laboratories. Banks tion (SRO) for the purpose of anti-money laundering (AML) compliance
focused on crypto offerings (eg, SEBA and Sygnum) received a banking and one of the newly set up special supervisory bodies for asset
licence in summer 2019; other projects are currently aiming to set up managers. These in turn are supervised by FINMA but are privately run
trading platforms and exchanges (eg, SIX Swiss Exchange and its SDX organisations.
project) and to obtain a licence from the Financial Market Supervisory Finally, certain ICOs were made by foundations domiciled in
Authority (FINMA). FINMA also recently granted the first two of the new Switzerland and these foundations are supervised by separate supervi-
fintech licenses. sory authorities at the communal, cantonal and federal level; foundations
set up for the purpose of making an ICO are usually supervised by the
Government and regulatory support Federal Authority for Foundation Supervision.
specific to financial innovation? If so, what are the key benefits Regulated activities
of such support? 4 Which activities trigger a licensing requirement in your
jurisdiction?
There are numerous initiatives by government bodies and regulators
to provide support to financial innovation. The most comprehensive FINMA provides on its website (www.finma.ch) an overview of activi-
one is the Digital Switzerland initiative that coordinates various private ties that may trigger a licensing requirement. Fintech companies are
initiatives and provides government support to them. FINMA set up a particular likely to fall within the scope of the Banking Act, the Financial
special fintech desk as a competence centre for fintech applications and Institutions Act, the Financial Market Infrastructure Act (FMIA) and the
enquiries. Through this desk, FINMA issued, for instance, guidelines Anti-money Laundering Act (AMLA).
for initial coin offerings (ICOs) in 2018 and confirmed its willingness to Anyone who accepts deposits from the public on a commer-
review submissions for ICOs and provide clearance letters for these cial basis is subject to banking licence requirements. This is the case
offerings confirming that an ICO will not be in breach of Swiss regu- if either deposits of more than 20 investors are actually held or if the
lations. Through the state agency Innosuisse, the Swiss Federation entity publicly announces to a non-limited number of persons that it is
supports technology-based innovation in Swiss enterprises. Innosuisse willing to accept these deposits. Bond issues do not qualify as deposits
offers coaching, thereby helping start-ups to raise capital. and capital contributions that do not entail a repayment obligation also
Furthermore, the government initiated various changes to Swiss do not qualify as deposits. Since 1 August 2017, the holding of client
law. Among others, relevant rules for the on-boarding of clients or for funds no longer triggers banking licence requirements if the funds do
entering into asset management agreements were adapted to render not at any time exceed 1 million Swiss francs, the funds are neither rein-
them technology neutral (ie, to enable online on-boarding and online vested nor interest-bearing and the depositors have been informed in
212 Fintech 2021

Niederer Kraft Frey Switzerland
writing prior to making the deposits that their funds are not covered by FINMA. Collective investment schemes are highly regulated in
by the Swiss depositor protection regime and that the institution is not Switzerland and subject to investment and borrowing restrictions as
supervised by FINMA. On 1 January 2019, a special licence was intro- well as to strict rules applicable to the sales of its units in or from
duced whereby undertakings accepting deposits from the public of up to Switzerland. No specific regulations apply for fintech companies.
100 million Swiss francs may qualify for a banking licence light, a licence There is a project pending for a change of law, which could intro-
that subject these undertakings to rules less stringent than the rules duce a non-licensed fund structure for professional investors only.
applicable to banks, providing no interest is paid on such deposits and
the funds are not reinvested (fintech licence). Alternative investment funds
An entity that commercially buys and sells securities on the primary 8 Are managers of alternative investment funds regulated?
market for its own account for short term resale or for the account of
third parties, which offers them publicly on the primary market or create Switzerland not being a member state of the European Union, the
or publicly offers derivatives, may require a securities house licence. Alternative Investment Fund Managers Directive is not applicable. As
The term ‘securities’ is now defined in the FMIA and is understood as a rule, an asset manager domiciled in Switzerland of a Swiss or foreign
meaning ‘standardised certified and uncertified securities, derivatives collective investment scheme requires a licence from FINMA. However,
and intermediated securities, which are suitable for mass trading’. if the investment fund is open to qualified investors only, the asset
Further clarification is provided by the ordinance on financial market manager may not fall under the licence requirement if the assets under
infrastructures and market conduct in securities and derivatives trading, management do not exceed 100 million Swiss francs, or if the assets do
which clarifies that only such securities that are publicly offered for sale not exceed 500 million Swiss francs, provided that the portfolio is not
in the same structure and denomination or are placed with more than leveraged and the investors do not have a redemption right for a period
20 clients, insofar as they have not been created especially for individual of five years, or if the investor is part of the same financial group as the
counterparties, will fall under the regulation. asset manager.
While advising on investments will not be subject to licence
requirements, asset management based on a power of attorney subjects Peer-to-peer and marketplace lending
the asset manager to the obligation to join a SRO, to comply with the 9 Describe any specific regulation of peer-to-peer or
relevant rules of the Swiss AMLA and to obtain a licence from FINMA. marketplace lending in your jurisdiction.
AMLA regulations also extend to persons who carry out credit trans-
actions, such as consumer loans or mortgages, factoring, commercial If the fintech company organising the marketplace is acting as a mere
financing or financial leasing, and persons who provide services relating marketplace and does not accept or forward any funds, it will not be
to payment transactions. subject to any specific regulation. However, if the fintech organising the
Payment systems may under certain conditions require a licence marketplace or the peer-to-peer lending accepts funds or controls the
under the FMIA. forwarding of these funds to another party of the marketplace, it will be
subject to AML regulations and will need to join an SRO to comply with
Consumer lending the AML regulations.
Crowdfunding
Consumer lending activities will require membership in a SRO and 10 Describe any specific regulation of crowdfunding in your
compliance with the applicable AML rules. Furthermore, consumer jurisdiction.
lending may fall under the Consumer Credit Act; a consumer lending
company must obtain a licence (from a cantonal authority, unless it Crowdfunding is not specifically regulated under Swiss law, but FINMA
holds a banking licence), must hold own assets in the amount of 8 per issued a fact sheet outlining the applicable rules. Therefore, the general
cent of the issued consumer loans and is subject to various rules on rules apply to crowdfunding systems. As a rule, crowdfunding platforms
providing transparency on the terms of the consumer loan and the obli- will not be subject to prudential supervision. If the crowdfunding plat-
gation to verify the creditworthiness of the counterparty. form only organises the funding but does not control the flow of funds,
it will not be subject to licensing requirements. If the crowdfunding
Secondary market loan trading platform accepts funds and forwards these funds to the recipient within
6 Are there restrictions on trading loans in the secondary a time period of up to a maximum of 60 days without paying interest
market in your jurisdiction? on the funds, the crowdfunding platform will be subject to AML regula-
tions and will need to become a member of an SRO. If a crowdfunding
There is no licence requirement for trading loans in the secondary platform holds funds for a period longer than 60 days, it may require a
market. However, if an investment company is buying and selling securi- fintech licence under the Banking Act, if the funds held do not exceed
ties for their own account with the intent of reselling them within a short the amount of 100 million Swiss francs. If the funds held exceed this
time period or for the account of third parties, these companies must amount or if interest is paid on the amount held, a banking licence will be
obtain a securities house licence from FINMA. required. Not only the platform may require a licence, but also the project
developer, if it accepts deposits or advertises that it will accept deposits.
As a rule, peer-to-peer lenders, marketplace lenders or crowdfunding Invoice trading and factoring is not specifically regulated in Switzerland
platforms will not fall under the rules applicable to collective investment and does not require a prudential licence. However, trading in invoices
schemes. Collective investment schemes and companies managing qualifies the fintech company as a financial intermediary and the fintech
collective investment schemes are subject to prudential supervision company will have to comply with AML regulations and join an SRO.
Switzerland Niederer Kraft Frey
Payment services basis, this activity may trigger reporting obligations to the Swiss
12 Are payment services regulated in your jurisdiction? Foreign Department under the Federal Act on private Security
Services Abroad.
Switzerland not being a member of the European Union, the European
Payment Services Directive 2 (PSD2) does not apply and Switzerland CROSS-BORDER REGULATION
does not have a corresponding regulation. Therefore, no prudential
licence is required for payment services. However, any provider of Passporting
payment services will need to comply with AML rules and will have 17 Can regulated activities be passported into your jurisdiction?
to join an SRO. If a payment system is deemed to be of systemic rele-
vance, or if FINMA is of the opinion that supervision is required for the No passporting of regulated activities into Switzerland is possible.
protection of the participants of a payment system, FINMA can at its
discretion require a payment system to obtain a licence under the FMIA Requirement for a local presence
and such systems will furthermore be subject to reporting obligations 18 Can fintech companies obtain a licence to provide financial
to the Swiss National Bank. The Swiss National Bank has the compe- services in your jurisdiction without establishing a local
tence to subject foreign payment systems that are of systemic relevance presence?
to Switzerland to its supervision. However, most payment systems are
not subject to prudential supervision or licence requirements. FINMA As a rule, a licence will only be granted to a company established in
declared that the LIBRA stablecoin, Facebook’s project, would be of Switzerland (ie, if it has local presence either in the form of a company
systemic relevance. or in the form of a branch of a foreign legal entity). Product offerings,
however, are possible on a cross-border basis provided that the prod-
Open banking ucts (such as investment funds) are approved in Switzerland. While
13 Are there any laws or regulations introduced to promote the distribution of insurance products, collective investment schemes,
competition that require financial institutions to make derivatives and securities is regulated, general banking services may
customer or product data available to third parties? be offered by foreign banks in Switzerland without licensing require-
ments; however, since 1 January 2020, client advisers working for
The PSD2 does not apply in Switzerland and no equivalent regulation foreign financial service providers need to register in a Swiss advisory
exists. Swiss banks are sceptical and, at the time of writing, do not open register. Exempt from this are client advisers working for banks, securi-
up interfaces to their client data. However, as banks are criticised for ties houses and asset managers and client advisers working for other
that approach and as banks usually also provide cross-border services, foreign prudentially supervised financial institutions if they only advice
it is expected that certain banks will in the future start to apply the PSD2 professional or institutional clients.
rules voluntarily by granting third parties access to certain data, subject When marketing financial products, such as investment funds and
to customer consent. structured products, the local Swiss rules on the marketing of such
products must be complied with (eg, prospectus requirements under
Robo-advice Swiss law).
companies that provide retail customers with automated SALES AND MARKETING
Restrictions
There are several robo-advisers active on the Swiss market. The 19 What restrictions apply to the sales and marketing of
rules applicable to them are the same as those that apply to normal financial services and products in your jurisdiction?
asset managers.
When marketing financial products, such as investment funds and struc-
Insurance products tured products, the local Swiss rules on the marketing of such products
15 Do fintech companies that sell or market insurance products must be complied with (eg, prospectus requirements under Swiss law).
CHANGE OF CONTROL
Insurance companies operating in Switzerland must obtain a licence
for their specific activities from FINMA. As the sale and marketing of Notification and consent
insurance products is highly regulated, any marketing of these products 20 Describe any rules relating to notification or consent
(including cross-border marketing into Switzerland) needs to be evalu- requirements if a regulated business changes control.
ated in detail prior to any marketing activities.
If a prudentially supervised legal entity changes control, the legal entity
Credit references and the new controlling shareholder must obtain an additional licence
16 Are there any restrictions on providing credit references or from the Financial Market Supervisory Authority. The same applies if
credit information services in your jurisdiction? 10 per cent or more of the capital or of the voting rights in a foreign-
controlled prudentially supervised legal entity are transferred. In the
There is no general licensing requirement for providing credit refer- application, full information must be provided on the new shareholder
ences or credit information services. However, any company providing and on the persons controlling this new shareholder up to the ultimate
this information must comply with the Swiss Federal Act on Data beneficial owner.
Protection, which applies not only to natural persons but also to legal
entities. Furthermore, the gathering of information from non-public
sources may qualify as activity of private detective, which is subject
to licensing requirements in certain cantons. If done on a cross-border
214 Fintech 2021

FINANCIAL CRIME A security assignment of rights will also only be valid if entered
into in writing by the assignee. Mortgages can only be entered into in
Anti-bribery and anti-money laundering procedures the form of a public deed.
procedures to combat bribery or money laundering? Assignment of loans
There are no specific rules applicable to fintech companies. All Swiss loans originated on a peer-to-peer or marketplace lending
legal entities and persons are subject to the anti-bribery rules of the platform? What are the implications for the purchaser if the
Swiss Criminal Code and need to comply with these provisions. For assignment is not perfected? Is it possible to assign these
prudentially supervised companies, compliance with such anti-bribery loans without informing the borrower?
rules is part of the supervisory concept and any breaching of these
rules may endanger the licence. An assignment of a claim can be done unilaterally without informing the
Anti-money laundering (AML) provisions apply as soon as a debtor under the loan. However, such assignment of a claim must be
company controls foreign assets or issues a currency. In the framework done in writing. An assignment of a contract is possible without such
of an initial coin offering (ICO), therefore, a company launching an ICO formal requirements (unless the contract itself requires a certain form,
and issuing currency tokens will have to comply with AML provisions. which is not the case for loan agreements) but needs the consent of the
A company issuing pure utility tokens or security tokens may not have counterparty (ie, of the debtor under the loan).
to comply with AML provisions, provided that the tokens are operative.
Even if a company issuing tokens may not be under strict obligations to Securitisation risk retention requirements
comply with AML provisions, it may find it difficult if not impossible to 25 Are securitisation transactions subject to risk retention
find a Swiss bank willing to provide a bank account unless it identifies its requirements?
investors (in the case of the issuing of security tokens) according to AML
standards compatible with the AML standards applied by Swiss banks. The EU Securitisation Regulation does not apply in Switzerland and its
Digital currency exchanges may be subject to AML requirements rules are not part of the Swiss regulatory framework.
as exchanges from one cryptocurrency to the other are deemed to be
monetary transactions. Securitisation confidentiality and data protection requirements
In a recent major legislative project, new rules on the application of 26 Is a special purpose company used to purchase and securitise
Swiss AML law to crypto-assets have been proposed. The new proposals peer-to-peer or marketplace loans subject to a duty of
are pending in Parliament but may not become effective until 2021. confidentiality or data protection laws regarding information
Guidance
22 Is there regulatory or industry anti-financial crime guidance Switzerland has strong confidentiality and data protection laws appli-
for fintech companies? cable to client relationships. However, the well-known banking secrecy
and similar secrecy obligations of financial intermediaries apply to rela-
There is no general regulatory or industry anti-financial crime guidance tionships with banks, securities traders and fund administrators only and
for fintech companies. However, the Swiss Bankers Association (www. not to each and every company. Therefore, the duty of confidentiality may
swissbanking.org) recently issued guidelines for banks on the applica- depend on the origin of the loans: if such loans originate from a bank,
tion of AML rules to crypto-assets and to accounts of bank customers the bank must ensure that the SPV complies with the relevant secrecy
dealing in crypto-assets (such as in the case of an ICO). Furthermore, obligations (unless the bank customers consented and gave a waiver of
private associations such as the Capital Markets and Technology their secrecy rights). However, a special purpose company domiciled in
Association are currently working on guidelines on how AML rules Switzerland will be subject to the Swiss Data Protection Act and will need
should be applied to crypto-assets, in particular tokenised shares and to treat the data received in accordance with these provisions, which do
non-voting shares. Finally, the Financial Market Supervisory Authority not only protect natural persons but also legal entities. Furthermore, a
issued interpretative guidelines relating to cryptocurrency transfers. transfer of data abroad may be subject to additional limitations.
PEER-TO-PEER AND MARKETPLACE LENDING ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER

23 What are the requirements for executing loan agreements or Artificial intelligence
security agreements? Is there a risk that loan agreements 27 Are there rules or regulations governing the use of artificial
or security agreements entered into on a peer-to-peer or intelligence, including in relation to robo-advice?
Switzerland currently does not have special rules regarding the applica-
A loan agreement may be executed without formal requirements (ie, tion of artificial intelligence. Different institutions are conducting studies
an oral agreement is valid). Therefore, a loan agreement can also be to answer questions regarding topics such as ethics or the risks and
entered into by, for example, email. Hence, a loan agreement entered opportunities of AI innovation (State Secretariat for Economic Affairs
into on a peer-to-peer or marketplace lending platform will be enforce- press release ‘The pros and cons of artificial intelligence’, www.seco.
able provided that the party wishing to enforce the agreement can admin.ch/seco/en/home/seco/nsb-news.msg-id-71639.html). In addi-
provide sufficient evidence that the agreement was entered into by the tion, the Swiss federal government funded research programmes on
counterparty. the effective and appropriate use of big data and has incorporated a
Regarding security agreements, form requirements apply. A pledge new federal working group specialised in artificial intelligence (see the
under Swiss law is valid only if entered into in writing (ie, in the written Swiss Confederation on ‘The Swiss Digital Action Plan’, 5 September
form with an original (or valid electronic) signature of the pledgor). 2018; also see the Swiss Confederation on ‘Digital Switzerland Strategy’,
September 2018). On 13 December 2019, the report ‘Challenges of prudential licence requirement. However, if not only digital currencies
Artificial Intelligence’ was published, but without specific requests for but also security tokens will be traded on the exchange; the exchange
changes to Swiss law. may qualify as an organised or a multilateral trading facility under the
A company providing robo-advice may qualify as an asset manager Financial Market Infrastructure Act and must comply with the rules
if the company automatically implements the advice on a client portfolio, applicable to these institutions.
may be subject to anti-money laundering (AML) rules and may have to
become a member of a self-regulatory organisation. Initial coin offerings
Distributed ledger technology (ICOs) or token generation events?
distributed ledger technology or blockchains? Switzerland has a technology-neutral approach to digital assets.
Blockchain projects fall under the regulatory regimes of the industries
There are no special rules or regulations governing the use of such they apply to, such as the finance industry. On 16 February 2018, FINMA
technology and the general laws apply. published ‘Guidelines for enquiries regarding the regulatory framework
for initial coin offerings’ wherein it describes in detail how it deals with
Crypto-assets the supervisory and regulatory framework for ICOs under Swiss law. On
29 Are there rules or regulations governing the use of crypto- 26 August 2019, further specifications were given relating to payments
assets, including digital currencies, digital wallets and on the blockchain (Supervisory Notice 02/2019). FINMA will consider,
e-money? among other things, the investor categories and ICO targets, compliance
with AML regulations and the functionalities of the token generated but
Switzerland has a technology-neutral approach to digital assets. also the technologies used, the technical standards and wallets and
Blockchain projects fall under the regulatory regimes of the industries technical standards to transfer tokens. In its guidelines, FINMA distin-
they apply to, such as the finance industry. On 16 February 2018, the guishes three token categories, namely payment tokens, which are
Financial Market Supervisory Authority (FINMA) published ‘Guidelines intended to be used as a means of payment and do not grant any claims
for enquiries regarding the regulatory framework for initial coin offer- against the issuer of the token, utility tokens, which grant access to an
ings’ wherein it describes in detail how it deals with the supervisory application or service, and asset tokens, which represent assets such as
and regulatory framework for initial coin offerings (ICOs) under Swiss a debt or equity claim against the issuer or that enable physical assets
law. On 26 August 2019, further specifications were given relating to to be traded on the blockchain. If a token combines functions of more
payments on the blockchain (Supervisory Notice 02/2019). FINMA will than one of these categories, it is considered a hybrid token and has to
consider, among other things, the investor categories and ICO targets, comply with the requirements of all categories concerned.
compliance with AML regulations and the functionalities of the token
generated but also the technologies used, the technical standards and DATA PROTECTION AND CYBERSECURITY
wallets and technical standards to transfer tokens. In its guidelines,
FINMA distinguishes three token categories, namely payment tokens, Data protection
which are intended to be used as a means of payment and do not grant 32 What rules and regulations govern the processing and
any claims against the issuer of the token, utility tokens, which grant transfer (domestic and cross-border) of data relating to
access to an application or service, and asset tokens, which represent fintech products and services?
assets such as a debt or equity claim against the issuer or that enable
physical assets to be traded on the blockchain. If a token combines func- There are no specific rules and regulations that would apply to fintech
tions of more than one of these categories, it is considered a hybrid token products and services. Hence, the existing data protection law and the
and has to comply with the requirements of all categories concerned. guidelines from the Swiss Federal Data Protection and Information
The issuance of digital currencies will render the issuer subject Commissioner (FDPIC) apply. The Swiss Federal Data Protection Act is
to AML regulations. The offering of digital wallets, as a rule, will also currently being revised.
subject the provider to AML regulations. The safekeeping of digital
currencies in a wallet will, as a rule, not be considered as an activity Cybersecurity
requiring a banking licence by FINMA, provided that the private keys 33 What cybersecurity regulations or standards apply to fintech
do not fall into the bankrupt estate of the custodian. However, if the businesses?
custodian had control over the wallet (ie, is capable of disposing of the
currencies therein without interference of the beneficiary), the holding There are no specific cybersecurity regulations or standards that apply
of the wallet may render the custodian subject to banking licence to fintech businesses. Hence, the existing data protection law and the
requirements. In the recent proposals submitted by the Federal Council guidelines from the FDPIC apply. In particular the ‘Guide on Technical
for discussion, further clarifications regarding the treatment of digital and Organisational Measures’ (see file://srvzhfile02/users$/cgo/VDI/
wallets in the bankruptcy of the custodian are proposed. Downloads/guideTOM_en_2015%20(1).pdf).
Digital currency exchanges OUTSOURCING AND CLOUD COMPUTING

30 Are there rules or regulations governing the operation of
digital currency exchanges or brokerages? Outsourcing
A broker providing services for the conversion of fiat currencies into respect to the outsourcing by a financial services company of
cryptocurrencies, cryptocurrencies into cryptocurrencies or cryp- a material aspect of its business?
tocurrencies into fiat currencies will need to become a member of a
self-regulatory organisation and be subject to AML rules. If it wishes to Any company outsourcing part of its business must comply with the
operate a digital currency exchange, this can usually be done without the Swiss Data Protection Act.
216 Fintech 2021

Furthermore, if a financial services company subject to pruden- Joint ownership

tial supervision outsources part of its business, it will need to comply 38 Are there any restrictions on a joint owner of intellectual
with the guidelines provided by the Financial Market Supervisory property’s right to use, license, charge or assign its right in
Authority (FINMA) in its outsourcing circular (2018/3 FINMA ‘Guideline intellectual property?
on Outsourcing – banks and insurers’) and in Annex 3 of the Operational
Risk Circular (dealing with customer identification data). Under these No, there are no restrictions in this respect. In Switzerland, one is very
rules, outsourcing of material aspects of a business is generally flexible and free to agree on rules. However, if nothing is agreed on,
permitted, provided that the financial service provider is capable of then the general provisions of the applicable laws (eg, the Swiss Code
supervising the outsourcing provider, is safeguarding security rights of Obligations and the Copyright Act) apply. In particular, with regard to
of its clients, is securing in its contracts with the outsourcing provider joint ownership, it is advisable to set out the applicable rules in writing
that itself, its auditing company and FINMA will at all time be capable of in a contract, because the rules set out in the applicable laws usually
inspecting compliance by the outsourcing provider with the Swiss finan- are not specific enough for each individual case.
cial market rules and that it properly selects, instructs and supervises
the outsourcing provider. Furthermore, the cybersecurity measures of Trade secrets
the outsourcing provider need to be adequate and in line with the rele- 39 How are trade secrets protected? Are trade secrets kept
vant measures of the financial intermediary. confidential during court proceedings?
Cloud computing In Switzerland, trade secrets are mainly protected by non-disclosure

35 Are there legal requirements or regulatory guidance with agreements or confidentiality clauses in contracts. There is, unlike in
respect to the use of cloud computing in the financial services the EU, no specific law in Switzerland dealing with the protection of
industry? trade secrets. There are provisions in individual laws dealing with trade
secret protection (eg, in the Criminal Code or in the Unfair Competition
There are no specific rules on cloud computing, but financial services Act). In court proceedings, a party can request the court keep trade
companies need to secure confidentiality of their client data and, as secrets confidential and not disclose them to the counterparty.
a rule, comply with the outsourcing circulars. In addition, the Swiss
Federal Data Protection and Information Commissioner’s ‘Guideline on Branding
Cloud Computing’ applies (see www.edoeb.admin.ch/edoeb/en/home/ 40 What intellectual property rights are available to protect
data-protection/Internet_und_Computer/cloud-computing/guide-to- branding and how do you obtain those rights? How can
cloud-computing.html) . fintech businesses ensure they do not infringe existing
brands?
In Switzerland trademarks can be applied for fintech services and
IP protection for software products. An application for a trademark must be filed with the Swiss
36 Which intellectual property rights are available to protect Federal Institute of Intellectual Property. By first conducting a trade-
software, and how do you obtain those rights? mark research in online databases or with special trademark agents,
fintech businesses can check whether prior identical or similar trade-
Under Swiss copyright law, only works that are considered an intel- marks exist.
lectual creation with an individual character are protected by copyright
(article 2, paragraph 1 of the Swiss Copyright Act). AI as software gener- Remedies for infringement of IP
ally meets these requirements. However, works created by AI cannot 41 What remedies are available to individuals or companies
be considered intellectual creations as they are not made by humans. whose intellectual property rights have been infringed?
These works currently cannot be copyrighted and the author cannot
acquire copyright derivatively. Copyrighted works are protected for 70 There are civil and criminal law remedies. Under the applicable laws
years after the death of the author (50 years with regard to computer (eg, the Swiss Code of Conduct, Copyright Act, Patents Act, Trademark
programs). As a rule, computer programs cannot be patented under Act and Unfair Competition Act) a party whose intellectual property
Swiss law. rights are infringed can file for injunctive relief, a claim for damages,
etc. Under the Criminal Code the party can file a criminal complaint for
IP developed by employees and contractors an offence relating to intellectual property infringements.
employee during the course of employment? Do the same COMPETITION
contractors or consultants? Sector-specific issues
As long as the intellectual property is developed by an employee during respect to fintech companies in your jurisdiction?
the course of employment and in fulfilment of his or her working tasks,
then the intellectual property belongs by virtue of law to the employer. No specific rules have been issued under competition law applicable
With regard to contractors or consultants, these rules do not apply. Here to fintech companies, so that the general rules of Swiss competition
it is decisive that the respective rights are transferred and assigned to law apply. Swiss competition law is to a large extent aligned with EU
the principal. competition law and the discussion in the EU relating to completion law
in the digital economy is closely followed in Switzerland. Therefore, it
can be expected that once the EU applies additional rules to the digital
economy, Switzerland will follow and apply similar rules. With respect
to certain business set-ups involving the exchange of data between
various parties, Switzerland follows the approach of the EU on the

applicability of competition law rules to the exchange of data between
competitors or potential competitors, and a company intentionally facili-
tating this exchange of market relevant data may be held to be in breach
of competition law as well, even if it is not active on the same market.
TAX
Incentives Clara-Ann Gordon

clara-ann.gordon@nkf.ch
and investors to encourage innovation and investment in the Thomas A Frick
fintech sector in your jurisdiction? thomas.a.frick@nkf.ch
There are no tax incentives specifically designed for fintech companies Bahnhofstrasse 53
and investors. However, both companies and investors benefit from the 8001 Zurich
generally favourable Swiss tax environment. The corporate tax rate Switzerland
depends on the exact location of the company but may be as low as 12 Tel: +41 58 800 8000
per cent, the VAT rate is significantly lower than in most EU member Fax: +41 58 800 8080
states and individual investors resident in Switzerland do not pay taxes www.nkf.ch
on gains realised on the sale of equity investments. Very low taxes apply
to capital gains from the sale of equity investments by corporate share-
holders if the participation was held for at least one year and was 10 per
cent or more of the equity of the company. UPDATE AND TRENDS
Increased tax burden Current developments

44 Are there any new or proposed tax laws or guidance that 46 Are there any other current developments or emerging
could significantly increase tax or administrative costs for trends to note?
There are various developments in Switzerland regarding fintech.
There are no new or proposed tax laws that will significantly increase On the regulatory site, an act on establishing a legal and a distribu-
tax. On the contrary, it is envisaged that corporate taxes will be lowered tion framework for a generally accepted digital identity was proposed
significantly in connection with the abolition of certain privileges and may be in a final form by the end of 2019. Furthermore, a draft of a
currently granted to holding companies. Administrative costs for fintech new Data Protection Act, which is currently on hold, will be discussed in
companies may increase to a certain extent for fintech companies quali- Parliament in 2020. But, first and foremost, the proposal for a federal act
fying as an asset manager as asset managers will become prudentially on adapting the federal law to developments of the distributed ledger
supervised under the new Financial Institutions Act, which is expected technology was submitted for discussion in spring 2019; after initial feed-
to become effective by 1 January 2020. back was positive, the final proposal of the government to Parliament was
submitted by the end of 2019. It is currently pending in Parliament but
IMMIGRATION will not become effective prior to 2021. In this draft act, various proposals
for changes to existing Swiss laws are made, in particular regarding new
Sector-specific schemes (integrated) financial infrastructures enabling integrated token trading
45 What immigration schemes are available for fintech platforms, clarifications regarding the law applicable to the transfer of
businesses to recruit skilled staff from abroad? Are there tokens, clarifications and provisions of the anti-money laundering rules
any special regimes specific to the technology or financial and various provisions on the treatment of digital assets in a bankruptcy.
sectors? On the commercial side, there are various initiatives that focus
on establishing wallet providers, trading platforms and other projects
There are no special immigration schemes available for fintech busi- in Switzerland. Two banks obtained a banking licence focused on
nesses or regimes specific to the technology or financial sector. However, digital assets in 2019; a third application is pending, and a number of
citizens of EU member states are entitled to receive a work permit in other banks publicly announced that they will target crypto-markets.
Switzerland under the bilateral agreements between Switzerland and Therefore, 2020 will again see massive developments in connection with
the EU. Furthermore, Switzerland and the United Kingdom prepared the setting-up of infrastructures for the crypto and fintech industry in
a treaty to ensure that UK and Swiss nationals will continue to benefit Switzerland.
from the privileges granted to EU member state citizens after Brexit. There are now also various projects to enable the issuance of secu-
Nationals of a country outside the European Economic Area will require rity tokens and to set up companies with tokenised shares. It is generally
a work permit, which may be subject to quotas. As a rule, work permits expected that 2020 and 2021 will be the years of the asset token.
for highly qualified persons, such as senior managers or technical Various Swiss universities (EPFL, ETH, Basle University and Zurich
experts, will always be available. University) have initiatives regarding further development of research
on fintech. Among others, the Swiss Fintech Innovation Lab at Zurich
University brings together researchers from banking and finance, busi-
ness informatics, management, social sciences, etc.
While the crypto boom of 2017 may be history, the future has only
started for the Swiss financial industry and it can be expected that the
Swiss ecosystem will remain highly dynamic.
218 Fintech 2021

Coronavirus
for clients?
The covid-19 pandemic has brought about some emergency legisla-

tion, in particular government guarantees for bank loans to enterprises.
As the amount of the loan available was linked to turnover, for many
startups the loans were not available. However, several cantons have
special initiatives to secure access to capital, in particular for start-ups
in the tech sector. It is advisable for any start-up to enquire with the
local authorities about what support is available.
Taiwan
Abe T S Sung and Eddie Hsiung
Lee and Li Attorneys at Law
FINTECH LANDSCAPE AND INITIATIVES and explore the possibility of amending the existing rules that pose
obstacles to the experimented financial innovation if put in the real
General innovation climate world. However, depending on the review result of the FSC, the sandbox
1 What is the general state of fintech innovation in your entity or individual might still be required to apply for a relevant licence
jurisdiction? or approval from the FSC to formally conduct the activities as previously
tested in the sandbox.
Taiwan’s law for the fintech regulatory sandbox, the FinTech
Development and Innovation and Experiment Act (the Sandbox Act), was FINANCIAL REGULATION
promulgated on 31 January 2018 and took effect on 30 April 2018. At the
time of writing, seven applications have been approved by the Financial Regulatory bodies
Supervisory Commission (FSC) to enter into the sandbox, as summa- 3 Which bodies regulate the provision of fintech products and
rised below: services?
• to facilitate digital banking business (eg, online credit (credit
card, credit facility)) by means of a mobile phone identity verifica- In Taiwan, the Financial Supervisory Commission (FSC) is the govern-
tion system; ment body regulating all financial products and services. There are
• the outbound remittance by foreign workers through local conveni- four bureaux established under the FSC: the Banking Bureau (BB), the
ence stores (two cases); Securities and Futures Bureau (SFB), the Insurance Bureau (IB) and the
• to use blockchain technology for the transmission of fund transfer Financial Examination Bureau (EB) (collectively the Bureaux). Each of
information between financial institutions; the BB, SFB and IB is separately responsible for regulating the banking,
• to enable customers to purchase travel insurance through the securities and insurance industries. The EB is in charge of financial
website of a travel agency by means of API connections; inspection and audits of financial institutions regulated by the FSC.
• to provide the ‘fund exchange’ service by means of blockchain tech- Currently, none of the four bureaux has been specifically designated to
nology; and regulate fintech products and services. Therefore, it should depend on
• to shorten the fund transmission gap by means of ‘T+0 contract the nature of such products and services to determine which bureau
mechanism’. would be the body regulating the relevant fintech products or services.
As to the mechanism of the regulatory sandbox, the FSC is the
In addition to the sandbox mechanism described above, in 2018, the competent authority; nonetheless, if the tested fintech product and
Taiwan government also supported fintech developments by, for service relates to the regulatory regime of other competent authorities
example, establishing a ‘FinTechSpace’, which is a physical location situ- (such as the Central Bank), the opinion of these relevant authority will
ated in the city of Taipei with an aim to provide relevant assistance to also be consulted by the FSC.
fintech start-ups, such as acting as an intermediary between fintech
start-ups and financial services entities (with respect to potential coop- Regulated activities
eration between the parties), a ‘regulatory clinic’ (ie, free preliminary 4 Which activities trigger a licensing requirement in your
advice provided by government officials regarding regulations), etc. jurisdiction?
Government and regulatory support In Taiwan, conducting finance-related activities generally requires a
2 Do government bodies or regulators provide any support licence from the FSC. These activities include the following, without
specific to financial innovation? If so, what are the key limitation.
benefits of such support? • Securities-related activities: securities underwriting, securities
brokerage, securities dealing (ie, proprietary trading), securities
The regulatory sandbox offers a platform to test new applications of investment trust (ie, asset management) and securities investment
fintech technologies. According to the Sandbox Act, an applicant (who consulting.
can be an entity or individual) needs to obtain an approval from the FSC • General consulting business, such as acting as financial advisers
before entering the sandbox and beginning the experiment. During the or agents to arrange investments or bring about merger or acqui-
experiment period, the experimental activities may enjoy exemptions sition deals, does not require any licence. In addition, acting as
from certain laws and regulations (such as FSC licensing requirements principal in an investment deal does not require any licence (except
and certain legal liability exemptions). After completion of the approved for if a foreign investor should need a foreign investment approval
experiments, the FSC will analyse the results of them. If the result is and investment in regulated industries needs special approvals).
positive, the FSC may review the existing financial laws and regulations • Bank-related activities:
220 Fintech 2021

Lee and Li Attorneys at Law Taiwan
• lending: lending activities do not fall within the business to Offshore funds
be exclusively conducted by a local licensed bank. However, Offshore funds with the nature of a securities investment trust fund
as no financing company may be registered in Taiwan, it is may also be publicly offered (subject to FSC prior approval) or privately
currently not possible for an entity to register as a financing placed (subject to post-filing with the FSC or its designated institution)
company to carry on lending activities in Taiwan; to Taiwan investors, subject to certain qualifications and conditions. An
• factoring and invoice, discounting and secondary market offshore fintech company, which does not have the nature of a securities
loan trading; investment trust fund, will not be allowed to be offered in Taiwan.
• deposit taking;
• foreign exchange trading; Alternative investment funds
• remittance; and 8 Are managers of alternative investment funds regulated?
• electronic payment, credit cards and electronic stored-value
cards. Currently, only securities investment funds, real property trust funds
and futures trust funds (which focus on investment in futures and deriv
Consumer lending atives) are permitted in Taiwan (except that SITEs and securities firms
5 Is consumer lending regulated in your jurisdiction? are now permitted to set up a subsidiary to act as the general partner of
a private equity fund under the structure of limited partnership). These
A local licensed bank may carry on consumer lending activities. funds may only be offered and managed by FSC-licensed entities, such
Although lending activities do not fall within the business to be exclu- as SITEs, banks or futures trust enterprises. A fintech company, which
sively conducted by a local licensed bank, carrying out lending activities is not a SITE, a bank or a future trust enterprise, will not be allowed to
as one of a company’s registered business activities is still not permitted manage these funds in Taiwan.
in Taiwan.
Secondary market loan trading 9 Describe any specific regulation of peer-to-peer or
6 Are there restrictions on trading loans in the secondary marketplace lending in your jurisdiction.
market in your jurisdiction?
While to date there are no laws or regulations specifically regulating or
The general principle under Taiwan’s Civil Code is that any receivable is governing peer-to-peer lending, the Bankers Association of the Republic
assignable unless (1) the nature of the receivable does not permit this of China (the Bankers Association), the self-disciplinary organisation of
transfer; (2) the parties to the loan have agreed that the receivable shall the banking industry, has promulgated the Self-Disciplinary Rules of
not be transferred; or (3) the receivable, in nature, is not legally attach- Business Cooperation between Member Banks of Bankers Association
able. The receivables under loan, subject to (2) above, are generally and Peer-to-Peer Lending Operators (the P2P Self-Disciplinary Rules)
transferable. However, a bank is subject to stricter rules that, gener- and such P2P Self-Disciplinary Rules have been filed with the FSC
ally, loans that remain performing cannot be transferred by a bank, for record.
with some limited exceptions (such as for the purpose of securitisation). According to the P2P Self-Disciplinary Rules, banks may work
For this reason, Taiwan does not currently have an active secondary together with the peer-to-peer lending operators on the following
loan market. matters:
• providing fund custodian services;
Collective investment schemes • providing cash-flow services;
7 Describe the regulatory regime for collective investment • providing credit review and rating services;
schemes and whether fintech companies providing • extending facility by a bank to the customer (ie, the people-to-busi-
alternative finance products or services would fall within its ness model);
scope. • advertising and marketing activities; and
• providing credit document custody services.
Local funds (securities investment trust funds)
The most common form of collective investment scheme in Taiwan is Crowdfunding
securities investment trust funds, which may be offered to the general 10 Describe any specific regulation of crowdfunding in your
public or privately placed to specified persons. Public offering of a jurisdiction.
securities investment trust fund needs prior approval or effective regis
tration with the FSC or the institution designated by the FSC. No prior Equity-based crowdfunding
approval is required for a private placement of a securities investment The following two ways of fundraising are generally known as the
trust fund; however, it can only be placed to eligible investors and within equity-based crowdfunding platforms in Taiwan. These ways of crowd
five days after the payment of the subscription price for initial invest funding are exempted from the prior approval or effective registration
ment offering, a report on the private placement shall be filed with normally required under the Securities and Exchange Act (SEA).
the FSC or the institution designated by the FSC. Generally, the total
number of qualified non-institutional investors under a private place The Go Incubation Board for Startup and Acceleration Firms of the
ment shall not exceed 99. Under current laws and regulations, public Taipei Exchange
offering and private placement of securities investment trust funds may The Taipei Exchange (TPEx), one of the two securities exchanges in
only be conducted by FSC-licensed securities investment trust enter Taiwan, established the Go Incubation Board for Startup and Acceleration
prises (SITEs). Currently, the paid-in capital of a SITE should not be Firms (GISA) in 2014 for the purpose of assisting innovative and creative
lower than NT$300 million, and there exist certain qualifications for the small non-public companies in capital raising.
shareholders of a SITE. A fintech company, which is not a SITE, will not A company with innovative or creative ideas with the potential for
be able to raise funds as a SITE does. development is qualified to apply for GISA registration with the TPEx.
After the TPEx approves the application, the company will first start
Taiwan Lee and Li Attorneys at Law
receiving counselling services from the TPEx regarding accounting, In 2015, the Act Governing Electronic Payment Institutions (the
internal control, marketing and legal affairs. After the counselling E-Payment Act) was enacted. This E-Payment Act regulates the activities
period, there is another TPEx review to examine, among other things, of an electronic payment institution, acting in the capacity of an interme-
the company’s management teams, the role of board of directors, diary between payers and recipients to engage, principally, in (1) collecting
accounting and internal control systems, and the reasonableness and and making payments for real transactions as an agent; (2) accepting
feasibility of the plan for raising capital, and if the TPEx deems appro- deposits of funds as stored value funds; and (3) transfer ring funds
priate, the company may raise capital on the GISA. The amount raised between e-payment accounts. According to the E-Payment Act, an elec-
by the company through the GISA may not exceed NT$30 million unless tronic payment institution should obtain approval from the FSC unless it
otherwise approved. In addition, an investor’s annual maximum amount engages only in (1) above and the total balance of funds collected, paid and
of investment through the GISA should not exceed NT$150,000, except for kept by it as an agent does not exceed the specific amount set by the FSC.
in the case of angel investors defined by the TPEx or wealthy individuals In July 2019, the FSC announced a proposed amendment to the
with assets exceeding an amount set by the TPEx and with professional E-Payment Act. The amendment will merge the E-Payment Act and
knowledge regarding financial products or trading experience. E-Card Act. In addition, according to the proposed amendment, if
approved by the FSC, an electronic payment institution or non-elec-
Equity-based crowdfunding on the platforms of securities firms tronic payment institution would be able to provide limited remittance
A securities firm may also establish a crowdfunding platform and services, which is currently a service exclusive to banks. With the expan-
conduct equity crowdfunding business. Currently, a company with sion of the services that electronic payment institutions can provide, it
paid-in capital of less than NT$50 million may enter into a contract with is anticipated that this amendment will promote the development of the
a qualified securities firm to raise funds through the crowdfunding plat electronic payment market in Taiwan. The amendment to the E-Payment
form maintained by the securities firm, provided that the total amount of Act is expected to be discussed in the Legislative Yuan of Taiwan and will
funds raised by the company through all securities firms’ crowdfunding hopefully be passed in 2020.
platforms in a year may not exceed NT$30 million. The amount of invest-
ment made by an investor on a securities firm’s platform may not exceed Open banking
NT$50,000 for each subscription, and may not exceed NT$100,000 in 13 Are there any laws or regulations introduced to promote
aggregate in a year, except for in the case of angel investors as defined competition that require financial institutions to make
in the relevant regulations. customer or product data available to third parties?
Non-equity-based crowdfunding While the FSC has the general power to request the provision of
In 2013, the TPEx established the ‘Gofunding Zone’ on its official website. customer or product data by financial institutions to the FSC, in practice,
This mechanism allows the non-equity-based crowdfunding platform the FSC's relevant regulations, directions or guidelines also require that
operators, once approved by the TPEx, to post information regarding financial institutions provide relevant customer and product data (such
their proposals and projects on the Gofunding Zone. However, in May as data relating to credit extensions, credit cards and derivatives) to the
2018, the TPEx announced that owing to the significant developments Joint Credit Information Center (JCIC) for banks' use of credit check in
in the crowdfunding business, the phased task of the TPEx to support terms of credit extension.
this business had been completed, and, thus, it decided to close the In addition, in response to support of 'open banking' from some
Gofunding Zone and annulled relevant rules. industry experts and market players, the FSC has demanded that the
Bankers Association set out relevant self-regulatory rules to implement
Invoice trading the concept of open banking in Taiwan. The FSC did not wish to set
11 Describe any specific regulation of invoice trading in your out mandatory disclosure rules for banks and, instead, asked the self-
jurisdiction. regulatory organisation (ie, the Bankers Association) and the Financial
Information Service Company to set out relevant rules and information
The general principle under Taiwan’s Civil Code is that any receivable is security standards for banks to follow. The first stage of open banking
assignable unless (1) the nature of the receivable does not permit this was launched in late 2019, which allowed public product information
transfer; (2) the parties to the loan have agreed that the receivable shall to be searchable by third parties (ie, third-party service providers).
not be transferred; or (3) the receivable, in nature, is not legally attach- According to relevant news reports, the newly appointed FSC chair-
able. The receivables under loan, subject to (2) above, are generally person, Mr Huang, announced that the second stage of open banking
transferable. However, a bank is subject to stricter rules that, gener- (which involves customer-related information) will be launched in 2020.
ally, loans that remain performing cannot be transferred by a bank, with
some limited exceptions (such as for the purpose of securitisation). Robo-advice
In general, no company may carry out the activities of receivable 14 Describe any specific regulation of robo-advisers or other
transfer for business. Purchase of accounts receivable may only be companies that provide retail customers with automated
conducted by a licensed bank. access to investment products in your jurisdiction.
Payment services In June 2017, the Securities Investment Trust and Consulting Association
12 Are payment services regulated in your jurisdiction? of Taiwan, the self-disciplinary organisation of the asset manage-
ment industry, issued the Operating Rules for Securities Investment
Yes. Traditionally, payments by wire transfer can only be made through Consulting Enterprises Using Automated Tools to Provide Consulting
a licensed bank. Payments via cheques and credit cards are also run Service (Robo-Adviser) (the Robo-Adviser Rules), which was approved
through banks. by the FSC. Pursuant to the Robo-Adviser Rules, securities invest-
Non-banks engaging in credit card-related business and issuance ment consulting enterprises may provide online securities investment
of electronic stored-value cards should also obtain approval from the consulting services by using automated tools through an algorithm
FSC, pursuant to the Act Governing Issuance of Electronic Stored Value (Robo-Advisor Services) and they must comply with certain rules, which
Cards (the E-Card Act). include, among others, the following:
222 Fintech 2021

• periodical review of the algorithm; SALES AND MARKETING

• relevant know-your-customer procedures should be conducted
before the provision of advice; Restrictions
• a special committee should be established to supervise the 19 What restrictions apply to the sales and marketing of
adequacy of the Robo-Adviser Services; and financial services and products in your jurisdiction?
• customers should be informed of precautions before using Robo-
Adviser Services. The Financial Consumer Protection Act (FCPA) and its related regula-
tions provide for the general marketing rules applicable to the marketing
Insurance products materials for financial services. In general, under the FCPA, when
15 Do fintech companies that sell or market insurance products carrying out advertising, promotional or marketing activities, financial
in your jurisdiction need to be regulated? services providers should not falsify, conceal, hide or take any action
that would mislead financial consumers and they should ensure the
In Taiwan, selling insurance products will be considered conducting truthfulness of the advertisements. In addition to the general marketing
insurance business, which requires an insurance licence from the rules under the FCPA, the financial service providers may also be
FSC. A fintech company is not permitted to sell any insurance products subject to additional marketing rules as specified in the laws and regu-
without an insurance licence from the FSC. lations governing the specific types of financial services or products.
Credit references CHANGE OF CONTROL

credit information services in your jurisdiction? Notification and consent
Yes. Pursuant to the Banking Act and relevant regulations, an entity requirements if a regulated business changes control.
collecting credit-related information from financial institutions,
processing this information and maintaining the relevant database and The rules relating to notification or approval requirements for change of
providing credit-related information and records to financial institu- control of a financial services company vary among the types of compa-
tions for credit-checking purposes must obtain prior approval from the nies. For example:
FSC. Currently, the JCIC is the only FSC-authorised entity that offers • bank: a prior approval must be obtained from the Financial
these services. In practice, a bank would normally review the credit Supervisory Commission (FSC) if an investor or its related parties
information or records provided by the JCIC as part of the bank’s credit has individually, jointly or collectively acquired or held more than
investigation on an applicant for a credit extension. 10 per cent, 25 per cent or 50 per cent of the voting shares of a bank;
If an entity does not offer these services, no FSC approval is • securities firm: no prior approval from the FSC is required;
required, but it will still be subject to the Personal Data Protection Act • securities investment trust enterprise (SITEs): if the professional
regarding its collection and use of any personal data. shareholder of a SITE intends to transfer its shareholding in the
SITE, the SITE should report to the FSC the transfer of shares
CROSS-BORDER REGULATION before the transfer is conducted; and
• securities investment consulting enterprise: no prior approval
Passporting from the FSC is required.
17 Can regulated activities be passported into your
jurisdiction? FINANCIAL CRIME
There is no concept of passporting right in Taiwan. To engage in regu- Anti-bribery and anti-money laundering procedures
lated financial activities, a company needs to apply for the relevant 21 Are fintech companies required by law or regulation to have
licences to the Financial Supervisory Commission (FSC). Depending on procedures to combat bribery or money laundering?
the types of regulated activities, the applicant must meet certain qualifi-
cations as required under relevant laws and FSC regulations. Money laundering activities are mainly regulated by the Money
Laundering Control Act (MLCA) (last amended on 7 November 2018) and
Requirement for a local presence its related regulations. Under the MLCA, in order to prevent money laun-
18 Can fintech companies obtain a licence to provide financial dering activities, financial institutions are required to implement their
services in your jurisdiction without establishing a local own internal anti-money laundering guidelines and procedures and
presence? submit them to the Financial Supervisory Commission (FSC) for record.
With respect to digital currency platform operators or transac-
No. Foreign companies cannot carry on regulated business (which tions, it was reported that, according to Mr Koo, the ex-chairperson of
include financial services) without a licence, and the FSC licences the FSC, the FSC will regulate the anti-money laundering activities of
required for providing financial services are not issued to foreign cryptocurrency trading platforms or exchanges under the MLCA after
companies without establishing a subsidiary or a branch in Taiwan. the Executive Yuan officially authorises the FSC as the regulator. As at
the time of writing, the Executive Yuan has not granted this authorisa-
tion to the FSC. In addition, it is unclear at this stage what requirements
will be imposed by the FSC on anti-money laundering activities of cryp-
tocurrency trading platforms or exchanges.
Guidance Securitisation confidentiality and data protection requirements

22 Is there regulatory or industry anti-financial crime guidance 26 Is a special purpose company used to purchase and securitise
for fintech companies? peer-to-peer or marketplace loans subject to a duty of
No. relating to the borrowers?
PEER-TO-PEER AND MARKETPLACE LENDING Personal information is protected by the Personal Data Protection Act
(PDPA) and the collection and use of any personal data is subject to
Execution and enforceability of loan agreements notice and consent requirements. If a special-purpose company, when
23 What are the requirements for executing loan agreements or purchasing and securitising loans, acquires any personal data, it will be
security agreements? Is there a risk that loan agreements subject to the obligations under the PDPA.
marketplace lending platform will not be enforceable? ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER
There are no particular formality requirements for executing loan agree-
ments. As to security agreements, under Taiwan law, different types of Artificial intelligence
asset are subject to different formality requirements for perfection of a 27 Are there rules or regulations governing the use of artificial
security interest created over them. The formality requirements for the intelligence, including in relation to robo-advice?
most commonly seen security interests are as follows.
• Chattels: there must be a written agreement to create a chattel The Taiwan government announced the 5+2 Industrial Innovation Plan
mortgage. The mortgagor needs not deliver the possession thereof (the 5+2 Plan) in 2008, in which artificial intelligence played an impor-
to the mortgagee; however, a registration with the competent tant role. The 5+2 Plan mainly focuses on seven industries (ie, intelligent
authority will be necessary for the mortgagee to claim the chattel machinery, Asia Silicon Valley, green energy, biomedicine, national
mortgage against a bona fide third party. defence and aerospace, new agriculture and the circular economy),
• Real properties: security interest over real properties is taken by and is considered the core generator for Taiwan’s next generation of
way of a mortgage registered with the relevant land registration industrial development. To facilitate the 5+2 Plan, the government also
offices. The parties must enter into a written agreement to agree launched the AI Talent Programme, which aims to:
on the creation of the mortgage and apply for registration of the • cultivate 1,000 high-calibre talents in intelligent technologies;
mortgage before the mortgage can take effect. • train 5,000 talents in practical intelligent technologies; and
• Shares: to create a pledge over shares, the pledgor and pledgee • attract foreign professionals by the year 2021.
should enter into a written agreement. If the shares are repre-
sented by physical certificates, the pledged share certificates Nevertheless, the development of application of artificial intelligence in
should also be duly endorsed by the pledgor and physically deliv financial business in Taiwan is still at a preliminary stage. The main
ered into the pledgee’s possession. A notice of pledge to the issuing application involves correspondence with clients, such as through
company is also required. If the shares are listed and deposited to Chatbot and Robo-Adviser Services.
or registered with the local securities depository (ie, the Taiwan
Depositary and Clearing Corporation (TDCC)), the above endorse- Distributed ledger technology
ment, physical delivery of the shares and notification to the issuing 28 Are there rules or regulations governing the use of
company are not required; instead, a pledge registration of the distributed ledger technology or blockchains?
shares in the TDCC’s book-entry system in accordance with the
TDCC’s regulations will suffice. No.
No different rules apply to cases of peer-to-peer lending.
Crypto-assets
Assignment of loans 29 Are there rules or regulations governing the use of crypto-
24 What steps are required to perfect an assignment of assets, including digital currencies, digital wallets and
loans originated on a peer-to-peer or marketplace lending e-money?
assignment is not perfected? Is it possible to assign these Digital currencies (such as virtual currencies or cryptocurrencies with
loans without informing the borrower? the applications of blockchain technology) that are not linked or tied to
the currency of any nation are currently not accepted by the Central
An assignment will not be effective against the borrower until the Bank of the Republic of China (Taiwan) (the Central Bank) as currencies.
borrower has been notified of this assignment. If the borrower is not In December 2013, both the Central Bank and the Financial Supervisory
notified of the assignment, the borrower may still make the repayment Commission (FSC) expressed the government’s position toward bitcoin
to the assignor and discharge its repayment obligation by doing so. by issuing a joint press release (the 2013 Release). According to the
2013 Release, the two authorities held that bitcoin should not be consid-
Securitisation risk retention requirements ered a currency, but a highly speculative digital virtual commodity. In
25 Are securitisation transactions subject to risk retention another FSC press release in 2014 (the 2014 Release), the FSC ordered
requirements? that local banks must not accept bitcoin or provide any other services
related to bitcoin (such as exchange bitcoin for fiat currency). The FSC
There are no mandatory risk retention requirements for securitisation further issued a press release on 19 December 2017 (the 2017 Release),
as prescribed for in the Financial Asset Securitisation Act of Taiwan. in which the FSC reiterated the government’s positions as specified in
the 2013 Release and 2014 Release. Other than the above, no laws, regu-
lations or rulings have been officially issued, promulgated or amended
224 Fintech 2021

to specifically deal with the rise of digital currencies, except for the Regulations on issuance (primary market):
regulations governing tokens with the nature of securities. • Qualifications of the issuer: the issuer must be a company limited by
Non-banks engaging in credit card-related business and issuance shares incorporated under the laws of Taiwan and not a company
of electronic stored-value cards should also obtain approval from the listed on the Taiwan Stock Exchange, the TPEx or traded on the
FSC, pursuant to the Act Governing Issuance of Electronic Stored Value Emerging Stock Market. This indicates that a foreign entity may not
Cards. Banks providing mobile payment services must comply with act as an issuer of an STO programme.
relevant FSC rules on, among others, security control. • Types of security tokens that can be issued: the issuer can only
issue profit-sharing or debt tokens without shareholders’ rights,
Digital currency exchanges meaning that shares, being a type of securities under SEA, with
30 Are there rules or regulations governing the operation of regular shareholders’ rights of an issuer cannot be issued in the
digital currency exchanges or brokerages? form of security tokens, while bonds can be issued as debt tokens.
• Eligible investors and amount limits: only professional inves-
So far no Taiwanese laws or regulations have been promulgated tors are eligible to participate in STOs; where the professional
or amended to formally regulate the operation of digital currency investor is a natural person, the maximum subscription amount is
exchanges or brokerages in Taiwan, except for the regulations governing NT$300,000 per STO.
ICO tokens with the nature of securities as well as the platform operator • Issuance process: issuers must conduct STOs on a single plat-
for these tokens. form, and the platform operator has the obligation to ensure
that the issuer meets the qualification requirements and that the
Initial coin offerings prospectus is well prepared. Where the platform operator itself is
31 Are there rules or regulations governing initial coin offerings an STO issuer, this issuer should not launch an STO without a prior
(ICOs) or token generation events? review by the TPEx.
Regulations on trading (secondary market):
In response to the rising amount of ICOs and other investment activi- • Trading mechanism for security tokens: the platform oper-
ties regarding digital currencies and cryptocurrencies, the FSC also ator should obtain a securities dealer licence and handle the
expressed the following views on ICOs through the 2017 Release. trading by way of price negotiation. The platform operator
• The classification of an ICO should be determined on a case-by-case should be the counterparty to every transaction and should
basis. If an ICO involves offering and the issuance of securities, it offer a reasonable reference quotation based on the market
should be subject to the Securities and Exchange Act (SEA). The conditions. In addition, each security token under an STO
issue of whether tokens in an ICO would be deemed securities programme may be traded only on a single platform.
under the SEA would depend on the facts of each individual case. • Maximum transaction amount: where the professional investor
• If any misrepresentations with respect to technologies or their is a natural person, the maximum amount of holding under
outcomes or promises of unreasonably high returns are used by an STO programme is NT$300,000. In addition, the maximum
the issuer of virtual currencies or an ICO to attract investors, the daily transaction limit for each STO is 50 per cent of the total
issuer would be deemed as committing fraud or illegal fundraising. issuance amount under such STO programme.
On 3 July 2019, the FSC issued a ruling that officially designated cryp- An STO platform operator:
tocurrencies the nature of securities, (ie, security tokens, described • Qualifications of the platform operator: the platform operator
as 'securities' under the SEA (the 2019 Ruling)). According to the 2019 should obtain a securities dealer licence, have minimum paid-in
Ruling, security tokens refer to those that: capital of NT$100 million and provide an operation bond in the
• utilise cryptography, distributed ledger technology or other similar amount of NT$10 million.
technology to represent the value that can be stored, exchanged or • Total offering amount capacity: the total offering amount of all STOs
transferred through digital mechanisms; on a single platform should not exceed NT$100 million. A platform
• are transferable; and can accept to process a second STO only one year after the security
• encompass all of the following attributes of an investment: tokens of the first STO have been traded on the platform.
• funding is provided by investors; • Transfer and record keeping: the platform operator should enter
• funding provides for a common enterprise or project; into an agreement with the Taiwan Depository and Clearing
• investors expect to receive profits; and Corporation (TDCC) and transmit the trading information, such as
• profits are generated primarily from the efforts of the issuer balance changes and the balance statement, to the TDCC for its
or third parties. record on a daily basis. The TDCC should provide an STO balance
inquiry service to investors.
In addition to the 2019 Ruling, the FSC issued a press release on 27 June
2019 to illustrate the key points of the FSC's policy on security token Subscription and trading
offerings (STOs). Since then, the FSC and the Taipei Exchange (TPEx) Subscription and trading of security tokens should be conducted on a
have set out the regulations governing STOs (the STO Rules), and the real-name basis and the transactions must be conducted in New Taiwan
STO Rules were finalised in January 2020. Specifically, the FSC differ- Dollar under the same name as the account name of the bank account.
entiates the regulation of different STOs using the threshold of NT$30
million. For an STO of NT$30 million or less, the STO may be conducted
in compliance with the STO Rules; an STO above NT$30 million must
first apply to be tested in the ‘financial regulatory sandbox’ pursuant to
the FinTech Development and Innovation and Experiment Act and, if the
experiment has a positive outcome, should be conducted pursuant to
SEA. Below is a summary of certain other major provisions of the STO
Rules (ie, for STOs of NT$30 million or less).
DATA PROTECTION AND CYBERSECURITY As for other financial services companies, there exists no single
regulation that governs their outsourcing activities, and, generally,
Data protection outsourcing is allowed only if the FSC has issued any ruling permitting
32 What rules and regulations govern the processing and it. For example, a securities investment trust enterprise is permitted to
transfer (domestic and cross-border) of data relating to outsource its operation of evaluating fund assets, calculation of a fund’s
fintech products and services? net worth and fund accounting to a professional institution, subject to
applicable requirements specified under the relevant FSC rulings.
In Taiwan, personal data is generally protected by the Personal Data When the use of cloud computing involves outsourcing the
Protection Act (PDPA). Under the PDPA, unless otherwise specified operations of a financial institution, relevant laws and regulations
under law, a company is generally required to give notice to (notice governing outsourcing activities should be complied with. In general,
requirement) and obtain consent from (consent requirement) an indian outsourcing activity should follow the internal rules and procedures
vidual before collecting, processing or using any of this individual’s of the financial institutions, and in certain circumstances, prior approval
personal information, subject to certain exemptions. To satisfy the from the FSC would be required. The use of cloud computing should
notice requirement, certain matters must be communicated to the indi- also comply with the Personal Data Protection Act.
vidual, such as the purposes for which his or her data is collected, the
type of the personal data and the term, area and persons authorised to Cloud computing
use the data. 35 Are there legal requirements or regulatory guidance with
respect to the use of cloud computing in the financial services
Cybersecurity industry?
businesses? When the use of cloud computing involves outsourcing the opera-
tions of a financial institution, relevant laws and regulations governing
Different cybersecurity regulations or standards may apply to different outsourcing activities should be complied with. In general, an
types of financial service entities or their products or services. For outsourcing activity should follow the internal rules and procedures of
example, if a type of fintech business is considered to fall within the the financial institutions, and, in certain circumstances, prior approval
scope of electronic banking business, in addition to the relevant licensing from the FSC would be required. The use of cloud computing should
requirements under certain financial regulations, it should also comply also comply with the Personal Data Protection Act.
with the rules governing the security control for this business. According to the Regulations Governing Internal Operating Systems
With respect to the 'regulatory sandbox' under the FinTech and Procedures for the Outsourcing of Financial Institution Operation as
Development and Innovation and Experiment Act, relevant description last amended on 30 September 2019, a prior approval from the FSC is
regarding the information system and security control is required for an required if an outsouring of operations by a financial institution involves
application for entering the sandbox. cloud-based services and the outsourcing of operations is consid-
The Cyber Security Management Act (CSMA) was enacted in June ered ‘material’ or the operation is outsourced to an overseas service
2018. According to the CSMA, financial services firms would be required provider. Further, when the outsourcing involves cloud-based services,
to comply with relevant obligations (including, among other things, the financial institution must, among other things: ensure appropriate
requirements for meeting a specific security level, setting up relevant diversification of cloud service providers; retain full ownership of the
internal rules for implementing plans for maintaining information data outsourced to cloud service providers; and ensure the location for
security and reporting to the government in case of any cyber security processing and storage is within Taiwan (with certain exceptions).
incident) under the CSMA if they are designated by the Taiwan govern-
ment as the ‘critical infrastructure provider’ (CIP) under the CSMA. INTELLECTUAL PROPERTY RIGHTS
While we think that no specific fintech business would be designated
as a CIP, the CSMA would still apply to fintech businesses if the types IP protection for software
of financial service entities carrying out these fintech business activities 36 Which intellectual property rights are available to protect
are considered Financial Supervisory Commission-regulated entities software, and how do you obtain those rights?
and are designated as CIPs by the Taiwan government.
Software can be protected by intellectual property rights such as patent,
OUTSOURCING AND CLOUD COMPUTING copyright or trade secret. As to patent, an inventor may file an applica
tion with Taiwan’s Intellectual Property Office, and the patent right will
Outsourcing be obtained once the application is approved. For copyrights and trade
34 Are there legal requirements or regulatory guidance with secrets, there are no registration or filing requirements for a copyright
respect to the outsourcing by a financial services company of or a trade secret to be protected by law. However, there are certain
a material aspect of its business? features that qualify a copyright or trade secret, such as ‘originality’
and ‘expression’ for copyrights, and ‘economic valuable’ and ‘adoption
The legal requirements with respect to the outsourcing by a financial of reasonable protection measures’ for trade secrets.
services company vary among the types of companies. For example, According to the Patent Act of Taiwan, the subject of a patent right
a bank’s outsourcing must comply with the Regulations Governing is ’invention’ and an invention means the creation of technical ideas,
Internal Operating Systems and Procedures for the Outsourcing of utilising the laws of nature. As a general rule, business methods are
Financial Institution Operation (the Banks Outsourcing Regulations), regarded as using social or business rules rather than laws of nature,
under which only the activities enumerated in the Banks Outsourcing and therefore may not be the subject of a patent right. As for software-
Regulations can be outsourced (subject to relevant requirements, implemented inventions, if it coordinates the software and hardware to
such as supervision of the outsourced party and the contract with the process the information, and there is a technical effect in its operation, it
outsourced party), and outsourcing of some activities would require might become patentable. For instance, a ‘method of conducting foreign
prior approval from the Financial Supervisory Commission (FSC). exchange transaction’ would be deemed as a business method and thus
226 Fintech 2021

unpatentable; however, a ‘method of using financial information system order should not use the trade secrets for purposes other than those
to process foreign exchange transactions’ might be patentable. related to the court trial or disclose the trade secrets to those who are
not subject to the order.
37 Who owns new intellectual property developed by an Branding
employee during the course of employment? Do the same 40 What intellectual property rights are available to protect
rules apply to new intellectual property developed by branding and how do you obtain those rights? How can fintech
contractors or consultants? businesses ensure they do not infringe existing brands?
Intellectual property developed by an employee during the course The Trademark Act in Taiwan provides for the protection of brands. The
of employment rights of trademarks can be obtained through registration with Taiwan’s
With regard to a patent, the right of an invention made by an employee Intellectual Property Office. The term of protection is 10 years from the
during the course of performing his or her duties under employment date of publication of the registration and may be renewed for another
will be vested in his or her employer and the employer should pay 10 years by filing a renewal application.
the employee reasonable remuneration unless otherwise agreed by Every registered trademark will be published on the official website
the parties. maintained by the Intellectual Property Office and the trademark search
A trade secret is the result of research or development by an system is accessible by the general public. On the search system, a
employee during the course of performing his or her duties under fintech business may check whether an identical or similar trademark
employment and it will belong to the employer unless otherwise agreed exists and who the proprietor of a registered trademark is.
by the parties.
For copyright, where a work is completed by an employee within Remedies for infringement of IP
the scope of employment, the employee is the author of the work but 41 What remedies are available to individuals or companies
the economic rights to this work will be enjoyed by the employer unless whose intellectual property rights have been infringed?
otherwise agreed by the parties.
Patent
Intellectual property developed by contractors or consultants With regard to infringement of an invention patent, the patentee may
In respect of patent rights and trade secrets, the agreement between claim for damage suffered because of the infringement. The amount
the parties will prevail, or these rights will be vested in the inventor or of damages may be calculated by the damage suffered and the loss of
developer in the absence of such agreement. However, if there is a fund profits as a result of the infringement; profit earned by the infringer as
provider, the funder may use this invention. a result of patent infringement; or the amount calculated on the basis
In respect of copyright, the contractor or the consultant who actu of reasonable royalties. If the infringement is found to be caused by the
ally makes the work is the author of the work unless otherwise agreed infringer’s wilful act of misconduct, the court may triple the damages to
by the parties; the enjoyment of the economic rights arising from the be awarded. Patent infringements have been decriminalised since 2003.
work should be agreed by the parties, or these rights will be enjoyed
by the contractor or the consultant in the absence of such agreement. Copyright
However, the commissioning party may use the work. The damage suffered because of copyright infringement may be claimed
in the process of civil procedure. As for criminal liabilities, there are
Joint ownership different levels depending on different types of infringement, ranging
38 Are there any restrictions on a joint owner of intellectual from imprisonment, of no more than three years, and detention to a fine
property’s right to use, license, charge or assign its right in of no more than NT$750,000.
Trademark
In respect of patents and trademarks, each joint owner may use the The damage suffered because of trademark infringement may be
jointly owned rights at his, her or its discretion; however, a joint owner claimed in the process of civil procedure. As for criminal liabilities, any
may not license or assign the jointly owned rights without consent of all person shall be liable to imprisonment for a period not exceeding three
the other joint owners. In respect of copyrights and trade secrets, each years or a fine not exceeding NT$200,000, or both, if he or she:
joint owner may not use, license or assign the rights without unanimous • uses a trademark that is identical to the registered trademark in
consent of the other joint owners, while the other joint owners may not relation to identical goods or services;
withhold the consent without reasonable cause. • uses a trademark that is identical to the registered trademark in
relation to similar goods or services and hence there exists a likeli
Trade secrets hood of confusion for relevant consumers; or
39 How are trade secrets protected? Are trade secrets kept • uses a trademark that is similar to the registered trademark in
confidential during court proceedings? relation to identical or similar goods or services and there exists a
likelihood of confusion for relevant consumers.
Trade secrets are protected if they satisfy the following constituent
elements: information that may be used in the course of production, Trade secrets
sales or operations; having the nature of secrecy; economic value; and The damage suffered because of infringement of trade secrets may be
adoption of reasonable protection measures. claimed in the process of civil procedure. As for criminal liabilities, a
To keep the trade secrets confidential during court proceedings, person may be sentenced to a maximum of five years imprisonment and,
the court trial may be held in private if the court deems it appropriate in addition, a fine between NT$1 million and NT$10 million if he or she:
or it is otherwise agreed upon by the parties. The parties and a third 1 acquires a trade secret by an act of theft, embezzlement, fraud,
party may also apply to the court for issuing a ‘confidentiality preserva threat, unauthorised reproduction or other wrongful means, or
tion order’, and the person subject to this confidentiality preservation uses or discloses a trade secret that has been acquired;
2 carries out an unauthorised reproduction of, or uses or discloses, a

trade secret that he or she has knowledge or possession of;
3 fails to delete or destroy a trade secret in his or her possession as
the trade secret holder orders, or disguises it; or
4 knowingly acquires, uses or discloses a trade secret known or
possessed by others that is under the circumstances specified in
points (1) to (3) above.
COMPETITION Abe T S Sung

abesung@leeandli.com
Sector-specific issues Eddie Hsiung
42 Are there any specific competition issues that exist with eddiehsiung@leeandli.com
8F, No. 555, Sec 4, Zhongxiao E Road
In April 2016, the Financial Supervisory Commission (FSC) issued a Taipei 11072
press release pointing out the regulatory issues that may arise from Taiwan
peer-to-peer lending activities. According to this and other sources, the Tel: +886 2 2763 8000
FSC is of the view that: Fax: +886 2 2766 5566
• if it is arranged that the lender (as a member of the platform) www.leeandli.com
splits the original credit into several parts and in turn allocates
and ‘sells’ the divided parts to other ‘members’ for investment with
high return, it might involve regulatory issues regarding multilevel
marketing; or IMMIGRATION
• if the platform operators claim that the transaction has the nature
of high return, low cost and low risk, it might constitute false or Sector-specific schemes
misleading advertising and would result in a violation of the Fair 45 What immigration schemes are available for fintech
Trade Act. businesses to recruit skilled staff from abroad? Are there
The above two issues are under the supervision of the Fair Trade sectors?
Commission.
The Act for the Recruitment and Employment of Foreign Professionals,
TAX as enacted in 2017, aims to attract foreign talents to increase Taiwan’s
competitiveness. Although this Act was not specifically enacted for the
Incentives area of fintech, we believe that fintech talents would be among those that
43 Are there any tax incentives available for fintech companies Taiwan wants to attract. The key measures proposed under this Act are:
and investors to encourage innovation and investment in the • the relaxation of regulations on work, visa and residence;
fintech sector in your jurisdiction? • the easing of provisions concerning the stay or residence of
parents, spouses and children; and
Currently, there are no tax incentives specifically provided for fintech • providing benefits regarding retirement, insurance and tax.
companies.
Generally, a company may choose to credit either up to 15 per UPDATE AND TRENDS
cent of its total expenditure on research and development against its
corporate income tax payable for that year; or up to 10 per cent of its Current developments
total expenditure on research and development against its corporate 46 Are there any other current developments or emerging
income tax payable for each of the three years starting from that year, trends to note?
provided that the deduction amount did not exceed 30 per cent of the
corporate income tax payable for the company in that year and that it did Digital-only banks
not commit any material violation of any law on environmental protec- In 2018, the Financial Supervisory Commission (FSC) promulgated
tion, labour or food safety and sanitation in the past three years. To relevant regulations governing the application for establishment of
apply such tax credits, a company must apply to and receive approval digital-only banks (ie, banks without physical branches). Three applica-
from the government. tions were filed with the FSC by 15 February 2019 and all of them were
approved 30 July 2019, and they are expected to start operating in 2020.
Increased tax burden The establishment of digital-only banks is anticipated to encourage
44 Are there any new or proposed tax laws or guidance that cross-industry combinations and fintech applications for everyday life
could significantly increase tax or administrative costs for by building a fintech ecosphere.
Currently there are no such new tax laws or guidance and, to our under-
standing, currently there are no such proposals.
228 Fintech 2021

Coronavirus
for clients?
No. There is no covid-19-related emergency legislation nor are there

measures with respect to fintech in Taiwan.
Turkey
Cigdem Ayozger Ongun and Begum Erturk
SRP-Legal Law Firm
FINTECH LANDSCAPE AND INITIATIVES Law No. 4691 and its implementing regulation. This law provides lower
corporate income tax, withholding tax, income tax exemptions, employer
General innovation climate social security contribution support payments and value-added tax
1 What is the general state of fintech innovation in your exemptions for fintech start-ups. Moreover, the Presidential Decree on
jurisdiction? State Incentives Provided to Investments, which entered into force on 7
August 2019, saw a recent amendment that scrapped large-scale infra-
There is a dynamic fintech climate in Turkey and all areas of the market structure project investments from the incentive regime and introduced
are ripe for investment. The fintech ecosystem in Turkey in 2019 was increased incentives for R&D activities and value-added technology
one of the most important areas, as eight fintech companies (ie, credit production.
scoring, payment and e-money institutions) were launched, and, accord- Besides this, government support may be seen in the 11th
ingly, they were partially or totally acquired by local and foreign fintech Development Plan of Turkey (the 11th Plan), which was published in
or technology companies. the Official Gazette on 23 July 2019. The 11th Plan includes objectives
In the Turkish fintech ecosystem there are services (ie, payment directly related to the Turkish financial technology ecosystem.
and e-money services, money transfer and remittance, bill payment Finally, the Amendment to the Law on Payment and Securities
and system operator services) that are regulated under Turkish law, Settlement Systems, Payment Services and Electronic Money
while others (ie, lending and credit scoring, digital wallet and applica- Institutions (the Amendment), in line with the requirements of the
tion programming interface providers) are not. However, in less than a Payment System Services Directive II (Directive 2015/2366), entered
year, new regulations with regard to open banking, equity and lending- into force on 1 January 2020. The Amendment set forth a provision
based crowdfunding entered into force. Therefore, the upcoming years of the establishment of the Turkish Payment Services and Electronic
are expected to contain more new developments in Turkish fintech law. Money Association (the Association), which entered into force on 22
May 2020. Accordingly, all payment and electronic money institutions
Government and regulatory support are required to become members of the Association. The duties of the
2 Do government bodies or regulators provide any support Association include, among other things, carrying out professional
specific to financial innovation? If so, what are the key training, research and advertising activities, establishing standards for
benefits of such support? the industry and helping ensure coordination among members and with
the regulator.
In Turkey, investments have been supported pursuant to the Decision
on State Aid in Investments brought into force with Decision of the FINANCIAL REGULATION
Council of Ministers No. 2012/3305 and its Implementing Communiqué
No. 2012/1; the Decision on Providing Project Based State Aid to Regulatory bodies
Investments brought into force with Decision of the Council of Ministers 3 Which bodies regulate the provision of fintech products and
No. 2016/9495; and Communiqué No. 30892 on the Code of Practice of services?
Technology-Oriented Industrial Movements Programme (Communiqué
No. 30892). Latest developments concern the Communiqué No. 30892: The Legislative Proposal to Amend the Law on Payment and Security
its amendments were published in the Official Gazette No. 30969 on, and Settlement Systems, Payment Services, and Electronic Money
were effective from, 5 December 2019. Institutions and Other Laws (the Amending Law) was published in
Investment incentives are provided to all entities that meet the the Official Gazette No. 30956 on 22 November 2019 and entered
requirements pursuant to the above-mentioned laws and regulations. into force on 1 January 2020. On the effective date of the Amending
One of the purposes of the incentives is supporting high and medium-high Law, the powers of the Banking Regulation and Supervision Agency
technology investments that will provide technological transformation. (BRSA) set forth under the Law on Payment and Securities Settlement
Unlike many other information technology or e-commerce projects, Systems, Payment Services and Electronic Money Institutions (Law No.
fintech projects are more likely to benefit from R&D incentives because 6493) were transferred to the Central Bank of the Republic of Turkey
of the nature of fintech and its requirements, such as security, payment (CBRT). Accordingly, the CBTR has the authority to monitor legal rela-
infrastructure, user experience and mobility. tions to which the payment service providers are a party owing to their
During the establishment phase of fintech start-ups, there are activities in order to determine issues and areas for development. The
alternatives, such as private incubation centres, techno-centres and Amending Law also grants the CBTR the authority to determine the
collaboration offices, that may allow fintech start-ups to benefit from tax rules and procedures of the legal relations therein and form working
advantages. In addition to these investment incentive-focused regula- committees if it deems the relevant activities harmful to the area of
tions, fintech start-ups may also benefit from Technology Development payments. Finally, the CBRT is entitled to issue payments, e-money and
230 Fintech 2021

SRP-Legal Law Firm Turkey
system operator licences pursuant to the Law No. 6493, the Regulation There are no registration requirements with the authorities in Turkey
on Payment Services and Electronic Money Issuance and Payment for a transfer or assignment to be effective.
Institutions and the Communiqué on the Management and Supervision On the other hand, debt instruments, which can only be provided
for Information Systems of the Payment E-Money Institutions. by the above-mentioned institutions, can be purchased and sold in the
In addition to the CBRT, the Turkish Financial Crimes Investigation secondary market under the Capital Markets Law and regulations.
(MASAK), which acts as Turkey's financial intelligence unit, effectively As the secondary regulation regarding lending-based crowdfunding
fights money laundering and terrorist financing (AML). MASAK checks has not yet been prepared by the Turkish Capital Markets Board (CMB),
whether financial institutions meet the requirements of AML regula- the situation of the trading of the funds in the secondary market, which
tions and laws. Therefore, fintech companies, such as payment service will be provided through a lending-based crowdfunding platform, has
providers, cryptocurrency trading platforms and crowdfunding plat- not been determined yet.
forms, must fulfil their AML obligations.
Regulated activities 7 Describe the regulatory regime for collective investment
4 Which activities trigger a licensing requirement in your schemes and whether fintech companies providing alternative
jurisdiction? finance products or services would fall within its scope.
A large number of financial services and activities are regulated in In Turkey, the general rules and principles regarding investment funds
Turkey. Some of these activities, which trigger licensing, authorisation are mainly regulated under the Capital Markets Law and regulations. In
or registration requirements in Turkey, include, and are regulated by, this respect, further details regarding the establishment and activities of
the following. investment funds are regulated under the Communiqué on the Principles
• The Central Bank of the Republic of Turkey authorises payment of Investment Funds (III.52.1). Accordingly, the Investment Funds Guide
services, invoicing services, e-money services and system oper- clarifies the rules and principles stipulated in this Communiqué.
ator services. The regulatory regime for collective investment schemes is new,
• The Banking Regulatory and Supervisory Agency issues licences and equity and lending-based crowdfunding platforms have been highly
for banking and finance activities, such as banking services, regulated under Turkish Capital Markets Law. The Communiqué on
factoring and financial leasing services. Equity Based Crowdfunding III-35/A.1 was issued by the CMB and was
• The Capital Market Authority is responsible for authorising equity published in the Official Gazette No. 30907 on 3 October 2019. As per
and lending-based crowdfunding platform services, trading and this Communiqué, only the platforms authorised and listed by the CMB
carrying out intermediation activities in securities and other capital may carry out equity-based crowdfunding activities. On the other hand,
markets instruments. a communiqué for lending-based crowdfunding platforms, has not yet
• The Ministry of Treasury and Finance authorises insurance been prepared and, accordingly, carrying out lending-based crowd-
activities. funding activities is not yet allowed.
• The Central Securities Depository of the Turkish Capital Markets
provides its members with registration (public offering, etc), settle- Alternative investment funds
ment and custody services. 8 Are managers of alternative investment funds regulated?
Consumer lending Alternative investment funds (AIFs) are operated and managed by port-
5 Is consumer lending regulated in your jurisdiction? folio management companies on behalf of their investors in exchange
for a consideration, namely ‘a participation share’. Managers of AIFs are
Consumer lending is regulated within the scope of the Banking Law, subject to the Communiqué on Portfolio Management Companies and
the Law on Bank Cards and Credit Cards, the Regulation on Credit Activities of Such Companies (III-55.1) issued by the CMB.
Operations of Banks and by the Ministry of Commerce through the Portfolio management companies are required to be established
Consumer Law, the Regulation on Consumer Loan Agreements and the as joint-stock companies with the main objective of operating and
Regulation on Housing Finance Agreements. managing investment funds. Compliance with certain conditions and
obtaining the CMB licence as set forth under the above Communiqué
Secondary market loan trading are required for establishing and operating a portfolio management
6 Are there restrictions on trading loans in the secondary company (PMC). The manager can either be the founder (founding a
market in your jurisdiction? PMC or real estate PMC (REPMC)) or hold another role in the PMC or
REPMC pursuant to a portfolio management contract. Fintech compa-
In Turkey, in principle, loans can only be provided by bank and credit nies do not fall under the scope of the legislation concerning alternative
institutions, which do not include payment service or e-money insti- investment fund managers.
tutions. These banks and credit institutions must be established
and authorised by the Banking Regulation and Supervision Agency. Peer-to-peer and marketplace lending
Additionally, loan-based transactions are subject to the Turkish Banking 9 Describe any specific regulation of peer-to-peer or
Law and regulations. Transferring a loan by way of novation (ie, marketplace lending in your jurisdiction.
discharging the original debt) will have the effect of extinguishing the
Turkish law-governed security. In these cases, there is a requirement Lending activities are highly regulated by the BRSA. For instance,
to re-establish the security for the new lender. A parallel debt struc- according to the Banking Law or the Financial Leasing Law, only the
ture may be a way of preventing the fall of the accessory security as a entities with a licence granted by the BRSA can legally conduct lending
result of novation. The transfer of debts is also possible and made by an activities. According to the Turkish Criminal Code No. 5237, money
agreement between the transferor, the transferee and the debtor. The lending and earning interest from that money without holding a licence
agreement does not have to be in writing. However, security providers is a crime, defined as usury, that is subject to imprisonment between two
for these debts should provide their consent in written form as well. to five years and a monetary fine of an amount up to 500,000 Turkish lira.
Turkey SRP-Legal Law Firm
In addition, lending-based crowdfunding platforms, which can Open banking

be considered peer-to-peer lending, have just been regulated under 13 Are there any laws or regulations introduced to promote
Turkish Capital Markets Law. However, a communiqué for these plat- competition that require financial institutions to make
forms has not been prepared yet by the CMB. Accordingly, carrying out customer or product data available to third parties?
lending-based crowdfunding activities is not yet allowed.
The Amending Law was published in the Official Gazette No. 30956 and
Crowdfunding dated 22 November 2019 and entered into force on 1 January 2020.
10 Describe any specific regulation of crowdfunding in your The Amending Law extended the list of payment services to include
jurisdiction. ‘payment initiation services’ and ‘account information services’, which
were introduced by the Directive (EU) 2015/2366 on payment services
Reward-based crowdfunding platform activities are not regulated in (PSD2). However, unlike the PSD2, banks are not legally required to
Turkey. Donation-based crowdfunding platforms may be subject to offer third-party providers access to their customers’ accounts via
certain regulations. Both reward- and donation-based crowdfunding open application programming interfaces (APIs), at least until the CBRT
platform activities have been performed by several companies in Turkey. issues its secondary legislation on data-sharing practices; although, a
In addition, equity and lending-based crowdfunding platforms are number of Turkish banks already publish their APIs to promote third-
highly regulated under Turkish Capital Markets Law. The Communiqué party developers. Foreign exchange buying and selling transactions in
on Equity Based Crowdfunding III-35/A.1 was issued by the CMB and was cash, without the use of a payment account, are not considered payment
published in the Official Gazette No. 30907 on 3 October 2019. According services under the scope of Law No. 6493. Therefore, to conduct these
to this Communiqué, only the platforms authorised and listed by the kind of transactions, there is no need to obtain any licence from the CBRT.
CMB may carry out equity-based crowdfunding activities. On the other In addition, the Banking Regulatory and Supervisory Authority laid
hand, a communiqué for lending-based crowdfunding platforms has not down the legal infrastructure of open banking with the Regulation on
been prepared yet by the CMB. Accordingly, carrying out lending-based Banks’ Information Systems and Electronic Banking Services, issued on
crowdfunding activities is not yet allowed. 15 March 2020. Under this regulation, which entered into force on 1 July
2020, Turkish banks will be able to utilise open banking to carry out
Invoice trading many activities to provide an unprecedented user experience.
jurisdiction. Robo-advice
The accounts receivable are usually, but not always, in the form of companies that provide retail customers with automated
cheques or cashier’s cheques assigned or transferred to the assignee access to investment products in your jurisdiction.
by the assignor in return for immediate payment. The Law on Financial
Leasing, Factoring, and Financing Companies and its secondary regula- In Turkey, unlike other countries, there is no legal regulation specifi-
tions are the primary pieces of legislation that govern this field in Turkey. cally regarding robo-advisory or automatic consultancy. For this reason,
In addition, establishing a platform to provide information and there is no automated consultancy company that serves in an open
services regarding electronic invoices to merchants, is not regulated in architectural structure, can provide investment consultancy services
Turkish jurisdiction. However providing services for mediating invoice to its customers and can act on their behalf. The institutions that are
payments is subject to Law No. 6493. allowed to conduct consultancy activities regarding fund allocation and
to provide fund advice to the participant, are portfolio management
Payment services companies subject to the Turkish Capital Markets Law.
12 Are payment services regulated in your jurisdiction? Even though automatic consultancy services are not directly
available to the participant, currently, Turkish automatic consultancy
Payment services are regulated in Turkey under Law No. 6493. According products are used by companies such as pension companies.
to Law No. 6493, the following activities are defined as payment services:
• all the operations required for operating a payment account, Insurance products
including the services enabling cash to be placed on a payment 15 Do fintech companies that sell or market insurance products
account and cash withdrawals from a payment account; in your jurisdiction need to be regulated?
• payment transactions, including transfers of funds from the
payment account of a payment service user before the payment Insurance services and, accordingly, selling insurance products are
service provider; direct debits, including one-off direct debits, highly regulated under the Turkish Insurance Law and regulations.
execution of payment transactions through a payment card or a Companies that decide to perform these activities must obtain authori-
similar device; and the execution of money transfers, including sation from the Ministry of Treasury. As the activities of insurance
regular standing orders; companies are restricted, they are not allowed to perform activities
• issuing or acquiring payment instruments; other than providing insurance services. In this respect, fintech compa-
• money remittance; nies must pay attention not to be considered insurance companies by
• executing payment transaction where the consent of the payer to facilitating activities in the insurance market.
execute a payment transaction is given by means of any informa-
tion technology or electronic telecommunication device and the Credit references
payment is made to the information technology or electronic tele- 16 Are there any restrictions on providing credit references or
communication operator, acting only as an intermediary between credit information services in your jurisdiction?
the payment service user and the supplier of the goods and
services; and Kredi Kayıt Bürosu (KKB) offers its services not only to financial insti-
• services for mediating invoice payments. tutions, but also to individuals and the real sector through the cheque
report, risk report and electronic report systems launched in January
232 Fintech 2021

2013. As of September 2014, KKB gathered its services aimed at indi- FINANCIAL CRIME
viduals and the real sector under the umbrella of Findeks, the consumer
service platform of KKB. Anti-bribery and anti-money laundering procedures
Providing credit references or credit information services in Turkey 21 Are fintech companies required by law or regulation to have
is a regulated activity under the Banking Law (Law No. 5411). The Risk procedures to combat bribery or money laundering?
Centre was established within the Banks Association of Turkey (TBB) for
the purpose of collecting the risk data and information of clients of credit Turkish money laundering and terrorist financing legislation, namely the
institutions and other financial institutions to be deemed eligible by the Law for Preventing Laundered Criminal Income (Law No. 5549) and its
Banking Regulatory and Supervisory Board and ensuring that this infor- supplementary regulation, requires that fintech companies implement
mation is shared with these institutions or with the relevant persons or procedures to combat bribery. The appointment of a compliance officer,
entities themselves or with real persons and 61 private law legal enti- identity verification of account holders and reporting of suspicious
ties if approved and consented to. The KKB was founded in accordance transactions are commonplace requirements the regulation imposes
with article 73/4 of the Banking Law and it conducts all operational and on fintech companies. The Turkish Financial Crimes Investigation Board
technical activities through its own organisation as an agency of the Risk (MASAK), also regulates fintech products and services in terms of
Centre of the TBB and provides data collection and sharing services to money laundering proceedings for crime and terrorist financing.
the 180 financial institutions that are members of the Risk Centre.
Guidance
CROSS-BORDER REGULATION 22 Is there regulatory or industry anti-financial crime guidance
Passporting
17 Can regulated activities be passported into your jurisdiction? Yes, both industry and regulatory authorities provide assistance to enti-
ties active in regulated industries. MASAK, mandated by Ministry of
Regulated activities cannot be passported into Turkey as regulated Treasury and Finance, provides guidance and education. MASAK has
in the Markets in Financial Instruments Directive II for the European issued Sectoral Guidance Notes addressing Financial Institutions and
Economic Area. Banks but not specifically addressing the fintech companies.
Requirement for a local presence PEER-TO-PEER AND MARKETPLACE LENDING

services in your jurisdiction without establishing a local Execution and enforceability of loan agreements
presence? 23 What are the requirements for executing loan agreements or
A fintech company is required to be incorporated and licensed in the local or security agreements entered into on a peer-to-peer or
Turkish jurisdiction. Apart from being licensed by the Banking Regulation marketplace lending platform will not be enforceable?
and Supervisory Authority, it needs to be incorporated as a corporation,
with minimum capital requirements (approximately US$170,000) and Transferring loans is possible and is done by entering into an agree-
limitations on the controlling ownership of shares and share transfers. ment between the transferor, the transferee and the debtor. The
agreement does not have to be in writing. However, security providers
SALES AND MARKETING for these debts should provide their consent in written form as well.
The Compulsory Use of Turkish Language Law No. 805, dated 10 April
Restrictions 1926, requires all agreements by Turkish parties to be made in Turkish.
19 What restrictions apply to the sales and marketing of Loan agreements or security agreements are not allowed to be
financial services and products in your jurisdiction? entered into on peer-to-peer or marketplace lending platforms, which
have not been regulated or allowed to run yet.
The sale and marketing of financial services and products may fall under
the surveillance of the Capital Markets Board (CMB) or the Banking Assignment of loans
Regulation and Supervision Agency (BRSA). The CMB’s Principles on 24 What steps are required to perfect an assignment of
Investment Services and Activities and Ancillary Services No. III-37.1 loans originated on a peer-to-peer or marketplace lending
and the BRSA’s Regulation on Bank’s Procurement of Support Services platform? What are the implications for the purchaser if the
impose certain restrictions on financial service providers and on the assignment is not perfected? Is it possible to assign these
vendors providing the sale and marketing of financial services in Turkey. loans without informing the borrower?
CHANGE OF CONTROL There are no registration requirements with the authorities in Turkey for
a transfer or assignment of loans to be effective. However, peer-to-peer
Notification and consent or marketplace lending platforms have not been allowed to run yet.
requirements if a regulated business changes control. Securitisation risk retention requirements
Some companies performing in the banking and finance sector, such as requirements?
payment service providers, crowdfunding platforms, banks and financial
institutions, that are supposed to be parties to business transactions The primary piece of legislation that governs asset-backed securities
(ie, mergers, acquisitions or share transfers) must notify the relevant and the risk retention system and requirements that must be put in
authorities (ie, the Banking Regulation and Supervision Agency, the place is the Communiqué on Asset Backed Securities No. III-59.1. The
Central Bank of the Republic of Turkey and the Capital Market Authority). originator must retain the risk.
Securitisation confidentiality and data protection requirements Digital currency exchanges

26 Is a special purpose company used to purchase and securitise 30 Are there rules or regulations governing the operation of
peer-to-peer or marketplace loans subject to a duty of digital currency exchanges or brokerages?
relating to the borrowers? The Turkish Capital Markets Law and regulations govern the opera-
tion of digital currency exchanges and brokerages. However, neither
There are two distinct regulations regarding the duty of confidentiality. cryptocurrencies nor crypto-assets can benefit from these rules and
The first piece of legislation that governs the confidentiality of banking regulations.
and financial information is the Banking Law (Law No. 5411). Additionally,
the Personal Data Protection Law (Law No. 6698), codified on 24 March Initial coin offerings
2016, bars and sets limitations on the disclosure, processing and transfer 31 Are there rules or regulations governing initial coin offerings
of personal information, which also includes borrower information. (ICOs) or token generation events?
In relation to special purpose vehicles (SPVs) being utilised for secu-
ritisation confidentiality, with the Communiqué on Principles of Venture Neither initial coin offerings nor security token offerings are allowed in
Capital and Private Equity Investment Companies (III-48.3) there are no Turkey. However, cryptocurrency trading platforms are allowed.
limitations on using these entities, but the scope of their confidentiality
duties is limited to the duty of confidentiality provisions found within the DATA PROTECTION AND CYBERSECURITY
Turkish Commercial Code, the Turkish Criminal Code and any bilateral
agreement barring disclosure that the SPV involved in the securitisation Data protection
transaction may be party to. Consequently, SPVs are not awarded any 32 What rules and regulations govern the processing and
special status, and any applicable duties, including the duty of confiden- transfer (domestic and cross-border) of data relating to
tiality, still remain intact. fintech products and services?
ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER The Personal Data Protection Law, the Regulation on the Erasure,
TECHNOLOGY AND CRYPTO-ASSETS Destruction, or Anonymisation of Personal Data and the other secondary
regulations are the main laws that regulate personal data processing
Artificial intelligence activities (ie, collection, domestic and cross-border transfers, destruc-
27 Are there rules or regulations governing the use of artificial tion and protection) for all sector players, including fintech companies.
intelligence, including in relation to robo-advice? On the other hand, payment service providers must obtain a
Payment Card Industry Data Security Standard certificate and comply
There are neither rules nor regulations governing the use of artificial with its principles and procedures, which also include rules regarding
intelligence in Turkey. data erasure, transfer, destruction and processing. Moreover, they must
keep all data in Turkey under the Communiqué on the Administration
Distributed ledger technology and Auditing of Payment Institutions and Electronic Money Institutions’
28 Are there rules or regulations governing the use of distributed Information Systems.
ledger technology or blockchains? Finally, there are personal data protection and privacy-specific
provisions in other laws and regulations, such as the Turkish Banking
There are neither rules nor regulations governing the use of distributed Law and Turkish Capital Markets Law.
ledger technology or blockchains. However, distributed ledger technology
and blockchains have recently started to be used in various sectors, Cybersecurity
including banking and finance sector. Therefore, they are not forbidden. 33 What cybersecurity regulations or standards apply to fintech
businesses?
Crypto-assets
29 Are there rules or regulations governing the use of crypto- Article 31 of Law No. 6493 on Payment and Securities Settlement
assets, including digital currencies, digital wallets and Systems, Payment Services and Electronic Money Institutions levies
e-money? the duty to uphold a secure information technology system on the
licensed payment service provider. Additionally, the Communiqué on
There are neither rules nor regulations governing the use of crypto- the Administration and Auditing of Payment Institutions and Electronic
assets, cryptocurrencies or digital wallets. However, the Turkish Money Institutions’ Information Systems sets clear regulatory stand-
Financial Crimes Investigation Board published an updated guidebook ards applicable to fintech businesses.
that states that fund transfers made to intermediary institutions for the The Communiqué on Principles Applicable to Banking Information
purpose of purchasing crypto-assets (ie, bitcoin) will no longer automati- Systems Management published by the Banking Regulation and
cally be considered a suspicious movement of funds and will be analysed Supervision Agency also regulates the field of cybersecurity appli-
on a know your customer basis. This represents a more flexible approach cable to financial institutions, however, it does not govern payment
towards crypto-assets. In addition, the Turkish Banking Regulation and service providers and e-money institutions. Additionally, the Electronic
Supervision Agency explicitly states within its public announcement No. Communications Law also governs the issue of cybersecurity pertinent
2013/32 that crypto-assets are not to be considered as e-money. to businesses active in the fintech industry, namely with its supple-
The use of digital wallets is allowed, but there are no rules or regula- mental Regulation titled Network and Information Security in the
tions governing this tool. Electronic Communications Industry published in the Official Gazette
Finally, e-money, which is regulated under Law No. 6493 on No. 29059 on 13 July 2014.
Payment and Securities Settlement Systems, Payment Services and
Electronic Money Institutions, can only be issued by e-money institu-
tions authorised by the Central Bank of the Republic of Turkey.
234 Fintech 2021

OUTSOURCING AND CLOUD COMPUTING INTELLECTUAL PROPERTY RIGHTS
Outsourcing IP protection for software

34 Are there legal requirements or regulatory guidance with 36 Which intellectual property rights are available to protect
respect to the outsourcing by a financial services company of software, and how do you obtain those rights?
Unlike common law jurisdictions that offer patent protection to software-
Outsourcing limitations exist in two areas. One is related to outsourcing implemented inventions and upon the fulfilment of certain criteria, even
where the outsourcing also needs to carry the qualifications and stand- business methods, Turkey does not afford patent protection to software-
ards that are required from the entity (the licensed outsourcer, in other implemented inventions and business methods. Copyright protection is
words, the payment service provider) that is being licensed. This is the method that can be utilised for protecting the ownership of rights
detailed within the Law No. 6493 on Payment and Securities Settlement over software.
Systems, Payment Services and Electronic Money Institutions and its If a copyrighted work such as a piece of software is created, it
secondary regulations. is not compulsory to register it, and one owns the copyright and the
The second legal requirement concerns outsourcing services protection at the time it is created or made public. Nevertheless, there
pertinent to personal data and transferring personal data abroad. There is a non-compulsory registry system at the General Directorate of
exists red tape for transfers abroad: practically a de facto rule requiring Copyright of the Ministry of Culture and Tourism that requires little
all processing activities be performed within Turkey. proof. The general protection period is the lifetime of the author
plus 70 years.
Cloud computing There is no application similar to that of a patent application that is
35 Are there legal requirements or regulatory guidance with required of a copyright holder.
respect to the use of cloud computing in the financial services Software and programs are classified in the class 09 in the Turkish
industry? Classification System published on the Turkish Patent and Trademark
Authority’s website; however, each piece of software may contain char-
There are no specific requirements focused on the use of cloud acteristics of more than one specific class and this should be taken into
computing. However, depending on where the cloud data is physically consideration.
located, the use of cloud computing may be restricted, forbidden or
conditioned. IP developed by employees and contractors
For instance, the Personal Data Protection Law (Law No. 6698) 37 Who owns new intellectual property developed by an
regulates the personal data transfer in two subsections concerning employee during the course of employment? Do the same
transfers within Turkey and transfers out of Turkey, respectively. rules apply to new intellectual property developed by
Therefore, depending on where cloud data is physically located, the contractors or consultants?
relevant requirements and conditions must be fulfilled. For instance, if
there is a cross-border personal data transfer generated from the use In principle, pursuant to the Industrial Property Law (Law No. 6769),
of cloud computing, the data controller may be obliged to enter into an unless otherwise agreed upon because of special contracts made
agreement with the cloud computing service provider and apply to the between the parties (employer and employee) or the nature of work,
Personal Data Protection Board to get its authorisation. the rights to designs made by employees shall belong to the employer
According to the Communiqué on the Management and Supervision according to employees’ job descriptions and obligations arising from
for Information Systems of the Payment Institutions and E-Money the labour contract; or owing to the experiences and operations of busi-
Institutions, institutions are obliged to have their information systems ness organisation.
located in Turkey and cloud computing must be within the scope of For an invention to qualify as an ‘employee service invention’, it
these systems. must be realised during the course of employment. The employee is
In addition, pursuant to the Information Systems Management obliged to report the invention to his or her employer in writing without
Communiqué No VII-128.9 published by the Capital Markets Board, delay. Additionally, free inventions that are the employee’s inventions
companies, institutions and other legal entities are obliged to have their outside the scope of employee service inventions are also subject to
information systems located in Turkey (cloud computing is included in reporting obligations for employees, who must make a declaration of
the scope of these systems). The legal entities listed in the Communiqué the invention to their employer if the invention is made during their
include publicly held companies, stock markets and capital markets employment contract.
institutions.
Finally, according to the Regulation on Bank Information Systems Joint ownership
and Electronic Banking Services, customer data may not be transferred 38 Are there any restrictions on a joint owner of intellectual
abroad without the explicit request of the customer. Owing to this regu- property’s right to use, license, charge or assign its right in
lation, the use of cloud computing services that have servers located intellectual property?
abroad may be problematic in terms of banking services, as the use of
cloud computing services with servers located abroad is regarded as Certain restrictions and joint ownership provisions exist, both for
data transfer abroad by Law No. 6698. copyright and patents. For copyright, joint ownership provisions and
restrictions find form within the Law on Intellectual and Industrial
Rights (Law No. 5846). For patents, Law No. 6769 provides that joint
ownership is permissible and imposes restrictions upon the patent
holders of IP rights.
Pursuant to Law No. 6769, if an invention is made by more than one
person, each of the inventors may apply for a patent and these inventors
shall be granted joint ownership.
If the design application or design belongs to more than one Remedies for infringement of IP
person, the partnership claim on the right shall be determined pursuant 41 What remedies are available to individuals or companies
to the agreement concluded between the parties, and if there is no such whose intellectual property rights have been infringed?
agreement between the parties, it is determined in accordance with the
provisions related to joint ownership in the Turkish Civil Code No. 4721. According to Law No. 5846, authors whose intellectual property rights
For a patent licence to be granted to third parties in relation to have been violated may:
the use of an invention, each of the right owners must grant permis- • file a civil lawsuit regarding the prohibition of the infringement;
sion unanimously. Even in the case of joint ownership, the rights of the • file a civil lawsuit regarding the prevention of infringement;
owners may not be separated in relation to patent application or patent • request compensation; or
assignment. Additionally, in the case of joint ownership, the right owners • file a criminal lawsuit.
may assign a joint representative.
Finally, according to Law No. 5846, if a work is created by more than According to Law No. 6769, persons whose rights are being violated may:
one author and if the work is of an inseparable nature, joint ownership • file a civil lawsuit regarding probable infringement;
shall be assumed and the provisions regarding ordinary partnerships • file a civil lawsuit to cease infringement;
stipulated under Turkish Obligations Law No. 6098 shall apply. • file a civil lawsuit regarding the removal of infringement and
request compensation; or
Trade secrets • request for necessary precautions to be taken.
39 How are trade secrets protected? Are trade secrets kept
confidential during court proceedings? COMPETITION
Trade secrets are protected under several Turkish regulations, including Sector-specific issues
the Turkish Criminal Code. 42 Are there any specific competition issues that exist with
Duties of confidentiality are established for a variety of parties, respect to fintech companies in your jurisdiction?
including but not limited to, board members, shareholders, proxies,
auditors, employees and contractors. Trade secrets, such as technical Since 2018, Turkish Competition Authority (TCA) has rendered decisions
production secrets, production methods, and research and development in favour as well as against fintech companies. Recently, the TCA made
plans, are protected also under Law No. 6769. a series of decisions that may potentially affect the market structure
According to Turkish Commercial Law No. 6102, the protection of and the nature of competition in payment systems. Essentially, those
trade secrets is stipulated as unfair competition, and persons that act decisions are based on the re-evaluation of earlier granted exemptions
in violation of the confidentiality obligation regarding trade secrets and for certain services of the Interbank Card Centre (BKM). In brief, the TCA
disclose trade secrets in bad faith; and employees, representatives and found that the BKM’s digital wallet, BKM Express, is not qualified for
other contractors that deceive employers into providing trade secrets, exemption as its restrictive effects on competition outweigh the benefits
shall be subject to an administrative sanction or imprisonment of up to general welfare, and the TCA ordered the BKM to stop BKM Express
to two years. In addition, pursuant this Law, employers may request services no later than 30 June 2020.
pecuniary and non-pecuniary damages from persons that violate the
confidentiality obligation and non-competition obligation, causing unfair TAX
competition.
As for the protections offered during litigation processes where Incentives
court records become public knowledge, the Turkish Civil Procedure 43 Are there any tax incentives available for fintech companies
Code shall apply. Pursuant to Law No. 6100, parties that act in bad faith and investors to encourage innovation and investment in the
and unreasonably utilise litigation proceedings to have access to trade fintech sector in your jurisdiction?
secrets shall be subject to part of a or whole retainer fee in addition to
a disciplinary fine. There exists a variety of tax incentives that are applicable to entities
that are active in the technology industry, albeit these incentives are
Branding not exclusive to the fintech industry and under most circumstances an
40 What intellectual property rights are available to protect entity’s entitlement to these incentives requires that a sectoral analysis
branding and how do you obtain those rights? How can of the applicant be performed on a case-by-case review.
fintech businesses ensure they do not infringe existing According to Law No. 4691 on Technology Development Zones, the
brands? fintech companies located in technoparks can benefit from numerous
tax incentives, including exemption from corporate tax, income tax and
There are no specific regulations on intellectual property protection VAT. In addition, if fintech companies are essentially research and devel-
regarding fintech innovations. Intellectual and industrial property rights opment companies, these companies have the right to deduct 50 per
are generally protected by Law No. 5846 on Intellectual and Artistic Work cent of the social security premium exemption for its employees for a
and Law No. 6769. If fintech products or services are subject to indus- period of five years. Further, under the same law, a taxpayer whose
trial property rights (ie, a trademark or patent), a patent or trademark primary place of business is located within a designated tech zone shall
is required to be registered before the Turkish Patent and Trademark be excluded from the duty of paying corporate tax and income tax until
Office. However, there is no registration requirement in terms of intel- 31 December 2023.
lectual rights.
According to the Law No. 5846, ownership of a fintech innovation
will belong to its first creator and he or she will be deemed as an author.
If an employee creates an innovation during the employment contract,
the author will be his or her employer. The duration of the IP right is the
life of the author plus 70 years.
236 Fintech 2021


A new digital service tax was introduced with the Law on the Digital
Service Tax and Amendments on Certain Laws and Decree No. 375,
which was published in the Official Gazette on 7 December 2019 and
became effective after three months following its publication. Revenue Cigdem Ayozger Ongun
cigdem@srp-legal.com
gained from the activities that fall under the definition of digital services
and intermediary services provided in the digital environment shall be Begum Erturk
subject to digital service tax. Taxpayers exceeding a revenue threshold begum.erturk@srp-legal.com
of €750 million in global revenue and 20 million lira in local revenue will
be subject to a digital service tax at a rate of 7.5 per cent. 42 Maslak A27/8
The transactions carried out by the fintech companies that fall Maslak 34398
within the scope of the Law on Payment and Securities Settlement Istanbul
Systems, Payment Services and Electronic Money Institutions are Turkey
subject to banking insurance and transaction tax (BITT) at a rate of 5 per Tel: +90 212 4014401
cent in general (although some transactions are subject to 1 per cent or www.srp-legal.com
0 per cent BITT).
IMMIGRATION
in line with the Directive (EU) 2015/2366 on payment services. This
Sector-specific schemes Amendment is expected to enable the entry of new players to the fintech
45 What immigration schemes are available for fintech market, increase cooperation with the banking sector and facilitate the
businesses to recruit skilled staff from abroad? Are there development of fintech sector in Turkey.
sectors? Coronavirus
There is no specific immigration scheme for fintech businesses to recruit initiatives specific to your practice area has your state
staff from abroad. However, in the Turkish legal framework, there are implemented to address the pandemic? Have any existing
several laws and regulations for immigration schemes to recruit skilled government programmes, laws or regulations been amended
staff from abroad. The main regulations are the Turkish Citizenship Law, to address these concerns? What best practices are advisable
the Law on Foreigners and International Protection, the International for clients?
Labour Law, the Law on Work Permits for Foreigners and the Law on
Residence and Travel of Foreigners in Turkey. During the covid-19 outbreak, certain relief regulations have been stipu-
Persons that provide significant investment and employment lated. These include changes to labour law, commercial law, tax law and
opportunities or are expected to provide significant improvements to finance law, such as amendments to working conditions, credit opportu-
the technology and sciences sector, can receive Turkish citizenship nities, supportive payments to be made to employees, profit distribution
under the Turkish Citizenship Law. regulations and the practicalities and delays relating to tax payments.
As for work permits, industries that require specific expert employ- Civil and criminal proceedings and enforcement proceedings have been
ment or a qualified executive candidate be appointed to director postponed and institutions have started to accept online applications
positions, auditor positions that require the supervision of technical only. However, this has not hindered the application of laws. Although
and administrative standards, or any other personnel that might be some sectors have been adversely affected, some companies within
classified as key personnel will be eligible to receive a residency and specific sectors have considerably profited during this period.
work permit. In Turkey, the online education, fitness application, mobile retail
and domestic grocery sectors have profited most during this period,
UPDATE AND TRENDS whereas the most negatively affected are airlines, entertainment busi-
nesses and transport services.
Current developments According to the regulations stipulated under tax and finance laws,
46 Are there any other current developments or emerging if a company’s activity decreases by one-third and the company is in a
trends to note? poor financial state, we advise that these companies take advantage of
the relevant regulations adopted following the covid-19 outbreak.]
A spirited and developing fintech industry exists in Turkey. Even though
there are no specific definitions of crypto-assets in key legislation, there
are no restrictions on engaging in these cryptocurrency transactions
in Turkey. There have been developments in the legal and regulatory
landscape for equity-based crowdfunding, payments, open banking and
the protection of personal data. The recent Amendment to the Law on
Payment and Securities Settlement Systems, Payment Services and
Electronic Money Institutions reorganised the regulatory framework in
the payment and electronic money services and introduced new defini-
tions of account information services and payment initiation services
United Arab Emirates
Muneer Khan, Jack Rossiter and Raza Rizvi
FINTECH LANDSCAPE AND INITIATIVES Beyond the DIFC and ADGM financial free zones, there are a number
of other initiatives to foster innovation in the UAE that cross over into
General innovation climate the UAE fintech sector. The UAE Blockchain Strategy 2021 aims to have
1 What is the general state of fintech innovation in your 50 per cent of all government transactions on the blockchain network
jurisdiction? by 2021. In October 2016, the UAE cabinet launched Government
Accelerators as a new mechanism to boost the achievement of the
There is a generally progressive and ambitious trend around fintech National Agenda to achieve Vision 2021. Additionally, the Smart Dubai
innovation in the UAE, with some fintech subsectors generating more initiative is the Emirate of Dubai government office charged with facili-
notable and scaled innovation than others. Government and public tating Dubai’s citywide smart transformation, to empower, deliver and
sector entities and regulators play a key role in the innovation strate- promote an efficient, seamless, safe and impactful city experience for
gies across most industry verticals and this is also the case for fintech. residents and visitors. Among its key initiatives are the development of
From a financial services regulatory perspective, the UAE comprises Dubai’s first Artificial Intelligence Smart lab and the Dubai Blockchain
three separate and independent jurisdictions: Strategy, which is a collaboration between the Smart Dubai Office and
• the Dubai International Financial Centre (DIFC); the Dubai Future Foundation to continually explore and evaluate the
• the Abu Dhabi Global Market (ADGM); and latest technology innovations. The UAE created the first Minister of AI
• the remainder of the UAE (often referred to as ‘onshore’ or with a mandate that will cross over into fintech innovation. In August
‘onshore UAE’). 2018, it was announced that the DIFC courts has partnered with Smart
Dubai to create the world’s first Court of Blockchain.
Federal-level financial services regulators have jurisdiction over
onshore UAE; however, the DIFC and the ADGM each has its own regula- Government and regulatory support
tory bodies, and all the various regulators across all three jurisdictions 2 Do government bodies or regulators provide any support
have identified fintech innovation (albeit with some differing flavours) specific to financial innovation? If so, what are the key
as a key priority. benefits of such support?
In the DIFC, the DIFC FinTech Hive runs a now well-established
accelerator programme that has focussed on fintech, insurtech, regtech The UAE’s financial services free zones (namely, the ADGM and the
and Islamic fintech start-ups. In tandem, the DIFC’s financial services DIFC) each has its own regulators that have launched initiatives to
regulator, the Dubai Financial Services Authority (DFSA) launched its enable fintech businesses to participate and test their solutions in envi-
Innovation Testing Licence (ITL), a regulatory sandbox in 2017. These initi- ronments with lighter-touch regulation.
atives are in line with the goals of the Dubai Plan 2021 strategy to develop In the ADGM, the FSRA has created a RegLab. Participants in the
Dubai’s economy. The DFSA has also signed a number of bilateral fintech RegLab are not subjected to the full suite of authorisation regulation
agreements with other regulators globally, such as with the Monetary and rules from the outset; rather, a customised set of rules will be
Authority of Singapore in August 2018 and Japan’s Financial Services applied, which will depend on the business model, technology deployed
Agency in September 2018, to cooperate in the development of fintech and risk profile of the fintech participant.
and to foster innovation in their respective jurisdictions. Other similar Under the RegLab framework, fintech participants are given
agreements that the DFSA has entered into include with the Australian two years to develop, test and launch their products and services in
Securities and Investment Commission, the Hong Kong Monetary a controlled environment, after which fintech participants with viable
Authority, the Hong Kong Securities and Futures Commission, the Hong business models will be transferred to the full authorisation and super-
Kong Insurance Authority and the Securities Commission Malaysia. visory regime (provided they meet the authorisation criteria). Firms that
Similarly, the ADGM’s financial services regulator, the Financial are not ready after the two-year period will exit the RegLab framework.
Services Regulatory Authority (FSRA) launched its regulatory sandbox, In the DIFC, the DFSA has created the ITL, which fintech companies
the Regulatory Laboratory (RegLab) following the implementation of its can apply for to test an innovative product or service for six to 12 months.
fintech legislative framework. The ADGM has also partnered with the In exceptional cases, the DFSA will consider extending that period. If an
Association of Southeast Asian Nations Financial Innovation Network, ITL licensee has met the outcomes detailed in its regulatory test plan, and
which launched a digital marketplace – the Application Programming it can meet the full DFSA authorisation requirements, it will migrate to
Interface Exchange (APIX) – for South-East Asia to support financial full authorisation. If it does not, the company will have to cease carrying
inclusion, to test the cross-border connectivity between the ADGM on activities in the DIFC that need regulation. The DIFC also launched a
Digital Sandbox and APIX. Both the DFSA and the FSRA joined the Global fintech fund of US$100 million fund with a stated objective to help prom-
Financial Innovation Network (GFIN), to, among other objectives, assist ising start-ups raise growth capital, while also supporting their outreach
with cross-border testing. and connections within the wider financial services industry.
238 Fintech 2021

Simmons & Simmons LLP United Arab Emirates
To further the ambition of innovation of Dubai and the UAE in • dealing in products and investments (either as principal or agent);
the financial world, the DFSA and the FSRA are committed to cross- • underwriting and placing financial products;
border testing under the direction of the GFIN. The purpose of such a • offering and providing discretionary investment manage-
pilot scheme is to assist in providing efficient ways for fintech firms to ment services;
engage with regulators across multiple jurisdictions. • marketing or selling funds (including the provision of invest-
ment advice);
FINANCIAL REGULATION • accepting deposits;
• providing credit;
Regulatory bodies • providing money services;
3 Which bodies regulate the provision of fintech products and • arranging deals in investments;
services? • managing assets;
• managing a collective investment fund;
For banking and lending-related activities in onshore UAE, the financial • advising on financial products; and
services regulator is the UAE Central Bank, while for securities and • insurance intermediation.
capital markets-related matters, the UAE Securities and Commodities
Authority (SCA) is the relevant regulator. Onshore UAE also has an insur- Securities and financial products that are regulated by the respective
ance-sector regulator, which is the UAE Insurance Authority (IA). For all financial services regulators across onshore UAE, the DIFC and the
regulated financial activities in the Dubai International Financial Centre ADGM include, but are not limited to, equity securities, debt securi-
(DIFC), the regulator is the Dubai Financial Services Authority (DFSA). For ties, linked products, derivatives, structured products, deposits, notes
all regulated financial activities in the Abu Dhabi Global Market (ADGM), and warrants.
the regulator is the Financial Services Regulatory Authority (FSRA).
Consumer lending
Regulated activities 5 Is consumer lending regulated in your jurisdiction?
jurisdiction? Yes. Article 65 of UAE Decretal Federal Law No. 14 of 2018 Regarding the
Central Bank and Organisation of Financial Institutions and Activities
The onshore UAE regulatory regime is separate and different from the provides that the UAE Central Bank will regulate, among other things,
regulatory regime found in the DIFC and the ADGM. So, when consid- the activities of ‘providing credit facilities of all types’, ‘providing stored
ering the UAE, it is important to first ask which specific jurisdiction and values services, electronic retail payments and digital money services’
financial regulatory regime is applicable. and ‘providing virtual banking services’.
As financial free zones, both the DIFC and the ADGM have their own With regard to the provision and booking of these services ‘in
common law-based commercial and civil legal and financial services or from’ either the DIFC or the ADGM, these activities are likely to be
regulatory frameworks, as well as their own dedicated courts. The DFSA considered as ‘providing credit’, which will require a licence from either
is the financial services regulator for activities conducted in or from the the DFSA or FSRA respectively. To the extent that these services are
DIFC and the FSRA regulates financial services activities in or from the only ‘advised’ on or ‘arranged’ from the same jurisdictions, an appro-
ADGM. The relevant federal onshore UAE (ie, in the UAE but outside priate licence would also be required from either the DFSA or FSRA. If
the DIFC and ADGM) financial regulators are the SCA, the UAE Central these services are merely promoted (with no ‘advising’ or ‘arranging’)
Bank and the IA. The UAE Central Bank is the prudential regulator for ‘in or from’ either financial free zone, unless an exemption applies, a
onshore UAE and mainly regulates activities relating to banking and Representative Office licence would be required from either the DFSA
lending activities such as: or the FSRA respectively.
• deposit taking (including sweep deposit accounts);
• foreign exchange trading; Secondary market loan trading
• guarantees and commitments; 6 Are there restrictions on trading loans in the secondary
• payment services (including the issuance of payment instruments market in your jurisdiction?
and other means of payments);
• primary lending; Secondary market loan trading is an activity regulated by the UAE
• factoring; Central Bank. It constitutes primary lending and is regulated whether or
• invoice discounting; not the loan has been fully drawn. The trading of loans would also consti-
• arranging primary loans; tute a regulated financial services activity in the DIFC and the ADGM.
• secondary market loan trading; and
• secondary market loan intermediation. Collective investment schemes
Outside the banking and lending context, the UAE Central Bank was schemes and whether fintech companies providing
historically the sole financial services regulator for onshore UAE prior alternative finance products or services would fall within its
to the establishment of the SCA (in 2001) and the IA (in 2007). There are scope.
therefore some other areas of financial activity that the UAE Central
Bank continues to regulate – such as, among other things, currency In onshore UAE, there is a general prohibition on marketing unregis-
brokerage, money exchange and some activities that would be typically tered collective investment schemes (ie, funds) unless they have been
associated with investment banking. registered with the SCA accordingly (either for private or public promo-
Generally, the types of regulated activities in onshore UAE, the tion). However, the onshore UAE marketing prohibition does not apply
DIFC and the ADGM include, among other things: to the promotion of foreign funds to a non-natural ‘qualified investor’. A
• the marketing and sale of securities; non-natural qualified investor is defined in the SCA rules and includes
• providing investment advice; the federal government, among others.
United Arab Emirates Simmons & Simmons LLP
There is a private placement regime under the SCA rules, where • benefit from a new financial activity and licence for operating such
if the potential investor is a natural person, foreign funds can be regis- a platform;
tered for private placement by an SCA-licensed promoter subject to • apply appropriate prudential and conduct of business require-
several conditions. ments for these platforms;
With regard to the DIFC, there is a prohibition on marketing unreg- • disseminate appropriate risk warnings and disclosures to lenders
istered funds in the DIFC except through a DFSA-licensed intermediary and borrowers;
with the appropriate type of licence, unless an exemption applies. The • conduct suitable due diligence on the borrowers as well as checks
prohibition on the offer or sale of a fund only applies where this activity on lenders;
is carried out ‘in or from’ the DIFC. It is not possible to register a foreign • deploy a business cessation plan in the event that it ceases oper-
fund for distribution in the DIFC. Funds need only be registered with the ations; and
DFSA if they are domiciled in the DIFC. There are currently relatively few • follow rules in relation to transfer of rights and obligations
funds domiciled in the DIFC and so most funds marketed in the DIFC are between lenders.
foreign (ie, non-DIFC-domiciled) and, therefore, unregistered. However,
all funds and collective investment schemes promoted ‘in or from’ the On 1 August 2017, changes to the DFSA rules came into force that intro-
DIFC need to meet a fund eligibility criteria. duced rules relevant to crowdfunding. Additional rules, which included
Once a marketing entity holds the appropriate licence it may investment limits and property valuation requirements in the context of
market foreign domiciled funds or DIFC-domiciled funds, provided it property crowdfunding, came into force on 1 July 2019.
markets only to investors within the scope of its licence, and in the case
of any foreign fund: Crowdfunding
• the fund qualifies as a ‘designated’ or ‘non-designated fund’; 10 Describe any specific regulation of crowdfunding in your
• the marketing entity has a reasonable basis for recommending a jurisdiction.
fund as suitable to a particular client; or
• the fund offered discreetly to persons who are professional clients Financial services in the UAE are regulated either by the UAE Central
and the minimum subscription per investor is US$50,000. Bank, the IA or the SCA depending on the nature of the activity. In
Similar provisions exist with regard to the ADGM. respect of financial free zones in the UAE, such activities are regu-
lated by the DFSA in the DIFC, and the FSRA in the ADGM. In particular,
Following public consultation, with effect from 31 August 2017, the DFSA issues of securities by UAE companies are regulated under the UAE
updated its rules to include ‘operating a crowdfunding platform’ as a Companies Law (Federal Law No. 2 of 2015) and regulations issued
regulated activity. by the SCA. As such, under the UAE Companies Law, only public joint-
With regard to onshore UAE, while the UAE Central Bank is stock companies may offer securities by way of a public subscription
reported to be in the process of drafting regulations relevant to crowd- through a prospectus. Other companies, whether incorporated in the
funding, no specific regulatory regime has been introduced. However, UAE (onshore or in a free zone) or in a foreign jurisdiction, are prohib-
depending on the specific activities undertaken (ie, where the platform ited from advertising including the invitation to a public subscription
merely introduces two independently contracting parties or if the plat- without the approval of the SCA. In practice, private joint-stock compa-
form is actively establishing a fund or offering securities), the activity nies are entitled to issue securities to sophisticated investors by way
may potentially fall under existing UAE Central Bank or SCA regulation. of a private placement. Accordingly, this regulatory limitation restricts
the ability of limited liability companies, the legal form adopted by
Alternative investment funds most SMEs in the UAE, from raising funds through equity-based
8 Are managers of alternative investment funds regulated? crowdfunding.
On 1 August 2017, changes to the DFSA rules came into force that
Yes, managers of alternative investment funds are regulated in onshore introduced rules relevant to crowdfunding. Additional rules, which
UAE, the DIFC and the ADGM. included investment limits and property valuation requirements in the
context of property crowdfunding, came into force on 1 July 2019.
9 Describe any specific regulation of peer-to-peer or Invoice trading
marketplace lending in your jurisdiction. 11 Describe any specific regulation of invoice trading in your
jurisdiction.
Lending is a regulated activity whereby intermediary platforms are
required to obtain approvals to operate from the UAE Central Bank, Invoice trading currently falls within the activity of ‘arranging credit’
which would trigger compliance requirements on the platform including within the DIFC and is regulated as such by the DFSA. Similar provi-
the proper vetting of borrowers and anti-money laundering checks. sions exist in the ADGM. With regard to onshore UAE, invoice trading will
While interest is prohibited under articles 409 to 412 of the Penal require a form of regulatory licence either from the UAE Central Bank
Code and is void under articles 204 and 714 of the Civil Code, interest is (if providing credit) or the SCA (if invoices were to be considered as
permitted under articles 77 and 90 of the Commercial Code, provided it a financial product falling within the SCA’s Promoting and Introducing
does not exceed 12 per cent. In any case, UAE Federal Supreme Court Regulations – Regulation 3/RM of 2017). To the extent that services
Decision No. 14/9 of 28 June 1981 permits the charging of simple are merely promoted within onshore UAE, the DIFC or the ADGM,
interest (presumably as opposed to compound interest) in connection a Representative Office licence in the respective jurisdiction would
with banking operations. be required.
The DFSA issued a consultation paper in early 2017 called
‘Crowdfunding: SME Financing through Lending’, which proposed a
regulatory framework to operate loan-based crowdfunding platforms in
the DIFC. In summary, the DFSA proposed a regime whereby loan-based
crowdfunding platforms in the DIFC:
240 Fintech 2021

Payment services criminal liability under article 379 of the UAE Penal Code. Further,
12 Are payment services regulated in your jurisdiction? article 106 of the Banking Law requires the UAE Central Bank to keep
confidential all banking data that it receives.
Yes. On 1 January 2017, the UAE Central Bank published its Regulatory
Framework for Stored Values and Electronic Payment Systems Robo-advice
(the Digital Payment Regulation), which covers the following digital 14 Describe any specific regulation of robo-advisers or other
payment services: companies that provide retail customers with automated
• cash-in services: enabling cash to be placed in a payment account; access to investment products in your jurisdiction.
• cash-out services: enabling cash withdrawals from a payment
account; The FSRA has issued a regulatory framework for digital investment
• retail credit and debit digital payment transactions; managers (robo-advisers) operating in the ADGM. To supplement this,
• government credit and debit digital payment transactions; the FSRA has also released guidance to illustrate how its regulatory
• peer-to-peer digital payment transactions; and framework applies to robo-advisers in the ADGM. In particular, the guid-
• money remittances. ance outlines:
• the regulatory permission that may be required to provide digital
The Digital Payment Regulation does not apply to the following payment investments services in or from the ADGM; and
services or providers, although it states that the list below may be • how the FSRA will apply its authorisation criteria in key existing
subject to other Central Bank laws and regulations: areas of technology governance, suitability and disclosure, and
• payment transactions in cash without any involvement from an newer areas such as algorithm governance.
intermediary;
• payment transactions using a credit or debit card; Insurance products
• payment transactions using paper cheques; 15 Do fintech companies that sell or market insurance products
• payment instruments accepted as a means of payment only to in your jurisdiction need to be regulated?
make purchases of goods or services provided from the issuer or
any of its subsidiaries (ie, closed-loop payment instruments); Nothing in current UAE legislation (whether onshore UAE, DIFC or
• payment transactions within a payment or settlement system ADGM) specifically regulates fintech companies that wish to sell or
between settlement institutions, clearinghouses, central banks and market insurance products, and, therefore, the general regulation
payment service providers (PSPs); around the sale and marketing of insurance products in the relevant
• payment transactions related to transfer of securities or assets jurisdictions applies.
(including dividends, income and investment services); The IA was established under Federal Law No. 6 of 2007 (the
• payment transactions carried out between PSPs (including their Insurance Law). The IA, through the powers given to it under the
agents and branches) for their own accounts; and Insurance Law, regulates insurance and reinsurance operations in
• technical services providers. onshore UAE. Insurance operations include insurance activities such as
life assurance and funds accumulation operations, properties insurance
The Digital Payment Regulation specifies four categories of PSPs: retail and life liability insurance.
PSPs, micropayment PSPs, government PSPs and non-issuing PSPs. Detailed financial regulations around insurance companies were
In November 2019, the DFSA published Consultation Paper No.125 published at the end of 2014. The IA has issued various guidance and
on Proposals for Money Services. circulars that affect the scope of regulation around the insurance
In the paper, the DFSA set out its proposal to allow certain activities industry in the UAE. Insurtech businesses looking at the UAE market
relating to money services that have emerged owing to rapid advance- will need to observe additional guidance from the IA.
ments in technology, with the DFSA recognising that these activities
could promote the growth of regulated financial services activities in Credit references
the DIFC and provide greater protection and choices to users of money 16 Are there any restrictions on providing credit references or
services. One of the activities it proposed to allow was the provision of credit information services in your jurisdiction?
money services (as defined in the DFSA Rulebook Conduct of Business
Module (COB)) in respect of electronic currency. The consultation has On 15 April 2018, the SCA issued Chairman of the SCA Board of Directors’
since closed and amendments to the DFSA Rulebook COB Module came Decision No. 18/RM of 2018 Concerning the Regulations as to Licensing
into force on 1 April 2020, introducing requirements for the provision of Credit Rating Agencies. Under these regulations, a credit rating is ‘a
money services in relation to electronic money in the DIFC. periodic measure to determine and assess the ability of the rated entity
to meet its financial liabilities, and potential risks that may affect it, and
Open banking to evaluate the financial products and potential risks of acquiring them
13 Are there any laws or regulations introduced to promote by the investor’ and credit rating activities are regulated. To be eligible
competition that require financial institutions to make for a licence to carry on credit rating activities, an entity must have,
customer or product data available to third parties? among other things, a minimum of 2 million UAE dirhams in capital and
consent from the UAE Central Bank or the IA (should the licence applica-
Other than in the context of a regulatory or official investigation, there tion be subject to their mandate).
is no specific obligation in UAE legislation requiring the disclosure of In the DIFC, ‘operating a credit rating agency’ is a regulated activity
data to third parties. However, the Digital Payment Regulation maintains that would require a DFSA licence. Similar provisions exist in the ADGM.
the UAE Central Bank’s rights to impose access regimes and interoper- However, individual credit reference and information services
ability obligations on PSPs. are possible in the UAE through the Al Etihad Credit Bureau (AECB),
The general position is that financial institutions that are in a posi- which is a public joint stock company wholly owned by the UAE federal
tion to collect and store data from the public are bound by a duty of government. According to UAE Federal Law No. 6 of 2010 concerning
confidentiality. A breach of this duty of confidentiality could attract Credit Information, the AECB is mandated to regularly collect credit
information from financial and non-financial institutions in the UAE. SALES AND MARKETING
The AECB aggregates and analyses this data to calculate credit scores
and produce credit reports that are made available to individuals and Restrictions
companies in the UAE. The AECB collects information on individuals 19 What restrictions apply to the sales and marketing of
and companies from banks, finance companies and telecoms compa- financial services and products in your jurisdiction?
nies. Additional information from other sources such as utilities, real
estate, government and other entities are planned to be added in the There are a number of restrictions on the offering or promotion of finan-
future. Financial institutions in the UAE are mandated by law to supply cial services in onshore UAE, the Dubai International Financial Centre
the AECB with all credit information on a monthly basis. and the Abu Dhabi Global Market, and in many cases corresponding
exemptions relating to these promotions, all of which differ according to
CROSS-BORDER REGULATION the type of product or service offered.
Passporting CHANGE OF CONTROL

There is currently no general passport regime either into the Dubai 20 Describe any rules relating to notification or consent
International Financial Centre (DIFC), the Abu Dhabi Global Market requirements if a regulated business changes control.
(ADGM) or onshore UAE, or between these jurisdictions.
It was announced in May 2017 that the Dubai Department of Under the Dubai International Financial Centre and Abu Dhabi Global
Economic Development (the relevant commercial registry for onshore Market frameworks, there are detailed provisions relating to changes
UAE within the Emirate of Dubai) and the DIFC Authority had signed of control, including where notifications need to be made with the
a memorandum of understanding to allow companies operating within Dubai Financial Services Authority or the Financial Services Regulatory
DIFC and holding a commercial licence issued by the DIFC Registrar of Authority respectively, or where their prior approval needs to be
Companies to obtain licences to operate in mainland Dubai. However, obtained. In both cases, these are contained in the general modules
legislation and regulation to facilitate this remains forthcoming. of the respective regulator’s rulebook. Similar, although less detailed,
Notwithstanding the efforts to create a facilitative cross-border regime provisions exist within the regulatory frameworks relevant to the
between onshore UAE within the Emirate of Dubai and the DIFC at a UAE Central Bank, the Securities and Commodities Authority and the
commercial licence level, passporting with regard to financial services Insurance Authority.
between any of the onshore UAE regulators and the Dubai Financial
Services Authority (DFSA) or Financial Services Regulatory Authority FINANCIAL CRIME
(FSRA) has yet to be formally announced (other than in the case of
marketing a domestic (ie, DIFC, ADGM or onshore UAE) domiciled fund Anti-bribery and anti-money laundering procedures
across the three financial services jurisdictions within the UAE. 21 Are fintech companies required by law or regulation to have
Requirement for a local presence
18 Can fintech companies obtain a licence to provide financial There are express restrictions on insider dealing and market abuse that
services in your jurisdiction without establishing a local would apply to UAE-licensed counterparties.
presence? For there to be an anti-money laundering (AML) offence, there
needs to be actual awareness that such funds are derived from an
It is possible for fintech companies to market on a cross-border basis offence or misdemeanour.
into onshore UAE without having to obtain a licence. If marketing activi- In addition to various administrative penalties, the Federal UAE
ties are undertaken on a true cross-border basis (ie, by telephone, AML Law states that whoever commits or attempts to commit money
website or email from outside the UAE) they should not be subject to laundering shall be punished by imprisonment for a term not exceeding
UAE regulation. To ensure that marketing activities are conducted on 10 years or by a fine of between 100,000 and 500,000 dirhams, or both.
a true cross-border basis and not deemed to be conducting business In the Dubai International Financial Centre (DIFC), under article
in the UAE, several guidelines should be followed, which include not 71(1) of the DIFC Regulatory Law, the DIFC regime requires compli-
having a physical or legal presence in the UAE, marketing only towards ance with the federal regime. The federal legislation governing money
non-natural qualified investors and making any subscription payments laundering and terrorist financing is also applicable in the DIFC. The
made outside the UAE. Anti-Money Laundering, Counter-Terrorist Financing and Sanctions
In relation to cross-border marketing into the DIFC, there are several Module to the Dubai Financial Services Authority (DFSA) Rulebook
guidelines that should be followed to reduce the risk of marketing activi- applies to entities in respect of their activities carried on in or from
ties being treated as having taken place ‘in’ the DIFC, such as not having the DIFC. The procedures that must be put in place include applying
a physical or legal presence in the DIFC, keeping marketing materials a risk-based approach that is objective and proportionate to the risks,
generic and only made to certain types of pre-identified ‘professional based on reasonable grounds, properly documented and reviewed and
clients’ (as defined under the DFSA’s Conduct of Business Rules) and updated at appropriate intervals. Effective AML systems and controls
performing all generic marketing from outside the DIFC. must also be established and maintained to prevent opportunities for
With regard to regulated activities where a licence is required money laundering. A risk-based assessment must be undertaken for
from a UAE financial services regulator (including the UAE Central every customer in order to assign the customer a risk rating propor-
Bank, Securities and Commodities Authority, DFSA or FSRA), a fintech tionate to the customer’s money laundering risks. Customer due
company would need to be locally established in the relevant jurisdic- diligence must be undertaken to verify the identity of the customer and
tion to obtain a licence. Note, however, that the initiatives launched by the beneficial owner and understand the source of funds. This should
the ADGM and the DIFC require lighter regulatory oversight for qualified be ongoing by monitoring transactions and complex and unusual trans-
participants. actions. A money laundering reporting officer must be appointed with
242 Fintech 2021

responsibility for implementing and overseeing compliance; the officer Assignment of loans
must have an appropriate level of seniority and independence to act in 24 What steps are required to perfect an assignment of
the role and be resident in the UAE. loans originated on a peer-to-peer or marketplace lending
Similar to the DIFC, the federal legislation governing money laun- platform? What are the implications for the purchaser if the
dering and terrorist financing also applies within the Abu Dhabi Global assignment is not perfected? Is it possible to assign these
Market (ADGM). The ADGM’s AML rules are contained in the Anti-Money loans without informing the borrower?
Laundering and Sanctions Rules and Guidance Module to the Financial
Services Regulatory Authority Rulebook (the ADGM AML Module). In onshore UAE, an assignment of rights requires only notification from
According to the ADGM AML Module, an entity must have policies, proce- the assignor to the counterparty, confirming the assignment to the
dures, systems and controls that ensure compliance with the federal assignee. Where this is not possible, the bank may require this income
law, enable suspicious customers and transactions to be detected and to be deposited into a collection account, which will be covered by an
reported, ensure the entity is able to provide an appropriate audit of trail accounts pledge.
of a transaction, and ensure compliance with any other obligations as In the DIFC, an assignment is perfected when it attaches (ie, when
contained in the ADGM AML Module. it becomes enforceable against the debtor or third party). The position
in the ADGM is similar.
Guidance Assuming there are no contractual restrictions on transfers, the
22 Is there regulatory or industry anti-financial crime guidance position in each of the relevant jurisdictions is as follows.
Onshore UAE
There is no guidance specifically targeted at fintech companies. The Article 1109 of the UAE Civil Code (Federal Law No. 5 of 1985) provides
regulatory guidance on financial crime is contained in the DFSA AML that the assignor, the assignee and the borrower must consent for there
rules, the ADGM AML rules and the applicable federal laws. to be a valid assignment. There are Federal Supreme Court judgments
Further federal legislation in relation to financial crime regarding holding that, in commercial matters, the consent to the assignment by
corporate and business fraud is contained in articles 399 to 402 of the the borrower is not necessary, although evidence will be required that
UAE Penal Code (Federal Law No. 3 of 1987), provisions of the Dubai the borrower has been notified of the assignment.
Recovery of Public Funds (Dubai Law No. 37 of 2009) and other specific UAE law does not generally recognise the concept of beneficial
offences set out in legislation including the UAE Cyber Crimes Law ownership. Accordingly, an assignee of certain rights otherwise than in
(Federal Law No. 5 of 2012) and the UAE Commercial Transactions Law accordance with the UAE will not be recognised as having a beneficial
(Federal Law No. 18 of 1993). interest in the rights to be assigned.
PEER-TO-PEER AND MARKETPLACE LENDING DIFC

The DIFC makes a distinction between assignment of rights and assign-
Execution and enforceability of loan agreements ment of obligations. The DIFC Contract Law No. 6 of 2004 (the DIFC
23 What are the requirements for executing loan agreements or Contract Law) sets out several limitations on assignments and delega-
security agreements? Is there a risk that loan agreements tions. Under section 94 of the DIFC Contract Law, a contractual right can
or security agreements entered into on a peer-to-peer or be assigned unless the substitution of a right of the assignee for the
marketplace lending platform will not be enforceable? right of the assignor would:
• materially change the duty of the borrower;
If any security is based within the UAE, the agreements should be • materially increase the burden or risk imposed on the borrower by
entered into with a local security agent whereby the local security agent his or her contract;
holds security on behalf of the service provider. Security may need to be • materially impair the borrower’s chance of obtaining return
perfected, depending on the type of asset to which the security relates. performance; or
In the Dubai International Financial Centre (DIFC), there is no • materially reduce its value to the obligor.
licensing or registration requirement for a lender to take security over
DIFC-based assets. Any real estate mortgages must be registered with A contractual obligation can be transferred unless the obligee has
the DIFC Register of Real Property without delay. For all other types of a substantial interest in having the obligor perform or control the
security interest, a security interest will be considered perfected if it acts promised.
has ‘attached’ and a financing statement has been filed with the DIFC While there are no explicit requirements under the DIFC Contract
Security Register. For security to ‘attach’, different procedures will need Law to notify borrowers of an assignment or transfer, it is advisable that
to be taken depending on the type of security interest under either the the borrower be notified of this assignment or transfer.
DIFC Real Property Law or the DIFC Law of Security (land, shares in a
DIFC company, bank accounts, receivables, insurance, floating charges, ADGM
etc). Similar protection requirements exist within the Abu Dhabi Global In the ADGM, as per the ADGM Application of English Law Regulations
Market (ADGM). 2015, the principles of English law relating to the assignment of rights
and transfer of obligations would apply. Under English law, an assign-
ment is perfected once notice is given to the borrower. In the absence
of such notice, the assignee’s rights under the assignment become an
equitable right. The transfer of an obligation would require the consent
of the borrower.
Borrower consent may be required prior to any assignment of loans.
Securitisation risk retention requirements The UAE federal government and certain emirate-level govern-
25 Are securitisation transactions subject to risk retention ments have publicly committed to the creation of problem statements
requirements? and use cases to enable government services to benefit from DLT and,
in particular, blockchain. Examples of this include the government of
There are currently no risk retention requirements within the onshore Dubai’s public commitment to have all government services and trans-
UAE legislation or the legislation of the DIFC or ADGM. However, while actions on the blockchain by 2020.
not imposed by UAE law, securitisations originating in the UAE may still In some areas, UAE law is permissive as regards the use of DLT
be subject to risk retention rules depending on the relevant investor and distributed digital ledgers or databases in scenarios where parties
base that is being marketed to. intend to create legal relations; for example, article 12 of Federal Law
No. 1 of 2006 on Electronic Commerce and Transactions, which seems to
Securitisation confidentiality and data protection requirements have foreseen ‘smart contracts’ by confirming the validity and enforce-
26 Is a special purpose company used to purchase and securitise ability of contracts formed through computer programs that include two
peer-to-peer or marketplace loans subject to a duty of or more electronic information systems present and preprogrammed to
confidentiality or data protection laws regarding information carry out the transaction, even if no individual is directly involved.
Crypto-assets
There are likely to be contractual duties of confidentiality in the relevant 29 Are there rules or regulations governing the use of crypto-
local documentation that may require borrower consent prior to disclo- assets, including digital currencies, digital wallets and
sure concerning the loans or the borrowers. Further, if the borrowers e-money?
are data subjects for the purposes of the DIFC Data Protection Law or
the ADGM Data Protection Law, the special purpose vehicle may be Virtual currencies are defined in the Regulatory Framework for
treated as a processor for the purposes of those laws. Stored Values and Electronic Payment Systems (the Digital Payment
Regulation) as:
TECHNOLOGY AND CRYPTO-ASSETS Any type of digital unit used as a medium of exchange, a unit of
account, or a form of stored value. Virtual Currency is not recog-
Artificial intelligence nised by this Regulation. Exceptions are made to a digital unit that:
27 Are there rules or regulations governing the use of artificial (a) can be redeemed for goods, services, and discounts as part
intelligence, including in relation to robo-advice? of a user loyalty or rewards programme with the Issuer; and (b)
cannot be converted into a fiat/virtual currency.
The Financial Services Regulatory Authority (FSRA) has issued a regu-
latory framework for digital investment managers (robo-advisers) The Digital Payment Regulation contained a provision which that stated
operating in the Abu Dhabi Global Market (ADGM). To supplement this, that ‘all virtual currencies (and any transactions thereof) are prohib-
the FSRA has also released guidance to illustrate how its regulatory ited’. A month after the Digital Payment Regulation was published, the
framework applies to robo-advisers in the ADGM. In particular, the guid- Governor of the UAE Central Bank issued a statement to the state media
ance outlines: to say that the regulations ‘do not cover digital currency’ but are under
• the regulatory permissions that may be required to provide digital further review and likely to be subject to new regulations in due course.
investments services in or from the ADGM; and For now, there remains a grey area around the specific legal status
• how the FSRA will apply its authorisation criteria in key existing of virtual currencies (eg, bitcoin) in the UAE, which affects how they
areas of technology governance, suitability and disclosure, and are treated and any restrictions around specific use. However, while
newer areas such as algorithm governance. there are currently no laws in force that specifically regulate crypto-
assets in the UAE, in October 2019, the UAE Securities and Commodities
Otherwise, there are currently no rules or regulations governing the Authority (SCA) issued draft legislation – the Regulation for Issuing and
use of artificial intelligence or automated investment advice (ie, robo- Offering Crypto Assets – that, when implemented, will directly regulate
advisory services) in the Dubai International Financial Centre (DIFC) crypto-assets in the UAE. The draft regulations cover all aspects of the
or onshore UAE. Those conducting these automated investment activi- crypto-asset industry, such as safekeeping practices and compliance
ties will need to ensure that they are authorised to provide investment with financial crime prevention measures.
advice, irrespective of the method of delivery. The ADGM regulatory framework for virtual assets (first introduced
The Dubai Financial Services Authority's (DFSA) Innovation Testing on 25 June 2018 and amended in February 2020) features a number of
Licence regime has been used to issue licences relevant to automated guidance points related to virtual assets and digital wallets.
investment advisory services. In these cases, there are bespoke disclo- In November 2019, the DFSA published Consultation Paper No.125
sures, reporting conditions and monitored progress in line with an on Proposals for Money Services. In the paper, the DFSA set out its
agreed ‘regulatory test plan’. Firms intending to provide robo-advi- proposal to allow certain activities relating to money services that have
sory services have also been accepted into the ADGM’s Regulatory emerged owing to rapid advancements in technology, with the DFSA
Laboratory (which provides a controlled environment for fintech partici- recognising that these activities could promote the growth of regulated
pants to develop and test innovative fintech solutions). financial services activities in DIFC and provide greater protection and
choices to users of money services. One of the activities it proposed
Distributed ledger technology to allow was the provision of money services (as defined in the DFSA
28 Are there rules or regulations governing the use of Rulebook Conduct of Business Module (COB)) in respect of electronic
distributed ledger technology or blockchains? currency. Amendments to the DFSA Rulebook COB Module came into
force on 1 April 2020, introducing requirements for the provision of
There are currently no dedicated rules or guidelines regarding the use money services in relation to electronic money in the DIFC.
of distributed ledger technology (DLT) or blockchain.
244 Fintech 2021

Digital currency exchanges Initial coin offerings

30 Are there rules or regulations governing the operation of 31 Are there rules or regulations governing initial coin offerings
digital currency exchanges or brokerages? (ICOs) or token generation events?
Following a public consultation, on 25 June 2018 the ADGM FSRA issued Not specifically.
its framework for the regulation of spot crypto-asset activities, including On 13 September 2017, the DFSA issued a General Investor Statement
those undertaken by exchanges, custodians and other intermediaries in on Cryptocurrencies that warned that it considered initial coin offerings
the ADGM. Specifically, the FSRA introduced the new regulated activity (ICOs) to be high-risk investments owing, in part, to the complex systems
of ‘Operating a Crypto Asset Business’ that covers, among other things, and technology on which they are based. According to the DFSA General
the arranging, buying, selling, custody provision, marketing and advising Statement, cryptocurrencies and ICOs have their own unique risks, which
on the merits of the buying or selling of ‘Accepted Crypto Assets’. The may not be easy to identify or understand. The statement urged potential
regime also included a regulatory framework for the operation of a investors to conduct due diligence and exercise caution. This is a similar
‘Crypto Assets Exchange’ and a ‘Crypto Asset Custodian’. approach to that taken by the UK’s Financial Conduct Authority, which
On 14 May 2019, the FSRA issued its updated guidance addressing, released a consumer warning on the risks of ICOs on 12 September 2017.
among other things: In the ADGM, the FSRA is moving towards greater regulation of
• Stablecoins and fiat tokens: stablecoins that are fully backed by virtual currencies under its principal financial services legislation, the
fiat currencies (fiat tokens) will be treated as a form of digital ADGM FSMR, as amended. The FSRA issued its Supplementary Guidance
representation of money. Where used as a payment instrument – Regulation of Initial Coin/Token Offerings and Virtual Currencies under
for the purposes of money transmission as defined under the the FSMR on 9 October 2017, which is aimed at those wanting to use ICOs
ADGM’s Financial Services and Markets Regulations 2015 (FSMR), to raise funds, investors and generally anyone considering transacting
the activity will be licensed and regulated as ‘providing money in virtual currencies. It states that whether or not an ICO is regulated
services’. under the FSMR, it will be assessed by the FSRA on a case-by-case
• Custody: further clarity on the types of crypto-asset custody activi- basis. If the tokens in an ICO are assessed to exhibit the characteris-
ties that can be undertaken and setting out FSRA expectations in tics of a security (as defined in the FSMR, such as, among other things,
terms of custody governance and operations. ‘certificates representing certain financial instruments’ or ‘instruments
• Technology governance: further enhancements and clarifications giving entitlements to investments’), the FSRA may deem them to be a
are introduced, including in relation to changes in the underlying security under section 58(2)(b) of the FSMR, which empowers the FSRA
protocol of a crypto-asset that results in a fork (coding change), to deem any investment a security under ADGM regulation. The ADGM
and the associated governance and control expectations for crypto- Guidance also outlines that derivatives of virtual currencies or secu-
asset exchanges and licence-holders. rity tokens will be regulated as ‘specified investments’ under the FSMR.
• FSRA Anti-Money Laundering and Sanctions Rules and Guidance: However, the ADGM Guidance states that other virtual tokens that do
as the Anti-Money Laundering Rulebook applies in full to the regu- not exhibit the features and characteristics of a regulated investment
lated activity of crypto-asset operators or holders, the guidance or instrument under the FSMR will be treated as commodities and not
has been updated with the latest local and global changes and regulated as specified investments under the FSMR.
provides further clarity on the use of new regulatory and surveil- Outside the UAE’s financial free zones in onshore UAE, the UAE
lance technologies in this area. Central Bank issued a Regulatory Framework for Stored Values and
Electronic Payment Systems on 1 January 2017, under powers vested
As part of its ongoing commitment to regularly update and improve its in the UAE Central Bank under the UAE Decretal Federal Law No. 14
crypto-regulatory framework based on global developments, the FRSA of 2018 Regarding the Central Bank and Organisation of Financial
updated its virtual asset regulatory framework in February 2020. Institutions and Activities. The Regulatory Framework for Stored Values
Among other things, the key amendments included: and Electronic Payment Systems states that its purpose is to facilitate
• changing the definition of ‘crypto-asset’ to ‘virtual asset’ (to align the robust adoption of digital payments across the UAE in a secure
the terminology in the legalisation with that of the Financial Action manner. However, it then states that virtual currencies (and any trans-
Task Force); and actions thereof) are prohibited.
• moving the applicable regulations and rules from the bespoke A virtual currency is defined as ‘any type of digital unit used as
category of ‘Operating a Crypto Asset Business’ to the respective a medium of exchange, a unit of account, or a form of stored value,
underlying regulated activities (eg, providing custody, operating a although there are exceptions for digital units that can be redeemed
mulitlateral trading facility and dealing in investments). This is to for goods, services, and discounts as part of a user loyalty or rewards
be better reflect the nature of the underlying activities in relation programmes with the issuer, and which cannot be converted into a fiat
to virtual assets. or virtual currency’.
On the face of it, the Regulatory Framework for Stored Values and
Currently, there are no other rules in onshore UAE, the DIFC or the Electronic Payment Systems seemed to cover the major virtual or cryp-
ADGM specific to the operation of digital currency exchanges or broker- tocurrencies on the market. However, on 23 October 2017, the Governor
ages. However, in October 2019, the SCA issued draft legislation of the UAE Central Bank stated that the Regulatory Framework for
– the Regulation for Issuing and Offering Crypto Assets – that, when Stored Values and Electronic Payment Systems did not apply to all
implemented, will directly regulate cryptoassets in the UAE, including virtual currencies. The Governor then clarified the UAE Central Bank’s
crypto-exchanges. As of 21 May 2020, these regulations are yet to enter policy on virtual currencies on 23 October 2017 by warning against use
into force and so, for the time being, the existing regulations relevant of ‘digital coins’ saying it had not issued a licence to allow virtual curren-
to exchanges or authorised market institutions generally may apply if cies in the local UAE market. The Governor also warned of the risks of
a digital currency is deemed to be a security. However, with the draft using digital currencies as a medium for exchange, stating that because
crypto-asset regulations having been published, this is an area where virtual currencies do not go through official channels and cannot be
regulation is susceptible to change at short notice. monitored or controlled, they pose a risk of being used for money laun-
dering or terrorist financing purposes.
Similarly, the SCA issued a public warning on ICOs in February • impose conditions concerning the disclosure of personal data to
2018, cautioning investors to be aware of some risks associated with third parties and the transfer of personal data outside the respec-
these investments, such as the potential for fraud, high volatility in tive free zone.
light of speculation, and the fact they are not specifically catered for
under existing SCA regulations. Whether the SCA will consider ICOs as a The DIFC law is enforced by the Commissioner of Data Protection, while
‘foreign security’ under existing legislation, such as the SCA Promoting the Registrar is responsible for enforcing the ADGM law.
and Introducing Regulations (SCA Decision No. 3/R of 2017), remains
to be seen. Fintech-specific rules and regulations
Of particular relevance to fintech products and services is the Regulatory
DATA PROTECTION AND CYBERSECURITY Framework for Stored Values and Electronic Payment Systems (the
Digital Payment Regulation), which requires payment service providers
Data protection (PSPs) to keep users’ identification and transaction data confidential
32 What rules and regulations govern the processing and and to only disclose this data to the relevant user, the Central Bank,
transfer (domestic and cross-border) of data relating to another regulatory authority approved by the Central Bank or by order
fintech products and services? of a UAE court. There is a separate requirement to ensure that personal
data is only processed and shared for the purposes of compliance with
The UAE does not yet have a specific, standalone data protection law. anti-money laundering and terrorist financing legislation. The Digital
Instead, various general and sector-specific laws and regulations govern Payment Regulation also provides for minimum retention periods for
aspects of the processing of personal data in the UAE. For example, the user and transaction data. There are no other legal requirements or
UAE Constitution provides for a right to freedom and secrecy of commu- regulatory guidance relating to personal data that are specifically aimed
nications; the Penal Code and Cybercrime Law provide for a range of at fintech companies.
criminal offences prohibiting the disclosure or publication of private
information and the interception of personal communications; the Civil Anonymisation and aggregation of personal data
Code and Labour Law set out certain obligations on employers when There are no specific legal requirements or regulatory guidance in the
dealing with employee information; another law governs the collection, UAE dealing with the anonymisation or aggregation of personal data
processing and disclosure of credit-related information; and telecoms used for commercial gain. This, and the absence of a specific data
operators are subject to special regulations regarding the protection of protection law in the UAE (outside the financial free zones), has the
subscriber information. result that there is a wider scope for the commercial exploitation of data
While there has been no formal confirmation or release, a draft for commercial purposes in the UAE.
data protection law is generally known to be under consideration by the The definitions of ‘personal data’ in the ADGM and DIFC data
UAE government. protection laws each require the individual to whom the data relates
The Abu Dhabi Global Market (ADGM) and Dubai International to be identifiable. The guidance published by the DIFC Commissioner
Financial Centre (DIFC) have each introduced standalone laws of Data Protection suggests that, as data that is stripped of all personal
governing the processing of personal data by organisations operating in identifiers will no longer relate to an identifiable individual, the DIFC
their respective zones. The DIFC’s much anticipated new and refreshed data protection law will no longer apply.
data protection law was enacted on 1 June 2020 and set to become The guidance cautions that complete anonymisation may be diffi-
enforceable after 1 October 2020. cult to achieve in practice, as data will still be protected if it is possible
Although the new DIFC data protection law sets a high benchmark to identify an individual indirectly using the data. The guidance also
and aligns more closely with the GDPR, it does share some common reminds organisations that the act of anonymisation is itself an activity
elements with the data protection law in the ADGM. For instance, each that must be conducted in compliance with the DIFC data protection law.
law requires that personal data is processed in a manner that is fair, The guidance published in respect of the ADGM data protection regime
lawful and secure. does not provide further comment on the anonymisation or aggregation
The most common methods used by businesses in each free zone of personal data.
to ensure that their processing of personal data is fair and lawful are: In light of the restrictions on the processing of user and transac-
• obtaining the consent of the relevant individual to the processing tion data introduced by the Digital Payment Regulation, PSPs seeking to
of their data; use personal data for commercial gain will need to consider employing
• processing the data based on the ‘legitimate interests’ of the anonymisation and aggregation techniques in respect of the data
company undertaking the processing (provided that these inter- they hold.
ests are not overridden by the interests of the individual);
• processing in order for the company undertaking the processing to Cybersecurity
comply with a legal requirement (not a contractual requirement); and 33 What cybersecurity regulations or standards apply to fintech
• processing in order to perform or enter into a contract with the businesses?
individual.
Fintech businesses must comply with the UAE Cyber Crimes Law
The ADGM and DIFC data protection laws also require organisations to: (Federal Law 5 of 2012 on Combatting Cybercrimes), the provisions of
• provide specific information to individuals before collecting their which broadly relate to IT security, state security and political stability,
personal data; morality and proper conduct and financial and commercial issues arising
• create various rights for individuals, including rights to obtain from the use of the internet or IT infrastructure. The Cyber Crimes Law
a copy of personal data, to require the correction or deletion of has extraterritorial effect.
personal data, and to object to the processing of personal data, that
a company holds about them;
• require organisations to implement appropriate security
measures; and
246 Fintech 2021

OUTSOURCING AND CLOUD COMPUTING As computer programs are not specifically excluded from patent-
ability under UAE legislation, so long as registration formalities are
Outsourcing followed, it is possible in principle to obtain patent protection for
34 Are there legal requirements or regulatory guidance with software-implemented inventions and business methods. It is likely to
respect to the outsourcing by a financial services company of be more difficult, however, for these inventions to meet the criteria of
a material aspect of its business? novelty, inventiveness and industrial applicability as required by UAE
legislation.
There is no regulatory guidance setting out notification or approval
requirements where a financial services company in the UAE intends IP developed by employees and contractors
to outsource a material aspect of its business. However, depending on 37 Who owns new intellectual property developed by an
the nature of the company and the functions being outsourced, there employee during the course of employment? Do the same
may be other restrictions. For example, the Regulatory Framework for rules apply to new intellectual property developed by
Stored Values and Electronic Payment Systems (the Digital Payment contractors or consultants?
Regulation) imposes restrictions upon certain payment service
providers (PSPs) looking to outsource operational functions where, Copyright in works created by an employee in the course of employ-
among other things, the functions being outsourced are deemed mate- ment will not automatically be owned by the employer. Such a work will
rially important or where a defect or failure in performance of the be owned by the individual employee or, if created alongside others,
outsourced functions would materially impact continued compliance may be protected as a joint work. It may be possible for the employer
with licensing requirements. to assert that a work created under the supervision or direction of the
employer meets the conditions for protection as a collective work under
Cloud computing UAE legislation.
35 Are there legal requirements or regulatory guidance with In most cases, however, employers seeking to take ownership of
respect to the use of cloud computing in the financial services copyright-protected works created by employees must do so by way of
industry? written assignment. Under the Copyright Law, a provision in a contract
that purports to assign the copyright in more than five future works
There are regulations that set parameters around the use of cloud will be void.
computing in the context of outsourcings, which includes those within In the context of patents, provided that an employee’s role includes
the financial services industry. inventive activities, inventions created by an employee in the course
Organisations carrying out functions that are regulated by the of an employment contract are automatically owned by the employer,
Dubai Financial Services Authority (in the Dubai International Financial unless otherwise agreed. Different rules apply if the employee’s role
Centre) or the Financial Services Regulatory Authority (in the Abu Dhabi does not include inventive activities. In these cases, the employer may
Global Market) have specific obligations in relation to material outsourc- exercise an option to take ownership of the invention within four months
ings, which in practice will include many cases of the use of cloud of becoming aware of the invention and the employee is entitled to
computing services. In respect of each material outsourcing, the organi- receive fair compensation.
sation must implement policies and risk management programmes, The same rules that apply to employee creators of copyright-
enter into an appropriate contract with the service provider incorpo- protected works apply in respect of works created by contractors and
rating certain minimum terms, and notify the relevant regulator of the consultants. These works will be owned by the individual creator or, if
outsourcing arrangement. created alongside others, may be protected as joint works.
The Digital Payment Regulation regulates how PSPs (other than non- As against employee creators, different rules apply in respect of
issuing PSPs) may outsource operational functions, which could include inventions created by a contractor or consultant during the course of a
outsourcings to cloud service providers. In respect of each outsourcing, contract. In these cases, the contractor or consultant will own the inven-
the PSP must obtain approval from the Central Bank. The outsourced tion, unless otherwise agreed.
services are required to be carried out in the UAE (outside the financial
free zones). Special rules apply when an outsourcing is considered to Joint ownership
relate to a material operational function, although no specific distinction 38 Are there any restrictions on a joint owner of intellectual
or guidance is given in relation to cloud computing solutions. property’s right to use, license, charge or assign its right in
Joint owners of a copyright-protected work in which it is not possible
IP protection for software to separate the contributions of each owner cannot exercise their rights
36 Which intellectual property rights are available to protect to use, license or assign the work individually, unless otherwise agreed
software, and how do you obtain those rights? in writing.
Where multiple authors contribute different kinds of art to a single
Original computer programs and related software applications are work, they may each exploit their individual contributions provided that
protected by copyright as literary works. Databases underlying soft- this does not damage the exploitation of the joint work. The legal posi-
ware programs can also attract copyright protection. Copyright arises tion is less clear in relation to works that include contributions of the
automatically as soon as the relevant literary work is created, so when same kind of art from multiple contributors.
a computer program is recorded, software lines are coded or a database A joint owner of a patented invention may exploit or assign his or
is created. There is no requirement to register these rights to be able to her rights independently of the other patentees. However, joint paten-
have them recognised or enforce them against a third party in the UAE. tees may only license the exploitation of the patent jointly with the other
If the software code has been kept confidential, it may also be patentees.
protected as confidential information and unauthorised disclosure can
attract criminal sanctions. No registration is required.
Trade secrets scope. One of these wholly excluded sectors is the financial sector. The
39 How are trade secrets protected? Are trade secrets kept list of excluded sectors and other important aspects of the competition
confidential during court proceedings? regime in the UAE are within the discretion of the Ministry of Economy,
and fintech businesses in the UAE will need to consider their specific
The UAE legislation dealing with patents and industrial designs also competition law issues to assess their exposure. Looking ahead, there
includes specific protection for trade secrets and know-how. Employees is expected to be increased consolidation in the banking sector and an
have specific statutory duties to keep the commercial and industrial expectation of greater collaboration, information-sharing and other
secrets of their employers confidential and may be criminally liable in horizontal arrangements, all of which could give rise to competition law
cases of unlawful use or disclosure of information. Trade secrets and risks in the UAE.
confidential information more broadly are commonly protected by way
of contractual obligations. TAX
Court proceedings in the UAE are not held in public and there is
thereore less of a concern around maintaining the confidentiality of Incentives
trade secrets in this context. 43 Are there any tax incentives available for fintech companies
Branding fintech sector in your jurisdiction?
branding and how do you obtain those rights? How can fintech There are no special incentives. However, onshore UAE, the Dubai
businesses ensure they do not infringe existing brands? International Financial Centre and Abu Dhabi Global Market are all
currently low or zero-tax jurisdictions.
Brands can be protected as registered trademarks in the UAE. An
application for registration and other formalities must be pursued to Increased tax burden
obtain protection. A law recognising a unified trademark regime for Gulf 44 Are there any new or proposed tax laws or guidance that
Cooperation Council countries has been decreed in the UAE but has not could significantly increase tax or administrative costs for
yet entered into force. fintech companies in your jurisdiction?
The UAE trademark database can be used to identify registered
trademark rights and, therefore, help ensure that a fintech business There are no relevant new or proposed tax laws or guidance.
does not infringe existing brands. The database is not available to the
public but the law provides for a right to obtain a certified extract of IMMIGRATION
the contents of a register upon payment of a fee. Applicants must pay a
separate fee to search each class for existing trademark rights. Sector-specific schemes
It is highly advisable for new businesses, perhaps using the 45 What immigration schemes are available for fintech
services of specialist trademark attorneys, to check whether the data- businesses to recruit skilled staff from abroad? Are there
base enquiry results indicate earlier registrations that are identical or any special regimes specific to the technology or financial
similar to their proposed brand names and marks. It may also be advis- sectors?
able to conduct internet searches for any unregistered trademark rights
that may prevent use of the proposed mark. Once an employee enters the UAE on an entry permit, the employer must
make an application for a residence visa to the immigration authorities.
Remedies for infringement of IP Before the visa is granted, the employee must pass a medical exami-
41 What remedies are available to individuals or companies nation. These requirements must be satisfied within 60 days of the
whose intellectual property rights have been infringed? employee’s entry into the UAE on the entry permit. Residence visas are
typically valid for two years outside the free zones and three years for
Remedies available to individuals or companies include: employees within a free zone. The total cost of the residence visa and
• precautionary measures, including requirements to cease the use the required permits depends on the nature of the company’s activity
of an infringing item; and whether the employee is hired within or outside the UAE. The cost
• confiscation or destruction of infringing items; outside the free zones ranges from US$400 to US$1,200. Free zone
• damages; and costs can differ.
• publication orders. Both financial free zones in the UAE offer start-up-specific licences
that, if obtained, provide for the recruitment of skilled staff from outside
The UAE legislation dealing with intellectual property rights, including of the UAE. In 2018, the Abu Dhabi Global Market (ADGM) introduced
in respect of patents, designs, trademarks and copyright, provides for the ADGM Tech Start-up Commercial Licence, under which it is possible
criminal liability in various cases of infringement. to secure up to four UAE residence visas. In the Dubai International
Financial Centre (DIFC), the DIFC FinTech Commercial Licence enables
COMPETITION fintech start-ups to apply for residence visas for their staff, the number
of which is dependent on office space (generally one visa per 80
Sector-specific issues square feet).
42 Are there any specific competition issues that exist with Investor visas are available to shareholders and proprietors.
Since the enactment of Federal Law No. 12 of 2012, the UAE has had a
standalone, federally applicable competition law that covers anticom-
petitive agreements, abuse of dominance and merger control; however,
the law also has a list of sectors that are entirely excluded from its
248 Fintech 2021

UPDATE AND TRENDS
trends to note?
No updates at this time.
Coronavirus Muneer Khan

muneer.khan@simmons-simmons.com
initiatives specific to your practice area has your state Jack Rossiter
implemented to address the pandemic? Have any existing jack.rossiter@simmons-simmons.com
government programmes, laws or regulations been amended Raza Rizvi
to address these concerns? What best practices are advisable raza.rizvi@simmons-simmons.com
for clients?
Level 7, The Gate Village, Building 10

UAE economic initiatives
Dubai International Financial Centre
UAE authorities have introduced a series of temporary measures
PO Box 506688
intended to support the citizens of the UAE and businesses affected by
Dubai
the covid-19 outbreak. United Arab Emirates
In March 2020, the UAE Cabinet announced that it would be Tel: +971 4 709 6600
providing 126 billion dirhams of financial support to the economy. As of Fax: +971 4 709 6601
5 April 2020, this support package was doubled. www.simmons-simmons.com
The UAE Central Bank also introduced the Targeted Economic
Support Scheme to facilitate temporary relief from the payments of
principal and interest or profit on outstanding loans for all affected
private sector corporates, small and medium-sized companies (SMEs) and Obligations in the UAE in the context of the Covid-19 Crisis. The
and individuals. The relief will not apply, however, to government loans guidance recognises that the pandemic could lead to altered patterns
nor loans from foreign entities. of normal and suspicious transactions behaviour. Among other actions,
financial institutions are required to revisit and consider their govern-
Establishment of Dubai’s Startup Hub and remote access ance, operational and risk frameworks in response to these exceptional
The Dubai Chamber of Commerce and Industry’s entrepreneurship circumstances to ensure that they remain compliant with their regu-
initiative – the Dubai Startup Hub – has provided its first wholly online latory obligations. The guidance also reminds financial institutions to
event for its members. Forty new members participated and can benefit maintain their customer due diligence requirements as a priority and
from online mentorship to support entrepreneurs in their new ventures encourages the use of technology to address the difficulties in verifying
during this difficult period. identities during this time.
Small businesses initiatives in Abu Dhabi

The Abu Dhabi Department of Economic Development and the Abu
Dhabi Department of Finance, in conjunction with Abu Dhabi registered
banks, have introduced a series of initiatives to assist SMEs that are
experiencing the effects of the outbreak. These measures include (but
are not limited to) reducing banking fees and charges, reducing interest
charges on new borrowing and deferring instalments on existing loans.
Stabilisation initiatives of market values

The UAE Securities and Commodities Authority (SCA) has introduced a
5 per cent limit on the reduction of stock prices across all sectors in the
UAE. The cap specifies the maximum permissible decline in the price
of stocks during one trading day and applies from 18 March 2020 until
further notice.
Dubai free zone initiatives

Free zones operating within Dubai will benefit from the Dubai Free Zone
Council’s package. Along with other free zones, the DIFC has intro-
duced additional measures for new and existing DIFC entities, including
discounted application fees, a waiver of certain fees and extensions to
returns and reports filing deadlines.
Financial crime risks

The supervisory bodies of the UAE (including the Central Bank, SCA,
Dubai Financial Services Authority and Abu Dhabi Global Market) have
issued the Joint Guidance on the Treatment of Financial Crime Risks
United Kingdom
Angus McLean, George Morris, Jo Crookshank, Kate Cofman-Nicoresti, Olly Jones, Penny Miller
and Peter Broadhurst
FINTECH LANDSCAPE AND INITIATIVES • the Global Financial Innovation Network is an international group
of financial regulators and related organisations, including the FCA,
General innovation climate committed to supporting financial innovation internationally;
1 What is the general state of fintech innovation in your • supporting regtech by encouraging the development of new
jurisdiction? technologies to help overcome regulatory challenges in financial
services; and
The United Kingdom has been at the forefront of innovation in tech- • engaging with firms across the UK and internationally to maximise
nology and finance for many years. Despite the ongoing uncertainty the reach of the FCA’s Innovate initiatives.
over the terms of the UK’s departure from the EU and the effects of the
covid-19 pandemic, this remains the case today. As the worlds of tech- The Bank of England is also interested in fintech. Its FinTech Hub
nology and finance become increasingly linked, London, in particular, includes the FinTech Accelerator Project, which works with businesses
has the unique advantages of being the national centre of govern- on fintech proofs of concept.
ment and finance and having many world class universities nearby.
Fintech businesses also benefit from the UK’s time zone, language and FINANCIAL REGULATION
legal system.
Perhaps mindful of the potential effect of Brexit, the UK government Regulatory bodies
remains committed to attracting start-ups and scale-up entrepreneurs 3 Which bodies regulate the provision of fintech products and
and investors. The UK remains the leading jurisdiction within Europe for services?
fintech activity. According to data from the UK's fintech trade associa-
tion, Innovate Finance, in 2019 fintech companies in the UK attracted The Financial Conduct Authority (FCA) is the financial services regulator
more capital and completed more deals than the rest of the top 10 for most regulated activities and services that a fintech would provide.
European countries combined. Seven of the top 10 deals in Europe The Prudential Regulation Authority is the regulator for banks in the UK.
involved UK fintech companies. Overall, investment was up 38 per cent The FCA regulates conduct matters for banks.
to $4.9 billion. This moved the UK up to second in the global rankings for
fintech venture capital investment. Regulated activities
While the UK is home to fintech innovation across the water- 4 Which activities trigger a licensing requirement in your
front, there is particular strength and expertise in AI and automation, jurisdiction?
blockchain and distributed ledger technology, cloud computing, crypto-
assets, cybersecurity, big data, insurtech, open banking, payments, There are a large number of activities (‘specified activities’) that, when
peer-to-peer lending and crowdfunding, and regtech. carried on in the UK by way of business in respect of specified kinds of
investments, trigger licensing requirements in the UK. These are set
Government and regulatory support out in the Financial Services and Markets Act 2000 (Regulated Activities)
2 Do government bodies or regulators provide any support Order 2001 (RAO). While it is not practical to list them all, the most
specific to financial innovation? If so, what are the key common include the following.
benefits of such support? • Accepting deposits: this is mainly carried on by banks and building
societies. An institution will accept a deposit where it lends the
Fintech in the UK is promoted by a range of government and regula- money it receives to others or uses it to finance its business.
tory bodies. • Dealing in investments (as principal or agent): buying, selling,
The Financial Conduct Authority (FCA) started ‘Project Innovate’ subscribing for or underwriting particular types of investments. In
in 2014 to encourage innovation and promote competition. Currently, respect of dealing as principal, the specified investments are ‘secu-
Project Innovate includes six initiatives: rities’ and ‘contractually based investments’. In respect of dealing
• the Regulatory Sandbox allows businesses to test innovative prop- as agent, the specified kinds of investments are ‘securities’ and
ositions in the market with real consumers; ‘relevant investments’:
• the Innovation Hub provides tailored regulatory support for inno- • securities include shares, bonds, debentures, govern-
vative firms; ment securities, warrants, units in a collective investment
• the Advice Unit provides feedback to firms developing automated scheme (CIS) and rights under stakeholder and personal
advice and guidance models; pension schemes;
250 Fintech 2021

Simmons & Simmons LLP United Kingdom
• contractually based investments include rights under statements and the detailed requirements as to the form and content of
certain insurance contracts (excluding contracts of general the credit agreement itself.
insurance), options, futures, contracts for differences and The CONC chapter in the FCA Handbook sets out detailed rules that
funeral plan contracts; and regulated consumer credit firms must comply with and covers areas
• relevant investments include the same investments as such as conduct of business, financial promotions, pre-contractual disclo-
contractually based investments but also include contracts of sure of information, responsible lending, post-contractual requirements,
general insurance. arrears, default and recovery, cancellation of credit agreements and
• Arranging deals in investments (this is split into two activities and agreements that are secured on land.
specified investments in respect of arranging include securities In addition to the CONC, authorised consumer credit firms must also
and relevant investments): comply with other applicable chapters of the FCA Handbook.
• arranging (bringing about) deals in investments, which applies Failing to comply with the requirements of the CCA may result in
to arrangements that have the direct effect of bringing about those agreements being unenforceable against borrowers and the FCA
a deal; and imposing financial penalties on the firm in question.
• making arrangements with a view to transactions in invest- Entering into a regulated mortgage contract is a regulated activity.
ments, which is much wider and includes arrangements that Such contracts are loans where:
facilitate others entering into transactions. • the contract is one under which a person (lender) provides credit to
• Advising on investments: advising a person in their capacity as an an individual or trustee (borrower);
investor on the merits of buying, selling, subscribing for or under- • the contract provides for the obligation of the borrower to repay to
writing a security or relevant investment or exercising any right be secured by a mortgage on land in the EEA (this will change to
conferred by that investment to buy, sell, subscribe for or under- land in the UK from 31 December 2020); and
write such an investment. • at least 40 per cent of that land is, or is intended to be, used:
• Managing investments: managing assets belonging to another • in the case of credit provided to an individual, as or in connec-
person, in circumstances involving the exercise of discretion, where tion with a dwelling by the borrower; or
the assets include any investment that is a security or contractu- • in the case of credit provided to a trustee that is not an indi-
ally based investment. vidual, as or in connection with a dwelling by an individual who
• Establishing, operating or winding up a CIS. is a beneficiary of the trust, or by a related person.
• Certain lending activities: entering into a regulated mortgage
contract or a regulated (consumer) credit agreement (or consumer Secondary market loan trading
hire agreement) as lender. 6 Are there restrictions on trading loans in the secondary
• Certain insurance activities: effecting a contract of insurance as market in your jurisdiction?
principal and carrying out a contract of insurance as principal.
• Payment services: providing payment services. Provided that the loan itself is being traded, and not the loan instrument
• Electronic money: issuing electronic money. (eg, an instrument creating or acknowledging indebtedness), then there
are no restrictions on trading loans in the secondary market.
Consumer lending
5 Is consumer lending regulated in your jurisdiction? Collective investment schemes
The general position is that lending by way of business to consumers is schemes and whether fintech companies providing alternative
regulated in the UK. The FCA is responsible for authorising and regu- finance products or services would fall within its scope.
lating consumer credit firms.
There are two categories of regulated lending: regulated credit Establishing, operating or winding up a CIS is a regulated activity in the
agreements and mortgages. UK for which firms must be authorised by the FCA.
Any person (A) who enters into an agreement with an individual (or The definition of a CIS is set out in section 235 of the Financial
a ‘relevant recipient of credit’, which includes a partnership consisting Services and Markets Act 2000 (FSMA). Broadly, a CIS is any arrange-
of two or three persons not all of whom are bodies corporate and an ment with respect to property of any description, the purpose or effect of
unincorporated body of persons that does not consist entirely of bodies which is to enable the persons taking part in the arrangements to partici-
corporate and is not a partnership) (B) under which A provides B with pate in or receive profits or income arising from the acquisition, holding,
credit of any amount must be authorised by the FCA – unless an appro- management or disposal of the property or sums paid out of such profits
priate exemption applies. or income. The persons participating in the arrangements must not have
Two of the most common exemptions are: where the amount of day-to-day control over the management of the property. The arrange-
credit exceeds £25,000 and the credit agreement is entered into wholly ments must also have either or both of the following characteristics:
or predominantly for business purposes; and where the borrower certi- • the contributions of the participants and the profits or income out of
fies that they are ‘high net worth’ and the credit is more than £60,260. which payments are to be made to them are pooled; or
Other complex exemptions are available that relate to, among other • the property is managed as a whole by, or on behalf of, the operator
things, the total charge for the credit, the number of repayments to be of the scheme.
made under the agreement and the nature of the lender.
If an exemption applies, the lender does not need to comply with Whether a fintech company falls within the scope of this regime will
the detailed legislative requirements that apply to regulated credit depend on the nature of its business. For example, fintech companies that
agreements contained in the Consumer Credit Act 1974 (CCA) (and manage assets on a pooled basis on behalf of investors should consider
secondary legislation made under it) and the FCA’s Consumer Credit carefully whether they may be operating a CIS. On the other hand, fintech
Sourcebook (CONC). companies that only provide advice or payment services may be less
Broadly, the CCA sets out the requirements lenders need to likely to operate a CIS. Fintech companies are advised to seek legal advice
comply with in relation to the provision of information, documents and on this subject and to have regard to their other regulatory obligations.
United Kingdom Simmons & Simmons LLP
The management of two forms of regulated collective investment • setting out the minimum information that a platform should provide
schemes, UCITS and AIFs, are also regulated activities. to investors; and
• introducing a requirement to monitor the investors that can use
Alternative investment funds a platform, including that platforms assess investors’ knowledge
8 Are managers of alternative investment funds regulated? and experience of platform lending where no advice has been given
to them. Firms are required to ensure that retail clients:
Managers of alternative investment funds are regulated in the UK under • are certified or self-certified as ‘sophisticated investors’ or
the Alternative Investment Fund Managers Directive, which has been ‘high net worth investors’; or
implemented in the UK by the Alternative Investment Fund Managers • confirm before a promotion is made that they will receive
Regulations 2013 and rules and guidance contained in the FCA Handbook. regulated investment advice or investment management
services from an authorised person; or
Peer-to-peer and marketplace lending • do not invest more than 10 per cent of their net investible
9 Describe any specific regulation of peer-to-peer or assets in P2P agreements in the 12 months following
marketplace lending in your jurisdiction. certification.
Peer-to-peer (P2P) lending is a term that generally refers to loan-based Crowdfunding

crowdfunding. In the UK, the FCA regulates loan-based crowdfunding 10 Describe any specific regulation of crowdfunding in your
platforms. jurisdiction.
Under article 36H of the RAO, operating an electronic system that
enables the operator (A) to facilitate persons (B and C) becoming the In the UK, reward-based crowdfunding (where people give money in
lender and borrower under an article 36H agreement is a regulated return for a reward, service or product) and donation-based crowd-
activity (and a firm will require FCA authorisation) where the following funding (where people give money to enterprises or organisations they
conditions are met: wish to support) are not currently regulated in their own right.
• the system operated by A is capable of determining which agree- Equity-based crowdfunding is where investors invest in shares in,
ments should be made available to each of B and C; typically, new businesses. Equity-based crowdfunding is not specifically
• A (or someone acting on its behalf) undertakes to receive payments regulated in the UK (in the same way as loan-based crowdfunding).
due under the article 36H agreement from C and make payments to However, a firm operating an equity-based crowdfunding service
B that are due under the agreement; and must ensure that it is not carrying on any other regulated activity
• A (or someone acting on its behalf) takes steps to procure the without permission. Examples of regulated activities that equity-based
payment of a debt under the article 36H agreement or exercises crowdfunding platforms may carry on (depending on the nature and
or enforces rights under the article 36H agreement on behalf of B. structure of their business) include:
• establishing, operating or winding up a CIS;
An article 36H agreement is an agreement by which one person provides • arranging deals in investments; and
another with credit in relation to which: • managing investments.
• A does not provide the credit, assume the rights of a person who
provided credit or receive credit; and Additionally, equity-based crowdfunding platforms must not market to
• either the lender is an individual or the borrower is an individual retail clients unless an appropriate exemption applies.
and the credit is less than £25,000, or the agreement is not entered In the FCA’s policy statement on P2P lending, investment-based
into by the borrower wholly or predominantly for the purposes of a crowdfunding platforms were also covered. Recent work has focused
business carried on, or intended to be carried on, by the borrower. on restrictions on the types of clients these platforms can market to and
how this is managed.
In addition to falling within the definition of an article 36H agreement, a
loan may also constitute a regulated credit agreement, unless an exemp- Invoice trading
tion applies and so a lender, through a platform authorised under article 11 Describe any specific regulation of invoice trading in your
36H, may also be required to have permission to enter into a regulated jurisdiction.
credit agreement as lender. Two of the most common exemptions are:
where the amount of credit exceeds £25,000 and the credit agreement is Currently, there are no regulations relating specifically to invoice trading.
entered into wholly or predominantly for business purposes; and where However, depending on how the business is structured, a firm
the borrower certifies that they are ‘high net worth’ and the credit is that operates an invoice-trading platform may be carrying on regulated
more than £60,260. activities for which it must have permission, including:
Other complex exemptions are available that relate to, among other • establishing, operating or winding up a CIS; and
things, the total charge for the credit, the number of repayments to be • managing an alternative investment fund.
made under the agreement and the nature of the lender.
The FCA produced a policy statement in June 2019 that confirmed There is also a possibility that the firm may need to register with the
new rules that came into place in December 2019 in relation to FCA as an Annex 1 financial institution because it carries on commer-
P2P lending. These changes are found in the Conduct of Business cial lending. As an Annex 1 financial institution, the firm would need
Sourcebook and Senior Management Arrangements, Systems and to comply with all the detailed anti-money laundering requirements
Controls, and include: under the Money Laundering, Terrorist Financing and Transfer of Funds
• enhanced requirements for platform governance arrangements (Information on the Payer) Regulations 2017.
including in relation to credit risk assessment, risk management
and fair valuation practices;
• strengthening rules on wind-down planning in the event of plat-
form failure;
252 Fintech 2021

Payment services requires banks to allow third-party payment service providers to initiate
12 Are payment services regulated in your jurisdiction? payments from their customers’ accounts.
Payment services are regulated under the Payment Services Regulations Robo-advice
2017, which implement the second Payment Services Directive (PSD2) 14 Describe any specific regulation of robo-advisers or other
in the UK. Payment services include: companies that provide retail customers with automated
• services enabling cash to be placed on a payment account and all access to investment products in your jurisdiction.
the operations required for operating a payment account;
• services enabling cash withdrawals from a payment account and There are no specific regulations to cover robo-advisers. The rules
all the operations required for operating a payment account; applying to investment advisers or arrangers and discretionary invest-
• the execution of the following types of payment transaction: ment managers are technology-neutral and cover face-to-face as well
• direct debits, including one-off direct debits; as online or automated services. Therefore, a licence would generally
• payment transactions executed through a payment card or a be required, and robo-advisers would be subject to the usual conduct
similar device; and of business requirements, for example, around suitability assessments,
• credit transfers, including standing orders; disclosure of costs and charges, and marketing (which must be fair,
• the execution of the following types of payment transaction where clear and not misleading).
the funds are covered by a credit line for the payment service user:
• direct debits, including one-off direct debits; Insurance products
• payment transactions executed through a payment card or a 15 Do fintech companies that sell or market insurance products
similar device; and in your jurisdiction need to be regulated?
• credit transfers, including standing orders;
• issuing payment instruments or acquiring payment transactions; Effecting or carrying out a contract of insurance, arranging contracts
• money remittance; of insurance, or dealing in insurance as an agent are a regulated activi-
• payment initiation services (initiating a payment order at the ties and fintech companies that wish to do this must be regulated.
request of a payment service user with respect to an account held Companies that wish to market insurance products must either be
with another payment service provider); and regulated, have their marketing material approved by a regulated firm
• account information services (online service to provide consoli- or fall within an applicable exclusion. For example, exemptions may be
dated information on one or more payment accounts held by the available for communications to high net worth individuals, companies,
payment service user with another one (or more) payment service sophisticated individuals and other investment professionals.
provider).
Credit references
The PSD2 broadens the scope of transactions governed by its provi- 16 Are there any restrictions on providing credit references or
sions, narrows the scope of certain exclusions, amends the conduct of credit information services in your jurisdiction?
business requirements and introduces security requirements.
To provide payment services in the UK, a firm must fall within the Providing credit information services and providing credit references
definition of a ‘payment service provider’. Payment service providers are regulated activities for which firms must be regulated. A firm
include ‘authorised payment institutions’, ‘small payment institutions’, provides credit information services where it takes any of the following
credit institutions, electronic money institutions, the post office, the steps (or gives advice in relation to any of the following steps) on behalf
Bank of England and government departments and local authorities. of an individual or relevant recipient of credit:
A firm that provides payment services in or from the UK as a • ascertaining whether a credit information agency holds informa-
regular occupation or business activity (and is not exempt, or a bank) tion relevant to the financial standing of an individual or relevant
must apply for authorisation or registration as a payment institution. recipient of credit;
• ascertaining the contents of such information;
Open banking • securing the correction of, the omission of anything from, or the
13 Are there any laws or regulations introduced to promote making of any other kind of modification of, such information; and
competition that require financial institutions to make • securing that a credit information agency that holds such
customer or product data available to third parties? information:
• stops holding the information; or
Following its investigation into the retail and small and medium-sized • does not provide it to any other person.
enterprise (SME) banking sectors between 2013 and 2016, the UK’s
competition authority (the Competition and Markets Authority (CMA)) Providing credit references involves providing people with infor-
ordered a number of remedies to help promote greater competition in mation relevant to the financial standing of individuals or relevant
the retail and SME banking markets. recipients of credit where the person has collected the information
One of the core remedies ordered by the CMA requires the nine for that purpose.
largest retail banks in Great Britain and Northern Ireland to develop In addition, the Small and Medium-Sized Business (Credit
and implement an open banking standard application programming Information) Regulations 2015 (the SMB Regulations) require:
interface (API) to give third parties access to information about their • designated banks to share specified credit information about SMEs
services, prices and service quality in order to improve competition, effi- with designated credit reference agencies (with the permission of
ciency and stimulate innovation. The open APIs also allow retail and SME the relevant SME); and
customers to share their own transaction data with trusted intermedi- • designated credit reference agencies to provide this information
aries, which can then offer advice tailored to the individual customer. to finance providers at the request of the SME and to the Bank
These measures are intended to make it easier for customers of England.
to identify the best products for their needs. Additionally, the PSD2
While the provision of this information is not a regulated activity under SALES AND MARKETING
the FSMA, the FCA does monitor and enforce compliance with the SMB
Regulations. Restrictions
19 What restrictions apply to the sales and marketing of
CROSS-BORDER REGULATION financial services and products in your jurisdiction?
Passporting The UK has a comprehensive set of rules relating to financial promo-

17 Can regulated activities be passported into your jurisdiction? tions. These are set out in Chapter 4 of the Financial Conduct Authority's
(FCA) Conduct of Business Sourcebook (COBS).
An EEA firm that has been authorised under one of the EU single market The definition of a financial promotion is very wide and includes
directives may provide cross-border services into the UK. For these an invitation or inducement to engage in investment activity that is
purposes, the relevant single market directives include the: communicated in the course of business. Marketing materials for finan-
• Capital Requirements Directive; cial services are likely to fall within this definition.
• Solvency II Directive; The basic concept is that financial promotions must be fair, clear
• second Markets in Financial Instruments Directive (MiFID II); and not misleading. FCA guidance suggests that:
• Insurance Distribution Directive; • for a product or service that places a client’s capital at risk, it
• Mortgage Credit Directive; makes this clear;
• fourth Undertakings for Collective Investment in Transferable • where product yield figures are quoted, this must give a balanced
Securities Directive; impression of both the short- and long-term prospects for the
• the Alternative Investment Fund Managers Directive; investment;
• the second Payment Services Directive; and • where the firm promotes an investment or service with a complex
• Electronic Money Directive. charging structure or the firm will receive more than one element
of remuneration, it must include the information necessary to
To passport a regulated activity into the UK, a firm must first provide ensure that it is fair, clear and not misleading and contains suffi-
notice to its home regulator. The directive under which the EEA firm is cient information taking into account the needs of the recipients;
seeking to exercise passport rights will determine the conditions and • the FCA, Prudential Regulation Authority (PRA) or both (as appli-
processes that the firm must follow. cable) are named as the firm’s regulator and any matters not
Operating an electronic system that enables the operator to facili- regulated by either the FCA, PRA or both are made clear; and
tate persons becoming the lender and borrower under an ‘article 36H • where if it offers ‘packaged products’ or ‘stakeholder products’
agreement’, that is, over a peer-to-peer lending platform, is not currently not produced by the firm, it gives a fair, clear and not misleading
an activity that may be passported. impression of the producer of the product or the manager of the
It is unclear at this point how Brexit might affect the ability for underlying investments.
EEA firms to passport services into the UK, and UK firms to passport
services into the EEA, in the future. However, an exemption may be available to keep marketing materials
outside the scope of the financial promotion rules. For example, exemp-
Requirement for a local presence tions may be available for communications to high net worth individuals,
18 Can fintech companies obtain a licence to provide financial companies, sophisticated individuals and other investment professionals.
services in your jurisdiction without establishing a local Even authorised firms are prohibited from the promotion of unreg-
presence? ulated collective investment schemes, except in specific circumstances
set out in the Financial Services and Markets Act 2000 (Promotion
An EEA firm may exercise passport rights to provide services in the of Collective Investment Schemes) (Exemptions) Order 2001 (SI
UK. Alternatively, in the case of a non-EEA firm or an EEA firm that 2001/1060).
is not undertaking an activity that can be passported into the UK, it Only authorised persons may make financial promotions and it is a
must establish a local presence and obtain an appropriate licence. For criminal offence for an unauthorised person to communicate a financial
example, an equity crowdfunding platform with the relevant permis- promotion. Any agreements entered into with customers as a result of
sions in another EEA state may be able to passport into the UK without an unlawful financial promotion are unenforceable.
establishing a local presence.
Operating an electronic system that enables the operator to facili- Lending
tate persons becoming the lender and borrower under an article 36H In relation to lending, there is also a comprehensive set of rules and the
agreement is not currently an activity that can be passported. position is similar, but not identical, to that set out in COBS.
Therefore, peer-to-peer (P2P) or marketplace lending platforms In respect of credit agreements, the FCA’s Consumer Credit
that are licensed under local rules governing P2P or marketplace Sourcebook 3.3 applies and provides that a financial promotion must
lending in other jurisdictions (whether inside or outside the EEA) would be clear, fair and not misleading. In addition, firms must ensure that
have to establish a local presence and become appropriately regulated. financial promotions:
• are clearly identifiable as such;
• are accurate;
• are balanced (without emphasising potential benefits without
giving a fair and prominent indication of any relevant risks);
• are sufficient for, and presented in a way that is likely to be under-
stood by, the average member of the group to which they are
directed, or by which they are likely to be received;
• are presented in a way that does not disguise, omit, diminish or
obscure important information, statements or warnings;
254 Fintech 2021

• present any comparisons or contrasts in a fair, balanced and mean- • each exiting controller notifying the FCA of the change of
ingful way; control; and
• use plain and intelligible language; • the FCA-regulated firm notifying the FCA of these changes.
• are easily legible and audible (if given orally);
• specify the name of the person making the communication (or In practice, a joint notification is usually made, coordinated by the
whom they are communicating on behalf of, if applicable); and FCA-regulated firm with the new controllers and exiting controllers.
• do not state or imply that credit is available regardless of the Any potential controllers must provide detailed information, including in
customer’s financial circumstances or status. respect of its group structure, senior management, commercial activi-
ties, any criminal or civil proceedings against the company, and details
Various other detailed requirements apply depending on the type of of the acquisition.
credit (eg, peer-to-peer, secured, unsecured or ‘high-cost short-term’ The FCA has a statutory assessment period of 60 working days to
credit) and the type of agreement (eg, whether it is secured on land), determine change-of-control applications. This can be interrupted for a
which govern things such as: period of 30 days. In practice, determinations are made more quickly.
• the requirement to include particular risk warnings and how those There is no application fee.
warnings must be worded;
• when and how annual percentage rates and representative exam- FINANCIAL CRIME
ples must be included and displayed; and
• expressions that cannot be included in financial promotions. Anti-bribery and anti-money laundering procedures
In relation to mortgages, chapter 3A of the Mortgages and Home Finance: procedures to combat bribery or money laundering?
COBS applies. In addition to being clear, fair and not misleading, finan-
cial promotions must: Generally, fintech companies are only required to have anti-money laun-
• be accurate; dering (AML) procedures if the company is authorised by the Financial
• be balanced (without emphasising any potential benefits without Conduct Authority (FCA) or carries out business that is subject to the
also giving a fair and prominent indication of any relevant risks); Money Laundering Regulations 2017 (MLRs 2017). The UK implemented
• be sufficient for, and presented in a way that is likely to be under- the Fifth Money Laundering Directive (5MLD) on 10 January 2020, by
stood by, the average member of the group to whom it is directed, way of updates to the MLRS 2017 effected by the Money Laundering
or by whom it is likely to be received; and Terrorist Financing (Amendment) Regulations 2019 (the 2019
• make it clear, where applicable, that the credit is secured on the Regulations). Under 5MLD, the 2019 Regulations (in line with the 5MLD),
customer’s home; the types of entities required to have money laundering procedures has
• be presented in a way that does not disguise, omit, diminish or been widened to include crypto-asset exchange providers and custo-
obscure important items, statements or warnings; and dian wallet providers. The 2019 Regulations also capture peer-to-peer
• where they contain a comparison or contrast, be designed in such exchange providers, crypto-asset automated teller machines and the
a way that the comparison or contrast is presented in a fair and issuing of new crypto-assets (eg, an initial coin offering (ICO) or initial
balanced way and ensures that it is meaningful. exchange offering (IEO)).
Entities subject to UK money laundering regulations are required
As with credit agreements, other provisions apply depending on the to, among other things:
particular type of mortgage, covering, among other things: • identify and assess the firm’s exposure to money laundering risk
• the inclusion and presentation of annual percentage rates and by, for example, undertaking a risk assessment;
other credit-related information; • perform customer due diligence to an adequate standard depending
• points of contact; and on the risk profile of the customer;
• when and how financial promotions can be made. • keep appropriate records;
• monitor compliance with the AML regulations, including internal
CHANGE OF CONTROL communication of policies and procedures; and
• report suspicious transactions.
20 Describe any rules relating to notification or consent With respect to anti-bribery policies and procedures, all companies
requirements if a regulated business changes control. (including fintech companies) that are incorporated in or carry on busi-
ness, or a part of their business, in the UK are subject to the Bribery
Part 12 of the Financial Services and Markets Act 2000 sets out a strict Act 2010. While the Bribery Act does not require the implementation of
system concerning changes of control of regulated firms, and failure policies or procedures to combat bribery, it creates a de facto require-
to adhere to the appropriate statutory requirements can be a criminal ment to do so. This is because a company charged with ‘failing to
offence, depending on the nature of the breach. prevent bribery’ may rely on the statutory defence that the company had
Controllers or potential controllers of FCA-authorised firms are adequate policies and procedures in place designed to prevent bribery.
required to make notifications to and obtain approval from the Financial It is not just large companies that need to be concerned with this law.
Conduct Authority (FCA) when a change of control occurs. The notifica- The successful prosecution of Skansen Interiors Ltd (a company with
tion must be made before a change of control takes place. A person fewer than 30 employees) for failing to prevent bribery in 2018 indicates
who fails to obtain the appropriate FCA approval will be guilty of a crim- that UK prosecutors will target smaller companies for such an offence.
inal offence.
The notification process takes place under three parallel
processes:
• each new controller submitting the appropriate controller notifica-
tion form to seek the FCA’s pre-approval;
Guidance of simple contracts (such as loan agreements) is accepted as creating

22 Is there regulatory or industry anti-financial crime guidance enforceable agreements, subject to complying with regulatory require-
for fintech companies? ments (eg, in respect of regulated lending). E-signing can take a range
of forms, including typing the signatory’s name, signing through biody-
There is no anti-financial crime guidance issued by the FCA specifi- namic software (ie, the signatory signing on a screen or on a digital pad)
cally for fintech firms. However, firms that are authorised by the FCA or clicking an 'I accept' (or similar) icon on a web page. Certain limita-
should comply with its ‘Financial Crime Guide: A firm’s guide to coun- tions on e-signing generally need to be borne in mind:
tering financial crime risks’ (www.handbook.fca.org.uk/handbook/FCG. • English law prohibits e-signing in respect of certain types of
pdf) and may find the FCA’s outline to its supervision of crypto-assets contract, including but not limited to documents required to be
helpful (www.fca.org.uk/firms/financial-crime/cryptoassets-aml-ctf- registered at HM Land Registry;
regime). In addition, the Joint Money Laundering Steering Group issues • there may be restrictions within a company’s articles of associa-
detailed guidance for the financial sector, and is currently in the process tions that may restrict or forbid the use of e-signing, and these
of drafting guidance specific to the crypto-asset sector(https://jmlsg. should be checked prior to any signing; and
org.uk/consultations/consultation-part-ii-sector-22/). • questions arise as to whether the prescribed formalities for
It is important for fintech firms to understand the concerns and executing deeds can be satisfied by e-signing. In particular, diffi-
policy drivers that financial institutions have with respect to their culties are likely to arise in satisfying the attestation requirement
fintech clients. In June 2018, the FCA sent a ‘Dear CEO’ letter to financial (where a deed is executed by an individual or by a single director
institutions, advising them to take ‘reasonable and proportionate meas- of a company in the presence of a witness) by electronic means.
ures to lessen the risk of your firm facilitating financial crimes which
are enabled by cryptoassets’. This will have a consequential effect on Even if it were possible to satisfy these formalities, there may be prac-
fintech companies, as financial institutions are likely to apply the FCA’s tical reasons (such as certainty and evidential issues) why executing a
guidance when conducting due diligence on and monitoring their deed with a ‘wet-ink’ signature (rather than e-signing it) may be prefer-
relationships with crypto-businesses as a result of this letter. While able. As such, best practice remains for deeds to be executed with a
not addressed to fintech companies, they may also find this guidance wet-ink signature.
helpful in mitigating financial crime risks in their own relationships with On 3 September 2019, the Law Commission published Law Com
individuals and entities whose wealth, funds or revenue derives from report No. 386 concerning e-signatures. Of particular importance, the
crypto-related activities. Law Commission confirmed that e-signing is capable in law of being
used to execute documents (including deeds), provided that (1) the
PEER-TO-PEER AND MARKETPLACE LENDING executing party ‘intends to authenticate’ the document, which it clarified
as the same as intending to be bound, and (2) any formalities relating to
Execution and enforceability of loan agreements the execution of such document are satisfied.
23 What are the requirements for executing loan agreements or With respect to the attestation requirement, however, the Law
security agreements? Is there a risk that loan agreements Commission’s views are that the physical presence of a witness is
or security agreements entered into on a peer-to-peer or required, even when both the signatory and the witness are executing
marketplace lending platform will not be enforceable? or attesting the document using e-signature. The Law Commission was
not satisfied that the witness’s ‘virtual’ or ‘remote’ presence would
Provided the essential elements of a contract are present, loan suffice, and this is also the position that is followed by the HM Land
agreements governed by English law can be executed in the form of Registry. These views, and the law in respect of physical witness, remain
agreements by signatories of the respective parties with due authority. unchanged since the beginning of the covid-19 pandemic.
The execution requirements for an English law security agreement
will depend on the form of security agreement. However, most English Assignment of loans
law security agreements will be executed in the form of a deed to ensure 24 What steps are required to perfect an assignment of
that no challenge can be made on the grounds of a lack of considera- loans originated on a peer-to-peer or marketplace lending
tion or owing to the form of property being secured. It is also common platform? What are the implications for the purchaser if the
for a security agreement to grant the lender a power of attorney, which assignment is not perfected? Is it possible to assign these
must be executed as a deed to be enforceable. Certain formalities are loans without informing the borrower?
required for the execution of a deed:
• the deed must be in writing; To perfect a legal assignment of loans originated on a P2P lending
• it must be clear on its face that it is intended to take effect as a deed; platform, various criteria must be met. Most importantly, notice of the
• it must be validly executed as a deed, the requirements of which assignment must be received by the other party to the loan agreement.
will vary according to the executing party (for example, whether it In addition to this, the benefit under the loan that is being assigned must
is an individual or a company). In particular, if the executing party be absolute, unconditional and not purporting to be by way of charge
is a company and if the deed is signed by a director (rather than only, the contract effecting the assignment of the loans must be in
through the affixing of the company seal or the signature of two writing and signed by the assignor, and the assignment must be of the
authorised signatories), the signature of such director must be whole of the debt under the loan agreement.
attested by a witness (in other words, an individual must observe Subject to certain exceptions, notice by email will comprise notice
the execution of the deed and record, on the deed itself, that he or in writing under English law and, therefore, sending a notice to the other
she has made such observation); and party to the loan agreement by email should not preclude it from being
• it must be delivered as a deed, which is to say that the parties must effectively delivered. However, a question remains over whether notice
demonstrate an intention to be bound. of assignment can be effectively delivered solely by updating the rele-
vant party’s account on the P2P lending platform. It is therefore best
Typically, peer-to-peer (P2P) marketplace lending platforms require practice to notify the other party to the loan agreement of the assign-
agreements to be entered into electronically (e-signing). The e-signing ment both by email and an update to their P2P account.
256 Fintech 2021

If the assignment does not comply with the above criteria for a legal registered office. Therefore, the non-EU subsidiary of an EU entity may
assignment, it may nevertheless take effect as an equitable assignment. not be subject to the direct retention obligation because a subsidiary
One of the key distinctions between a legal and an equitable assignment is typically a separate legal entity, whereas a non-EU branch of an EU
is that, in the case of an equitable assignment, the person to whom the entity may be caught within this provision because a branch is typically
loan has been transferred would not be able to bring an action under not a separate legal entity.
the contract in their own name. Further, there was an unexpected and unintended consequence
of the drafting under article 1(11) in Regulation (EU) 2017/2401, which
Securitisation risk retention requirements amended article 14 of Regulation (EU) No. 575/2013 (CRR) effective
25 Are securitisation transactions subject to risk retention from 1 January 2019. The effect of such amendment was to require
requirements? non-EU subsidiaries to comply with the direct obligations under Chapter
2 of the EU Securitisation Regulation on a consolidated basis (ie, those
The risk retention requirements set out in Regulation (EU) 2017/2402, relating to due diligence, risk retention, transparency, banning re-secu-
which came into force on 1 January 2019 (the EU Securitisation ritisation and criteria for credit granting). This raised challenges for
Regulation) will apply directly to the ‘originators’, ‘sponsors’ and ‘original third-country entities that are consolidated into European groups (eg,
lenders’ of a ‘securitisation’ transaction (as each such term is defined in EU banks operating in third countries through their non-EU subsidi-
the EU Securitisation Regulation) where any of the originator, sponsor aries), as these non-EU subsidiaries may be required to comply with
or original lender is established in the EU, and indirectly to originators, potentially conflicting sets of requirements under the EU risk retention
sponsors and original lenders of securitisation transactions that are rules and the locally applicable rules.
offered to ‘institutional investors’ (as defined in the EU Securitisation Following concerns from market participants, the position on the
Regulation) regulated by a competent authority of an EU member jurisdictional scope is now clarified through article 1(9) of Regulation
state (in each case, including any P2P securitisation that falls within (EU) 2019/876 (the CRR II Regulation), which further amended article 14
the definition of ‘securitisation’ in the EU Securitisation Regulation), as of the CRR. CRR II Regulation entered into force on 27 June 2019 (except
described further below. for certain provisions) and limited the application article 14 of the CRR
to article 5 of the EU Securitisation Regulation such that only the due
What are the risk retention requirements? diligence requirements will continue to apply on a consolidated basis to
The EU Securitisation Regulation requires the originator, sponsor or non-EU subsidiaries.
original lender in respect of a securitisation to retain on an ongoing
basis a material net economic interest in such securitisation of not less Possible retaining entities in respect of P2P securitisations
than 5 per cent using one of five prescribed risk retention methods, Typically, a P2P lending platform will not qualify as the ‘sponsor’ or
including (among other things) retention of: ‘original lender’ of a P2P securitisation. However, it may qualify as an
• the most subordinated tranches, so that the retention equals no less ‘originator’ if it was (either itself or through related entities) directly or
than 5 per cent of the nominal value of the securitised exposures; indirectly involved in the original agreement that created the P2P loans
• 5 per cent of the nominal value of each of the tranches sold to being securitised. Whether or not the P2P lending platform comprises
investors; or an originator will ultimately be a question of fact, but it is likely that
• randomly selected exposures equivalent to no less than 5 per cent some P2P lending platforms in the market will (by virtue of their docu-
of the nominal value of the securitised exposures. mentation structure and role as operator of the platform) comprise
originators for the purposes of the EU Securitisation Regulation. If this
Direct and indirect approaches is the case, any such P2P lending platform will be required to retain a
The retention requirement applies on a direct basis, as originators, 5 per cent economic interest in any securitisation of loans originated
sponsors and original lenders are required to agree on an entity that on their platform unless the originator, sponsor or original lender have
will act as retention holder and to ensure compliance with the retention agreed between them that another entity will retain.
requirements, and on an indirect basis, as it is incumbent upon investors If a P2P lending platform does either not qualify as an originator
in securitisation transactions to ensure that the retention requirement or does qualify as an originator but does not wish to retain, another
has been complied with. In the absence of agreement among the origi- entity with the capacity to retain will need to be identified and this entity
nator, sponsor or original lender as to who will be the retention holder, will need to agree to retain in accordance with the terms of the EU
the originator shall be the retention holder. Originators, sponsors and Securitisation Regulation. Any entity that retains in the capacity of ‘origi-
original lenders may potentially be subject to a broad range of adminis- nator’ is expected to be an entity of substance, and the EU Securitisation
trative sanctions (including significant fines) or remedial measures, or Regulation expressly provides that an entity will not be considered an
even criminal sanctions, where the they have negligently or intentionally originator where it has been established or operates for the sole purpose
infringed the risk retention requirements under the EU Securitisation of securitising exposures. The EU Securitisation Regulation does not
Regulation. Investors in a securitisation that is non-compliant will be specify in what circumstances an entity will be considered to have been
subject to higher regulatory capital charges. established for the sole purpose of securitising exposures but, in the Final
Draft Regulatory Technical Standards relating to risk retention pursuant
Jurisdictional scope to article 6(7) of the EU Securitisation Regulation (published on 31 July
The EU Securitisation Regulation does not explicitly set out the juris- 2018), the European Banking Authority (EBA) proposed that an originator
dictional scope of the direct retention obligation (which is where the will not be considered to have been established with the ‘sole purpose’
originator, sponsor or original lender would be required to comply of securitising exposures if it satisfies certain conditions, including that:
with the risk retention requirements), but there is a helpful note in the • it has a broader business enterprise and strategy;
Explanatory Memorandum to the original Commission proposal for the • it has sufficient decision makers with the required experience; and
EU Securitisation Regulation that the intention is that the direct approach • its ability to make payment obligations does not depend on the
would not apply where none of the originator, sponsor or original lender exposures to be securitised or on any exposures retained for the
is ‘established in the EU’. ‘Establishment’ is typically described by refer- purposes of the risk retention regulations.
ence to the jurisdiction in which the legal entity is incorporated or has its
Impact of Brexit on EU Securitisation Regulation ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER

As an EU Regulation, the scope of the EU Securitisation Regulation is TECHNOLOGY AND CRYPTO-ASSETS
directly applicable only to EU member states, which brings into consid-
eration its applicability following the UK’s departure from the EU. The Artificial intelligence
EU Securitisation Regulation will not apply directly to originators, orig- 27 Are there rules or regulations governing the use of artificial
inal lenders or sponsors in the UK for new securitisations post-Brexit. intelligence, including in relation to robo-advice?
However, EU investors required to comply with the EU Securitisation
Regulation will only be able to invest in a UK securitisation transac- There are not yet any significant rules or regulations that specifically
tion that complies with the EU Securitisation Regulation requirements. govern the use of AI in the UK (including in respect of robo-advice),
Accordingly, we would expect many UK deals to continue to be struc- except in respect of some limited regulatory provisions; most notably
tured to comply with the EU Securitisation Regulation post-Brexit for in the EU General Data Protection Regulation (GDPR), which sets out
liquidity purposes. requirements in respect of ‘automated’ decision-making (which would
Although the UK left the EU on 31 January 2020, the European include AI) involving personal data. In particular, Article 22 provides that
Union (Withdrawal Agreement) Act 2020, which implements the UK-EU a data subject has the right not to be subject to a decision based solely
Withdrawal Agreement into UK domestic law, provides that a transition on automated processing except in certain circumstances (eg, with the
period will apply until 31 December 2020 (the transition period). EU law, data subject’s explicit consent). Articles 13(2) and 14(2) also require
including the EU Securitisation Regulation, will continue to apply during a data controller to provide ‘meaningful information about the logic
the transition period, and it is only following the end of the transition involved’ in an automated decision-making process. For fintech busi-
period that the interactions of EU laws into the UK becomes uncertain. nesses using personal data in the context of AI (eg, in assessing loan
In the event of a ‘no deal’ Brexit, all of the UK’s statutory instru- applications), this is likely to mean that the business should be able to
ments that amend EU laws will come into force at the end of the explain how the AI system operates in that context and why, in any given
transition period. This includes the Securitisation (Amendment) (EU case, it has arrived at its decision.
Exit) Regulations 2019, which facilitates the onshoring of the EU The obligation in articles 13(2) and 14(2) reflects a growing
Securitisation Regulation as UK domestic law. The Securitisation consensus on the importance of transparency and explainability in
(Amendment) (EU Exit) Regulations 2019 also make some drafting the context of responsible or ethical AI. Regulators and policy groups,
changes to the implementation of the EU Securitisation Regulation in particularly in the financial services sector, have emphasised that,
the UK, for example, clarifying the application of the investor due dili- while there are considerable benefits to be harnessed from the use of
gence obligations for third country securitisations and the definition of AI, businesses should understand and be able to explain how they are
sponsor. However, the current Securitisation (Amendment) (EU Exit) using AI and the impact on stakeholders, particularly consumers. This
Regulations 2019 may still be subject to further amendments and/or is particularly so given the increasing complexity of AI systems and the
supplements until the end of the transition period. corresponding difficulty in understanding how they operate.
The Financial Conduct Authority (FCA) published two papers
Securitisation confidentiality and data protection requirements on AI in 2019 – ‘Explaining why the computer says no’ and ‘Artificial
26 Is a special purpose company used to purchase and securitise Intelligence in the boardroom’ – which both emphasise that financial
peer-to-peer or marketplace loans subject to a duty of institutions (including their board members) should be able to explain
confidentiality or data protection laws regarding information AI-based decisions, particularly in sensitive contexts (for example, in
relating to the borrowers? consumer loan applications).
While there are not yet any specific legislative requirements in
The entity assigning loans to the special purpose vehicle (SPV) must this regard, it should be remembered that fintech businesses using
ensure that there are no confidentiality requirements in the loan docu- AI, including for robo-advice, may still be subject to the FCA’s regu-
ments that would prevent it from disclosing information about the loans latory regime more generally, particularly as the advice offered by a
and the relevant borrowers to the SPV and the other securitisation robo-adviser will be a regulated activity where that advice involves an
parties. If there are such restrictions in the underlying loan documen- element of personal recommendation regarding investments.
tation, the assignor will require the consent of the relevant borrower
to disclose to the SPV and other securitisation parties the information Distributed ledger technology
they require before agreeing to the asset sale. In addition, the SPV will 28 Are there rules or regulations governing the use of
want to ensure that there are no restrictions in the loan documents that distributed ledger technology or blockchains?
would prevent it from complying with its disclosure obligations under
English and EU law (such as those set out in the EU Securitisation There are no specific rules or regulations specifically governing the use
Regulation and the CRR). of distributed ledger technology or blockchains in the UK.
Again, if such restrictions are included in the underlying loan docu- Regulators in the UK in general seek to adopt a technology-neutral
ments, the SPV would be required to obtain the relevant borrower’s stance, regulating the outputs of systems rather than how they operate
consent to such disclosure. In addition, if the borrowers are individ- in the background. For example, the FCA in 2017 undertook a review
uals, the SPV, its agents and the P2P platform would each be required of distributed ledger technology and its use in the financial services
to comply with the statutory data protection requirements under industry and concluded that no technology-specific regulation is
English law. required to govern its use.
However, some rules and regulations applicable in the UK
indirectly have an effect on the deployment of distributed ledger tech-
nologies and blockchains as a result of the nature of the operation
of these types of systems. For example, the GDPR generally requires
personally identifiable information to be capable of erasure once it is
no longer needed, which causes difficulties for those seeking to use
distributed ledger technology to govern the use of that type of data,
258 Fintech 2021

given the technology's generally ‘immutable’ (ie, unchangeable) nature. Therefore, in broad terms, the approach in the UK to the regulation
Another example is the Centralised Securities Depositary Regulation of crypto-assets at present varies.
(an EU-level regulation applicable in the UK), which requires dema- • Unregulated tokens (classic exchange tokens such as bitcoin
terialised securities to be settled through a centralised securities and utility tokens) are unregulated, although to offer services
depositary, which is a hurdle to be overcome for those fintech busi- concerning them, a business may need to be registered
nesses seeking to settle securities via distributed ledger technologies with the FCA.
(security tokens). • E-money tokens (crypto-assets that have the characteristics of
e-money) are regulated as if they were e-money, and businesses
Crypto-assets dealing in them need to be properly authorised by the FCA as
29 Are there rules or regulations governing the use of crypto- appropriate under the Electronic Money Regulations and the
assets, including digital currencies, digital wallets and Payment Services Regulations.
e-money? • Security tokens (crypto-assets that have the characteristics of
regulated financial products) are regulated in the same way as the
In the UK, there are specific rules relating the operation of certain types type of security that the crypto-asset shares characteristics with,
of crypto-businesses in the UK, requiring the following businesses to be and any businesses dealing in them need to be properly authorised
registered with the FCA: by the FCA as appropriate.
• those that provide a facility to enable the exchange of one crypto-
asset for another or the exchange of fiat currency for crypto-assets Crypto-asset regulation in the UK continues to be a developing area.
(or vice versa), or any business that makes arrangements with a There are two outstanding regulatory consultations that have been
view to any such exchange; announced but not yet published – one on extending the FCA’s powers
• those that provide custodial crypto-asset wallet services; in respect of regulation of currently unregulated crypto-assets, and
• any business that issues new crypto-assets (eg, a business another on potentially applying certain rules to the promotion of crypto-
conducting an initial coin offering); and assets, both of which are likely to be relatively transformative if and
• businesses that operate crypto-asset automated teller machines. when they are published.
Prior to operating any such business, the business must first register Digital currency exchanges
with the FCA. The registration process is complex and requires the 30 Are there rules or regulations governing the operation of
submission of a number of different information requirements. Once a digital currency exchanges or brokerages?
complete application has been submitted, the FCA has three months
to consider the application and accept or reject it as it sees fit. At the Any digital currency exchange or brokerage operating in the UK needs
time of writing, there is currently a grace period for registration oper- to be registered with the FCA. The registration process is complex and
ating, whereby any in-scope business that was operating crypto-asset requires the submission of a number of different information require-
services as at 10 January 2020 has until 10 January 2021 to register. For ments. Once a complete application has been submitted, the FCA has
any business launching after 10 January 2020, they must be registered three months to consider the application and accept or reject it as it
with the FCA before they can begin providing crypto-asset services sees fit. At the time of writing, there is currently a grace period for regis-
in the UK. tration operating, whereby any in-scope business that was operating
Other regulatory processes regarding crypto-assets continue in crypto-asset services as at 10 January 2020 has until 10 January 2021
other areas. These follow on from the FCA, Bank of England and HM to register. For any business launching after 10 January 2020, they must
Treasury’s Crypto Assets Task Force report of 2018, which announced be registered with the FCA before they can begin providing crypto-asset
the intention to launch a series of consultations on regulation of the services in the UK.
crypto-assets industry, including on: Beyond the registration requirement noted above, there are no
• the transposition of the Fifth Anti-Money Laundering directive rules or regulations specifically governing the operation of digital
into UK law (which resulted in the registration requirements currency exchanges or brokerages where they deal in spot transac-
noted above); tions of unregulated crypto-assets. If a digital currency exchange or
• guidance around the application of existing financial services regu- brokerage deals in regulated crypto-assets or any other regulated
lation to the crypto assets market (see below); product (even if in tokenised form), FCA regulations will apply around
• the potential extension of the FCA’s regulatory perimeter to authorisation and compliance to the same extent that they would apply
encompass certain assets and activities within the crypto- to a traditional exchange or brokerage.
assets sector (which, as at the date of writing, has not yet been Regulation around crypto-assets in the UK is undergoing some
published); and change at the time of writing.
• a potential ban on the offering of derivative products to retail
customers, where those products reference crypto-assets (which Initial coin offerings
was published in 2019, but the results of which have not been 31 Are there rules or regulations governing initial coin offerings
released at the time of writing). (ICOs) or token generation events?
On the consultation for guidance on crypto-asset regulation, this was Any business intending on carrying out an initial coin offering (ICO) in
launched in January 2019, and finalised guidance was released in July the UK needs to be registered with the FCA. The registration process
2019. The guidance details the FCA’s taxonomy covering ‘exchange is complex and requires the submission of a number of different infor-
tokens’ (decentralised assets such as bitcoin), ‘security tokens’ (block- mation requirements. Once a complete application has been submitted,
chain-traded products that have similar characteristics to traditional the FCA has three months to consider the application and accept or
regulated securities), and ‘utility tokens’ (blockchain-traded products or reject it as it sees fit. At the time of writing, there is currently a grace
other items that do not have similar characteristics to traditional regu- period for registration operating, whereby any in-scope business that
lated securities). had launched its ICO as at 10 January 2020 has until 10 January 2021
to register. For any ICO launching after 10 January 2020, they must be to transfer personal data between the UK and the EU). The oversight of
registered with the FCA before they can begin their ICO in the UK. UK businesses’ compliance with the GDPR and related legislation, and
Beyond the registration requirement noted above, here are no enforcement of them, is carried out by the UK regulator, the Information
rules or regulations specifically governing ICOs, token generating Commissioner’s Office.
events or any other analogous token distribution process, provided that There are no rules or regulations in the UK relating to personal
the tokens being issued as part of the process in question do not have data that are specifically aimed at fintech companies.
the same or similar rights to regulated securities or e-money in the UK.
If the token being issued has the same or similar rights attached to it Cybersecurity
as regulated securities or e-money in the UK, strict FCA regulations will 33 What cybersecurity regulations or standards apply to fintech
apply on issuing, holding, dealing in or otherwise selling those tokens. businesses?
Regulation around crypto-assets in the UK is undergoing some
change at the time of writing. There are no rules or regulations in the UK that provide cybersecu-
rity requirements for fintech businesses specifically. More generally,
DATA PROTECTION AND CYBERSECURITY the GDPR imposes more general requirements on businesses in the
UK to ensure a high standard of security over personal data that they
Data protection process, including the general obligation to have in place reasonable
32 What rules and regulations govern the processing and technical and organisational measures to ensure the security of that
transfer (domestic and cross-border) of data relating to data, compliance with which requires measures relating to cybersecu-
fintech products and services? rity to be put in place.
Further, for FCA-regulated businesses, the Financial Conduct
On 25 May 2018, the EU General Data Regulation (GDPR) came into force Authority (FCA) has significant powers of oversight and enforcement in
with direct effect across the entire EU. The GDPR governs the storage, respect of those businesses’ internal systems and controls relating to
viewing, use of, manipulation and other processing by businesses of protection of confidential client information. The FCA actively manages
data that relates to a living individual. In summary, the GDPR requires and oversees these requirements and, in recent years, has imposed
that businesses may only process personal data where that processing significant fines on entities that have failed to meet these requirements.
is done in a lawful, fair and transparent manner, as further described
in the GDPR. OUTSOURCING AND CLOUD COMPUTING
The GDPR requires that any processing of personal data must
be done pursuant to one of six lawful bases for processing. The most Outsourcing
commonly used lawful basis for processing is to obtain the consent 34 Are there legal requirements or regulatory guidance with
of the data subject to that processing – in relying on this lawful basis, respect to the outsourcing by a financial services company of
the business must ensure that the consent is freely given, specific, a material aspect of its business?
informed and unambiguous, and capable of being withdrawn as easily
as it is given. This places a significant burden on businesses to ensure The position on regulation of outsourcing by financial services compa-
that their customers are fully informed as to what their personal data is nies in the UK is a complex picture, encompassing a number of different
being used for, which is a crucial change to the previous regime under requirements that apply in different ways, depending on the type of
which disclosure did not need to be so transparent. Other lawful bases financial services business in question.
for processing data include where that processing is necessary for the The most important of these requirements is the new European
business to perform a contract it has with the data subject, or where Banking Authority (EBA) guidelines. On 25 February 2019, the EBA
required to comply with an obligation the business has at law (not a published revised (final) guidelines on outsourcing arrangements (the
contractual obligation). Guidelines) for credit institutions and certain investment firms as well
The GDPR further differs from the previous regime in that it places as payment and electronic money institutions. The Guidelines amend
a significantly increased compliance burden on businesses, including for and finalise previously published draft guidelines in light of extensive
example mandatory requirements to notify regulators of data breaches, consultation responses from the industry and industry bodies. Therefore,
obligations to keep detailed records on processing, and requirements the Guidelines are consistent with, and build upon, the previous Senior
for most entities to appoint a data protection officer. Management Arrangements, Systems and Controls Chapter 8 (SYSC 8)
The GDPR does not apply to personal data that has been truly requirements (which now operate mostly as guidance rather than as
anonymised – as anonymised data cannot, by definition, be personal requirements); however, they apply to a broader set of businesses than
data. However, to ensure that GDPR does not apply to a certain data set, SYSC 8 – most noteworthy is the inclusion of payment and electronic
that data set must be truly anonymised. The GDPR itself gives limited money institutions, which are not subject to SYSC 8.
guidance on anonymisation in Recital 26, requiring data controllers to In broad terms, the Guidelines provide more granular detail around
consider a number of factors in deciding if personal data has been truly requirements that relevant businesses must comply with when carrying
anonymised, including the costs and time required to de-anonymise, out outsourcing (including in relation to internal processes and proce-
the technology available at the time to attempt de-anonymisation and dures), compared to the SYSC 8 requirements.
further developments in technology. The Guidelines took effect on 30 September 2019 and have been
Businesses that infringe the GDPR may be subject to administra- adopted in the UK. All new outsourcing contracts entered into after this
tive fines of an amount up to €20 million or 4 per cent of global turnover, date should be compliant with the Guidelines, and relevant institutions
whichever is higher. are expected to review and update any internal processes and proce-
In the UK, the Data Protection Act 2018 came into force at the same dures to meet the Guidelines' requirements. There is also a backstop
time as the GDPR. Among other things, it replaces the Data Protection date for upgrading pre-existing contracts to comply with the Guidelines
Act 1998, fills in gaps in the GDPR and ensures that on leaving the EU, by 31 December 2021. The Guidelines support harmonisation of existing
the UK will have an ‘adequate’ data protection regime compared to that regulation and guidance applicable to different types of financial
of the EU (with the aim of ensuring an unhindered ability for businesses services firms.
260 Fintech 2021

Cloud computing However, copyright and inventions created by contractors or

35 Are there legal requirements or regulatory guidance with consultants in the course of their duties are owned by the contractor
respect to the use of cloud computing in the financial services or consultant unless otherwise agreed in writing. Database rights are
industry? owned by the person who takes the initiative and assumes the risk of
investing in obtaining, verifying and presenting the data in question.
There are no specific legal requirements in the UK regarding the use of Depending on the circumstances, this is likely to be the business that
cloud computing in the financial services industry. However, there does has retained the contractor or consultant.
exist a body of guidance on the subject and a number of legal require-
ments that apply to indirectly regulate the use of cloud computing in Joint ownership
financial services. 38 Are there any restrictions on a joint owner of intellectual
The primary legal requirements relevant to this question relate to property’s right to use, license, charge or assign its right in
the EBA and other outsourcing requirements, which apply to financial intellectual property?
services businesses when outsourcing material functions within their
businesses. In many different contexts, the use of cloud services will Restrictions on a joint owner’s ability to use, license, charge or assign
be of sufficiently significant importance to the business’s operations its right in intellectual property will depend on the intellectual property
to bring this requirement into scope and require the business to meet right in question. For example, the restrictions on a joint owner of a
those outsourcing requirements in undertaking outsourcing. patent are different from those on a joint owner of copyright.
A joint copyright owner cannot copy, license or grant security over
INTELLECTUAL PROPERTY RIGHTS jointly owned copyright without the consent of the other joint owners
(see sections 16(2) and 173(2) of the Copyright, Designs and Patents Act
IP protection for software 1988). Each joint owner may assign their own interest, but consent is
36 Which intellectual property rights are available to protect required for an assignment of the whole right. A joint copyright owner is
software, and how do you obtain those rights? also able to grant security over their interest.
In the case of UK patents and patent applications, a joint owner is
Computer programs (and preparatory design materials for computer entitled to work the invention concerned for his or her own benefit and
programs) are protected by copyright as literary works. Copyright does not need the consent of the other joint owners to do so (section
arises automatically as soon as the computer program is recorded. No 36(2) PA 1977). However, the consent of the other joint owners is
registration is required. required to grant a licence under the patent or patent application and to
Databases underlying software programs may also be protected assign or mortgage a share in the patent or patent application (section
by copyright and, in certain circumstances, by database right. Database 36(3) PA 1977).
right is a standalone right that protects databases that have involved The situation is similar for UK-registered trademarks. Each joint
a substantial investment in obtaining, verifying or presenting their owner is entitled to use the registered trademark for their own benefit
contents (see section 14(1) of the Copyright and Rights in Databases without the consent of the other joint owners (section 23(3) Trade
Regulations 1997). Both database copyright and database rights arise Marks Act 1994 (TMA 1994)), but the consent of the other joint owners is
automatically without any need for registration. required to grant a licence of the trademark and to assign or charge a
If the software code has been kept confidential, it may also be share in the trademark (section 23(4) TMA 1994).
protected as confidential information. No registration is required. Given the variations in the rights and restrictions of joint owners,
Programs for computers, and schemes, rules or methods of doing and given that the rights of joint owners also differ on a country-by-
business ‘as such’, are expressly excluded from patentability under country basis, it is highly advisable in any situation where parties work
the Patents Act 1977 (PA 1977). These exclusions ultimately flow from together on a project to agree at the outset how the results are to be
the European Patent Convention. Notwithstanding these exclusions, owned by the parties and their individual rights to exploit the results.
it is possible to obtain patents for computer programs and business In general, joint ownership of intellectual property should be avoided if
methods if it can be shown that the underlying invention makes a possible because of the complexities described above.
‘technical contribution’ over and above that provided by the program
or business method itself, such as an improvement in the working of Trade secrets
the computer. Accordingly, a well-drafted patent may be able to bring 39 How are trade secrets protected? Are trade secrets kept
a computer-based, software or business method invention within this confidential during court proceedings?
requirement, but this may be difficult to do and will not always be
possible. Registration formalities must be followed to obtain protection. Protection of trade secrets in the UK is regulated by The Trade Secrets
(Enforcement, etc) Regulations 2018 (the Trade Secrets Regulations),
IP developed by employees and contractors which implement the Trade Secrets Directive in the UK and came into
37 Who owns new intellectual property developed by an force on 9 June 2018. Trade secrets are also protected by the law
employee during the course of employment? Do the same on breach of confidence, which provides broadly the same level of
rules apply to new intellectual property developed by protection as is required under the Trade Secrets Directive. The Trade
contractors or consultants? Secrets Regulations define what qualifies as a protectable trade secret,
providing protection for information that:
Copyright and database rights created by an employee in the course • is secret, in the sense that it is not generally known among, or
of their employment are automatically owned by the employer unless readily accessible to, persons within the circles that normally deal
otherwise agreed. Inventions made by an employee in the course of with the kind of information in question;
their normal duties (or, in the case of employees who owe a special • has commercial value because it is secret; and
obligation to further the interests of their employer’s business, in the • has been subject to reasonable steps (under the circumstances) by
course of any duties) are automatically owned by the employer (see the holder of the information to keep it secret.
section 11(2) of the Copyright, Designs and Patents Act 1988).
The Trade Secrets Regulations also implement aspects of the Trade • issues around the anticompetitive use of algorithms and
Secrets Directive that differ from, or add to, the existing law applying machine learning.
to the protection of confidential information. This includes specifying
the limitation period for bringing a trade secrets claim and the rules The Competition and Markets Authority (CMA), Financial Conduct
regarding awarding damages and interim and corrective measures. Authority (FCA) and Payment Systems Regulator (all of which are
Confidential information (which may include non-public information concurrent competition law enforcement authorities in the UK) gener-
that is not captured by the definition of ‘trade secret’) can be protected ally consider fintech to represent a pro-competitive force, leading to
against misuse, provided the information in question has the necessary change in markets and encouraging innovation. For example, the FCA is
quality of confidence and is subject to an express or implied duty of an active participant in the Global Financial Innovation Network.
confidence. In the case of both trade secrets and the confidential infor- The CMA has been undertaking a number of initiatives to formulate
mation, no registration is necessary (or possible). Trade secrets and its approach to the regulation of competition in the UK digital markets,
confidential information can be kept confidential during civil proceed- with a view to focusing on the protection of the consumer. As well as
ings with the permission of the court. undertaking an investigation into the retail banking market, seeking
to implement open banking and improve the quality of information
Branding provided to customers, the CMA has also taken advice from external
40 What intellectual property rights are available to protect experts, advocating a more involved approach to competition regula-
branding and how do you obtain those rights? How can fintech tion. The CMA has been advised to perform more sophisticated analyses
businesses ensure they do not infringe existing brands? of digital mergers, consider the role of big data in creating barriers to
entry, and take account of network affects to create more effective rules
Brands can be protected as registered trademarks either in the UK for large digital platforms (see Furman and Lear reports for further
alone (as a UK trademark) or across the EU (as an EU trademark). A information). As a result, the CMA issued its Digital Markets Strategy in
brand can also be protected under the common law tort of passing-off if July 2019: a vision for how it proposes to protect consumers in complex
it has acquired sufficient goodwill. and rapidly-changing digital markets while continuing to protect inno-
Certain branding, such as logos and stylised marks, can also be vation. One concrete outcome of this has been the creation of a Digital
protected by design rights and may also be protected by copyright as Markets Taskforce, a dedicated unit with the role of monitoring develop-
artistic works. ments in digital markets and advising the Government on how best to
The UK and EU trademark databases can all be searched to iden- approach them.
tify registered or applied for trademark rights with effect in the UK. It is The CMA has also taken an increasingly interventionist stance
highly advisable for fintech businesses to conduct trademark searches in UK merger cases. In part, this is probably as a result of it having
to check whether earlier registrations exist that are identical or similar received more resources in preparation for Brexit; but also because of
to their proposed brand names. It may also be advisable to conduct a growing feeling that it may have been missing transactions that have
searches of the internet for any unregistered trademark rights that may negatively impacted competition. This more interventionist approach
prevent use of the proposed mark. has been present in all sectors to some extent, but it has been particu-
larly noticeable in relation to fintech deals – a number of Phase II
Remedies for infringement of IP (in-depth) investigations have been related to transactions involving
41 What remedies are available to individuals or companies fintech players in the last 12 months.
whose intellectual property rights have been infringed? The future of fintech competition regulation will depend in some
part on the UK’s relationship with the EU post-Brexit. The FCA has as
Remedies include: one of its priorities the development of future bilateral arrangements
• preliminary and final injunctions; with the EU and the rest of the world to promote its expertise in fintech
• damages or an account of profits; regulation.
• delivery up or destruction of infringing products;
• publication orders; and TAX
• costs.
Incentives
COMPETITION 43 Are there any tax incentives available for fintech companies
Sector-specific issues fintech sector in your jurisdiction?
respect to fintech companies in your jurisdiction? The UK has introduced a wide range of tax incentives that are available
to fintech companies and investors in such companies. The key incen-
Competition authorities in the UK (and elsewhere) face a range of poten- tives are set out below, although there are a number of conditions to be
tially complex competition law issues in relation to fintech offerings. met to qualify for each scheme:
These include: • seed enterprise investment scheme (SEIS): 50 per cent income tax
• the risks around the exchange of competitively sensitive relief and exemption from capital gains tax for investors in high-
information; risk start-up trading companies;
• the risks of a fintech firm or platform obtaining a dominant posi- • enterprise investment scheme (EIS): 30 per cent income tax relief
tion in the market and any behaviour that could potentially exclude and exemption from capital gains tax for investors in small high-
other market players; risk trading companies;
• the development and participation in technical standards; • venture capital trust (VCT) scheme: 30 per cent income tax relief
• exclusivity arrangements between parties to a fintech offering; and exemption from capital gains tax for investors in venture
• the limits of any specified tying or bundling of products or services capital trusts, which subscribe for equity in, or lend money to, small
to the fintech solution; and unquoted companies;
262 Fintech 2021

• business asset disposal relief (formerly entrepreneurs’ relief): a From April 2021, large businesses will be required to notify HMRC
reduced 10 per cent capital gains tax rate for entrepreneurs selling when they take a tax filing position HMRC is likely to challenge. The
business assets (only available to directors and employees of government is consulting on how this will operate and there are still
businesses); many details to be ironed out. However, the rules are expected to apply
• investors’ relief: an additional reduced 10 per cent capital gains to businesses with a turnover above £200 million or a balance sheet
tax rate that allows other types of shareholders to benefit from total over £2 billion. Large fintech businesses are advised to watch out
the same relief as is provided under business asset disposal for developments in this area.
relief when they sell their shares. Unlike business asset disposal
relief, this reduced rate is only available to investors who have IMMIGRATION
not been officers or employees in the company whose shares are
being sold; Sector-specific schemes
• research and development tax credits: tax relief for expenditure on 45 What immigration schemes are available for fintech
research and development; businesses to recruit skilled staff from abroad? Are there
• patent box regime: a reduced 10 per cent corporation tax rate any special regimes specific to the technology or financial
for profits from the development and exploitation of patents and sectors?
certain other intellectual property rights;
• innovative finance ISA eligibility: peer-to-peer (P2P) loans are Nationals from EU countries, Iceland, Liechtenstein, Norway and
eligible for inclusion in tax-free ISAs; Switzerland
• tax relief for P2P bad debt: an income tax relief for irrecoverable Despite the UK’s departure from the EU, Fintech businesses are
P2P loans, or P2P bad debt; and currently still able to recruit workers from EU countries, Iceland,
• P2P interest withholding tax exemption: P2P loan interest payments Liechtenstein, Norway and Switzerland in the same way and on the
are exempt from UK withholding tax. same basis as they recruit British nationals.
However, this is set to change with nationals from EU countries,
Subject to applicable lifetime limits, a company may raise up to £150,000 Iceland, Liechtenstein, Norway and Switzerland who enter the UK after
under the SEIS over a three-year investment period and up to a total 31 December 2020 becoming subject to the same working visa require-
of £5 million (£10 million for knowledge-intensive companies) over 12 ments as nationals from other countries.
months from ‘relevant investments’, which includes investments under
the SEIS and EIS and investments by VCTs. While financial activities Nationals from other countries
are an excluded activity for the SEIS, EIS and VCT scheme, as long as Workers from other countries may only be recruited by UK fintech busi-
a fintech company is only providing a platform through which financial nesses if they meet the relevant eligibility criteria and are awarded
activities are carried out, such a fintech company should still qualify for sufficient points under a tiered points-based system. The relevant tiers
those schemes assuming it meets the other conditions. for fintech businesses are likely to be tier 1 and tier 2.
Tier 1 is open to investors and, until recently, included the
Increased tax burden Exceptional Talent visa. This is now closed to new applicants and has
44 Are there any new or proposed tax laws or guidance that been replaced by a Global Talent visa, which is available to highly expe-
could significantly increase tax or administrative costs for rienced and internationally recognised professionals in a wide range of
fintech companies in your jurisdiction? disciplines, including digital technology. The application depends on an
endorsement by an approved body that, in the case of digital technology
In the Budget 2020, the lifetime limit for business asset disposal relief applicants, is Tech Nation.
(formerly entrepreneurs’ relief) was reduced from £10 million to £1 Tier 1 also includes options for entrepreneurs who may apply for
million for any qualifying disposals made on or after 11 March 2020. either a ‘start-up visa’ or an ‘innovator visa’, depending on their level
This significantly decreases the relief available from capital gains tax for of experience. In many cases, entrepreneurs and other workers will
investors disposing of businesses where the investor meets the quali- require an assessment or endorsement by a relevant UK body, which
fying conditions. for fintech related roles is likely to be Tech Nation
The Budget 2020 announced a review of VAT on fund management Tier 2 is open to skilled workers who are sponsored by a licensed
fees alongside the establishment of an industry working group to review organisation where the role is being transferred to the UK from over-
how financial services are treated for VAT purposes. Fintech companies seas or cannot be filled by someone living in the UK. A worker with skills
are advised to keep an eye on what emerges from the working group, deemed to be in short supply receives a number of advantages under
given the potential impact on their tax position. the tiered points-based system. Roles currently deemed to be in short
The digital services tax (DST) was introduced from 1 April 2020 supply include IT business analysts, architects and system designers,
following a government consultation. This 2 per cent tax applies to the programmers and software development professionals, and other infor-
revenues of search engines, social media services and online market mation technology and communications professionals. Finance roles
places, which derive value from UK users. The DST applies where a are not currently considered to be in short supply.
group’s worldwide revenue from digital activities is more than £500
million and more than £25 million of the revenue is derived from the UPDATE AND TRENDS
UK. As such, the tax is expected to impact a small number of large
multinationals. Financial services providers are excluded from the Current developments
online market places definition, meaning fintech companies should 46 Are there any other current developments or emerging
generally fall out of the scope of this tax. However, where there are trends to note?
unified platforms with social media, marketplace and search engine
elements and the threshold conditions are met, then fintech companies The authorities in the UK continue to develop their approach to the
could fall in scope for revenue from the social media and search engine regulation of fintech businesses. While we expect the next six months
income streams. of regulatory and policy activity to focus on supporting all aspects of
the financial services sector (including the fintech sector) through the
impact of the coronavirus pandemic and Brexit uncertainty, there is still
a large amount of fintech-specific regulator activity on the horizon.
In May 2020, The Financial Conduct Authority (FCA) launched a
regulatory grid to help financial firms prepare for upcoming regulatory
work. Upcoming regulatory work relevant to the fintech sector includes:
• a review of the UK fintech sector to identify measures to maintain
growth and competitiveness;
• a consultation on a measure to bring certain crypto-assets into the Angus McLean
angus.mclean@simmons-simmons.com
scope of financial promotions regulation;
• the Cryptoasset Task Force consultation on the broader regula- George Morris
tory approach to crypto-assets, including new challenges from george.morris@simmons-simmons.com
stablecoins; Jo Crookshank
• changes to the regulatory regime to prohibit investment products jo.crookshank@simmons-simmons.com
referencing certain crypto-assets;
Kate Cofman-Nicoresti
• a project involving the Bank of England (BOE) and seven firms to
kate.cofman-nicoresti@simmons-simmons.com
explore the viability of testing machine-readable and -executable
regulatory reporting; Olly Jones
• the establishment of a joint FCA and BOE forum with industry to olly.jones@simmons-simmons.com
look at the impact of AI on financial services; Penny Miller
• the implementation of new rules to enhance the security of penny.miller@simmons-simmons.com
payments and limit fraud during the authentication process; and
Peter Broadhurst
• an assessment of the opportunities and risks arising from open
peter.broadhurst@simmons-simmons.com
finance and the FCA’s role in ensuring that it develops in the best
interests of consumers.
CityPoint
In its 2020/2021 business plan, the Prudential Regulation Authority One Ropemaker Street
has outlined its intention to focus on digital currencies and RegTech. London EC2Y 9SS
United Kingdom
It also intends to examine its regulatory framework to identify any
Tel: +44 20 7628 2020
changes required.
Fax: +44 20 7628 2070
The BOE has launched a review in discussion with banks, insurers www.simmons-simmons.com
and financial market infrastructures to reform regulatory data over
the next decade. The review will seek ways to decrease the burden
on industry and to increase the timeliness and effectiveness of data in
supporting supervisory judgements, with the outputs helping inform up to £2,500. The scheme will run until October 2020, but the level
appropriate next steps. of government funding will taper from August 2020, with employers
The Payment Systems Regulator’s key projects for the coming year being expected to contribute the balance of the payments;
include a commitment to supporting Pay.UK’s development of the New • a £500 million Future Fund for Innovative UK-based companies,
Payments Architecture and ensuring that it delivers a resilient medium which allows them to apply for a convertible loan of between
for making digital payments. It has also strengthened its commitment £125,000 and £5 million from the UK government. The government
to ensuring that the market for card-acquiring services work well; high- loans need to be matched by private investors; and
lighted the need for greater efforts to tackle authorised push payment • £750 million grant and loan funding to be provided to small and
scams; and committed to ensuring that payment systems and markets medium-sized enterprises focusing on research and development.
are more competitive. The funding will be administered by Innovate UK.
Coronavirus Fintech businesses should carefully consider the appropriateness of

47 What emergency legislation, relief programmes and other these schemes to determine whether any of them are suitable for their
initiatives specific to your practice area has your state business needs. Further information about the various schemes can be
implemented to address the pandemic? Have any existing found on the business support pages of the government coronavirus
government programmes, laws or regulations been amended website at www.gov.uk/coronavirus/business-support.
to address these concerns? What best practices are advisable The government also introduced changes to insolvency law for
for clients? businesses that get into significant financial difficulty. These are likely
to include temporary measures intended to deal with specific issues
The UK government has launched a number of schemes to support arising from the covid-19 pandemic and permanent changes that
businesses with the impact of the covid-19 pandemic. To date, there were trailed during consultations carried out in 2016 and 2018 but
are no government measures specifically focused on the fintech sector. never implemented. The draft legislation is currently being consid-
However, several of the general support measures may be relevant to ered by the UK Parliament in the form of the Corporate Insolvency and
fintech firms. These include: Governance Bill.
• the Bounce Back Loan Scheme, which provides small businesses
with a quick and easy option to apply for an 100 per cent govern-
ment-backed loan of up to £50,000;
• the Coronavirus Job Retention Scheme under which the govern-
ment pays up to 80 per cent of the salaries of furloughed workers
264 Fintech 2021

Other titles available in this series
Acquisition Finance Distribution & Agency Investment Treaty Arbitration Public M&A
Advertising & Marketing Domains & Domain Names Islamic Finance & Markets Public Procurement
Agribusiness Dominance Joint Ventures Public-Private Partnerships
Air Transport Drone Regulation Labour & Employment Rail Transport
Anti-Corruption Regulation e-Commerce Legal Privilege & Professional Real Estate
Anti-Money Laundering Electricity Regulation Secrecy Real Estate M&A
Appeals Energy Disputes Licensing Renewable Energy
Arbitration Enforcement of Foreign Life Sciences Restructuring & Insolvency
Art Law Judgments Litigation Funding Right of Publicity
Asset Recovery Environment & Climate Loans & Secured Financing Risk & Compliance Management
Automotive Regulation Luxury & Fashion Securities Finance
Aviation Finance & Leasing Equity Derivatives M&A Litigation Securities Litigation
Aviation Liability Executive Compensation & Mediation Shareholder Activism &
Banking Regulation Employee Benefits Merger Control Engagement
Business & Human Rights Financial Services Compliance Mining Ship Finance
Cartel Regulation Financial Services Litigation Oil Regulation Shipbuilding
Class Actions Fintech Partnerships Shipping
Cloud Computing Foreign Investment Review Patents Sovereign Immunity
Commercial Contracts Franchise Pensions & Retirement Plans Sports Law
Competition Compliance Fund Management Pharma & Medical Device State Aid
Complex Commercial Litigation Gaming Regulation Structured Finance &
Construction Gas Regulation Pharmaceutical Antitrust Securitisation
Copyright Government Investigations Ports & Terminals Tax Controversy
Corporate Governance Government Relations Private Antitrust Litigation Tax on Inbound Investment
Corporate Immigration Healthcare Enforcement & Private Banking & Wealth Technology M&A
Corporate Reorganisations Litigation Management Telecoms & Media
Cybersecurity Healthcare M&A Private Client Trade & Customs
Data Protection & Privacy High-Yield Debt Private Equity Trademarks
Debt Capital Markets Initial Public Offerings Private M&A Transfer Pricing
Defence & Security Insurance & Reinsurance Product Liability Vertical Agreements
Procurement Insurance Litigation Product Recall
Dispute Resolution Intellectual Property & Antitrust Project Finance
Also available digitally
lexology.com/gtdt
ISBN 978-1-83862-339-5

2021 Fintech Book

Uploaded by

Copyright:

Available Formats

You might also like

2021 Fintech Book

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2021 Fintech Book

Uploaded by

Copyright:

Available Formats

Fintech

© Law Business Research 2020

Senior business development manager

Reproduced with permission from Law Business Research Ltd

Gibraltar77 South Africa 181

United Arab Emirates 238

United Kingdom 250

While various regulators and government departments offer fintech- ASIC

RBA Consumer lending

CROSS-BORDER REGULATION Notification and consent

FINANCIAL CRIME Assignment of loans

Securitisation confidentiality and data protection requirements Crypto-assets

CPS 231 concerns outsourcing arrangements generally and Confidentiality

Trade secrets Remedies for infringement of IP

Hardship Sarah Johnson

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies

Consumer lending Peer-to-peer and marketplace lending

Crowdfunding Payment services

Securitisation confidentiality and data protection requirements Crypto-assets

If a competitor legally obtains the trade secrets or confidential infor-

COMPETITION start-up is a micro-enterprise). The investment (shares) must be

Incentives Sector-specific schemes

UPDATE AND TRENDS

Not to our knowledge.

Coronavirus Vincent Verkooijen

Credit references Any transaction resulting in a change of control (direct or indirect)

CROSS-BORDER REGULATION FINANCIAL CRIME

Passporting Anti-bribery and anti-money laundering procedures

PEER-TO-PEER AND MARKETPLACE LENDING Securitisation risk retention requirements

Currently, no. As a general rule, digital currencies are considered as

Fintech companies licensed by the BCB (ie, payment institutions, direct

Increased tax burden

Av. Brigadeiro Faria Lima

to the lending market. Thus, to provide temporary regulatory relief, the

In addition, specifically regarding the fintech sector, to facilitate access

Secondary market loan trading Peer-to-peer and marketplace lending

Invoice trading Robo-advice

Regulated activities cannot be passported into China.

Requirement for a local presence FINANCIAL CRIME

In general, if a regulated business changes control it must make a

PEER-TO-PEER AND MARKETPLACE LENDING Securitisation risk retention requirements

Assignment of loans Artificial intelligence

There are no tax incentives specifically applicable to fintech companies.

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies

Foreign exchange Residential credit intermediation

• financial leasing; constitutes equity crowdfunding, thereby subjecting the fintech

Invoice trading CROSS-BORDER REGULATION

Guidance Securitisation confidentiality and data protection requirements

There are no specific requirements for executing loan agreements or

Additional immigration schemes are available that may be relevant (eg,

UPDATE AND TRENDS

No updates at this time.

Consumer lending Alternative investment funds

In practice, a number of donor-advised funds have been estab- Robo-advice

FINANCIAL CRIME In general, the originator of a securitisation portfolio must guarantee

Digital currency exchanges OUTSOURCING AND CLOUD COMPUTING

Gibraltar77 South Africa 181

United Arab Emirates 238

United Kingdom 250