Fintech 2021 Fintech 2021

Contributing editors Angus McLean and Penny Miller

Subscriptions Claire Bagnall Fintech [email protected]

Senior business development manager Adam Sargent 2021 [email protected]

Published by Law Business Research Ltd Contributing editors Meridian House, 34-35 Farringdon Street London, EC4A 4HL, UK Angus McLean and Penny Miller

The information provided in this publication Simmons & Simmons LLP is general and may not apply in a specific situation. Legal advice should always be sought before taking any legal action based on the information provided. This information is not intended to create, nor does receipt of it constitute, a lawyer– Lexology Getting The Deal Through is delighted to publish the fifth edition of Fintech, which is client relationship. The publishers and available in print and online at www.lexology.com/gtdt. authors accept no responsibility for any Lexology Getting The Deal Through provides international expert analysis in key areas of acts or omissions contained herein. The law, practice and regulation for corporate counsel, cross-border legal practitioners, and company information provided was verified between directors and officers. June and August 2020. Be advised that this Throughout this edition, and following the unique Lexology Getting The Deal Through format, is a developing area. the same key questions are answered by leading practitioners in each of the jurisdictions featured. Our coverage this year includes new chapters on Australia, Brazil, Denmark, Egypt, Liechtenstein, © Law Business Research Ltd 2020 Malta, New Zealand and Turkey. No photocopying without a CLA licence. Lexology Getting The Deal Through titles are published annually in print. Please ensure you First published 2016 are referring to the latest edition or to the online version at www.lexology.com/gtdt. Fifth edition Every effort has been made to cover all matters of concern to readers. However, specific ISBN 978-1-83862-339-5 legal advice should always be sought from experienced local advisers. Lexology Getting The Deal Through gratefully acknowledges the efforts of all the contribu- Printed and distributed by tors to this volume, who were chosen for their recognised expertise. We also extend special Encompass Print Solutions thanks to the contributing editors, Angus McLean and Penny Miller of Simmons & Simmons LLP, Tel: 0844 2480 112 for their continued assistance with this volume.

London August 2020

Reproduced with permission from Law Business Research Ltd This article was first published in September 2020 For further information please contact [email protected] www.lexology.com/gtdt 1 © Law Business Research 2020 Contents

Introduction 5 Indonesia 102 Angus McLean and Penny Miller Winnie Rolindrawan and Harry Kuswara Simmons & Simmons LLP SSEK Legal Consultants

Australia 6 Ireland 109 Michael Bacina, Andrea Beatty, Tim Clark, Will Fennell, Sarah Johnson, Liam Flynn and Lorna Smith Tim O’Callaghan and Andrew Rankin Matheson Piper Alderman Japan 117 Belgium 17 Akihito Miyake, Ken Kawai, Tomoyuki Tanaka and Asako Matsuo Vincent Verkooijen, Jérémie Doornaert, Martin Carlier, Anderson Mori & Tomotsune Dimitri Van Uytvanck and Marc de Munter Simmons & Simmons LLP Kenya 125 John Syekei, Dominic Indokhomi, Irene Muthoni and Mercy Mwaniki Brazil 28 Coulson Harney Advocates Nei Zelmanovits, Thais De Gobbi, Pedro Nasi, Vicente Braga, Érica Yamashita, Diego Gualda, Vinicius Costa and Alina Miyake Liechtenstein 134 Machado Meyer Advogados Thomas Nägele and Thomas Feldkircher NÄGELE Attorneys at Law China 39 Jingyuan Shi Malta 142 Simmons & Simmons LLP Leonard Bonello and James Debono Ganado Advocates Denmark 48 Rasmus Mandøe Jensen and Christian Scott Uhlig Netherlands 150 Plesner Advokatpartnerselskab Aron Berket, Jeroen Bos and Marline Hillen Simmons & Simmons LLP Egypt 57 Mohamed Hashish New Zealand 161 Soliman, Hashish & Partners Derek Roth-Biester and Megan Pearce Anderson Lloyd Lawyers Germany 64 Christopher Götz, Dang Ngo, Elmar Weinand, Eva Heinrichs, Singapore 170 Felix Biedermann, Janine Marinello, Jochen Kindermann, Grace Chong, Jason Valoti, Calvin Tan, Benedict Tan, Marcus Teo, Martin Gramsch and Sascha Kuhn Ng Aik Kai, Sun Zixiang, Low Si Rong and Seah Ern Xu Simmons & Simmons LLP Simmons & Simmons JWS

Gibraltar 77 South Africa 181 David Borge, Kunal Budhrani and Peter Howitt David Geral, Kirsten Kern, Livia Dyer, Claire Franklyn, Xolani Nyali Ince and Bright Tibane Bowmans Hong Kong 84 Ian Wood Spain 194 Simmons & Simmons LLP Alfredo De Lorenzo, Álvaro Muñoz, Carlos Jiménez de Laiglesia, Ignacio González, Juan Sosa and María Tomillo India 93 Simmons & Simmons LLP Anuj Kaila and Stephen Mathias Kochhar & Co

2 Fintech 2021 © Law Business Research 2020 Contents

Sweden 203 Emma Stuart-Beck, Caroline Krassén, Anton Sjökvist, Mikaela Lang, Henrik Schön, Trine Osen Bergqvist, Nicklas Thorgerzon, Karl-Hugo Engdahl, Maria Schultzberg, Viveka Classon and Malin Malm Waerme Vinge

Switzerland 212 Clara-Ann Gordon and Thomas A Frick Niederer Kraft Frey

Taiwan 220 Abe T S Sung and Eddie Hsiung Lee and Li Attorneys at Law

Turkey 230 Cigdem Ayozger Ongun and Begum Erturk SRP-Legal Law Firm

United Arab Emirates 238 Muneer Khan, Jack Rossiter and Raza Rizvi Simmons & Simmons LLP

United Kingdom 250 Angus McLean, George Morris, Jo Crookshank, Kate Cofman-Nicoresti, Olly Jones, Penny Miller and Peter Broadhurst Simmons & Simmons LLP

www.lexology.com/gtdt 3 © Law Business Research 2020 Introduction

Angus McLean and Penny Miller Simmons & Simmons LLP

What’s old is new dealing with young fintech firms in the future, not to mention inves- With the excitement surrounding the potential for financial technology tors. The next few years will present the ultimate test for the energy, to change the world and transform lives over the past few years, it resourcefulness and adaptability of the entrepreneurs who will have is worth remembering that financial innovation has been with us for to navigate their businesses through these unprecedented headwinds. some time. From the invention of money before the beginning of written history to the advent of the double-entry accounting method in Korea A broad church during the Goryeo dynasty and its adoption by the Medici family in the You know that fintech has penetrated the public consciousness when the 14th century, fintech has come a long way. portmanteau enters the dictionary for the first time. Last year, Merriam However, in recent years it has it has been difficult to open a news- Webster defined fintech as ‘products and companies that employ newly paper (or a news aggregator) without reading about the promise of developed digital and online technologies in the banking and financial artificial intelligence, distributed ledger technology, cloud computing services industries’. It should be clear from this definition that fintech and ever-cheaper computer power. is a broad church. It encompasses businesses of all sizes, from the Combined with the creation of new business models, the increasing founder writing the first lines of code to some of the largest companies democratisation of technical education, significant investment and in the world. It also encompasses a wide variety of technologies and public policy and regulatory support, the fintech sector has experienced business models. Fintech products and services now exist across the remarkable growth. There can never have been a better time to be a entire financial services sector, including: fintech-focused entrepreneur, financier, investor, policy maker, tech- • payments processing and networks; nologist or (whisper it quietly) lawyer. • crypto-assets; • mobile wallets and remittances; Challenging times • retail investing and secondary markets; Is all that about to change though? Like every industry, the fintech • capital markets and institutional trading; sector has been heavily affected by the covid-19 pandemic. Some sub- • core banking and infrastructure; sectors within the industry, such as digital asset and payments firms, • wealth management; have benefited from increased volumes of business. However, many • personal finance and saving; have struggled both from a business perspective and from the wider • digital banking; effect the pandemic has had on the global economy. In particular, the • real estate lending and investing; economic uncertainty created by the pandemic has had a big impact on • financial regulation and compliance; the ability of fintech firms to raise new investment at the same levels • insurance; (and valuations) as previously possible. Despite numerous support • payroll and benefits; packages launched by governments around the globe, this trend looks • credit scores and analytics; and likely to continue in the short term at least. • personal and business lending. When taken together with the impact of the accounting scandal that has embroiled the German payments firm Wirecard, the fintech While there are significant differences between the legal issues affecting sector looks to be in the eye of a perfect storm of challenges. For a businesses operating across this diverse universe of sub-sectors, this young industry that has only every enjoyed the tailwinds of a largely publication seeks to address the most pressing issues that we see in supportive regulatory and policy environment and enthusiastic inves- our day-to-day practice, advising firms in all of these areas. tors, the double shock of these two very significant events could well reshape the sector. The public failure and alleged mismanagement of Fintech 2021 one of the biggest names in sector looks likely to be the fintech indus- This publication is intended to provide a user-friendly resource to help try’s ‘ENRON moment’. fintech entrepreneurs and their advisers and investors around the How the various stakeholders respond will be key to the longer- world navigate the often complex key legal and regulatory issues on term prospects for the sector. There is no doubt that events at Wirecard which we are most often asked to advise. have already had an impact on the level of regulatory scrutiny that is Now, more than ever, understanding the legal and regulatory being imposed on fintech firms. That trend is only likely to continue landscape on which you operate is paramount to success. We hope this as regulators and policymakers begin to look at the sector with a new edition serves as a valuable reference point wherever you are on your perspective. It will also inevitably affect the approach of counterparties fintech journey.

www.lexology.com/gtdt 5 © Law Business Research 2020 Australia

Michael Bacina, Andrea Beatty, Tim Clark, Will Fennell, Sarah Johnson, Tim O’Callaghan and Andrew Rankin Piper Alderman

FINTECH LANDSCAPE AND INITIATIVES be made available from 1 July 2020, with consumer data relating to mortgages and personal loans to be made available from 1 November General innovation climate 2020. However, the Australian Competition and Consumer Commission 1 What is the general state of fintech innovation in your (ACCC) has given non-major banks and credit unions temporary exemp- jurisdiction? tion to begin sharing product reference data from those dates on the basis that covid-19 has caused widespread delays and resource real- The Australian fintech sector continues to rapidly evolve, as entities locations at banks. work together to transform the industry and reshape the provision On 7 February 2020, the Hon Karen Andrews announced the of financial services in the wake of covid-19. Recognising the size Department of Industry, Innovation and Science’s National Blockchain and scope of the opportunity for Australian consumers and business Roadmap, which identifies opportunities for Australia to capitalise on arising from fintech, the federal government established a Senate economic opportunities presented by blockchain technologies. The Select Committee on Financial Technology and Regulatory Technology Department of the Treasury is due to publish its report on initial coin in late 2019, to which there have been over 160 public submis- offerings, arising from a consultation held in early 2019. sions to date. FINANCIAL REGULATION Government and regulatory support 2 Do government bodies or regulators provide any support Regulatory bodies specific to financial innovation? If so, what are the key 3 Which bodies regulate the provision of fintech products and benefits of such support? services?

While various regulators and government departments offer fintech- ASIC specific services or benefits, there is no overarching fintech strategy The Australian Securities and Investment Commission (ASIC) is yet implemented by the government. However, the Senate Select the primary regulator of credit and financial products in Australia. It Committee on Financial Technology and Regulatory Technology is due regulates the conduct of providers of credit and financial products to present its final report on 16 April 2021. and services. The Australian Securities and Investments Commission’s (ASIC) ASIC is responsible for granting and regulating Australian credit innovation hub encourages eligible businesses to apply for informal licences (ACLs) in accordance with the National Consumer Credit assistance and guidance on Australia’s financial services laws. Protection Act 2009 (Cth) (the NCCP Act) and the National Consumer Unfortunately, the hub does not offer businesses any legally binding Credit Protection Regulations 2010 (Cth) (the NCCP Regulations). guidance or specific confirmation as to whether exemptions to certain ASIC is also responsible for granting and regulating Australian regulatory requirements will apply. The hub does provide a designated financial services licences (AFSL) which are governed under a licensing contact for applicants and 12 months of informal guidance. regime contained in Chapter 7 of the Corporations Act 2001 (Cth). ASIC also operates a fintech regulatory sandbox, allowing eligible fintech entities to test certain products or services for up to 12 months APRA without an Australian financial services licence. The sandbox is The Australian Prudential Regulation Authority (APRA) is responsible currently limited to services offering advice or dealing in certain deposit for prudential supervision and regulation of banks, neobanks, insurers or payment products (up to A$10,000 if issued by an authorised deposit- and superannuation funds (other than self-managed superannuation taking institution), general insurance (up to A$50,000 insured), liquid funds). It is responsible for authorising entities to carry on banking or securities (up to A$10,000) and limited consumer credit contracts (with insurance business in Australia or to be the trustee of a superannuation certain features and between A$2,001 and A$25,000). Legislation has fund. APRA’s main concern is financial system stability. been passed to enable the expansion of the parameters of the sandbox by later regulation. AUSTRAC The government has emphasised its commitment to implementing Most financial services are considered designated services under the the consumer data right regime, which seeks to ensure that information Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth) is accessed and transferred to accredited data recipients in a safe and (the AML/CTF Act) and are regulated by the Australian Transaction efficient manner. After an initial delay, consumer data relating to credit Reports and Analysis Centre (AUSTRAC). and debit cards, deposit accounts and transaction accounts is due to

6 Fintech 2021 © Law Business Research 2020 Piper Alderman Australia

RBA Consumer lending The Reserve Bank of Australia (RBA) is Australia’s central bank. In addi- 5 Is consumer lending regulated in your jurisdiction? tion to its traditional central bank functions, the RBA is responsible for regulating payment systems (ie, systems that facilitate the circulation Consumer lending in Australia is regulated by the NCCP Act, which of money). Under the Payment Systems (Regulation) Act 1998 (Cth), includes the National Credit Code (NCC), and the NCCP Regulations. the RBA has the power to designate a payment system where it is in Under the NCCP Act, any persons that engage in a credit activity the public interest to do so and, thereafter, impose access regimes and must hold an ACL. There are several exemptions from the requirements standards on participants in that payment system as well as arrange for to hold an ACL including the making of business-to-business loans. the arbitration of disputes between participants. Responsible lending ACCC Chapter 3 of the NCCP Act details the responsible lending obligations The Australian Competition and Consumer Commission (ACCC) is for credit licensees, which vary between different types of credit activity. responsible for protecting consumer, business and communal inter- Key obligations include giving a credit guide (when applicable) to ests by promoting competition and fair trade in the market. The ACCC collect and verify financial information about a prospective debtor and ensures that all individuals and businesses comply with the Competition assessing the unsuitability of a credit contract for a particular consumer. and Consumer Act 2010 (Cth), including the Australian Consumer Law, ASIC’s guidance regarding responsible lending is set out in which contains prohibitions on misleading and deceptive conduct and ‘Regulatory Guide 209: Credit licensing: Responsible lending conduct’, unconscionable conduct. which ASIC released in December 2019 to provide more specific guidance about responsible lending obligations. Regulated activities 4 Which activities trigger a licensing requirement in your External dispute resolution jurisdiction? All ACL holders must be a member of the Australian Financial Complaints Authority scheme, which is the mandatory external dispute The following activities constitute ‘carrying on a financial services busi- resolution scheme for financial services providers. ness’ in Australia and require an AFSL: • providing financial product advice; Secondary market loan trading • dealing in a financial product; 6 Are there restrictions on trading loans in the secondary • making a market for a financial product; market in your jurisdiction? • providing a custodial or depository service; • operating a registered managed investment scheme; At present, there are no legislative restrictions on trading loans in the • providing a crowdfunding service; secondary market in Australia. However, trading is limited by a fairly • providing traditional trustee company services; and illiquid market, as most lenders prefer to take a ‘buy and hold’ approach. • claims handling is currently expected to be licensed from 30 Further, for consumer debts regulated by the NCCP Act, assignees of June 2021. the legal title must also hold an ACL.

In general, these activities include any product or service with a predom- Collective investment schemes inant investment character and any dealing in that product or service. In 7 Describe the regulatory regime for collective investment addition, the federal government announced in May 2020 that litigation schemes and whether fintech companies providing alternative funders would be required to hold an AFSL. finance products or services would fall within its scope. Activities relating to the following credit products constitute carrying on a credit activity and require an ACL: Collective investment arrangements usually fall within the scope of the • credit contracts; Corporations Act definition of a ‘managed investment scheme’ (MIS). • credit services (ie, credit assistance and acting as an intermediary); An arrangement or scheme will be an MIS if: • consumer leases; • people contribute money or money’s worth as consideration to • mortgages; and acquire interests to benefits produced by the scheme (whether the • guarantees, both as the credit provider or as a person that performs rights are actual, prospective or contingent, and whether they are the obligations, or exercises the rights, of a credit provider. enforceable); • any of the contributions are pooled or used in a common enter- Lending is regulated only if it is to an individual or strata corporation prise to produce financial benefits or benefits consisting of rights predominantly: or interests in property for the members who hold interests in the • for personal, domestic or household purposes; scheme; and • to purchase, renovate or improve residential property for invest- • members of the scheme do not have day-to-day control of the ment purposes; or operation of the scheme (regardless of whether they have voting • to refinance credit that has been provided wholly or predominantly or other similar rights). to purchase, renovate or improve residential property for investment purposes. The definition of an MIS is deliberately broad and can include arrange- However, some exceptions apply. ments that would not traditionally be considered an investment. Examples include class action litigation, collective buying schemes, Taking money on deposit (other than as a part payment for goods or digital token offerings meeting the above definition, lottery syndicates services) and making advances of money amounts to banking business and time share schemes. and will require an authorised deposit-taking institution (ADI) licence. After being announced in the 2016–17 Federal Budget, the regulatory framework for a new corporate collective investment vehicle (CCIV) structure is yet to be settled but is expected to include: www.lexology.com/gtdt 7 © Law Business Research 2020 Australia Piper Alderman

• that a CCIV must be a public company, structured as an umbrella • have their financial reports audited once they raise A$3 million fund with sub-funds, each of which may hold different assets and or more from CSF offers; and have different investment strategies; • comply with the related party transaction rules that apply to • that a CCIV must be operated by a corporate director that is an public companies. Australian public company and holds an AFSL with CCIV authorisation; and Other obligations applicable to CSF offers include: • that a retail CCIV must separate out investor funds using a licensed • an investor cap of A$10,000 per year per company for retail depositary with authorisation to provide deposit services to CCIVs, investors; and this depository will hold the assets of the CCIV on trust and • a CSF offer document containing minimum information; and provide oversight of the operations of the CCIV. • a five-day cooling-off period for investors.

The CCIV is designed to encourage the entry of new and alternative In addition, CSF offers must be made by the holder of an AFSL or on a service providers into the Australian market by providing an interna- platform operated by a CSF intermediary holding an AFSL. tionally recognisable investment structure and making compliance processes simpler for Australian fund managers seeking to offer prod- Invoice trading ucts overseas. 11 Describe any specific regulation of invoice trading in your At present, given the broad definition of an MIS, fintech entities jurisdiction. making an offering that are at risk of being considered an MIS must obtain an AFSL and meet disclosure requirements to offer their product. In general, credit facilities (including any kind of financial accommodation provided by one person to another) are not financial products, so Alternative investment funds trading in debts is not subject to the AFSL regime. As far as the struc- 8 Are managers of alternative investment funds regulated? ture of a factoring arrangement may cause it to be an over-the-counter ‘derivative’ as defined in the Corporations Act (which ordinarily requires Collective investment undertakings that do not provide investors with an AFSL to deal in), specific licensing relief is available under the ASIC day-to-day control over the operation of the investment will generally Corporations (Factoring Arrangements) Instrument (2017/794) in some be considered an MIS and as a result the provider will need to hold circumstances. an AFSL. Funds offering specific asset classes, such as hedge fund or property products, may be subject to additional licensing and disclosure Payment services obligations. 12 Are payment services regulated in your jurisdiction?

Peer-to-peer and marketplace lending The provision of a purchased payment facility (PPF) or being the holder 9 Describe any specific regulation of peer-to-peer or of stored value for a PPF is deemed to be carrying on banking business. marketplace lending in your jurisdiction. Consequently, providers of PPFs (eg, digital wallet services) must obtain an ADI authorisation from APRA. However, the authorisation granted Australia has no specific legislation dealing with peer-to-peer lending. is typically subject to a condition limiting them to providing PPFs and However, the investment aspect of these marketplaces will often be preventing them from lending money (other than incidental advances to structured as an MIS regulated by the Corporations Act, requiring that customers in the course of providing a PPF). the operator hold an AFSL. The provision of consumer credit is regulated under the NCCP Open banking Act, requiring an operator to hold an ACL. The NCCP Act and the NCC 13 Are there any laws or regulations introduced to promote contain consumer protection provisions requiring an operator to assess competition that require financial institutions to make whether credit is unsuitable to a consumer before providing it. Credit customer or product data available to third parties? provided for investment purposes, business purposes or to non-natural persons is not regulated by the NCCP Act but may be subject to the ASIC On 5 February 2020, the ACCC published the Competition and Consumer Act if it is provided to small businesses. (Consumer Data Right) Rules. These Rules require Australia’s four Additional advertising guidance has been published by ASIC for major banks to share product reference data with accredited data recip- marketplace lending products. ients, and give legislative force to consumer data sharing obligations in banking. The Rules were meant to become mandatory from 1 July 2020, Crowdfunding however it has been pushed back three months until 1 October 2020 due 10 Describe any specific regulation of crowdfunding in your to the covid-19 pandemic. jurisdiction. Robo-advice Australia’s regulatory framework for equity-based crowd-sourced 14 Describe any specific regulation of robo-advisers or other funding (CSF) allows eligible companies to raise up to A$5 million companies that provide retail customers with automated using CSF. access to investment products in your jurisdiction. CSF offers can be made only by ‘eligible’ CSF companies, including: • unlisted public companies with less than: While there is not specific regulation of robo-advisers, ‘robo-advice’ • A$25 million in consolidated gross assets; and is defined in the Australian Securities and Investment Commission • A$25 million in annual revenue; and (ASIC) Regulatory Guide 255 as the provision of financial product advice • proprietary companies that: using algorithms and technology and without the direct involvement • maintain a minimum of two directors; of a human adviser. Where that robo-advice is generating general or • prepare annual financial and directors’ reports in accordance personal financial product advice, that advice will be a financial service with accounting standards; under the Corporations Act, unless an exemption applies.

8 Fintech 2021 © Law Business Research 2020 Piper Alderman Australia

To the extent that AI or robo-advice is used to provide a desig- SALES AND MARKETING nated service under the Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the business providing that service – even if Restrictions automated – will likely have reporting obligations to AUSTRAC. 19 What restrictions apply to the sales and marketing of financial services and products in your jurisdiction? Insurance products 15 Do fintech companies that sell or market insurance products A person will be conducting financial and related activities whenever in your jurisdiction need to be regulated? they publish advertisements in Australia that are reasonably likely to induce Australians to acquire a financial service or product. Marketing In general, a person carrying on a life or general insurance business a product itself may constitute an Australian financial services licence- must be authorised by APRA to conduct business and hold an AFSL, regulated activity, unless an exemption applies. unless an exemption applies. Persons other than insurers that sell or The Australian Securities and Investment Commission Act provides market insurance products must hold an AFSL unless a specific exemp- for consumer protection surrounding advertising and marketing of finan- tion applies. Persons that sell or market home contents or personal and cial services, including prohibitions on misleading or deceptive conduct. domestic property insurance products with an insured value less than Advertisements and promotional material in respect of credit prod- A$50,000 may be eligible for 12-month licensing relief under the regula- ucts must comply with the National Consumer Credit Protection Act tory sandbox exemption in the ASIC Corporations (Concept Validation 2009 (Cth). This includes a requirement to include a credit licensee’s Licensing Exemption) Instrument 2016/1175. Australian credit licence number on all printed ads. Advertisements and promotional material in respect of finan- Credit references cial products must comply with the Corporations Act. This includes a 16 Are there any restrictions on providing credit references or requirement to include the identity of the issuer or the seller, confir- credit information services in your jurisdiction? mation that a product disclosure statement (PDS) is available and a statement that a person should consider the PDS in deciding whether to Subject to the Privacy Act 1988 (Cth), only credit reporting agencies are acquire or to continue to hold a product. authorised to collect, collate and disclose consumer credit reporting The Australian advertising industry also self-regulates via industry information to credit providers. There are no restrictions on commer- standards. cial credit references or commercial credit information, subject to privacy law. CHANGE OF CONTROL

CROSS-BORDER REGULATION Notification and consent 20 Describe any rules relating to notification or consent Passporting requirements if a regulated business changes control. 17 Can regulated activities be passported into your jurisdiction? Subject to exemptions, the Corporations Act contains a takeover prohi- On 31 March 2020, the Australian Securities and Investments bition, which prohibits a person from acquiring a relevant interest in Commission (ASIC) repealed licensing exemptions that apply to foreign the issued voting shares or the voting interests (as the case may be) financial service providers (FFSPs) regulated under an overseas regu- of a listed body (including a listed managed investment scheme) or an latory regime that ASIC had assessed as sufficiently equivalent to the unlisted company with more than 50 members in the entity if: Australian regulatory regime. From 1 April 2020, FFSPs must apply for • the person acquires the interest through a transaction (defined a foreign AFS licence to provide financial services to wholesale clients broadly) in relation to the securities; and in accordance with Regulatory Guide 176: Foreign financial services • because of the transaction, that person's or someone else's voting providers (RG 176). Transitional arrangements will apply to FFSPs that power in the entity increases from less than to more than 20 per were able to rely on the sufficient equivalence relief on 31 March 2020, cent, or from a starting point that is more than 20 per cent and less such that they may continue to rely on that relief from 1 April 2020 until than 90 per cent. either the FFSP has been granted a foreign AFS licence commencing before 31 March 2022 or the end of the transitional period on 31 March There are also restrictions on the acquisition of shareholdings in certain 2022 (whichever occurs first). financial sector companies and on the acquisition of substantial interests in Australian businesses. Requirement for a local presence The takeover prohibition applies to the acquisition of relevant 18 Can fintech companies obtain a licence to provide financial interests in: services in your jurisdiction without establishing a local • listed Australian companies; presence? • unlisted Australian companies with more than 50 members; • Australian-listed bodies; and From 1 April 2020, new FFSPs will be required by ASIC to apply for a • Australian-listed managed investment schemes. foreign AFS licence to provide financial services to wholesale clients. Existing FFSPs that are currently relying upon sufficient equivalence The takeover prohibition will be triggered whenever a person seeks relief will have a transitional two-year relief period until 31 March 2022 to acquire a relevant interest in securities that results in the person's before being required to obtain a foreign AFS licence. voting power being more than 20 per cent. This includes transactions where the person's voting power is already more than 20 per cent. The requirements are expressed to apply both in and outside Australia. The concept of 'relevant interest' is detailed and expansive. 'Voting power' is defined as the total number of voting shares or interests in which a person and their associates have a relevant interest, www.lexology.com/gtdt 9 © Law Business Research 2020 Australia Piper Alderman

represented as a percentage of the total number of voting shares inter- In 2017, amendments to the AML/CTF Act required that digital currency ests in the relevant entity. 'Associate' is also broadly defined to include: exchanges be registered with AUSTRAC. • subsidiaries, holding companies and sibling entities controlled by The main provisions regarding anti-bribery are included in federal the same ultimate holding company; and state or territory legislation, including the Criminal Code Act 1995 • persons with whom the relevant person enters, or proposes to (Cth). Federal legislation prohibits bribing foreign and Commonwealth enter, into an agreement for the purpose of controlling or influ- public officials, and state or territory legislation prohibits some private encing the composition of the target's board or its affairs; and and commercial bribery practices. There is currently no specific bribery • a person with whom the relevant person acts, or proposes to act, in legislation in place in Australia. relation to the target's affairs. Guidance Under the Financial Sector (Shareholdings) Act 1998 (Cth), a person 22 Is there regulatory or industry anti-financial crime guidance may not acquire more than 20 per cent of the voting shares or practical for fintech companies? control of Australian banks, other authorised deposit-taking institutions and Australian insurers without the approval of the federal Treasurer. There is currently no guidance specific to fintech companies. The restrictions also apply to Australian and foreign holding companies of these financial sector companies. PEER-TO-PEER AND MARKETPLACE LENDING Under the Foreign Acquisitions and Takeovers Act 1975 (Cth), there are restrictions on foreign persons acquiring a substantial interest (ie, Execution and enforceability of loan agreements more than 20 per cent (individually) or 40 per cent (collectively)) in 23 What are the requirements for executing loan agreements or Australian companies without the approval of the Foreign Investment security agreements? Is there a risk that loan agreements Review Board. The constitutions of some Australian companies (particu- or security agreements entered into on a peer-to-peer or larly those privatised by the federal and state governments) also contain marketplace lending platform will not be enforceable? restrictions on foreign shareholdings. There are several exceptions to the takeover prohibition, which Loan and security agreements may be executed by companies either allow a person to obtain voting power of more than 20 per cent if they with or without a common seal in accordance with section 127 of the fall within the terms of the permitted exception. The most commonly Corporations Act. Subject to the formulation of a loan agreement, and relied on exceptions include: state or territory requirements for the execution of deeds (where an • making a takeover offer; interest in land can only be granted or disposed of by deed), these agree- • obtaining the approval of members of the target; ments may be executed electronically in accordance with the Electronic • obtaining control by means of a scheme of arrangement; Transactions Act 1999 (Cth) and equivalent state or territory legislation. • 'creeping' (ie, acquiring no more than 3 per cent of the voting power The same requirements apply to peer-to-peer or marketplace lending in any six-month period); platforms. There have recently been amendments made to state, terri- • underwriting; or tory and federal legislation to provide more certainty around electronic • making the acquisition through an upstream company listed on an signatures for deeds or for witnessing remotely in response to the approved foreign financial market. social distancing requirements of covid-19.

FINANCIAL CRIME Assignment of loans 24 What steps are required to perfect an assignment of Anti-bribery and anti-money laundering procedures loans originated on a peer-to-peer or marketplace lending 21 Are fintech companies required by law or regulation to have platform? What are the implications for the purchaser if the procedures to combat bribery or money laundering? assignment is not perfected? Is it possible to assign these loans without informing the borrower? The Anti-money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (the AML/CTF Act) imposes obligations regarding the prevention An assignment of loans in these circumstances may be effected by of money laundering and terrorism financing, including: a deed of assignment and will be perfected once the assignee takes • conducting know-your-customer customer identification; control of the loan. If no valid deed is effected, the assignment may • transaction monitoring and reporting, including reporting transfers constitute a deemed security interest and perfected by registering of physical currency of A$10,000 or more and international funds a valid security interest over the collateral on the Personal Property transfer instructions; Securities Register (PPSR). Failure to register on the PPSR may result • suspicious matter reporting; in the security becoming void against a liquidator. On liquidation, the • having an AML/CTF programme in place; and unperfected security interest vests in the grantor on its liquidation and • submitting annual compliance certificates with the Australian the relevant secured party loses their interest. Transaction Reports and Analysis Centre (AUSTRAC). No notice or consent is required to transfer loans on a peer-to-peer lending platform. However, the assignee must provide a copy of their Entities providing designated services under section 6 of the AML/ credit guide as soon as is practicable following the assignment. CTF Act must comply with the requirements of the Act. ‘Designated services’ include: Securitisation risk retention requirements • taking deposits; 25 Are securitisation transactions subject to risk retention • being a lender, account provider or insurer; requirements? • providing remittance services; and • exchanging currency (including digital currency in the course of There are currently no minimum risk retention requirements. operating a digital currency exchange business).

10 Fintech 2021 © Law Business Research 2020 Piper Alderman Australia

Securitisation confidentiality and data protection requirements Crypto-assets 26 Is a special purpose company used to purchase and securitise 29 Are there rules or regulations governing the use of crypto- peer-to-peer or marketplace loans subject to a duty of assets, including digital currencies, digital wallets and confidentiality or data protection laws regarding information e-money? relating to the borrowers? The AML/CTF Act defines a ‘digital currency’ as: If the special purpose company used to purchase and securitise is • a digital representation of value that: subject to the Privacy Act, the company must comply with its obligations • functions as a medium of exchange, a store of economic value under the Act regarding the data protection of the borrowers. The duty or a unit of account; of confidentiality will apply to the underlying loan or security agree- • is not issued by or under the authority of a government body; ment, subject to the usual practice of including express consents in the • is interchangeable with money and may be used as consid- underlying documents to permit disclosures. eration; and • is generally available to members of the public; or ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER • a means of exchange or digital process or crediting declared to be TECHNOLOGY AND CRYPTO-ASSETS digital currency under the AML/CTF Rules.

Artificial intelligence The AML/CTF Rules may be updated by the CEO of AUSTRAC and do not 27 Are there rules or regulations governing the use of artificial require Parliament to change underlying legislation. Where a business intelligence, including in relation to robo-advice? wishes to offer a service of converting fiat currency to digital currency, it will be providing a designated service under the AML/CTF Act and that ‘Robo-advice’ is defined in the Australian Securities and Investment business will be required to be registered as a digital currency exchange Commission (ASIC) Regulatory Guide 255. (DCE) with AUSTRAC unless an exemption applies. This is expected to The obligations that apply to the provision of traditional financial be expanded in the future to capture conversion services from digital product advice and digital advice are functionally identical. For example, currency to digital currency. no Australian financial services licence (AFSL) is required for the Over 300 digital currency exchanges are registered in Australia. provision of factual information. However, if robo-advice is generating For businesses that plan to issue or offer to deal in digital assets general or personal financial product advice, that advice will be a finan- or crypto-assets, the starting point is to determine if the crypto-assets cial service under the Corporations Act, unless an exemption applies. or tokens are financial products within the definition of the Corporations ASIC has provided specific relief from holding a licence to providers Act. If so, a business issuing crypto-assets will be required to hold an of generic financial calculators under Regulatory Guide 167 and the AFSL. A business offering to deal in crypto-assets, such as by operating ASIC Instrument 2016/207. A ‘generic financial calculator’ is defined as a market, must also obtain an AFSL if it is dealing with, giving advice or a facility, device, table or thing used to make general calculations and providing intermediary services for crypto-assets that constitute finan- that does not advertise a specific product. cial products. To the extent that AI or robo-advice is used to provide a desig- If a business is offering payment services, such as accepting crypto- nated service under the Anti-money Laundering and Counter-Terrorism assets and making payments, assuming the crypto-asset is not a financial Financing Act 2006 (Cth) (the AML/CTF Act), the business providing that product, the business will still be providing a ‘non-cash payment facility’ service – even if automated – may have reporting obligations to the as defined in section 763D of the Corporations Act, and the entity will be Australian Transaction Reports and Analysis Centre (AUSTRAC). required to hold an AFSL unless an exemption applies (Regulatory Guide 185 provides for a low value NCP exemption that many fintech businesses Distributed ledger technology rely on). Digital wallets in Australia will most likely constitute non-cash 28 Are there rules or regulations governing the use of payment facilities. The non-cash payment facility concept in Australia is distributed ledger technology or blockchains? broadly analogous to the e-money regulatory system in Europe. Finally, if digital assets stored by a business are financial products, There are no specific rules or regulations governing the use of distrib- that business must ensure that it holds the appropriate custodial and uted ledger technology or blockchain. depository authorisations under an AFSL. ASIC’s INFO 219 sets out an assessment tool for businesses to identify whether an AFSL may be required for distributed ledger tech- Digital currency exchanges nology-based (DLT) services. This tool includes a set of factors to be 30 Are there rules or regulations governing the operation of considered by the business, such as: digital currency exchanges or brokerages? • Which DLT platform is being used? • How it will be run? The conversion of fiat currency to a crypto assets is a designated service, • How does it work? requiring registration as a DCE with AUSTRAC. To register as a DCE, a • How is the DLT using data? business must prepare an AML/CTF programme and meet specified • How the DLT affects others? threshold and suspicious transaction reporting obligations. In addition to the need to register with AUSTRAC, if a DCE is issuing ASIC’s view is that many DLT token offerings will likely be a managed tokens that are financial products (eg, via an initial exchange offering investment scheme (MIS), and that fintech providers that offer market or listing a token from an initial coin offering if the tokens constitute infrastructure or clearing and settlement will likely require licensing or an financial products), the exchange will need to hold an AFSL to deal in exemption. To date there has been no case law deciding if this is correct. The those tokens and may need a market authorisation. Digital currency or Department of the Treasury’s ICO Review report is overdue for publication. crypto-payment services will require an AFSL unless they fall under an The offering of digital currency conversion services in the course of exemption such as the low value exemption. operating a digital currency exchange business will require an operator Depending on the exchange’s structure, and how digital assets are (including one located offshore) to register with AUSTRAC. cleared or settled, an exchange may be operating a clearing settlement www.lexology.com/gtdt 11 © Law Business Research 2020 Australia Piper Alderman

facility and, as a result, be required to hold a clearing and settlement • notify APRA of material information security incidents (separate to facility licence under Part 7.3 of the Corporations Act. notifiable data breach obligations under the Privacy Act 1988 (Cth)).

Initial coin offerings Fintech businesses dealing with APRA-regulated entities may still need 31 Are there rules or regulations governing initial coin offerings to be cognisant of CPS 234, as APRA-regulated entities must meet the (ICOs) or token generation events? requirements of CPS 234 even if their information assets are managed by third parties. In May 2019, ASIC updated its INFO 225 guidance in relation to initial ASIC’s Regulatory Guide 255 – Providing Digital Financial Product coin offerings (ICOs). ASIC considers that there is a high risk that most Advice to Retail Clients sets out requirements that Australian financial ICOs or token generation events will be considered MISs requiring the services licensees that provide certain digital financial product advice responsible entity to hold an AFSL. ASIC expects entities that do not should follow to protect against malicious cyber activity. have an AFSL to be able to justify a conclusion that their token or ICO is not a financial product. OUTSOURCING AND CLOUD COMPUTING Unfortunately, INFO 225 still does not provide clear guidance on how entities can undertake a token offering that is compliant with the Outsourcing obligations of an MIS operated by an AFSL holder in relation to matters 34 Are there legal requirements or regulatory guidance with such as custody or secondary trading of crypto-assets or provide respect to the outsourcing by a financial services company of any categories of crypto-token that will not be considered financial a material aspect of its business? products. The Australian Securities and Investments Commission’s (ASIC) DATA PROTECTION AND CYBERSECURITY Regulatory Guide 104 – Licensing: Meeting the General Obligations sets out guidance of ASIC’s expectations for Australian financial services licen- Data protection sees outsourcing their functions. In particular, while they can outsource 32 What rules and regulations govern the processing and their functions, they cannot outsource their responsibilities as a licensee transfer (domestic and cross-border) of data relating to and remain responsible for complying with licensee obligations. fintech products and services? Certain Australian Prudential Regulatory Authority-regulated (APRA) financial institutions are required to comply with prudential While there are no legal requirements or regulatory guidance relating standards on outsourcing (CPS 231) and related guidelines. Separate to personal data that is aimed specifically at fintech businesses, all prudential standards (SPS 231 and HPS 231) apply to registrable super- are subject to the obligations of the Privacy Act, including a notifiable annuation entity licensees and private health insurers respectively. data breach reporting requirement. The Privacy Act is concerned with These mandatory standards set out requirements on how material busi- the protection of personal information, which includes an individual’s ness activity can be outsourced. identity or information from which an individual’s identity can be ascer- A ‘material business activity’ is an activity that has the potential, if tained. Additional protections are required when businesses deal with disrupted, to have a significant impact on the APRA-regulated institution prescribed sensitive information that includes certain health-related or its ability to manage risks effectively. information. The notifiable data breach reporting requirements require The principal requirements under these prudential standards are: that processes be put in place by businesses to address data breaches, • having a board-approved policy for the outsourcing of material including reporting certain data breaches to the Office of the Australian business activities and monitoring of outsourcing arrangements; Information Commissioner. • having an agreement with any outsourced service provider involving a material business activity that addresses, at a minimum, Cybersecurity certain matters in CPS 231 (including matters relating to owner- 33 What cybersecurity regulations or standards apply to fintech ship, storage and control of data); businesses? • consulting APRA before entering into any offshoring arrangement involving a material business activity; and There are no overarching regulations or standards on cybersecurity in • notifying APRA as soon as possible after entering into an Australia. However, there are certain regulatory standards and guide- outsourcing agreement involving a material business activity, but lines that offer guidance. no later than 20 business days after the execution of an outsourcing The Australian Prudential Regulatory Authority (APRA) has issued agreement. several mandatory standards and regulatory guidelines concerning cybersecurity and cloud computing as they relate to businesses In addition, APRA has issued several mandatory standards and regu- providing financial services, superannuation and insurance. These latory guidelines concerning cloud computing, including standards on include prudential standards on outsourcing (CPS 231, SPS 231 and business continuity management (CPS 232 and SPS 232) and informa- HPS 231), business continuity management (CPS 232 and SPS 232), tion security (CPS 234). information security (CPS 234) and related regulatory guidelines. CPS 234 took effect from 1 July 2019 and applies to certain Cloud computing APRA-regulated entities. Among other things, CPS 234 requires ARPA- 35 Are there legal requirements or regulatory guidance with regulated entities to: respect to the use of cloud computing in the financial services • clearly define information security-related roles and responsibilities; industry? • maintain appropriate information security capability commensurate with the size and extent of threats to their information assets; APRA has issued various mandatory standard and regulatory guide- • implement appropriate controls to protect their information assets lines regarding cloud computing, including prudential standards on and ensure their effectiveness through systematic testing and outsourcing (CPS 231, SPS 231 and HPS 231), business continuity assurance; and management (CPS 232 and SPS 232) and information security (CPS 234).

12 Fintech 2021 © Law Business Research 2020 Piper Alderman Australia

CPS 231 concerns outsourcing arrangements generally and Confidentiality applies where the use of cloud computing services involves material Confidential information is protected by case law, where the owner has business activities. APRA’s ‘Outsourcing Involving Cloud Computing taken steps to keep the information confidential and a person receiving Services’ information paper provides regulatory guidance relating to that information in circumstances of confidence releases to others or risk management, notification and consultation obligations for APRA- uses the information in a manner not authorised by the owner, or both. regulated entities using cloud computing services. The Privacy Act 1988 (Cth) regulates the collection, use, disclosure IP developed by employees and contractors and handling of personal information that could be relevant to cloud 37 Who owns new intellectual property developed by an computing services. Organisations that have to comply with the Privacy employee during the course of employment? Do the same Act must comply with the Australian Privacy Principles and have specific rules apply to new intellectual property developed by obligations where data is disclosed outside Australia. contractors or consultants?

INTELLECTUAL PROPERTY RIGHTS An employer will own intellectual property developed by an employee during the course of their employment – unless the employment IP protection for software contract stipulates otherwise – and where the material giving rise to 36 Which intellectual property rights are available to protect the IP rights was created as part of the duties for which the employee software, and how do you obtain those rights? was employed. Where an employee’s duties involve the development of intellectual property, their employment contract should refer to these The three main forms of IP protection for software in Australia are copy- duties and specify that IP rights in material created by the employee will right, patents and confidentiality. be owned by the employer. New intellectual property developed by contractors or consultants Copyright will generally be owned by the contractor or consultant unless there is Computer programs as defined under the Copyright Act 1958 (Cth) a written assignment to the contrary. qualify for protection under copyright law as literary works, provided An employee, contractor or consultant that has assigned the IP that the requirements for copyright subsistence are met. There is no rights in materials that they have created will continue to retain their registration requirement in Australia. moral rights, which are provided for in Part IX of the Copyright Act 1968 Copyright law requires a computer program to be attributable to (Cth). Individuals have the following rights that last for the same period an author and not reproduced or copied from another source. As the as copyright protection (generally 70 years): copyright owner will usually be the authors who created or developed • to be identified as the author of the work; the source code of the software, fintech businesses must ensure that • not to have authorship of their work falsely attributed; and when third-party software developers are commissioned, the engage- • integrity of authorship (ie, the right not to have their work subjected ment agreement stipulated that copyright in the software is assigned to to derogatory treatment). the fintech entity. Copyright will generally vest in the employer where an individual has developed the computer program in the course of Individuals cannot assign, transfer or sell their moral rights, but may their employment duties. The duration of the copyright protection for consent to their moral rights being infringed, provided that the consent published works is usually 70 years from the death of the author of the relates to specified acts or omissions or specified types of acts or omis- copyright work. sions. An employee can also provide a broad consent to their employer covering any acts or omissions in relation to all works created by the Patents employee during their employment. In Australia, two types of patent can be granted, the traditional standard patent providing 20 years of protection and an innovation Joint ownership patent providing eight years of protection. The innovation patent has a 38 Are there any restrictions on a joint owner of intellectual faster and cheaper application process and less stringent patentability property’s right to use, license, charge or assign its right in requirements, but has been reviewed, and will be abolished from 25 intellectual property? August 2021. An invention must meet the requirements of Patents Act 1990 (Cth) The rights of a joint owner of intellectual property differs according to to receive patent protection. Specifically, the patent must be a patent- the type of intellectual property. able subject matter that is new, useful, involves an innovative step (in Unless there is an agreement to the contrary, co-owners of copy- respect of innovation patents) or inventive step (in respect of standard right material own the copyright as tenants in common in equal shares patents) and satisfies other formality requirements. and not as joint tenants. A co-owner may not do or authorise any act The requirement of patentable subject matter must be satisfied comprised in the copyright of a work, including reproducing the copyright for business methods implemented by a computer program. In general, materials, granting a licence to a third party or charging or assigning a separate result beyond the typical working of a computer must be any right in this copyright, without the consent of the co-owner. The achieved for a business method implemented in or by a computer non-consenting owner is entitled to an injunction against the infringing process to be patentable. The mere use of well-known and understood co-owner and licensee preventing these unauthorised acts. functions of computers for implementing business methods is insuffi- A joint owner of a patent is entitled to an equal undivided share in cient for patent protection. that patent, unless there is an agreement to the contrary. Therefore, a Finally, certain aspects of software, including software-imple- joint owner may use the patent for their own benefit without accounting mented inventions or business methods, may also be protected by to the other joint owner or owners, but may not grant a licence under, imposing confidentiality obligations on customers and keeping those or assign an interest in, the patent without the consent of the other joint aspects a trade secret of the business. owner or owners.

www.lexology.com/gtdt 13 © Law Business Research 2020 Australia Piper Alderman

Trade secrets Remedies for infringement of IP 39 How are trade secrets protected? Are trade secrets kept 41 What remedies are available to individuals or companies confidential during court proceedings? whose intellectual property rights have been infringed?

There is no legislation that specifically protects trade secrets. However, Registered IP rights are each governed by a different legislative scheme, section 183 of the Corporations Act 2001 (Cth), which requires that a for example: current or former director, officer or employee of a corporation does not • the Copyright Act 1968; improperly use the information to gain an advantage for themselves or • the Designs Act 2003; others or cause detriment to the organisation, is sufficiently broad to • the Patents Act 1990; and cover trade secrets. • the Trademarks Act 1995. Trade secrets are also protected by equitable principles relating to breach of confidence. A breach of confidence requires that: In general, the Federal Court of Australia is the most appropriate court • an obligation of confidence exists in relation to specific information; to initiate proceedings for infringement of IP rights, particularly for • the information disclosed is of a confidential nature; registered rights or actions brought under the Australia Consumer Law, • the information was received in circumstances importing an obli- as the legislative schemes that govern those rights are federal acts. gation of confidence; The court has the power to award various remedies in IP infringe- • there is an actual or threatened misuse of the information without ment proceedings, including: the disclosing party’s consent; and • injunctive relief (both interim and final injunctions may be awarded); • the breach resulted in the disclosing party suffering damage. • an Anton Piller order (ie, search and seizure order); • damages or account of profits; The courts may make orders to protect trade secrets contained in discov- • declaratory relief; ered documents or documents produced by a third party. The court will • costs; and weigh the risk of inadvertent or accidental disclosure and the likely loss • additional damages in circumstances of flagrancy of the against the extent to which a party’s ability to seek advice and provide infringement. instructions may be hampered if a claim for confidentiality is upheld. The limitation period for bringing infringement proceedings is six years. Branding However, the courts will be less inclined to assist when an applicant has 40 What intellectual property rights are available to protect delayed bringing infringement proceedings. branding and how do you obtain those rights? How can It is not uncommon for the respondent to cross claim with an fintech businesses ensure they do not infringe existing action to revoke the registered right of the applicant (eg, on the grounds brands? that the registration does not conform with the requisite requirements of registration). The owner of the registered right should carefully Branding elements are usually protected by trademark registration. examine the validity of the registration before threatening infringement A trademark is a badge of origin or a sign used to distinguish goods proceedings. and services from those of others, including: The recipient of a threat of infringement is entitled to initiate legal • product names; proceedings to seek orders that the threats are groundless and seek • tag lines; injunctive relief to prevent further threats from being made. In general, • logos; proceedings initiated on the basis of groundless threats will be unsuc- • aspects of packaging; and cessful once the applicant issues proceedings. • colours, sounds and scents. COMPETITION Trademark registration provides exclusive rights to use, license and sell the trademark for an initial period of 10 years, which continues indefi- Sector-specific issues nitely provided the renewal fees are paid every 10 years. 42 Are there any specific competition issues that exist with An application to register a trademark is made with IP Australia. respect to fintech companies in your jurisdiction? Assuming no objections or oppositions, the process takes approximately seven months. The Australian Federal Government recently implemented an ‘open As a practical measure, before choosing a trademark applicants banking regime’, whereby consumers have a general right to control should ensure that the domain name (web URL), social media names their data pursuant to the Treasury Laws Amendment (Consumer Data (eg, Facebook page or Twitter handle) and business name are available. Right) Act 2019 (Cth) (the Consumer Data Right). Unregistered trademarks can be protected by establishing that the Australian Treasurer, Hon Josh Frydenberg MP, in his second use of the same or a similar trademark by a person is likely to mislead reading speech on the Treasury Laws Amendment (Consumer Data others to believe that the person is somehow connected with the appli- Right) Bill 2019, stated that: cant (ie, misleading and deceptive conduct in breach of the Australian Consumer Law) or amounts to passing off. This requires the applicant to The consumer data right … will drive competition… For consumers, prove that they have reputation in the trademark to such an extent that improved access to data will support better price comparison the use of the trademark by someone else would be misleading. services, taking into account their unique circumstances, and To ensure that applicants do not infringe the rights of a third party’s promote more convenient switching between products and existing brands, they should: providers… • search the Australian Trade Marks Register for any similar registered trademarks; and After several delays in implementing the Consumer Data Right, on 5 • conduct a general market knowledge enquiry to identify any unreg- February 2020, the Australian Competition and Consumer Commission istered trademarks that may have a reputation. made the Competition and Consumer (Consumer Data Right) Rules

14 Fintech 2021 © Law Business Research 2020 Piper Alderman Australia

2020, which were subsequently revised on 19 June 2020 (as amended, Australia has an R&D tax incentive designed to encourage compa- the Rules). nies to invest in R&D activity. The tax incentive is in the form of two tax Pursuant to the Rules: offsets that apply to eligible R&D expenditure, namely: • certain obligations regarding banks’ product data became a statu- • a 43.5 per cent refundable tax offset for the first A$100 million tory requirement for the Australia and New Zealand Banking Group of eligible expenditure for certain eligible entities whose aggre- Limited, Commonwealth Bank of Australia, National Australia Bank gated turnover is less than A$20 million and provided they are not Limited and Westpac Banking Corporation (together, the ‘big four’ controlled by income tax exempt entities; and banks) on 6 February 2020 and were to be a requirement for non- • a 38.5 per cent non-refundable tax offset for the first A$100 million major banks from 1 July 2020; however, the ACCC has granted a of eligible expenditure for all other eligible entities, which may be three-month exemption until 1 October 2020 because of the impact carried forward. of the covid-19 pandemic; • the disclosure of consumer data to accredited persons commenced The Taxpayer Alert 2017/5 sets out the view of the Australian Taxation for the big four banks from 1 July 2020 and is currently scheduled Office in relation to R&D claims on software development projects. to commence for non-major banks on 1 November 2020; and • the balance of the obligations will be rolled-out progressively Increased tax burden between 1 July 2020 and 30 June 2022. 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for Fintech companies are also subject to the competition law prohibitions fintech companies in your jurisdiction? contained in the Competition and Consumer Act 2010 (Cth) (CCA). The CCA prohibits various forms of anti-competitive practices, including the There are no new or proposed laws or guidance specifically affecting misuse of market power, exclusive dealing (including third line forcing), fintech companies. resale price maintenance and cartel conduct. The Australian Consumer Law contained in Schedule 2 of the CCA provides consumer protection IMMIGRATION in the form of: • general prohibitions against conduct that is likely to mislead or Sector-specific schemes deceive or that is unconscionable; 45 What immigration schemes are available for fintech • specific prohibitions against unfair practices including false or businesses to recruit skilled staff from abroad? Are there misleading representations on goods or services; and any special regimes specific to the technology or financial • an ability for Australian Courts to declare unfair contract terms sectors? contained in standard form consumer contracts to be void, such that they are unenforceable. There are no immigration schemes specific to the technology or financial sectors. The following visa options may be open to skilled workers TAX recruited from overseas by fintech businesses: • Temporary Work (Short Stay Specialist) (subclass 400) visa: for Incentives three to six months in a highly specialised job; 43 Are there any tax incentives available for fintech companies • Temporary Skill Shortage (subclass 482) visa: for up to four years, and investors to encourage innovation and investment in the for workers sponsored by their employer and whose occupa- fintech sector in your jurisdiction? tion is on the Australian government’s list of skilled occupations or the employer has a labour agreement with the Australian Australia has many tax concessions applicable to fintech companies. government; and The early-stage investment company (ESIC) regime provides that a • Employer Nomination Scheme (subclass 186) visa: permanent, for company must be recently incorporated and not have incurred expendi- workers nominated by their employer and whose occupation is on ture or generated income over certain limits in the preceding income the Australian government’s list of skilled occupations. year. The company must meet either a 100-point or a principles-based innovation test. If the company qualifies as an ESIC, investors qualify for UPDATE AND TRENDS a 20 per cent non-refundable carry forward tax offset. The amount of the tax offset is 20 per cent of the amount paid for the shares to a maximum Current developments of A$200,000. Investors also enjoy no capital gains tax for the first 10 46 Are there any other current developments or emerging years of their holding of the shares. trends to note? Australia also has concessions for start-up companies in relation to employee share schemes. In general, any discount an employee The key emerging trend is a renewed focus from the federal govern- receives on shares or options or rights is treated as assessable income. ment on the opportunities fintech provides, and the potential upsides for However, under this concession, start-up companies can offer (without Australian consumers and the broader economy. Following the volume the discount being taxed): of submissions to the Senate Select Committee, and the subsequent • shares with a discount to market value of no more than 15 changes to the economy, the Committee is requesting further submis- per cent; or sions on what support is necessary in the short-, medium- and long • rights or options with an exercise price being the market value of a term, including post-recovery, focusing on solutions that can be deliv- share when the right or option is acquired. ered swiftly by government and the private sector.

In calculating the market value of a share, the company can use a net tangible asset valuation method. This allows a fintech entity with, for example, a large IP or goodwill element to issue equity at a significant discount to employees. www.lexology.com/gtdt 15 © Law Business Research 2020 Australia Piper Alderman

Coronavirus 47 What emergency legislation, relief programmes and other initiatives specific to your practice area has your state implemented to address the pandemic? Have any existing government programmes, laws or regulations been amended to address these concerns? What best practices are advisable for clients?

While there has not been any government initiatives specifically Michael Bacina [email protected] targeted at the fintech sector in response to covid-19, the federal and state governments have implemented various legislative changes, Andrea Beatty stimulus packages and relief programmes generally. FinTech Australia, [email protected] a member organisation that advocates for fintech issues in Australia, Tim Clark has published a short guide of the various available government assis- [email protected] tance programs specifically for fintech businesses. We have, however, Will Fennell summarised two key developments below. [email protected]

Hardship Sarah Johnson The Australian Securities and Investments Commission (ASIC) has [email protected] suggested various arrangements for entities considering hardship Tim O’Callaghan complaints, such as delaying scheduled loan repayments, waiving fees [email protected] and charges, interest-free periods, no interest rate increases and debt Andrew Rankin collection. Lenders are treating covid-19 relief measures as tempo- [email protected] rary and not formal arrangements regulated by the National Credit Code (NCC). This aligns with the public policy intent of these measures. ASIC has been called to issue a legislative instrument exempting Level 23, Governor Macquarie Tower the application of time period rules under the NCC for covid-19 hard- 1 Farrer Place ship arrangements to deal with the significant quantities of hardship Sydney NSW 2000 Australia requests received – but this has not yet occurred. AFCA has yet to report Tel: +61 2 9253 9999 a material increase in banking disputes, but expects to see an increase www.piperalderman.com.au in hardship disputes in six months’ time when deferrals expire.

Electronic signatures Widespread social distancing requirements have restricted the ability for entities to rely on ‘wet signatures’, and has caused an increase in entities seeking to rely on electronic signatures. The Electronic Transactions Amendment (COVID-19 Witnessing of Documents) Regulation 2020 (NSW) allows a broad range of documents to be signed electronically and remotely. In New South Wales, this means that documents can be witnessed through an audiovisual link, providing relief to those who cannot physically sign or witness documents. At the federal level, the government has introduced the Corporations (Coronavirus Economic Response) Determination (No. 1) 2020, which modifies the legislative requirements regarding meetings and execution of company documents to facilitate electronic methods.

16 Fintech 2021 © Law Business Research 2020 Belgium

Vincent Verkooijen, Jérémie Doornaert, Martin Carlier, Dimitri Van Uytvanck and Marc de Munter Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies 1 What is the general state of fintech innovation in your 3 Which bodies regulate the provision of fintech products and jurisdiction? services?

Although the Belgian fintech ecosystem is currently booming (over The Financial Services and Markets Authority (FSMA) and the National the years, the number of start-ups active in the financial sector with a Bank of Belgium (NBB) are generally the bodies responsible for regu- predominantly technological approach has increased steadily), Belgian lating the provision of fintech products and services in Belgium. fintech companies that have reached a size large enough to play in the big league can still be counted on the fingers of one hand. In effect, Regulated activities Belgian fintech companies have a tendency to rely more on organic 4 Which activities trigger a licensing requirement in your growth and to focus for longer periods on the local market, taking jurisdiction? more time to cross the Belgian border. Transforming all these promising start-ups into scale-ups capable of competing on the international A large number of financial activities trigger licensing requirements scene is therefore a major challenge that requires stronger support and in Belgium. The following providers of financial services are regulated financing. (among others): credit institutions, certain lenders, stockbroking and investment firms, fund management companies, payment institutions, Government and regulatory support e-money institutions, and insurance and reinsurance firms. 2 Do government bodies or regulators provide any support The supervision of financial institutions in Belgium is organised specific to financial innovation? If so, what are the key according to a ‘twin peaks’ model, by which the competences are benefits of such support? shared between two autonomous supervisors: the NBB and the FSMA. Each regulator has a specific set of objectives. The NBB is the principal No. However, a Belgian fintech platform called B-Hive was launched in prudential supervisor for (among others) banks, insurance companies, January 2017 to support fintech start-ups. The Belgian federal govern- stockbroking firms, payment and e-money institutions, on both a macro- ment – by means of the federal investment fund – and a number of major and micro-level. The FSMA is responsible for supervising the financial banks, insurers and market infrastructure players support the project. markets and the information circulated by companies, certain catego- B-Hive has recently set up hubs in New York, London and Tel Aviv. ries of financial service providers (including investment firms and fund In addition, both the National Bank of Belgium and the Financial management companies) and intermediaries, compliance by financial Services and Markets Authority (FSMA) offer fintech companies the institutions with conduct of business rules and the marketing of finan- opportunity to enter into direct contact with them through a dedicated cial products to the public. The Federal Public Services Economy, small ‘fintech portal’ available on their websites. The purpose of the Fintech and medium-sized enterprises (SMEs), Self-employed and Energy (FPS Contact Point is to support a dialogue between the regulator and fintech Economy) also has certain supervisory powers (eg, consumer credit, companies whereby the regulator aims to get back to the firms within payment services). three business days and to assist them in understanding the applicable Only credit institutions may receive deposits from the public in regulatory framework. This facility can be used, for example, for any Belgium or solicit the public in Belgium in view of receiving deposits. project relating to crowdfunding, distributed ledger technology, virtual Credit institutions are regulated by the Belgian Act of 25 April 2014 currencies, application programming interfaces or alternative distribu- relating to the status and supervision of credit institutions and stock- tion models. broking firms. Besides deposit-taking, the majority of the activities Finally, a sectorial association called Fintech Belgium has been listed under Annex I of the Capital Requirements Directive may only created, regrouping around 100 Belgian fintech companies. be carried out by licensed entities, are subject to specific regulations, or both. Certain lenders are also subject to local supervision (eg, consumer lenders, consumer mortgage lenders). Commercial lending (on a stand-alone basis) does not require a licence but specific rules of conduct apply where lending to SMEs. These rules of conduct include a duty of rigour, a duty of information and a right of prepayment for the enterprise. SMEs are individual or legal entities pursuing an economic purpose in a sustainable manner or liberal professions (eg, lawyers and notaries) that have no more than one of the following criteria in www.lexology.com/gtdt 17 © Law Business Research 2020 Belgium Simmons & Simmons LLP

their last and penultimate closed financial year: 50 employees on an Receivables in respect of consumer loans may only be transferred annual basis, annual turnover of €9 million and total balance sheet of to a limited number of assignees (including credit institutions, regulated €4.5 million. lenders, credit insurers and a specific category of collective investment All investment services contemplated by the second Markets in scheme designed for making investments in receivables, the société Financial Instruments Directive are regulated and may only be carried d’investissement en créances or vennootschap voor belegging in schuld- out by duly licensed entities. Investment services include reception vorderingen). The transfer of consumer mortgage loans is also subject and transmission of orders, execution of orders, proprietary trading, to specific rules. portfolio management, investment advice, underwriting and placing of financial instruments and operation of multilateral trading facilities, Collective investment schemes where they are carried out in respect of financial instruments such 7 Describe the regulatory regime for collective investment as transferable securities (shares, bonds, puts or calls on shares or schemes and whether fintech companies providing alternative bonds, etc), money market instruments, units in collective investment finance products or services would fall within its scope. undertakings (UCITS), derivative contracts and instruments. Dealing in foreign exchange spot and forward contracts (on one’s own account or In Belgium, collective investment schemes (CISs) and the management as agent) is also regulated in Belgium. Investment services are carried of CISs are regulated entities and activities respectively. In general, a out by (Belgian or foreign) investment firms. Belgian investment firms CIS is any entity whose purpose is the collective investment of financial can be set up either as stockbroking firms (subject to the Act of 25 April means collected from investors through an offer of financial instruments. 2014 on alternative investment firms and their managers) or portfolio The persons participating in the scheme (the investors) must not have management and investment advice firms (subject to the Act of 25 day-to-day control over the management of the property. Furthermore, October 2016 on investment firms and services). the contributions of the participants and the profits or income out of The Act of 3 August 2012 implemented the Undertakings for which payments are to be made to them must be pooled and the prop- Collective Investments in Transferable Securities Directive and regu- erty managed as a whole. lates UCITS funds, UCITS management companies and funds investing Whether a fintech company will fall within the scope of this regime in receivables. The Act of 19 April 2014 has implemented the Alternative will depend on the exact nature of its business. Fintech companies that Investment Fund Managers Directive (AIFMD) and regulates alternative manage assets on a pooled basis on behalf of investors should give investment funds and their managers. particular consideration to whether they may be operating a CIS. Fintech Payment services institutions and e-money institutions are regu- companies that are geared more towards providing advice or payment lated by the Act of 11 March 2018, which implemented the second services may be less likely to operate a CIS, but should nonetheless Payment Services Directive (PSD2) in Belgium. Insurance and rein- check this and have regard to their other regulatory obligations. surance companies are ruled by the Act of 13 March 2016. Insurance contracts are regulated by the Act of 4 April 2014. Alternative investment funds Intermediaries in banking and investment services, insurance 8 Are managers of alternative investment funds regulated? intermediaries and consumer credit intermediaries are also subject to local supervision. Managers of alternative investment funds are regulated in Belgium under It is an offence to carry out any of the above regulated financial the AIFMD, which was implemented in Belgium by the Act of 19 April services in Belgium without being duly licensed by or registered with 2014 relating to alternative investment funds and their managers, imple- the relevant regulator, subject to applicable EU passporting rules. menting royal decrees and circulars and guidance issued by the FSMA.

Consumer lending Peer-to-peer and marketplace lending 5 Is consumer lending regulated in your jurisdiction? 9 Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction. Consumer lending is a regulated activity in Belgium under Book VII of the Belgian Code of Economic Law. ‘Consumer’ means any individual There are currently no (consumer) peer-to-peer lending platforms oper- acting for purposes that do not fall within his or her trade, business, ating in Belgium. The Belgian regulatory framework does not currently craft or professional activity. authorise direct lending by consumers to consumers. The main legal A licensing requirement applies to consumer lenders (including obstacles are, first, that the Belgian prospectus regulations prevent consumer mortgage lenders) and intermediaries in consumer lending. individuals from raising funds publicly, even with the intervention of Certain (limited) exemptions are available. In addition, there are ongoing a platform. In practice, this means that an individual cannot solicit the requirements that have to be complied with by the lenders (eg, provi- public to lend him or her money. Second, consumer lenders must be sion of information, documents and statements, and form and content of approved by the FSMA and only approved lenders have access to the the credit agreement itself). Central Individual Credit Register (CICR). However, alternative ways to structure this type of lending are Secondary market loan trading possible, for example, by using an indirect lending model whereby a 6 Are there restrictions on trading loans in the secondary legal entity is interposed between the lenders and the borrowers. In such market in your jurisdiction? an indirect model, there is no direct relationship between the lenders and the borrowers. The legal entity must be approved by the FSMA as Provided that the borrowers do not qualify as consumers and the loan (consumer) lender and grants the loans to the borrowers. To finance the itself is being traded and not a loan instrument, there are in principle no loans, the legal entity issues notes, which typically replicate the repay- restrictions on trading (receivables in respect of) loans in the secondary ment characteristics of the underlying loans and can be subscribed by market in Belgium. However, the loan agreement must not prohibit the the lenders (in principle, based on a prospectus approved by the FSMA). assignment and civil law requirements may have to be complied with Peer-to-peer lending mainly differs from lending-based crowd- to ensure the enforceability of the transfer of the loan (and, as the case funding by the fact that the borrowers are individuals or consumers may be, the security rights attached thereto) in relation to third parties. borrowing for private purposes.

18 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Belgium

Crowdfunding Payment services 10 Describe any specific regulation of crowdfunding in your 12 Are payment services regulated in your jurisdiction? jurisdiction. Yes. Payment services are regulated by the Act of 11 March 2018, Belgium adopted a law on crowdfunding platforms on 18 December which implemented the PSD2 in Belgium. A firm that provides payment 2016, which entered into force on 1 February 2017 and creates a legal services in or from Belgium as a regular occupation or business activity framework for crowdfunding and alternative types of funding. The (and is not exempt) must apply for registration as a payment institution. Belgian Crowdfunding Act is applicable to both lending-based and equity-based crowdfunding platforms. Open banking The Belgian Crowdfunding Act only regulates financing by the 13 Are there any laws or regulations introduced to promote crowd of a business or a professional project. It is not applicable to competition that require financial institutions to make platforms that only offer or provide alternative funding services to the customer or product data available to third parties? following investors or lenders: legal entities, (MiFID) professional investors or fewer than 150 persons. Pursuant to the implementation of the PSD2 into Belgian law by the Act Crowdfunding platforms are defined as any natural or legal persons of 11 March 2018, financial institutions holding ‘payment accounts’ (eg, that offer or provide alternative funding services in the Belgian territory current accounts, credit card accounts, prepaid card accounts) will be through a website or any other electronic means, and that are not regu- required to allow, for free, access to their customers’ account informa- lated companies. The financing is raised by the issuance of ‘investment tion to third-party payment service providers, subject to the consent instruments’, which can be issued directly by ‘issuers-entrepreneurs’ of the customer. From a technical point of view, third-party payment (enterprises carrying out business, trade, craft, profession or real estate service providers could get either direct access to the account or activities), or through start-up funds or funding vehicles. For these indirect access through a dedicated interface, such as an application purposes, ‘investment instruments’ include: programming interface. • transferable securities (such as shares and transferable debt instruments); Robo-advice • units issued by start-up funds; and 14 Describe any specific regulation of robo-advisers or other • standardised loans (ie, loans for which the duration, interest companies that provide retail customers with automated rate and general conditions are not negotiable; only the invested access to investment products in your jurisdiction. amount can vary). There is no specific regulation on robo-advice in Belgium. Consequently, The marketing of investment instruments can be carried out in the whatever the mechanism underling the robo-adviser’s functioning, the context of a public or private offering and may not involve the provision services it provides will be considered as investment service relating of any investment service other than, as the case may be, investment to financial instruments within the meaning of the Law of 25 October advice or reception and transmission of orders. 2016. This investment service will be considered either as investment Crowdfunding platforms offering these types of alternative funding advice or portfolio management and companies using robo-advice on a services must be authorised by the FSMA and are subject to rules of professional basis will be subject to regulatory requirements applicable conduct. Regulated entities (credit institutions and investment firms) do to investment firms providing the above-mentioned services. not, however, need an additional licence to provide alternative funding services, but they must notify the FSMA and comply with the same rules Insurance products of conduct as the platforms. 15 Do fintech companies that sell or market insurance products If the investment exceeds certain thresholds, a prospectus must be in your jurisdiction need to be regulated? issued and approved by the FSMA. No prospectus is required where the project remains below €300,000 (per project) and €5,000 (per investor). Yes. Insurance intermediaries must be licensed by the FSMA before starting their activities as broker, agent or sub-agent. Intermediaries Invoice trading who only act as ‘introducers’ (ie, who only provide general information 11 Describe any specific regulation of invoice trading in your without interfering with the practical execution of insurance contracts or jurisdiction. with the handling of claims) are not subject to licensing requirements. Insurance intermediaries must prove to the FSMA that they have Factoring (on a stand-alone basis) is not a regulated activity. In Belgium, sufficient professional knowledge and adequate experience, and they factoring is based on the transfer of ownership of the accounts receiv- have to comply with ongoing requirements. able. It is the activity whereby the factor (the buyer of the receivables) Furthermore, Belgian law has introduced MiFID-like conduct of pays an agreed percentage of approved debts in exchange for the business rules in the insurance sector, which include rules on suitability transfer of the related receivables by the client (the seller of the assessment and inducements. receivables). A distinction is made between ‘non-recourse’ factoring (where Credit references credit protection is part of the factoring agreement) and ‘with recourse’ 16 Are there any restrictions on providing credit references or factoring (where the credit risk on the debtors of the receivables credit information services in your jurisdiction? remains with the seller). Some factoring contracts (also referred to as ‘invoice discounting’) There are two credit information registers: the CICR and the Central permit the client to manage the receivables on the factor’s behalf. The Corporate Credit Register (CCCR), which are both operated by the NBB. contract generally provides that this option can be switched off if the The CICR records information relating to all consumer credits and client does not comply with its obligations with due and proper care. mortgage loans contracted by natural persons for private purposes as well as any payment defaults resulting from these loans. The sharing of credit data is an obligation for regulated financial institutions (including www.lexology.com/gtdt 19 © Law Business Research 2020 Belgium Simmons & Simmons LLP

banks, firms specialising in consumer credit or mortgage loans and SALES AND MARKETING credit card issuers). Furthermore, regulated lenders have an obligation to consult Restrictions the CICR in the process of assessing the borrower’s creditworthiness. 19 What restrictions apply to the sales and marketing of financial Credit data to be reported in the CICR include the debtor’s or co-debtor's services and products in your jurisdiction? identification details, the characteristics of the credit contract and the details of the overdue debt. Financial products (such as investment products, savings products The CCCR records information on credits granted to legal persons and insurance products) (enterprises) and natural persons (individuals) in connection with their Marketing materials for financial products are governed by Royal Decree business activity. Participation in the CCCR is mandatory for some finan- dated 25 April 2014 and Financial Services and Markets Authority (FSMA) cial institutions, including: guidance, which regulate the advertising of financial products where • credit institutions established in Belgium and licensed by the distributed to retail clients. ‘Marketing materials’ means any communi- NBB (also branches incorporated under foreign law established cation designed specifically to promote the acquisition of the product, in Belgium); irrespective of the medium used or the method of dissemination. • finance-lease companies established in Belgium and licensed by The general requirements are that: the FPS Economy; • the information included in the marketing materials shall not be • factoring companies established in Belgium; and misleading or incorrect; • insurance companies established in Belgium and licensed for • only information relevant for the Belgian market should be presented; classes 14 (guarantee insurance) and 15 (credit insurance) • it is recommended to translate the marketing materials into French by the NBB. or Dutch as there is a general requirement that the marketing materials must be understandable by a retail investor (also, technical Participants have to report each month to the CCCR all informa- terms should be avoided or, if it is impossible to avoid using technical tion on any current contract (granted amounts) and non-repayments. terms, they should be explained in a way that is easily understand- Participants, debtors as well as other central credit offices abroad may able for a retail client where these terms appear); consult the data recorded in the CCCR. • the marketing materials should not emphasise the potential benefits of the product without also giving a fair, balanced and visible indica- CROSS-BORDER REGULATION tion of the risks, limits or conditions applicable to the product; • the marketing materials should not disguise, mitigate or conceal Passporting important items, mentions or warnings; 17 Can regulated activities be passported into your jurisdiction? • the marketing materials should not highlight characteristics that are not relevant or that are of little relevance for a sound understanding All financial services benefiting from European passporting rights of the nature and the risks of the product; may be provided by EEA firms licensed in their home country under • the information conveyed in the marketing materials should be in one of the EU single market directives (eg, the Banking Consolidation line with the information in the prospectus or any other contractual Directive, Capital Requirements Directive, Solvency II, Markets in or pre-contractual information; and Financial Instruments Directive (MiFID II), Insurance Mediation • any advertisement should be clearly recognisable as such. Directive, Insurance Distribution Directive, Mortgage Credit Directive, Undertakings for Collective Investments in Transferable Securities Furthermore, detailed guidance is provided by the FSMA for the marketing Directive, Alternative Investment Fund Managers Directive, Payment materials to comply with the non-misleading information principle. Services Directive or E-Money Directive) either on a cross-border Detailed content requirements apply. The presentation of performance basis without a permanent establishment in Belgium or through a figures is also highly regulated. Belgian branch. To exercise this right, the firm must first provide notice to its home Consumer credit regulator. The directive under which the EEA firm is seeking to exercise The Belgian Code of Economic Law contains provisions on advertising, passporting rights will determine the conditions and processes that the (pre-contractual) information requirements, misleading and aggressive firm has to follow. commercial practices and unfair contract terms. Furthermore, under certain conditions and limits, non-EEA firms All advertising setting out the interest rate or the costs of the credit may be authorised to provide investment services (as defined under must be drafted in a clear, summarised and explicit way, and contain MiFID II) either on a cross-border basis in Belgium or through a specific legal information that must be illustrated by a representative Belgian branch. example. Advertising must also include the warning: ‘Be aware, borrowing money costs money’. Some advertising practices are also prohibited – Requirement for a local presence for example, encouraging consumers to regroup their existing credits, 18 Can fintech companies obtain a licence to provide financial emphasising the ease and speed by which credit can be obtained and services in your jurisdiction without establishing a local such like. presence? CHANGE OF CONTROL The Belgian regulator only grants licences to companies established in Belgium. However, EEA fintech firms may exercise passporting rights Notification and consent to provide services in Belgium. Under certain conditions and limits, 20 Describe any rules relating to notification or consent non-EEA firms may also be authorised to provide (MiFID) investment requirements if a regulated business changes control. services on a cross-border basis in Belgium or through a Belgian branch. Shareholders intending to hold (directly or indirectly) a qualifying holding in certain regulated businesses must make a prior notification to, and be

20 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Belgium approved by, the Financial Services and Markets Authority or the National banking network. As long as all the required formalities are fulfilled, Bank of Belgium, as appropriate. A qualifying holding means any direct however, it should be possible to structure secured loans. or indirect holding that represents 10 per cent or more of the capital or voting rights, makes it possible to exercise a significant influence over the Assignment of loans management of the undertaking, or both. There are additional thresholds 24 What steps are required to perfect an assignment of at 20, 30 and 50 per cent and companies may decide to insert specific loans originated on a peer-to-peer or marketplace lending thresholds in their articles of association. In addition, shareholders platform? What are the implications for the purchaser if the ceasing to hold a qualifying holding, or reducing their holding below 10, assignment is not perfected? Is it possible to assign these 20, 30 or 50 per cent, must also make a prior notification to the relevant loans without informing the borrower? Belgian regulator. Finally, shareholders who have acquired a direct or indirect holding The formalities for assignment will depend on how the lending is struc- of 5 per cent or more (or have reduced their holding to below 5 per cent) tured (via a loan agreement or a debt instrument and through a direct of capital or voting rights must make a notification to the relevant Belgian or an indirect model). regulator within 10 business days of the acquisition. As a general rule, and in the absence of any contractual provisions prohibiting the transfer, the transfer of a loan agreement by the lender FINANCIAL CRIME requires the express prior consent of the borrower (as an agreement involves both rights and obligations for both parties). Such consent may Anti-bribery and anti-money laundering procedures be granted in the loan agreement itself. Alternatively, the lender can 21 Are fintech companies required by law or regulation to have transfer only its rights (ie, its receivable in relation to the borrower) procedures to combat bribery or money laundering? without the express consent of the borrower. Indeed, according to article 1690 of the Belgian Civil Code, the transfer of a receivable or There is no legal or regulatory requirement for fintech companies to have right is valid between parties (transferor and transferee) and enforce- anti-bribery or anti-money laundering procedures unless the company able in relation to all third parties other than the assigned debtor (ie, the is a licensed financial institution (eg, a payment services institution) or borrower) by the mere conclusion of the transfer agreement. However, carries out business that is subject to the Belgian anti-money laundering the transfer will only become enforceable in relation to the borrower regulations. Specific customer due diligence and know-your-customer once the transfer is notified to it or once the borrower has acknowl- obligations apply to e-money products. Fintech companies, regardless of edged the transfer. In practice, if (and as long as) the assignment is whether they are authorised, ought to have appropriate financial crime not perfected, this means that repayment is validly made to the initial policies and procedures in place as a matter of good governance and lender. The latter can act as servicer for the receivables, which, in prac- proportionate risk management. tice, avoids having to notify the borrowers upfront. The transfer of consumer loans is subject to specific rules. If secu- Guidance rity rights are attached to the loans, additional formalities may also 22 Is there regulatory or industry anti-financial crime guidance be required. for fintech companies? The formalities to transfer a debt instrument depend on the type of instrument (bearer, registered or dematerialised) and whether the latter There is no anti-financial crime guidance specifically for fintech firms. is freely negotiable or not. The general rules and standards set out for regulated financial institu- If the applicable transfer formalities are not fulfilled, the transfer tions apply, particularly the circulars issued by the Belgian regulators could be held to be unenforceable towards the borrower and possibly (the National Bank of Belgium and the Financial Services and Markets third parties. Authority). These documents are helpful for non-authorised fintech firms and may inform their own internal financial crime policies and procedures. Securitisation risk retention requirements 25 Are securitisation transactions subject to risk retention PEER-TO-PEER AND MARKETPLACE LENDING requirements?

Execution and enforceability of loan agreements Yes, the EU risk retention rules apply to securitisations of loans 23 What are the requirements for executing loan agreements or originated on a peer-to-peer or marketplace lending platform (P2P secu- security agreements? Is there a risk that loan agreements ritisations). The risk retention requirements set out in the sectoral EU or security agreements entered into on a peer-to-peer or legislation will apply to P2P securitisations that are offered to European marketplace lending platform will not be enforceable? banks, investment firms, alternative investment funds or insurers. Under the current sectoral EU risk retention rules, certain investors As a general rule, there are no documentary or execution requirements (such as credit institutions, Markets in Financial Instruments Directive- applicable to loan and security agreements (other than security over real regulated firms and firms regulated under the Alternative Investment estate), which can be signed by private contract and in counterparts (with Fund Managers Directive) will be subject to higher regulatory capital as many originals as there are parties to the agreement). The nature charges where they invest in securitisation positions that do not comply of the collateral will determine the type of security that can be granted with the risk retention rules. and the formalities required to make it enforceable in relation to third Those rules require that either the sponsor, originator or original parties. The revision of the legal regime applicable to security interests in lender in respect of the securitisation explicitly discloses to the investor movable assets (which came into force in early 2018), whereby it became that it will retain, on an ongoing basis, a material net economic interest possible to perfect such security by way of filing in a central register. in the securitisation (which in any event is not less than 5 per cent) Consumer loans, however, are subject to specific formal and content using one of five prescribed retention methods. Those methods include, legal requirements. among other things, retention of: In the current Belgian market, peer-to-peer loans generally do • the most subordinated tranches, so that the retention equals no less not involve security agreements as they operate outside the traditional than 5 per cent of the nominal value of the securitised exposures; www.lexology.com/gtdt 21 © Law Business Research 2020 Belgium Simmons & Simmons LLP

• 5 per cent of the nominal value of each of the tranches sold to documents that would prevent it from disclosing information about the investors; or loans and the relevant borrowers to the SPV and the other securitisation • randomly selected exposures equivalent to no less than 5 per cent parties. If there are such restrictions in the underlying loan documenta- of the nominal value of the securitised exposures. tion, the assignor will require the consent of the relevant borrower to disclose to the SPV and other securitisation parties the information they The definitions of ‘sponsor’ and ‘originator’ as used in the sectoral EU require before agreeing to the asset sale. legislation are set out in Regulation (EU) 2017/2402. The term ‘original In addition, the SPV will want to ensure that there are no restric- lender’ is undefined. tions in the loan documents that would prevent it from complying with Since 1 January 2019, there has been a direct requirement on the its disclosure obligations under Belgian and EU law (such as those sponsor, originator and original lender to agree on an entity that will act set out in the Credit Rating Agency Regulation). Again, if such restric- as retention holder and to ensure compliance with the retention require- tions are included in the underlying loan documents, the SPV would be ment. In the absence of agreement among the originator, sponsor and required to obtain the relevant borrower’s consent to such disclosure. original lender as to who will be the retention holder, the originator will Furthermore, if the borrowers are individuals, the SPV, its agents be the retention holder. Definitions of ‘sponsor’, ‘originator’ and ‘original and the peer-to-peer platform will each be required to comply with the lender’ are set out in the EU Securitisation Regulation. statutory data protection requirements under Belgian law. The EU Securitisation Regulation does not explicitly set out the jurisdictional scope of the ‘direct’ retention obligation, but there is a helpful ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER note in the Explanatory Memorandum to the European Commission’s TECHNOLOGY AND CRYPTO-ASSETS original proposal for the EU Securitisation Regulation that the intention is that the ‘direct’ approach would not apply to securitisations (including Artificial intelligence P2P securitisations) where none of the originator, sponsor or original 27 Are there rules or regulations governing the use of artificial lender is ‘established in the EU’. ‘Establishment’ is typically described by intelligence, including in relation to robo-advice? reference to the jurisdiction in which the legal entity is incorporated or has its registered office. Therefore, the non-EU subsidiary of an EU entity Currently, there is no specific regulation on robo-advice or artificial may not be subject to the ‘direct’ retention obligation because a subsid- intelligence in Belgium. iary is typically a separate legal entity, whereas a non-EU branch of an EU entity may be caught within this provision because a branch is typically Distributed ledger technology not a separate legal entity. Market participants are still seeking clarity on 28 Are there rules or regulations governing the use of this and it is expected that this point will be raised as part of the ongoing distributed ledger technology or blockchains? European Banking Authority (EBA) consultation on risk retention. Distributed ledger technology is in a developmental phase and, as a Possible retaining entities in respect of P2P securitisations consequence, it is not yet subject to specific legal or regulatory rules Typically, a peer-to-peer lending platform will not qualify as the ‘sponsor’, or guidelines. Several legal and regulatory issues need to be carefully ‘originator’ or ‘original lender’ of a P2P securitisation, and another entity considered relating to the clearing, settling and recording of payments, with the capacity to retain will, therefore, need to be identified. The range securities, derivatives or other financial transactions. The impact of of entities with capacity to retain is broader under the EU Securitisation various rules and regulations must be analysed and may be relevant Regulation than under the current EU sectoral legislation and, therefore, in respect of digital transformation initiatives, such as the Central the ability of an entity to retain will depend on the rules that apply at the Securities Depositories Regulation, the Settlement Finality Directive, time the securitised notes are issued. the European Market Infrastructure Regulation, Markets in Financial Any entity that retains in the capacity of ‘originator’ is expected to Instruments Directive and so on. Outsourcing arrangements also need be an entity of substance, and the EU Securitisation Regulation expressly to be carefully reviewed where regulated firms outsource technological provides that an entity shall not be considered to be an originator where innovations to third parties. it has been established or operates for the sole purpose of securitising Data protection requirements and customer data protection also exposures. The EU Securitisation Regulation does not specify in what need detailed analysis because of the transparency of transactions, circumstances an entity will be considered to have been established for which is inherent to the blockchain technology, and the fact that once the sole purpose of securitising exposures but, in December 2017, the data is stored it cannot be altered (this could be an issue for the compli- EBA published a consultation paper that proposed that an originator will ance with the right for rectification or the right to be forgotten). not be considered to have been established with the ‘sole purpose’ of Given that the nodes on a blockchain can be located anywhere in securitising exposures if it satisfies certain conditions, including that: the world, the determination of the data controller, applicable law and • it has a broader business enterprise and strategy; competent courts in the case of litigation and the drafting of appropriate • it has sufficient decision makers with the required experience; and contractual provisions in that respect are also essential. • its ability to make payment obligations depends neither on the A particular point of attention relates to the status of the decen- exposures to be securitised nor on any exposures retained for the tralised autonomous organisations that are used to execute smart purposes of the risk retention regulations. contracts, recording activity on the blockchain.

22 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Belgium

(2009/110/EC) as implemented in Belgian law, e-money means ‘mone- to the Protection of Individuals regarding the Processing of Personal tary value as represented by a claim on the issuer that is stored Data and came into force on 5 September 2018. The GDPR, however, electronically, issued on receipt of funds of an amount not less in value remains the principal legislation governing the processing of personal than the monetary value issued, and accepted as a means of payment data as only few provisions of the Belgian law concern private compa- by undertakings other than the issuer’. Digital Instruments do not fall nies. The GDPR provides how data controllers (the natural person under this definition as they do not represent a claim on the issuer, or legal person, which, alone or jointly with others, determines the which is not obliged to exchange them back to real money. Furthermore, purposes and means of the processing of personal data) may process they are purely digital and not necessarily linked to the real funds upon the personal data of living individuals (data subjects). The GDPR which they were issued. requires that businesses may only process personal data where that Consequently, digital instruments are currently not regulated processing is done in a lawful, fair and transparent manner. The Belgian under Belgian law. No licence is required to issue digital instruments law provides some specific provisions on the consent, the processing of and they are not subject to regulatory supervision. Digital instruments health-related and judicial data, the processing for statistical purposes do not benefit from legal protection. The Financial Services and Markets or scientific research, exceptions to data subjects’ rights, etc. Authority (FSMA) has issued several warnings advising the Belgian The GDPR requires that any processing of personal data must public against the risks of these currencies (eg, the risk of consider- be done pursuant to one of six lawful bases for processing. The most able currency fluctuations and the risk of losing the virtual money if the commonly used lawful basis for processing is to obtain the consent of trading platform is hacked). the data subject to that processing – in relying on this lawful basis, the business must ensure that consent is freely given, specific, informed and Digital currency exchanges unambiguous, and capable of being withdrawn as easily as it is given. 30 Are there rules or regulations governing the operation of Other lawful bases for processing data include where that processing digital currency exchanges or brokerages? is necessary for the business to perform a contract it has with the data subject, or where required to comply with a legal obligation. A distinction must be made between e-money and virtual curren- The GDPR also provides a set of rights for the data subjects, cies. E-money is currently regulated by the second E-Money Directive including the right to information, the right to access to their personal (2009/110/EC), which refers to, among others, the Anti-Money data, to correct their personal data should it be inaccurate, the right Laundering Directive (now 2015/849 EU) setting out various rules to oppose (upon request and free of charge) the processing of their regarding the operation of exchanges or brokerage offices in the EU. personal data for marketing purposes, the right to withdraw one’s Additionally, the Law of 11 March 2018 on the Status and Supervision consent and the right to data portability. of Payment Institutions and Electronic Payment Institutions amends The GDPR also differs from the previous regime in that it places a the Investment Law, which sets out similar rules for the operation of significantly increased compliance burden on businesses, including, for e-money currency exchanges and brokerage as those applicable to non- example, mandatory requirements to notify regulators of data breaches, digital currencies. obligations to keep detailed records on processing and requirements for Virtual currencies, however, are not subject to regulatory supervi- most entities to appoint a data protection officer. sion and there are no rules or guidelines relating to the operation of The Belgian Data Protection Authority is the body that controls exchanges or brokerage offices in Belgium for these digital currencies. compliance with the GDPR and applicable Belgian law by businesses. Various warnings in respect of digital currency exchanges have been Data subjects now have the right to lodge a complaint with the Belgian issued by the FSMA. Data Protection Authority. Significant administrative sanctions (up to the greater of €20 million and 4 per cent of the worldwide turnover) can be Initial coin offerings imposed following a breach of the GDPR. 31 Are there rules or regulations governing initial coin offerings Recital 26 of the GDPR states that where data has been processed (ICOs) or token generation events? such that it is truly anonymised, the principles within the GDPR do not apply to the processing of that data. Businesses will have to determine The FSMA issued a communication on ICOs in Belgium on 13 November what steps must be taken to ensure that personal data is indeed truly 2017, building on a communication by the European Securities and anonymised. Markets Authority on the same subject and on the same date. While The Article 29 Working Party (an EU body comprising repre- no specific regulatory rules are in place for ICOs, depending on its sentatives from data protection regulators across the member states) structuring it might fall within the scope of more generic Belgian laws released Opinion 05/2014 on Anonymisation Techniques (in the context such as the law implementing the Prospectus Directive and the law on of the previous EU data protection regime). This Opinion discusses the crowdfunding platforms. main anonymisation techniques used – randomisation and generalisation (including aggregation). The Opinion states that when assessing the DATA PROTECTION AND CYBERSECURITY robustness of an anonymisation technique, it is necessary to consider: • if it is still possible to single out an individual; Data protection • if it is still possible to link records relating to an individual; and 32 What rules and regulations govern the processing and • if information can be inferred concerning an individual. transfer (domestic and cross-border) of data relating to fintech products and services? In relation to aggregation, the Opinion further states that aggregation techniques should aim to prevent a data subject from being singled out There are no regulations specifically governing the processing and by grouping them with other data subjects. While aggregation will avoid transfer of personal data relating to fintech products and services. the risk of singling out, it is necessary to be aware that links and infer- However, the processing and transfer of personal data relating to ences may still be possible with certain aggregation techniques. fintech products and services shall be governed by the General Data The position on anonymisation taken from the Article 29 Working Protection Regulation (GDPR), which took effect on 25 May 2018. The Party’s Opinion is broadly unchanged in the GDPR. The GDPR itself GDPR was implemented in Belgium by the Law of 30 July 2018 relating also gives limited guidance on anonymisation in Recital 26, requiring www.lexology.com/gtdt 23 © Law Business Research 2020 Belgium Simmons & Simmons LLP

data controllers to consider a number of factors in deciding if personal OUTSOURCING AND CLOUD COMPUTING data has been truly anonymised, including the costs and time required to de-anonymise, the technology available at the time to attempt Outsourcing de-anonymisation, and further developments in technology. 34 Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of Cybersecurity a material aspect of its business? 33 What cybersecurity regulations or standards apply to fintech businesses? When a Markets in Financial Instruments Directive firm outsources operational tasks of critical importance to the continuous and satis- Belgium has implemented Directive (EU) 2016/1148 (the NIS Directive) factory provision of investment services and activities, it has to take by way of the Belgian Law of 7 April 2019 (entered into force on 3 May appropriate measures to limit the associated operational risk. In 2019) establishing a framework for the security of network and informa- particular, the outsourcing must not substantially affect the effective- tion systems of general interest for public security. The Law applies to ness of the internal control procedures of the company or the ability sectors of banking and financial market infrastructure and establishes, of the regulator to check whether the company is fulfilling its legal among others, security and notification requirements for operators obligations. of essential services and for digital service providers. Many practical The Financial Services and Markets Authority has issued a circular aspects provided for in the Law of 7 April 2019 are further elaborated on on sound management practices for outsourcing by credit institutions in a Belgian Royal Decree dated 12 July 2019. and investment firms, and, recently, the National Bank of Belgium issued The Payment Services Directive (EU) 2015/2366 entered into a recommendation on outsourcing by credit institutions and investment force on 12 January 2016, setting out, among others, rules concerning firms to providers of cloud computing that implements the recommen- strict security requirements for electronic payments and the protec- dations of the European Banking Authority on this subject. tion of consumers’ financial data, guaranteeing safe authentication and reducing the risk of fraud. Belgium implemented the provisions of the Cloud computing Payment Services Directive by way of the Belgian Law of 11 March 2018. 35 Are there legal requirements or regulatory guidance with Regarding cybersecurity, the Law of 11 March 2018 stipulates a security respect to the use of cloud computing in the financial services policy containing a number of obligations for payment service providers. industry? Furthermore, Regulation (EU) 526/2013 is of importance in the fintech sector, as it establishes the European Union Agency for Network There are no specific legal requirements with respect to the use of cloud and Information Security (ENISA). ENISA provides recommendations on computing in the financial services industry. However, the outsourcing cybersecurity, supports policy development and its implementation, and of cloud computing by regulated entities is subject to regulatory super- collaborates with operational teams throughout Europe for the purpose vision from both a data protection and an IT security perspective. of contributing to a high level of network and information security within the EU. INTELLECTUAL PROPERTY RIGHTS Moreover, on 13 September 2017, the European Commission published the Proposal for a Regulation of the European Parliament and IP protection for software of the Council on ENISA, the ‘EU Cybersecurity Agency’, and repealing 36 Which intellectual property rights are available to protect Regulation (EU) 526/2013, and on ICT cybersecurity certification. The software, and how do you obtain those rights? Proposal reinforces ENISA’s role in the areas where the agency is already competent, and introduces new areas where support is needed, Under Belgian law, computer programs (or software) are protected by in particular the NIS Directive, the review of the EU Cybersecurity copyright (article XI.294-XI.304 of the Belgian Code of Economic Law) and Strategy, the upcoming EU Cybersecurity Blueprint for cyber crisis assimilated as literary works in the meaning of the Berne Convention. cooperation and ICT security certification. Copyright protection also covers the source code, object code, architec- Additionally, on 17 May 2017, the European Parliament adopted ture of the software and preparatory design materials (provided that Resolution 2016/2243 on fintech: the influence of technology on the they can lead to a computer program). Ideas and principles that underlie future of the financial sector. This resolution further underlines that any element of a program, including those that underlie its interfaces, regulation on the provision of financial services infrastructure needs are, however, excluded from the copyright protection. to provide for appropriate incentive structures for providers to invest The author of the software owns the rights as soon as it is created, adequately in cybersecurity and emphasises the need for end-to-end provided that the software is original. No registration is required to security across the whole financial services value chain. This resolution benefit from the protection. For evidentiary purposes, it is, however, is non-binding and has a purely advisory function. useful to include the name of the author and the creation date in the Finally, in March 2018 the European Commission adopted an action code of the software and to file it with a public notary or the Benelux plan on fintech, setting out a number of steps that the Commission Office for Intellectual Property. intends to take, one of which is to increase cybersecurity and the integ- If the software code has been kept confidential it may also be rity of the financial system. The action plan mentions the fact that the protected as confidential information. No registration is required, but European Parliament has called on the Commission ‘to make cyberse- confidentiality agreements are recommended if third parties have curity the number one priority in the fintech action plan’. It states that access to it. the transposition by member states of the NIS Directive is ongoing but Computer programs and business methods are explicitly excluded that gaps may remain in EU financial sector legislation that should be from patent protection. The exclusion from patentability is, however, filled to improve the sector’s resilience. Therefore, we can expect this limited to the software as such and it is possible to grant a patent to an field to evolve in the near future. invention implemented by or including a piece of software. In Belgium, databases underlying software programs may also be protected by copyright (article XI.186-XI.188 Belgian Code of Economic Law) and, in certain circumstances, by sui generis database right (Book

24 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Belgium

XI, Title 7 Belgian Code of Economic Law). The database right is a stan- discloses confidential information and to enter into proper confidenti- dalone right that protects databases that have involved a substantial ality agreements with those persons. These confidentiality agreements investment in obtaining, verifying or presenting their contents (article should include provisions such as the definition of confidential informa- XI.306 Belgian Code of Economic Law). Both database copyright and tion, the duration of the confidentiality obligations (knowing that under database rights arise automatically without any need for registration. general Belgian civil law, it is always possible to terminate an obliga- Database rights do not apply to computer programs as such, including tion for an indefinite term against ‘reasonable’ notice, meaning that a those used in the manufacture or operation of databases. fixed term should be provided in the confidentiality agreement) and the limited use of trade secrets and confidential information regarding the IP developed by employees and contractors purpose of a specific project. 37 Who owns new intellectual property developed by an Legal proceedings are, in principle, public, so it would be possible employee during the course of employment? Do the same to hear trade secrets and confidential information during hearings or rules apply to new intellectual property developed by pleadings. In addition, the Belgian Judicial Code does not restrict access contractors or consultants? to documents including trade secrets – it provides for principles of collaboration as regards production of evidence in court proceedings Unless otherwise provided in writing, where a computer program is and the requirement for any party to submit all documents to the other created by an employee in the execution of his or her duties or following party, without specifications or exceptions concerning trade secrets. the instructions given by his or her employer, the employer will be In practice, however, it appears that, depending on the interest that exclusively entitled to exercise all economic rights in the program so is considered most relevant, Belgian (commercial) courts may choose created. This means that the IP rights subsisting in a computer program to limit the production of evidence to certain elements or even block are automatically transferred to the employer when an employee has access to or disclosure of trade secrets (eg, if there is no sufficient developed the software in the framework of his or her employment evidence of a breach). contract. This automatic transfer only applies to the economic rights, not the moral rights of the author. The rule is different for other forms of IP Branding rights, meaning that (except for above-mentioned computer programs), 40 What intellectual property rights are available to protect IP that is created by an employee in execution of his or her employment branding and how do you obtain those rights? How can contract in principle belongs to the employee himself or herself, unless fintech businesses ensure they do not infringe existing a clause explicitly stipulates that it belongs to the employer. brands? Where IP is developed by a contractor or a consultant, the rights are owned by the author of the software (ie, the contractor or the Brands can be protected by a Benelux trademark (covering the Benelux consultant). The fintech company will only own the economic rights territory) or by an EU trademark (covering the EU territory). Registration if they have been explicitly transferred in writing (even if the fintech is required to obtain a trademark right (with the Benelux Office for company has commissioned the software). The same goes for other IP Intellectual Property for Benelux trademarks or with the European developed by a contractor or consultant. Therefore, contracts must be Union Intellectual Property Office (EUIPO) for EU trademarks). carefully drafted. Brands can also be protected by market practices if they have acquired sufficient goodwill in the market and another undertaking tries Joint ownership to take advantage of the reputation or market position of the brand. 38 Are there any restrictions on a joint owner of intellectual Brands in the form of logos or slogans can also be protected by property’s right to use, license, charge or assign its right in copyright as artistic works (provided they are original) or by Benelux intellectual property? or EU design and models rights (provided that they are new and have specific character). There are no legal restrictions to the exercise of IP rights by a joint The Benelux Office for Intellectual Property and EUIPO have public owner. However, in general, an agreement is required between the joint databases that can be consulted to check the availability of a design owners regarding their respective IP rights, in the absence of which the or trademark. It is highly advisable for new businesses to conduct IP rights must be exercised jointly. There are certain exceptions to this, trademark and design searches to check whether earlier registrations depending on the type of IP. exist that are identical or similar to their proposed brand names. It may also be advisable to conduct searches for any unregistered trademark Trade secrets rights that have gained sufficient distinctiveness on the market that may 39 How are trade secrets protected? Are trade secrets kept prevent use of the proposed mark. Specialised companies offer services confidential during court proceedings? to carry out these searches.

Belgium mainly implemented the Trade Secrets Directive (EU) 2016/943 Remedies for infringement of IP in Book XI of the Code of Economic Law. The Directive requires member 41 What remedies are available to individuals or companies states to provide protection for information that: whose intellectual property rights have been infringed? • is secret, in the sense that it is not generally known among, or readily accessible to, persons within the circles that normally deal The following remedies and proceedings may be available: with the kind of information in question; • (unilateral) primary injunction; • has commercial value because it is secret; and • cease-and-desist action; • has been subject to reasonable steps by the holder of the informa- • damages; and tion to keep it secret. • application with custom authorities for border detention.

If a competitor legally obtains the trade secrets or confidential information of a company, it is, in principle, free to use it. Therefore, it is highly recommended to be prudent regarding the persons to whom one www.lexology.com/gtdt 25 © Law Business Research 2020 Belgium Simmons & Simmons LLP

COMPETITION start-up is a micro-enterprise). The investment (shares) must be retained for at least four years to benefit from the tax shelter. Since Sector-specific issues assessment year 2019, the tax shelter system has been extended to 42 Are there any specific competition issues that exist with new equity investments in growth companies, via capital increases respect to fintech companies in your jurisdiction? in cash in the fifth to 10th year after their incorporation. The tax reduction amounts to 25 per cent of the investment; Competition law (ie, Book IV of the Belgian Code of Economic Law and • the provision of loans by physical persons via approved crowd- the EU competition rules in the case of an effect on trade between EU funding platforms is encouraged fiscally by a (withholding) tax member states) applies to all undertakings carrying out business in exemption on the interest of the loans up to the first bracket of Belgium, irrespective of their sector. Hence, the competition law rules €15,860 (assessment year 2021) and this for the first four years of (such as the prohibition of anticompetitive agreements, the prohibi- the loan. This (withholding) tax exemption is subject to the loans tion of abuse of dominance, merger control and, in Belgium as of 1 having a minimum maturity of four years and is only applicable if December 2020 at the latest, abuse of economic dependence) apply to the loans have been provided to start-up companies not older than fintech companies. four years; While fintech is generally considered to be beneficial for consumers • start-up companies can benefit from reduced labour costs, via (because of cost reduction, improvements in efficiency, greater trans- a retention of 10 per cent or 20 per cent (if employer is micro- parency and increased financial inclusion), it could raise competition law enterprise) of the payroll tax withheld by the employer on the issues. Competition authorities in all jurisdictions, including Belgium, employee salaries; face a range of potentially complex competition law issues in relation to • the new innovation tax deduction of 85 per cent of the net income fintech offerings. These are likely to include: realised by companies also applies to income and gains from copy- • the extent to which a fintech solution has or obtains (through right protected software, including adaptations of existing software growth, acquisition or joint venture) market power (eg, because of and derivative works; big data or network effects) and the consequences of this; • an increased deduction for investment in certain digital assets and • the risks that the definition of any technical standards involved in environmental friendly R&D investments and patents of 13.5 per any jointly developed fintech solution result in other third parties cent of the acquisition value; and being excluded; • private individuals trading in bitcoins are not necessarily taxed on • whether banks are limiting access of fintech companies to bank the gains as professional income, but insofar the trade is specula- accounts and thereby hindering competition in the payment market. tive in nature (short holding period, high risk, etc), the gains may be The European Commission, in this context, conducted dawn raids taxed as miscellaneous income at 33 per cent, with an exemption in 2017 at the premises of banking associations in, among others, from social security contributions. the Netherlands and Poland (the investigation is on-going as at the time of writing); Increased tax burden • the extent to which there can be any exclusivity between the finance 44 Are there any new or proposed tax laws or guidance that and technology providers of a fintech offering; and could significantly increase tax or administrative costs for • the limits of any specified tying or bundling. The European fintech companies in your jurisdiction? Commission, in this context, started to investigate Apple in 2019 because the company would direct users of iPhones towards As far as we know, Belgium is not intending to launch a separate digital Apple Pay over other payment methods such as those of Google or tax that could affect fintech companies, but closely monitors the OECD Samsung (the investigation is on-going as at the time of writing). work on the digitalised economy. In particular, the current focus is on the OECD/G20 Inclusive Framework (Pillar One on revised nexus and On 9 July 2018, the Economic Affairs Committee of the European profit allocation rules and Pillar Two on development of a global anti- Parliament published a study regarding competition issues in fintech. base erosion proposal and minimum tax proposal) to address the tax The study concludes that the procompetitive effects of fintech needs challenges arising from the digitalisation of the economy and what the to be weighed against the anticompetitive effects and that, currently, impact (if any, taking into account the proposed exclusion of at least it would be better to research, monitor and regulate than to enforce regulated financial services from Pillar One) may be of these proposals through the usual competition tools (ie, investigate and sanction). on, inter alia, the Belgian fintech sector.

TAX IMMIGRATION

Incentives Sector-specific schemes 43 Are there any tax incentives available for fintech companies 45 What immigration schemes are available for fintech and investors to encourage innovation and investment in the businesses to recruit skilled staff from abroad? Are there fintech sector in your jurisdiction? any special regimes specific to the technology or financial sectors? In support of the ‘Digital Belgium’ action plan, the Belgian federal government has introduced a number of tax incentives that are avail- To work in Belgium for a longer period than 90 days, foreign workers able to fintech companies and investors subject to certain conditions must have a valid work permit. This condition does not apply to nationals being met. These incentives include, among others: of a member state of the EEA (the countries of the EU and Iceland, • the Belgian tax shelter regime for start-ups, which provides for a Norway and Liechtenstein) and Switzerland and to some categories of tax reduction for physical persons who invest in start-ups, has been workers who are exempted. extended to direct and indirect equity investments via approved Belgian employers must apply for a single permit if they want to crowdfunding platforms. The tax reduction amounts to up to 30 employ a foreign worker. per cent or 45 per cent of the invested amount (45 per cent if the There are no special regimes specific to the fintech sector.

26 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Belgium

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

Not to our knowledge.

Coronavirus Vincent Verkooijen [email protected] 47 What emergency legislation, relief programmes and other initiatives specific to your practice area has your state Jérémie Doornaert implemented to address the pandemic? Have any existing [email protected] government programmes, laws or regulations been amended Martin Carlier to address these concerns? What best practices are advisable [email protected] for clients? Dimitri Van Uytvanck [email protected] Despite the various measures enacted by Belgium to mitigate the effects of the covid-19 pandemic, companies in Belgium generally Marc de Munter remain subject to Belgian regulations and bound by the contractual [email protected] arrangements they entered into. In this respect, clients are advised to operate with the same approach as they did before the crisis and to Avenue Louise 143 liaise with competent authorities or external counsel in circumstances 1050 Brussels where specific issues arise. Belgium Tel: +32 2 542 09 60 Finance Fax: +32 2 542 09 61 Federal measures www.simmons-simmons.com These include: • a €50 billion state guarantee scheme for all new credit and credit lines of up to a 12-month duration that credit institutions grant to non-financial companies and viable self-employed persons for Employment their activities in Belgium; A simplified procedure for temporary unemployment was approved by • Belgian companies, organisations and self-employed persons the government on 20 March 2020. All temporary unemployment owing financially affected by covid-19 can apply to their credit institutions to covid-19 is considered as temporary unemployment owing to force for a deferral of payment of their corporate credits for a maximum majeure. In the case of force majeure it is not required that the company of six months; cease activities completely. In practice, this means that some employees • a temporary moratorium on bankruptcies has been introduced, may be temporary unemployed and others may not. This simplified according to which, between 24 April 2020 and 17 June 2020 procedure is applicable until 30 June 2020. There is a possibility that (included), any company in financial difficulty because of covid-19 this will be prolonged. will be protected against any executory or conservatory measures and any declaration of bankruptcy, judicial dissolution or Competition forced transfer; In relation to competition law, the Belgian Competition Authority – in a • a payment scheme for debts owed to the administration to provide joint statement with other European competition authorities – stated financial leeway to enable companies to overcome their temporary it would continue to apply antitrust rules, but would not actively inter- financial difficulties, which includes: vene against necessary and temporary measures put in place to avoid • a payment plan; a shortage of supply. • exemption from interest on arrears; and On 8 April 2020, the European Commission issued a Temporary • remission of fines for non-payment; Framework relating to business cooperation in response to situations • bridging rights for the self-employed; and of urgency stemming from the covid-19 outbreak (see Simmons & • flexibility in the execution of federal government contracts. Simmons’ article on the Temporary Framework published on 8 April 2020 for more information). The relevance of this Temporary Framework Regional measures for the fintech sector appears to be limited. These include: • premiums granted to companies on which full closure is imposed Data privacy owing to covid-19 measures; and Belgium has not adopted any specific measures to derogate or • funds made available by several regional institutions, and, more specifically govern the processing of personal data in the context of specifically, Participatiemaatschappij Vlaanderen developed three- a pandemic. The Belgian Data Protection Authority has made it clear year subordinated loans under which a medium-term financial that the principles and obligations under the General Data Protection buffer with subordinated loans of up to €800,000 over three years Regulation (GDPR) and Belgian implementing legislation would be is available for start-ups, scale-ups, small and medium-sized enter- softened in the context of a pandemic. General principles and obliga- prises and the self-employed. tions under the GDPR and Belgian implementing legislation should, therefore, fully apply.

www.lexology.com/gtdt 27 © Law Business Research 2020 Brazil

Nei Zelmanovits, Thais De Gobbi, Pedro Nasi, Vicente Braga, Érica Yamashita, Diego Gualda, Vinicius Costa and Alina Miyake Machado Meyer Advogados

FINTECH LANDSCAPE AND INITIATIVES In the case of the BCB, all the actions described above are part of a broader agenda, in place since 2018 and currently known as ‘Agenda General innovation climate BC#’, which seeks to foster financial inclusion, competition, transparency 1 What is the general state of fintech innovation in your and education, and identifies the fintech sector as a strategic partner. jurisdiction? FINANCIAL REGULATION As a developing country with a young population, a culture of plurality, a strong appetite for social media, a high percentage of unbanked popu- Regulatory bodies lation and tens of millions of entrepreneurs, Brazil has a lively and 3 Which bodies regulate the provision of fintech products and booming fintech scene. According to recent data, there are more than services? 700 fintech entities in Brazil (an increase of more than 30 per cent since last year), employing around 40,000 people. Fintech products and services involving payment (the issuance of pre- Although, historically speaking, Brazilian regulators were very paid cards and credit cards, acquiring services, etc) and lending are cautious and not particularly sympathetic towards innovation, this subject to the rules issued by the National Monetary Council (CMN) and has been gradually changing over the past few years, especially the Central Bank of Brazil (BCB), whereas those regarding securities, as policymakers see the fintech sector as an opportunity to foster such as crowdfunding, are subject to the regulatory framework issued some long-desired competition and financial inclusion in the finan- by the Securities and Exchange Commission (CVM). cial industry. Led by a few already well-established companies, the sector enjoys Regulated activities massive adherence and political support from the general public and is 4 Which activities trigger a licensing requirement in your expected to grow further in the upcoming years. jurisdiction?

Government and regulatory support The legal framework for financial institutions in Brazil is set by Law No. 2 Do government bodies or regulators provide any support 4,595 of 31 December 1964, while Law No. 6,385 of 7 December 1976 specific to financial innovation? If so, what are the key regulates securities offerings and trading. Several activities trigger a benefits of such support? licensing requirement in Brazil pursuant to applicable regulations, including: Since 2018, the Central Bank of Brazil (BCB) has allowed payment insti- • conducting banking business (ie, performing financial intermedi- tutions (payment fintech companies) to function outside its regulation ation on a regular and professional basis through the raising of and supervision – including without the need for a licence – as long as funds from the public in general, as well the custody of values on their activities do not reach specific operational thresholds. The BCB also behalf of third parties: this requires authorisation from the BCB; created two new categories of financial institution with simpler regula- • rendering certain types of payment services: this requires authori- tory requirements to accommodate credit-granting fintech entities that sation from the BCB upon reaching the thresholds set forth in perform their services exclusively through electronic platforms: direct applicable regulations; lending companies and peer-to-peer lending companies. • dealing in securities transactions in regulated markets as principal In mid-2019, the BCB, the Securities and Exchange Commission or agent (ie, securities brokerage services): this requires authorisa- (CVM) and the Superintendence of Private Insurance, together with the tion from the BCB and the CVM; Special Finance Bureau of the Ministry of Economy, jointly announced • rendering investment advisory services: this requires authorisa- their intention to set up a regulatory sandbox for fintech companies to tion from the CVM; and test and develop new products. The first of those initiatives is expected • operating in the foreign exchange market: this requires authorisa- to begin by the end of 2020. tion from the BCB. Both the BCB and the CVM, together with other entities, engage with and support financial innovation labs (the Financial and Technology Innovation Laboratory (launched by the BCB) and the Laboratory of Financial Innovation (in connection with the CVM)), which are aimed at providing guidance and identifying opportunities and obstacles to the fintech sector.

28 Fintech 2021 © Law Business Research 2020 Machado Meyer Advogados Brazil

Consumer lending individuals to enter into a lending and financing transaction among 5 Is consumer lending regulated in your jurisdiction? themselves, exclusively by means of electronic platforms. Crowdfunding platforms (and the offer of securities in connection Yes. The provision of consumer lending in Brazil (eg, overdraft, credit thereof) are subject to a specific rule issued by the CVM and may only be card invoice financing and consumer loans) is restricted to financial operated by a legal entity duly authorised by the CVM to do so. institutions duly authorised to operate by the BCB and subject to certain specific rules. Alternative investment funds Interest rates vary depending on the institution and are not subject 8 Are managers of alternative investment funds regulated? to specific limits (except for overdraft interests, which were recently limited to 8 per cent per month). Administrators of any investment fund, which are responsible for a However, when extending credit to individuals, micro-companies group of services related to the maintenance and proper operation of and small companies, financial institutions must disclose to the client, the fund, such as treasury, bookkeeping, custody of financial assets and prior to the execution of the credit transaction, the total effective cost, portfolio management, are regulated by the CVM and are required to expressed as an annual percentage rate, which evidences the sum of obtain a licence before commencing their activities. all the costs related to the transaction (including taxes and fees). This Administrators may delegate certain responsibilities to third allows consumers to compare the total cost of the loans offered by parties, such as portfolio management activities. Portfolio managers different institutions. (either individuals or legal entities) are also regulated by the CVM and Individuals, micro-companies and small companies are also enti- are required to obtain a specific licence. tled to prepay their debts, in whole or in part, without having to pay any additional fees in connection thereof. Peer-to-peer and marketplace lending Furthermore, when entering into transactions with, or rendering 9 Describe any specific regulation of peer-to-peer or services to, consumers, financial institutions are also subject to the marketplace lending in your jurisdiction. Consumer Defence Code. SEPs are financial institutions of which the main purpose is to enable Secondary market loan trading individuals to enter into lending and financing transactions among 6 Are there restrictions on trading loans in the secondary themselves exclusively by means of electronic platforms. Transactions market in your jurisdiction? intermediated by SEPs will have the characteristics of a linked credit transaction, in which there is a link between the funds raised from the In general, no, provided that the loans do not have a securities nature creditors and the corresponding loan transaction entered into with the in accordance with applicable laws and regulations. Certain exceptions debtor, with the respective subordination of the repayment of the funds apply, such as in respect of direct lending companies, which may only delivered by the creditors to the payment of the loan transaction by the assign credit to financial institutions, receivables investment funds and debtors. Granting of loans with their own funds, as well as any type of securitisation companies. risk retention, either directly or indirectly, is not allowed for SEPs. To be effective towards the debtor, the debtor must be notified of SEPs may also provide certain ancillary services in connection with the credit assignment. their main activity, such as credit analysis for clients and third parties, collection of debts on behalf of clients and third parties and issuance of Collective investment schemes electronic money, according to applicable regulations. 7 Describe the regulatory regime for collective investment Finally, SEPs must: schemes and whether fintech companies providing • be incorporated as corporations and have paid-up stock capital and alternative finance products or services would fall within its shareholders’ equity of 1 million reais; scope. • segregate their funds from the funds of creditors and debtors; • provide information to their clients and users in respect of the In Brazil, the types of special condominium (pool of assets) directed to nature and complexity of the transactions and services offered; investment purposes, of which the portfolio is indirectly owned by their • use a proper credit analysis model; and investors (quota holders) proportionally to the amounts invested by • comply with proportional operational and prudential requirements each of them (investment funds) and their permitted investments, are consistent with their size and profile. subject to the rules and regulatory oversight of the CVM. Investment funds are divided into two main groups: Crowdfunding • ‘traditional’ investment funds, which may invest in several different 10 Describe any specific regulation of crowdfunding in your types of financial assets (eg, equity, fixed income, real estate and jurisdiction. derivatives); and • structured funds, such as: Crowdfunding in Brazil is regulated by the CVM and defined as the • private equity funds, which may invest mainly in securities (eg, raising of funds through public offers for the distribution of securities shares and subscription bonuses) and convertible notes; and issued by small businesses conducted with exemption from registration • credit receivables investment funds, which may invest in through an electronic investment platform. credit rights arising from different sectors of the economy, The rule expressly excludes peer-to-peer loans from its activities such as financial, industrial and commercial ones. (which are regulated by the BCB). However, the regulation does not limit the type of security to be offered; therefore, small businesses may Fintech companies, such as peer-to-peer lending and crowdfunding issue shares, debentures or other securities as long as they are legally platforms, are subject to a different regulatory regime. available. Peer-to-peer lending platforms are operated by peer-to-peer The public offering (which is limited to 5 million reais) must take lending companies (SEPs), which are a type of financial institution place through an electronic platform managed by a company duly incor- (and not an investment fund), the main purpose of which is to enable porated in Brazil and registered with the CVM, which is responsible for www.lexology.com/gtdt 29 © Law Business Research 2020 Brazil Machado Meyer Advogados

verifying compliance by the issuer and the offering with applicable regu- Only financial institutions belonging to segments S1 and S2 of latory requirements. the Brazilian financial system (which mainly comprises major banks), The offers are intended for any type of investor, subject to a 10,000 according to segmentation rules set forth in Brazil, will be required to reais investment limit per calendar year (exceptions apply to certain join open banking at its inception. Other institutions, such as payment investors, such as qualified investors). institutions, are allowed to participate on a voluntary basis, but only The grouping of investors supporting a lead investor in ‘participatory those licensed by the BCB may take part in the open banking directly. investment syndicates’ is expressly allowed, as is the incorporation of an Non-licensed institutions may participate through partnerships investment vehicle for those purposes (subject to certain requirements). with authorised participant institutions. Any participation must follow the principle of reciprocity (ie, the recipient must also share informa- Invoice trading tion). All regulated institutions offering payment accounts, on-demand 11 Describe any specific regulation of invoice trading in your deposit accounts and savings accounts will also be required to join open jurisdiction. banking in its third phase (August 2021) in respect of payments initiation services and the sharing of data related to those services. Trade notes are regulated by Law No. 5,474 of 18 July 1968 as well as by The new regulation is based on the principle that registration data Decree No. 57,663 of 24 January 1966, which also governs the endorse- and information on the products and services provided belong to the ment of trade notes, jointly with the Civil Code. customer, and it is up to him or her to decide whether to share them Furthermore, in May 2020, the CMN and the BCB issued two rules with third parties. Therefore, consent will always be required before any governing the use of book-entry trade notes. Following the trend of customer data sharing. dematerialisation of financial assets and securities seen in the Brazilian Self-regulatory provisions will play an important role in the imple- market in recent decades, the new rules regulate: mentation of open banking in Brazil. Participants will be required to • financial transactions guaranteed by book-entry trade notes and discuss, prepare and execute a convention regulating operational the discounting or sale of those receivables; and aspects of the ecosystem, such as technological standardisation, • the bookkeeping activity of those securities. communications and security protocols, reimbursements among participants, disputes resolution and standardisation of data and service The rules aim to provide greater security for issuance, registration, layouts, among others. This convention will be subject to approval settlement and trading in respect of those transactions. The main by the BCB. change introduced by the rules is the mandatory use of registered book- entry trade notes. Financial institutions should, therefore, require their Robo-advice counterparts, in particular sellers who wish to discount their receiva- 14 Describe any specific regulation of robo-advisers or other bles, to issue and register the respective book-entry trade notes. companies that provide retail customers with automated access to investment products in your jurisdiction. Payment services 12 Are payment services regulated in your jurisdiction? There is no specific regulatory framework for robo-advisers. However, the CVM has already identified three main activities performed by The legal framework for payment services in Brazil is set by Law No. robo-advisers: the provision of financial advice, asset management and 12,865 of 9 October 2013. A licence is required upon reaching specific financial analysis (robo-traders are considered financial analysts). As operational thresholds if the fintech company executes the following each of these activities is specifically regulated by the CVM, a robo- types of payment services: adviser providing any of these must comply with the same regulatory • issuance of electronic money and associated services, such as requirements applicable for traditional providers. issuance of prepaid instruments, management of prepaid payment accounts and provision of payment transactions based on elec- Insurance products tronic money deposited into those accounts; 15 Do fintech companies that sell or market insurance products • issuance of post-paid payment instruments (such as credit in your jurisdiction need to be regulated? cards); and • acquiring services. Insurance companies and the marketing of insurance products in Brazil are subject to regulation and supervision by different authorities: the Fintech companies providing the payment services mentioned above Superintendence of Private Insurance and the National Council of Private are defined by applicable legislation as payment institutions. Insurance. Only duly licensed insurance companies may provide insur- Owners of card networks (ie, the legal entities in charge of ance coverage in Brazil. The solicitation and intermediation of insurance managing the rules, procedures and the use of the brand associated contracts may be carried out only by licensed insurance brokers. with a card network) must request authorisation for the card network Pursuant to applicable regulations, legal entities may promote and that they operate (upon reaching certain triggers). Card networks are market insurance products for and on behalf of insurance companies, defined by applicable regulations as the set of rules governing the use acting as their representatives. Insurance representatives do not need of payment instruments accepted by more than one recipient entity. to be regulated or obtain any type of authorisation, but they must act within the powers established in the relevant agreement executed with Open banking the relevant insurance company. 13 Are there any laws or regulations introduced to promote Insurance representatives may not act as brokers; therefore, competition that require financial institutions to make any sales of insurance products carried out by the representative are customer or product data available to third parties? considered direct sales by the insurance company if not intermediated by a duly licensed broker. The BCB recently issued baseline regulations for open banking (via Only certain lines of insurance may be sold through this channel, application programming interfaces) based on the UK model, the imple- namely the simpler insurance, such as all risks, travel, extended mentation of which is expected to start in November 2020. warranty, life, unemployment and consumer credit.

30 Fintech 2021 © Law Business Research 2020 Machado Meyer Advogados Brazil

Not all licensed fintech companies may act as insurance represent- CHANGE OF CONTROL atives. Payment institutions (direct lending companies and peer-to-peer lending companies) are authorised to act as insurance representa- Notification and consent tives for the distribution of insurance products that are related to their 20 Describe any rules relating to notification or consent lending activities. requirements if a regulated business changes control.

Credit references Any transaction resulting in a change of control (direct or indirect) 16 Are there any restrictions on providing credit references or of a licensed fintech company (ie, payment institution, direct lending credit information services in your jurisdiction? company and peer-to-peer lending company) is subject to the prior approval of the Central Bank of Brazil, which must be requested within Yes. Credit references and credit information services are regulated 15 days of the execution of the relevant agreements. The approval under the Positive Register Law (Law No. 12,414 of 9 June 2011) and the process takes from around six months to one year and involves the Positive Register Decree (Decree No. 9,936 of 24 July 2019). A licence submission of several documents of the new shareholders. from the CVM is required when carrying out credit-rating operations In general terms, during the approval process the potential new regarding securities in Brazil. controller must evidence its knowledge on the segment of business Any company providing such information on natural persons that the fintech company operates in and that its financial capacity is must comply with the Brazilian General Data Protection Law (Law No. compatible with the size, nature and purpose of the acquired business, 13,709/2018). among other things.

CROSS-BORDER REGULATION FINANCIAL CRIME

Passporting Anti-bribery and anti-money laundering procedures 17 Can regulated activities be passported into your jurisdiction? 21 Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering? There is no concept of passporting rights in Brazil. To engage in regulated financial activities, a company must apply for the relevant licences, Fintech companies include a myriad of entities engaged in different the process of which may impose special requirements on foreign types of business. Some fintech companies are regulated by the Central companies. Bank of Brazil (BCB), some are subject to the Securities and Exchange Commission (CVM), and some may not be subject to any specific Requirement for a local presence government body. 18 Can fintech companies obtain a licence to provide financial In respect of those subject to the BCB and the CVM, there are specific services in your jurisdiction without establishing a local regulations to be observed in addition to Law No. 9,613 of 3 March 1998 presence? on the money laundering offence and preventative measures. Recent regulations issued by the BCB and the CVM, which will No. All fintech companies must establish a local presence in Brazil to soon come into full effect, introduced a new framework on this matter, obtain a licence (assuming that a licence applies; not all fintech activities founded on a risk-based approach. Following international practices, the are regulated). new rules contemplate both full and simplified procedures (depending on the risk of money laundering), and it is reasonable to believe that SALES AND MARKETING best practices and standard procedures adopted by the market may play an important role. Restrictions In respect of non-regulated fintech entities, including cryptocur- 19 What restrictions apply to the sales and marketing of rency exchanges, in some circumstances, they may be subject to certain financial services and products in your jurisdiction? rules (such as the maintenance of client files and the reporting of suspicious transactions to the Council for Financial Activities Control (COAF), The reception and transmission of orders in relation to financial instru- a federal government body responsible for anti-money laundering and ments is a regulated financial activity, as is the provision of financial counterterrorist financing). These rules are particularly important for advice and financial analysis regarding securities. Thus, the sale and those engaged in the digital currency business and other fintech compa- marketing of financial services and products in Brazil is subject to nies not regulated by the BCB and the CVM. licensing requirements. Generally, the information provided to market financial services Guidance and products must be straightforward and truthful, not mislead the 22 Is there regulatory or industry anti-financial crime guidance customer and be restricted to its suitable audience. The financial for fintech companies? services and products providers may also be subject to additional marketing rules as specified in the laws and regulations governing the There is no anti-financial crime guidance specifically for fintech compa- specific types of financial services or products. nies; however, cryptocurrency exchanges and the various payment institutions that participate in the payment chain but are not regulated (including sub-acquirers) are having discussions to determine how certain anti-money laundering and counterterrorist financing obligations should be implemented. Moreover, the COAF frequently engages in educational initiatives as part of the National Strategy Against Corruption and Money Laundering.

www.lexology.com/gtdt 31 © Law Business Research 2020 Brazil Machado Meyer Advogados

To be valid, loan and security agreements are subject to the same Securitisation confidentiality and data protection requirements general requirements set forth by the Civil Code for the validity of 26 Is a special purpose company used to purchase and securitise any agreement (be executed by capable parties; have a licit, feasible, peer-to-peer or marketplace loans subject to a duty of determined or determinable object or purpose; and be formalised in a confidentiality or data protection laws regarding information manner provided by, or not prohibited by, applicable laws). relating to the borrowers? Furthermore, the validity of the transaction is dependent on the absence of any legal defects (such as fraud in enforcement procedures, Brazilian financial institutions (such as SEPs and SCDs) are subject to fraud against creditors and simulation). banking secrecy requirements. In summary, they are prevented from In general, credit transactions executed on a peer-to-peer platform disclosing to third parties any information concerning the transactions are formalised through bank credit notes, which are subject to addi- and services provided by them to their customers, except in certain situ- tional requirements, and signed electronically, which is permitted by ations provided by applicable laws. applicable laws and regulations. It is debatable whether third parties, such as investment funds and Specific requirements may be applicable to security instruments securitisation companies purchasing loans originated by financial insti- depending on their type. tutions, would also be subject to banking secrecy requirements. In any case, provided that the relevant loan and security agree- In any case, according to the Brazilian General Data Protection ments entered into on a peer-to-peer or marketplace lending platform Law (which is not yet in full force), a purchaser of the relevant loans are compliant with applicable laws and regulations (and that the peer- is subject to specific data protection obligations in respect of personal to-peer lending company (SEP) or the direct lending company (SCD) data, which is defined as any information relating to an identified or is duly authorised by the Central Bank of Brazil), those transactions identifiable natural person (including identifying numbers, location should be deemed valid for all legal purposes. data or electronic identifiers when these are related to a person). In those cases, it will be necessary to evaluate the role of the contracting Assignment of loans parties as controllers or processors in the context of the operation and 24 What steps are required to perfect an assignment of to include the applicable data protection provisions in the agreements loans originated on a peer-to-peer or marketplace lending to safeguard the parties accordingly. platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER loans without informing the borrower? TECHNOLOGY AND CRYPTO-ASSETS

With regard to SCDs (which may provide direct loans using their own Artificial intelligence funds), the loans are usually formalised through bank credit notes 27 Are there rules or regulations governing the use of artificial (issued by clients to the SCD), which may be transferred by the SCD intelligence, including in relation to robo-advice? through endorsement or assignment (the latter carried out pursuant to the rules of the Civil Code). In general, loans are assigned by the SCDs There is no specific regulatory framework for the use of artificial to finance their operations. intelligence in financial markets. Furthermore, there is no legal distinc- SEPs may adopt different business models. Some of those finan- tion between robo-advice and traditional investment advice in Brazil. cial institutions endorse the relevant credit instrument issued to their As such, companies providing robo-advice must fulfil the same legal benefit (by the borrower) to the creditor (which includes investment requirements as companies providing traditional investment advice, funds and securitisation companies). which are regulated by the Securities and Exchange Commission (CVM). Assignment of credit pursuant to the Civil Code is subject to registration with the registries of the titles and deeds of the place where the Distributed ledger technology relevant parties reside if they are to be effective towards third parties. 28 Are there rules or regulations governing the use of On the other hand, endorsements are not subject to this registration distributed ledger technology or blockchains? requirement. Although the Civil Code requires the borrower to be notified for Not presently, but there are certain bills under discussion in the House a credit assignment to be effective towards the borrower, the lack of of Representatives that, if approved, will establish a regulatory frame- notification does not affect the validity of the assignment between the work for digital currency transactions, exchanges and wallets. parties. From a practical standpoint, SEPs and SCDs usually collect payments from borrowers on behalf of creditors (assignees), which Crypto-assets is why the absence of notification does not pose an issue under those 29 Are there rules or regulations governing the use of crypto- structures. assets, including digital currencies, digital wallets and e-money?

Currently, no. As a general rule, digital currencies are considered as intangible movable assets (with high liquidity) that are, in principle, not subject to banking or securities laws and regulations in Brazil.

32 Fintech 2021 © Law Business Research 2020 Machado Meyer Advogados Brazil

The Central Bank of Brazil (BCB) has issued certain public notices DATA PROTECTION AND CYBERSECURITY acknowledging that digital currencies such as bitcoin are virtual currencies and, thus, would be different from electronic currencies (e-money), Data protection which are governed by Brazilian payment and electronic currency laws 32 What rules and regulations govern the processing and and regulations. Electronic currencies are funds (based on the ‘official transfer (domestic and cross-border) of data relating to currency’ or fiat currency) stored in electronic devices or electronic fintech products and services? systems that allow for end users to enter into payment transactions. Digital or virtual currencies, on the other hand, are not considered offi- The processing and transfer of data should be verified according to the cial currencies even though they may work as a means for end users to scope, regardless of whether the processing or transfer would include enter into payment transactions. personal data. In Brazil, personal data is considered to be any information In one of those public notices, the regulator stated that transactions relating to an identified or identifiable natural person. with digital currencies that imply international transfers denominated in The Brazilian General Data Protection Law (LGPD), which provides foreign currencies must take place in accordance with the applicable the general rules for privacy and data protection in Brazil, sets forth the foreign exchange regulations (in particular, the requirement to enter conditions of any processing and transferring (including cross-border into any foreign exchange transaction exclusively through institutions transfer) of personal data. The LGPD is expected to enter into full force authorised to operate in the foreign exchange market). on 3 May 2021. Currently, there are certain bills being discussed in the House of Cross-border personal data processing is allowed: Representatives that, if approved, may affect digital currency transac- • to countries or international organisations that provide the appro- tions, exchanges and wallets. In particular, the bills propose to place priate level of protection of personal data, as approved by the digital currency transactions and exchanges under the BCB’s supervi- Brazilian National Data Protection Authority; sion, create a series of rules and principles for their activity and protect • where the controller provides and demonstrates guarantees of user resources in the event of exchange bankruptcy. Although there compliance with the principles and rights of the data subject and is still much uncertainty regarding future regulation, there should be data protection regime established in the law, in the form of: more discussions and public hearings about these bills in the House of • specific contractual clauses for a given transfer; Representatives in the coming months. • standard contractual clauses; • binding corporate rules; or Digital currency exchanges • seals, certificates and codes of conduct that are regularly issued; 30 Are there rules or regulations governing the operation of • when the transfer is required for international legal cooperation digital currency exchanges or brokerages? between government intelligence, investigation and police bodies, in accordance with the international law instruments; Currently, digital currency exchanges or brokerages are not specifically • when the transfer is required for the protection of life or the physical regulated in Brazil. However, digital currency exchanges domiciled in integrity of the data subject or any third party; or Brazil for tax purposes must make certain tax-related reports to the • for other reasons, such as consent or compliance with a legal or Federal Revenue Service (RFB) in respect of transactions involving regulatory obligation by the controller. crypto-assets carried out by users and their yearly balance information. The RFB defines an ‘exchange of crypto-assets’ as a legal entity that For anonymised data (when the data relates to a data subject who cannot offers services related to crypto-assets transactions, including inter- be identified), considering the use of reasonable and available technical mediation, negotiation and custody – accepting any payment means, means at the time of the processing, there is no restriction on the transfer including crypto-assets. The definition is very broad and encompasses of the information. different kinds of companies dealing with crypto-assets. Fintech companies licensed by the Central Bank of Brazil (BCB) must comply with certain rules on the outsourcing of relevant data storage, Initial coin offerings data processing and cloud computing services in Brazil or abroad when 31 Are there rules or regulations governing initial coin offerings those services are considered critical services within the institution. As a (ICOs) or token generation events? general rule, they must guarantee the confidentiality, integrity and availability of the data and systems, and they must ensure that their partners Currently, ICOs or other token generation events are not regulated in and third-party service providers also have policies, procedures and Brazil. The CVM has issued statements and investor alerts advising that controls to prevent incidents related to the cyber environment as well as unregistered public offerings of tokens that constitute a security under ensure the security of sensitive information. The outsourcing of critical Brazilian laws are illegal when they involve securities, subjecting the services must be reported to the BCB, and, if services are contracted offering and the parties to applicable sanctions. In other words, if the abroad, authorisation is required in the absence of agreement for the underlying rights attributes a security nature to the relevant asset, the exchange of information between the BCB and the supervisory authority transaction, the issuer and other parties involved must comply with of the country where the data storage and processing services will applicable securities laws and regulations. When evaluating if a certain be provided. coin offering is a security offering, the CVM has been applying a test similar to the Howey test. Cybersecurity 33 What cybersecurity regulations or standards apply to fintech businesses?

Fintech companies licensed by the BCB (ie, payment institutions, direct lending companies and peer-to-peer lending companies) must comply with specific cybersecurity regulations. In general terms, applicable regulations establish that these entities must guarantee the confidentiality, integrity and availability of the data and information systems; put in place www.lexology.com/gtdt 33 © Law Business Research 2020 Brazil Machado Meyer Advogados

policies, procedures and controls to prevent incidents related to the cyber Certain specific provisions must be included in the relevant environment; and ensure the security of sensitive information. outsourcing agreements. As a general rule, the regulated institution To that end, licensed fintech companies must put in place a cyber- outsourcing the services must verify that the service provider is able security policy that takes into consideration the entity’s size, risk profile to ensure: and business model, as well as the nature of the operations and data • compliance with Brazilian laws and regulations; sensitiveness. An action and response plan in respect of security inci- • access by the regulated institution to the data to be processed or dents must be established as well. stored by the service provider; The cybersecurity policy must, among other things, comprise: • confidentiality, integrity, reliability, availability and recovery of the • procedures and controls adopted to reduce vulnerability to incidents; data to be processed or stored by the service provider; • specific controls, including those directed at information traceability, • adherence to the certifications required by the institution for the that aim to ensure the security of sensitive information; rendering of the services; • procedures to record incidents relevant to the entity’s activities as • access by the institution to the reports prepared by an independent well as the analysis of their cause and impact, and the control of audit company hired by the service provider in respect of the proce- their effects; dures and controls used in the rendering of the services; • guidelines on: • supply of information and management resources adequate to • the development of scenarios that reflect incidents considered monitor the services; in business continuity tests; • identification and segregation of the data of the clients of the institu- • the definition of procedures and controls directed at the prevention through physical or logical means; and tion and treatment of incidents to be adopted by third-party • the quality of the access controls aimed at protecting the data and providers that handle sensitive data or information, or that are information in respect of the clients of the institution. relevant for the institution’s operational activities; • the classification of data and information according to its Data on Brazilian clients (personal, financial or otherwise) should be relevance; and treated as confidential and should not be transferred to third parties • the definition of parameters to be used in the assessment of the without the express prior consent of those concerned. Data location and relevance of incidents; processing may take place inside or outside the Brazilian territory, but • mechanisms for dissemination of a cybersecurity culture within the access to data stored abroad must be granted at all times to the BCB for entity, including the implementation of programmes for the training inspection purposes. and periodic evaluation of employees, the provision of information to clients and users regarding precautions when using financial prod- Cloud computing ucts and services and the commitment of senior management to the 35 Are there legal requirements or regulatory guidance with continuous improvement of procedures related to cybersecurity; and respect to the use of cloud computing in the financial services • initiatives for sharing information with other entities regarding the industry? relevant incidents. The contracting of critical cloud computing services by licensed enti- The procedures and controls adopted to reduce the institutions’ vulner- ties must follow the requirements imposed by applicable regulations. ability to incidents and to meet other cybersecurity objectives should Cloud computing services encompass the availability of at least one of include, at least, authentication, encryption, intrusion prevention and the following services: detection, information leakage prevention, periodic testing and scanning • data processing, data storage, infrastructure of computer networks for vulnerabilities, protection against malicious software, establishment and other computer services that allow the implementation or of traceability mechanisms, computer network access and segmentation execution of software by a financial institution, including operational controls, and maintenance of data and information backups. systems and applications developed by a financial institution or acquired by it from third parties; OUTSOURCING AND CLOUD COMPUTING • implementation or execution of applications developed by a financial institution or acquired by it from third parties, using computer Outsourcing resources of a third-party service provider; or 34 Are there legal requirements or regulatory guidance with • execution, through the internet, of applications implemented or respect to the outsourcing by a financial services company of a developed by the third-party service provider, using computer material aspect of its business? resources of the third party.

Yes. Licensed institutions must comply with specific rules for contracting INTELLECTUAL PROPERTY RIGHTS data storage, data processing and cloud computing services with third parties in Brazil or abroad when those services are considered critical IP protection for software services within the institution. There are no express guidelines for 36 Which intellectual property rights are available to protect institutions to determine when a service should be qualified as critical; software, and how do you obtain those rights? applicable regulations simply state that the financial institution must take into account the importance of the service and the sensitiveness Intellectual property rights for software in Brazil are regulated by Law of the data and information to be processed, stored or managed by the No. 9,609 of 19 February 1998. Typically, software will be protected under services provider. the Copyright Law and will not be patentable. However, it is possible to The outsourcing of critical services must be reported to the Central require the patent of software related to an invention that meets the Bank of Brazil (BCB), and, if those services are contracted abroad, patent requirements set forth by the Industrial Property Law (Law No. authorisation is required in the absence of agreement for the exchange 9,279 of 14 May 1996). of information between the BCB and the supervisory authority of the The copyright on software provides the holder with all related country where the data storage and processing services will be provided. economic rights, independently of any previous registration. In respect of

34 Fintech 2021 © Law Business Research 2020 Machado Meyer Advogados Brazil moral rights, except for the right to claim the authorship of the software, Joint ownership no other moral rights are applicable. 38 Are there any restrictions on a joint owner of intellectual The owner is also assured the exclusive commercial licensing rights property’s right to use, license, charge or assign its right in of the software and technology transference. In the latter case, the tech- intellectual property? nology transfer agreements must be registered with the National Institute of Industrial Property (INPI) to have effect in relation to third parties. Brazilian copyright law provides for the possibility for co-authorship of When software is protected by copyright, the protection is inde- works. The co-authors (or joint owners) receive legal protection both for pendent of any form of registration, extending for 50 years from its their individual contributions and for the entire work. They must exer- creation, after which the work enters the public domain. However, cise their rights by common agreement (unless otherwise agreed). the owner has the option to register the source code before the INPI If the contributions of each author are not divisible (identifiable), no under Federal Decree No. 2,556 of 20 April 1998. The registration will co-author may publish or authorise the publication of the work without not put forth any differences in the protection of the specific rights over the consent of the others. However, it should be noted that each author the software, but is instead an alternative to publicise the ownership of may defend his or her rights over the work without the consent of the the software. others. The intellectual property produced by them will be an undivided During the 50 years in which the computer programs are protected, part, assuming that each author will have equal and proportional partic- only the owner can authorise its use by third parties by means of a ipation in the software, unless otherwise stipulated in writing. licensing agreement. In the absence of a written licensing agreement, When the work is made through an institution, organisation or legal the tax invoice relating to the acquisition or licensing of a copy of the entity, which is formed by the participation of different authors, whose program will evidence the regularity of its use. contributions merge into an autonomous creation, it is called a collective work, as per section 17 of the Federal Law No. 9,610/98. Article 5, IP developed by employees and contractors item XXVIII, item ‘a’ of the Federal Constitution also ensures individual 37 Who owns new intellectual property developed by an participation in a collective work. employee during the course of employment? Do the same The legislation guarantees to the joint owner of collective work his rules apply to new intellectual property developed by or her due remuneration and establishes the property rights over the contractors or consultants? collective work as a single right of the organisation. The contract with the organisation shall indicate the contribution of each of the partici- Law No. 9,609 of 19 February 1998, which provides the rights and obliga- pants, the remuneration and other conditions for its execution, such as tions for the protection of software’s intellectual property, states that the licensing, charging and the assignment. software ownership developed as a result of services provided within Unlike the co-authorship, the collective work, despite being elabo- a specific contract will belong to the contracting party (an employer, a rated by several people, becomes a unique work, and for this reason, company or a public agency) unless it can be proven that the software the agreement shall establish the participation of each author, and the was created without connection to the performance of the contract and conditions for the economic exploitation of it. without the use of resources, technological information, industrial or commercial secrets, materials, installations or equipment belonging to Trade secrets the contracting party. 39 How are trade secrets protected? Are trade secrets kept The same provisions are applicable in the case of an employment confidential during court proceedings? agreement. Violations of those intellectual property rights may result in penalties. Trade secrets are protected by the Industrial Property Law, which Brazilian copyright laws provide for the possibility for co-authorship characterises as a criminal offence the ‘disclosure, exploitation or use, of works. The co-authors (or joint owners) receive legal protection both without authorisation, of confidential knowledge, information or data, for their individual contributions and for the entire work. They must exer- usable in industry, commerce or the provision of services, excluding cise their rights by common agreement (unless otherwise agreed). information which is publicly known or evident to a person skilled in the If the contributions of each author are not divisible (identifiable), field, to which one has had access through a contractual or employment none of the co-authors may publish or authorise the publication of the relationship’. Penalties may include imprisonment of the offender, from work without the consent of the others. However, each author may three months to one year, or a fine. In addition, the company is liable for defend his or her right over the work without the consent of the others. any proven damages as a civil violation. The intellectual property produced by them will be an undivided part, The Industrial Property Law also assures injured parties ‘the right assuming that each author will have equal and proportional participation to receive compensation for the loss caused by acts of infringement of in the software unless otherwise stipulated in writing. industrial property rights and by acts of unfair competition’. When the work is made through an institution, organisation or legal To prove that one is the lawful holder of the violated rights, it must entity, which is formed by the participation of different authors, whose be evidenced that reasonable steps to maintain the confidentiality of contributions merge into a single creation, it is called a collective work. the information were taken and that access to the information by the The Constitution also ensures individual participation in a collective work. infringing party was fraudulent and unlawful, in breach of contractual The legislation guarantees to the joint owner of a collective work or legal obligations. his or her due remuneration and establishes the property rights over the The injured party can request judicial secrecy over the lawsuit. collective work as a single right of the organisation. The contract with the Furthermore, if a trade secret is disclosed ‘in the course of a court organisation indicates the contribution of each of the participants and the action in order to defend the interests of any of the parties, the judge remuneration and other conditions for its execution, such as licensing, must determine that the case proceed in judicial secrecy’, which implies charging and the assignment. restricted access to the case files and hearings only by the parties, their Unlike co-authorship, the collective work, despite being created lawyers, the judge and his or her clerks. from the collaboration of several people, becomes a unique work, and for this reason, the agreement establishes the participation of each author, and the conditions for the economic exploitation of it. www.lexology.com/gtdt 35 © Law Business Research 2020 Brazil Machado Meyer Advogados

Branding COMPETITION 40 What intellectual property rights are available to protect branding and how do you obtain those rights? How can Sector-specific issues fintech businesses ensure they do not infringe existing 42 Are there any specific competition issues that exist with brands? respect to fintech companies in your jurisdiction?

There are two ways of protecting branding rights in Brazil: the grant of Digital markets have been the focus of competition enforcers worldwide, industrial design registration and the grant of trademark registration (or including Brazil. The banking market is dominated by a few players and brand registration). Both are related to the registration before the INPI. fintech companies are viewed by the Brazilian antitrust authority – the The industrial design registration protects the design of a product. Administrative Council for Economic Defence (CADE) – as disruptive The product should have a new aesthetic or an ornamental aspect that companies, capable of offering more specific and profitable financial differs from existing products. The requirements are that the design products and services and, consequently, of exerting competitive pres- should be new (when it has not been made public in Brazil or abroad sure on banks and other financial institutions. before the deposit of the request to the INPI) and original (when it In this sense, in the past couple of years, CADE has been conducting results from a distinctive visual configuration in relation to other several investigations of alleged anticompetitive practices involving previous objects, including those resulting from the combination of the abuse of dominant position, particularly by financial institutions to known elements). The registration grants ownership to a specific brand. exclude or limit the operations of fintech companies, such as the refusal The conditions for an application for registration can be found in articles to provide services or information that are essential for the operation of 101 to 106 of the Industrial Property Law. their business or providing the services on discriminatory basis. The trademark registration is related to: As for merger cases, although CADE has yet to review a merger • distinctive signs, such as company names or logos, products and filing solely affecting the fintech market, cases involving large banks service marks, used to distinguish them from their competitors that may entail conglomerate or vertical integration issues are being • certification marks, which are those used to certify that a product subject to close scrutiny by CADE to ensure that the acquisition is not or service complies with certain technical specifications; and aimed at alleviating the threat of potential competition or preventing • collective marks, which are used to identify products and services an increase of market power that could further lead to discrimination of the members of a certain entity. or market foreclosure. Behavioural remedies, for instance, have been adopted to ensure future competition in the acquisition by a major bank The conditions for an application for trademark registration can be or stake in a platform for financial products (investments). found in the Industrial Property Law. In October 2019, CADE published a comprehensive report on the Foreign businesses, including in the fintech field, can ensure that payment industry, concluding that its technological developments they do not infringe existing brands in Brazil by properly applying for – including the surge of fintech companies – require a dynamic assess- the registration of its own brand and industrial property before the INPI. ment, with the introduction of more sophisticated and appropriate tools The current legal protection of intellectual and industrial prop- to evaluate the effects of those constant changes on competition in erty in Brazil derives from the Agreement on Trade-Related Aspects of digital markets. The concentration in the banking market, the verticali- Intellectual Property Rights. sation of the players in the payment industry, and the introduction of open banking in Brazil will continue to demand CADE’s attention and Remedies for infringement of IP careful review to ensure competition, innovation and improved welfare. 41 What remedies are available to individuals or companies There is a memorandum of understanding between CADE and whose intellectual property rights have been infringed? the Central Bank of Brazil (BCB) for joint cooperation, providing for coordinated actions, the exchange of information, meetings and discus- Under Law No. 9,609 of 19 February 1998, the violation of a piece of sions, for example, on the legal framework that may impact competition software’s intellectual property is a criminal offence, punishable by the involving institutions regulated by the BCB, as well as collaboration in imprisonment of the offender from six months to two years or a fine, and the review of merger filings or investigation of anticompetitive practices a civil tort. The offender is also liable for all losses and harm suffered involving financial institutions. by the claimant when the offender acts in bad faith or with the intention of imitating the claimant, or commits a gross error by violating a third TAX party’s intellectual property. Crimes against brands and industrial designs may be found in the Incentives Industrial Property Law, accompanied by their respective penalties. The 43 Are there any tax incentives available for fintech companies penalties usually involve a period of incarceration from three months to and investors to encourage innovation and investment in the one year or the application of a fine. fintech sector in your jurisdiction? Crimes or illicit activity that violates copyright can be found in Law No. 9,610 of 19 February 1998, which establishes the obligatory There are no specific tax incentives for fintech companies or investors compensation for losses and damage as well as other applicable sanc- in Brazil. tions, such as the suspension of transmissions or product sales and the Certain fintech companies that invest in research, development destruction of illicit copies, according to the type of violation. and innovation projects and that have surpassed the break-even point currently enjoy reductions from corporate income tax (IRPJ), social contribution on net profits (CSLL), the tax on manufactured products and withholding income tax under Law No. 11,196 of 21 November 2005. These benefits are available to any Brazilian company assessing IRPJ or CSLL under the real profit regime.

36 Fintech 2021 © Law Business Research 2020 Machado Meyer Advogados Brazil

Increased tax burden 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

Certain fintech entities in Brazil (eg, digital banks, direct lending companies and peer-to-peer lending companies) are qualified as financial institutions under Brazilian law. Those entities are subject to taxes imposed on net profits, namely IRPJ and CSLL, and taxes imposed on gross revenues, namely the contribution to the employees’ profit partici- Nei Zelmanovits pation programme (PIS) and the Contribution to the Financing of Social [email protected] Security (COFINS) under the financial institution regime. Thais de Gobbi This regime is more burdensome than the regimes applicable [email protected] to other companies in Brazil: the aggregate rate of corporate income tax and the CSLL is 45 per cent, and the aggregate rate of the PIS and Pedro Nasi [email protected] COFINS is 4.65 per cent (with no credit deductions), rather than the respective rates (with credit deductions) of 34 per cent and 9.25 per Vicente Braga cent applicable to companies assessing the IRPJ and the CSLL under [email protected] the real profit regime. Érica Yamashita Other tax regimes are applicable to small and medium-sized [email protected] companies in Brazil, which are not subject to the financial institutions’ Diego Gualda regime. In those cases, the tax burden tends to be even lower. [email protected] In relation to crypto-asset exchanges, the Federal Revenue Service has created an ancillary obligation for exchanges incorporated in Brazil: Vinicius Costa they must disclose a set of information regarding every transaction [email protected] intermediated by them. Alina Miyake At this stage, the digital taxes that have been created do not affect [email protected] the fintech environment.

Av. Brigadeiro Faria Lima IMMIGRATION No. 3144, 11th floor Sector-specific schemes São Paulo, SP 01451 000 Brazil 45 What immigration schemes are available for fintech Tel: +55 11 3150 7000 businesses to recruit skilled staff from abroad? Are there www.machadomeyer.com.br any special regimes specific to the technology or financial sectors?

There are no specific immigration schemes available for fintech busi- In addition, the advent of regulatory sandbox initiatives promises to nesses, nor for the technology and financial sectors in Brazil. The foster innovation, especially those related to the use of blockchain and ordinary rules described in the Migration Law (Law No. 13,445 of 24 distributed ledger technology. The widespread use of tokenised assets May 2017) and the Migration Decree (Decree No. 9,199 of 20 November is particularly expected, considering how the Securities and Exchange 2017) concerning work and residence permit requirements apply, which Commission (CVM) designed its regulatory sandbox initiative. Moreover, includes the possibility of granting a permit for the provision of services alternatives for trading foreign exchange are expected, as some stable- of technical assistance and technological transfer. coins make their way into the Brazilian market and the BCB welcomes its first cohort of regulatory sandbox applicants. UPDATE AND TRENDS News regarding the development of all these initiatives may be found at the official websites of the BCB and the CVM. Current developments 46 Are there any other current developments or emerging Coronavirus trends to note? 47 What emergency legislation, relief programmes and other initiatives specific to your practice area has your state In 2020, the Central Bank of Brazil (BCB) started to implement the implemented to address the pandemic? Have any existing instant payments system (PIX), which promises to foster competi- government programmes, laws or regulations been amended tion in the retail payment industry – a sector in which fintech entities to address these concerns? What best practices are advisable are overrepresented – and accelerate transactions through mobile for clients? and QR codes. The Brazilian open banking initiative is also scheduled to launch The government has enacted several pieces of emergency legislation its first phase this year. The initiative was initially mostly aimed at insti- and other initiatives, aiming mostly to preserve jobs and to help small tutions already regulated by the BCB, but the regulator was adamant and medium-sized enterprises. about keeping an open door for the participation of non-regulated In the financial sector, the National Monetary Council (CMN) and entities. Participation is designed to take place through partnership the BCB are considering the impacts of the pandemic in financial insti- agreements with regulated entities in a provider capacity, focused on tutions and are openly aware of the challenges of maintaining their enhancing the user’s experience. financial stability while ensuring that the economy has proper access www.lexology.com/gtdt 37 © Law Business Research 2020 Brazil Machado Meyer Advogados

to the lending market. Thus, to provide temporary regulatory relief, the BCB and the CMN have: • postponed the enforcement of several regulatory requirements due to enter in effect throughout the year; • softened the rules regulating reserve requirements for financial institutions to increase liquidity in the financial system; • relaxed the provisioning rules for refinancing loans; and • lowered the capital requirements for smaller and less complex financial institutions.

In addition, specifically regarding the fintech sector, to facilitate access to credit by small and medium-sized enterprises during the pandemic, direct lending companies were authorised to issue credit cards and to grant credit with funding provided by the Brazilian Development Bank.

38 Fintech 2021 © Law Business Research 2020 China

Jingyuan Shi Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES incentives and special funds. Besides, some regions in China, such as Beijing, Guangdong-Hong Kong-Macao Greater Bay Area, Chengdu, General innovation climate Chongqing and Hangzhou, also issued incentive plans for the 1 What is the general state of fintech innovation in your fintech industry. jurisdiction? FINANCIAL REGULATION China’s reputation as a global leader in fintech innovation continues to grow, and fintech companies in China have particular expertise in Regulatory bodies areas such as payments, AI, blockchain and digital currency. Going 3 Which bodies regulate the provision of fintech products and forward, we expect fintech innovation in China to play a substantial services? role in the development of the entire financial services industry. The Chinese government actively encourages innovation by fintech compa- There is no single regulatory body responsible for the regulation of nies. However, the fintech sector remains highly regulated and this fintech products and services. Different fintech services and products seem unlikely to change. In fact, it is possible that fintech companies are regulated by different regulatory bodies. The main regulatory may be subject to greater regulatory supervision in the future, espe- bodies include the People's Bank of China (PBOC), China Banking cially where they carry out business related to peer-to-peer online and Insurance Regulatory Commission (CBIRC) and China Securities lending, blockchain-based currency, online insurance, the central- Regulatory Commission (CSRC). ised storage of deposits in payments sectors, cybersecurity and data protection. Regulated activities 4 Which activities trigger a licensing requirement in your Government and regulatory support jurisdiction? 2 Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key The following activities are regulated and require a licence: benefits of such support? • carrying on securities brokerage; • carrying on securities investment consultancy; In August 2019, the People's Bank of China (PBOC) issued the Fintech • financial advising relating to securities trading or investment; Development Plan (2019–2021) (the Fintech Plan), which calls for • securities underwriting and sponsorship; strengthening the strategic deployment of fintech and the rational • carrying on proprietary account transactions; use of financial technology. The Fintech Plan outlines the principles, • carrying on securities asset management; objectives, tasks and supporting measures of fintech development in • taking in deposits from the general public; the three years from 2019 to 2021. It sets out 27 major tasks covering • handling domestic and foreign settlements; six areas, including measures to remove the data barrier for different • handling, accepting and discounting of negotiable instruments; financial businesses, to accelerate the integration of AI technology and • issuing financial bonds; financial operations. • acting as an agent for the issue, honouring and underwriting of Following the Fintech Plan, the PBOC and other five government government bonds; ministries and commissions approved 10 fintech application pilot prov- • buying and selling government bonds and financial bonds; inces and cities for the term of one year, which are Beijing, Shanghai, • offering and providing discretionary investment manage- Jiangsu, Zhejiang, Fujian, Shandong, Guangdong, Chongqing, Sichuan ment services; and Shanxi. A sandbox scheme was first introduced in Beijing in • buying and selling foreign exchange, and acting as an agent for the December 2019 and expanded to five more cities and districts in late purchase and sale of foreign exchange; April 2020, namely Shanghai, Chongqing, Shenzhen, Xiongan New Area • carrying on fund management services; of Hebei, Hangzhou and Suzhou. • carrying on fund custodian services; The pilot areas mentioned above have issued their own incen- • carrying on derivative products transactions; tive plans. For example, in January 2020, the government of Shanghai • lending micro loans online or offline; and issued the Implementation Plan for Accelerating the Construction of • providing consumer finance services. Shanghai Fintech Centre, which calls for actively exploring financial technology regulatory innovation and carrying out trials for fintech innovations. In addition, the Shanghai government supports fintech companies that meet certain qualifications to apply for relevant tax www.lexology.com/gtdt 39 © Law Business Research 2020 China Simmons & Simmons LLP

Consumer lending are funds managed by fund managers, placed in the custody of fund 5 Is consumer lending regulated in your jurisdiction? custodians and used in the interest of the holders of the fund units for investment in securities. Accordingly, peer-to-peer or marketplace Consumer lending is a regulated activity and is governed by the General lenders or crowdfunding platforms do not fit the definition of collec- Rules of Loans, the Administrative Measures for Pilot Consumer tive investment schemes and do not fall into the regulatory scope Finance Companies (the Consumer Finance Measures) and the of the them. Commercial Bank Law. The General Rules of Loans require that lenders are approved by Alternative investment funds the PBOC to engage in lending business, hold a financial legal person 8 Are managers of alternative investment funds regulated? licence or a financial institution business licence issued by the PBOC, and are approved and registered by the Administration for Industry Managers of alternative investment funds that raise capital from a and Commerce. number of investors and invest it in accordance with a defined invest- The Consumer Finance Measures regulates the operating activities ment policy for the benefit of those investors are regulated. These of consumer finance companies that refer to non-bank financial institu- activities are broadly defined as asset management services, and tions and do not receive public deposits but provide loans to resident may be conducted by securities companies, trust companies and fund individuals within China for consumption purposes (excluding house management companies and their subsidiaries. Managers are subject and vehicle purchases) under the principle of small sum and disper- to different regulatory regimes depending on the specific form of these sion. The consumer finance companies must be approved by the CBIRC. alternative investment funds.

Secondary market loan trading Peer-to-peer and marketplace lending 6 Are there restrictions on trading loans in the secondary 9 Describe any specific regulation of peer-to-peer or market in your jurisdiction? marketplace lending in your jurisdiction.

Trading loans between financial institutions in the secondary market The Interim Measures for the Administration of Business Activities on are subject to regulatory supervision by the CBIRC and the following Online Lending Information Intermediary Agencies (the Online Lending restrictions: Rules), issued on 17 August 2016 by the CBIRC, specifically target • the financial institutions must report certain information to the activities of peer-to-peer lending between individuals through an the CBIRC; internet-based platform. The Online Lending Rules require that the peer- • the transfer of loans is subject to the consent of the borrower and to-peer lending platforms register with the local branch of the CBIRC, the guarantor (if any); apply for the applicable telecommunication service operation licence • all outstanding principal and interest must be transferred and include serving as an internet lending information intermediary as a whole; in its business scope, and shall only act as information intermediaries • parties are prohibited from making any direct or indirect repur- between parties. Peer-to-peer lending platforms must not conduct chase arrangements; and credit enhancement services, cash concentration or fundraising activi- • if the lender is from a consortium, other members of the consor- ties for themselves, or provide security or guarantee arrangements for tium shall have the right of first refusal for such a transfer. lenders. The Online Lending Rules also set out detailed requirements for information disclosure, protection of lenders and borrowers and risk Trading loans between non-financial institutions are generally not control measures. subject to mandatory regulatory restrictions. In the years 2017 to 2019, the Chinese government and relevant regulatory authorities issued various regulations and guidelines Collective investment schemes governing the peer-to-peer online lending industry. The main purpose 7 Describe the regulatory regime for collective investment was to regulate peer-to-peer industry behaviour and enhance supervi- schemes and whether fintech companies providing sion of the industry. alternative finance products or services would fall within its scope. Crowdfunding 10 Describe any specific regulation of crowdfunding in your The establishment and operation of securities investment funds within jurisdiction. China via public and non-public raising of funds is regulated by the Securities Investment Fund Law. The primary regulatory body for The Guideline Opinion on Promoting the Healthy Development of funds in China is the CSRC. Generally, the regulation on public raising Internet Finance has defined equity-based crowdfunding as public equity funds (retail funds) is more detailed and restrictive than for private financing in small amounts through an internet-based platform. The funds. Retail funds and retail fund managers must be registered with Opinion provides that equity crowdfunding must be conducted through the CSRC. Fundraising, fund custodian and investment activities are an agency platform such as a website or other digital medium, and strictly regulated by the CSRC. Agencies that engage in sales, sales that the CSRC will be the regulatory authority for equity crowdfunding payment, unit registration, valuation services, investment consulting, business. In 2016, the CSRC issued an action plan for risk control of rating, information technology system services and other fund services equity-based crowdfunding, prohibiting the establishment of private related to publicly raised funds are subject to registration or record equity funds or public offering of securities through crowdfunding. filing in accordance with the requirements of the CSRC. Private funds In 2014, the Securities Association of China was entrusted by the and private fund managers must register with the Asset Management CSRC to draft a Management Measures for Private Equity Crowdfunding Association of China, an industry self-disciplinary body under the super- (Trial). The Measures were released for public comment in December vision of the CSRC. 2014. However, the final version of the Measures has not yet been offi- Pursuant to article 2 of Securities Investment Fund Law, the defi- cially released. nition of collective investment schemes (securities investment funds)

40 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP China

Invoice trading Robo-advice 11 Describe any specific regulation of invoice trading in your 14 Describe any specific regulation of robo-advisers or other jurisdiction. companies that provide retail customers with automated access to investment products in your jurisdiction. The Chinese Negotiable Instruments Law, issued in 2004, applies to three categories of negotiable instruments including money order, In 2018, the PBOC, the CBIRC, the CSRC and SAFE jointly issued the promissory note and cheque. It provides rules for the transfer, endorse- Guidelines on Standardising the Asset Management Business of ment, acceptance and payment of the three negotiable instruments. Financial Institutions (the Guidelines). The Guidelines define robo-advice However, there is no specific regulation of invoice trading or as investment consulting service, and, thus, institutions or personnel invoice trading platforms in China. Depending on how the business is carrying out robo-advice services must obtain relevant investment structured, a firm that operates an invoice trading platform may be consulting service qualifications. The Guidelines confirm that robo- carrying on a number of different regulated activities for which it must advice services must also strictly comply with the general rules of have permission. asset management services, such as the rules regarding the suitability of investors, investment scope, information disclosure and risk isola- Payment services tion. In addition, the Guidelines also highlight that the development of 12 Are payment services regulated in your jurisdiction? investment algorithms must be diverse, thus avoiding the increase of the pro-periodicity of investment behaviour. Payment services provided by non-financial institutions (payment In addition, some cities, such as Shanghai and Beijing, have services providers) in China are primarily regulated by the PBOC under issued incentive plans for new businesses that include robo-advisers. the Administrative Measures for the Payment Services Provided by For example, Shanghai has issued the Action Plan for Promoting the Non-financial Institutions. Payment services refer to any of the following Development of Online New Businesses of Shanghai City. transfer services provided by non-financial institutions as the intermediaries between the payer and the payee: Insurance products • online payments; 15 Do fintech companies that sell or market insurance products • issuance of prepaid cards; in your jurisdiction need to be regulated? • acceptance of payments using a bank card; and • any other payment services as determined by the PBOC. Yes. In addition to the general insurance laws and regulations, internet insurance companies are obliged to comply with the Interim Measures A payment service provider is required to obtain a payment service for the Supervision of Internet Insurance Business and Implementation licence issued by the PBOC to provide payment services in China. For Rules for the Information Disclosure of Internet Insurance Business cross-border payments, payment services providers will need to obtain a issued by the CBIRC. Insurance companies and brokers must be CBIRC- licence from the foreign exchange authority (ie, the State Administration licensed to carry out their business. They are permitted to conduct of Foreign Exchange (SAFE)), in addition to the payment licence issued internet insurance business on their own online platforms or through by the PBOC. Non-financial payment institutions must deposit customer third-party online platforms (these third-party online platforms are not reserve funds in accounts with the PBOC or qualified commercial banks required to be CBIRC-licensed because all the insurance-related activi- to protect the funds. ties are, and must be, conducted by the licensed insurance companies According to the legislation plan issued by the PBOC on 17 April and brokers, instead of the platform operator). 2020, the drafting of the ‘Measures for the Administration of Cross- border Payment Services’ has been put on the agenda to further Credit references regulate cross-border payment services. 16 Are there any restrictions on providing credit references or credit information services in your jurisdiction? Open banking 13 Are there any laws or regulations introduced to promote Yes. The Administrative Regulations on the Credit Reporting Industry competition that require financial institutions to make are the primary regulations for credit references and credit informa- customer or product data available to third parties? tion services. The providers of corporate credit information services are subject to filing requirements with the PBOC, while the providers of There are currently no such laws or regulations in China. On 13 February personal credit information services are subject to prior approval from 2020, the PBOC issued the financial industry standard of the application the PBOC and stricter qualification requirements. programming interface secure management specification for commer- In 2018, the PBOC issued its first (and the only so far) personal cial banks (not mandatory but recommended). The standard specifies credit rating business licence to Baihang Credit Co, Ltd, a newly estab- the type and security level of the application programming interface lished company comprising the eight companies in the pilot and the (API) of commercial banks and the security design, deployment, inte- National Internet Finance Association. gration, operation and maintenance, termination and system downline and management, as well as other security technology and require- CROSS-BORDER REGULATION ments. Some media organisations report that the financial authorities plan to launch new regulations and policies for the open banking sector Passporting and open API. 17 Can regulated activities be passported into your jurisdiction?

Regulated activities cannot be passported into China.

www.lexology.com/gtdt 41 © Law Business Research 2020 China Simmons & Simmons LLP

Requirement for a local presence FINANCIAL CRIME 18 Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local Anti-bribery and anti-money laundering procedures presence? 21 Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering? In our experience, a licence for regulated activities would only be granted to an entity that has a local presence. Therefore, it is unlikely Yes. The Administrative Measures for Anti-money Laundering and that Chinese regulators, including the People's Bank of China, China Counter-terrorism Financing by Internet Finance Service Agencies (for Securities Regulatory Commission (CSRC) and China Banking and Trial Implementation) issued by the People's Bank of China (PBOC) and Insurance Regulatory Commission, would grant a licence for regulated China Banking and Insurance Regulatory Commission, effective on 1 activities to an entity that was not permanently established in China. January 2019, applies to all the approved institutions that carry out Under special circumstances, foreign securities companies may conduct internet finance business in China. Internet finance businesses include certain activities within China subject to the approval of the CSRC. but are not limited to online payment, peer-to-peer lending, peer-to- Foreign institutions may provide financial information services without peer lending information intermediary services, equity crowdfunding a local presence in China subject to the approval of the Cyberspace financing, internet fund sale, internet insurance, internet trust and Administration of China, which is the primary authority for internet internet consumption finance. content regulation in China. Institutions other than financial institutions and non-banking payment institutions must register the fulfilment of duties in anti- SALES AND MARKETING money laundering and counter-terrorism financing on the online monitoring platform set up by the PBOC, while financial institutions and Restrictions non-banking payment institutions may, depending on the need for anti- 19 What restrictions apply to the sales and marketing of money laundering work, connect with the online monitoring platform to financial services and products in your jurisdiction? participate in exchange of work information, share technical facilities and assess risks. The sale of financial services and products is regulated by different Other major requirements for institutions carrying out internet regulatory bodies depending on the type of financial services and prod- finance business include, among others: ucts being sold. For example, the sale of fund products is subject to the • establishing an internal control system and compliance manage- approval of the China Securities Regulatory Commission and the sale of ment policies for anti-money laundering and counter-terrorism insurance products is subject to the approval of the China Banking and financing and reporting these systems and policies to relevant Insurance Regulatory Commission. regulators; Regarding the marketing of financial services and products, • conducting know-your-client (KYC) checks with due diligence; different requirements are applicable to different types of services. • putting in place a monitoring and reporting system for large In relation to securities-related services, for example, securities amount transactions and doubtful transactions; and companies are required to obtain sufficient knowledge of the investors • cooperating with on-site and off-site inspections and anti- and recommend suitable products and services based on the situation of money laundering investigations conducted by the PBOC or its each investor. Securities companies must ensure that investors under- local branches. stand the risks clearly and each investor must sign a risk disclosure statement. Securities companies are not allowed to promise guaranteed In addition, under regulations for third-party payment transactions, profits to the investors or make up for loss in promoting or marketing KYC checks must be completed on clients for anti-money laundering financial products. purposes and there are annual limits on outgoing payments. Payment For insurance services, internet insurance institutions must not platform operators can offer three types of accounts that have esca- make any misrepresentations, exaggerate previous track records lating regulatory requirements. Accounts with lower annual limits have or promise guaranteed profits as part of the marketing process. lower minimum KYC requirements and accounts with higher annual Information concerning insurance products, services, premiums, etc, limits have more comprehensive KYC requirements. must be clearly presented to the customers. In relation to peer-to-peer lending, internet platforms must comply Guidance with the information disclosure obligations and must not present fraud- 22 Is there regulatory or industry anti-financial crime guidance ulent records or misleading representations or make major omissions for fintech companies? when communicating with customers. Yes. On 18 July 2015, several central government ministries and CHANGE OF CONTROL commissions jointly issued the Guideline on Promoting the Healthy Development of Internet Finance. The purpose of these guidelines was Notification and consent to further the government’s promotion of, and incentives given to, digital 20 Describe any rules relating to notification or consent financial services and innovative platforms, while also establishing requirements if a regulated business changes control. regulatory competences between different commissions.

In general, if a regulated business changes control it must make a change of registration application to the regulatory authority. The change of control may only take place after the change of registration has been approved.

42 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP China

PEER-TO-PEER AND MARKETPLACE LENDING Securitisation risk retention requirements 25 Are securitisation transactions subject to risk retention Execution and enforceability of loan agreements requirements? 23 What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements There are no risk retention requirements for securitisation under or security agreements entered into on a peer-to-peer or Chinese law. marketplace lending platform will not be enforceable? Securitisation confidentiality and data protection requirements There are no specific legal requirements for executing loan agreements 26 Is a special purpose company used to purchase and securitise or security agreements in China. peer-to-peer or marketplace loans subject to a duty of The Interim Measures for the Administration of Business Activities confidentiality or data protection laws regarding information on Online Lending Information Intermediary Agencies, issued by the relating to the borrowers? China Banking and Insurance Regulatory Commission on 17 August 2016, provide that online lending platforms are designated as informa- The peer-to-peer platform operator must keep the lender’s and borrow- tion intermediaries for borrowers and lenders and must not provide er’s information confidential, and further processing activities of data credit enhancement or security or guarantee arrangements for the loan from the subjects in China must be carried out in China. However, there transactions by itself. is no mandatory rule in China requiring that a purchaser of the relevant Therefore, a peer-to-peer lending platform is merely an informa- loans shall be subject to specific data protection obligations (although, tion exchange, and loan and security agreements cannot be entered in practice, they are most likely contractually bound so). into on the peer-to-peer marketplace itself. Accordingly, the use of a peer-to-peer marketplace does not impact the legal effectiveness and ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER enforcement of loan agreements or security agreements. TECHNOLOGY AND CRYPTO-ASSETS

Assignment of loans Artificial intelligence 24 What steps are required to perfect an assignment of 27 Are there rules or regulations governing the use of artificial loans originated on a peer-to-peer or marketplace lending intelligence, including in relation to robo-advice? platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these In 2018, the People's Bank of China (PBOC), China Banking and Insurance loans without informing the borrower? Regulatory Commission, China Securities Regulatory Commission and State Administration of Foreign Exchange jointly issued the Guidelines on According to the Provisions of the Supreme People’s Court on Several Standardising the Asset Management Business of Financial Institutions Issues concerning the Application of Law in the Trial of Private Lending (the Guidelines). The Guidelines define robo-advice as investment Cases and the Contract Law, the legal assignment of a loan by the consulting service, and, thus, institutions or personnel carrying out assignor (ie, the lender) to the assignee (ie, the purchaser) will be robo-advice services must obtain relevant investment consulting perfected provided that: service qualifications. The Guidelines confirm that robo-advice services • the following circumstances are not applicable to the assignment: must also strictly comply with the general rules of asset management the rights may not be assigned in light of the nature of the contract, services, such as the rules regarding suitability of investors, invest- according to the agreement between the parties and according to ment scope, information disclosure and risk isolation. In addition, the the provisions of the laws; Guidelines also highlight that the development of investment algo- • a notice of the assignment has been given to the borrower; rithms must be diverse, thus avoiding the increase of the pro-periodicity • the assignor absolutely assigns the receivable to the assignee; and of investment behaviour. • where the laws or administrative regulations stipulate that the assignment of rights or transfer of obligations shall undergo Distributed ledger technology approval or registration procedures, these provisions shall 28 Are there rules or regulations governing the use of be followed. distributed ledger technology or blockchains?

If the assignment is not perfected, it may still constitute an equitable On 10 January 2019, the Cyberspace Administration of China (CAC) assignment (in contrast to a legal assignment), which is still recognised issued the Administrative Provisions on Blockchain Information by Chinese courts. However, the disadvantage of an undisclosed assign- Services (the Blockchain Provisions), which came into effect on 15 ment is that, in the event of taking any legal action against the borrower February 2019. The Blockchain Provisions apply to blockchain infor- for payment, the assignee would have to join the assignor in any such mation services in China, which are defined as information services legal action against the borrower (in contrast to being able to sue in its delivered to the public by way of the internet or application programs own name in the case of legal assignment) and the assignee may be based on blockchain technology or systems. The Blockchain Provisions vulnerable to, among other things, certain competing claims and other do not require blockchain service providers to obtain special operating set-off rights that may otherwise have been halted by the serving of permits from regulators. However, if the blockchain services fall within notice on the borrower. the application scope of other Chinese rules, such as telecom business- It is not possible to transfer loans to the purchaser without related regulations, the blockchain service will still be subject to the informing the borrower. Unless the borrower is notified, the assign- operating permits under those rules. Although there is no operating ment shall not be binding on the borrower. This notice by the assignor permits requirement on providing blockchain services, the Blockchain to assign its rights must not be revoked, unless such revocation is Provisions require blockchain service providers to file a record with the consented to by the assignee. CAC within 10 working days from the commencement of the blockchain services. In addition, the Blockchain Provisions set out certain security requirements for blockchain service providers. For example, blockchain www.lexology.com/gtdt 43 © Law Business Research 2020 China Simmons & Simmons LLP

service providers should certify the real identity of blockchain service mainland China) had to stop. For completed ICOs (launched within main- users by checking relevant information and keeping the login records of land China), exit arrangements were made for the investors that would the users for at least six months. reasonably protect the investors’ interest. All financial institutions and In October 2019, the Central Committee of the Communist Party of third-party payment institutions must not provide services in connec- China organised a special study on blockchain technology chaired by tion with ICOs or virtual currency. Chinese President Xi Jinping, who promoted the use of the technology and its industrial innovation and development. This top-level endorse- DATA PROTECTION AND CYBERSECURITY ment was viewed as an encouragement to those in the sector, which has been dampened since the ban on initial coin offerings (ICOs) in 2017 Data protection (however, there has been no relaxation of this ban). 32 What rules and regulations govern the processing and In the Fintech Development Plan (2019–2021) issued by the PBOC, transfer (domestic and cross-border) of data relating to the regulator proposed to improve China’s internet identity authentica- fintech products and services? tion system by steadily advancing the testing, R&D and application of distributed ledger technology. The key regulation governing the processing and transfer of data is the Chinese Cybersecurity Law (the Cybersecurity Law) promulgated by Crypto-assets the Standing Committee that was effective in 2017. It sets out the main 29 Are there rules or regulations governing the use of crypto- requirements and principles related to cybersecurity and data privacy. assets, including digital currencies, digital wallets and The Cybersecurity Law is not specifically aimed at fintech companies. e-money? Instead, it applies generally to a ‘network operator’, which is broadly defined as ‘the owner or manager of a network, or a network service The PBOC, together with six ministries, issued the Notice on Preventing provider’. Financial Risks relating to Initial Coin Offerings on 7 September 2017, Under the Cybersecurity Law, the general principles of use and which remains the primary regulation on ICOs. The Notice states that processing of personal data in China include that: all financial institutions and non-banking payment institutions in China • the collection, use and processing of personal data shall be legiti- must not directly or indirectly provide products or services for ICO mate, reasonable and necessary; financing and cryptocurrency activities, including account opening, • data subjects shall be informed of the purpose, scope, method and registration, trading, clearing and settlement services, and must not rules of data collection and processing, rights to access and correct provide insurance services for ICOs and cryptocurrency activities or personal data, and the implications for refusal of data collection or include any of them in insurance coverage. processing; In light of above, virtual currency is generally not recognised and • the consent of data subjects shall be obtained prior to any collec- virtual currency issuance and trading is generally prohibited in China. tion, use, processing or transfer of his or her personal data; The PBOC recently announced that it has made some break- • the data collected shall be kept strictly confidential and shall not throughs on its Digital Currency Electronic Payment (DCEP) project. The be leaked, tampered with, sold or otherwise illegally provided to DCEP is the digital version of the renminbi and has the same legal status third parties; and functionality as paper currency. The value of DCEP is also backed • the data processor shall take reasonable technical and other by state credit. The DCEP will be distributed to the market through measures to ensure the safety of collected data and shall promptly the PBOC and other commercial banks and banking institutions. It is notify and make remedies in case of data breach incidents; and reported that the DCEP will first be pilot tested in Suzhou, Shenzhen, • telecoms service providers shall establish a compliant mechanism Xiongan New Area and Chengdu in May 2020. However, the DCEP is fiat for data collection and processing, and shall provide data subjects money, and its development does not in any way suggest a change in the access to their collected data and the right to correct such data. regulator’s attitude towards cryptocurrencies. In addition, the Cybersecurity Law requires that personal information Digital currency exchanges and important data collected or gathered by the Critical Information 30 Are there rules or regulations governing the operation of Infrastructure (CII) operators during their operations is stored within the digital currency exchanges or brokerages? territory of China. Where it is necessary to provide this information and data to overseas entities owing to business demands, a security assess- Virtual currency trading is generally prohibited in China, and digital ment must be conducted. The draft Measures for Security Assessment currency exchanges and brokerages are also banned. of Data Exportation and the draft Measures for Security Assessment of Cross-Border Transfer of Personal Information were published, which Initial coin offerings further extend the security assessment requirements on cross-border 31 Are there rules or regulations governing initial coin offerings transfer from CII to all network operators. However, these two meas- (ICOs) or token generation events? ures have not been finalised and adopted. In addition to the Cybersecurity Law, certain industrial-specific The PBOC, together with six ministries, issued the Notice on Preventing laws (including regulations in the financial sector) prohibit or restrict Financial Risks relating to Initial Coin Offerings on 7 September 2017 the cross-border transfer of certain types of sensitive data. For example, confirming that initial coin offerings (ICOs) are considered a type of financial institutions must not provide the personal financial information unauthorised public financing activity, and, therefore, these activities of citizens in China to any entity overseas, subject to exceptions made by must (within mainland China) stop immediately. The Notice reaffirmed the law. A credit rating entity must not collect sensitive personal infor- the official position that virtual currency is not legitimate in mainland mation relating to, for example, religion, gene information, fingerprints, China and must not be traded. The Notice states that ICOs are deemed blood type, diseases and other medical history, or other information a significant risk to the financial stability of society and may allow prohibited by law. various crimes (such as illegal offering of securities, illegal fund raising The Cybersecurity Law allows network operators to provide and financial fraud). Effective immediately, all ICOs (launched within personal data to a third party without consent under exceptional

44 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP China circumstances where the personal data has been anonymised so that it • avoidance of a high concentration level of suppliers; cannot be used or recovered to identify a specific individual. • stricter due diligence on suppliers by the banking institutions and Besides the mandatory laws and regulations, two new specifica- third parties when necessary, on their technology and industrial tions that came into effect in 2020 are notable to fintech companies. experiences, internal control and management capability and conti- One is the Personal Information Security Specification issued by the nuity of operation; Standardisation Administration of China, which sets out a much higher • a specific chapter on cross-border and off-site IT outsourcing, standard for personal data protection than the mandatory laws and which may involve international compliance; and introduces many concepts and rules for data protection derived from • any outsourcing involving client information must be authorised by EU data protection laws. The other is the Personal Financial Information the clients and comply with regulations and policies. Protection Technology Specification issued by the People's Bank of China, which classifies personal financial data into three categories according The banking institutions are required to report their important to the level of sensitivity and requires personal financial data be trans- outsourcing activities to CBIRC or its local branches beforehand. ferred via safe channels or in the form of encrypted data. The Personal Important outsourcing activities include, among others: Financial Information Protection Technology Specification requires that, • outsourcing of the entire IT service; under certain circumstances, (such as sharing and transfer, disclosure • outsourcing of the entire data centre or disaster recovery centre; and aggregation of personal financial information) a security impact • outsourcing of the analysis or processing of client information or assessment be conducted. transaction data; Although the above two specifications are not binding, they are • off-site outsourcing of operation systems with client data storage; recommended as best practice for personal data protection in China. • affiliated outsourcing; and • cross-border IT outsourcing. Cybersecurity 33 What cybersecurity regulations or standards apply to fintech In addition, banking institutions must report to the CBIRC or its local businesses? branches within two working days in cases of leaks of sensitive data, data damage or suspension of important operations, possible suspen- There are no cybersecurity regulations specific to fintech business. sion of outsourcing services caused by force majeure or the operational The general cyber security obligations of network operators under the or financial problems of the suppliers, violation of laws and regulations Cybersecurity Law include requirements to: by the suppliers, and other significant events. • establish internal cybersecurity policies and procedures; The Asset Management Association of China (AMAC) issued the • implement proper technical measures to prevent hacking and Interim Administrative Measures for Private Funds Services Business viruses as well as to monitor network operations; on 1 March 2017. The Measures require that service providers providing • retain network operation records and logs for at least six months; fundraising, investment consulting, fund unit registration, valuation • formulate and implement contingency plans; and audit and information technology system services to private fund • address cyber risks known to the operators; and managers register with the AMAC. The service providers must not sub- • report any cybersecurity incident to the government and the contract any such outsourcing business to third parties. customers affected by the incident. Cloud computing OUTSOURCING AND CLOUD COMPUTING 35 Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services Outsourcing industry? 34 Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of Cloud computing is deemed a type of value-added telecommunication a material aspect of its business? service and requires a telecoms service licence. There are no specific legal rules relating to the use of cloud computing in the financial sector, The China Banking and Insurance Regulatory Commission (CBIRC) but the State Council has issued several related policy documents, such issued the Guidelines of Risk Management for Outsourcing by Banking as the Guiding Opinions on Actively Promoting the ‘Internet Plus’ Action Financial Institutions on 4 June 2010. The Guidelines define outsourcing Plan (2015), the Opinions on Promoting the Innovation and Development activities as entrusting service providers to continually process certain of Cloud Computing and Fostering New Business models of Information business for and on behalf of the banking institutions themselves. The Industry (2015) and the Development Plan of Promoting Inclusive board of directors and senior management of the banking institutions Finance (2015), where the use of cloud computing in the financial sector shall be ultimately responsible for the outsourcing activities. The banking and the use of online financial cloud service platforms is encouraged. institutions must conduct a risk assessment prior to engaging any outsourcing service providers. The banking institutions must enter into INTELLECTUAL PROPERTY RIGHTS written agreements with service providers and establish a client information confidentiality mechanism. Additionally, the service providers IP protection for software must not sub-contract any outsourcing business to third parties. 36 Which intellectual property rights are available to protect In 2013, the CBIRC issued the Guidelines on the Risk Supervision software, and how do you obtain those rights? of Information Technology Outsourcing of Banking Financial Institutions, which provide more detailed requirements on outsourcing in terms of Computer software is protected by copyright as an independent cate- risk evaluation, due diligence, contracting, security management, super- gory of works. The subject of copyright is the code script of the software vision and assessment, and services suspension and termination. Key and not the operating process or results of the software. issues covered in the Guidelines and requirements include: Software copyright arises automatically upon completion of the • major risks in the IT outsourcing of banking institutions; code script. Although registration is not a mandatory requirement for • thorough assessment of outsourcing risks at least once a year; granting copyright, there is a specific procedure of software copyright www.lexology.com/gtdt 45 © Law Business Research 2020 China Simmons & Simmons LLP

registration under Chinese law. Copyright issuers may apply to the Trade secrets China Copyright Protection Centre for the registration of software copy- 39 How are trade secrets protected? Are trade secrets kept right, licence agreement and assignment agreement of the software confidential during court proceedings? copyright. If the software code has been kept confidential it may also be Trade secrets are protected against unauthorised disclosure, misuse protected as confidential information. No registration is required. and appropriation under competition laws in China. It is also provided Although it is not common, software can also be protected by in employment contract law that employees are responsible for keeping patents as long as the software demonstrates novelty, creativity and the trade secrets of their employer confidential. Trade secrets are applicability as required by patent laws. Patents must be applied for, defined as any technology information or business operation informa- granted and registered before the competent patent office. tion that: is unknown to the public; can bring about economic benefits to the owner; has practical utility; and the owner has adopted security IP developed by employees and contractors measures on. Serious infringement of trade secrets can be deemed a 37 Who owns new intellectual property developed by an criminal offence in China. employee during the course of employment? Do the same Trade secrets are kept confidential during court proceedings. Cases rules apply to new intellectual property developed by involving trade secrets can be heard in private if a party so requests. contractors or consultants? Branding The copyright of works created mainly by using the materials and 40 What intellectual property rights are available to protect technical resources of the employer (and that were the employer’s branding and how do you obtain those rights? How can responsibility) shall belong to the employer. Otherwise, any works fintech businesses ensure they do not infringe existing created during the course of employment shall belong to the employee brands? who develops it. However, the employer has the priority right to exploit the work within the scope of its normal business operation. Furthermore, Brands can be protected as registered trademarks in China. Other the author may not authorise a third party to use the work in the same branding factors, such as trade names, commercial appearance, manner in which his or her employer uses it, without the employer’s product packaging and decoration, can be protected from plagiarism consent, within two years of the work’s completion. under competition laws in China. The patent right of an invention accomplished in the course of Certain branding, such as logos and stylised marks, can also be performing normal employee duties or mainly by using the material and protected by design rights and may also be protected by copyright as technical resources of the employer shall be owned by the employer. artistic works. However, in practice, most employers, especially technology All registered trademarks are publicly announced upon registra- companies, will specify in the employment contract that all intellectual tion and recorded in the trademark database of the State Intellectual property rights of works and inventions developed during the course Property Office of China, and can be publicly searched. It is highly advis- of employment or for the purpose of fulfilling a work assignment are able for fintech businesses to conduct trademark searches to check owned by the employer. whether earlier registrations exist that are identical or similar to their The rules do not apply to new intellectual property developed by proposed brand names. It may also be advisable to conduct internet contractors or consultants unless otherwise agreed, the intellectual searches for any unregistered trademark rights that are also recognised property rights of inventions or works developed by contractors or and protected in China, which may prevent use of the proposed mark. consultants shall be owned by the contractors or consultants. In practice, it is often provided in the commissioning contract that Remedies for infringement of IP the commissioner owns the intellectual property rights of the work, or 41 What remedies are available to individuals or companies that the author owns the rights but shall grant the commissioner an whose intellectual property rights have been infringed? exclusive and royalty-free licence to use the commissioned work for the purposes contemplated at the time of the commissioning. Remedies include preliminary and final injunctions, damages or an account of profits, destruction of infringing products, and costs. Joint ownership 38 Are there any restrictions on a joint owner of intellectual COMPETITION property’s right to use, license, charge or assign its right in intellectual property? Sector-specific issues 42 Are there any specific competition issues that exist with The joint owners of intellectual property rights must negotiate and respect to fintech companies in your jurisdiction? reach agreement on the use, licensing and assignment of these intellectual property rights. If no such agreement exists, any joint owner has There is a competition regime in China that applies to all entities the right to use or grant a non-exclusive licence to third parties, and the carrying out business in China. However, there are no particular aspects licence fees collected shall be distributed among all joint owners. The of this regime that would affect fintech businesses disproportionately to granting of a sole or exclusive licence, and the charge, assignment or other businesses. other disposal of the intellectual property rights shall be subject to the consent of all joint owners. The joint owners of a trademark are not subject to the above restrictions. This is because, usually, the joint owners register the trademark under different classes and will not create confusion for customers. Each joint owner is entitled to use, license, charge or assign its right in the trademark without the consent of the other joint owners.

46 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP China

TAX

Incentives 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no tax incentives specifically applicable to fintech companies. However, there are some incentives and government support policies Jingyuan Shi [email protected] applicable to IT and high-tech companies, tech start-ups and their investors. These industrial policies and incentives are found across different regions and districts of China. 25th Floor Kerry Centre South Tower In addition, there are also tax incentives available for some finan- 1 Guang Hua Road cial sector companies (which could be fintech companies), if they meet Chaoyang District certain conditions. For example, the interest income of a microloan Beijing company’s lending to farmers is entitled to VAT exemption and income 100020 China tax reduction until the end of 2023. Tel: +86 10 8588 4500 Increased tax burden Fax: +86 10 8588 4588 www.simmons-simmons.com 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction? Coronavirus There are no new or proposed tax laws or guidance that could signifi- 47 What emergency legislation, relief programmes and other cantly increase tax or administrative costs for fintech companies in China. initiatives specific to your practice area has your state implemented to address the pandemic? Have any existing IMMIGRATION government programmes, laws or regulations been amended to address these concerns? What best practices are advisable Sector-specific schemes for clients? 45 What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there On 1 February 2020, the PBOC, Ministry of Finance, China Banking any special regimes specific to the technology or financial and Insurance Regulatory Commission, China Securities Regulatory sectors? Commission and State Administration of Foreign Exchange jointly issued a Notification on Further Strengthening Financial Support There are no immigration schemes specifically for fintech talent, but for the Prevention and Control of Novel Coronavirus Pneumonia the National Foreign Experts Bureau together with another two govern- Outbreak, which introduced 30 measures to provide financial support ment authorities jointly issues a notice in January 2018, encouraging for epidemic control and to avoid potential financial risks. The major foreign scientists, specialised talents and highly skilled technical talents measures include: to come to work in China. Eligible applicants can be issued visas that are • that financial institutions are required to increase the amount of valid for five to 10 years with multiple entry. loans for small and medium enterprises; • that credit bureaus are required not to record citizens’ debt defaults UPDATE AND TRENDS if these defaults are caused by the outbreak; and • that relevant authorities are required to improve the efficiency Current developments of services such as bond issuance, reduce the approval time for 46 Are there any other current developments or emerging capital market-related transactions and exempt the listing fees for trends to note? companies based in regions with severe outbreaks.

One area of particular note in the People's Bank of China's (PBOC) Fintech In addition, the State Council announced in February that social secu- Development Plan (2019–2021) is the proposal for a new standard for rity contributions will be exempted for medium-sized, small and micro domestic payments, an area in which Chinese fintech players are heavily companies and large companies in Hubei province for five months, and focused. The PBOC aims to propel the interoperability of different reduced by half for large businesses in other areas for three months. payment barcode systems by setting out a single set of coding rules At the provincial level, most local governments also introduced for barcode payments. This unified barcode system is hoped to enable similar financial support policies for fighting against covid-19. To every scanning terminal in China to recognise any domestic payment boost consumption, some local governments are working closely barcode (regardless of the payment service provider) and will greatly with e-payment service providers to provide citizens with consump- enhance payment efficiency. tion coupons.

www.lexology.com/gtdt 47 © Law Business Research 2020 Denmark

Rasmus Mandøe Jensen and Christian Scott Uhlig Plesner Advokatpartnerselskab

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies 1 What is the general state of fintech innovation in your 3 Which bodies regulate the provision of fintech products and jurisdiction? services?

In recent years, the fintech sector has experienced significant growth in The main financial regulator is the Financial Supervisory Authority, Denmark. This has been facilitated by: which also oversees compliance with anti-money laundering • a highly educated and digitally literate population; regulation. • a high degree of digitisation of public sector systems; Compliance with certain business conduct rules and other • the support of specific government policies aimed at promoting consumer and competition-oriented rules is overseen by the fintech innovation; and Competition and Consumer Authority. • the development of Copenhagen as an international fintech hub. The Data Protection Agency oversees compliance with data protection rules. Under the auspices of Copenhagen Fintech (https://copenhagenfintech. The Central Bank has limited oversight over systemically impor- dk/), a dedicated fintech lab opened in Copenhagen in 2016 (https:// tant payment and securities clearing and settlement infrastructures copenhagenfintech.dk/startups/copenhagen-fintech-lab/) and has and similar systems. become a central hub for fintech activity in Denmark. In recent few years, a number of partnerships between fintech Regulated activities start-ups and banks have been announced, which reflects the current 4 Which activities trigger a licensing requirement in your trend of fintech companies seeking to partner and cooperate with jurisdiction? existing financial sector bodies rather than attempting to be in competition with and opposition to them. Banking While there has been significant activity in traditional fintech core Deposit-taking activities generally require a banking licence under areas such as payments and investment services, ancillary areas such the Financial Business Act (https://www.retsinformation.dk/eli/ as regtech and insurtech remain less developed, but are expected to lta/2019/937) to legally operate in Denmark. There are no de minimis grow in the future. or similar exemption available. Lending does not require a licence in Denmark, although a regis- Government and regulatory support tration under the Act on Measures to Prevent Money Laundering 2 Do government bodies or regulators provide any support and Financing of Terrorism may be required (as described below). specific to financial innovation? If so, what are the key However, under the Financial Supervisory Authority's current guid- benefits of such support? ance, EU banking institutions may have to passport their licence into Denmark if they wish to perform lending activities there. The government has specific policies aimed at promoting fintech busi- A new Act on Consumer Loan Undertakings entered into force on ness and investments and to support Copenhagen as an international 1 July 2019, creating an exception to the licence-free lending require- fintech hub. Recently, this has resulted in increased funding for the ment in Denmark. Financial Supervisory Authority, enabling it to dedicate resources to a specialised fintech office and create a regulatory sandbox. The Financial Payment services or e-money issuance Supervisory Authority opened applications for its regulatory sandbox The performance of payment services, as defined in the Annex to in 2018 and opened for applications for its second cohort during 2019. the Payments Act implementing Annex I to the revised EU Payment In terms of purpose and eligibility criteria, the sandbox is similar to the Services Directive (2015/2366/EU) (PSD2), requires a licence under the existing one operated by the UK Financial Conduct Authority. Payments Act (https://www.retsinformation.dk/eli/lta/2019/1024). The Payments Act generally reflects the catalogue of exemptions to the licence requirement in article 3 of the PSD2 and article 1 of the Second EU Electronic Money Directive (2009/110/EU) (EMD2), except that technical services covered by the exemption in article 3(j) of the PSD2 are subject to certain fee regulations in the Payments Act. Specifically, regarding the limited network exemption (article 3(k) of the PSD2 and article 1(4) of the EMD2), although limited network

48 Fintech 2021 © Law Business Research 2020 Plesner Advokatpartnerselskab Denmark products are exempted from the licence requirement, they must still The licensing exemptions set out in article 2 of the EU Markets in comply with the disclosure, business conduct and fee rules of the Financial Instruments II Directive have generally been implemented Payments Act, as well as the regulation on issuance and redemption without material changes. of e-money (corresponding mainly to Titles III and IV of the PSD2 and article 11 of the EMD2). However, the disclosure, business conduct and Investment advice fee rules do not apply to e-money issued within a limited network if: Undertakings that provide investment advice must be licensed as an • the instrument cannot load a value of more than 3,000 investment adviser if they do not hold another licence that permits them Danish kroner; to provide investment advice. Investment advisers may also receive and • the instrument cannot be reloaded; and transmit orders. • the issuer's aggregate outstanding e-money liabilities do not exceed an amount equivalent to €5 million, in which case only the Financial advice rules on redemption of e-money apply. Undertakings that provide advice on financial products to consumers must be licensed as financial advisers. For this purpose, ‘financial prod- Denmark has not elected to use the options in article 32 of the PSD2 ucts’ are credit agreements, excluding residential credit agreements, and article 9 of the EMD2 to exempt low-volume and low-value payment deposits, insurances, pension and investment products. ‘Investment services or e-money from the licensing requirement; however, the products’ are transferable securities, units or shares in collective Payments Act provides for a less burdensome licensing process for investment schemes, deposits in banks where the return depends on such providers and issuers, which are also exempt from the own funds the performance of one or more underlying assets, guarantee certifi- requirements. cates, cooperative certificates and mortgage deeds.

Foreign exchange Residential credit intermediation Unless performed by a licensed bank, foreign exchange activi- Undertakings that provide advice on or arrange or facilitate residen- ties require a licence under the Act on Measures to Prevent Money tial credit agreements to consumers must be licensed as residential Laundering and Financing of Terrorism (https://www.retsinformation. credit intermediaries. Residential credit agreements essentially cover dk/eli/lta/2017/651). Exemptions from certain parts of the Act are the granting of loans secured on real estate. available for entities whose foreign exchange activities are de minimis – including a requirement that the foreign exchange business does Alternative investment funds not account for more than 5 per cent of the entity's aggregate annual The management of alternative investment funds triggers a registra- turnover – and purely ancillary to their main business. tion or licensing requirement depending on the size of the assets of In addition, the Act on Measures to Prevent Money Laundering the managed investment fund. The threshold for authorisation rather and Financing of Terrorism was amended following a legislative act than registration is assets under management by the manager of that entered into force on 10 January 2020. Part of the purpose of €100 million (or €500 million if certain conditions are complied with). the amendments is to implement the Fifth EU Anti-money Laundering Authorised managers must comply with all of the requirements of the Directive (2018/843/EU) in Denmark. The amendment has subjected, legislation implementing the EU Alternative Investment Fund Managers among others, providers of exchange services between virtual and fiat Directive, whereas a registered manager must comply with only a few currencies to regulation under the Act just as such operators will have limited requirements. to be registered under the Act. The definition of ‘alternative investment funds’ has been implemented from the EU Alternative Investment Fund Managers Directive Investment activities without material changes. The provision of ‘investment services’ – as defined in the EU Markets in Financial Instruments II Directive – and custody services triggers a Insurances licensing requirement under Danish law. Insurance activities generally trigger a licensing requirement. The There are three different investment firm sizes in terms of own Financial Business Act provides certain specific exemptions to the funds requirements: licensing requirement, none of which would be expected to be relevant • Small investment firms are subject to a minimum own funds for fintech businesses. requirement of €50,000, a share capital of 500,000 kroner and the If the activity does not amount to being an insurer but involves Capital Requirements Regulation own funds requirements and insurance distribution, the activity will require a licence if it constitutes are permitted to provide: insurance or reinsurance mediation. There are no exemptions to this • reception and transmission of orders; requirement. On the other hand, intermediaries that perform only ancil- • execution of orders; lary insurance intermediation must be registered. • discretionary portfolio management; and In general, the Danish market has seen only a limited number of • investment advice. insurtech providers, including Undo, which has entered into a partner- • Medium-sized investment firms permitted to provide the same ship with Danish insurance provider Tryg and Penni and has previously investment services as small investment firms in addition to worked with the Danish insurance provider TopDanmark. safe keeping (which is a core service in Denmark) are subject to a minimum own funds requirement of €125,000, and a share Anti-money laundering capital of 500,000 kroner and Capital Requirements Regulation Fintech businesses that are not otherwise required to have a licence own funds requirements. under any of the above regulations must be registered with the • Large investment firms permitted to provide all types of invest- Financial Supervisory Authority if they perform any of the activities set ment service are subject to a minimum own funds requirement out in Annex I to the Act on Measures to Prevent Money Laundering and of €730,000, a share capital of 500,000 kroner and Capital the Financing of Terrorism, including: Requirements Regulation own funds requirements. • deposit taking; • lending; www.lexology.com/gtdt 49 © Law Business Research 2020 Denmark Plesner Advokatpartnerselskab

• financial leasing; constitutes equity crowdfunding, thereby subjecting the fintech • assistance in offering securities and services ancillary thereto; and business to the rules regulating¸ among other things, offerings of • the storage, administration and management of securities. securities and prospectus requirements; • the Payments Act (implementing the PSD2 or the EMD2), if the Consumer lending activity involves offering payment services or issuing e-money; 5 Is consumer lending regulated in your jurisdiction? • the Investment Association Act (implementing the EU Undertakings for Collective Investment in Transferable Securities Directive The Act on Consumer Loan Undertakings (https://www.retsinforma- (2009/65/EU)), if the activity involves establishing or managing tion.dk/eli/lta/2019/450) entered into force on 1 July 2019, creating undertakings for collective investment in transferable securities; or an exception to the absence of a requirement for a licence to lend in • the Act on Alternative Investment Fund Managers (implementing Denmark. The new Act applies to most types of consumer loan and the EU Alternative Investment Fund Managers Directive (2011/61/ credit agreements unless: EU) (AIFMD)), if the activity involves establishing or managing an • they are provided by an already licensed bank or other finan- alternative investment fund. cial business; • the agreement is for a zero-interest and zero-fee loan; or In respect of crowdfunding lending platforms, as of 1 July 2020, lenders • the agreement is a leasing agreement without any obligation engaging on the platform will – regardless of whether the lenders are to purchase. professional lenders or acting in a private capacity – be subject to a cap of 35 per cent of the annual percentage rate on such loans, if the Under the Act on Consumer Loan Undertakings, consumer loan and borrower is a consumer. credit in-scope providers must obtain a licence from the Financial Supervisory Authority (as during which, the management of the Alternative investment funds consumer loan undertaking will be subject to customary fit and proper 8 Are managers of alternative investment funds regulated? requirements) and will be subject to ongoing conduct of business rules. An amendment to the Act on Consumer Loan Undertakings and As Denmark is an EU member state, the AIFMD applies. the Marketing Practices Act entered into force on 1 July 2020. The The management of alternative investment funds triggers a regis- amendments include (1) a 35 per cent cap on the annual percentage tration or licensing requirement depending on the size of the assets rate (APR) on consumer loans, including on peer-to-peer loans; (2) a of the managed investment fund. The threshold for authorisation cap on expenses (eg, interest, fees and reminder charges) over the life rather than registration is assets under management by a manager of of the credit of 100 per cent of the original principal amount; and (3) a €100 million (or €500 million if certain conditions are complied with). prohibition on marketing consumer loans with an APR of more than 25 Authorised managers must comply with all of the requirements of the per cent as well as any marketing of consumer loans in connection with legislation implementing the AIFMD, whereas a registered manager gambling or betting, or both (subject to limited exceptions, including must comply with only a few limited requirements. marketing on the credit provider's own website). The definition of ‘alternative investment funds’ has been imple- However, in respect of online marketing directed at consumers, mented from the AIFMD without material changes. the above-mentioned marketing prohibition will not apply to consumer loan undertakings located in other EU countries. To the extent that the Peer-to-peer and marketplace lending marketing by these foreign consumer loan undertaking is carried out 9 Describe any specific regulation of peer-to-peer or on television or on-demand services or in connection with gambling or marketplace lending in your jurisdiction. betting, or both, the marketing prohibition will apply. Such types of alternative financing are not subject to bespoke regu- Secondary market loan trading lation in Denmark. However, whether they are professional lenders or 6 Are there restrictions on trading loans in the secondary acting in a private capacity, the lenders using the platform and the loans market in your jurisdiction? provided by them over the platform have, from 1 July 2020, been subject to a cap of 35 per cent of the annual percentage rate on these loans if There are no restrictions on trading loans in the secondary market the borrower is a consumer. under Danish law. Crowdfunding Collective investment schemes 10 Describe any specific regulation of crowdfunding in your 7 Describe the regulatory regime for collective investment jurisdiction. schemes and whether fintech companies providing alternative finance products or services would fall within its Crowdfunding and other types of alternative financing are not subject to scope. bespoke regulation in Denmark. However, if the crowdfunding scheme in question constitutes ‘donation-based crowdfunding’, the rules set out Fintech companies providing such financial products or services are in the Danish Fundraising Act may apply. not subject to any bespoke regulation. However, to the extent that their Non-bank lending or equity crowdfunding vehicles have a relatively services constitute a regulated activity pursuant to the generally appli- limited market share. Recently, several projects have been launched cable regulatory regime, these companies fall within the scope of the that focus on crowdfunding the ownership of real estate. relevant regulation. Depending on the structure of the crowdfunding scheme (eg, Depending on the nature of the activity, fintech businesses may equity-based crowdfunding), the general capital market rules, including be subject to one or more of the following laws, each of which include EU Regulation 596/2014 on market abuse, EU Regulation 2017/1129 on associated delegated regulations: prospectuses and the Danish Capital Markets Act (https://www.retsin- • the Capital Markets Act and the EU Market Abuse Regulation formation.dk/eli/lta/2019/459) may apply. (2014/596), to the extent that the crowdfunding scheme in question

50 Fintech 2021 © Law Business Research 2020 Plesner Advokatpartnerselskab Denmark

Invoice trading CROSS-BORDER REGULATION 11 Describe any specific regulation of invoice trading in your jurisdiction. Passporting 17 Can regulated activities be passported into your jurisdiction? Invoice trading is not subject to bespoke regulation. However, to the extent that the relevant invoice trading scheme constitutes a factoring Yes, to the extent that the entity is an EU entity and the underlying EU arrangement, such factoring arrangements are subject to the Anti- law provides for a passporting system. money Laundering Act and would trigger a registration requirement with the Financial Supervisory Authority, as well as a requirement to Requirement for a local presence comply with the other provisions set out in the Act. 18 Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local Payment services presence? 12 Are payment services regulated in your jurisdiction? In general, obtaining a Danish licence (as opposed to passporting an The performance of payment services, as defined in the Annex to the existing licence) for financial services requires that the applicant be Payments Act implementing Annex I to the PSD2, requires a licence domiciled in Denmark. under the Payments Act. SALES AND MARKETING Open banking 13 Are there any laws or regulations introduced to promote Restrictions competition that require financial institutions to make 19 What restrictions apply to the sales and marketing of financial customer or product data available to third parties? services and products in your jurisdiction?

No, except the rules implementing articles 65 to 68 of the PSD2. The The laws and regulations that govern and restrict the sale and marketing Payments Act contains rules that severely restrict the processing and of financial services and products in Denmark include: use of payment data. • the Act on Alternative Investment Fund Managers (implementing the EU Alternative Investment Fund Managers Directive (2011/61/EU)); Robo-advice • the Markets in Financial Instruments Directive (2014/65/EU); 14 Describe any specific regulation of robo-advisers or other • the Consumer Contracts Act (implementing parts of the EU companies that provide retail customers with automated Directive on Consumer Rights (2011/83/EU) and the EU Directive access to investment products in your jurisdiction. on Distance Marketing of Consumer Financial Services (2002/65/ EU)), which contains rules on pre-contractual information require- Robo-advice is not subject to specific regulation in Denmark. In July ments, right of withdrawal, termination and binding periods; 2019, the Financial Supervisory Authority published a regulatory note • the Marketing Practices Act (implementing the EU Directive on regarding best practice when using supervised machine learning. Unfair Commercial Practices (2005/29/EU)), which – in addition to the rules implementing the EU Unfair Commercial Practices Insurance products Directive – contains rules on, among other things: 15 Do fintech companies that sell or market insurance products • unsolicited marketing; in your jurisdiction need to be regulated? • comparative advertisements; • the marketing of consumer credit; Insurance activities generally trigger a licensing requirement. The • Consumer Ombudsman activities; and Financial Business Act provides certain specific exemptions to the • how businesses must comply with good marketing practices; licensing requirement, none of which are considered relevant for fintech • the Payments Act (implementing the Payment Services Directive businesses. (2015/2366/EU)), which contains rules implementing the disclo- If the activity is not of a scale for the provider to be considered an sure, business conduct and fee rules set out in Titles III and IV of the insurer but involves insurance distribution, the activity will require a directive and corresponding provisions of the Second EU Electronic licence if it constitutes insurance or reinsurance mediation. There are no Money Directive (2009/110/EU)); exemptions to this requirement. On the other hand, intermediaries that • the Credit Contracts Act (implementing parts of the EU Consumer perform only ancillary insurance intermediation must be registered. Credit Directive (2008/48/EU)), which applies to credit arrangements with consumers and that contains, among other things: Credit references • mandatory disclosure requirements; 16 Are there any restrictions on providing credit references or • rules on changes to interest rates; credit information services in your jurisdiction? • walk-away rights; and • rules on term and termination; Credit information services and credit information bureaus must gener- • the Act on Consumer Loan Undertakings, which applies to certain ally adhere to the rules set out in the EU General Data Protection forms of loan and credit to consumers provided by lenders that are Regulation and the Danish Data Protection Act. Credit information not banks or other forms of licensed financial business; bureaus must seek a licence from the Danish Data Protection Agency • the Executive Order on Good Business Practices for Financial prior to the commencement of any data processing. Businesses (implementing parts of the EU Directive on Consumer Rights), which contains rules on duty of care to customers, disclosure requirements, advising customers and restrictions on amending or terminating customer contracts and applies to, among others: www.lexology.com/gtdt 51 © Law Business Research 2020 Denmark Plesner Advokatpartnerselskab

• banks; platforms are not subject to bespoke regulation, there is no specific risk • mortgage banks; and that the agreements in question would not be enforceable. • investment firms; and However, new legislation has been adopted by the Danish parlia- • the Executive Order on Good Business Conduct for Insurance ment on 4 June 2020, which entered into effect on 1 July 2020, and Distributors (implementing parts of the EU Insurance Distribution amended the Act on Consumer Loan Undertakings. The amendments Directive (2016/97/EU)), if the activity involves insurance distribution. include a 35 per cent cap on the annual percentage rate (APR) on consumer loans, including on peer-to-peer loans to consumers. To the As of 1 July 2020, the Marketing Practices Act also (subject to limited extent that a consumer loan agreement has APR higher than the 35 per exceptions, including marketing on the credit provider’s own website) cent cap and the lender does not hold a licence as a consumer loan prohibits the on-marketing of consumer loans with an annual percentage provider or is licensed as a financial institution, the lender will only be rate of more than 25 per cent and all marketing of consumer loans in entitled to demand repayment of the principal (ie, repayment without connection with gambling or betting, or both. any interest). To the extent that the lender holds a license as a consumer loan provider or is licensed as a financial institution, the lender would in CHANGE OF CONTROL this case only be entitled to demand repayment of the principal together with costs (the interest and fees, etc) up to an APR of 35 per cent. Notification and consent 20 Describe any rules relating to notification or consent Assignment of loans requirements if a regulated business changes control. 24 What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending In general, if a regulated business changes control, this triggers a notifi- platform? What are the implications for the purchaser if the cation or a consent requirement from the Financial Supervisory Authority. assignment is not perfected? Is it possible to assign these This includes businesses and undertakings subject to the regulations set loans without informing the borrower? out in the Financial Business Act. Further, to the extent that a company must register with the Financial Supervisory Authority pursuant to the In the relationship between an assignor and assignee, the transfer of the Anti-money Laundering Act, there would be a de facto consent require- assignment will be effective once an assignment agreement has been ment from the Financial Supervisory Authority in the event of a change entered into. However, for the sale to be effective against any creditors of control, as the Financial Supervisory Authority can revoke a registra- of the assignor and the bankruptcy estate of the assignor, the assignee tion if it considers that the company or the management of the company (or the assignor, or both) must notify the relevant borrower of the sale no longer meets the requirements under the Anti-money Laundering Act. and inform it to redirect payments under the loan to the assignee. If an assignment has not been duly perfected, it may be voided FINANCIAL CRIME subject to a hardening period, pursuant to which it may become void- able and unenforceable. In the case of unaffiliated parties, the normal Anti-bribery and anti-money laundering procedures hardening period under Danish law is three months. 21 Are fintech companies required by law or regulation to have Therefore, it is impossible to complete the perfection requirements procedures to combat bribery or money laundering? without informing the borrower. However, in the relationship between the assignor and assignee, the borrower need not be notified to validate Fintech businesses that require a licence under the Financial Business the assignment. Act, the Payments Act, the Alternative Fund Managers Act or the Act on Financial Advisers, Investment Advisers and Residential Credit Securitisation risk retention requirements Intermediaries or require a licence to carry out insurance activities, 25 Are securitisation transactions subject to risk retention investment services or the provision of investment or financial advice are requirements? subject to the rules set out in the Act on Measures to Prevent Money Laundering and the Financing of Terrorism. This also applies to fintech There are no specific Danish law risk retention requirements; however, businesses carrying out activities as a foreign exchange (and not other- the rules on risk retention requirements set out in the Capital wise subject to regulatory requirements under the Financial Business Act). Requirements Regulation may apply.

Guidance Securitisation confidentiality and data protection requirements 22 Is there regulatory or industry anti-financial crime guidance 26 Is a special purpose company used to purchase and securitise for fintech companies? peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information No such guidelines have been made available at this time. relating to the borrowers?

PEER-TO-PEER AND MARKETPLACE LENDING Such special purpose vehicles are subject to both the EU General Data Protection Regulation and the Danish Data Protection Act. Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable?

There are no specific requirements for executing loan agreements or security agreements other than authorisation and execution of a loan or security agreement. As peer-to-peer lending marketplace lending

52 Fintech 2021 © Law Business Research 2020 Plesner Advokatpartnerselskab Denmark

ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER Danish rules, including special rules on the processing of national iden- TECHNOLOGY AND CRYPTO-ASSETS tification numbers (ie, CPR number). Fintech products and services that involve the processing of Artificial intelligence personal data on behalf of another company (ie, the customer or data 27 Are there rules or regulations governing the use of artificial controller) require that a written data processing agreement is entered intelligence, including in relation to robo-advice? into. Further, if data is transferred outside the European Union, a legal basis for the transfer must be in place. AI is not subject to bespoke regulation in Denmark. In July 2019, the Financial Supervisory Authority published a regulatory note regarding Cybersecurity best practice when using supervised machine learning. 33 What cybersecurity regulations or standards apply to fintech businesses? Distributed ledger technology 28 Are there rules or regulations governing the use of Financial businesses (eg, banks, investment firms and insurers), distributed ledger technology or blockchains? payment institutions and e-money institutions must generally have prudent IT and cybersecurity systems, procedures and policies. Distributed ledger technology and blockchain are not subject to bespoke However, apart from these general regulatory requirements, there regulation in Denmark. are no generally applicable statutory cybersecurity regulations or standards. Crypto-assets Further, particularly within payment services, there are a number 29 Are there rules or regulations governing the use of crypto- of important IT and cybersecurity standards, including: assets, including digital currencies, digital wallets and • the Regulatory Technical Standards on Strong Customer e-money? Authentication and Common and Secure Open Standards of Communication (Commission Delegated Regulation (EU) 2018/389); Crypto-assets and digital currencies are not subject to bespoke regula- • the Guidelines on the Security Measures for Operational and tion. Digital wallets and e-money are subject to the EU rules pursuant Security Risks of Payment Services (promulgated under the to the revised EU Payment Services Directive (2015/2366/EU). revised EU Payment Services Directive); and Furthermore, as of 10 January 2020, custodian wallet providers and • the payment card industry (PCI) IT industry security standards, providers of exchange services between virtual and fiat currencies are particularly the PCI Data Security Standard and the PCI Payment subject to regulation under the Act. Application Data Security Standard. Although these are widely accepted industry standards, they do not constitute public law Digital currency exchanges regulations and as such are not directly enforced by the Financial 30 Are there rules or regulations governing the operation of Supervisory Authority. digital currency exchanges or brokerages? OUTSOURCING AND CLOUD COMPUTING There are no specific rules regulating the operation of digital currency exchanges or brokerages; however, custodian wallet providers and Outsourcing providers of exchange services between virtual and fiat currencies 34 Are there legal requirements or regulatory guidance with fall under the Act on Measures to Prevent Money Laundering and the respect to the outsourcing by a financial services company of Financing of Terrorism. a material aspect of its business?

Initial coin offerings The Executive Order on Outsourcing of Material Areas of Activity (the 31 Are there rules or regulations governing initial coin offerings Outsourcing Order) sets out the legal requirements relating to the (ICOs) or token generation events? outsourcing by a financial services company of a material aspect of its business. In addition to the Outsourcing Order, the Financial Supervisory There are no specific rules regulating initial coin offerings (ICOs) or Authority has published regulatory guidance on its requirements. token generation events. However, to the extent that coins or tokens A new draft Outsourcing Order has been put forward that will offered in an ICO constitute financial instruments, the general capital significantly amend the existing Outsourcing Order. market rules, including the EU Regulation 596/2014 on market abuse The purpose of the new legislative proposal is to, inter alia, align and the Danish Capital Markets Act, apply. the Danish outsourcing rules with the outsourcing guidelines of the European Banking Authority. As one of the key changes to the existing DATA PROTECTION AND CYBERSECURITY Outsourcing Order, it is the intention that electronic money institutions and payment institutions be subject to the rules set out therein. The new Data protection Outsourcing Order contains some national gold plating provisions (eg, 32 What rules and regulations govern the processing and regarding outsourcing to cloud service providers) that goes beyond the transfer (domestic and cross-border) of data relating to outsourcing guidelines of the European Banking Authority. fintech products and services? The new Outsourcing Order will regulate all outsourcing and will entail further requirements for ‘critical or important’ outsourcing, which The EU General Data Protection Regulation (GDPR) and the Danish Data includes, inter alia, outsourcing of capital and liquidity-risk manage- Protection Act (DDPA) apply to fintech products and services if personal ment, outsourcing of IT and security and outsourcing of key functions. data is processed. The regulations apply to all data processing relating The new Outsourcing Order sets out specific requirement for the to an identified or identifiable natural person (eg, name, account and outsourcing of ‘critical or important’ areas, including detailed require- credit card information, other customer identification data and internet ments for the outsourcing agreement between the company and the protocol address). The DDPA supplements the GDPR with national outsourcing provider; for example, requirements for the description of www.lexology.com/gtdt 53 © Law Business Research 2020 Denmark Plesner Advokatpartnerselskab

the outsourced activity and whether the outsourcing provider may sub- Inventions (patents and utility models) outsource the activity to a third party. If a person (eg, an employee or a consultant) has made a technical Furthermore, the new Outsourcing Order will require businesses invention that can be patented or registered as a utility model, the to keep a register of information on all of the relevant company's starting point is that the employee or the consultant is entitled to this outsourcing and outsourcing providers. invention. The new Outsourcing Order entered into force on 1 July 2020. Pursuant to the Danish Employees’ Inventions Act, if the invention has been made as part of the employment, the employer is entitled to Cloud computing claim that the right to the invention be transferred to them if the use 35 Are there legal requirements or regulatory guidance with of the invention falls within the scope of the activities of the company. respect to the use of cloud computing in the financial services The same applies if the employee’s invention relates to a specific industry? task assigned to him or her by the employer. Even if the invention was made during off-duty hours, the employer could still be entitled to claim In addition to the Outsourcing Order and the related Financial Supervisory the right to the invention. The Danish Employees' Inventions Act does Authority regulatory guidance on the Outsourcing Order, Danish finan- not apply to consultants. cial services companies use the European Banking Authority guidelines The Act on inventions at public research institutions regulates the on outsourcing as guidance. right to inventions made by teachers and other scientific employees at universities. The Act stipulates that the employee is entitled to an inven- INTELLECTUAL PROPERTY RIGHTS tion that he or she has made him or herself; however, the Act also states that the institution has a right to claim that this invention be transferred IP protection for software to it, if the employee made the invention as part of his or her work. 36 Which intellectual property rights are available to protect software, and how do you obtain those rights? Designs The right to a design depends on whether it is a Danish design or a Fintech innovations may be protected as inventions under patent law community design. The Danish Designs Act stipulates that the person if they are patentable. This includes filing for a patent and meeting the who created the Danish design or the person to whom the designer's requirements under Danish patent laws (eg, patentable subject matter, right has been transferred has the right to acquire the exclusive right novelty and inventive step). Fintech innovations may also be protected as to the design. utility models where the bar for protection is lower than that of a patent. The Danish Designs Act does not regulate the relationship between Further, if the innovation is embodied in software coding, copyright employer and employee. It is, however, assumed that under the Danish protection may be available to the author (in this case, the programmer) Designs Act the design rights belong to the employer, unless the design if the software coding has a sufficient degree of originality. In addition, is also protected by copyright. In the latter case, the design right follows fintech innovations may be protected as sui generis database rights if the copyright and is determined based on an analogy of the rules on the conditions for protection set out in section 71 of the Copyright Act copyright for employees (see above). (incorporating the EU directive on the Legal Protection of Databases According to article 14(3) of the Regulation on Community designs, (96/9/EU)) are met. any rights to a community design shall vest in the employer unless Although not intellectual property in the traditional sense, a fintech otherwise agreed or specified under national law. This only applies innovation may be protected as a trade secret under the Trade Secrets to traditional employment relationships (employer–employee). For Act (incorporating the EU directive on the Protection of Undisclosed commissioned designs, the question of whom the rights belong to must Know-How and Business Information (Trade Secrets) (2016/943/EU)) if be decided specifically. the innovation is kept secret. Trademarks IP developed by employees and contractors The trader, and not the person who created the sign, owns the rights 37 Who owns new intellectual property developed by an to the sign. If an employee owns the copyright or design rights to the employee during the course of employment? Do the same sign, the employer can only use it if they have agreed on this or if it is rules apply to new intellectual property developed by otherwise justified under the copyright and design rules. Accordingly, it contractors or consultants? is important to determine whether the employee created the trademark as a part of his or her work or whether the exploitation of the trademark Copyright falls within the scope of the usual activities of the employer. The Danish Copyright Act stipulates that the person who creates a work If a consultant owns the copyright to the sign, the trader will have owns the copyright to that work. This applies regardless of whether the a right of use only unless otherwise agreed. person is an employee or a contractor or consultant. In relation to copyright created during the term of employment, the Joint ownership general rule is that there is an automatic transfer of copyright from the 38 Are there any restrictions on a joint owner of intellectual employee to the employer by virtue of the employment provided certain property’s right to use, license, charge or assign its right in criteria are met. The employer shall only be entitled to the parts of the intellectual property? employee's copyright that were necessary for the employer’s usual activities at the time when the employee created the work. Further, it As the joint ownership of IP rights is commonly regulated on a contrac- is a condition that the employment is of a permanent nature and that tual basis between the joint owners, restrictions on a joint owner follow creating the work was part of the employee's tasks. from the contractual regulation thereof. Further, the copyright to computer programs developed by an If an invention is made jointly, each person will own a propor- employee within the scope of his or her employment or as a result of tionate share of the invention in the absence of a prior agreement. The the employer's directions, automatically transfer in full to the employer. joint ownership entails some restrictions in each person's right to use, license, charge or assign the invention, even without an agreement.

54 Fintech 2021 © Law Business Research 2020 Plesner Advokatpartnerselskab Denmark

In general, all joint owners of an invention must agree on substantial Remedies for infringement of IP decisions regarding the jointly owned invention, including agreements 41 What remedies are available to individuals or companies on licensing. Each owner may individually sell or assign its own share in whose intellectual property rights have been infringed? the invention unless otherwise agreed. With regard to copyright, co-authors to a copyrighted work, where A number of remedies are available to individuals or companies whose each contribution cannot be separated as independent works, enjoy IP rights have been infringed, including: joint co-ownership in the copyright of the work. • financial compensation (eg, damages and reasonable remuneration); Trade secrets • injunctions (eg, preliminary injunctions); 39 How are trade secrets protected? Are trade secrets kept • corrective measures; confidential during court proceedings? • the publication of judicial decisions; • reasonable compensation for legal costs; and Confidential information and trade secrets are covered by the new • criminal penalties. Trade Secrets Act (incorporating the EU Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) COMPETITION (2016/943/EU)) and the Danish Penal Code. With regard to the confidentiality of trade secrets (including confi- Sector-specific issues dential information) during court proceedings, the Trade Secrets Act 42 Are there any specific competition issues that exist with stipulates that the duty of confidentiality to which the court's staff (eg, respect to fintech companies in your jurisdiction? the judge), lawyers and others employed by the law firm are subject, implies that the unlawful use or disclosure of trade secrets that the The fintech nature of a product or service does not in itself give rise to person in question has learned about through involvement in or access particular competition law issues. to the legal proceedings is a punishable offence. This also applies to However, aspects of the fintech business model mean that certain other persons involved in the legal proceedings, such as witnesses. competition law considerations – of general application – often become relevant in the context of fintech businesses. Branding One example of this is the widespread use of partnerships between 40 What intellectual property rights are available to protect fintech businesses and incumbent financial institutions that, depending branding and how do you obtain those rights? How can on the nature of the partnership, may raise competition law questions fintech businesses ensure they do not infringe existing about horizontal or vertical cooperation. brands? At the other end of the spectrum, where a fintech product or service requires the fintech business to access a financial institution's The most relevant IP rights protecting branding are set out in the systems or customer data and the financial institution is reluctant to Trademarks Act, the Marketing Practices Act and the Copyright Act. provide this access, questions of anticompetitive behaviour may arise in The Trademarks Act protects signs used in branding, such as brand certain circumstances. names, mottos or catchphrases and logos. The Marketing Practices Act protects certain commercial signs that have the necessary degree of TAX distinctiveness. Copyright protection may in principle be afforded under the Copyright Act for user interfaces in software and website designs, Incentives which may enjoy copyright protection with regard to branding; however, 43 Are there any tax incentives available for fintech companies in practice, this protection is difficult to obtain. and investors to encourage innovation and investment in the Trademark protection in Denmark may be obtained by way of both fintech sector in your jurisdiction? a community (EU) trademark and on the national level in Denmark as a Danish trademark. In Denmark, trademark protection may be obtained Danish tax law provides no specific fintech incentives. However, Danish by way of both registration and use-based rights. To be registered as a tax law contains general tax incentives in the form of tax-favourable trademark, the trademark owner must be able reproduce the trademark treatment on granting shares, options and warrants, where a company in an appropriate manner by using technology that is generally avail- can grant up to 10 per cent (or 20 per cent if certain requirements are able in order to determine the content of the trademark right clearly and met) of an employee's remuneration through such instruments. These precisely. Protection under the Marketing Practices Act is obtained by favourable tax incentives have in part been introduced to promote start- use, when necessary degree of distinctiveness exists. up businesses in Denmark. To avoid trademark infringement of existing brands, fintech businesses should perform appropriate freedom-to-operate analysis prior Increased tax burden to launching brands, including checking both national and EU registers 44 Are there any new or proposed tax laws or guidance that for potentially conflicting registered rights. As protection in some cases could significantly increase tax or administrative costs for can be established by use, a market check is also necessary. Similarly, fintech companies in your jurisdiction? as regards the Marketing Practices Act, where protection is also established formlessly, a market check is necessary. There are no such proposed tax laws currently implemented or The Danish Patent and Trademark Office will, in connection with underway. a trademark application, produce a search report showing rights with which the applicant may come into conflict. However, the owners of these prior rights are not automatically notified of this and, thus, it is up to each owner to stay informed and assess whether they believe their rights are infringed.

www.lexology.com/gtdt 55 © Law Business Research 2020 Denmark Plesner Advokatpartnerselskab

IMMIGRATION

Sector-specific schemes 45 What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

Citizens from other EU and EEA countries or Switzerland may work Rasmus Mandøe Jensen [email protected] in Denmark under the EU rules on the free movement of persons and services. As a clear starting point, these citizens must have a work Christian Scott Uhlig permit to work in Denmark. [email protected] There are several immigration schemes aimed at the recruitment of skilled staff. However, none are specific to the technology or financial Amerika Plads 37 sector. The most relevant schemes for a fintech business are: DK-2100 Copenhagen • the Pay Limit Scheme, which ensures that an employee is granted Denmark a work permit if their annual salary is over a certain amount Tel: +45 33 12 11 33 (436,000 kroner) and the employment terms correspond to Danish www.plesner.com standards; • the Positive List scheme, under which residence and work permits are granted to employees who have been offered jobs that are listed on the Positive List covering certain professions and fields that are and ‘covid-19 investor loans’, which both are aimed at seed-stage start- currently experiencing a shortage of qualified professionals. The ups, and ‘covid-19 syndicated loans’, which are aimed at late-stage list contains more than 100 professions and is available on the start-ups. Danish Immigration Service website; and These covid-19 financing schemes are set to expire on 30 • the fast-track scheme, which makes it faster and easier for certified September 2020. companies to recruit foreign employees with special qualifications to work in Denmark

Additional immigration schemes are available that may be relevant (eg, for trainees or intra-group secondments).

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

No updates at this time.

In the area of banking and finance, the Danish authorities have put in place several schemes as a result of the covid-19 outbreak, however none specifically targeted fintech companies. These schemes include, inter alia, a guarantee scheme from the Danish Growth Fund covering up to 70 per cent of loans issued for the purpose of funding losses resulting from the covid-19 outbreak as well as a similar guarantee scheme from the Danish Export Credit Agency directed at Danish export businesses (ie, businesses where a minimum of 10 per cent of the revenue stream from the last financial year related to exports), which also covers up to 70 per cent of losses incurred by lenders on new credit lines offered for liquidity purposes. Furthermore, the Danish Growth Fund has initiated certain lending schemes directed at Danish start-ups. These schemes include ‘covid-19 start loans’, which are aimed at pre-seed start-ups, as well as certain match-rate financing schemes, including ‘covid-19 business angel loans

56 Fintech 2021 © Law Business Research 2020 Egypt

Mohamed Hashish Soliman, Hashish & Partners

FINTECH LANDSCAPE AND INITIATIVES After an almost five-month review, the House of Representatives introduced a number of amendments to the Law, which were approved, in General innovation climate principle, by the House of Representatives on 5 May 2020. 1 What is the general state of fintech innovation in your The Draft Banking Law was referred to the State Council for review, jurisdiction? which approved and referred it to the President for issuance.

Fintech is governed by several Egyptian laws and regulations, including Government and regulatory support the following main laws and regulations (as amended): 2 Do government bodies or regulators provide any support • the Non-cash Payment Methods Law No. 18 of 2019; specific to financial innovation? If so, what are the key • Law No. 88 of 2003 on the Central Bank of Egypt and the Banking benefits of such support? Sector (the Banking Law) and its executive regulation; • the E-signature Law No. 15 of 2004 and its executive regulation; In May 2019, the CBE launched a regulatory sandbox for the purpose of • the Non-Financial Markets and Instruments Law No. 10 of 2009; providing fintech players with is a virtual space within which, subject • the Microfinance Law No. 141 of 2014; to a specific framework, applicants can experiment with their solutions • the Trade Code No. 17 of 1999; for a limited period of time on a small scale and under a well-defined • the Consumer Finance Law No. 18 of 2020; parameter. • the Cybercrime Law No. 175 of 2018; Furthermore, a number of funds initiatives are available to fintech • the Investment Law No. 72 of 2017 and its executive regulation; start-ups in Egypt. For example, in March 2019, the CBE launched the • the Consumer Protection Law No. 181 of 2018 and its executive Fintech Innovation Fund with a value of 1 billion Egyptian pounds. In regulation; April 2019, the International Finance Corporation launched, in collabora- • the Small and Microenterprises Law No. 141 of 2004 and its execution with two local partners in Egypt, a two-year programme to support tive regulation; the fintech space in Egypt, and the World Bank Group set aside US$200 • the Telecoms Law No. 10 of 2003; million for small and medium-sized enterprises in Egypt, which can be • the Media Law No. 180 of 2018; used also by small and medium-sized fintech players. • the Capital Market Law No. 95 of 1992 and its executive regulation; • the Movable Securities Law No. 115 of 2015 and its executive FINANCIAL REGULATION regulation; • the Anti-Money Laundering Law No. 80 of 2002 and its executive Regulatory bodies regulation; 3 Which bodies regulate the provision of fintech products and • the Public Entities Contracts Law No. 182 of 2018 and its executive services? regulation; and • Presidential Decree No. 89 of 2017, founding the National Several bodies are responsible for enforcing fintech-related laws and Payments Council. regulations, including: • the Central Bank of Egypt (CBE), which is empowered by Law No. There has been rapid global change in the banking and finance sector, 88 of 2003 on the Central Bank of Egypt and the Banking Sector particularly in the fintech space. The banking sector in Egypt, being a (the Banking Law) to, among other things, regulate bank accounts country that witnessed two revolutions in 2011 and 2013, was certainly and banking transactions; affected by this change as well as the local political challenges. • the Information Technology Industry Development Agency, which is As a result, the Egyptian government, upon a request by the Central empowered by the E-signature Law No. 15 of 2004 to, among other Bank of Egypt (CBE), proposed a new Draft Banking Law. This Law things, promote and develop the information technology and commu- was prepared based on, among other things, several pieces of advice nications industry, support small and medium-sized enterprises in provided by international consultancy firms, a comparative study on the using e-transactions and regulate e-signature services activities; laws of other countries, international standards, the Basel Framework, • the Financial Regulatory Authority (FRA), which is empowered by recommendations of the Organisation for Economic Co-operation and the Non-Financial Markets and Instruments Law No. 10 of 2009 Development, the World Bank Group and the International Monetary to, among other things, license the carrying out of non-banking Fund, as well as recommendations made by the banks that are regis- financial activities and the protection of stakeholders within the tered with the CBE. non-banking financial market; In accordance with the Constitution, the Draft Banking Law was • the National Payments Council, which is empowered by Presidential submitted to the House of Representatives for review and approval. Decree No. 89 of 2017 to, among other things, reduce the use of www.lexology.com/gtdt 57 © Law Business Research 2020 Egypt Soliman, Hashish & Partners

cash outside the banking sector, support and encourage the use of Secondary market loan trading electronic methods and channels instead of cash, and protect the 6 Are there restrictions on trading loans in the secondary consumers of any payment systems and services; and market in your jurisdiction? • the National Telecommunications Regulatory Authority, which is generally empowered by the Telecoms Law No. 10 of 2003 to regu- In general, there are no restrictions on trading loans in Egypt. However, late and enhance telecommunication services. if the trading is being carried out on a regular basis, then it may be deemed as the carrying out of banking activities, in which case licensing Regulated activities by and registration with the CBE is required. 4 Which activities trigger a licensing requirement in your The assignment of debts in Egypt is subject to a specific legal jurisdiction? framework to be effective in respect of debtor and surety (if any).

In general, according to the Banking Law and several judgments issued Collective investment schemes by the economic courts, neither natural nor juristic persons may practise 7 Describe the regulatory regime for collective investment any banking activity in Egypt without being licensed by and registered schemes and whether fintech companies providing with the CBE. alternative finance products or services would fall within its ‘Banking activities’ are defined under the Banking Law as any activ- scope. ities regarding the receipt of deposits, the provision of refinancing, loans, facilities, contributions to share capital in local companies and any other As a general rule, no activity relating to investment funds can be carried activities that are considered as banking activities according to banking out unless a licence is obtained from the FRA. Banks registered with the customs that are carried out on a regular basis and as the main business CBE may carry out the activity, provided that an approval is obtained activities of any person carrying out those activities. This definition is from the CBE. also found in the Trade Code No. 17 of 1999. Investment funds may, in general, be established in the form of a Any person that violates those provisions is subject to imprison- joint-stock company with a minimum issued capital of 5 million Egyptian ment of between 24 hours and three years or a fine of between 5,000 pounds or any equivalent currency. Egyptian pounds and 50,000 Egyptian pounds, or both, in accordance Licensed investment funds must deposit any securities that with the Banking Law. There are two main prerequisites that must be they are investing in with one of the banks that is registered with the satisfied to apply those penalties in respect of any banking activity, CBE, providing that the bank (and its related parties) does not control namely carrying out the banking activity on a regular basis and having or hold more than 10 per cent of the total shares in the investment the banking activity as the main activities of any person, including indi- fund company. viduals and juristic persons. One of the licensing requirements to be qualified for the invest- Other than the general rule above, each of the following activities is ment fund underwriting is to have the minimum required infrastructure also regulated and subject to licensing requirements in Egypt: and technology to do so. • microfinancing; Investment funds may take the form of an open-end fund, closed- • investment banking; end fund, private equity fund, exchange-traded fund, money market • brokerage; fund, debt fund, real estate fund, donor-advised fund or related fund. • factoring; Promoting investment funds is generally not allowed before estab- • foreign exchange trading; lishing them except for in the case of private equity funds and providing, • payment services; among other things, that a notification is sent to the FRA and that no • e-commerce; underwriting is made as a part of the promotion. • financial leasing; Most of the alternative financial products and services that are • mortgage finance; and provided by fintech companies generally fall within the scope of either • consumer lending. collective investment schemes or banking activities.

Consumer lending Alternative investment funds 5 Is consumer lending regulated in your jurisdiction? 8 Are managers of alternative investment funds regulated?

The Consumer Finance Law No. 18 of 2020 was issued on 16 March 2020, Yes, managers of alternative investment funds are regulated, including governing any activity aiming at financing the purchase of products or board members. services for consumption purposes as long as the activity will be carried out on a regular basis. Among the activities covered is financing through Peer-to-peer and marketplace lending payment cards or any other means decided by the CBE. 9 Describe any specific regulation of peer-to-peer or The consumer finance-related activities above may not be carried out marketplace lending in your jurisdiction. in Egypt unless a licence is obtained from the FRA. The licence requires, among other things, the carrying out of the activities by a joint-stock Peer-to-peer and marketplace lending can be deemed as banking company with an issued capital of at least 10 million Egyptian pounds. activities, in which case licensing by and registration with the CBE is The Consumer Finance Law (including the licensing requirement) required. does not apply to all banks registered with the CBE nor any entity licensed to carry out mortgage financing, financial leasing, factoring, microfi- Crowdfunding nancing or the purchasing of properties from real estate developers. 10 Describe any specific regulation of crowdfunding in your The Consumer Finance Law applies only to vehicles, durable jurisdiction. products, educational services, medical services, travel and leisure services as well as any other products and services that are determined Crowdfunding falls within the meaning of banking activities; however, it by the FRA. may also be a form of donor-advised fund.

58 Fintech 2021 © Law Business Research 2020 Soliman, Hashish & Partners Egypt

In practice, a number of donor-advised funds have been estab- Robo-advice lished by a special presidential decree rather than a licence from the 14 Describe any specific regulation of robo-advisers or other FRA. For example, Presidential Decree No. 139 of 2014 established a companies that provide retail customers with automated fund of a private nature called the Tahya Misr Fund for the purpose of access to investment products in your jurisdiction. assisting the government in, among other things, establishing development and service projects as well as developing slums and micro and Robo-advice is not yet regulated in Egypt. small projects. The government has used the crowdfunding approach to fund a Insurance products number of public utility projects, such as the crowdfunding that was 15 Do fintech companies that sell or market insurance products used in 2014 to fund the development of the New Suez Canal, which cost in your jurisdiction need to be regulated? Egypt around 30 billion Egyptian pounds. According to the Insurance Law No. 10 of 1981, no one is allowed in Invoice trading person or through an intermediary to carry out any activity related to 11 Describe any specific regulation of invoice trading in your insurance or reinsurance in Egypt without obtaining a licence from the jurisdiction. FRA. Fintech companies that sell or market insurance products fall within this restriction and are regulated in Egypt. Invoice trading may be characterised under Egyptian law as banking activities (if providing credit), and it may also be characterised as a Credit references factoring. This can be assessed on a case-by-case basis. 16 Are there any restrictions on providing credit references or Licensed factors are allowed to provide, among other things, guar- credit information services in your jurisdiction? antee, collection and account management services. The following main three conditions are required in the subject of All services relating to the provision of credit rating and indebtedness any factoring transaction: references are regulated. Those services require a licence from the CBE. 1 it must be created from a commercial transaction related to the At present, there is only one licensed company, the Egyptian Credit relevant buyer and debtor but not through a cash financing; Bureau, that is subject to a specific legal framework governing the 2 it must not be associated with any third party’s existing or future provisions of those references. right; and In general, disclosing credit ratings and indebtedness references 3 it must not be limited or restricted unless otherwise agreed by the related to any person is not allowed unless an approval from the person relevant factor and buyer. is obtained.

The subject may also be fully depreciated, provided that points (2) and CROSS-BORDER REGULATION (3) are satisfied. The provisions of Law No. 88 of 2003 on the Central Bank of Egypt Passporting and the Banking Sector and several judgments issued by the economic 17 Can regulated activities be passported into your jurisdiction? courts also apply to factoring. Not applicable. Payment services 12 Are payment services regulated in your jurisdiction? Requirement for a local presence 18 Can fintech companies obtain a licence to provide financial There is a specific regulation governing payment services that are services in your jurisdiction without establishing a local provided by technical payment aggregators or payment facilitators. presence? Services agreements are subject to specific know-your-customer and anti-money laundering checks and must include specific terms and No, conditions for those services, including a restriction on sub-contracting unless certain conditions are being met. SALES AND MARKETING Under the Draft Banking Law, no activity concerning the operation of a payment system or the provision of a payment system may be Restrictions carried out unless a licence is obtained by the CBE. This new restric- 19 What restrictions apply to the sales and marketing of tion applies to all persons, whether natural or juristic, carrying out the financial services and products in your jurisdiction? activity in Egypt or providing the services from abroad to any residents in Egypt, with the exceptions of stock exchanges, futures exchanges, In general, the sales and marketing of financial services and products in securities settlement systems, licensed central clearing, depository and Egypt are regulated and subject to a prior licence and approval. registry systems, custodian banks and internal systems of the Egyptian Ministry of Finance that do not include payment, collection, setting-off CHANGE OF CONTROL or clearance of payment. Notification and consent Open banking 20 Describe any rules relating to notification or consent 13 Are there any laws or regulations introduced to promote requirements if a regulated business changes control. competition that require financial institutions to make customer or product data available to third parties? It depends on several elements, such as the type and location of business that is the subject of the change of control. For example, no one No. is allowed to acquire between 5 and 10 per cent of the issued capital of any bank registered with the Central Bank of Egypt (CBE) unless a www.lexology.com/gtdt 59 © Law Business Research 2020 Egypt Soliman, Hashish & Partners

notification is sent to the CBE. Prior approval from the CBE is required Securitisation risk retention requirements to acquire more than 10 per cent of the issued capital. A similar restric- 25 Are securitisation transactions subject to risk retention tion applies to insurance companies. requirements?

FINANCIAL CRIME In general, the originator of a securitisation portfolio must guarantee its existence at the assignment date, and the originator is not liable for Anti-bribery and anti-money laundering procedures settling any dues that are the subject of the portfolio upon the perfec- 21 Are fintech companies required by law or regulation to have tion of the assignment to the relevant securitisation special purpose procedures to combat bribery or money laundering? vehicle. The assignment is required, in general, not to be conditional except Money laundering is mainly governed by the Anti-Money Laundering for one condition that requires complete subscription to the securitised Law No. 80 of 2002 (the AML Law) and its executive regulation. portfolio. The AML Law names 15 entities that must comply with the its provisions and its executive regulation, including all banks, branches of Securitisation confidentiality and data protection requirements foreign banks in Egypt and money transfer entities. 26 Is a special purpose company used to purchase and securitise Those entities are also subject to several obligations under other peer-to-peer or marketplace loans subject to a duty of laws governing their specific activities. Violating these obligations confidentiality or data protection laws regarding information will result in imposing different penalties including fines or imprison- relating to the borrowers? ment, or both. Not applicable. Guidance 22 Is there regulatory or industry anti-financial crime guidance ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER for fintech companies? TECHNOLOGY AND CRYPTO-ASSETS

Yes, all available guides can be found on the anti-money laundering Artificial intelligence page of the Central Bank of Egypt’s website. 27 Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice? PEER-TO-PEER AND MARKETPLACE LENDING There is no special regulation in Egypt governing artificial intelligence. Execution and enforceability of loan agreements However, according to Prime Ministerial Decree No. 2889 of 2019, a new 23 What are the requirements for executing loan agreements or national council was established: the Artificial Intelligence National security agreements? Is there a risk that loan agreements Council (AINC). The AINC is empowered to determine, supervise and or security agreements entered into on a peer-to-peer or follow up on Egypt’s national strategy for artificial intelligence in light of marketplace lending platform will not be enforceable? international developments. In addition, since 2019, the Minister of High Education has started In general, loan agreements do not require any execution formali- to add special artificial intelligence departments to several engineering ties, whereas almost all types of securities, such as mortgages, liens, universities in Egypt. pledges, assignments of rights and movable collateral, have specific execution formalities to be enforceable and effective in respect of Distributed ledger technology third parties. 28 Are there rules or regulations governing the use of Peer-to-peer and marketplace lending platforms may be deemed distributed ledger technology or blockchains? as banking activities; therefore, there is an invalidity risk associated with any loan granted within the peer-to-peer and marketplace lending There are no specific regulations or rules applied to distributed ledger platform without compliance with the relevant licensing framework. technology or blockchain. However, the Draft Banking Law includes a Chapter regulating fintech, including, among other things, the possibility Assignment of loans of issuing cryptocurrencies for the first time in Egypt. 24 What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending Crypto-assets platform? What are the implications for the purchaser if the 29 Are there rules or regulations governing the use of crypto- assignment is not perfected? Is it possible to assign these assets, including digital currencies, digital wallets and loans without informing the borrower? e-money?

In general, there are no restrictions on trading loans in Egypt. However, There is no specific regulation governing crypto-assets in Egypt. if the trading is being carried out on a regular basis, then it may be However, the Draft Banking Law includes a Chapter regulating fintech, deemed as the carrying out of banking activities, in which case licensing including, among other things, the possibility of issuing cryptocurren- by and registration with the Central Bank of Egypt is required. cies for the first time in Egypt. The assignment of debts in Egypt is subject to a specific legal The Mobile Payment Regulation was issued by the Central Bank framework to be effective in respect of debtor and surety (if any). of Egypt (CBE) in November 2016. The Regulation governs mobile payments and provides the minimum requirements that banks must meet to authorise mobile payments, including risk management, supervisory requirements, customers’ security, mobile cash, partnership with services providers, interoperability, authentication, confidentiality and licensing framework.

60 Fintech 2021 © Law Business Research 2020 Soliman, Hashish & Partners Egypt

The Mobile Payment Regulation does not apply to mobile banking, Cybersecurity which is governed separately. 33 What cybersecurity regulations or standards apply to fintech Each bank is allowed to issue mobile cash of up to 5 per cent of its businesses? paid-in capital or 50 million Egyptian pounds, whichever is less. Mobile cash may only be issued in Egyptian pounds, not in any other currency. According to the Cybercrime Law No. 175 of 2018, all providers of infor- Local transactions in mobile cash within Egypt are allowed within mation technology and telecommunications services, including the specific daily and monthly thresholds adopted by the CBE. However, processing or storing of data, must retain and store users’ data for at these thresholds may be exceeded if a positive outcome for the know- least 180 continuous days, including identification, the content of the your-customer and authentication process is made. services’ system, communication traffic, terminals and any other data The Mobile Payment Regulation allows the receipt of mobile cash required by the National Telecommunications Regulatory Authority. transfers from abroad, subject to satisfying a number of conditions, The providers must also keep all stored and archived data including that the transfers must be converted into Egyptian pounds (including personal data) confidential and not disclose the data unless and be limited to natural persons. there is court order to do so.

Digital currency exchanges OUTSOURCING AND CLOUD COMPUTING 30 Are there rules or regulations governing the operation of digital currency exchanges or brokerages? Outsourcing 34 Are there legal requirements or regulatory guidance with There is no specific regulation governing crypto-assets in Egypt. respect to the outsourcing by a financial services company of However, the Draft Banking Law includes a Chapter regulating fintech, a material aspect of its business? including, among other things, the possibility of issuing cryptocurrencies for the first time in Egypt. Yes. There are specific legal requirements and regulatory guidance for the outsourcing of specific services. For example, online trading is Initial coin offerings subject to specific regulations requiring brokerage companies to satisfy 31 Are there rules or regulations governing initial coin offerings certain conditions and requirements to provide any trading solutions (ICOs) or token generation events? online. These conditions and requirements include specific technical requirements and conditions on the information technology infrastruc- There is no specific regulation governing ICOs in Egypt. However, the ture of the brokerage companies. Draft Banking Law includes a Chapter regulating fintech. Another example, according to a Circular issued by the Central Bank of Egypt (CBE) in 2014, is that no bank registered with the CBE DATA PROTECTION AND CYBERSECURITY may provide internet banking solutions, including online lending, unless prior authorisation is obtained from the CBE. This prior authorisation Data protection requires all banks registered with the CBE to meet specific legal require- 32 What rules and regulations govern the processing and ments, including the provision of a penetration test report to the CBE. transfer (domestic and cross-border) of data relating to fintech products and services? Cloud computing 35 Are there legal requirements or regulatory guidance with There is not yet a personal data protection law in Egypt. However, on respect to the use of cloud computing in the financial services 24 February 2020, the House of Representatives approved Egypt’s first industry? personal data protection law (the Data Protection Law), and it is now subject to issuance by the President. Cloud computing is subject to the Cybercrime Law No. 175 of 2018, The approved Data Protection Law prohibits any act of transfer, which applies to any person providing users, directly or indirectly, with storage or sharing of personal data, which was collected or prepared any information technology and telecommunications service, including for processing, to any foreign state unless the following two main condi- processing or data storage. Those providers must retain and store tions are being satisfied: users’ data for at least 180 continuous days, including identification, the • a protection level applies that is not less than the one adopted by content of services’ system, communication traffic, terminals and any the Data Protection Law; and other data required by the National Telecommunications Regulatory • a licence by the Personal Data Protection Centre is obtained. Authority. According to the Media Law No. 180 of 2018, a prior licence from The executive regulations to be issued for the approved Data Protection the Supreme Council for Media Regulation is required to launch any Law will specify the policies, criteria, requirements and rules that must website in Egypt if: be met for the transfer, storage, sharing, processing and protection of • the website will be created in Egypt; personal data across borders. • the website will be managed by any person in Egypt; or The details of the licensing process are not yet clear. The process • any of the website’s subdomains will be managed by any may depend on a number of factors, including the country to which person in Egypt. the personal data will be transferred, national security concerns and whether the other country allows the transfer of personal data to Egypt.

www.lexology.com/gtdt 61 © Law Business Research 2020 Egypt Soliman, Hashish & Partners

INTELLECTUAL PROPERTY RIGHTS claim damages that cover all the losses incurred to the owner as well as all the profits of which the owner has been deprived as a result of IP protection for software the infringement. 36 Which intellectual property rights are available to protect software, and how do you obtain those rights? COMPETITION

Software is protected in Egypt in the form of copyright. This protection Sector-specific issues requires the registration of the software, including, among other things, 42 Are there any specific competition issues that exist with the first and final 10 pages of the source code, with the Information respect to fintech companies in your jurisdiction? Technology Industry Development Agency. To assess whether there is an antitrust-related risk, it must first be deter- IP developed by employees and contractors mined whether the relevant fintech player is deemed to be in a dominant 37 Who owns new intellectual property developed by an position in accordance with the meaning given under the Antitrust Law employee during the course of employment? Do the same No. 3 of 2005 (the Antitrust Law) and its executive regulations. rules apply to new intellectual property developed by For a fintech player and its controlled affiliates in Egypt to be contractors or consultants? deemed to be in a dominant position under the Antitrust Law, the player must: According to the Intellectual Property Rights Law No. 82 of 2002 (the 1 hold a market share exceeding 25 per cent of the market that is IPRs Law), only the person who provides the direction to create a joint relevant to each service provided by the player (the relevant work is entitled to exercise the author rights of the work. This rule market), the percentage being calculated based on two elements, applies to copyright created by employees during the course of their namely the relevant products (the relevant market products) and employment. the geographic area during a certain period; For contractors and consultants, it depends on the specific terms 2 be able to make an impact on changing the prices or the quantity of and conditions of the relevant development or services agreement. the market products (the dominant ability); and 3 not be in a position to limit the dominant ability, noting that the Joint ownership competitors have the ability to carry out the same business as the 38 Are there any restrictions on a joint owner of intellectual fintech player in Egypt whether in the present or in the future. property’s right to use, license, charge or assign its right in intellectual property? Points (2) and (3) are reviewed and assessed by the Egyptian Competition Authority (ECA) based on specific criteria. According to the IPRs Law, if there is more than one author of any work, If the fintech player is in a dominant position in the relevant market, all participants in the work are considered joint authors, and none of then that player must be in a position to conduct certain practices, them can individually use any right over the work unless otherwise including entering into any agreement with any of its suppliers or its agreed between the authors in writing. customers that results in limiting competition. The assessment of any violation under the Antitrust Law is made Trade secrets by ECA on a case-by-case basis according to specific criteria, including, 39 How are trade secrets protected? Are trade secrets kept among other things, the benefits of customers and commercial customs. confidential during court proceedings? The assessment is subject to a judicial review by the economic courts.

Trade secrets (including confidential information) are protected by the TAX IPRs Law, provided that the secrets: • are maintained as confidential and are not within the public domain; Incentives • maintain their value as a result of their confidential status; and 43 Are there any tax incentives available for fintech companies • maintain their confidentiality status under the effective protection and investors to encourage innovation and investment in the measures taken by their owner. fintech sector in your jurisdiction?

According to the IPRs Law, the court will maintain the confidentially of The Investment Law No. 72 of 2017 provides fintech companies, subject trade secrets. to the satisfaction of specific criteria, with several key guarantees and incentives, including: Branding • exemption from stamp duty and the notarisation fee imposed on 40 What intellectual property rights are available to protect articles of incorporation, facilities and loans agreements, security branding and how do you obtain those rights? How can documents or plot of land purchase agreements for five years, fintech businesses ensure they do not infringe existing starting from the date of registration with the Commercial Registry; brands? • application of a unified custom duty at a flat rate of 2 per cent of the value of any equipment, machinery and device that is necessary for Branding is generally protected as both copyright and trademarks. establishment of the investment projects; and • tax reduction for seven years, counting from the date of starting the Remedies for infringement of IP investment projects in Egypt, subject to a specific formula. 41 What remedies are available to individuals or companies whose intellectual property rights have been infringed?

There are several remedies under Egyptian law for owners of intellectual property rights, including specific performance and the right to

62 Fintech 2021 © Law Business Research 2020 Soliman, Hashish & Partners Egypt

Increased tax burden 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

The Tax Authority is currently in the process of proposing several amendments to the existing tax regimes in Egypt, whereby a new digital tax will be introduced. However, it is too early to know the rates of the proposed digital tax. Mohamed Hashish [email protected] IMMIGRATION 10th Floor, Degla Plaza Building (75/77) Sector-specific schemes 199 St, Degla 45 What immigration schemes are available for fintech New Maadi, Cairo businesses to recruit skilled staff from abroad? Are there Egypt any special regimes specific to the technology or financial Tel: +201 00047 0077 sectors? www.shandpartners.com

As a general rule, non-Egyptians are not allowed to work in Egypt without being permitted to do so by the Ministry of Manpower. In practice, the issuance of a work permit takes up to three months, and it is overcome the repercussions of the pandemic. The Rules also provide valid from one to three years. that these businesses should not lay off any of their employees or The proportion of foreign employees must not exceed 10 per cent reduce the salaries of their employees. of the total number of employees and must not exceed 20 per cent of the company’s payroll. The 10 per cent threshold may be increased to 20 per cent for fintech businesses subject to specific criteria.

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

The Egyptian government, upon a request by the Central Bank of Egypt (CBE), has proposed a new Draft Banking Law. This Law was prepared based on, among other things, several pieces of advice provided by international consultancy firms, a comparative study on the laws of other countries, international standards, the Basel Framework, recommendations of the Organisation for Economic Co-operation and Development, the World Bank Group and the International Monetary Fund, as well as recommendations made by the banks that are registered with CBE. In accordance with the Constitution, the Draft Banking Law was submitted to the House of Representatives for review and approval. After an almost five-month review, the House of Representatives introduced a number of amendments to the Law, which were approved, in principle, by the House of Representatives on 5 May 2020.

In response to the covid-19 pandemic, several pieces of emergency legislation and relief initiatives have been issued in the private sector. For example, a new law was issued under Law No. 24 of 2020, determining the financial rules for facing the challenges brought on the pandemic (the Financial Support Rules). The Financial Support Rules grant all businesses working in the sectors that have been badly affected by the pandemic a number of benefits and exemptions to support them to www.lexology.com/gtdt 63 © Law Business Research 2020 Germany

Christopher Götz, Dang Ngo, Elmar Weinand, Eva Heinrichs, Felix Biedermann, Janine Marinello, Jochen Kindermann, Martin Gramsch and Sascha Kuhn Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES be subject to reduced requirements provided it limits its activities to, broadly: General innovation climate • the distribution of open or closed-end funds registered for public 1 What is the general state of fintech innovation in your distribution in Germany; or jurisdiction? • the distribution of participation rights, subordinated loans or profit participation rights. According to latest statistics, the fintech market has reached a level of saturation. Recent statistics show that after a peak of new compa- In these cases, the local trade office would be the competent supervi- nies in 2017 the number of new fintech start-ups in Germany reduced to sory authority. eight in 2019. As a result of strong competition with non-German fintech companies, several big tech companies and long-established market Regulated activities participants, a substantial increase in new fintech companies in the 4 Which activities trigger a licensing requirement in your German market is not expected. There is a trend towards established jurisdiction? business models that have proven to be reliable. Established companies benefit from higher funding compared to smaller or new companies for Pursuant to section 32(1), sentence 1 of the German Banking Act whom access to funding seems to have become more difficult. (KWG), anyone wishing to conduct banking business or to provide financial services in Germany commercially or on a scale that requires Government and regulatory support a commercially organised business undertaking requires a written 2 Do government bodies or regulators provide any support licence from BaFin. What constitutes banking business or financial specific to financial innovation? If so, what are the key services is set out in section 1(1) and (1a) KWG and includes, among benefits of such support? other things: • the acceptance of monies from the public (deposit business); The German government and municipalities support fintech companies • the provision of money loans (lending business); in various ways. The Federal Financial Supervisory Authority (BaFin) is • the brokering of business involving the purchase and sale of finan- the financial regulatory authority in Germany. BaFin set up a dedicated cial instruments (investment broking); team to support fintech companies in relation to their market entry, • providing customers or their representatives with personal recom- and it also organises events (eg, the annual BaFin-Tech conference) to mendations in respect of transactions relating to certain financial discuss regulatory developments with market participants. Although instruments where the recommendation is based on an evalua- fintech companies do not benefit from special treatment, BaFin supports tion of the investor’s personal circumstances or is presented as fintech companies in relation to evaluating licensing requirements and being suitable for the investor and is not provided exclusively via clarifying ongoing regulatory aspects. The German FinTechRat includes information distribution channels or for the general public (invest- experts appointed by the German Ministry of Finance who support the ment advice); legislature in developing a suitable regulatory framework. All German • the purchase and sale of financial instruments on behalf of and for cities that are hubs for fintech (Berlin, Frankfurt, Munich and Hamburg) the account of others (contract broking); offer additional support through fintech centres. In addition, universities • the management of individual portfolios of financial instruments in or around fintech centres tend support and dedicate resources to the for others on a discretionary basis (portfolio management); development of an effective fintech ecosystem. • dealing in foreign notes and coins (foreign currency dealing); • the ongoing purchase of receivables on the basis of standard FINANCIAL REGULATION agreements, with or without recourse (factoring); • the conclusion of financial lease agreements in the capacity of the Regulatory bodies lessor and the management of asset-leasing special purpose vehi- 3 Which bodies regulate the provision of fintech products and cles (financial leasing); and services? • the purchase and sale of financial instruments separately from the management of a collective investment scheme for a community of The Federal Financial Supervisory Authority (BaFin) is responsible for investors, who are natural persons, on a discretionary basis with regulating fintech products and services in Germany if they fall under regard to the choice of financial instruments (asset management). the scope of regulated activities or products. A fintech company may

64 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Germany

Since the beginning of 2020, crypto-custody business has been added Alternative investment funds to the list of licensable activities. Crypto-custody business is defined as 8 Are managers of alternative investment funds regulated? the safekeeping, administration and storage of crypto-assets or private cryptographic keys used to hold, store and transfer crypto-assets for Managers of alternative investment funds located in Germany are others (crypto assets custody services). regulated under the KAGB. The same also applies to a certain extent to In general, a licence is required for any investment services and German branches of non-German managers of alternative investment activities listed in section A of Annex I of the Directive 2014/65/EU funds. Alternative investment funds may only be marketed in Germany on markets in financial instruments or Annex I of Directive 2013/36/ once they are registered or passported for distribution to investors in EU on access to the activity of credit institutions and the prudential Germany. Germany has implemented the Alternative Investment Fund supervision of credit institutions and investment firms. The provision of Managers Directive 2011/61/EU. payment services is licensable based on the provisions of the German Depending on the nature of their actual activities, fintech companies Act on the Supervision of Payment Services (ZAG). could fall outside the scope of the KAGB if their activities do not consti- The trading of claims deriving from fully drawn loan agreements tute an investment fund. An investment fund is, pursuant to section 1(1), does not trigger a licence requirement, provided that the claim is not sentence 1 of the KAGB, any collective investment scheme that raises amended. However, amendments requiring a new credit decision (eg, capital from a number of investors, with a view to investing in accord- prolongation) can constitute licensable lending business. ance with a defined investment policy for the benefit of those investors and that does not constitute an undertaking operating outside of the Consumer lending financial sector. Such a number of investors will be deemed to exist if 5 Is consumer lending regulated in your jurisdiction? the fund rules or the articles of association of the collective investment fund do not limit the number of potential investors to a single investor. The contractual basis for consumer lending contracts can be found in the German Civil Law Code. The civil law provisions contain an elabo- Peer-to-peer and marketplace lending rate protection regime and require the borrower to comply with, among 9 Describe any specific regulation of peer-to-peer or other things, certain disclosure obligations and walk-away rights for marketplace lending in your jurisdiction. the borrowers. In particular, the licence requirement is triggered if the repayment obligation is in cash. Where the repayment obligation Lenders and borrowers takes the form of financial instruments or other goods or rights, other BaFin has published guidance on the question of when the participants licensing requirements may apply (eg, investment services). of a P2P marketplace typically conduct lending or deposit business on a scale that triggers a licensing requirement. According to this guidance, Secondary market loan trading BaFin assesses potential licence requirements on a case-by-case basis, 6 Are there restrictions on trading loans in the secondary taking into account the activities of each single investor. It is particularly market in your jurisdiction? important that investors do not invest on a commercial scale or in a manner that would require a commercially organised business under- In general, the trading of fully drawn loans does not trigger a licensing taking, because otherwise a banking licence requirement is triggered. requirement in Germany. Restrictions on the trading of loans may apply BaFin suggests that a commercially organised business undertaking is under the terms of the respective contract or as a result of data protec- required if more than €500,000 is invested or more than 100 loans are tion rules. granted. An investor invests on a commercial scale if he or she undertakes the investments for a certain time and with a view to making a Collective investment schemes profit. In addition, under certain circumstances crowd-lending models 7 Describe the regulatory regime for collective investment are subject to the Act on Capital Investments, so that several investor schemes and whether fintech companies providing protection rules apply, such as the requirement to produce a sales alternative finance products or services would fall within its prospectus, which must be approved by BaFin. However, exemptions scope. may apply.

The German Capital Investment Code (KAGB) provides the licensing and Peer-to-peer or platform operators supervision regime for investment management companies and invest- Whether the operation of a crowd-lending platform requires a licence ment funds in Germany. In addition, the marketing of investment funds (and which kind of licence) depends on the actual services that are to investors in Germany is also regulated under the KAGB. The KAGB provided. Generally, it depends on the way the contracting is designed takes a holistic approach and provides the legal regime for all collective on the platform. In cases where the operator of the platform merely investment schemes (eg, alternative investment funds and undertak- provides the infrastructure, the licensable activities are more likely to ings for collective investments in transferable securities). The aim of the be conducted by the users of the platform. If, on the other hand, the KAGB is to ensure an adequate supervision of collective investments, operator of the platform steps into each transaction and takes on its including the administration, marketing and compliance with investment own credit risk, it is likely that the licensable activity will be conducted rules. However, crowdfunding platforms and peer-to-peer (P2P) lending by the platform operator. However, the pure brokerage of loans would platforms are generally not viewed as collective investment schemes generally not be considered as banking, financial or payment services, by BaFin. BaFin focuses on the lending aspect and indicates in several so ‘only’ an authorisation under the GewO may be required. guidance notes that, depending on the actual nature of the services provided, licensable lending business may be conducted. Further, the brokerage of loans requires a licence under the German Industrial Code (GewO) and, therefore, the operation of a P2P lending platform could trigger the requirement for a loan broker licence.

www.lexology.com/gtdt 65 © Law Business Research 2020 Germany Simmons & Simmons LLP

Crowdfunding In terms of their supervision and regulation, robo-advising busi- 10 Describe any specific regulation of crowdfunding in your nesses are generally subject to the same rules as if such services were jurisdiction. rendered ‘manually’. Thus, automated investment advice will need to comply with the applicable licensing requirements and conduct of busi- There are several different kinds of crowdfunding platforms available ness rules. BaFin’s guidance sets out that the provision of robo-advice in Germany. In a guidance note, BaFin sets out four main crowd- could fall under a number of regulated services, including investment funding models: advice and contract broking. Additionally, providers often offer portfolio • donation-based and rewards-based crowdfunding, which is also management services under the label of robo-advice. Depending on the referred to as crowd sponsoring; actual structure of the business, additional conduct of business rules • loan-based crowdfunding (crowd lending); and may apply. For example, where the provider uses an advisory model • crowd investing. and gives personalised recommendations to its investors, certain documentation obligations apply. In addition, the provider may need to In the latter two types, the aim is to generate a financial return. BaFin determine the suitability and appropriateness of the financial products does not apply specific regulatory regimes to different business models that it recommends. per se. BaFin instead focuses on the nature of the activities undertaken by the users and the operators of the crowdfunding platforms and Insurance products decides on a case-by-case basis whether licensable activities are being 15 Do fintech companies that sell or market insurance products conducted and by whom. in your jurisdiction need to be regulated?

Invoice trading Fintech companies selling or marketing insurance products in Germany 11 Describe any specific regulation of invoice trading in your are likely to be regulated by BaFin if they conduct insurance business in jurisdiction. Germany and by the local chamber of industry and commerce if they act as insurance brokers in Germany. Invoice trading is generally not a regulated activity. However, if the actual activities constitute a financial service (eg, factoring, which Credit references means the ongoing purchase of receivables on the basis of standard 16 Are there any restrictions on providing credit references or agreements, with or without recourse) this activity is regulated and credit information services in your jurisdiction? requires a financial services licence. Should a credit information service qualify as a credit-rating agency, the Payment services rules of the EU Credit Rating Agency Regulation apply. 12 Are payment services regulated in your jurisdiction? CROSS-BORDER REGULATION Germany has implemented the Payment Services Directive and, thus, anyone wishing to conduct payment services as a payment institu- Passporting tion commercially or on a scale that requires commercially organised 17 Can regulated activities be passported into your jurisdiction? business operations needs written authorisation from BaFin. What constitutes payment services is set out in ZAG and comprises the same As Germany is a member of the European Union, institutions holding a activities set out in the Payment Services Directive. licence to conduct regulated activities in any EEA country can apply for a ‘passport’. The passport is a notification procedure to the home state Open banking regulator. Such a passport would enable the licence holder to estab- 13 Are there any laws or regulations introduced to promote lish a physical presence in the form of a branch in the host country or competition that require financial institutions to make to provide services on a cross-border basis without a physical pres- customer or product data available to third parties? ence. The passport avoids a complete authorisation procedure if a party intends to carry out a regulated activity in another EU country. Not all No, we are not aware of any such laws or regulations. services can be passported. Crypto-assets custody services and asset management services are, for example, services that are not harmonised Robo-advice and will trigger a licence requirement when carried out in Germany. 14 Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated Requirement for a local presence access to investment products in your jurisdiction. 18 Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local Robo-advice is any form of customer support on investment decisions presence? by making use of partially or fully automated IT systems. There are several different kinds of automated investment advice platforms that A German financial services licence will only be granted to a fintech are active in Germany. BaFin has issued guidance on robo-advice, company that has established a physical presence in Germany. However, indicating that these services can be qualified as (and regulated a fintech company with a financial services licence in another EEA as) investment advice, financial portfolio management, acquisition country can apply for a passport to Germany and, thus, would be able brokerage and investment brokerage (each depending on its individual to provide financial services in Germany through a branch or without a features), and, thus, offering respective services regularly requires physical presence on a purely cross-border basis. licensing under German banking (eg, KWG and the German Securities Trading Act) and commercial law (eg, GewO). Most offerings currently available on the German market constitute investment advice or financial portfolio management.

66 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Germany

SALES AND MARKETING under the Money Laundering Act. For this reason, the corresponding sanctions also result directly from the law itself. Restrictions There have been some important changes to the Money Laundering 19 What restrictions apply to the sales and marketing of Act in the past: on 1 January 2020, the Act was amended to implement financial services and products in your jurisdiction? the requirements of EU’s Fifth Anti-money Laundering Directive. The changes imposed additional obligations, especially for regulated finan- There are various restrictions regarding the sales and marketing of cial services businesses, including fintech companies. Since this date, financial services and products in Germany. The marketing of a regu- institutions in the field of crypto-assets (eg, virtual currency exchange lated activity in Germany constitutes a licensable activity and providing platforms and custodian wallet providers) are explicitly included in the those services without the necessary licence constitutes a criminal group of obliged entities. offence. The marketing of financial instruments is subject to a detailed Generally, entities subject to German AML laws are, or will be regulatory framework set out in Directive 2014/65/EU on markets required to, among other things: in financial instruments. Providing false or misleading information is • implement preventive policies, controls and procedures; generally prohibited. Further rules apply for specific types of financial • identify and assess the firm’s exposure to money laundering risk instruments like investment funds. by, for example, undertaking a risk assessment; • perform customer due diligence to an adequate standard CHANGE OF CONTROL depending on the risk profile of that client; • keep appropriate records; Notification and consent • monitor compliance with the anti-money laundering regulations, 20 Describe any rules relating to notification or consent including internal communication of policies and procedures; and requirements if a regulated business changes control. • report suspicious transactions.

Investors that intend to acquire 10 per cent or more of the capital or the Furthermore, the abovementioned amendment of the Money voting rights of a regulated entity are required to file a disclosure as Laundering Act includes unified, enhanced due diligence requirements holders of a significant holding. These investors must provide detailed for transactions with high-risk countries and extended data access information regarding their background, the origin of their funding, the competencies for the Federal Financial Intelligence Unit and law CVs of relevant persons and the details of their group structure. The enforcement agencies. In addition, digital companies will be required Federal Financial Supervisory Authority then generally has 60 days to to provide payment service providers with access to infrastructure approve or oppose the acquisition and may make approval subject to services. These include, for example, interfaces for near field commu- certain actions being taken. nication, which is required for cashless payments by mobile phone at In addition, notification requirements under securities trading or physical points of sale. stock corporation laws may apply, depending on the legal nature of Violations of anti-money laundering regulations are administra- the target. tive offences and will result in fines of up to €5 million or 10 per cent of the institution’s total revenue. FINANCIAL CRIME According to recent federal jurisdiction plans, fines of up to 10 per cent of a corporation's annual turnover for regulatory offences may be Anti-bribery and anti-money laundering procedures imposed. Furthermore, corporations are to be excluded from public 21 Are fintech companies required by law or regulation to have tenders for a term of five years if they have been fined for bribery or if procedures to combat bribery or money laundering? a member of the executive board has been convicted for bribery. At a state level, some German federal states already have adopted an act Firstly, a distinction must be made between anti-corruption and bribery that allows their authorities to exclude companies from public tenders (ABC) regulations and rules for combating money laundering (AML). if the company or its employees are associated with ABC-related As taking and giving bribes are criminal offences under the behaviour. German Criminal Code, only individuals can be held criminally liable. In addition, Germany has been debating for years whether compa- Corporations and legal entities as such can solely be subject to regu- nies should be held liable under a kind of criminal law (ie, corporate latory investigations and sanctions. However, if the individual acts on sanctions law) if its responsible persons commit crimes or regulatory behalf of a corporate body, the corporation may be subject to additional offences. The current federal government is working on such an act fines and confiscation of assets gained because of the criminal conduct and has recently published a first draft. However, this draft will likely or forfeiture of other assets. All relevant administrative offences be revised a few times before it enters into force. committed in Germany are mainly covered under the provisions of the In summary, despite some differences in the material scope, it is Act on Regulatory Offences. important for fintech companies to adhere to the legal requirements of Thus, German regulatory offences law allows legal entities to be ABC and AML regulations and to create a corresponding compliance fined for bribery offences that have been committed by their legal repre- structure. After all, the risk for the company is always the same in the sentatives or by any other senior management employee, the conduct of event of infringement as very high fines are threatened. whom can be associated to the legal entity. Fines of up to €600 million have been imposed for bribery offences in the past. Guidance In contrast to this, all companies in Germany must generally 22 Is there regulatory or industry anti-financial crime guidance comply with national AML regulations. In addition, where an institu- for fintech companies? tion is an obliged entity under the German Money Laundering Act (see section 2), it is under numerous additional obligations (eg, to set up a There is no specific anti-financial crime guidance for fintech compa- specific AML compliance system). This means that it is not – as with the nies apart from the general advice that companies should always be ABC regulations – a matter of breach of criminal provisions by natural compliant with relevant regulations. Therefore, it is essential to have persons (eg, employees), but that the entity itself may violate the rules an adequate compliance system in place. www.lexology.com/gtdt 67 © Law Business Research 2020 Germany Simmons & Simmons LLP

The design of the compliance system and the compliance organi- to damage claims by the borrower; if the form requirements are not sation is fundamentally subject to the business judgement rule as an complied with, the loan agreement can be void; or if the consumer has entrepreneurial decision. The management has to make decisions not been instructed correctly on his or her revocation rights, the loan based on appropriate information, acting for the benefit of the entity. can become revocable for an indefinite period. With regard to formal Above all, in terms of compliance, this means analysing the risks to requirements for the execution of the loan and security agreements, which the company is exposed as part of its business activities and to written form is required; electronic form is permitted as well, except repeat that continuously and regularly. Based on the risk analysis, the for in the case of certain security documents where a notarisation by management must make appropriate organisational arrangements for a German notary is required (eg, land charge deeds, which include an compliance in the company, such as: immediate enforcement clause or share pledge agreements, which • use of increased compliance resources in countries with a high risk relate to the pledge of shares in a German limited liability company). of corruption; • stricter compliance checks on public contracts; Assignment of loans • ongoing due diligence and monitoring; 24 What steps are required to perfect an assignment of • ongoing internal training; loans originated on a peer-to-peer or marketplace lending • separate rules for dealing with certain occupational groups; platform? What are the implications for the purchaser if the • clear rules; and assignment is not perfected? Is it possible to assign these • where appropriate, controls for contacts with competitors. loans without informing the borrower?

However, institutions that are regulated by the Federal Financial An assignment agreement would need to be concluded in relation to the Supervisory Authority, in addition, should comply with all applicable assignment of the loan claims; there are no further perfection require- anti-financial crime guidance for the financial sector. ments and the borrower’s consent is not required. The assignment is also valid if it is not being disclosed to the borrowers. In the case of a PEER-TO-PEER AND MARKETPLACE LENDING transfer of rights and obligations under a loan agreement (ie, transfer of the whole contractual relationship) to a new lender of record, the Execution and enforceability of loan agreements borrower (as both debtor and creditor of the transferred rights and 23 What are the requirements for executing loan agreements or obligations) would need to consent to the transfer. Usually, the loan security agreements? Is there a risk that loan agreements documentation would include provisions requiring the prior consent of or security agreements entered into on a peer-to-peer or the borrower to such a transfer. In the case of an assignment of rights marketplace lending platform will not be enforceable? under a loan agreement, an assignment is generally possible without the consent of the borrower. If an assignment of the rights under a There is no special legislation applicable in Germany in relation to peer- loan agreement was explicitly excluded by a borrower in the loan docu- to-peer (P2P) lending (ie, the general regulatory and civil law provisions mentation, the assignment would be void. However, in the case of the are applicable). A distinction needs to be made between direct and indi- indirect P2P lending structure, the loan documentation should already rect P2P lending. include the prior consent of the borrower to transfer the rights and obli- • In relation to direct P2P lending, the agreement is concluded gations under the loan agreement to the investor (or intermediary, as directly between the investor and the borrower. However, owing to the case may be). regulatory limitations (ie, licence requirements for lending activity), this structure is not popular in Germany. Securitisation risk retention requirements • In relation to indirect P2P lending (which is more common in 25 Are securitisation transactions subject to risk retention Germany), a cooperating licensed bank is involved. The licensed requirements? bank enters into a loan agreement with the borrower. Once the loan agreement between the bank and the borrower has been Regulation (EU) 2017/2402 provides for the general securitisation entered into, the bank assigns under a purchase and assignment framework, including rules regarding risk retention. Under this frame- agreement its claims under the loan agreement pro rata to the work, the originator, sponsor or original lender of a securitisation must respective investor whereby often an affiliated company (inter- retain a material net economic interest in the securitisation of not less mediary) of the platform provider is interposed. Thus, there is no than 5 per cent. However, if securitisation is achieved via an interme- direct agreement between the borrower and the investor. The bank diary single purpose company, this entity will no longer be allowed cooperates with the platform provider under a cooperation agree- to retain risk as the originator. Rather, this may only be done by an ment and the platform provider serves as loan broker under a loan originator with a broader business purpose, the sponsor or the original brokerage agreement with the borrower. For the loan brokerage, lender. The required entity must possess sufficient substance to hold the platform provider needs permission according to the German the assets for a minimum period of time before they are securitised. Industrial Code. Further, the platform provider must not receive Furthermore, assets to be securitised must not be selected with the aim monies that are determined to have been forwarded, otherwise a of rendering the losses on such assets higher than the losses on compa- payment services licence could be required. Generally, care should rable assets remaining on the balance sheet of the originator without be taken in the documentation that the purchase of claims does not disclosing this accordingly to investors. qualify as factoring, that the money laundering requirements have been complied with and that the borrower consents to the transfer of the borrower’s personal data to the investors.

With regard to loan agreements with consumers, consumer protection laws need to be taken into account (ie, special information and form requirements as well as revocation rights are applicable). If consumer information undertakings are not complied with, this can give rise

68 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Germany

Securitisation confidentiality and data protection requirements could fall under a number of regulated services, including investment 26 Is a special purpose company used to purchase and securitise advice and contract broking. Additionally, providers often offer portfolio peer-to-peer or marketplace loans subject to a duty of management services under the label of robo-advice. Depending on the confidentiality or data protection laws regarding information actual structure of the business, additional conduct of business rules relating to the borrowers? may apply. For example, where the provider uses an advisory model and gives personalised recommendations to its investors, certain Yes, the special purpose company would be subject to data protection documentation obligations apply. In addition, the provider may need to laws regarding information relating to the borrowers. However, in the determine the suitability and appropriateness of the financial products case of the indirect P2P lending structure, the loan documentation that it recommends. should already include the consent of the borrower to share its information with the special purpose company. Distributed ledger technology 28 Are there rules or regulations governing the use of ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER distributed ledger technology or blockchains? TECHNOLOGY AND CRYPTO-ASSETS No, there is no single regulation specifically addressing distributed Artificial intelligence ledger technology (DLT). However, use cases deploying DLT or block- 27 Are there rules or regulations governing the use of artificial chain technology in regulated markets (eg, securities markets) must intelligence, including in relation to robo-advice? comply with the existing legal framework applicable to the specific service and its providers. European requirements such as the European In Germany, the Federal Financial Supervisory Authority (BaFin) has Market Infrastructure Regulation (EU) No 648/2012 (EMIR), the actively addressed these regulatory aspects in the past; however, Markets in Financial Instruments Regulation (EU) No 600/2014 (MiFIR), currently this is an ongoing process. Starting in 2018, BaFin conducted the Central Securities Depositaries Regulation (EU) No 909/2014, a comprehensive study on the challenges and implications for supervi- the Markets in Financial Instruments Directive II 2014/65/ EU, the sion and regulation of AI-based and big data-based services, concluding Alternative Investment Fund Managers Directive 2011/61/EU and the that proliferation of these technologies will increasingly challenge Securities Financing Transactions Regulation (EU) 2015/2365 as well as current regulatory frameworks. Besides ascertaining the need to adapt the national implementation thereto must be regarded. For instance, a the supervisory framework accordingly, regulated companies remain use case involving the clearing of assets by deploying DLT would have accountable for regulatory compliance in AI-based and big data-based to fulfil the requirements of EMIR and MiFIR regarding authorisation products. While management boards remain fully accountable for any and regulated entities. BaFin has the power to prohibit unauthorised results automatically produced or used within their company (section businesses. In addition, smart contracts and initial coin offerings (ICOs) 25a German Banking Act (KWG)), these results must also remain trans- are currently under close scrutiny by the supervisory authorities. parent and explainable to ensure persisting human control. Thus, BaFin BaFin issued a consumer warning with regards to risks associated considers the use of ‘black-box’ algorithms an indicator of dysfunctional with ICOs on 15 November 2017. Specific risks identified by BaFin include (unlawful) business organisation. In addition, the accurateness and reli- the significant price fluctuations of tokens and, in many cases, a lack of ability of AI-based and big data-based products must be ensured. This, information regarding ICO providers making ICO businesses prone to again, requires robust data quality, thorough testing and continuous the risk of fraud, money laundering and the financing of terrorism. BaFin supervision of algorithmic decision models, as well as technical safe- also published an advisory letter to the classification of tokens on 20 guards against maldevelopment (eg, automated shutdown procedures). February 2018. The key aspect of this letter is that BaFin will assess Since late 2019, there has been increasing demand by various on a case-by-case basis whether a token constitutes a financial instru- stakeholders in the German financial market for BaFin to engage in ment, a security or a capital investment. The supervisory classification authorising the use of algorithms for automated decision-making. To of a token determines the applicability of the existing legal framework, date, this request remains unheard. BaFin announced that, apart from the services and products associated with the tokens. Depending on the existing authorisation of individual scenarios (eg, article 142 et seqq classification of tokens, several legislative acts apply including, among and 362 et seqq EU Capital Requirements Regulation; high-frequency others, the WpHG, the German Securities Prospectus Act, the German trading), there is no legal basis for requiring or granting such authorisa- Capital Investment Act, the German Capital Investment Code and the tion on a general basis. KWG. Further, at the beginning of 2020 crypto-custody business was Robo-advice is any form of customer support on investment deci- added to the list of licensable activities. sions by making use of partially or fully automated IT systems. There are several different kinds of automated investment advice platforms Crypto-assets that are active in Germany. BaFin has issued guidance on robo-advice, 29 Are there rules or regulations governing the use of crypto- indicating that these services can be qualified as (and regulated assets, including digital currencies, digital wallets and as) investment advice, financial portfolio management, acquisition e-money? brokerage and investment brokerage (each depending on its individual features), and, thus, offering respective services regularly requires Yes. BaFin treats bitcoin and other crypto-tokens as a financial instru- licensing under German banking (eg, KWG and the German Securities ment in the form of ‘units of account’. These units of account are similar Trading Act) and commercial law (eg, the German Industrial Code). Most to foreign currencies and are not legal tender. Bitcoin is neither central offerings currently available on the German market constitute invest- bank money nor e-money under German law: it is not central money ment advice or financial portfolio management. because it is not issued by the central bank, and it is not e-money because In terms of their supervision and regulation, robo-advising busi- it is not issued by an issuer against whom a claim can be established. The nesses are generally subject to the same rules as if such service was distribution of bitcoin requires authorisation by BaFin if the distribution rendered ‘manually’. Thus, automated investment advice will need to is performed on a commercial basis or requires a commercially organ- comply with the applicable licensing requirements and conduct of busi- ised business operation. If virtual currencies are bought and sold for ness rules. BaFin’s guidance sets out that the provision of robo-advice third parties, this could be classified as ‘proprietary trading’ under the www.lexology.com/gtdt 69 © Law Business Research 2020 Germany Simmons & Simmons LLP

German Banking Act, depending on the specific arrangements deployed, The GDPR requires that any processing of personal data be done which requires a BaFin authorisation as well. In addition, e-money insti- pursuant to one of six lawful bases for processing. The most commonly tutions must be authorised and subject to supervision by BaFin. Offering used lawful basis for processing is to obtain the consent of the data digital wallets online may require BaFin authorisation depending on the subject to that processing – in relying on this lawful basis, the busi- tokens and the wallet services being provided. BaFin has the power to ness must ensure that the consent is freely given, specific, informed prohibit any unauthorised business activities with immediate effect. and unambiguous, and capable of being withdrawn as easily as it is At the beginning of 2020, crypto-custody business was added to given. This places a significant burden on businesses to ensure that the list of licensable activities. Crypto-custody business is defined as their customers are fully informed as to what their personal data is the safekeeping, administration and storage of crypto-assets or private being used for, which is a crucial change to the previous regime under cryptographic keys used to hold, store and transfer crypto-assets for which disclosure did not need to be so transparent. Other lawful bases others (crypto-assets custody services). for processing data include where that processing is necessary for the business to perform a contract it has with the data subject, or where Digital currency exchanges required to comply with an obligation the business has at law (not a 30 Are there rules or regulations governing the operation of contractual obligation). digital currency exchanges or brokerages? The GDPR further differs from the previous regime in that it places a significantly increased compliance burden on businesses, including, for There is no special legal regime for digital currency exchanges or example, mandatory requirements to notify regulators of data breaches, brokerages in Germany. The German regulator assesses activities in obligations to keep detailed records on processing, and requirements the context of cryptocurrencies or tokens on a case-by-case basis. It for most entities to appoint a data protection officer. has been BaFin’s administrative practice for several years now to view The GDPR does not apply to personal data that has been truly bitcoin and similar cryptocurrencies as financial instruments in the form anonymised – as anonymised data cannot, by definition, be personal of units of account. Consequently, the rules for dealings with financial data. However, to ensure that GDPR does not apply to a certain data set, instruments apply. In a guidance note dated 20 February 2018, BaFin that data set must be truly anonymised. The GDPR itself gives limited states that the mining of cryptocurrencies and the sale of the mined guidance on anonymisation in Recital 26, requiring data controllers to tokens are, in principle, licence-free in Germany. However, persons who, consider a number of factors in deciding if personal data has been truly for example, buy and sell cryptocurrencies in their own name and for anonymised, including the costs and time required to de-anonymise, the account of others on a commercial scale are likely to conduct the the technology available at the time to attempt de-anonymisation and licensable business of financial brokerage. Further, operating a digital further developments in technology. currency exchange could qualify as operating a multilateral trading When it comes to international data transfers, a two-step test must facility. Additionally, operators of mining pools may be carrying on be carried out. First, the legitimacy of an international data transfer has licensable activities. the same requirements as a national data transfer. An international data transfer can only be legitimate if an analogous transfer within Germany Initial coin offerings was legitimate. Second, an international data transfer is only legitimate 31 Are there rules or regulations governing initial coin offerings if the country to which data is to be transferred provides for reasonable (ICOs) or token generation events? data protection legislation. The transfer of data to other members of the EEA is permitted because those countries provide for an adequate level BaFin is of the view that each initial coin offering has to be judged of data protection. In the case of a data transfer to a country outside the on a case-by-case basis, applying the existing legal framework. First, EEA, it must be ensured that the country of destination also provides BaFin categorises the token to be issued and then, depending on the for an adequate level of protection. With regard to certain jurisdictions, legal nature of the token (security token, utility token, payment token, the European Commission has provided decisions on the adequacy of etc), applies the applicable legal framework. The consequence of this data protection. Another way of ensuring that adequate safeguards approach is that, for example, a securities prospectus would be required are provided is the use of one of the model contracts approved by the for the issuance of securities tokens and a payment services licence European Commission (standard contractual clauses (SCCs)). To date, would be required for the issuance of payment tokens. the European Commission has already approved different types of There is, however, no special legal regime for token-generating model contracts. In addition, there is theoretically another solution that events yet. Discussions between the legislature and the respective renders an assessment of the second step (legality of a data transfer stakeholders, including the Federal Ministry of Finance and BaFin, are to an entity in a country without an adequate level of data protection) ongoing with a view to evaluating the need for special legislation and its unnecessary, namely corporate binding rules (CBRs). CBRs are codes potential scope. of conduct and a set of rules a company can draft to allow data transfer outside the EEA and to overcome some practical problems with SCCs. DATA PROTECTION AND CYBERSECURITY From an EU perspective, the United States does not provide for adequate protection of personal data. For this reason, the European Commission Data protection has adopted a special decision in respect of the US: an adequate level 32 What rules and regulations govern the processing and of protection will be deemed to apply for those organisations that have transfer (domestic and cross-border) of data relating to registered under the EU–US Privacy Shield. However, financial institu- fintech products and services? tions cannot register under the Privacy Shield. Businesses that infringe the GDPR may be subject to administra- On 25 May 2018, the EU General Data Regulation (GDPR) came into force tive fines of an amount up to €20 million or 4 per cent of global turnover, with direct effect across the EU. The GDPR governs the storage, viewing, whichever is higher. use of, manipulation and other processing by businesses of data that In Germany, a new Federal Data Protection Act (BDSG) came into relates to a living individual. In summary, the GDPR requires that busi- force at the same time as the GDPR. The BDSG makes use of opening nesses only process personal data where that processing is done in a clauses, such as for the processing of personal data in the context of lawful, fair and transparent manner, as further described in the GDPR. employment and for the appointment of data protection officers. The

70 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Germany oversight of GDPR, including compliance and enforcement, is carried OUTSOURCING AND CLOUD COMPUTING out in Germany by 16 data protection supervisory authorities (one supervisory authority based in each federal state). Outsourcing German data protection authorities have not issued any specific 34 Are there legal requirements or regulatory guidance with guidance for fintech companies. respect to the outsourcing by a financial services company of a material aspect of its business? Cybersecurity 33 What cybersecurity regulations or standards apply to fintech There is a legal regime for outsourcing by financial services compa- businesses? nies. Section 25b of the German Banking Act (KWG) sets the framework and the Federal Financial Supervisory Authority's (BaFin) publication ‘Fintech’ here is understood as technology-enabled innovation in finan- ‘Minimum Requirements for Risk Management’ (MaRisk) further details cial services often resulting in new business models, applications, the requirements for outsourcing in chapter AT9. Further, BaFin indi- processes or products each materially affecting the traditional provi- cates that the ‘Guidelines on Outsourcing’ published by the Committee sion of financial services. Owing to the technology-neutral regulation of European Banking Supervisors and European Banking Authority are of financial markets in Germany, there are no cybersecurity standards also relevant for BaFin’s administrative practice. specifically addressing fintech companies. In broad terms, it can be said that the outsourcer needs to ensure The Federal Financial Supervisory Authority's (BaFin) standards on that its risk profile does not change owing to the outsourcing and that cybersecurity reflect the traditional demarcations of regulatory frame- the outsourced services must be in compliance with the applicable legal works in Germany: the German Banking Act (ie, BaFin Circular 10/2017 requirements. The outsourcing of services must not lead to outsourcing on Banking Supervisory Requirements for IT), the Insurance Supervision of the management’s responsibilities and the regulator must not be Act (ie, BaFin Circular 10/2018 on Insurance Supervisory Requirements hindered in its supervisory activities owing to the outsourcing. Further, for IT) and German Capital Investment Code (ie, BaFin Circular 11/2019 the outsourcing agreement must meet certain criteria, if material parts on Capital Management Supervisory Requirements for IT). of the business are outsourced. Controlling and audit functions may According to BaFin, compliance with its sector-specific stand- only be outsourced to an extent that it does not bias the capability of ards on IT security and cybersecurity does not relieve any regulated the outsourcing entity to monitor, understand and manage the risks it entity from complying with other (general) standards in this field. incurs during its business operations. For Germany, this namely refers to standards issued by the Federal Office for Information Security (BSI), including the IT-Basic Protection Cloud computing Compendium, the Standards 200-1 to 200-3 (security and risk manage- 35 Are there legal requirements or regulatory guidance with ment), the Technical Guidelines and, particularly relevant, the standards respect to the use of cloud computing in the financial services on certain aspects of cybersecurity. Fintech businesses must also industry? comply with IT and data security requirements stipulated in other applicable laws (such as the GDPR). Sections 25a paragraph 1 and 25b KWG stipulate specific legal require- Certain stakeholders on the financial markets are, thus, also ments relating to IT outsourcing and, as such, cloud computing in the regulated as operators of a critical infrastructure or digital service, or financial services industry. Regulatory guidance is given in this context both, under the German IT Security Act (IT-SiG). Briefly, any facility or by MaRisk. According to MaRisk, any material outsourcing requires an installation (or parts thereof) in the finance and insurance sectors is outsourcing agreement in writing that fulfils minimum requirements, considered a critical infrastructure if their failure or impairment would such as stipulating audit rights (in favour of the financial services lead to considerable supply bottlenecks or threats to public safety. provider as well as the supervisory authority), data protection and exit Digital services are electronically provided services relating to online management. New guidance on the ‘Bank regulatory requirements marketplaces, search engines and cloud-computing applications; these relating to IT’ was published by BaFin. This guidance specifies MaRisk are likewise regulated if they qualify as ‘critical’ in the aforesaid meaning requirements relating to IT risk and information security management and provide the public with finance or insurance products. Specific guid- as well as the concrete IT operation, and, therefore, is also relevant to ance on identifying critical infrastructure and services in practice is cloud computing in the financial services industry. provided in form of legislative decrees of the German Federal Ministry of the Interior. Operators of critical infrastructure are, inter alia, obliged INTELLECTUAL PROPERTY RIGHTS to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality IP protection for software of their IT systems, components or processes, as far as these are essen- 36 Which intellectual property rights are available to protect tial for the functionality of their critical infrastructure (see section 8a, software, and how do you obtain those rights? paragraph 1 BSI Act). The same accounts for critical service providers in terms of IT security and network security (see section 8c BSI Act). As According to German copyright law, computer programs shall be detailed by the BSI, both obligations require regulated entities to imple- protected if they represent individual works in the sense that they are ment various measures to ensure network security. the result of the author’s own intellectual creation. No other criteria, BaFin is conducting regular checks relating to the IT infrastruc- especially qualitative or aesthetic criteria, shall be applied. The protec- ture of regulated entities. These aspects are likewise covered in audits tion granted shall apply to the expression in any form of a computer performed by data protection supervisory authorities. Resulting from program. Ideas and principles underlying any element of a computer latest amendments of the IT-SiG, BSI is furnished with information and program, including the ideas and principles underlying its interfaces, audit rights. Furthermore, fintech businesses must comply with the IT shall not be protected. A copyrightable work is protected as of the security requirements that are stipulated in any other applicable law, moment of creation, so no further administrative measures are needed. such as the GDPR. The German Act on Copyright and Related Rights comprises specific stipulations concerning various uses of software, including decompi- lation and rearrangement of software. While software as such is not www.lexology.com/gtdt 71 © Law Business Research 2020 Germany Simmons & Simmons LLP

patent-protectable, computer-implemented inventions may be if they • it is secret in the sense that it is not, as a body or in the precise show a technical effect. configuration and assembly of its components, generally known Business methods and software as such are not patent-eligible; among or readily accessible to persons within the circles that both the German Patent Act and the European Patent Convention say so normally deal with the kind of information in question; explicitly. However, for practical purposes the patent eligibility of soft- • it has commercial value because it is secret; and ware very much depends on the claim drafting: if the invention can be • it has been subject to reasonable steps under the circumstances, by presented as having a technical effect, patent protection may be avail- the person lawfully in control of the information, to keep it secret. able. The case law of both the Federal Court of Justice and the EPO Boards of Appeal provide useful guidance in this respect. The most important requirement for the applicability of the German Trade Secrets Act is that the confidential information needs to be subject IP developed by employees and contractors to adequate and traceable trade secret measures implemented by the 37 Who owns new intellectual property developed by an trade secret owner. The adequacy of the measures depends on the employee during the course of employment? Do the same company and the usual confidentiality measures, the value and nature rules apply to new intellectual property developed by of the trade secret in detail as well as the specific circumstances of its contractors or consultants? use. Physical access restrictions and precautions as well as contractual security mechanisms should be considered. In Germany, intellectual property generated by an employee will not The still fairly new law protects trade secrets against direct automatically become the gratuitous property of the employer as in most unlawful attainment, use and disclosure, as well as against indirect other jurisdictions. Rather, the German Act on Employees’ Inventions infringements when third parties acquire trade secrets from a party and provides a complex system according to which the employer merely has knew or should have known that a trade secret was used or disclosed a right to claim an employee invention. In this case, the employer must in an unlawful way. In the event of an unlawful action, the holder of a pay a certain amount, which is calculated in a complex manner based on trade secret can claim for cease and desist, destruction, surrender and a number of factors and parameters. recall, disclosure, and, in the case of intentional or negligent violation, These rules do not apply to independent contractors or consult- damages. A special feature of the German Trade Secrets Act is the legal ants. If the intellectual property is based on true cooperation, this can basis for a right to information about infringing products. Thus, it can lead to complex legal situations, including the factual foundation of a prove a powerful tool to protect confidential information when other private partnership. Accordingly, any such potential issues should be intellectual property rights might not be applicable. dealt with in a contract, clearly allocating the rights and obligations of However, the German Trade Secrets Act does not provide protec- all parties arising under such a cooperation or R&D project. tion against reverse engineering. Rather, it is generally permitted if the product or article has been made publicly available or if it is in the lawful Joint ownership possession of the party who observes, tests, examines or dismantles it 38 Are there any restrictions on a joint owner of intellectual and is not subject to any (contractual) prohibition from obtaining the property’s right to use, license, charge or assign its right in trade secret. intellectual property? As for the protection of trade secrets in court proceedings, the German Trade Secrets Act stipulates special regulations that apply to Subject to contractual stipulations, co-ownership of inventions and trade secret litigation proceedings only and prevails through execution patents are considered a simple company-like structure (Gemeinschaft). proceedings. At the request of a party, contentious information can be This legal form is dealt with in the German Civil Code, though only in fully or partly classified as a trade secret. Parties to the proceedings rudimentary form. Each owner may use the invention (as a rule, without and individuals with access to procedural documents can neither use having to pay a licence fee to the others) or may sell its share in the nor disclose trade secrets. There is no in-camera proceeding, but the invention. However, a licence may only be granted with the consent number of individuals gaining access to procedural documents can be of all co-owners. Each co-owner can request that the Gemeinschaft limited to one natural person from each party and their respective liti- be dissolved, which typically happens by way of selling the intellec- gant or legal representative. The court may, at the request of one of the tual property asset. This is one reason why co-owners should devise a parties, impose a fine of up to €100,000 or imprisonment for up to six contract early on rather than relying on statutory rights. months for failure to comply with the obligations; however, this might In addition, the German trade secret law, unlike patent and copy- not be considered a very high fine compared to the value some trade right law, does not regulate the legal relationship between joint owners secrets hold. The German Courts Constitution Act can also be applied and can, therefore, cause difficulties if no contractual provisions are as it contains, inter alia, a confidentiality obligation subject to criminal established. prosecution for the hearing itself. After the proceedings it is relevant to know that the prevailing party Trade secrets can request to (partly) publish the decision when it is legally binding and 39 How are trade secrets protected? Are trade secrets kept cannot be subject to appeals anymore. confidential during court proceedings? As it is at the discretion of the court to decide which orders are necessary for adequate protection during legal proceedings, it remains Germany implemented the Trade Secrets Directive (EU) 2016/943 on to be seen how the still relatively new German Trade Secrets Act is 26 April 2019 with the civil law on the protection of trade secrets (ie, enforced in practice. In any event, care must be taken to ensure that the German Trade Secrets Act), which first and foremost protects trade trade secrets are, firstly, categorised and documented as such and, secrets. Trade secrets are also protected under criminal law as well as secondly, kept secret by adequate trade secret measures so that confi- through general civil law, civil procedure law and unfair competition dential treatment is ensured and accidental disclosure is avoided. law (against general passing-off). Contracting parties are also free to protect individually defined trade secrets. The German Trade Secrets Act protects information that meets all the following requirements:

72 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Germany

Branding hub-and-spoke practices. Even though it seems that no concrete action 40 What intellectual property rights are available to protect has been taken yet, the topic remains on the agenda of the FCO as well branding and how do you obtain those rights? How can fintech as other authorities. businesses ensure they do not infringe existing brands? A German particularity is the additional merger control threshold based on the value of the consideration. In short, transactions must be Before entering a market with a designation (importantly including a notified in Germany if the parties to the transaction achieved a combined trade or company name), each new market entrant should conduct due worldwide turnover of more than €500 million, one participant had turn- diligence on its brand. As a first step, this would include an internet over of more than €25 million in Germany and another participant had search for identical designations. In a second step, the trademark regis- turnover of more than €5 million in Germany in the last complete busi- ters and possibly commercial registers should be reviewed with regard ness year. Under the new rule, a transaction is also notifiable if one of to the designation, at the very least as far as identical applications are the participants did not achieve a turnover of more than €5 million in concerned. This can be done in-house but also via experienced search Germany, but the consideration is more than €400 million and the target companies and law firms. has been active in Germany to a significant extent. This new threshold could mean that transactions relating to highly valued start-up fintech Remedies for infringement of IP companies can trigger merger control proceedings even if the target 41 What remedies are available to individuals or companies company did not have high turnover levels. This has been applied to the whose intellectual property rights have been infringed? acquisition of Honey Science Corporation by PayPal Inc. The FCO found that the transaction was notifiable as Honey Science Corporation had a There are various measures against infringements of intellectual prop- significant local activity owing to its active user base despite not having erty rights. The main goal of any action, including by way of preliminary turnover in excess of €5 million. Ultimately, the transaction was cleared injunction, is to stop the infringer from continuing to infringe. An injunc- as the FCO found no competition concern. In particular, in relation to tion or preliminary injunction will achieve this aim. Apart from this, all online payment services, various operators such as Klarna, WireCard the established intellectual property remedies are available, including and, recently, Google Pay and Apple Pay are active on the market. claims for damages (computed by lost profits, infringer’s profits or Section 57 of the Act on the Supervision of Payment Services, licence analogy) and for rendering account. which is based on section 35 of PSD2, requires payment systems not to impose on payment service providers, payment service users or other COMPETITION payment systems any of the following: restrictive rules on the effective participation in other payment systems; rules that discriminate between Sector-specific issues authorised payment service providers or between registered payment 42 Are there any specific competition issues that exist with service providers in relation to the rights, obligations and entitlements respect to fintech companies in your jurisdiction? of participants; or restrictions on the basis of institutional status. Lastly, the German Federal Government published plans to revise Fintech companies and the fintech sector are subject to the general its foreign direct investment regime. While some changes have already competition law rules in Germany. There are no specific rules in compe- been implemented in the healthcare sector in response to the covid-19 tition law targeting the fintech sector. This means that the provisions outbreak, some changes will come later in the year. One particular prohibiting cartels, abuse of dominance and the merger control rules, issue is that the acquisition of companies operating 'critical technology' and the general principles developed in other industries, are applied. will become subject to a notification requirement. Even though details The German Federal Cartel Office (FCO) used its competition law are not yet available, critical technology will most likely encompass powers recently in relation to payment services. The FCO found provi- AI, robotics, semiconductors, biotechnology, and quantum and nuclear sions in general banking terms and conditions introduced by the banking technology. Fintech companies may become subject to this according to association that prevented customers from using their personal identi- the use of AI or if they meet the thresholds laid down in the regulation fication numbers and tax deduction and collection account number in on critical infrastructure. independent online payment procedures to infringe competition law in order to cause revisions to these general terms and also enhance new TAX (technological) developments. This decision has now been upheld by the Federal Supreme Court ruling that the restrictions on third-party Incentives payment providers were an unlawful restriction on competition. The 43 Are there any tax incentives available for fintech companies immediate effect of the judgment is limited as the revised Payment and investors to encourage innovation and investment in the Services Directive (Directive (EU) 2015/2366) (PSD2) requires banks to fintech sector in your jurisdiction? grant online financial service providers (fintech companies) access to payment and account information if the customer allows it. However, A new law came into force on 1 January 2020 supporting research and some commentators think that the judgment heralds a broader payment development by granting a tax-exempt research and development allow- service liberalisation as its reasoning can be applied to other services ance that will be available for all companies regardless of their size and such as savings, investment and insurance accounts. business purposes provided they are subject to German income tax. One issue that has arisen across sectors is the assessment of According to the new law, in general, research and development projects digital pricing tools, especially in the form of pricing algorithms, which are supported to the extent they can be assigned to the categories: are able to observe and evaluate a large amount of market-relevant • basic research; information from competitors, customers and suppliers as well as other • industrial research; or market conditions, thus enabling their users to react quickly with solu- • experimental development. tions adapted to each individual case to these observations (dynamic algorithm pricing). A potential competition concern that has been voiced According to the official reasoning of the new law, the administrative is that pricing software may help to implement and increase the reli- practices of the European Commission regarding the European General ability of cartel agreements or that pricing software can implement Block Exemption Regulation as well as the Frascati Manual of the www.lexology.com/gtdt 73 © Law Business Research 2020 Germany Simmons & Simmons LLP

Organisation for Economic Cooperation and Development have to be IMMIGRATION considered when describing these terms. The assessment basis for the allowance is the eligible expenses. Sector-specific schemes Eligible expenses are labour costs for employees and the employer's 45 What immigration schemes are available for fintech expenditure to secure the employee's future who is entrusted with this businesses to recruit skilled staff from abroad? Are there any research and development projects, including expenses for services special regimes specific to the technology or financial sectors? rendered by a shareholder on the basis of an employment agreement that are subject to wage withholding tax. Furthermore, eligible expenses Citizens of the European Union and the European Economic Area have are also personal contributions of an individual entrepreneur regarding unrestricted access to the German labour market. Swiss nationals also these research and development projects. In this case, each labour hour enjoy free movement within the EU but must apply for a special declara- is valued at €40 up to a maximum of 40 hours per week. tory Swiss residence permit. The assessment basis for the allowance are the eligible expenses. Third-country nationals who wish to work in Germany need a However, the assessment basis for the allowance is capped at €2 million. residence permit that includes a work permit. There are no specific The research and development allowance would be 25 per cent of this immigration schemes for fintech businesses. assessment basis (ie, the maximum allowance is capped at €500,000 However, special regulations for highly qualified employees and job per annum). For contract research for contractors established in the EU positions in ‘shortage occupations’ apply. or an EEA State, 60 per cent of the remuneration paid to the contractor A privileged residence permit exists for highly qualified persons: the is taken into account. The amount of state aid granted for a research EU Blue Card. The EU Blue Card is limited to a maximum term of four and development project, including research allowances under the years when issued for the first time. Third-country nationals who are new law, must not exceed €15 million per enterprise and research and entitled to hold an EU Blue Card can obtain a national visa for an entry development project. The allowance shall be granted on application. The in advance at the relevant German diplomatic mission. This visa will be application must be accompanied by an official certificate stating that replaced by an EU Blue Card after entry by the relevant immigration research and development projects are eligible in the meaning of this authority. law. The research and development allowance is not paid out immedi- To obtain a EU Blue Card, no priority examination (no preferential ately after it has been determined, but is taken into account in the next workers available for the job) and no examination of working conditions income or corporate income tax assessment by offsetting it against the are necessary (which would normally be required). The applicant needs determined income or corporate income tax. If the research allowance to provide evidence of his or her qualifications, meet the labour market exceeds the established income or corporate income tax, the excess requirements in Germany and provide a German employment agree- amount will be paid out. ment with a German employer. In general, a university degree from a Apart from this, there has, until now, been no specific tax incentives German university, a recognised degree from a foreign university or at available regarding the fintech environment. However, the following least a foreign university degree comparable to a German university should be noted. degree is required. A minimum salary of €53,600 gross per year (for • The German Income Tax Act allows small and medium-sized 2019; the threshold differs annually) is required. For shortage occupa- businesses (ie, taxpayers with business assets of not more than tions, the minimum annual gross salary is €41,808 (for 2019). Shortage €235,000 if the taxable profit is calculated on an accrual basis; or occupations are, inter alia, natural scientists, mathematicians, architects, taxpayers with profits of not more than €100,000 if the taxable engineers, engineering scientists and academic specialists in informa- profit is calculated on a cash-flow basis) to deduct up to 40 per cent tion and communication technology. If those requirements are met, no of the anticipated costs for future acquisitions or productions of approval of the employment agency is necessary. depreciable moveable fixed assets from their taxable income up to In all other cases, the approval of the Federal Employment Agency three fiscal periods before the capital asset is actually purchased is required, which will examine if any German employee of equal status (investment deduction, see section 7g of the German Income Tax is available for employment. If this is the case, the job position must be Act). The maximum investment deduction amount is €200,000. offered to a German employee and the residence permit is denied. • Furthermore, the German Corporate Income Tax Act, in principle, After a residence of 33 months in Germany, holders of a EU Blue foresees that the transfer of more than 50 per cent of the shares in Card can apply for an indefinite settlement permit. If sufficient knowl- a German company results in an entire forfeiture of tax loss carry edge of the German language can be proven (at least level B1), an forwards. However, according to an amendment of the German indefinite settlement permit can already be applied for after 21 months Corporate Income Tax Act in 2016, tax loss carry forwards (as well of residence in Germany. as interest carry forwards) will not be forfeited in the event of a For applicants without a university degree but who have completed transfer of shares beyond these thresholds if the business opera- professional training, a temporary residence permit can be applied for tion is maintained unchanged by the seller since the establishment if the applicant gets a job in a shortage occupation. This applies for job of the company (or at least from the beginning of the third fiscal positions as an expert in IT system analysis, IT sales and an expert in period preceding the year of the transfer) and also by the acquirer software development and programming. The applicant must provide a until the end of the transfer year. Even though companies in all specific job offer, which corresponds to his or her completed training, industries are entitled to benefit from this new rule according to a German qualification or a qualification recognised as equivalent, a the official reasoning of the law, the amendment should serve in completed professional training (of at least two years) and a labour particular to increase the chances of IT start-ups attracting capital. market examination that is less comprehensive than the Federal Employment Agency. A priority examination is not required. Increased tax burden After five years of holding a preliminary residence permit, it is 44 Are there any new or proposed tax laws or guidance that possible to obtain an indefinite residence permit. Proof is required that could significantly increase tax or administrative costs for the living costs can be covered without using statutory benefits; that at fintech companies in your jurisdiction? least 60 months of compulsory contributions to the statutory pension insurance have been made; that the applicant has sufficient German No. language skills; that he or she has basic knowledge of the legal and

74 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Germany social order as well as living conditions in Germany; that a permit for employment is available; that no reasons of public safety and order speak against the residence; and that sufficient housing space is available for the applicant and, as the case may be, for family members. A new Immigration Act is currently planned, which has not yet been passed. It is expected that the current privileges for skilled workers in shortage occupations will be extended.

UPDATE AND TRENDS Christopher Götz [email protected] Current developments Dang Ngo 46 Are there any other current developments or emerging trends [email protected] to note? Elmar Weinand [email protected] The legislature and the regulatory authorities have taken unprecedented Eva Heinrichs measures to address the risks deriving from the covid-19 pandemic. [email protected] These measures include, inter alia, those that are specifically targeted at start-up companies and the fintech sector. Felix Biedermann [email protected] Coronavirus Janine Marinello 47 What emergency legislation, relief programmes and other [email protected] initiatives specific to your practice area has your state Jochen Kindermann implemented to address the pandemic? Have any existing [email protected] government programmes, laws or regulations been amended to address these concerns? What best practices are advisable Martin Gramsch for clients? [email protected] Sascha Kuhn Extended deadlines for annual general meetings and general [email protected] meetings in 2020 The German legislature enacted the Act on Measures in Company, MesseTurm Cooperative, Association, Foundation and Home Ownership Law to Friedrich-Ebert-Anlage 49 Combat the Effects of Covid-19 to provide temporary relief. In particular, 60308 Frankfurt am Main for stock corporations (AGs), partnerships limited by shares (KGaAs) and Germany cooperatives, some relief applies with regard to the form and deadline Tel: +49 69 90 74 54 0 for holding annual general meetings in 2020. For European compa- Fax: +49 69 90 74 54 54 nies (SEs) and European cooperative societies (SCE), this relief by the www.simmons-simmons.com German legislature does not fully apply owing to the lack of legislative competence. The European Parliament has taken action in this regard and has resolved a temporary deviation from the SE and SCE Regulation. Relief for annual general meetings Support measures for start-ups in the covid-19 pandemic The German legislature has decided to simplify the holding of general The German Ministries of Finance and Economy have prepared a €2 meetings and passed the Law to mitigate the consequences of the billion package of measures for start-ups. Private investors, not the covid-19 pandemic in civil, insolvency and criminal proceedings. The start-ups themselves, are entitled to apply. A prerequisite for the use aim of the regulation is to give companies the ability to act despite the of the Corona Matching Facility is the successful completion of a due covid-19 crisis. diligence by the private investor. The start-up in question must have In addition to regulations under civil, insolvency and criminal experienced financial difficulties owing to the effects of covid-19. It is not procedural law, the draft provides for facilitations for the holding yet clear what defines covid-19-related economic difficulties. of annual general meetings of, among others, AGs, KGaAs and SEs. Therefore, these companies should be able to pass all necessary resolu- More time for conversions tions and remain capable of acting even if holding in-person meetings is The legislature has granted companies four months more to complete still restricted. Even without authorisation in the articles of association conversions. In terms of taxation, however, the regulation does not apply or the rules of procedure, the management board can order the share- in all cases. holders to participate and vote; order the members of the supervisory Late financial reports are not sanctioned for a short period board to participate via electronic communication; and the meeting can For now, listed companies are not threatened with penalties if they be held online by video and audio transmission. report their financial results too late as a result of the covid-19 pandemic. The economic uncertainties associated with the novel coronavirus Economic stabilisation fund also affect the financial reporting of listed companies. The European To reduce the negative effects of the covid-19 pandemic on the German Securities and Markets Authority, the supervisory authority for the economy, the German federal government set up a multibillion euro European securities markets, therefore, has now issued a public state- economic stabilisation fund. This fund, which is to be managed by the ment on the impact of the covid-19 pandemic on the deadlines for Finance Agency, is intended to serve to stabilise companies by over- publishing financial reports, which apply to all issuers of securities. coming liquidity bottlenecks and by creating the framework conditions for strengthening the capital base of companies whose existence would www.lexology.com/gtdt 75 © Law Business Research 2020 Germany Simmons & Simmons LLP

be threatened by significant impacts on the economy, technological sovereignty, supply security, critical infrastructure or the labour market. As can be seen from the underlying Economic Stabilisation Fund Act, which went through the legislative process within only one week, these companies must have: • a balance sheet total of more than €43 million; • a turnover of more than €50 million; and • an average number of employees that is more than 249.

Where it is sufficient that two of these three criteria are met, financial sector enterprises and credit institutions are excluded from these measures.

Suspension of the obligation to file for insolvency Under normal circumstances, in the event of insolvency or over-indebtedness, the CEO or board of directors of a limited liability company, stock corporation or cooperative must take action at the latest after three weeks before the insolvency court if the reason for the insolvency cannot be eliminated out-of-court by then. In the covid-19 crisis, this is different. As part of the Covid-19 Insolvency Act, the obligation to file for insolvency will be suspended at least until 30 September 2020, possibly even until 31 March 2021, but only for those cases in which the insolvency maturity is a direct consequence of the covid-19 pandemic and if, in the event of insolvency, there is at least a chance of its elimina

76 Fintech 2021 © Law Business Research 2020 Gibraltar

David Borge, Kunal Budhrani and Peter Howitt Ince

FINTECH LANDSCAPE AND INITIATIVES Regulated activities 4 Which activities trigger a licensing requirement in your General innovation climate jurisdiction? 1 What is the general state of fintech innovation in your jurisdiction? The following activities are licensable, regulated activities in Gibraltar: • accepting deposits; Gibraltar has taken a lead in the area of e-commerce and fintech inno- • issuing electronic money; vation and is a world leader in the blockchain and distributed ledger • providing payment services; technology economy, having been the first jurisdiction to regulate the • effecting and carrying out contract of insurance; use of such technology. • insurance management; Gibraltar’s strong track record in regulated e-commerce (particu- • insurance distribution; larly e-gaming, e-money and payments and other electronically supplied • reinsurance distribution; financial services) and its reputation for attracting quality operators • reception and transmission of order; mean that it is well positioned to be a leading global hub. It also has • executing orders on behalf of clients; local banks that have chosen to get involved in the sector and that can • dealing on own account; support operators. • portfolio management; The jurisdiction, through the Gibraltar Government’s Finance • providing investment advice; Centre Department (the Finance Centre), actively encourages local and • underwriting or placing on a firm commitment basis; external entities to establish financial services businesses and provide • placing without a firm commitment basis; offerings in or from Gibraltar. • operating an multilateral trading facility; Gibraltar’s financial regulator, the Gibraltar Financial Services • operating an organised trading facility; Commission (GFSC) encourages fintech innovation via its Innovate and • sending, etc, dematerialised instructions; Create Team. • selling or advising in relation to structured deposits; • administering a benchmark; Government and regulatory support • operating a regulated market; 2 Do government bodies or regulators provide any support • operating an approved publication arrangement; specific to financial innovation? If so, what are the key • operating a certified treasury professional; benefits of such support? • operating an adjustable-rate mortgage; • managing an undertaking for collective investment in transferable While the Finance Centre and the GFSC encourage financial innovation, securities (UCITS); there is no specific support or benefits offered in relation to financial • acting as depositary of a UCITS; innovation, which would not be available to other industries in the • acting as trustees of a UCITS; jurisdiction. • acting as sole director of a UCITS; There are, however, associations such as the Gibraltar Association • managing an alternative investment fund (AIF) (in-scope alternative of New Technologies (GANT), of which the Gibraltar government is a investment fund manager (AIFM)); member and which receives government funding. GANT’s purpose is to • acting as depositary of an AIF with an in-scope AIFM; encourage interest and participation of new technologies in the finance • managing an AIF (small scheme manager); industry and to provide a forum for discussion between its members • acting as depositary of an AIF with a small scheme manager; and the government. • establishing a collective investment scheme; • acting as bank or broker, or both, of an experienced investor fund; FINANCIAL REGULATION • acting as depositary of a private scheme; • acting as administrator of a collective investment scheme; Regulatory bodies • establishing a personal pension scheme; 3 Which bodies regulate the provision of fintech products and • advising on personal or occupational pension schemes; services? • granting credit by means of a mortgage credit agreement; • acting as a mortgage credit intermediary; The Gibraltar Financial Services Commission (GFSC). • providing advisory services in connection with mortgage credit; • company management; • acting as a professional trustee or foundation councillor; www.lexology.com/gtdt 77 © Law Business Research 2020 Gibraltar Ince

• acting as a bureau de change; and • Financial Services (Alternative Investment Fund Managers) • providing distributed ledger technology services. Regulations 2020; • Financial Services (Investment Services) Regulations 2020; Consumer lending • Financial Services (UCITS) Regulations 2020; 5 Is consumer lending regulated in your jurisdiction? • Financial Services (Distance Marketing) Regulations 2006; and • Financial Services (Experienced Investor Funds) Regulations 2020. Consumer lending is a regulated activity in Gibraltar. Directive 2014/17/EU (the Mortgage Credit Directive) created Fintech companies providing alternative finance products would fall harmonised EU rules in the mortgage-credit market in respect of within the scope of the regulatory regime of collective investment the provision of credit for residential properties. It is transposed schemes if the product or service being offered falls within the defini- into Gibraltar law by way of the Financial Services (Mortgage Credit) tion of a collective investment scheme. Regulations 2020 and does the following: • sets out the requirement to provide precontractual information Alternative investment funds through the European Standardised Information Sheet – a stand- 8 Are managers of alternative investment funds regulated? ardised format – and the calculation of the Annual Percentage Rate of Charge; Managers of alternative investment funds are regulated in Gibraltar. • sets out principles for marketing and advertising; Gibraltar has implemented the EU regime applicable under the • encourages the concept of responsible lending practices; Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD) • includes provisions requiring the lender to assess the creditworthi- in respect of the regulation of investment advisers, arrangers and ness of the consumer, and imposes disclosure obligations on the managers, as well as managers of collective investment schemes. It part of the consumer; also has national legislation that covers a number of other areas outside • requires the application of appropriate standards to valuations, the scope of EU law, which can largely be found in the Financial Services where these are carried out; Act 2019 and the Financial Services (Collective Investment Schemes) • provides standards for the provision of advisory services; Regulations 2020. • provides minimum knowledge and competence requirements for The AIFMD has been implemented by way of several legislative staff as well as remuneration requirements; changes, including those made to the following: • establishes a regulatory regime for creditors and credit intermedi- • Financial Services (Alternative Investment Fund Managers) aries, as well as containing provisions that allow for the regulation Regulations 2020; and supervision of non-credit institutions; and • Financial Services (Alternative Investment Fund Managers) (Fees) • permits tied credit intermediaries and appointed representatives. Regulations 2015; • Financial Services (Alternative Investment Fund Managers The lending of amounts between €200 and €75,000 (which are not (European Long-Term Investment Funds) Regulations 2020; secured by way of mortgage) is governed by two distinct regimes: the • Financial Services (Alternative Investment Fund Managers) Financial Services (Consumer Credit) Act 2011 and by the Financial (European Venture Capital Funds) Regulations 2020; Services (Moneylending) Act 1917. • Financial Services (Alternative Investment Fund Managers) Licences granted under the Financial Services (Consumer Credit) (European Social Entrepreneurship Funds) Regulations 2020; and Act 2011 are issued and regulated by the GFSC, while licences granted • Financial Services (Experienced Investor Funds) Regulations 2020. under the Financial Services (Moneylending) Act 1917 are issued by the Gibraltar Finance Minister. The regime under the AIFMD applies to fund managers that manage within the scope of alternative investment funds. Secondary market loan trading Most funds in Gibraltar are either experienced investor funds (EIFs) 6 Are there restrictions on trading loans in the secondary (not available to retail investors) or private funds (limited to 50 inves- market in your jurisdiction? tors and not capable of being publicly promoted). Some investors take advantage of the private funds regime in There are no restrictions on trading loans in the secondary market in Gibraltar, which is intended to be a vehicle to enable friends, family and Gibraltar. close associates of a person to invest using a pooling structure without the need for full authorisation of the fund. Private funds are limited to 50 Collective investment schemes investors and do not require licensed fund administrators (unlike EIFs). 7 Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative Peer-to-peer and marketplace lending finance products or services would fall within its scope. 9 Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction. The regulatory framework for collective investment schemes is set out in the Financial Services (Collective Investment Schemes) Act 2011, There is no specific regulation governing peer-to-peer lending in which, among other things, transposes Directive 2009/65/EC on under- Gibraltar; however, any person or entity wishing to offer lending takings for collective investment in transferable securities into national platform services must ensure that they comply with the Markets in law. The Financial Services Act 2019, the Financial Services (Collective Financial Instruments Directive (MiFID) (if applicable) and with local Investment Schemes) Regulations 2011 and Financial Services financial services and securities legislation, such as the Financial (Collective Investment Scheme Administrators) Regulations 2020 are Services (Investment Services) Regulations 2020, which regulates the main pieces of legislation governing all retail collective investment offering securities and investment services. schemes in Gibraltar. In relation to undertakings in collective investment schemes in transferable securities, the following regulations are applicable:

78 Fintech 2021 © Law Business Research 2020 Ince Gibraltar

Crowdfunding Credit references 10 Describe any specific regulation of crowdfunding in your 16 Are there any restrictions on providing credit references or jurisdiction. credit information services in your jurisdiction?

Gibraltar does not have a specific crowdfunding regime. At present, No, but the EU General Data Protection Regulation is in effect in Gibraltar MiFID does not provide a unified crowdfunding landscape in the EU and so European data protection laws apply. and largely relies on specific local regimes. Operators in Gibraltar also need to consider the applicability of local regulatory regimes of CROSS-BORDER REGULATION the jurisdiction of the investor when seeking to raise finance by way of crowdfunding. Passporting 17 Can regulated activities be passported into your jurisdiction? Invoice trading 11 Describe any specific regulation of invoice trading in your Certain regulated activities that are subject to European harmonised jurisdiction. financial services regulatory regimes, such as the Markets in Financial Instruments Directive, the Alternative Investment Fund Managers There is no specific regulation relating to invoice trading in Gibraltar. Directive, credit institutions, insurance and reinsurance intermediaries, payments and e-money services can be passported into Gibraltar from Payment services other EU member states. 12 Are payment services regulated in your jurisdiction? Requirement for a local presence The second Payment Services Directive (PSD2) applies in Gibraltar 18 Can fintech companies obtain a licence to provide financial and has been transposed into national law by virtue of the Financial services in your jurisdiction without establishing a local Services (Payment Services) Regulations 2020. presence?

Open banking It depends on the type of regulated financial service. 13 Are there any laws or regulations introduced to promote Regulated payment services that are passported into Gibraltar by competition that require financial institutions to make way of a ‘freedom to provide services passport’ do not require a local customer or product data available to third parties? presence as they rely on their home state licence. To obtain any Gibraltar financial services licence, the licensed The PSD2 provides for the authorisation of account information service entity must establish a local presence, which includes the ‘four eyes’ (ie, providers (AISPs) and payment initiation service providers (PISPs). two individuals) principle, to be met on a continual basis. The principle AISPs are authorised to initiate retrieve account data provided by banks is designed to ensure that at least two minds are applied both to the and financial institutions. PISPs are authorised to initiate payments formulation and implementation of the firm’s policies and can be carried into or out of a user’s account. Both these services require the explicit out by its senior management. consent of the customer. SALES AND MARKETING Robo-advice 14 Describe any specific regulation of robo-advisers or other Restrictions companies that provide retail customers with automated 19 What restrictions apply to the sales and marketing of access to investment products in your jurisdiction. financial services and products in your jurisdiction?

There is no specific regulation of robo-advisers or other companies that The marketing of financial services and products is governed by the provide retail customers with automated access to investment products Financial Services Act 2019. It requires that where financial products in Gibraltar. and services are advertised the contents and the presentation are fair and not misleading and the risks involved in that service or investment Insurance products are disclosed and understood. It further provides that the issuer of the 15 Do fintech companies that sell or market insurance products advertisement has the appropriate expertise in relation to the invest- in your jurisdiction need to be regulated? ment or service. Distance sales are also covered by the Financial Services (Distance Fintech companies that sell or market insurance products are regulated Marketing) Act 2006. by the same national legislation that regulates traditional insurance products. This includes the following: CHANGE OF CONTROL • Financial Services Act 2019; • Financial Services (Insurance Distribution) Regulations 2020; Notification and consent • Financial Services (Insurance Management) Regulations 2020; 20 Describe any rules relating to notification or consent • Financial Services (Insurance Companies) Regulations 2020; requirements if a regulated business changes control. • Financial Services (Insurance Companies: Accounts Directive) Regulations 2020; Changes in the control of a regulated business requires the Gibraltar • Financial Services (Insurance Distribution) Regulations 2020; Financial Services Commission consent and approval. • Financial Services (Insurance Business Transfer) (Saving) Regulations 2020; and • Insurance (Marine) Act 1960.

www.lexology.com/gtdt 79 © Law Business Research 2020 Gibraltar Ince

FINANCIAL CRIME In a novation, the transferee transfers both rights and obligations to a third party: this is usually executed by way of deed, which requires Anti-bribery and anti-money laundering procedures execution by all the parties involved. 21 Are fintech companies required by law or regulation to have Without a perfected deed of assignment or deed of novation, rights procedures to combat bribery or money laundering? or obligations under a loan agreement will not be assigned. This would prevent the new lender from enforcing its rights against the borrower Fintech companies are subject to the same laws relating to money laun- and the borrower enforcing its rights against the new lender. dering and bribery as any other financial services provider in the EU. This derives from the fifth Anti-Money Laundering Directive and is trans- Securitisation risk retention requirements posed into national law by way of the Proceeds of Crime Act 2015 (POCA). 25 Are securitisation transactions subject to risk retention POCA requires fintech companies to have measures in place to requirements? prevent the financial system from being used for money laundering or terrorist financing purposes. Yes, securitisation transactions are subject to risk retention The Crimes Act 2011 details rules related to anti-bribery require- requirements. ments. In addition, Gibraltar is a British Overseas Territory and so various EU Regulation 2017/2404/EU (the Securitisation Regulation) elements of the UK anti-bribery regime (Bribery Act 2010) are applicable. applies directly in EU member states, including Gibraltar, as of 1 January 2019. Guidance The Securitisation Regulation applies to relevant securitisation 22 Is there regulatory or industry anti-financial crime guidance transactions, the securities of which are issued on or after 1 January 2019 for fintech companies? and to any securitisation in which a new securitisation position is created on or after 1 January 2019, subject to certain transitional arrangements. The Gibraltar Financial Services Commission has issued anti- Under the Securitisation Regulation, originators, sponsors and money laundering guidance notes on its website (www.gfsc.gi/fsc/ original lenders (including corporates) are under a positive obligation to financialcrime). retain a 5 per cent net economic interest in securitisation transactions. The Gibraltar Association of Compliance Officers is among the organisations that issue anti-financial crime guidance for fintech Securitisation confidentiality and data protection requirements companies. 26 Is a special purpose company used to purchase and securitise peer-to-peer or marketplace loans subject to a duty of PEER-TO-PEER AND MARKETPLACE LENDING confidentiality or data protection laws regarding information relating to the borrowers? Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Peer-to-peer and marketplace lending is not a specific regulated activity security agreements? Is there a risk that loan agreements in Gibraltar. or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable? ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER TECHNOLOGY AND CRYPTO-ASSETS Loan agreements must be executed in writing in accordance with the same formalities that govern regular contracts. Artificial intelligence Security agreements must also be in writing. Mortgages and 27 Are there rules or regulations governing the use of artificial charges that contain a power of attorney should be executed as deeds. intelligence, including in relation to robo-advice? Executed documents and their corresponding charge should be registered at Companies House within 30 days. No. Where mortgage or security relates to real estate, there is a further requirement to register it at the Gibraltar Land Titles Registry (Land Distributed ledger technology Property Services Limited). 28 Are there rules or regulations governing the use of Peer-to-peer and marketplace lending is not a regulated activity distributed ledger technology or blockchains? in Gibraltar. Yes, the Financial Services (Distributed Ledger Technology Providers) Assignment of loans Regulations 2020 (the DLT Regulations). 24 What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending Crypto-assets platform? What are the implications for the purchaser if the 29 Are there rules or regulations governing the use of crypto- assignment is not perfected? Is it possible to assign these assets, including digital currencies, digital wallets and loans without informing the borrower? e-money?

Ordinarily, rights or obligations under a loan can be assigned by way of E-money and payment services are governed by the Financial Services assignment and by novation. (Electronic Money) Regulations 2020 and Financial Services (Payment Under an assignment, a lender assigns its rights under a loan to a Services) Regulations 2020 respectively. new lender. The original lender only transfers its rights, for example, to Subject to the below, the use of crypto-assets is regulated by receive loan repayment and interest payments. The lender is still liable the DLT Regulations in relation to DLT. Entities that handle or store for any obligations under the loan. Unless the original loan provides crypto-assets (specifically, such as collective investment schemes otherwise, the borrower may need to be notified of the assignment or that are investing in crypto-assets) but that are not licensed under the consent to it. An assignment is usually executed by deed. DLT Regulations are still expected to adhere to the Gibraltar Financial

80 Fintech 2021 © Law Business Research 2020 Ince Gibraltar

Services Commission guidance to DLT providers in relation to safe- In the case of automated processing, each data controller and data keeping of customer assets, cybersecurity and resilience. processor must, following an evaluation of the risks, implement meas- Where an alternative financial services licence is applicable, alter- ures designed to: native legislation would take precedence over the DLT Regulations. • prevent unauthorised processing or unauthorised interference By way of example, under Gibraltar law an experienced investor fund with the systems used in connection with it; (EIF) can contain crypto-assets and so might fall within EIF regulations. • ensure that it is possible to establish the precise details of any Equally, a crypto-asset that represents a security may fall within the processing that takes place; ambit of legislation governing securities. • ensure that any systems used in connection with the processing function are used properly and may, in the case of interruption, be Digital currency exchanges restored; and 30 Are there rules or regulations governing the operation of • ensure that stored personal data cannot be corrupted if a system digital currency exchanges or brokerages? used in connection with the processing malfunctions.

The operation of digital currency exchanges or brokerages is governed Fintech businesses are also expected to adhere to Gibraltar Financial by the DLT Regulations. The exception to this is when the exchange Services Commission guidance issued in relation to the safekeeping of or brokerage offers a service that requires an alternative financial customer assets, cybersecurity and resilience that apply to distributed services licence. ledger technology providers.

Initial coin offerings OUTSOURCING AND CLOUD COMPUTING 31 Are there rules or regulations governing initial coin offerings (ICOs) or token generation events? Outsourcing 34 Are there legal requirements or regulatory guidance with Draft regulations have been published in relation to initial coin offerings respect to the outsourcing by a financial services company of (ICOs) and token generation events, and, following a consultation period, a material aspect of its business? were expected to come into effect last year but to date have not. The new token sale regime is intended to bring into scope all There is both legal and regulatory guidance with respect to the token sales that fall outside existing financial services regimes so that outsourcing of certain material aspects of a financial services company’s there are minimum standards in place for the sale of ‘utility tokens’ business. In terms of legal guidance, this includes: that are otherwise outside of the scope of the DLT Regulations and • data processing (under EU General Data Protection existing financial services and securities law. The new regime is likely Regulation (GDPR)); to require that any token sale be conducted and promoted by a regu- • cloud computing; and lated sponsor firm. • carrying-out operational functions relating to the issuance, distri- As it stands, ICOs relating to security tokens (also known as bution or redemption of electronic money or the provision of tokenised securities) are governed by legislation governing securi- payment services under both the Financial Services (Electronic ties, including the Markets in Financial Instruments Directive, the Money) Regulations 2020 and Financial Services (Payment Prospectus Directive and the Alternative Investment Fund Managers Services) Regulations 2020. Directive. Further, investors and purchasers of tokens are subject to Under the GDPR, the outsourcing of data processing requires the customer due diligence and anti-money laundering requirements under contracting data controller or data processor to ensure that any the Proceeds of Crime Act 2015. person or entity engaged to carry out functions on their behalf adheres to the requirements of the GDPR. This must be done by way DATA PROTECTION AND CYBERSECURITY of a written contract that sets out the responsibilities and obligations of each party. Data protection When an electronic money institution or a payments services 32 What rules and regulations govern the processing and provider is intending to outsource operational functions relating to the transfer (domestic and cross-border) of data relating to issuance, distribution or redemption of electronic money or the provi- fintech products and services? sion of payment services, the company’s senior management will not be discharged of its legal responsibilities – the buck still stops with the The Data Protection Act 2004, the Communications (Personal Data senior management of the company. and Privacy) Regulations 2006 and the EU General Data Protection The Gibraltar Financial Services Commission (GFSC) has issued Regulation (GDPR) all govern the processing (including the transfer) of regulatory guidance on outsourcing and makes it clear that the personal data held by fintech companies in relation to the fintech prod- outsourcing of functions does not discharge senior management of its ucts and services they offer. ultimate responsibility over the company.

Cybersecurity Cloud computing 33 What cybersecurity regulations or standards apply to fintech 35 Are there legal requirements or regulatory guidance with businesses? respect to the use of cloud computing in the financial services industry? Fintech businesses that are data controllers or data processors are subject to article 32(1) of the GDPR, which provides that data controllers In addition to its guidance on outsourcing, which is taken to include and data processors must implement appropriate technical and organi- outsourcing data storage requirements, in its guidance note to distrib- sational measures to ensure a level of security appropriate to the risks uted ledger technology (DLT) providers on corporate governance the arising from the processing of personal data. GFSC specifically states: www.lexology.com/gtdt 81 © Law Business Research 2020 Gibraltar Ince

• there is no specific requirement for a DLT Provider to have their • it was made in the course of the employee’s duties and the employee technology or servers physically located in Gibraltar; and similarly, has, because of the nature of the duties and the particular respon- a DLT provider will not ordinarily be required to have their intel- sibilities arising from them, a special obligation to further the lectual property held in Gibraltar as this may be held by an affiliate employer’s interests. company outside Gibraltar; • a DLT provider will be able to use cloud services to host their busi- Joint ownership ness platforms and this can be outsourced to reputable and secure 38 Are there any restrictions on a joint owner of intellectual cloud service providers locally or outside Gibraltar so long as the property’s right to use, license, charge or assign its right in DLT provider can demonstrate it has access to and adequate over- intellectual property? sight over cloud storage and processing; and • a DLT provider should ensure that it has access to all relevant In Gibraltar, in the absence of some other agreement between them, records, and can provide access to the GFSC on demand, at all co-owners will be able to exploit the jointly held rights themselves times and have arrangements in place in the event of failure of but will not will not be able to assign or license them to third parties, primary record storage systems. without the consent of the other co-owner.

While the guidance is specific to DLT providers, it is deemed to apply to Trade secrets all financial service companies in Gibraltar. 39 How are trade secrets protected? Are trade secrets kept confidential during court proceedings? INTELLECTUAL PROPERTY RIGHTS As with the ownership of IP rights, the confidentiality of trade secrets is IP protection for software usually governed by confidentiality clauses in the employment contract 36 Which intellectual property rights are available to protect or service contract. software, and how do you obtain those rights? In respect of court proceedings, upon application by one of the parties, the courts will often embargo the reporting of such trade secrets. Gibraltar follows English law in relation to the registration of IP rights and the protection of registered and unregistered IP rights. Branding The UK Patents Act 1977 operates in Gibraltar by virtue of the 40 What intellectual property rights are available to protect Gibraltar Patents Act 1924. It is not possible to make an original applica- branding and how do you obtain those rights? How can tion to register a patent in Gibraltar. The application must be made to fintech businesses ensure they do not infringe existing the UK Intellectual Property Office and extended to include Gibraltar brands? within three years of the UK patent’s date of issue and protection will run for as long as the UK patent is valid. As with other IP, branding can be protected by way of trademark or European trademarks may be registered from Gibraltar and a UK design registration. Further, there are instances in which even without registration can be extended to cover Gibraltar. formal registration, the brand or trademark may have developed suffi- Designs registered in the UK are automatically protected in cient goodwill to enable the brand owner to take action against another Gibraltar by virtue of the Gibraltar Designs Act 1928. There is no Gibraltar person or entity for infringement or passing-off. design registry and no need for an application to be made in Gibraltar. To avoid infringement, fintech companies should carry out the Designs registered in the EU (by way of a registered community design) appropriate online searches and searches of IP registers when devel- are also automatically protected in Gibraltar under the Treaty on the oping a brand or product to ensure that it does not infringe pre-existing Functioning of the European Union. Further international protection is intellectual property rights of third parties. available under the World Intellectual Property Office Hague Agreement Concerning the International Deposit of Industrial Designs 1925. Remedies for infringement of IP With regard to unregistered designs, protection arises automati- 41 What remedies are available to individuals or companies cally when the design is recorded in a design document or an article whose intellectual property rights have been infringed? is made to the design. Designs made in Gibraltar qualify for reciprocal protection in UK (Design Right (Reciprocal Protection) Order 1989 (No. Remedies for IP infringement include the following: 2) 1989 (SI 1989/1294)). • interlocutory relief; In Gibraltar, copyright protects the authors of works by preventing • order for delivering up; others from copying or reproducing the work, with protection arising auto- • seizure of infringing copies and other articles; matically on creation of the qualifying work: registration is not required. • forfeiture; • injunctions; IP developed by employees and contractors • damages; or 37 Who owns new intellectual property developed by an • an account of profits. employee during the course of employment? Do the same rules apply to new intellectual property developed by COMPETITION contractors or consultants? Sector-specific issues This is governed by the employment or service contract between the 42 Are there any specific competition issues that exist with company and its employee or the contractor or consultant. Where respect to fintech companies in your jurisdiction? there is no such contractual provision, the IP rights will belong to the employer if: Fintech is viewed as generally pro-competitive in the financial services • it was made in the course of the employee’s normal or specifically market. However, the EU competition regime applies to Gibraltar and assigned duties; or is enshrined in articles 101 and 102 of the Treaty on the Functioning of

82 Fintech 2021 © Law Business Research 2020 Ince Gibraltar the European Union, which sets out the rules relating to anticompetitive agreements and the abuse of dominance.

TAX

Incentives 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction? David Borge [email protected]

Gibraltar has an attractive tax regime both for individuals and business, Kunal Budhrani with businesses enjoying a 10 per cent corporate tax rate. There are, [email protected] however, no incentives specific to fintech companies. Peter Howitt [email protected] Increased tax burden 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for Unit 6.20, World Trade Center 6 Bayside Road fintech companies in your jurisdiction? Gibraltar GX11 1AA Gibraltar No. Tel: +350 200 68 450 www.incegd.com IMMIGRATION

Sector-specific schemes 45 What immigration schemes are available for fintech Coronavirus businesses to recruit skilled staff from abroad? Are there 47 What emergency legislation, relief programmes and other any special regimes specific to the technology or financial initiatives specific to your practice area has your state sectors? implemented to address the pandemic? Have any existing government programmes, laws or regulations been amended A company can apply to the Gibraltar Government’s Finance Centre to address these concerns? What best practices are advisable Department (the Finance Centre) director to have employees designated for clients? as a high executives possessing specialist skills (HEPSS individual). HEPSS individuals must: While the Gibraltar government was quick to implement measures • possess specialist skills of exceptional economic value to Gibraltar; across the board to alleviate the general financial strain on employers • have skills that are not available in Gibraltar; and and business tenants and has been extremely proactive in monitoring • earn more than £100,000 a year. and modifying these measures on a daily basis. No measures were introduced that were specific to the financial Income tax liability is capped at the first £120,000 of taxable earnings. services and legal services industries. The cap primarily applies to income from the designated employment, The Gibraltar Financial Services Commission is allowing finan- but can extend to certain dividends, interest, pensions income and cial services licence fees to be paid over the course of 12 months as foreign income. A HEPSS individual will be required to have residential opposed to upfront in advance as is usually required. accommodation in Gibraltar that is suitable for HEPSS requirements. The Finance Centre director must confirm suitability before a HEPSS individual can enter into any residential property agreements.

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

There is emerging interest in the regulation or facilitation of cannabis- related industries in Gibraltar. In addition to the general appetite within the jurisdiction for traditional ‘cannabusiness’ (eg, cultivation for medical exportation), those in financial services and the legal profession have noted the difficulty cannabusinesses have in obtaining financial services, specifically banking at a larger, global level, funds derived from the industry. Even if legal in the jurisdiction, funds can be treated by the authorities as proceeds of crime given its illegal status in many other jurisdictions. For this reason, many cannabusinesses have difficulty banking their income or raising finances.

www.lexology.com/gtdt 83 © Law Business Research 2020 Hong Kong

Ian Wood Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES to these agreements, the SFC will cooperate to share information on emerging fintech trends, developments and related regulatory issues, as General innovation climate well as on organisations that promote innovation in financial services. 1 What is the general state of fintech innovation in your In September 2017, the Insurance Authority launched a fast-track jurisdiction? scheme to expedite applications by insurance companies using solely digital distribution channels as a means to promote the development of Hong Kong is home to more than 600 fintech companies and start-ups, insurtech in Hong Kong. covering services in the areas of payment, AI, wealthtech, blockchain The government also supports tech start-ups through the HK$2 and insurtech. As is fitting for an international financial centre, more billion Innovation and Technology Venture Fund. than one-third of fintech founders are from other countries. Nearly half of the established fintech companies have been in operation for more FINANCIAL REGULATION than three years, and the market has begun to mature. Hong Kong has a 67 per cent consumer fintech adoption rate according to a recent Trade Regulatory bodies Development Council report, which demonstrates consumer desire 3 Which bodies regulate the provision of fintech products and for innovative approaches to serving their financial needs; although, services? business-to-business services remain the biggest drivers of fintech development in Hong Kong. The government supports the sector and The main regulatory bodies are the Hong Kong Monetary Authority has strengthened cooperation with regulators in other jurisdictions to (HKMA), Securities and Futures Commission (SFC) and the Insurance encourage cross-border fintech development. Authority. In 2019, the Hong Kong Monetary Authority (HKMA) granted eight new ‘virtual bank’ licences. A number of new virtual banking licence Regulated activities holders are operating in joint ventures, bringing together strengths 4 Which activities trigger a licensing requirement in your from traditional banking and online platforms to facilitate innovation. jurisdiction?

Government and regulatory support Pursuant to the Securities and Futures Ordinance, the following activi- 2 Do government bodies or regulators provide any support ties are regulated and trigger a licence requirement: specific to financial innovation? If so, what are the key • Type 1: dealing in securities; benefits of such support? • Type 2: dealing in futures contracts; • Type 3: leveraged foreign exchange trading; Fintech is identified by the government as a priority investment area. • Type 4: advising on securities; In 2019, the Hong Kong Monetary Authority (HKMA) granted • Type 5: advising on futures contracts; eight virtual bank licences. These licences were granted as part of the • Type 6: advising on corporate finance; government’s Smart Banking Initiative and recipients included tech- • Type 7: providing automated trading services; nology companies as well as more traditional banks. • Type 8: securities margin financing; The Securities and Futures Commission (SFC) operates a Fintech • Type 9: asset management; and Contact Point and the HKMA established a Fintech Facilitation Office • Type 10: providing credit rating services. which, in each case, are intended to facilitate the fintech community’s understanding of the current regulatory regime and for the regulators to For the purposes of the above categories, ‘securities’ are very widely work with market participants to support the sustainable development defined and include stocks, shares, loan stock, bonds, debentures, all of the fintech industry. Linked with the Fintech Supervisory Sandbox rights and interests in such securities, interests in collective investment established by the HKMA, in 2017 the SFC launched a Regulatory schemes and structured products. However, shares and debentures of Sandbox that permits new and existing licensed entities to carry out a private Hong Kong company do not constitute securities. Hong Kong regulated activities within a confined regulatory environment prior to private companies are companies incorporated in Hong Kong that launching on a wider scale. restrict members’ rights to transfer shares, limit the maximum number The HKMA is one of the founding contributors of, and the SFC has of shareholders to 50 and prohibit the making of an invitation to the joined as a coordination group member of, the Global Financial Innovation public to subscribe for shares or debentures. Network. The SFC has also signed cooperation agreements with a number The licensing regime applies irrespective of whether the specified of overseas regulators, including the UK’s Financial Conduct Authority activities take place in Hong Kong or, if a person is actively marketing and the Australian Securities and Investments Commission. Pursuant these activities to the public in Hong Kong, from outside Hong Kong.

84 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Hong Kong

The activities that are most relevant to fintech businesses are likely Collective investment schemes to be dealing in securities and advising on securities. Dealing in securi- 7 Describe the regulatory regime for collective investment ties includes making or offering to make an agreement with a person, or schemes and whether fintech companies providing alternative inducing or attempting to induce another person to enter into an agree- finance products or services would fall within its scope. ment to acquire, dispose, subscribe or underwrite securities. Advising on securities includes giving advice on whether, and the terms on which, Broadly, a scheme is a collective investment scheme under Hong Kong securities should be acquired or disposed of and issuing analyses or law if it has the following four elements: reports for the purpose of facilitating decisions on whether to acquire • it is an arrangement in respect of property; or dispose of securities. It is also possible that some fintech platforms • participants do not have day-to-day control over the management could constitute automated trading services, the operation of which of the property even if they have the right to be consulted or to give requires a licence. directions about the management of the property; In addition to the above licensing requirements, if a business is • the property is managed as a whole by or on behalf of the person undertaking banking activities, such as receiving money on a current, operating the arrangements or the contributions of the partici- deposit, savings or similar account or paying or collecting cheques, pants, or both, and the profits or income from which payments are such a business is required to be licensed as a bank by the HKMA. made to them are pooled; and Certain other activities, such as moneylending, money exchange • the purpose of the arrangement is for participants to participate in services, money remittance services and money broking services, or receive profits, income or other returns from the acquisition or also require licences from the HKMA or the Commissioner of Customs management of the property. and Excise. The operation of stored value facilities (such as prepay cards or A collective investment scheme can cover any property and that prop- prepay mobile apps) or designated retail payment systems is subject to erty does not need to be located in Hong Kong for the scheme to be a a new licensing regime under the Payment Systems and Stored Value collective investment scheme. ‘Property’ in this context is not limited to Facilities Ordinance. Operators of these facilities now require a licence real property. from the HKMA. It is an offence in Hong Kong to issue any marketing material that contains an offer to the Hong Kong public to acquire an interest Consumer lending or participate in a collective investment scheme unless it has been 5 Is consumer lending regulated in your jurisdiction? authorised by the SFC or an exemption applies. Promoting a collective investment scheme may also constitute a regulated activity for which a Under Hong Kong law, the offering and provision of consumer lending is licence is required. It is possible that certain fintech activity could consti- not distinguished from primary lending. tute a collective investment scheme where the business concerned is Lending (consumer lending and primary lending) is a regulated managing assets on behalf of participants who have invested through a activity in the jurisdiction and is governed by the Money Lenders fintech platform (eg, investing in real estate or debt securities). Careful Ordinance. The Money Lenders Ordinance requires that all loans made analysis of the specific circumstances and the way in which the platform available in Hong Kong are by licensed moneylenders or authorised permits investors to participate will be required to determine whether it institutions (eg, licensed banks, restricted-licence banks and deposit- constitutes a collective investment scheme. taking companies under the Banking Ordinance). There are a number of exemptions that, if applicable, mean no formal Alternative investment funds licence is required. The loan and lending entity would need to satisfy 8 Are managers of alternative investment funds regulated? one of the specified categories of exempted lenders and exempted loans in Schedule 1 of the Money Lenders Ordinance. Examples of exempted Management of securities or futures contracts or real estate investment loans are: schemes constitutes a regulated activity as it falls under Type 9: asset • a loan made bona fide for the purchase of immovable property on management of the Securities and Futures Ordinance. Accordingly, the security of a mortgage of that property and a loan made bona managers of alternative investment funds that invest in real estate fide to refinance such a mortgage; or securities (which are widely defined) or futures contracts require a • a loan made by a company, firm or individual whose ordinary busi- licence to do so. ness does not primarily or mainly involve the lending of money in The SFC confirmed in November 2018 that companies engaged in the ordinary course of that business; the distribution to the Hong Kong public of funds that invest in virtual • an intra-group loan; and assets are required to be licensed for Type 1 activity whether or not • a loan made to a company that has a paid-up share capital of such virtual assets amount to ‘securities’. In addition, the SFC will now not less than HK$1 million or an equivalent amount in any other apply additional conditions on licensed corporations that manage or approved currency. distribute funds that invest, solely or partially, (more than 10 per cent of the gross asset value) in, or that have a stated investment objective Secondary market loan trading to invest in, virtual assets. These conditions include a restriction that 6 Are there restrictions on trading loans in the secondary such funds can only be invested in, or offered to, professional investors. market in your jurisdiction? Peer-to-peer and marketplace lending Secondary market loan trading is not a regulated activity in itself but it 9 Describe any specific regulation of peer-to-peer or constitutes primary lending regardless of whether the loan has been marketplace lending in your jurisdiction. fully drawn and, therefore, the loan and lender are subject to the restrictions of the Money Lenders Ordinance. There are no specific regulations applicable to peer-to-peer (P2P) However, secondary market loan intermediation is not a regulated or marketplace lending in Hong Kong. The SFC has issued a notice activity, provided that it does not involve any lending or deposit-taking reminding potential P2P businesses that activity such as P2P lending and provided that loans are not in the form of securities. might constitute a regulated activity, but much will depend on the www.lexology.com/gtdt 85 © Law Business Research 2020 Hong Kong Simmons & Simmons LLP

precise structure of the platform. For example, it is likely that a platform Robo-advice offering debentures or loan stocks would constitute a regulated activity 14 Describe any specific regulation of robo-advisers or other of dealing in securities. companies that provide retail customers with automated Additionally, it is an offence in Hong Kong to issue any marketing access to investment products in your jurisdiction. material that contains an offer to the Hong Kong public to enter into an agreement to acquire or dispose of securities, unless an exemp- Robo-advisers will usually need to be licensed by the SFC as they tion applies. provide investment advice and services for dealing in securities. In addition, the SFC has issued Guidelines on Online Distribution Crowdfunding and Advisory Platforms that took effect on 6 July 2019 (the Guidelines). 10 Describe any specific regulation of crowdfunding in your The Guidelines set out requirements through the application of core jurisdiction. principles concerning the proper design of the platform, clear disclosure of information, risk management, governance, capabilities and There are no specific regulations concerning crowdfunding. However, resources, review and monitoring of activities on the platform and certain crowdfunding activity is likely to constitute a regulated activity. record-keeping. Specific guidance is also given concerning robo-advi- For example, equity crowdfunding is likely to constitute dealing in secu- soes in respect of client profiling, system design and development, rities and possibly advising on securities, both of which are regulated supervision and testing of algorithms and technology and staff resource activities in Hong Kong. As such, the operator of these platforms would requirements. need to be licensed by the SFC. Additionally, it is an offence in Hong Kong to issue any marketing Insurance products material that contains an offer to the Hong Kong public to enter into 15 Do fintech companies that sell or market insurance products an agreement to acquire or dispose of securities unless an exemp- in your jurisdiction need to be regulated? tion applies. Yes, both insurance companies and insurance intermediaries (such as Invoice trading agents) need to be authorised or registered, or both, with the Insurance 11 Describe any specific regulation of invoice trading in your Authority in Hong Kong. jurisdiction. Credit references To the extent that an invoice is purchased, without risk of being re-char- 16 Are there any restrictions on providing credit references or acterised as a loan for the purposes of the Money Lenders Ordinance, credit information services in your jurisdiction? with true sale there is no specific regulation on the buying and selling of invoices. This is common in factoring and invoice discounting The provision of credit ratings (opinions regarding the creditworthiness arrangements. of entities other than an individual, securities and agreements to provide However, if invoices are opened to the public and crowdfunded credit) is regulated, but the gathering, collating, dissemination or distri- then the operator of the trading platform needs to follow certain regu- bution of information concerning the indebtedness or credit history of lations. It is usually the case that if a platform investor is classed as a any person is not regulated (except under data protection law). professional investor, then much of the regulation around crowdfunded invoicing might not apply, depending on the platform structure. CROSS-BORDER REGULATION

Payment services Passporting 12 Are payment services regulated in your jurisdiction? 17 Can regulated activities be passported into your jurisdiction?

Payment services include a wide range of activities such as taking cash No. deposits, making cash withdrawals, executing payment transactions, issuing or acquiring of payment instruments, issuing and administering Requirement for a local presence means of payment, making payments sent through the intermediary of a 18 Can fintech companies obtain a licence to provide financial telecoms, IT system or network operator, or even providing stored value services in your jurisdiction without establishing a local cards or devices. presence? Payment services are regulated activities in Hong Kong and are subject to the Banking Ordinance, the Anti-Money Laundering and It is unlikely that the SFC would grant a licence for regulated activities Counter-Terrorist Financing Ordinance and the Payment Systems and to an entity that did not have a local presence. Equally, the Hong Kong Stored Value Facilities Ordinance (as applicable). Monetary Authority is unlikely to provide a banking licence to an entity that does not have a presence in Hong Kong as it would be difficult to Open banking see how such an entity could comply with the obligations to which it 13 Are there any laws or regulations introduced to promote would be subject as a bank. competition that require financial institutions to make customer or product data available to third parties? SALES AND MARKETING

No. However, the HKMA published the Open Application Programming Restrictions Interface (API) Framework for the Hong Kong Banking Sector in July 19 What restrictions apply to the sales and marketing of 2018. This is intended to encourage financial institutions to make financial services and products in your jurisdiction? information available through open APIs within a staged time frame depending on the type of information but this is not a regulatory The issuance of any marketing materials that contain an offer to the requirement. Hong Kong public to enter into an agreement to acquire or dispose of

86 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Hong Kong securities must be authorised by the Securities and Futures Commission, (eg, the persons authorised in the board resolutions to sign) is required unless an exemption applies. (under section 121 of the Companies Ordinance). A security agreement would typically be required to be executed as CHANGE OF CONTROL a deed. As such, in respect of the execution by a Hong Kong company, the deed should be executed either with the common seal affixed in Notification and consent accordance with the requirements in the articles of association of the 20 Describe any rules relating to notification or consent company or, in accordance with the Companies Ordinance, without the requirements if a regulated business changes control. common seal affixed but signed by, in the case of a Hong Kong company with two or more directors, any two directors or any director and the Different consent requirements apply to the acquisition of different company secretary or, in the case of a Hong Kong company with sole types of regulated businesses. In general, where a person is to become director, its sole director. a holder of a specified percentage of a regulated entity or will control a The key risk in respect of a peer-to-peer (P2P) marketplace lending specified percentage of voting rights of that entity, prior consent must platform is that in respect of pure P2P lending involving companies or be obtained from the relevant regulatory authority. For banks or enti- individuals lending via the lending platform, each such lending company ties that hold a licence for regulated activity, before a person acquires a and individual may be regarded as carrying on a business as a money- holding of more than 10 per cent of the issued shares, or prior to them lender and, thus, is subject to licensing and regulatory restrictions, controlling, alone or with other associates, more than 10 per cent of the including the restrictions on the form of loan agreement, early payment, voting rights in the bank or regulated entity, consent must be sought interest rate, moneylending advertisements and duty to provide infor- from the Hong Kong Monetary Authority or Securities and Futures mation and so on under the Money Lenders Ordinance. Commission respectively. Additional rules apply to persons becoming majority holders of banks and to the acquisition of indirect sharehold- Assignment of loans ings in regulated entities. Failure to obtain consent is a criminal offence. 24 What steps are required to perfect an assignment of In all cases, advice should be sought as to the applicable requirements loans originated on a peer-to-peer or marketplace lending and the process for obtaining consent. platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these FINANCIAL CRIME loans without informing the borrower?

Anti-bribery and anti-money laundering procedures According to the Hong Kong Law Amendment and Reform (Consolidation) 21 Are fintech companies required by law or regulation to have Ordinance, the legal assignment of a loan by the assignor (ie, the lender) procedures to combat bribery or money laundering? to the assignee (ie, the purchaser) will be perfected if: • the assignor absolutely assigns the receivable to the assignee; If the relevant entity is licensed for regulated activities, is licensed as • the assignment is in writing and signed by the assignor in favour a bank, operates a money service or provides trust or company incor- of the assignee; and poration services, it needs to comply with the Hong Kong legislation • a written notice of assignment is delivered to and received by the in relation to anti-money laundering and counter-terrorist financing, party liable to pay the loan (the underlying debtor, in other words, including establishing policies and procedures to identify clients and the borrower). combat money laundering and terrorist financing. Whether these requirements apply to companies that receive digital currencies or Regarding the written notice of assignment above, although there is no launching ICOs will depend on whether they are carrying out a regu- time limit within which this notice of assignment has to be given, the lated activity and are required to be licensed to do so. notice should be given as soon as possible to complete the perfection The Hong Kong legislation in relation to the prevention of bribery of the assignment. would also apply, and licensed companies should have in place policies If the assignment is not perfected, the assignment concerned may and procedures to prevent bribery. still constitute an equitable assignment (in contrast to a legal assignment), which is still recognised by the Hong Kong courts, although there Guidance are some practical disadvantages that may affect enforcement. 22 Is there regulatory or industry anti-financial crime guidance The lender (as assignor) need not obtain the consent of the for fintech companies? borrower unless the loan agreement between the lender and the borrower contains a prohibition on the lender assigning certain or all of There is no specific guidance for fintech companies, but there is guid- its rights under the loan agreement to a third party. ance for licensed corporations and banks that would apply to fintech Notification to the borrower of the assignment is not mandatory businesses that are licensed accordingly. for the assignment to be effective. However, there are a number of practical and legal difficulties that arise from an assignment without PEER-TO-PEER AND MARKETPLACE LENDING notice to the debtor (that is, an equitable assignment rather than a legal assignment). Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Securitisation risk retention requirements security agreements? Is there a risk that loan agreements 25 Are securitisation transactions subject to risk retention or security agreements entered into on a peer-to-peer or requirements? marketplace lending platform will not be enforceable? In June 2016, the Hong Kong Monetary Authority (HKMA) published the A loan agreement does not need to be executed as a deed and, accord- Credit Risk Transfer Activities Module (the CRTA Module) for inclusion ingly, in respect of a Hong Kong company entering into a loan agreement, in the HKMA Supervisory Policy Manual. The CRTA Module defines an only the signature of the persons acting upon the company’s authority ‘originator’ as: www.lexology.com/gtdt 87 © Law Business Research 2020 Hong Kong Simmons & Simmons LLP

• a person who directly or indirectly originates the underlying expo- Crypto-assets sures in a securitisation transaction; or 29 Are there rules or regulations governing the use of crypto- • in relation to a securitisation transaction for which underlying assets, including digital currencies, digital wallets and exposures are acquired from third-party entities, a person who e-money? serves as a sponsor of the transaction by establishing, managing and advising on the transaction or by providing any credit enhance- In respect of common ‘digital currencies’ or ‘digital wallets’, such as ment or liquidity facility in respect of the transaction. bitcoin, the Hong Kong government considers that these are virtual commodities and do not qualify as digital currencies with regard to While there are no detailed risk retention requirements imposed on their nature and circulation in Hong Kong. In this regard, Hong Kong originators, the CRTA Module provides that an originating authorised does not have any specific regulatory measures in respect of the use of institution should ensure that investors have readily available access virtual commodities, but the existing laws provide for protection against to all materially relevant data concerning the transaction, including, unlawful activities in general (eg, anti-money laundering, fraud and where relevant and appropriate, the amount of risk retention by the terrorist financing). authorised institution in the transaction and the manner in which the Financial institutions dealing with virtual commodities are required risk is retained. to comply with regulations from time to time by the relevant financial The CRTA Module also provides that an authorised institu- regulators, the Hong Kong Monetary Authority and the SFC. Additional tion acting as an originator of a securitisation transaction should be requirements apply to companies engaged in distribution funds that prepared to explain to the HKMA the possible impacts on its financial invest in virtual assets. position, capital adequacy, liquidity and asset quality, with regard to the risks incurred by it in the structure of the transaction including through Digital currency exchanges retention of the first-loss tranche or provision of liquidity facilities. 30 Are there rules or regulations governing the operation of The CRTA Module states that unless otherwise agreed with digital currency exchanges or brokerages? the HKMA, an authorised institution should refrain from investing in, or incurring an exposure to, a securitisation if the originator has not Basic digital currencies, such as bitcoin, are considered virtual commod- disclosed its compliance with any risk retention requirements appli- ities, and, therefore, operating an exchange to trade these currencies is cable to it (in any jurisdiction). not a regulated activity in Hong Kong. However, if a digital currency falls within the definition of a ‘security’ in Hong Kong then trading Securitisation confidentiality and data protection requirements these securities is a regulated activity and requires a licence. In addi- 26 Is a special purpose company used to purchase and securitise tion, investment products linked to digital currencies, such as bitcoin peer-to-peer or marketplace loans subject to a duty of futures or funds linked to digital currencies, are considered securities, confidentiality or data protection laws regarding information and offering or trading these products requires a licence. relating to the borrowers? In November 2019, the SFC issued a position paper regarding the regulation of asset trading platform operators that provide trading, The Personal Data (Privacy) Ordinance governs the collection, use and clearing and settlement services for virtual assets where at least one of dissemination of the personal data of living individuals. the virtual assets is a security. The SFC has confirmed that it can only Data about or provided by obligors may also be protected by more regulate platform operators that provide services in relation to virtual general Hong Kong legal and regulatory principles that require the assets that constitute securities and that these platform operators may protection of confidential information. Largely, these apply irrespec- now apply for a licence. The SFC has adopted a set of regulatory stand- tive of the legal structure of the obligor, but their precise application ards for virtual asset trading platforms that are comparable to those depends on the circumstances. applicable to licensed security brokers and automated trading venues. The SFC expects a number of platform operators to elect to be licensed ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER by choosing to trade virtual assets that are securities. The SFC will TECHNOLOGY AND CRYPTO-ASSETS apply licensing conditions, including conditions that the platform may only offer services to professional investors, that stringent criteria be Artificial intelligence applied for the inclusion of virtual assets to be traded and that services 27 Are there rules or regulations governing the use of artificial must only be provided to clients that have sufficient knowledge of intelligence, including in relation to robo-advice? virtual assets. There are also requirements for the platform operator to adopt a reputable external market surveillance system and have in The provision of investment advice is a regulated activity irrespective of place an insurance policy covering the risks associated with the custody the method of delivery of the advice. There are no specific regulations of virtual assets. Initially, any licensed platform will be placed in the governing the use of artificial intelligence and the provision of robo- SFC Regulatory Sandbox and be subject to more frequent monitoring advice. However, the Securities and Futures Commission (SFC) has and reviews. issued guidelines on online distribution and advisory platforms, which took effect from July 2019. The guidelines identify six core principles Initial coin offerings that must be complied with by operators of online advice platforms and 31 Are there rules or regulations governing initial coin offerings provide additional requirements for robo-advisers. (ICOs) or token generation events?

Distributed ledger technology The regulation of tokens offered in ICOs depends on the nature of the 28 Are there rules or regulations governing the use of tokens offered. Utility tokens that only provide membership or access to distributed ledger technology or blockchains? a service or payment tokens that are only used as a means of payment for goods or services (such as bitcoin) are not regulated. However, There are no specific regulations or guidelines regarding the use of tokens that comprise securities under Hong Kong regulations are regu- distributed ledger technologies. lated. For example, tokens that represent an asset such as a debt or a

88 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Hong Kong claim on the issuer’s assets (such as a share in future earnings) or that Cybersecurity amount to a collective investment scheme are securities. 33 What cybersecurity regulations or standards apply to fintech Where the tokens involved in an ICO fall under the definition of businesses? securities, dealing in or advising on these tokens, or managing or marketing a fund investing in them, may constitute a regulated activity. There are no cybersecurity regulations or standards specifically Persons engaging in a regulated activity targeting the Hong Kong public addressing fintech businesses in Hong Kong. Cybersecurity is covered are required to be licensed by or registered with the SFC, irrespective under various laws and regulations, such as the Personal Data Privacy of where they are located. In addition, investment products linked to any Ordinance and the Crimes Ordinance. tokens (whether securities or not), such as futures or derivatives, are The Hong Kong Monetary Authority's (HKMA) Supervisory Policy considered to be securities and offering, trading or advising on these Manual sets out the key regulatory standards that the HKMA expects products is a regulated activity. authorised institutions to follow in relation to technology security and has issued a circular on Cybersecurity Risk Management, requiring industry DATA PROTECTION AND CYBERSECURITY players to establish appropriate governance frameworks. Several frameworks were launched by HKMA to strengthen cyber resilience in Data protection the banking sector, including the Enhanced Competency Framework on 32 What rules and regulations govern the processing and Cybersecurity and the Cybersecurity Assessment Framework. transfer (domestic and cross-border) of data relating to The Securities and Futures Commission has issued the Guidelines fintech products and services? for Reducing and Mitigating Hacking Risks Associated with Internet Trading, and the Circular to All Licensed Corporations on Cybersecurity, There are no specific regulations governing the processing and transfer setting out areas that licensed corporations should pay close attention of data relating to fintech products and services in Hong Kong, but to when reviewing and mitigating their cybersecurity risks, as well as fintech companies are required to comply with the Personal Data certain controls that these corporations should consider implementing (Privacy) Ordinance (PDPO) when collecting or using the personal where applicable. data of individuals. Personal data is information that relates to a living person and can be used to identify that person, where the data is in a OUTSOURCING AND CLOUD COMPUTING form in which access or processing is practicable. Organisations that collect and use personal data must comply with, among other things, six Outsourcing data protection principles, which include the following. 34 Are there legal requirements or regulatory guidance with • DPP1: personal data can only be collected for a purpose directly respect to the outsourcing by a financial services company of related to a function and activity of the data user in a lawful and a material aspect of its business? fair manner, and the amount of data to be collected must not be excessive. Data subjects have to be informed of the purpose of the The Securities and Futures Commission (SFC) has endorsed the collection of data and how it will be used. Principles on Outsourcing of Financial Services for Market Intermediaries • DPP2: data users must take all practicable steps to ensure published by the International Organisation of Securities Commission personal data remains accurate and is deleted after the purpose of (the IOSCO Principles) but there are no specific regulations or guidance collecting this data is fulfilled. issued by the SFC on outsourcing. There are specific requirements that • DPP3: unless the data subject has given prior consent, personal regulated entities must comply with, such as record-keeping require- data can only be used for the purpose for which it was originally ments, which are relevant to decisions to outsource parts of the business. collected or a directly related purpose. The Hong Kong Monetary Authority (HKMA), which regulates • DPP4: data users must take all practicable steps to ensure that authorised institutions, such as banks, includes in its supervisory policy personal data is protected against unauthorised or accidental manual a chapter on outsourcing. The HKMA expects authorised insti- accessing, processing, loss or erasure. tutions to be aware of their legal obligations to meet the minimum • DPP5: data users should stipulate, publish and implement poli- authorisation criteria under the Banking Ordinance in relation to cies in relation to personal data that can generally be achieved by outsourcing plans. In particular, authorised institutions need to have having a data privacy policy in place. adequate accounting systems and systems of control and to conduct • DPP6: individuals have rights of access to and correction of their their business with integrity, competence and in a manner not detri- personal data. Data users should comply with data access or data mental to the interests of depositors. correction requests within the requisite time limit, unless reasons for rejection prescribed in the PDPO are applicable. Cloud computing 35 Are there legal requirements or regulatory guidance with The Hong Kong Privacy Commissioner issued an information leaflet respect to the use of cloud computing in the financial services in March 2019 explaining the privacy implications and risks of fintech industry? applications. The publication also recommends good practices in relation to data privacy for fintech operators. The Hong Kong Privacy Commissioner, the HKMA and the SFC have The Hong Kong Privacy Commissioner has also published an infor- published guidelines on outsourcing and data privacy in connection with mation leaflet – ‘Matching Procedure: Some Common Questions’ – that cloud computing. emphasises the importance of obtaining consent from all individual data The Hong Kong Privacy Commissioner has published various guide- subjects or the Privacy Commissioner if the process of aggregation of lines, circulars and information leaflets providing guidance on measures personal data for commercial gain constitutes a matching procedure and best recommended practices that are pertinent to cloud services. under the PDPO, to ensure that the risk of potential harm to the relevant These include having contractual arrangements between providers and data subjects is minimised. It also issued the ‘Guidance on the Proper customers of cloud services, to address the Privacy Commissioner’s key Handling of Customers’ Personal Data for the Banking Industry’. concerns relating to loss of control, and the use, retention or erasure and security, of personal data when it is stored in the cloud. www.lexology.com/gtdt 89 © Law Business Research 2020 Hong Kong Simmons & Simmons LLP

The HKMA’s Supervisory Policy Manual sets out the key regulatory IP developed by employees and contractors standards that the HKMA expects authorised institutions to follow, or 37 Who owns new intellectual property developed by an else be prepared to justify non-compliance, for managing technology employee during the course of employment? Do the same risks and cybersecurity, covering topics such as: rules apply to new intellectual property developed by • IT governance and oversight, system development and change contractors or consultants? management; • information processing; Copyright created by an employee in the course of his or her employ- • communication network management; and ment is automatically owned by the employer unless otherwise agreed. • management of technology service providers. An invention made by an employee belongs to the employer: • if it was made in the course of the normal duties of the employee or The SFC has endorsed the IOSCO Principles in relation to ‘licensed in the course of duties falling outside his or her normal duties, but corporations’ outsourcing their activities. The SFC also issued guide- specifically assigned to him or her, and the circumstances in either lines that require licensed corporations to establish policies and case were such that an invention might reasonably be expected to procedures to ensure the integrity, security, availability, reliability and result from the carrying out of his or her duties; or thoroughness of all information relevant to the licensed corporation’s • if the invention was made in the course of the duties of the employee business, which extends to situations where data is stored in the cloud. and, at the time of making the invention, because of the nature of Other best recommended practices relevant to cloud computing include: his or her duties and the particular responsibilities arising from • reviewing policies and procedures to manage, identify and assess the nature of his or her duties, he or she had a special obligation to cybersecurity threats and IT security controls; further the interests of the employer’s undertaking. • considering the cybersecurity controls of third-party service providers; and Copyright or inventions created by contractors or consultants in the • ensuring continuity of critical activities and systems. course of their duties are owned by the contractor or consultant unless otherwise agreed in writing. However, the person who commissions a On 31 October 2019, the SFC issued a circular on the use of external copyrighted work has an exclusive licence to exploit the commissioned electronic data storage by licensed corporations. The circular sets out work for all purposes that could reasonably have been contemplated by various requirements in relation to licensed corporations' use of external the author and the person who commissioned the work at the time the data storage providers (EDSPs). These include requirements to obtain work was commissioned, and the power to restrain any exploitation of undertakings from EDSPs in favour of the SFC in certain circumstances the commissioned work for any purpose against which he or she could and requirements regarding the management of risks and security with reasonably take objection. regard to the use of EDSPs. Joint ownership INTELLECTUAL PROPERTY RIGHTS 38 Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in IP protection for software intellectual property? 36 Which intellectual property rights are available to protect software, and how do you obtain those rights? If copyright is jointly owned (eg, copyright in respect of a computer program that has been co-written by two people) then all joint owners Computer programs (and preparatory design materials for computer must consent to any act restricted by copyright (such as its use, licensing programs) are protected by copyright as literary works under the and assignment). As a result, the commercialisation of jointly owned Copyright Ordinance. Copyright arises automatically as soon as the copyright can be a challenge unless all owners consent to its use. It is computer program is recorded. Registration of copyright is not required advisable for the joint owners to enter into an agreement setting out and is not possible in Hong Kong. how these rights should be exercised. If the software code has been kept confidential, it may also be In respect of patents, each co-owner is entitled to an equal share in protected as confidential information. No registration is required. the patent and can do anything in respect of the invention for his or her Programs for computers, and schemes, rules or methods of doing own benefit without the consent or need to account to the other (in each business ‘as such’, are expressly excluded from patentability under the case, subject to any other agreement reached between the co-owners). Patents Ordinance. Notwithstanding these exclusions, it is possible to obtain patents Trade secrets for computer programs and business methods if it can be shown that 39 How are trade secrets protected? Are trade secrets kept the underlying invention makes a ‘technical contribution’ over and confidential during court proceedings? above that provided by the program or business method itself, such as an improvement in the working of the computer. Accordingly, a Confidential information can be protected against misuse, provided well-drafted patent may be able to bring a computer-based software the information in question has the necessary quality of confidence, is or business method invention within this requirement, but this may be subject to an express or implied duty of confidence, and that no registra- difficult to do and will not always be possible. Registration formalities tion is necessary (or possible). must be followed to obtain protection. Confidential information can be kept confidential during civil In particular, ‘standard’ patents are based on patents applied for proceedings with the permission of the court. and granted by one of three designated patent offices, namely, in China, the UK and the European Patent Office (where the UK is designated). They have a maximum period of protection of 20 years from the filing date of the designated application.

90 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Hong Kong

Branding 40 What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Brands can be protected as registered trademarks in Hong Kong. A brand can also be protected under the common law tort of passing-off if it has acquired sufficient goodwill. Certain branding, such as logos and Ian Wood [email protected] stylised marks, can also be protected by design rights and may also be protected by copyright as artistic works. The HK Registry trademark database can be searched to identify 30th Floor, One Taikoo Place potentially problematic trademarks that have been registered or applied 979 King’s Road for. It is highly advisable for fintech businesses to conduct trademark Hong Kong searches to check whether earlier registrations exist that are identical China or similar to their proposed brand names. It may also be advisable to Tel: +852 2868 1131 Fax: +852 2810 5040 conduct searches of the internet for any unregistered trademark rights www.simmons-simmons.com that may prevent use of the proposed mark.

Remedies for infringement of IP 41 What remedies are available to individuals or companies IMMIGRATION whose intellectual property rights have been infringed? Sector-specific schemes Remedies include: 45 What immigration schemes are available for fintech • preliminary and final injunctions; businesses to recruit skilled staff from abroad? Are there • damages or an account of profits; any special regimes specific to the technology or financial • delivery up or destruction of infringing products; sectors? • disclosure orders; and • costs. The Hong Kong government launched three schemes to recruit skilled staff in areas including the technology and financial sectors. COMPETITION The Talent List of Hong Kong was promulgated to attract people around the world who specialise in the 11 professions most needed for Sector-specific issues Hong Kong’s economic development, including ‘Experienced profes- 42 Are there any specific competition issues that exist with sionals in Fintech’, ‘Experienced data scientists and experienced cyber respect to fintech companies in your jurisdiction? security specialists’ and ‘Innovation and technology experts’. These candidates are potentially eligible for immigration via the Quality Migrant There is a competition regime under the Competition Ordinance in Hong Admission Scheme, which does not require them to have secured an Kong that applies to all entities carrying out business in Hong Kong. offer of local employment for settlement in Hong Kong. There are no particular aspects of this regime that would affect fintech The Innovation and Technology Commission introduced the businesses disproportionately to other businesses. Technology Talent Admission Scheme, a three-year scheme that provides a fast-track arrangement for admission of overseas and main- TAX land research and development talent. Eligible technology companies and institutes, including those engaged in the areas of fintech, artifi- Incentives cial intelligence and cybersecurity, may be granted quotas to sponsor 43 Are there any tax incentives available for fintech companies eligible persons to apply for employment visas or entry permits. and investors to encourage innovation and investment in the fintech sector in your jurisdiction? UPDATE AND TRENDS

There are no specific tax incentives applicable to fintech companies. Current developments 46 Are there any other current developments or emerging Increased tax burden trends to note? 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for There is a particular focus on opening up banking and payment infra- fintech companies in your jurisdiction? structure and services in Hong Kong and the roll-out of services by the holders of the newly granted virtual bank licences. The industry is also No. watching the effect of the recent developments regarding the regulation of virtual assets platforms.

www.lexology.com/gtdt 91 © Law Business Research 2020 Hong Kong Simmons & Simmons LLP

While there have not been any Hong Kong government support measures specifically targeted at the fintech sector, there are a number of market-wide and industry programmes under which fintech business may obtain support. These include low interest loans for small and medium-sized enterprises (SMEs) and an SME financing guarantee scheme, pre-approved loan principal payment holidays, employee wage support, subsidies for Securities and Futures Commission-licensed individuals and waivers of business registration and annual return fees.

92 Fintech 2021 © Law Business Research 2020 India

Anuj Kaila and Stephen Mathias Kochhar & Co

FINTECH LANDSCAPE AND INITIATIVES banks, financial institutions and any other company partnering with or providing support to financial services businesses, is eligible to qualify General innovation climate under the regulatory sandbox. The relaxations extend to applicants 1 What is the general state of fintech innovation in your dealing with liquidity requirements, board composition, management jurisdiction? experience, financial soundness and track record. The Securities and Exchange Board of India, in May 2020, also India has been the hub of fintech innovation over the past few years, released its own regulations on a regulatory sandbox for fintech compa- and reports suggest there are over 2,000 fintech start-ups at present nies in relation to securities markets. This sandbox deals primarily with in the country. seeking innovation in securities market-related data, which includes India is the world’s second most populous country, but a large data from depositories (holding and KYC data), stock exchange data percentage of the population has yet to take the benefit of true financial (transaction data, such as order logs and trade logs) and mutual inclusiveness. Fintech companies have a unique opportunity to combine fund data. finance and technology to offer more effective financial solutions than This regulatory acknowledgement of innovation comes as a boost traditional institutions. for the industry, which has always been a few steps ahead of the regu- Fintech innovation is taking place across various industry verti- latory framework. Many entities have already started testing their cals, which include banking, payments, insurance, asset management, innovative products within these sandboxes. brokerage, etc. Fintech companies also focus on machine learning The government has also, over the past few years, opened no-frills that analyses customer expectations and matches them with appro- bank accounts for the majority of people without access to formal priate services. banking. This has given direct access to millions of Indians to formal With the advent of Aadhaar, a biometric-based identification project, banking solutions. the government can directly transfer subsidy-based payments to the bank accounts of holders without any third-party intervention. Aadhaar FINANCIAL REGULATION is also being used to meet know-your-customer (KYC) requirements in a cost-effective manner. However, a Supreme Court ruling in recent years Regulatory bodies over fears of privacy breaches of data with Aadhaar has derailed many 3 Which bodies regulate the provision of fintech products and fintech companies relying on the Aadhaar database for their businesses, services? and the law is in the process of being amended to resolve this issue. There is no universal regulatory body for fintech entities in India. Government and regulatory support Depending on the product or service offered by the entity, the regula- 2 Do government bodies or regulators provide any support tory body governing the vertical would regulate those specific entities. specific to financial innovation? If so, what are the key By and large, fintech products and services can be considered to fall benefits of such support? under the purview of these regulators: the Reserve Bank of India (RBI); the Securities Exchange Board of India (SEBI); the Ministry of Electronics The Reserve Bank of India (RBI) set up an inter-regulatory working and Information Technology; the Ministry of Corporate Affairs; and the group to look into the granular aspects of fintech and its implications so Insurance Regulatory and the Development Authority of India (IRDAI). as to review the regulatory framework and to respond to the dynamics However, the RBI currently regulates the majority of fintech companies of the rapidly evolving scenario of the market concerned. The working dealing with payment aggregation and gateways, account aggregation, group recommended the introduction of an appropriate framework for peer-to-peer (P2P) lending, cryptocurrencies, payments, etc. a regulatory sandbox and to provide an environment for developing fintech innovations and testing applications and application program- Regulated activities ming interfaces developed by banks and fintech companies. 4 Which activities trigger a licensing requirement in your Accordingly, the RBI, in August 2019, released regulations on jurisdiction? a regulatory sandbox for fintech entities to enable and encourage innovation in the industry with minimum regulatory supervision. The Indian law regulates various types of financial services. Advisory innovative products permitted to be tested within the sandbox include work relating to investments in Indian securities requires a licence retail payments, money transfer services, digital KYC, smart contracts, as an investment adviser. Certain types of investment banking, such marketplace lending, financial advisory services, wealth management as assisting private companies in obtaining funding, are considered to services, digital identification services, financial inclusion products be outside the scope of the licence. There are also licensed merchant and cybersecurity products. Any fintech company, including start-ups, bankers; for example, making a public issue on the stock exchanges or www.lexology.com/gtdt 93 © Law Business Research 2020 India Kochhar & Co

a public offer under the Takeover Code would need the support of a Asset reconstruction companies or securitisation companies are registered merchant banker. There are different categories of merchant permitted to securitise the acquired debt and sell the securitised debt bankers, and the functions of each level of category vary. There are only to qualified institutional buyers, which include banks, insurance other categories of agencies that require a licence, such as custodians, companies and foreign institutional investors. stockbrokers, underwriters, portfolio managers, credit rating agencies, Risk participation, either funded or unfunded, is unregulated in foreign institutional investors, venture capital funds, depositories and India, and banks and NBFCs rarely enter into domestic risk participation stock exchanges. transactions. There are various categories of institutions that can engage in In June 2020, the RBI released draft guidelines easing securitisa- lending. These are banks that include scheduled commercial banks tion and loan sale guidelines. and non-scheduled commercial banks, cooperative society banks, small finance banks, non-banking financial companies (NBFCs) and Collective investment schemes moneylenders. In respect of deposits, there are various categories of 7 Describe the regulatory regime for collective investment institutions that can receive deposits. These are banks that include schemes and whether fintech companies providing alternative scheduled commercial banks and non-scheduled commercial banks, finance products or services would fall within its scope. cooperative society banks, small finance banks, NBFCs that are authorised to receive deposits and payment banks. There is also the concept There are several categories of collective investment schemes. These are, of a chit fund, which receives contributions from members and periodi- broadly, mutual funds, alternative investment funds (AIFs) and collective cally conducts a lottery to pay the winner. Post offices can also receive investment schemes, all of which must be registered with SEBI. Mutual deposits. There is a provident fund that is a pension scheme operated funds are primarily focused on listed equity and debt instruments, and by the government. Mutual funds are also regulated. anyone can participate in a mutual fund. AIFs are primarily focused on Factoring can be undertaken by banks, NBFCs registered as factors unlisted instruments, and primarily institutional investors invest in AIFs with the RBI and certain other government entities. owing to a significant minimum investment by an investor. Invoice discounting can be undertaken by banks, NBFCs and The regulations on collective investment schemes cover all other corporates. forms of collective investment schemes. The regulations are extremely Bonds and debentures can be listed on stock exchanges as public stringent on collective investment management companies; for example, offerings. Syndications of loans are generally not regulated unless they there are requirements for rating, insurance, appraisal, schemes to be are converted into securitised instruments. closed-ended, no guaranteed returns and restrictions on advertise- Payment services are also regulated and are particularly relevant ment materials. Units subscribed to collective investment schemes to fintech. are freely transferable. A fintech company must be registered as a Entities in India can deal in foreign exchange trading only with collective investment management company to deal with collective permitted stock exchanges and banks in India. Other entities, such as investment schemes. However, alternative financial services, such as fully fledged money changers, are also permitted to deal with foreign P2P or marketplace lenders, would not fall under the ambit of collective exchange. Indian residents are not permitted to trade in foreign investment schemes. There are separate regulations governing these exchange through overseas trading platforms. services, which a fintech company must comply with.

Consumer lending Alternative investment funds 5 Is consumer lending regulated in your jurisdiction? 8 Are managers of alternative investment funds regulated?

Yes, consumer lending is regulated. There are various types of insti- Yes, managers of AIFs are regulated. There are requirements regarding tutions that are entitled to engage in consumer lending. These are their qualifications and minimum years of experience. The manager or banks that include scheduled commercial banks and non-scheduled sponsor of an AIF is also required to have a minimum investment in the commercial banks, NBFCs, cooperative society banks, small finance fund of not less than 2.5 per cent or 50 million rupees, whichever is lower. banks, microfinance institutions and moneylenders. Regulations require There are requirements relating to disclosure of their investments. lending agencies to maintain standards relating to capital adequacy, prudential norms, cash reserve ratio, statutory liquidity ratio, credit Peer-to-peer and marketplace lending ceiling, know-your-customer guidelines, etc, although each of these 9 Describe any specific regulation of peer-to-peer or norms would apply to each category of lending agency in a different marketplace lending in your jurisdiction. manner. Each agency plays a different role in terms of the type of lending and the kind of borrower. For example, infrastructure NBFCs The RBI is the authority that regulates P2P lending in India. All P2P can extend credit facilities to entities in the transport, energy, water and lending platforms must be registered with the RBI as an NBFC. The eligi- sanitation, and communications sectors. Loans and advances of up to bility requirements for a company to register as a P2P lending platform 2.5 million rupees are required to constitute at least 50 per cent of the include, among other things: loan portfolio of small finance banks. • a minimum capital of 20 million rupees; • that the company applying for registration is incorporated in India; Secondary market loan trading • that a robust and secure information technology system is in place; 6 Are there restrictions on trading loans in the secondary • that there is a viable business plan; and market in your jurisdiction? • that the promoters and directors fulfil the fit and proper criteria laid down by the RBI. Issuance and listing of debt securities and public offer and listing of securitised debt instruments are regulated in India. Trading of debt Although many analysts have cheered the steps taken by the RBI to securities and securitised debt instruments in the secondary market is regulate the P2P industry, the regulations themselves are extremely permitted after the debt securities or securitised debt instruments are stringent in respect of the scope of activities that can be undertaken by listed on a recognised stock exchange. these entities. For example:

94 Fintech 2021 © Law Business Research 2020 Kochhar & Co India

• P2P lending can only be done on an unsecured basis; The RBI, in March 2020, released regulations dealing with payment • loan maturity is capped at 36 months; aggregators and payment gateways. Payment aggregators are enti- • there is a limit of 50,000 rupees regarding exposure between the ties that facilitate the process for e-commerce sites and merchants to same lender and borrower; accept various payment instruments from customers for the completion • there is a limit of 1 million rupees in respect of exposure of a of their payment obligations, without the requirement for merchants to borrower across all P2P lending platforms and 5 million rupees for create a separate payment integration system of their own. Payment lenders across all P2P lending platforms; and aggregators make it easier for merchants to connect with acquirers, • there must be quarterly reporting to the RBI. and, in the process, they receive payments from customers, and pool and transfer them to the merchants. Crowdfunding A payment aggregator must obtain a licence to carry on its busi- 10 Describe any specific regulation of crowdfunding in your ness, and it must strictly adhere to the technology specifications laid jurisdiction. down in the regulations. Some of the conditions to be met by payment aggregators are: To the extent that crowdfunding involves investments in equity or debt • it must have a minimum net worth of 150 million rupees; instruments, these would be regulated by company or securities law. • e-commerce entities engaging in payment aggregation should hive A private company cannot access capital from the public and cannot off the payment aggregation business into a separate entity and have more than 200 shareholders. It also cannot accept deposits from apply for a license; the public. A public company must follow primary market processes for • it must follow stringent settlement timelines with merchants; equity or debt funding. There are no regulations that deal directly with • it must adhere to know-your-customer and anti-money laundering crowdfunding. guidelines prescribed by the government; For other types of funding, that is, those that are not debt or equity • it must maintain an escrow account parking all merchant based, the law is not settled at the moment as all kinds of crowdfunding proceeds; and could be considered as ‘deposits’. We believe that crowdfunding that • it must do authenticity checks on merchants. can be justified as an advance against purchase of a product would be permitted in India. The regulations are only advisory in nature for payment gateways. After the overnight demonetisation of the 500-rupee and 1,000- Invoice trading rupee notes in circulation on 8 November 2016, digital payments have 11 Describe any specific regulation of invoice trading in your seen huge traction in the country. At the forefront of this traction are jurisdiction. e-wallets; it is believed that e-wallet transactions have increased 40 times in the past five years. E-wallets are frequently used for online To enhance the ease of financing micro, small and medium-sized enter- purchase of goods and services. They have also gained popularity prises in India, the RBI has given approval to three companies to set because of the requirement of a second authentication (such as Visa up invoice discounting platforms. The Trade Receivables Discounting Verify or MasterCard Secure Code) for ‘card not present’ credit card System (TReDS) is a fintech platform where financers discount invoices and debit card transactions. This is difficult for services such as Uber. due by corporates, government entities, etc. TReDS requires a minimum Accordingly, customers use payment wallets that allow for automatic paid-up capital of 250 million rupees, and entities, other than the debit without the need for a second authentication. promoters, are not permitted to maintain shareholding in excess of 10 per cent in TReDS. Open banking 13 Are there any laws or regulations introduced to promote Payment services competition that require financial institutions to make 12 Are payment services regulated in your jurisdiction? customer or product data available to third parties?

Yes, payment services are regulated under the Payment and Settlement The laws regarding disclosure of customer data to third parties are Systems Act 2007. A payment system is defined as ‘a system that enables not very well established in India. Banks are required to adhere to the payment to be effected between a payer and a beneficiary, involving guidelines on information security, electronic banking, technology risk clearing, payment or settlement service or all of them, but does not management and cyber fraud issued by the RBI to ensure the data include a stock exchange’. These include credit cards, debit cards, smart protection of customers. cards and money transfers. Any entity interested in commencing a Under normal circumstances, disclosure of customer data requires payment system is required to obtain authorisation from RBI. prior written approval from the customer. This is usually obtained in The categories of payment providers are payment aggregators and the account opening forms or provided for in the terms and condi- payment gateways, prepaid payment instruments, financial market infra- tions. Under the current legal framework, financial institutions are only structure (clearing houses), retail payment organisations, card payment obliged to share this information where the disclosure is required by a networks (Visa, MasterCard, etc), cross-border money transfers, ATM court of law or where the disclosure is necessary for government agen- networks, white-label ATM operators and instant money transfer. cies mandated under law to procure the information. There are three types of prepaid payment instruments: open payment instruments, which are payment instruments that can be used Robo-advice to make a payment to any merchant; semi-closed, which are payment 14 Describe any specific regulation of robo-advisers or other instruments that can be used to make payment to a defined set of companies that provide retail customers with automated merchants; and closed, which are payment instruments of a merchant access to investment products in your jurisdiction. for payment only to that merchant. Open payment instruments can be issued only by banks. Cash withdrawal is permitted only in the case of SEBI, which regulates all public listed securities, has, in recent years, open payment instruments. Only closed payment instruments do not directed all fund houses and asset management companies to report require registration under the regulations. with SEBI all artificial intelligence and machine learning applications www.lexology.com/gtdt 95 © Law Business Research 2020 India Kochhar & Co

and systems offered and used by mutual funds. SEBI intends to conduct SALES AND MARKETING a survey and create an inventory of the robo-advisory landscape in the Indian financial markets to gain an in-depth understanding of the adop- Restrictions tion of those technologies in the markets and to ensure preparedness 19 What restrictions apply to the sales and marketing of for any robo-advisory policies that may arise in the future. SEBI also financial services and products in your jurisdiction? wants to ensure that any advertised financial benefit owing to these technologies in investor facing financial products do not constitute Rules on marketing materials for financial services are fairly limited. misrepresentation. Information in prospectus and letters of offer for public and public offers respectively are regulated. The Reserve Bank of India also requires Insurance products financial companies to use only registered telemarketers for telemar- 15 Do fintech companies that sell or market insurance products keting activity. in your jurisdiction need to be regulated? CHANGE OF CONTROL Selling and marketing of insurance products is regulated in India. The statutory authority regulating insurance products in India is IRDAI. An Notification and consent insurer must justify the premium amount and terms and conditions 20 Describe any rules relating to notification or consent of the insurance policy to be offered to customers to IRDAI. A fintech requirements if a regulated business changes control. company cannot offer any insurance product for sale unless the fintech company is duly certified by IRDAI. Most regulated entities require prior notification or consent for changes IRDAI has also issued guidelines on the advertisement, promotion in control. For non-banking financial companies, including peer-to-peer and publicity of insurance companies and insurance intermediaries. entities and account aggregators, prior approval from the Reserve Bank Fintech companies must comply with these guidelines in respect of of India (RBI) is required for a change beyond 26 per cent shareholding. marketing insurance products. For banks, RBI approval is required for foreign investment beyond 49 per cent shareholding. Foreign investment in banks is capped at 74 per Credit references cent. For insurance companies, prior RBI approval is required when the 16 Are there any restrictions on providing credit references or transferee’s shareholding is likely to exceed 5 per cent shareholding of credit information services in your jurisdiction? the insurance company, and if a transferor intends to transfer more than 1 per cent of its shareholding of the insurance company. For prepaid Companies carrying on the business of credit information services are payment instrument entities and payment aggregators, any takeover, regulated under the Credit Information Companies (Regulation) Act acquisition or change in management should be communicated to the 2005. Under the provisions of the Act, those companies must obtain a RBI within 15 days. certificate of registration from the RBI. Credit information companies are required to have a minimum issued capital of 200 million rupees. FINANCIAL CRIME The RBI has set up a Central Repository of Information on Large Credits to collect, store and disseminate credit data to lenders. Under the Anti-bribery and anti-money laundering procedures Insolvency and Bankruptcy Code 2016, information utilities have been 21 Are fintech companies required by law or regulation to have set up where all credit information is required to be reported by lenders procedures to combat bribery or money laundering? and borrowers. India has a law on the prevention of corruption that penalises CROSS-BORDER REGULATION corrupt practices. There are no requirements on framing policies or conducting training. Passporting The Prevention of Money Laundering Act 2002 prescribes strict 17 Can regulated activities be passported into your jurisdiction? criminal penalties on entities indulging in money laundering. It covers involvement with or concealment, possession, acquisition or use No, India does not allow passporting of regulated activities; that is, a of proceeds of a claim or projecting or claiming such proceeds as financial services provider registered in one country is not entitled to untainted property. engage in regulated financial services in India purely based on regis- The Reserve Bank of India has also prescribed stringent know- tration in a foreign jurisdiction and would need to obtain registration your-customer (KYC) norms, anti-money laundering standards and separately in India. guidelines on combating the financing of terrorism to be adhered to by all banks, non-banking financial companies, payment system operators, Requirement for a local presence e-wallet companies, etc. 18 Can fintech companies obtain a licence to provide financial Companies or exchanges dealing with digital currencies are gener- services in your jurisdiction without establishing a local ally not regulated in India. presence? Guidance By and large, this would be difficult as obtaining a licence for a regu- 22 Is there regulatory or industry anti-financial crime guidance lated financial service is available only to agencies incorporated in India for fintech companies? or, in the case of banks, that have a presence in India. It is possible for a fintech company outside India to provide services outside India to Indian India has fairly detailed laws with regard to the prevention of money nationals, especially for investments outside India. However, the scope laundering, KYC requirements, insider trading and combating the for this is limited because exchange control restrictions may come in the financing of terrorism. Depending on the services provided by the way of making payments outside India for services rendered. fintech companies, they may be governed by some of or all these regulations. There is also a heightened awareness of identity fraud, and most

96 Fintech 2021 © Law Business Research 2020 Kochhar & Co India financial institutions require a much higher level of identity proof from necessary to make the assignment binding against the borrower. For customers than is the case in many developing countries. example, A owes money to B, who transfers the right to receive the Given the slow court process and inefficiencies of the investigative dues to C. B then demands the debt from A, who, having not received agencies, financial institutions also resort to a high level of protection notice of the transfer, pays B. The payment is valid, and C cannot sue A compared with developed countries, such as through higher security for the debt. cover, undated cheques, bank guarantees, personal guarantees and the In June 2020, the Reserve Bank of India released draft guidelines appointment of nominee directors. Fintech companies must consider easing securitisation and loan sale guidelines. the optimal mix of these options to balance obtaining sufficient protection with ensuring business efficiency. Securitisation risk retention requirements 25 Are securitisation transactions subject to risk retention PEER-TO-PEER AND MARKETPLACE LENDING requirements?

Execution and enforceability of loan agreements The transferor transfers the risk of the underlying asset to the trans- 23 What are the requirements for executing loan agreements or feree. It is not necessary for the transferor to retain the risk from the security agreements? Is there a risk that loan agreements underlying asset. This is usually negotiated and specifically agreed to or security agreements entered into on a peer-to-peer or during the transfer. marketplace lending platform will not be enforceable? Securitisation confidentiality and data protection requirements Loan agreements and security agreements must be executed in accord- 26 Is a special purpose company used to purchase and securitise ance with the constitutional documents of the entity and the corporate peer-to-peer or marketplace loans subject to a duty of authorisations executed by the entity. Under Indian law, a mortgage confidentiality or data protection laws regarding information deed – that is, relating to immovable property – is executed by the relating to the borrowers? mortgagor, attested by two witnesses and registered with the relevant land registry. Most security arrangements involving immovable prop- Under Indian banking laws, there is a central register maintained by the erty relate to mortgage by deposit of title deeds. A mortgage by deposit regulator relating to security being provided by borrowers. This register of title deeds or an equitable mortgage encompasses a declaration is accessible by any person upon payment of the prescribed fees. provided by the mortgagor and a memorandum of entry in the records Outside this law, general laws on data protection and privacy apply, of the mortgagee that records the deposit of title deeds. There are other and a duty of confidentiality also applies. The law provides for payment various formalities to ensure perfection of the security documents. This of compensation on failure to exercise reasonable security practices includes filing a form with the company registry and registration of the and procedures to protect sensitive personal data or information (which charge with a central registry for security interest. includes financial information) that results in wrongful loss or gain, and As long as the peer-to-peer (P2P) lending contracts are prop- a criminal penalty for disclosure of personal information in breach of erly executed, they would be enforceable. While Indian law broadly contract or without consent of the data subject where the breach is done allows electronic contracts, a key issue relates to stamp duty. Indian with the intention of or knowing that it is likely to result in wrongful loss state governments are yet to introduce digital stamping of documents. or wrongful gain. There is, therefore, likely to be a need for contracts to be printed and stamped to comply with laws on stamp duty and for those contracts to ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER be admitted as evidence in court. TECHNOLOGY AND CRYPTO-ASSETS

Assignment of loans Artificial intelligence 24 What steps are required to perfect an assignment of 27 Are there rules or regulations governing the use of artificial loans originated on a peer-to-peer or marketplace lending intelligence, including in relation to robo-advice? platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these The Securities Exchange Board of India (SEBI), which regulates all public loans without informing the borrower? listed securities, has, in recent years, directed all fund houses and asset management companies to report with SEBI all artificial intelligence While there are some distinctions between assignment of rights versus and machine learning applications and systems offered and used by obligations under a contract, it is preferable to state expressly in the mutual funds. SEBI intends to conduct a survey and create an inventory contract whether the rights and obligations under the contract can be of the robo-advisory landscape in the Indian financial markets to gain assigned, with or without the consent of the other party. A notice on the an in-depth understanding of the adoption of those technologies in the assignment to the counterparty is required in certain instances and is markets and to ensure preparedness for any robo-advisory policies that generally considered to be good practice. may arise in the future. SEBI also wants to ensure that any advertised There are certain contracts under which assignment is prohibited. financial benefit owing to these technologies in investor facing financial Contracts where personal skill or qualifications are involved cannot be products do not constitute misrepresentation. assigned. This primarily stems from common law. The assigner and the assignee may have to bear significant stamp Distributed ledger technology duty on the assignment. If a document is not duly stamped, the docu- 28 Are there rules or regulations governing the use of ment will not be admissible as evidence in court. distributed ledger technology or blockchains? P2P lending platforms will be required to adhere to the same method of assignment as described above. There are no legal or regulatory rules currently in place in relation to Under Indian law, for assignment of actionable claims, the assign- the use of distributed ledger technology in India. The Reserve Bank of ment must be executed by an instrument in writing by the assigner in India (RBI) has, in recent years, formally acknowledged blockchain tech- favour of the assignee. A notice of the assignment to the borrower is nology and is exploring ways to further use it in financial transactions. www.lexology.com/gtdt 97 © Law Business Research 2020 India Kochhar & Co

In 2015, the RBI released a Financial Stability Report, detailing the Initial coin offerings possible impact of blockchain technology. The report recognises the 31 Are there rules or regulations governing initial coin offerings need for the regulators and authorities to keep pace with developments (ICOs) or token generation events? as many of the world’s largest banks are said to be supporting a joint effort to set up a ‘private blockchain’ and build an industry-wide plat- ICOs are not regulated in India. The regulatory sandbox set up by the RBI form for standardising the use of the technology. specifically restricts ICOs from being tested in it. The importance of blockchain and distributed ledger technologies also finds specific mention in the report published by the working group DATA PROTECTION AND CYBERSECURITY set up by the RBI on fintech and digital banking. The working group recognises the importance of adopting these technologies in the finan- Data protection cial sector. On numerous occasions, the government has also made 32 What rules and regulations govern the processing and public statements in support of vast adoption of these technologies in transfer (domestic and cross-border) of data relating to various government sectors. A prime example of where the technology fintech products and services? could be extremely useful in India is for maintaining land records, which the government recognises and hopes to implement in the near future. India does not have a specific law on data protection. Certain provi- Certain Indian banks have successfully used blockchain technology sions of the Information Technology Act 2000 (the IT Act) deal with data in trade finance transactions with foreign banks. There are also reports protection. on Indian banks looking to use blockchain technology to share know- There are two provisions, civil and criminal, on the use of personal your-customer information through a private blockchain. data. A body corporate that has access to sensitive personal data or information (SPDI) will be liable to compensation if it is negligent in using Crypto-assets reasonable security practices and procedures (RSPP) in protecting such 29 Are there rules or regulations governing the use of crypto- SPDI and it results in wrongful loss or wrongful gain. SPDI includes: assets, including digital currencies, digital wallets and • passwords; e-money? • financial information, such as bank account, credit or debit card or other payment instrument details; On 6 April 2018, the RBI issued a circular prohibiting any entity regu- • information on physical, physiological and mental health conditions; lated by the RBI (including banks, financial institutions, payment • sexual orientation; gateways and digital wallets) from dealing with digital currencies or • medical records and history; and providing services that facilitate any person or entity in dealing with or • biometric information. settling digital currencies. The prohibition on services included maintaining accounts, registering, trading, settling, clearing, giving loans RSPP refers to procedures determined by any law in force (at present, against virtual tokens, accepting them as collateral, opening accounts none) or as agreed between the parties and, in the absence of those, the of exchanges dealing with them and transferring or receiving money rules of the central government. Accordingly, it is open to an organisa- in accounts relating to the purchase or sale of digital currencies. tion to agree privacy policies and security standards with its customers, Regulated entities were given until 6 July 2018 to discontinue providing service providers, employees, etc. The central government rules are those services. more in the nature of cursory privacy rules on collection, storage, This circular essentially crippled the digital currency market transfer, etc, of SPDI. They prescribe no specific security standard. in India. Users were only able to trade in digital currencies and not Indian law also imposes criminal penalties on an organisation exchange or redeem them for Indian rupees as the mode of payment of providing a service that is in possession of personal information if it Indian rupees is usually through banking channels. discloses the information in breach of contract or without the consent This notification was appealed in the Supreme Court, which struck of the data subject and does so with the intention of or knowing that it is down this order of the RBI. Entities have only recently resumed offering likely to result in wrongful gain or wrongful loss. virtual currencies in India. However, banks in India are still cautious in There are some general data protection and security require- dealing with any virtual currency operators. The government has, on ments applicable to the financial sector. For example, credit information various occasions, displayed its displeasure on any cryptocurrencies companies are governed by certain norms concerning protection and or virtual currencies being traded in India. Any entity dealing in those disclosure of personal information. The card-issuing entity should not currencies in India should be extremely cautious in doing so. reveal any information relating to customers obtained at the time of opening the account or issuing the credit card to any other person or Digital currency exchanges organisation without obtaining their specific consent. The purpose for 30 Are there rules or regulations governing the operation of which the information would be used and the organisations with which digital currency exchanges or brokerages? the information would be shared must also be disclosed. The Reserve Bank of India (RBI) has frowned upon credit companies There are no rules or guidelines relating to the operation of digital that obtain the consent of the customer for sharing their information, currency exchanges or brokerages in India. That being said, on 6 furnished while applying for the credit card with other agencies, as part April 2018, the RBI issued a circular prohibiting any entity regulated of the terms and conditions. Credit companies must provide the customer by the RBI (including banks, financial institutions, payment gateways with the option to decide whether he or she is in agreement with the and digital wallets) from dealing with digital currencies or providing credit company sharing the information with other agencies. Credit services that facilitate any person or entity in dealing with or settling companies are also required to explicitly state and explain clearly to the digital currencies. This notification was appealed in the Supreme Court, customer the full meaning and implications of the disclosure clause. which struck down this order of the RBI. Entities have only recently Separately, the regulations governing account aggregators resumed offering virtual currencies in India. prescribe a consent architecture to be followed by aggregators while Specific advice should be sought for the nature of the exchange. collecting personal and sensitive personal information from the data subject. They also impose restrictions on the sharing of financial

98 Fintech 2021 © Law Business Research 2020 Kochhar & Co India information without the consent of the data subject and a use limitation, Cloud computing and they require the conducting of periodical information security audits. 35 Are there legal requirements or regulatory guidance with The RBI has instructed all payment systems operators to store respect to the use of cloud computing in the financial services the entirety of the data relating to payment systems, including the full industry? end-to-end transaction details and the information collected, carried or processed as part of the message or payment instruction, on servers At present there are no legal requirements or statutory guidance for use located in India. The data storage norms also apply to system partici- of cloud computing. pants, service providers, intermediaries, payment aggregators and The Institute for Development and Research in Banking Technology, gateways, third-party vendors and other entities (whatever they are established by the RBI, has a centre for cloud computing. The centre called) in the payments ecosystem who are retained or engaged by the focuses on providing suitable cloud platforms to banks for testing, authorised or approved entities for providing payment services. If the undertaking studies on security, scalability and building secure cloud processing of the payment transaction is done abroad, the data should storage, among other things. be deleted from the systems abroad and brought back to India not A working committee formed by the RBI published a report on the later than the one business day or 24 hours from payment processing, use of cloud computing by urban cooperative banks in 2012. The report whichever is earlier. The data must be stored only in India, other than in tried to lay down the existing issues and the way forward for urban cross-border payment transactions in which case a copy of the domestic cooperative banks to establish a robust IT network that includes cloud component of the payment data may be stored abroad. computing. India proposes to enact a Personal Data Protection Bill. It is There are various private players in the market offering their cloud currently being reviewed by a joint committee of Parliament. Thereafter, computing services to banks and non-banking financial companies it will be revised if required and then introduced in Parliament. The Bill (NBFCs). Banks and NBFCs in India are slowly accepting and moving is expected to come into force before the end of 2020. towards those services.

Cybersecurity INTELLECTUAL PROPERTY RIGHTS 33 What cybersecurity regulations or standards apply to fintech businesses? IP protection for software 36 Which intellectual property rights are available to protect The law currently does not contemplate any specific cybersecurity regu- software, and how do you obtain those rights? lation or security standards to be complied with by fintech businesses in India. The rules framed by the government under the IT Act for regu- Software can be protected under copyright law. The patent laws of India lating SPDI do recommend a security standard (ie, IS/ISO/IEC 27001 provide fairly limited protection for software as they cannot protect soft- information security standards) to be complied with while processing ware per se; it requires something in addition to the mere software for it SPDI (financial information is SPDI). It is not mandatory to comply with to be patentable (eg, an operating system is patentable). those rules, and parties can agree on RSPP and exclude the application of those rules. IP developed by employees and contractors 37 Who owns new intellectual property developed by an OUTSOURCING AND CLOUD COMPUTING employee during the course of employment? Do the same rules apply to new intellectual property developed by Outsourcing contractors or consultants? 34 Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of In the case of copyright law, this would be the employer. In the case a material aspect of its business? of patent law, it would be the inventor, who could be the employee. Copyrights and patents can be assigned to the employer. In the case of Outsourcing of core management functions – including internal audit, patents, the application for a patent must be accompanied by the assign- compliance function and decision-making functions, such as deter- ment deed executed by the employee. mining compliance with know-your-customer norms for opening deposit accounts, according sanction for loans (including retail loans) and Joint ownership managing investment portfolio – are not permitted. Outsourcing of other 38 Are there any restrictions on a joint owner of intellectual functions is permitted. The banking laws prescribe certain principles on property’s right to use, license, charge or assign its right in the basis of which a bank can outsource its functions, where this results intellectual property? in data being processed, stored or accessed overseas. This is permitted provided that the following conditions are met: In the case of patents, the Patents Act 1970 provides that the share in • the off-shore regulator does not obstruct the arrangement or the patent held by a co-owner cannot be licensed or assigned without prevent inspections by the Reserve Bank of India (RBI) or auditors; the consent of the other owners. The same applies to all other intellec- • the availability of records to the management and the RBI is tual property rights. The licensing, charge and right to use would be in not affected by the liquidation of the off-shore provider or the accordance with the agreement entered into, or it will be equal among bank in India; the joint owners. • the offshore regulator does not have access to the data simply The Trademarks Act does not impose any such specific condition. because the data is being processed overseas; and However, it envisages that jointly owned trademarks cannot be used • the jurisdiction of the courts in the offshore location does not extend in rivalry or in competition against each other, and there can only be to the operations of the bank in India. one joint source in respect of the trademarks. Therefore, in the event of subsequent rivalry, if any, between the co-owners, there cannot be two The outsourcing regulations also require customer data to be isolated different owners of the trademarks. and clearly identified, and they prohibit any merging of data. www.lexology.com/gtdt 99 © Law Business Research 2020 India Kochhar & Co

Trade secrets A unique aspect of Indian law is that individuals can file a case of 39 How are trade secrets protected? Are trade secrets kept copyright or trademark infringement not just where the cause of action confidential during court proceedings? arose or where the defendant resides or does business, but also where the plaintiff resides and does business. Individuals can obtain Anton India does not have a specific law dealing with trade secrets. Trade Piller orders for appointment of a court commissioner to conduct an secrets are protected under the common law remedy of breach of confi- inspection, and it is possible to obtain injunctions. dentiality. Confidentiality may be protected under contract or implied, depending on the nature of the service. COMPETITION Trade secrets are to be kept secret unless it is an inherent part of the court proceedings; in that case, disclosure for the purpose of Sector-specific issues providing evidence is required. This has sometimes acted as a deterrent 42 Are there any specific competition issues that exist with to many from enforcing their trade secrets through the judicial process. respect to fintech companies in your jurisdiction?

Branding There are none. Indian competition law in general relates to anticompet- 40 What intellectual property rights are available to protect itive practices, monopolistic practices and merger control requirements, branding and how do you obtain those rights? How can which are across all industries. fintech businesses ensure they do not infringe existing brands? TAX

Branding is largely protected under trademark law, whereby the indi- Incentives vidual would need to register a trademark. The individual can file an 43 Are there any tax incentives available for fintech companies action for infringement in the case of a registered trademark or a and investors to encourage innovation and investment in the passing-off action in the case of unregistered marks. Indian law also fintech sector in your jurisdiction? recognises the concept of transnational reputation of international trademarks. There are no tax incentives specifically aimed at fintech companies. Trademark owners can also register their brands with customs However, the fintech companies that qualify as start-ups may avail authorities that could enable authorities to intercept goods they believe themselves of various benefits under the Startup India initiative are counterfeits. The trademark owner can also claim prior use and launched by the Indian government. Tax benefits are also extended to strike down a registered owner’s right, by seeking cancellation of the units in a special economic zone. mark. The trademark owner can also keep watch and seek to oppose any new marks that are the same or similar to the one owned by it. It Increased tax burden can also obtain a copyright registration over the copyright in a mark. 44 Are there any new or proposed tax laws or guidance that However, registration is not mandatory for ownership of copyright. could significantly increase tax or administrative costs for A new business can undertake a trademark search to determine fintech companies in your jurisdiction? whether a similar trademark has been registered. The trademark registry is online, and the business can search via the trademark There are no specific additional taxes or exemptions for fintech compa- registry website. The business can also undertake market studies or nies. However, under the Startup India initiative, certain companies test marketing to see if similar unregistered marks are in use. It can falling under the ambit of the start-up definition are provided with tax also search domain name registries to determine if websites with breaks to encourage innovation. similar domain names have been registered. IMMIGRATION Remedies for infringement of IP 41 What remedies are available to individuals or companies Sector-specific schemes whose intellectual property rights have been infringed? 45 What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there If a trademark, copyright or patent has been infringed, the individual any special regimes specific to the technology or financial would file a suit for infringement. In the case of a trademark, the indi- sectors? vidual can also file a passing-off action. In the case of copyright and a trademark, the individual can also pursue criminal remedies in the case There are no specific limits applicable for immigrants seeking employ- of infringement. ment in India. There are certain criteria that the applicant must meet; The Copyright Act deals with offences of infringement of copy- for example, a minimum salary of US$25,000 per year, subject to certain right or other rights conferred under it. It provides for imprisonment exemptions given only to individuals with skills that are unavailable in that ranges from six months to three years and a fine that ranges from India (such as highly qualified technical experts, senior executives in a 50,000 to 200,000 rupees. The Trademarks Act 1999 also deals with managerial position, etc). Labour and employment law in India dealing criminal remedies against infringement and passing-off actions. Search- with immigration is complex and specific advice should be sought. and-seizure procedures can also be invoked to deal with infringement. Individuals can also engage in opposition proceedings in respect of trademarks and patents that are sought to be registered. There is a procedure for the cancellation of marks. In addition, individuals can file actions with the company authorities in respect of companies registered with names that are similar to trademarks or other company name; however, a trade name registration in no way confers trademark protection.

100 Fintech 2021 © Law Business Research 2020 Kochhar & Co India

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

There has been a large amount of activity in the fintech regulatory space during the past year. The government has formally recognised the importance of this niche industry by setting up committees to study the Anuj Kaila [email protected] development and future of the industry. It has also passed regulations on peer-to-peer lending platforms and account aggregators directly in Stephen Mathias relation to fintech entities. [email protected] Although the Supreme Court struck down the notification of the Reserve Bank of India (RBI) restricting cryptocurrencies, banks are 201 Prestige Sigma reluctant to deal with any money arising from the proceeds of crypto- 3 Vittal Mallya Road currencies. The financial industry will likely wait for an official go-ahead Bangalore 560001 from the government to commence full-fledged operations dealing with India cryptocurrencies, which is extremely unlikely to happen. Tel: +91 80 4030 8000 On 6 April 2018, the RBI issued directives to all payment system Fax: +91 80 4112 4998 providers to store all data relating to payment systems operated by www.kochhar.com them only in India no later than 15 October 2018. The data includes the full end-to-end transaction details – the information collected, carried and processed as part of the message or payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required. This has given rise to India–US tensions, with the US government threatening retaliatory measures affecting Indian businesses. In March 2020, the RBI issued regulations regulating payment aggregators and payment gateways. The regulations are extremely broad and vague in nature, and they may end up including entities within the ambit of a regulated payment aggregator without the regulator intending to do so; for example, educational institutions or companies running cafeterias permitting third-party stalls to sell food from time to time (through an e-commerce site) and where the educational institute or company collects the proceeds of the sale of the third-party vendor and settles the payment with the third-party vendor within mutually agreed timelines. India proposes to enact a Personal Data Protection Bill. It is currently being reviewed by a joint committee of Parliament. Thereafter, it will be revised if required and then introduced in Parliament. The Bill is expected to come into force before the end of 2020. The Bill is India’s first attempt towards a specific data protection and privacy statute in India. A large portion of the Bill seems to have been adopted from the recent global data protection regulations of the European Union, and it includes concepts such as the right to be forgotten, privacy by design, consent-based approach, data localisation requirements, data protection offices and data protection authorities, etc.

The RBI extended the statutory deadlines earlier imposed on multiple payment operators by a period ranging from two to nine months on account of the lockdown, which was imposed by the government to deal with the pandemic. Other measures include reduction in interest rates and credit guarantee schemes to micro, small and medium-sized enterprises.

www.lexology.com/gtdt 101 © Law Business Research 2020 Indonesia

Winnie Rolindrawan and Harry Kuswara SSEK Legal Consultants

FINTECH LANDSCAPE AND INITIATIVES fintech activities that require licensing or registration in relation to monetary stability, financial system stability and payment systems, as follows: General innovation climate • payment system activities, including authorisation, clearing, final 1 What is the general state of fintech innovation in your settlement and implementation of payment; for example, block- jurisdiction? chain or distributed ledgers for the provision of fund transfers, electronic money, electronic wallet and mobile payments; Fintech innovation is developing rapidly in Indonesia and the government • market support (ie, activities that use information or electronic has issued several regulations relevant to fintech in recent years and technology, or both, to facilitate the faster and more cost-efficient has endeavoured to register new fintech activities to ensure they do not provision of information to the public on financial products and cause losses to the public. New innovations and solutions are surfacing services; for example, the provision of information comparing avail- that are boosting the business activities they support, with more roles able products or services in the financial services area); available as, for example, aggregators, e-know your customer support, • investment management and risk management for the provision of financing agents, financial planners, equity crowdfunding support, online investment and online insurance, among others; and payment system support and market support. Among fintech busi- • lending, financing or funding and capital raising including peer- nesses, peer-to-peer lending appears to have had the largest impact on to-peer lending or information technology-based fundraising the market to date and has received the most media coverage. (crowdfunding).

Government and regulatory support Digital financial innovation, commonly referred to as fintech, is regu- 2 Do government bodies or regulators provide any support lated from a financial services perspective under OJK Regulation No. specific to financial innovation? If so, what are the key 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial benefits of such support? Innovation in the Financial Services Sector. This regulation covers: • transaction settlement: this focuses on, among other things, invest- The government is continuously trying to monitor and supervise fintech ment settlement; activities and developments in the sector. To keep abreast of recent • capital raising, such as equity crowdfunding, virtual exchange, developments in the market, support the players and at the same time smart contracts and alternative due diligence; ensure Indonesian consumers are well protected, the Indonesian central • investment management; for example, advance algorithms, cloud bank, Bank Indonesia, and the Financial Services Authority (OJK) each computing, capability sharing, open source information technology, provide sandboxes for new innovations with the potential to have a long automated advice and management, social trading and retail algo- reach and an impact on Indonesian consumers. Bank Indonesia focuses rithmic trading; on the aspects of the fintech sector related to payment systems and • fundraising and fund disbursement: this includes activities such as the OJK focuses on the aspects of the fintech sector related to financial peer-to-peer lending, alternative adjudication and third-party appli- services, such as banking, investment and insurance. cation programming interface; • provision of insurance; for example, sharing economy, autonomous FINANCIAL REGULATION vehicles, digital distribution and securitisation and hedge funds; • market support; for example, artificial intelligence or machine Regulatory bodies learning, machine readable news, big data, social sentiment, market 3 Which bodies regulate the provision of fintech products and information platforms and automated data collection and analysis; services? • other digital finance supporting activities, such as social and eco-crowdfunding, Islamic digital financing, e-waqf, e-zakat, robo- Fintech products and services in Indonesia are mainly regulated by advisers and credit scoring; and two government bodies, Bank Indonesia and the Financial Services • other financial services activities; for example, invoice trading, Authority (OJK). vouchers and products using blockchain-based applications.

Regulated activities The Indonesian government fairly recently issued Government 4 Which activities trigger a licensing requirement in your Regulation No. 80 of 2019 regarding Trade Through Electronic Systems, jurisdiction? dated 25 November 2019 (GR 80/2019). It then issued Minister of Trade (MOT) Regulation No. 50 of 2020 regarding Provisions on Business Bank Indonesia Regulation No. 19/12/PBI/2017 regarding the Licensing, Advertisements, Guidance and Supervision of Business Organisation of Financial Technology, dated 30 November 2017, regulates Practitioners in Trade Through Electronic System, dated 19 May 2020 as

102 Fintech 2021 © Law Business Research 2020 SSEK Legal Consultants Indonesia an implementing regulation for GR 80/2019. These regulations impose Alternative investment funds new obligations for organisers of trade through electronic systems 8 Are managers of alternative investment funds regulated? (PPMSE), which is any business practitioner that provides electronic communication facilities used in trade transactions. A PPMSE operating Collective investment in the form of an equity crowdfunding platform from outside Indonesia and that fulfils certain criteria is now required is described as the provision of share offering services whereby the to appoint a representative in Indonesia and, consequently, must have a issuers sell shares directly to investors through an open electronic foreign trade company representative office in the country. PPMSE that system network, as governed by OJK Regulation No. 37/POJK.04/2018 have completed transactions with more than 1,000 consumers in a year regarding Equity Crowdfunding, dated 31 December 2018. Collective or have delivered more than 1,000 packages to consumers in a year, or investment undertakings through the internet, whereby capital is raised both, are required to appoint a representative in Indonesia. from a number of investors and invested in accordance with a defined investment policy for the benefit of those investors, are not specifically Consumer lending regulated. 5 Is consumer lending regulated in your jurisdiction? Peer-to-peer and marketplace lending Consumer lending is regulated in Indonesia, with a particular focus on 9 Describe any specific regulation of peer-to-peer or information technology-based money lending services (peer-to-peer marketplace lending in your jurisdiction. lending), as regulated under OJK Regulation No. 77/POJK.01/2016 regarding Information Technology-Based Money Lending Services, Marketplace lending is not specifically regulated in Indonesia. Peer- dated 29 December 2016. The OJK has the authority to regulate, register to-peer lending is specifically regulated under OJK Regulation No. 77/ and issue licences, as well as supervise the fintech consumer lending POJK.01/2016 regarding Information Technology-Based Money Lending industry. A company engaging in the provision of peer-to-peer lending Services, dated 29 December 2016. It provides the OJK the right to regu- activities can have a maximum foreign ownership of 85 per cent, which late and supervise peer-to-peer lending activities, including handling the means at least 15 per cent of the ownership must be in the hands of registration and licensing of peer-to-peer lending platform providers. Indonesian parties. A company that wishes to register with the OJK Peer-to-peer lending in Indonesia is described as the provision of finan- is required to have a minimum issued and paid-up capital of 1 billion cial services whereby the lender meets the borrower in the framework Indonesian rupiahs. Once an applicant is registered, it will have one of entering into a lending agreement in rupiahs directly through an elec- year to apply for a licence from the OJK, and the company’s minimum tronic system by using the internet. issued and paid-up capital must then be 2.5 billion rupiahs. A company engaging in the provision of peer-to-peer lending is not allowed to Crowdfunding engage in any other business activities. The regulation refers to infor- 10 Describe any specific regulation of crowdfunding in your mation technology-based money lending services (peer-to-peer lending) jurisdiction. as the provision of financial services that allow the lender to meet the borrower in the framework of entering into a lending agreement in To date there is no specific regulation that deals with donation-based rupiahs directly through an electronic system by using the internet. crowdfunding in Indonesia. Equity crowdfunding covers the provision of share offering services conducted by issuers to sell shares directly Secondary market loan trading to investors through an open electronic system network. Equity crowd- 6 Are there restrictions on trading loans in the secondary funding is regulated under OJK Regulation No. 37/POJK.04/2018 market in your jurisdiction? regarding Equity Crowdfunding, dated 31 December 2018. Under this regulation, a licensed equity crowdfunding platform provider or organ- Currently, the trading of loans in the secondary market in Indonesia iser is able to provide access for issuers (Indonesian limited liability is not specifically regulated and there is no specific restriction on companies) to sell their shares to investors that are also using the plat- this activity. form. An equity crowdfunding platform company is required to be an Indonesian limited liability company or an Indonesian cooperative with Collective investment schemes a minimum issued and paid-up capital of 2.5 billion rupiahs and to have 7 Describe the regulatory regime for collective investment registered with and received a licence from the OJK to provide, manage schemes and whether fintech companies providing and operate the equity crowdfunding platform. alternative finance products or services would fall within its scope. Invoice trading 11 Describe any specific regulation of invoice trading in your The prevailing regulations do not categorise activities into collective jurisdiction. investment schemes. They only specifically regulate alternative finance products in the form of equity crowdfunding platforms. Peer-to-peer The prevailing regulations do not specifically address invoice trading lending is described as an information technology-based money lending in Indonesia. service, which is specifically regulated under a different regulation. Equity crowdfunding is regulated under the auspices of the OJK, through Payment services OJK Regulation No. 37/POJK.04/2018 regarding Equity Crowdfunding, 12 Are payment services regulated in your jurisdiction? dated 31 December 2018. The OJK has the authority to regulate, register and issue licences, as well as supervise equity crowdfunding activities. Payment services in Indonesia are regulated mainly by Indonesia’s central bank, Bank Indonesia, which is in charge of regulating payment system activities in Indonesia.

www.lexology.com/gtdt 103 © Law Business Research 2020 Indonesia SSEK Legal Consultants

Open banking The Credit Bureau Regulation also specifically mentions that a credit 13 Are there any laws or regulations introduced to promote bureau must be in the form of an Indonesian limited liability company competition that require financial institutions to make and is subject to applicable foreign shareholding restrictions. In addition, customer or product data available to third parties? a credit bureau must obtain a business licence from the OJK to conduct its business activities. While the total ownership of one or more foreign To date there is no law or regulation that requires financial institutions parties in a credit bureau is limited to 20 per cent, if one foreign party to make customer or product data available to third parties, unless to owns more than one credit bureau that foreign party’s total ownership in the relevant government agency or for law enforcement purposes. all the credit bureaus combined is limited to 20 per cent. In collecting and processing credit information, a licensed Indonesian Robo-advice credit bureau obtains credit data from the OJK. The credit data from the 14 Describe any specific regulation of robo-advisers or other OJK consists of data submitted to it by financial institutions. A licensed companies that provide retail customers with automated Indonesian credit bureau may also cooperate with financial institutions access to investment products in your jurisdiction. to obtain credit data or financial institutions and non-financial institutions for other data, or both. A credit bureau must make an effort to ensure To date there is no specific law or regulation that addresses robo- that the source of the data informs the relevant debtor or customer of advisers or other companies that provide retail customers with how the credit data and other data will be utilised. Credit data is defined automated access to investment products. as data regarding the condition of funding facility, funding from non- bank institutions and other facilities that can be deemed similar to the Insurance products foregoing. 15 Do fintech companies that sell or market insurance products Other data in relation to a credit bureau is defined as data other than in your jurisdiction need to be regulated? credit data that can be used to describe the capability of a certain party in fulfilling the party’s financial obligations. In principle, the selling and marketing of insurance products in Indonesia is regulated and licensed by the OJK, although there seems CROSS-BORDER REGULATION to be no differentiation yet between fintech companies and companies that engage in the conventional selling and marketing of insurance Passporting products. In practice, licensed insurance companies in Indonesia have 17 Can regulated activities be passported into your jurisdiction? been selling their products over the internet, through their own platforms or by cooperating with other parties (eg, e-commerce platforms The prevailing laws and regulations in Indonesia do not recognise the or e-money platforms) to assist in facilitating the selling and marketing concept of passporting, and regulated activities cannot be passported of their insurance products. The OJK is still in discussions over whether into Indonesia. unit-linked products can continue to be sold without a face-to-face meeting with the potential insured party. The prevailing regulations Requirement for a local presence require unit-linked products to be sold with a face-to-face meeting that 18 Can fintech companies obtain a licence to provide financial is used to explain the product to the potential insured party. services in your jurisdiction without establishing a local presence? Credit references 16 Are there any restrictions on providing credit references or No. To obtain a licence from the Indonesian government to provide finan- credit information services in your jurisdiction? cial services in Indonesia, a party must establish a local presence.

There are restrictions on providing credit information services. SALES AND MARKETING In Indonesia, credit reports can only be issued by a credit bureau licensed by the Financial Services Authority (OJK). A credit report is Restrictions defined under OJK Regulation 42/POJK.03/2019 regarding Credit 19 What restrictions apply to the sales and marketing of financial Information Management Agencies dated 31 December 2019 and Bank services and products in your jurisdiction? Indonesia Circular Letter No. 15/49/DPKL regarding Credit Information Management Agencies dated 5 December 2013 (together, the Credit There are regulations for the sale and marketing of financial services and Bureau Regulation) as a product or service generated by a credit bureau products in the traditional sense, such as conventional banking, invest- in writing, verbally or by some other method, sourced from credit data ment and insurance. There is far less clarity regarding the organisation of and other data owned by the credit bureau. The credit report generated the sale and marketing of unconventional financial services, for example, by the credit bureau, among other things, contains information on: investments related to cryptocurrency and initial coin offerings. The main • the feasibility of the debtor or customer to obtain funds; principle of sales and marketing by financial and fintech businesses is a • the track record of the debtor or customer in fulfilling its fund prohibition on misleading information and causing loss for consumers. provision obligations; • the ability of the debtor or customer to fulfil its fund provision CHANGE OF CONTROL obligations; • the character of the debtor or customer; and Notification and consent • other information that may be utilised to assess the abilities of the 20 Describe any rules relating to notification or consent debtor or customer. requirements if a regulated business changes control.

Pursuant to the Credit Bureau Regulation, a credit bureau engages The rules relating to notification or consent requirements in a change in the business activities of collecting credit data and other data, and of control depend on the specific licence held by the entity. As a matter processing credit data and other data to generate a credit report. of general principle, entities holding a licence in the financial services

104 Fintech 2021 © Law Business Research 2020 SSEK Legal Consultants Indonesia sector and the payment system services sector need to obtain prior • mechanism of dispute settlement; and approval from the Indonesian central bank or the Financial Services • settlement mechanism if the provider is unable to continue its Authority. operational activities.

FINANCIAL CRIME The provider is required to provide the lender with access to information on the appropriation of funds. This information does not include Anti-bribery and anti-money laundering procedures information related to the identity of the borrower. The information will 21 Are fintech companies required by law or regulation to have include, at least, the: procedures to combat bribery or money laundering? • amount of loaned funds to the borrower; • purpose of the use of the funds by the borrower; In general, fintech companies are required to implement anti-money • amount of the loan interest; and laundering procedures and also need to conform to anti-bribery regu- • tenor of the loan. lations in Indonesia. Initial coin offering activities are not yet clearly regulated in Indonesia. Commodity Futures Trading Regulatory Agency The lending agreement between the lender and borrower is made in (Bappebti) Regulation No. 5 of 2019 (as amended by Bappebti Regulation electronic document format and must contain, at least, the: No. 9 of 2019 regarding the Amendment of Bappebti Regulation 5/2019 • agreement number; dated 26 July 2019; Bappebti Regulation No. 2 of 2020 regarding the • date of agreement; Second Amendment of Bappebti Regulation 5/2019 dated 7 February • identities of the parties; 2020; and Bappebti Regulation No. 3 of 2020 regarding the Third • provisions on the rights and obligations of the parties; Amendment of Bappebti Regulation 5/2019 dated 31 March 2020) • amount of the loan; only deals specifically with the administration of the implementation • nterest rate of the loan; of crypto-asset exchanges within Indonesia and does not address or • instalment value; cover the implementation and operation of crypto-asset exchange plat- • tenor; forms outside Indonesia offering products and services to customers in • object of guarantee (if any); Indonesia on a cross-border basis. • breakdown of relevant expenses; • provisions on fines (if any); and Guidance • mechanism of dispute settlement. 22 Is there regulatory or industry anti-financial crime guidance for fintech companies? The provider is required to provide the borrower with access to information on the position of the received loan. This information will not Currently, there is no specific regulatory or industry anti-financial crime include information related to the identity of the lender. The agreements guidance for fintech companies. above are made by using electronic signatures in accordance with the prevailing laws and regulations on electronic signatures. If the provider PEER-TO-PEER AND MARKETPLACE LENDING uses a standard agreement (for any agreement between the provider and the users of the platform, be it lenders or borrowers, the standard Execution and enforceability of loan agreements agreement must not: 23 What are the requirements for executing loan agreements or • transfer the responsibilities or obligations of the provider to security agreements? Is there a risk that loan agreements the user; or or security agreements entered into on a peer-to-peer or • state that the user is subject to new regulations, addendums, marketplace lending platform will not be enforceable? supplementary or amendments drawn up unilaterally by the provider within the period during which the user uses the service. Loan agreements in a peer-to-peer lending platform are acknowledged and regulated. Based on Financial Services Authority Regulation No. 77/ A standard agreement or standard clause is described as a written POJK.01/2016 regarding Information Technology-Based Money Lending agreement as set forth unilaterally by the provider and that contains Services, dated 29 December 2016, there are two agreements in a peer- standard clauses regarding content, format, as well as method of to-peer lending scheme: production, and is used to make a mass offer of service to users. • an agreement between the provider of the peer-to-peer lending service (the provider of the platform) and the lender; and Assignment of loans • an agreement between the lender and the borrower. 24 What steps are required to perfect an assignment of loans originated on a peer-to-peer or marketplace lending The agreement on the provision of peer-to-peer lending between a platform? What are the implications for the purchaser if the provider and a lender is made in electronic document format and must assignment is not perfected? Is it possible to assign these contain, at least, the: loans without informing the borrower? • agreement number; • date of agreement; Presently there is no specific fintech law or regulation that addresses • identities of the parties; the assignment of loans on a peer-to-peer lending platform. Given this • provisions on the rights and obligations of the parties; absence, the assignment of loans should be allowed under the freedom • amount of the loan; of contract principle contained in the Indonesian civil law code. Any • interest rate of the loan; assignment of a loan will need notification to the borrower. • amount of commission; • tenor; • breakdown of relevant expenses; • provisions on fines (if any); www.lexology.com/gtdt 105 © Law Business Research 2020 Indonesia SSEK Legal Consultants

Securitisation risk retention requirements ledgers are referred to as examples of other financial service activities, 25 Are securitisation transactions subject to risk retention which include such examples as invoice trading, vouchers and products requirements? using blockchain-based applications.

This is not specifically regulated under the prevailing laws and regulations. Crypto-assets 29 Are there rules or regulations governing the use of crypto- Securitisation confidentiality and data protection requirements assets, including digital currencies, digital wallets and 26 Is a special purpose company used to purchase and securitise e-money? peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information Crypto-assets trade is specifically regulated in Indonesia by Bappebti, relating to the borrowers? an agency under the Ministry of Trade, under the following regulations: • Bappebti Regulation No. 5 of 2019 regarding the Technical Provisions This is not specifically regulated under the prevailing laws and regula- for the Implementation of the Crypto Asset Physical Market in Futures tions. However, to date, there is no exemption for business practitioners Exchange dated 8 February 2019 (Bappebti Regulation 5/2019); for the implementation of data protection principles apart from for law • Bappebti Regulation No. 9 of 2019 regarding the Amendment of enforcement and public interest purposes. Bappebti Regulation 5/2019, dated 26 July 2019; • Bappebti Regulation No. 2 of 2020 regarding the Second Amendment ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER of Bappebti Regulation 5/2019, dated 7 February 2020; and TECHNOLOGY AND CRYPTO-ASSETS • Bappebti Regulation No. 3 of 2020 regarding the Third Amendment of Bappebti Regulation 5/2019, dated 31 March 2020. Artificial intelligence 27 Are there rules or regulations governing the use of artificial nder the regulations listed above, crypto-assets are deemed commodi- intelligence, including in relation to robo-advice? ties that can be traded in a crypto-asset exchange. The regulations describe crypto-assets as intangible commodities in the form of Presently, there is no specific law or regulation that addresses the use digital assets, using cryptography, peer-to-peer network and distrib- of artificial intelligence, including robo-advice. However, artificial intel- uted ledger to manage the creation of new units, verify transactions ligence is mentioned in Financial Services Authority (OJK) Regulation and secure transactions without any intervention by other parties. In No. 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial Indonesia, crypto-assets or cryptocurrencies are not recognised as a Innovation in the Financial Services Sector as one of the examples of payment instrument and, therefore, are prohibited from being used as digital financial innovation in the category of market support. Other a payment instrument. examples of market support include artificial intelligence or machine Digital wallets in Indonesia are commonly viewed as part of the learning, machine-readable news, big data, social sentiment, market payment system environment and, therefore, are regulated under the information platform, and automated data collection and analysis. Robo- regulations of Bank Indonesia, which oversees payment system activi- advice is also referred to in this OJK Regulation as a type of other digital ties in Indonesia. Digital wallets or electronic wallets as referred to finance supporting activity. Other examples activities include social and in regulations in Indonesia are mainly regulated by Bank Indonesia eco-crowdfunding, Islamic digital financing, e-waqf, e-zakat, robo-advice Regulation No. 18/40/PBI/2016 regarding the Provision of Payment and credit scoring. The regulation is silent on any specific provisions Transaction Processing, dated 9 November 2016. This regulation for artificial intelligence and robo-advice. Therefore, the principles and defines an electronic wallet (e-wallet) as an electronic service to store provisions under OJK Regulation No. 13/POJK.02/2018 is generally all payment instrument data (among others, payment instruments applicable to artificial intelligence and robo-advice used in the fintech using cards and electronic money) and an e-wallet is also able to store sector in Indonesia. credits (funds) to conduct payments. E-money in Indonesia is also viewed as part of the payment system Distributed ledger technology environment and is, therefore, regulated under regulations of Bank 28 Are there rules or regulations governing the use of Indonesia. E-money is mainly regulated by Bank Indonesia Regulation distributed ledger technology or blockchains? No. 20/6/PBI/2018 regarding Electronic Money, dated 4 May 2018. This regulation defines e-money as a payment instrument: There is no specific rule or regulation governing the use of distributed • that is issued based on the value of money that has been first ledger technology or blockchains. Blockchain and distributed ledger tech- deposited to the nology is referred to in Bank Indonesia Regulation No. 19/12/PBI/2017 • issuer; regarding the Organisation of Financial Technology, dated 30 November • where the value of money is deposited electronically in a server 2017. The regulation refers to blockchain and distributed ledgers as one of or chip; and the recognised examples of fintech activities within the payment system • where the value of electronic money managed by the issuer does category. Payment system activities include authorisation, clearing, final not constitute savings as intended in banking laws. settlement and implementation of payments, with examples such as blockchain or distributed ledgers for the provision of fund transfers, elec- E-money issued in Indonesia is required to be issued in Indonesian rupiahs. tronic money, electronic wallets and mobile payments. The regulation is silent on any specific provisions for artificial intelligence and robo-advice; Digital currency exchanges therefore, the principles and provisions under Bank Indonesia Regulation 30 Are there rules or regulations governing the operation of No. 19/12/PBI/2017 is generally applicable to blockchain and distributed digital currency exchanges or brokerages? ledgers used in the fintech industry in Indonesia. From the perspective of financial services, under OJK Regulation There is a regulation in Indonesia that specifically deals with the No. 13/POJK.02/2018, dated 16 August 2018, regarding Digital Financial trading of crypto-assets. The operation of a digital currency exchange Innovation in the Financial Services Sector, blockchain and distributed is governed by Bappebti Regulation No. 5 of 2019 and its amendments.

106 Fintech 2021 © Law Business Research 2020 SSEK Legal Consultants Indonesia

Initial coin offerings INTELLECTUAL PROPERTY RIGHTS 31 Are there rules or regulations governing initial coin offerings (ICOs) or token generation events? IP protection for software 36 Which intellectual property rights are available to protect There is, to date, no specific regulation governing initial coin offer- software, and how do you obtain those rights? ings (ICOs) in Indonesia. Bappebti Regulation No. 5 of 2019, which is the main regulation for crypto-assets, explicitly states that it does not Under Indonesian laws and regulations on intellectual property rights, a regulate ICOs. computer program, which, consequently, includes software, is regulated under Law No. 28 of 2014 regarding Copyrights, dated 16 October 2014. DATA PROTECTION AND CYBERSECURITY Copyright protection for computer programs is automatically provided by this law, without requiring the registration of this computer program. Data protection 32 What rules and regulations govern the processing and IP developed by employees and contractors transfer (domestic and cross-border) of data relating to 37 Who owns new intellectual property developed by an fintech products and services? employee during the course of employment? Do the same rules apply to new intellectual property developed by The main laws and regulations relevant to personal data protection and contractors or consultants? transfer are: • Law No. 11 of 2008 regarding Electronic Information and In principle, the IP rights will remain with the creators, which in this Transaction, dated 21 April 2008, as amended by Law No. 19 of instance is the employees or contractors or consultants, unless stated 2016, dated 25 November 2016; otherwise in an agreement. To avoid any uncertainty, it is common prac- • Government Regulation No. 71 of 2019 regarding the Provision of tice in Indonesia for the employer to include a clause in the agreement Electronic Systems and Transactions, dated 10 October 2019; and with the employees or contractors or consultants that clearly states • Minister of Communication and Informatics Regulation No. 20 of that the IP rights of the creation will be solely owned by the employee. 2016 regarding Personal Data Protection In Electronic Systems, dated 1 December 2016. Joint ownership 38 Are there any restrictions on a joint owner of intellectual Cybersecurity property’s right to use, license, charge or assign its right in 33 What cybersecurity regulations or standards apply to fintech intellectual property? businesses? There is no such restriction under Indonesian law. There is, to date, no specific cybersecurity regulations or standards applicable across the fintech sector in Indonesia. However, the obliga- Trade secrets tions to maintain system security and transaction security seem to be 39 How are trade secrets protected? Are trade secrets kept principles that generally exist in the various regulations related to the confidential during court proceedings? fintech business. Law No. 30 of 2000, issued on 20 December 2000 (the Trade Secret Law), OUTSOURCING AND CLOUD COMPUTING provides a very generic approach to the definition of a trade secret. A trade secret is defined as information that is not publicly known in the Outsourcing fields of technology or business, with an economic value owing to its 34 Are there legal requirements or regulatory guidance with usefulness in a business activity, and whose confidentiality is kept by respect to the outsourcing by a financial services company of the owner of the trade secret. The Trade Secret Law indicates that trade a material aspect of its business? secrets are inherently protected without needing to undergo a specific procedure. Holders of trade secrets may bring a claim for compensation There is no specific legal requirement or regulatory guidance with and a cease-and-desist action. Court proceedings involving trade secrets respect to the outsourcing by a financial services company of a material may be held confidentially upon the request of a party in the case. aspect of its business. Branding Cloud computing 40 What intellectual property rights are available to protect 35 Are there legal requirements or regulatory guidance with branding and how do you obtain those rights? How can respect to the use of cloud computing in the financial services fintech businesses ensure they do not infringe existing industry? brands?

There is no specific legal requirement or regulatory guidance with Under Law No. 20 of 2016 regarding Marks and Geographical respect to the use of cloud computing in the financial services industry. Indications, a brand (mark) is protected once it is registered with the relevant government IP office in Indonesia. As a precautionary action a fintech business can check with the government IP office to see if there are similar brands or trademarks already registered in Indonesia. It can also conduct market monitoring of known brands in its industry in Indonesia.

www.lexology.com/gtdt 107 © Law Business Research 2020 Indonesia SSEK Legal Consultants

Remedies for infringement of IP 41 What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Individuals or companies whose intellectual property rights have been infringed may bring claims to the counterparty for compensation and a cease-and-desist action. These claims can go through commercial court, arbitration or alternative dispute settlement.

COMPETITION Winnie Rolindrawan Sector-specific issues [email protected] 42 Are there any specific competition issues that exist with Harry Kuswara respect to fintech companies in your jurisdiction? [email protected]

The prevailing regulations do not address competition issues particular Mayapada Tower I, 14th Floor to fintech companies. We have not identified any specific competition Jalan Jend. Sudirman Kav. 28 issues in the fintech industry. Jakarta, 12920 Indonesia TAX Tel: +62 21 521 2038 / +62 21 2953 2000 www.ssek.com Incentives 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction? IMMIGRATION

There are no specific tax incentives available for fintech companies and Sector-specific schemes investors. 45 What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there Increased tax burden any special regimes specific to the technology or financial 44 Are there any new or proposed tax laws or guidance that sectors? could significantly increase tax or administrative costs for fintech companies in your jurisdiction? There is no specific immigration scheme for fintech businesses, and, therefore, the general immigration scheme is applicable. An Indonesian The Indonesian Minister of Finance (MOF) recently issued a regulation on entity must act as the sponsor for any foreign national who will work in VAT for digital goods and services: MOF Regulation No. 48/PMK.03/2020 Indonesia, and foreign workers can only fill positions that are allowed regarding Procedures for the Appointment of Collectors and for the for foreign workers, as set out by the Ministry of Manpower. Collection, Deposit and Reporting of VAT for the Use Inside the Customs Area of Intangible Taxable Goods and/or Taxable Services from Outside UPDATE AND TRENDS the Customs Area through Electronic System Trade Activities. This is an implementing regulation for Government Regulation in Lieu of Law No. Current developments 1 of 2020 regarding State Financial Policy and Financial System Stability 46 Are there any other current developments or emerging for the Management of the Coronavirus or COVID-19 Pandemic and/ trends to note? or in Facing Threats to the National Economy and/or Financial System Stability (GR 1/2020). GR 1/2020 has since been adopted into law, as We understand that the Financial Services Authority has introduced a Law No. 2 of 2020. Starting 1 July 2020, a 10 per cent VAT will be appli- moratorium on the registration and licensing of peer-to-peer lending cable to intangible taxable goods and services from outside Indonesia companies in Indonesia. The Financial Services Authority will no longer that are utilised in Indonesia through electronic system trade activities receive applications for the registration of peer-to-peer lending compa- (PMSE). These goods and services include digital goods and services. If nies. There has been no confirmation on how long the moratorium the utilisation of goods and services from outside Indonesia is the result will last. There are also ongoing discussions of a draft Personal Data of a transaction between foreign traders or foreign service providers Protection Law, but it is not clear when the law might be passed by the and the Indonesian purchasers, the VAT will be directly collected, paid House of Representatives and issued by the government. and reported by these foreign parties. The foreign traders or foreign service providers will be appointed by the Directorate General on Coronavirus Taxation (DGT) as the PMSE VAT Collector. 47 What emergency legislation, relief programmes and other To qualify as a PMSE VAT Collector a party must have a transac- initiatives specific to your practice area has your state tion value with Indonesian purchasers that exceeds a certain threshold implemented to address the pandemic? Have any existing within 12 months; a traffic volume or number of persons who accessed government programmes, laws or regulations been amended the party’s platform that exceeds a certain threshold within 12 months; to address these concerns? What best practices are advisable or both. These thresholds will be further set out by the DGT. Indonesian for clients? government officials have been quoted in various media reports saying that they are targeting providers such as Spotify and Netflix that operate The Indonesian government has not issued any specific emergency outside of Indonesia with a significant number of users in the country. legislation or relief programme for fintech businesses.

108 Fintech 2021 © Law Business Research 2020 Ireland

Liam Flynn and Lorna Smith Matheson

FINTECH LANDSCAPE AND INITIATIVES The main state business and employment promotion agencies, IDA Ireland and Enterprise Ireland, provide a range of support for fintech General innovation climate operations at all levels of development, and the state investment fund 1 What is the general state of fintech innovation in your has made multiple venture capital or equity investments in promising jurisdiction? fintech start-ups. On 20 April 2018, the Central Bank launched its Innovation Hub. Ireland has a very active fintech scene and is one of the leading juris- This is a direct and dedicated point of contact for firms developing or dictions for fintech start-ups and corporate innovation in Europe. In implementing innovations in financial services based on new technolo- addition, with the impact of Brexit still to be determined, many payments gies. This was to accommodate greater interaction with the growing and e-money firms that previously provided services across the EU via a number of fintech businesses looking to set up operations in Dublin, or UK payments or e-money licence have sought to obtain authorisation by expand their existing operations both in the regulated and unregulated the Central Bank of Ireland (the Central Bank) so as to ensure continuity space. According to the Innovation Hub: 2019 Update, the innovation hub of operations. This has led to a very significant increase in the number has facilitated 166 engagements. of licensed payments and e-money firms, to 18 and 12 respectively, and there are multiple further licence applications in the pipeline. Examples FINANCIAL REGULATION of some of these companies that have chosen Ireland as their EU hub are Stripe, Google Payments, Western Union, Currency Fair, Paysafe, Regulatory bodies Coinbase and Facebook International Payments Limited. 3 Which bodies regulate the provision of fintech products and Ireland has won an outsized share of European investment in services? corporate innovation labs, with many global financial services groups establishing their innovation labs in Ireland. Accelerator programmes There is only one financial services regulator in Ireland, the Central are also expanding their activities in Ireland, with Dublin being added Bank of Ireland (the Central Bank), which is responsible for author- as one of two accelerator locations by the NadiFin FinTech accelerator ising and supervising all providers of regulated financial services. The programme and the National Digital Research Centre expanding its Central Bank is responsible for both prudential supervision and conduct activities outside Dublin to Waterford and Galway. Dublin remains the of business supervision of regulated entities that it has authorised. hub for fintech activities in Ireland, but other regional centres are also Where a regulated firm has been authorised by a supervisory authority seeing growth. in another EU or EEA jurisdiction, the home state regulator will be Notwithstanding the burgeoning start-up scene, digital challenger responsible for prudential supervision, but the Central Bank will be banks are only now penetrating the Irish market to any significant extent responsible for conduct of business supervision in Ireland. The Single and there are currently no home-grown challenger banks. European Supervisory Mechanism at the European Central Bank also directly digital operators have passported their services into Ireland but do not supervises significant credit institutions and has exclusive competence yet pose an existential threat to traditional Irish banking houses. Robo- for the authorisation of credit institutions (other than branches of third- advice has yet to make an appearance in the mainstream investments country credit institutions). market. Many life and health insurers are now investigating the potential incorporation of wearable devices into insurance underwriting, and Regulated activities some of the main motor insurers have launched safe driving apps that 4 Which activities trigger a licensing requirement in your provide telematics-based discounts for drivers. jurisdiction?

Government and regulatory support Whether a fintech business needs to hold a financial services authori- 2 Do government bodies or regulators provide any support sation will depend on the nature of the activities that the firm engages specific to financial innovation? If so, what are the key in. As far as investment-related activities are concerned, Directive benefits of such support? 2014/65/EU (MiFID II) was transposed into Irish law by the European Union (Markets in Financial Instruments) Regulations 2017 (the Irish The government of Ireland is strongly supportive of fintech and in its MiFID II Regulations). Engaging in any of the investment services and recently revised Strategy for the International Financial Services Sector activities listed in MiFID II, such as providing investment advice or (‘Ireland for Finance 2025’) has stated its commitment to developing executing client orders, is a regulated activity requiring authorisation. Ireland as a global leader in the financial services sector, creating an Other parts of the MiFID II package also have direct effect in Ireland. environment in which both indigenous and multinational firms can draw Engaging in banking business requires authorisation under the on key government incentives and supports to grow their businesses. Central Bank Act 1971. The European Union (Capital Requirements) www.lexology.com/gtdt 109 © Law Business Research 2020 Ireland Matheson

Regulations 2014 transposed the Capital Requirements Directive Collective investment schemes 2013/36/EU (CRD IV) into Irish law, and the requirements for obtaining 7 Describe the regulatory regime for collective investment an Irish banking licence are based on the transposition of the CRD IV schemes and whether fintech companies providing package. Other parts of the CRD IV package also have direct effect in alternative finance products or services would fall within its Ireland. Banking business means taking deposits or other repayable scope. funds from members of the public and granting credit for own account. There is a restriction in the 1971 Act, in the absence of an exemption Investment funds are authorised and regulated by the Central Bank, and from the Central Bank, which prohibits anyone from using the term may be regulated as: ‘bank’ in their name or holding themselves out as a bank without • undertakings for collective investment in transferable securi- holding the necessary authorisation. Ireland also has a regime for ties (UCITS) in accordance with the European Communities authorising branches of credit institutions established in third countries (Undertakings for Collective Investment in Transferable Securities) (third country branches) under section 9A of the Central Bank Act 1971. Regulations 2011, which implement the UCITS Directives into Irish law, and the Central Bank (Supervision and Enforcement) Act Consumer lending 2013 (Section 48(1)) (Undertakings for Collective Investment in 5 Is consumer lending regulated in your jurisdiction? Transferable Securities) Regulations 2019 (collectively the UCITS Regulations); or Subject to very limited exceptions, providing cash loans to individuals • retail investor alternative investment funds (RIAIFs) or qualifying (not just consumers) in Ireland is a regulated activity requiring authori- investor alternative investment funds (QIAIFs) in accordance with sation as a retail credit firm under the Central Bank Act 1997, unless the requirements of the Central Bank and of the European Union the lender is otherwise authorised to provide such credit, for example, (Alternative Investment Fund Managers) Regulations 2013 (as a bank. This is an Irish domestic licensing regime and does not derive amended) (the AIFM Regulations), which implement the Alternative from an EU law obligation. Investment Fund Managers Directive 2011/61/EU (AIFMD) into Multiple aspects of consumer lending are also regulated (at a Irish law. conduct-of-business level) under the Consumer Credit Act 1995 and the European Communities (Consumer Credit Agreement) Regulations UCITS, RIAIFs and QIAIFs may be organised through a number of legal 2010, which regulate the form and content of credit agreements. The structures, the most popular of which are the Irish collective asset- 1995 Act and the 2010 Regulations implement the provisions of Directive management vehicle (ICAV), the investment public limited company 87/102/EEC as amended, and Directive 2008/48/EC. (investment company) and authorised unit trusts. It is an offence to The Central Bank’s Consumer Protection Code 2012 and asso- carry on business as an ICAV, investment company or authorised unit ciated addenda (the CPC) are also relevant. The CPC applies to all trust unless authorised by the Central Bank. financial services providers who are authorised, registered or licensed Fintech companies, whether providing alternative finance prod- by the Central Bank, as well as financial services providers author- ucts or otherwise, would not typically fall to be regulated as investment ised, registered or licensed in another EU or EEA member state when funds. However, fintech firms that fall within the definition of alterna- providing services in Ireland on a branch or cross-border basis. The tive investment funds would require authorisation. Fintech companies CPC essentially requires regulated entities to adhere to a set of general that provide services to investment funds may require authorisation requirements such as to provide terms of business to consumers, if they are providing regulated depositary or administration services. conduct know-your-customer, to establish the suitability of the product Depositaries and administrators to investment funds may also engage and adhere to lending and advertisement requirements. fintech firms, in which case applicable Central Bank outsourcing require- There are also separate requirements for mortgage lending ments may apply, although in general, the fintech service providers to consumers, including the housing loan requirements under the would not themselves require authorisation. Consumer Credit Act 1995, European Union (Consumer Mortgage Credit Agreements) Regulations 2016, implementing the provisions Alternative investment funds of Directive 2014/17/EU and the Central Bank’s Code of Conduct on 8 Are managers of alternative investment funds regulated? Mortgage Arrears. The Central Bank authorises and regulates Irish alternative investment Secondary market loan trading fund managers (AIFMs) under the AIFM Regulations, as well as regu- 6 Are there restrictions on trading loans in the secondary lating UCITS management companies in accordance with the UCITS market in your jurisdiction? Regulations, and non-UCITS management companies (a residual category post-AIFMD). Most fintech companies would be expected to fall Part V of the Central Bank Act 1997 regulates credit servicing, which outside the scope of the AIFM Regulations and the UCITS Regulations. includes holding the legal title to loans made by regulated financial services providers to individuals and small to medium-sized enterprises Peer-to-peer and marketplace lending (SMEs). Credit servicing is a regulated activity requiring authorisation 9 Describe any specific regulation of peer-to-peer or by the Central Bank of Ireland. Acquiring the beneficial interest in such marketplace lending in your jurisdiction. loans is not, however, a regulated activity, although there are associated licensing requirements applicable to entities that provide administra- There is currently no distinct regulatory regime for peer-to-peer or tion or servicing in respect of such loans. Trading in non-SME corporate marketplace lending in Ireland. Some of the regimes described in this loans is not, generally, a regulated activity in Ireland. chapter (eg, retail credit) may, however, be relevant depending on the There may also be data protection issues and general contractual nature of the specific activities engaged in and a regulatory analysis of issues that need to be addressed, irrespective of the nature of the loans the proposed process flow is therefore always advisable. being traded.

110 Fintech 2021 © Law Business Research 2020 Matheson Ireland

Crowdfunding Open banking 10 Describe any specific regulation of crowdfunding in your 13 Are there any laws or regulations introduced to promote jurisdiction. competition that require financial institutions to make customer or product data available to third parties? Crowdfunding is not currently specifically regulated in Ireland, assuming it does not involve deposit-taking, which may attract banking Yes. One of the main aims of PSD2 was to increase competition in the regulation, or the promotion of equity investments, which may attract payment sector, introduce open banking and facilitate access by third- prospectus regulation. However, some of the other regimes described in party providers to a user’s account held with their account servicing this chapter (eg, payment services) may also be relevant depending on payment service provider (usually a bank). The Strong Customer the nature of the specific activities engaged in and a regulatory analysis Authentication requirements came into effect in September 2019 and of the proposed process flow is therefore always advisable. this has required account servicing payment service providers to In March 2018, the European Commission presented a proposal develop and test APIs to facilitate open access by third-party providers. for a regulation setting out a regulatory regime for crowdfunding service providers, which would apply to crowdfunding service providers Robo-advice involved in either peer-to-peer business lending where the investor has 14 Describe any specific regulation of robo-advisers or other an expectation of a financial return or the investment crowdfunding companies that provide retail customers with automated model, where investors receive shares or bonds in return for their access to investment products in your jurisdiction. investments. If adopted, the regulation will allow in-scope platforms to apply for an EU passport based on a single set of rules. To complement Robo-advice has yet to make a substantial impact on the Irish fintech the new regulation on crowdfunding, the European Commission has landscape. In 2016, the Joint Committee of the European Supervisory also proposed a directive amending MiFID II. These proposed instru- Authorities noted that while there had been growth in the use of robo- ments are currently awaiting review by the European Parliament. advisers across the EU, the majority of advice provided is at least a The Irish Department of Finance published a Consultation Paper hybrid of automated and human interaction, rather than fully auto- on the Regulation of Crowdfunding in April 2017, followed by a feedback mated. In June 2017, the Central Bank published a discussion paper statement. The government’s Ireland for Finance 2025 Strategy Paper on the Consumer Protection Code and the Digitalisation of Financial in March 2019 included a proposal to regulate crowdfunding in Ireland Services. It identified an upward trend in the use of automated advice and enact a domestic regulatory regime, in parallel with the European in the onboarding of new clients. These allow clients to input their risk regulation, to ensure sufficient consumer protection for unsophisticated profile into the system and then view a series of potential outcomes investors and to facilitate the growth of crowdfunding as an alternative based on their objectives and appetite for risk. source of finance for Irish SMEs. In the same discussion paper, the Central Bank noted the risks to customers stemming from robo-advice. It highlighted that there is Invoice trading frequently reduced consumer awareness and understanding of the 11 Describe any specific regulation of invoice trading in your complexity of the underlying technologies and systems involved in jurisdiction. the provision of the financial products and services such as the use of algorithms. Despite these concerns, there was no update made to Holding title to loans advanced to consumers and SMEs can constitute the Consumer Protection Code in light of the discussion paper. Robo- credit servicing, requiring licensing under the Central Bank Act 1997 advisers in Ireland will be subject to the usual regulatory rules that in certain circumstances. At a conduct of business level, the Central would apply to that financial product (eg, the Insurance Distribution Bank (Supervision and Enforcement) Act 2013 (Section 48) (Lending to Directive (EU) 2016/97 as transposed into Irish law). Small and Medium-Sized Enterprises) Regulations 2015 apply to regulated financial services providers and regulate the provision of credit Insurance products by a regulated entity to micro, small and medium-sized enterprises in 15 Do fintech companies that sell or market insurance products Ireland. ‘Credit’ is broadly defined as a deferred payment, cash loan or in your jurisdiction need to be regulated? other similar financial accommodation, including hire purchase, invoice discounting and the letting of goods. There are no regulations specific Any entity that carries on insurance or reinsurance business in Ireland to invoice trading, described as such, in Ireland. (ie, an insurance or reinsurance underwriter) requires an authorisation in accordance with the requirements of Directive 2009/138/EC as imple- Payment services mented in Ireland by the European Union (Insurance and Reinsurance) 12 Are payment services regulated in your jurisdiction? Regulations 2015. The European Union (Insurance Distribution) Regulations 2018 Yes. The provision of payment services is a regulated activity requiring (the IDD Regulations) came into force on 1 October 2018 and transpose authorisation under the European Union (Payment Services) Regulations the Insurance Distribution Directive (EU) 2016/97 into Irish law. The 2018 (the PSD Regulations), which transpose Directive 2015/2366/EU IDD Regulations set out authorisation and ongoing regulatory require- (PSD2) into Irish law. Ireland’s implementation of PSD2 through the ments for any person engaged in ‘insurance distribution’ in Ireland. PSD Regulations was consistent with the principle of maximum harmo- This is broadly defined to include advising on, proposing, or carrying nisation and as such the PSD Regulations reflect the requirements of out other work preparatory to the conclusion of contracts of insurance, PSD2 itself. of concluding such contracts, or of assisting in the administration and Where PSD2 does not apply, there is a domestic regime under performance of these contracts. Any fintech firm that sells or markets Part V of the Central Bank Act 1997 that regulates ‘money transmis- insurance products in Ireland (as a broker or agent) is likely to require sion business’. Money transmission business is defined as a business authorisation in accordance with the IDD Regulations. that comprises or includes providing a money transmission service to members of the public.

www.lexology.com/gtdt 111 © Law Business Research 2020 Ireland Matheson

Credit references or the Irish Markets in Financial Instruments Directive Regulations. 16 Are there any restrictions on providing credit references or These regimes set out rules in relation to offering financial services and credit information services in your jurisdiction? products, disclosure and transparency requirements for advertising and rules relating to incentives for the sale of financial products and The provision of third-party credit referencing or credit information services to customers in Ireland, among other matters. services is not specifically regulated in Ireland, but historically this activity has not been widespread – credit checking was conducted CHANGE OF CONTROL directly by lenders themselves. Reflecting the fragmented credit information formerly available in Ireland, the Credit Reporting Act 2013 and Notification and consent associated regulations provide for the establishment and operation of a 20 Describe any rules relating to notification or consent statutory central credit register (CCR) system, established and operated requirements if a regulated business changes control. by the Central Bank. Credit providers in Ireland are required to provide information to the Central Bank for entry to the CCR and are also obliged Most regulated businesses operating in Ireland are subject to change to make an enquiry in respect of relevant credit applications. of control regimes that require direct and indirect acquisitions and disposals of ‘qualifying holdings’ (10 per cent or more) to be notified CROSS-BORDER REGULATION to the relevant competent authority. For firms authorised in Ireland the notification is made to the Central Bank, which then has a specific time Passporting period to review the change of control and request further information, 17 Can regulated activities be passported into your jurisdiction? confirm no objection, or object to the change. For credit institutions, the European Central Bank also has a role in the assessment of change of Yes, where the regulated activity is covered by relevant EU legislation, control notifications. the provider is authorised in another EU or EEA member state and subject to compliance with the applicable notification procedures under FINANCIAL CRIME relevant legislation. As a general principle, where a financial institution authorised Anti-bribery and anti-money laundering procedures in another EU or EEA member state (the home state) passports its 21 Are fintech companies required by law or regulation to have services into Ireland through the establishment of a branch in Ireland, procedures to combat bribery or money laundering? or by providing its services on a cross-border services basis, the home state regulator retains responsibility for the prudential supervision of The Criminal Justice (Corruption Offences) Act 2018 overhauled Irish that entity. The regulator of the member state into which passporting anti-corruption laws and introduced a number of new offences, including is undertaken (the host state), in this case the Central Bank of Ireland a corporate liability offence that allows for a corporate body to be held (the Central Bank), will supervise the passported entity’s conduct of liable for corrupt actions committed for its benefit by any director, business in Ireland. The Central Bank does not in general adopt a gold- manager, secretary, employee, agent or subsidiary. The single defence plating approach, and in general local conduct of business rules are not available is demonstrating that the company took all reasonable steps excessively onerous. and exercised all due diligence to avoid the offence being committed. Many firms are now implementing robust procedures and delivering Requirement for a local presence training to staff on anti-bribery and corruption rules as a result. 18 Can fintech companies obtain a licence to provide financial Any fintech company that is a ‘designated body’ for the purposes services in your jurisdiction without establishing a local of the Criminal Justice (Money Laundering and Terrorist Financing) presence? Act 2010 (CJA) will be subject to anti-money laundering (AML) and counter-terrorist financing (CFT) requirements. Certain entities that are Where a fintech company wishes to provide a regulated service, then, designated bodies for the purposes of the CJA, such as leasing compa- subject to the ability to passport into Ireland on a services basis where nies, or those providing factoring services, do not require authorisations the fintech company is authorised in another EU or EEA member state, or licences from the Central Bank of Ireland (the Central Bank), but are it is not possible to provide regulated financial services in Ireland unless nevertheless subject to AML and CFT obligations under the CJA and the fintech company establishes a presence in Ireland. are required to register with the Central Bank for that purpose. Fintech The Central Bank, as the regulatory body responsible for author- providers that are not regulated should therefore check on a case-by- ising firms providing regulated financial services in Ireland, applies case basis whether they are subject to the CJA. minimum substance requirements depending on the nature, scale, The current position is that digital currencies or assets are not complexity and risk profile of the firm and the proposed activities and generally recognised as being ‘money’ for AML purposes, which trig- customers. gered the amendments set out in the Fifth Money Laundering Directive (EU) 2018/843 (MLD5), to bring digital currency custodian wallet SALES AND MARKETING providers, and providers engaged in exchange services between digital currencies and fiat currencies, within its scope. MLD5 has not yet been Restrictions transposed into Irish law and in May 2020, the European Commission 19 What restrictions apply to the sales and marketing of formally named Ireland, along with seven other member states, as in financial services and products in your jurisdiction? default in this regard.

There is no cross-industry financial promotions regime under Irish law and the promotion, sale and marketing of particular financial services and products are governed by sector-specific requirements, for example under the European Union (Insurance Distribution) Regulations 2018, the Central Bank’s Consumer Protection Code 2012 and associated addenda

112 Fintech 2021 © Law Business Research 2020 Matheson Ireland

Guidance to a third party. This obligation only applies to a regulated entity, which 22 Is there regulatory or industry anti-financial crime guidance would include regulated lenders and also regulated credit servicing for fintech companies? firms appointed to hold the legal title to, or service, the loans. Assuming there is no prohibition on assignment without the consent of the There is nothing specific to fintech companies. In line with other regula- borrower under the terms of the loan, Irish law would not otherwise tors, the Central Bank has generally increased its focus on AML/CFT require the borrower to be informed of the assignment. However, any and cyber risks across all regulated financial services. The Central Bank such assignment without notice would take effect as an equitable issued best practice guidance on cybersecurity within the investment assignment. firm and fund services industry in September 2015, followed by cross- industry guidance on information technology and cybersecurity risks in Securitisation risk retention requirements September 2016. The Central Bank will also expect relevant firms to 25 Are securitisation transactions subject to risk retention apply European Banking Authority guidelines and technical standards requirements? published under Directive 2015/2366/EU and other specific regimes, as applicable. There are also AML/CFT guidelines applicable to fintech The Securitisation Regulation (Regulation EU 2017/2402), which business that are ‘designated persons’ for the purposes of the CJA. became directly applicable across the EU on 1 January 2019, applies in Ireland. It requires institutional investors to ensure that the originator, PEER-TO-PEER AND MARKETPLACE LENDING sponsor or original lender of a securitisation retains at least a 5 per cent net economic interest in the securitisation. Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Securitisation confidentiality and data protection requirements security agreements? Is there a risk that loan agreements 26 Is a special purpose company used to purchase and securitise or security agreements entered into on a peer-to-peer or peer-to-peer or marketplace loans subject to a duty of marketplace lending platform will not be enforceable? confidentiality or data protection laws regarding information relating to the borrowers? For a loan agreement or security agreement to be binding, there has to be an offer, acceptance, consideration, intention to create legal relations Where the special purpose vehicle is established in Ireland and and certainty as to terms. The application of these principles does not controls personal data, it will be subject to the full scope of Ireland’s depend on the particular technology that is being used so that accept- data processing laws. Irish incorporated companies, partnerships or ance can be evidenced by clicking in a designated box on a peer-to-peer other unincorporated associations formed under the law of Ireland, and or marketplace lending platform website. persons not falling within the foregoing but who maintain in Ireland There are additional requirements for specific types of loan an office, branch or agency, or a regular practice will be established in agreement, for example under the European Communities (Consumer Ireland for these purposes. Data controllers that make use of equipment Credit Agreements) Regulations 2010, the Consumer Credit Act 1995 in Ireland for processing data can also fall within the scope of Ireland’s and the European Union (Consumer Mortgage Credit Agreements) data processing laws in certain circumstances. Broader confidentiality Regulations 2016. provisions applicable to a special purpose vehicle would typically arise A deed is necessary for certain types of transactions, including as a matter of contract, and the implied banker’s duty of confidentiality property-related transactions. Deeds made by individuals must be at common law is unlikely to apply. signed, and Irish law recognises electronic contracts and signatures in accordance with the requirements of the Electronic Commerce Act 2000 ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER and Regulation 910/2014 on electronic identification and trust services TECHNOLOGY AND CRYPTO-ASSETS for electronic transactions. Artificial intelligence Assignment of loans 27 Are there rules or regulations governing the use of artificial 24 What steps are required to perfect an assignment of intelligence, including in relation to robo-advice? loans originated on a peer-to-peer or marketplace lending platform? What are the implications for the purchaser if the There are no specific rules governing the use of artificial intelligence, assignment is not perfected? Is it possible to assign these including in relation to robo-advice, in Ireland. However, a regulated loans without informing the borrower? financial service provider would need to comply with applicable conduct and regulatory requirements in applying artificial intelligence (and robo- There are two main types of assignments of legal rights under Irish law: advice) to its regulated activities and would also need to ensure that a legal assignment and an equitable assignment. Irish law is similar it complies with Irish equality legislation (the Equal Status Acts 2000– to English law in this regard. The distinction can be important at point 2015) when using such technology to determine access to services. of enforcement and in general terms, a legal assignment is preferable. To create a legal assignment of a debt, the assignment must be in Distributed ledger technology writing and signed by the assignor; the assignment must be absolute (ie, 28 Are there rules or regulations governing the use of unconditional and not merely by way of security); and express notice in distributed ledger technology or blockchains? writing must be given to the borrower from whom the assignor would have been entitled to receive the debt. Part of a debt, or other legal There are no specific rules governing the use of distributed ledger chose in action, may not be legally assigned; only the whole debt may technology or blockchain in Ireland, but a regulated financial service be legally assigned. provider would need to comply with applicable conduct and regulatory The Central Bank’s Consumer Protection Code 2012 and associ- requirements in applying such technologies to its regulated activities. ated addenda requires a regulated entity to provide two months’ notice before transferring any part of its regulated activities (including loans) www.lexology.com/gtdt 113 © Law Business Research 2020 Ireland Matheson

Crypto-assets Cybersecurity 29 Are there rules or regulations governing the use of crypto- 33 What cybersecurity regulations or standards apply to fintech assets, including digital currencies, digital wallets and businesses? e-money? The Central Bank of Ireland (the Central Bank) issued best practice Assuming the crypto-assets are not financial instruments or other guidance on cybersecurity within the investment firm and fund services forms of collective investment, there is no regulatory framework industry in September 2015, followed by cross-industry guidance on governing crypto-assets in Ireland. When Fifth Money Laundering information technology and cybersecurity risks in September 2016. The Directive (EU) 2018/843 (MLD5) is transposed into Irish law, this will Central Bank will also expect relevant firms to apply relevant European impose anti-money laundering and counter-terrorist financing (AML/ Supervisory Authority guidelines, whether issued by the European CFT) requirements on crypto-asset exchanges and wallet providers. In Banking Authority or the European Securities and Markets Authority April 2020, the Central Bank of Ireland published a response to the EU (such as the Guidelines on security measures for operational and secu- consultation on an EU framework for markets in crypto-assets. rity risks under Directive 2015/2366/EU and other specific regimes, as applicable). Digital currency exchanges 30 Are there rules or regulations governing the operation of OUTSOURCING AND CLOUD COMPUTING digital currency exchanges or brokerages? Outsourcing Assuming the digital currency is not linked to any financial instruments 34 Are there legal requirements or regulatory guidance with and the exchange is not engaging in any other regulated activity, there respect to the outsourcing by a financial services company of is no regulatory framework governing the operation of digital currency a material aspect of its business? exchanges or brokerages. When MLD5 is transposed into Irish law, this will impose AML/CFT requirements on digital currency exchanges and There are multiple sector-specific requirements governing outsourcing, providers who exchange fiat currencies for digital currencies. for example, under the Directive 2014/65/EU and Directive 2009/138/ EC regimes. For credit institutions, payments and e-money firms, the Initial coin offerings European Banking Authority (EBA) has issued extensive Guidelines as 31 Are there rules or regulations governing initial coin offerings of February 2019. The Central Bank of Ireland takes an active interest (ICOs) or token generation events? in compliance by regulated firms with outsourcing requirements and in November 2018, published a paper ‘Outsourcing – Findings and Issues There are no laws specific to ICOs and offerings of digital assets in for Discussion’, highlighting the most obvious and minimum super- Ireland, and it is possible, depending on the nature of the digital assets, visory expectations for regulated firms around the management of that the offering, holding or trading of these assets may fall outside outsourcing risks. current securities or prospectus law, financial services regulation and other laws. Cloud computing 35 Are there legal requirements or regulatory guidance with DATA PROTECTION AND CYBERSECURITY respect to the use of cloud computing in the financial services industry? Data protection 32 What rules and regulations govern the processing and The EBA published its ‘Guidelines on Outsourcing Arrangements’ in transfer (domestic and cross-border) of data relating to February 2019 (the Outsourcing Guidelines). When the Outsourcing fintech products and services? Guidelines entered into force on 30 September 2019, the EBA’s ‘Recommendations on outsourcing to cloud service providers’, which The General Data Protection Directive (Regulation 2016/679) (GDPR) had been published in December 2017, were repealed. has had effect in Ireland since 25 May 2018, and is supplemented by the Data Protection Act 2018. The GDPR is intended to harmonise further the INTELLECTUAL PROPERTY RIGHTS data protection regimes within the EU and a full account of its impact is outside the scope of this chapter. For fintech operators, anonymisa- IP protection for software tion and aggregation of data for commercial gain may be important. 36 Which intellectual property rights are available to protect Aggregation of data for commercial gain will only be permissible where software, and how do you obtain those rights? the collection, aggregation and commercial use of the data meets GDPR requirements. There may be somewhat greater flexibility in the use of The principal intellectual property right that protects software is copy- anonymised data for commercial gain. However, it is generally accepted right (the right to prevent others from, among other things, copying the that the standard required for data to be truly anonymised (and therefore software). Under the Copyright Act 2000 (as amended), copyright vests not be personal data) is a high one, and that anonymisation techniques in the author on creation. Organisations should ensure that they have can only provide privacy guarantees if appropriate techniques are used appropriate copyright assignment provisions in place in all agreements and the application of those techniques is engineered appropriately. they have with employees or contractors to ensure that they obtain This is a complex area and any fintech operator considering engaging in these rights. such techniques should seek appropriate specialist advice.

114 Fintech 2021 © Law Business Research 2020 Matheson Ireland

IP developed by employees and contractors Branding 37 Who owns new intellectual property developed by an 40 What intellectual property rights are available to protect employee during the course of employment? Do the same branding and how do you obtain those rights? How can rules apply to new intellectual property developed by fintech businesses ensure they do not infringe existing contractors or consultants? brands?

The default position under Irish law is that the employer owns intel- The main intellectual property rights available to protect branding are lectual property developed by an employee during the course of registered and unregistered trade and service marks. employment, unless it is otherwise stated in an agreement with the Registered trade and service mark rights only arise through regis- employee. However, this default position does not extend to intellectual tration, and can be applied for either in Ireland (in respect of Ireland property generated by an employee outside their employment (such as only) or more broadly in the EU (as an EU trademark) or internationally. out of hours or off premises). Trade and service mark rights give registered owners certain rights to Contractors and consultants (who are not employees) are gener- prevent others using identical or confusingly similar trademarks to their ally not subject to the default position described above and, unless registered mark. the agreement between the contractor or consultant includes an Brand owners can also rely on unregistered trademark rights assignment or other transfer of intellectual property to the customer, through the common law tort of passing-off. This allows the owner to the contractor or consultant will own any intellectual property rights prevent others from damaging their goodwill with customers by using generated during the course of the work. Ownership of such intellec- branding or get up that is identical or confusingly similar to their own. tual property, if related to the subject matter of employment, should be For certain branding (particularly complex branding with artistic addressed through the relevant contract. elements), copyright protection may also be available.

Joint ownership Remedies for infringement of IP 38 Are there any restrictions on a joint owner of intellectual 41 What remedies are available to individuals or companies property’s right to use, license, charge or assign its right in whose intellectual property rights have been infringed? intellectual property? The exact remedies available to individuals or companies depend on Yes. Joint owners of patents cannot assign or grant a licence of an the intellectual property right that has been infringed, but generally, interest in a patent or a design right without the consent of all other for infringements of trademarks, patents, copyright and design rights joint owners. Under the Trade Marks Act 1996 (as amended) a joint under Irish law, the owner of the right may seek an injunction against owner may sue another joint owner for trademark infringement where further infringement, damages, an account of any profit made by the the trademark is used in relation to goods or services for which all joint infringer from any articles incorporating the infringed intellectual prop- owners have not been connected in the course of trade. On the basis of erty, and delivery up or destruction of those articles. this legislation, we would expect that the consent of all joint owners is required for a licence of the trademark to be given. COMPETITION Although the Copyright Act 2000 (as amended) is silent as to the rights of joint copyright owners, the current common law position Sector-specific issues appears to suggest that the consent of all co-owners is required for the 42 Are there any specific competition issues that exist with grant of a licence to third parties. respect to fintech companies in your jurisdiction?

Trade secrets There are no competition issues that are specific to fintech companies 39 How are trade secrets protected? Are trade secrets kept in Ireland. confidential during court proceedings? TAX Trade secrets are not a standalone right and are not protected separately from confidential information under Irish law. Confidential Incentives information is protected either through a contractual agreement to 43 Are there any tax incentives available for fintech companies keep certain information confidential, or through the common law obli- and investors to encourage innovation and investment in the gation to keep information confidential (because of the nature of the fintech sector in your jurisdiction? relationship between the discloser and disclosee, the nature of the communication or the nature of the information itself). In addition to Irish corporation tax rate of 12.5 per cent, there are a There is no general rule that requires confidential information that number of further Irish tax provisions that encourage innovation and is revealed during court proceedings to be kept secret. It is possible investment in fintech in Ireland, including: to obtain an order from a court limiting access to such confidential • a 25 per cent tax credit for qualifying R&D expenditure carried on information, but such orders are given on a case-by-case basis and are within the EEA. This tax credit is in addition to the normal business typically considered difficult to obtain. deduction for such R&D expenditure (at the 12.5 per cent rate), thus providing relief for expenditure on R&D at an effective rate of 37.5 per cent. These credits may also be surrendered by the company to key employees actively involved in R&D activities, thereby reducing the effective rate of Irish income tax for such employees; • a best-in-class ‘knowledge development box’ that complies with the OECD’s ‘modified nexus’ standard. This can reduce the rate of Irish corporation tax to 6.25 per cent for profits derived from certain IP assets, where qualifying R&D activity is carried on in www.lexology.com/gtdt 115 © Law Business Research 2020 Ireland Matheson

Ireland. This relief can also be claimed in conjunction with the R&D tax credit; • tax depreciation for certain intangible assets. Such assets can be amortised for Irish corporation tax purposes either in line with their accounting treatment or on a straight basis over 15 years; • the Employment and Investment Incentive (EII) and Start-up Refunds for Entrepreneurs schemes, which allow individual investors in fintech companies to obtain Irish income tax relief (of up to 41 per cent) on investments made, in each tax year, into certified Liam Flynn qualifying companies. Relief under the EII is available in respect of [email protected] funding of up to €15 million and is available until 2020; • entrepreneur relief, which allows for a capital gains tax rate of 10 Lorna Smith per cent on the disposal of certain qualifying business assets up to [email protected] a lifetime amount of €1 million; • an extensive double tax treaty network, totalling 74 treaties, that 70 Sir John Rogerson’s Quay prevents the taxation of the same portion of a company’s income Dublin 2 by multiple jurisdictions; Ireland • start-up relief, which provides for a reduction in corporation tax Tel: +353 1 232 2000 liability for the first three years of trading for companies of a Fax: +353 1 232 3333 certain size provided the company was incorporated on or after www.matheson.com 14 October 2008 and began trading between 1 January 2009 and 31 December 2021. This relief can be claimed on both profits from trading and on capital gains; and • a stamp duty exemption for transfers of intellectual property. Coronavirus 47 What emergency legislation, relief programmes and other Increased tax burden initiatives specific to your practice area has your state 44 Are there any new or proposed tax laws or guidance that implemented to address the pandemic? Have any existing could significantly increase tax or administrative costs for government programmes, laws or regulations been amended fintech companies in your jurisdiction? to address these concerns? What best practices are advisable for clients? There are currently no proposals at Irish national level to significantly increase tax or administrative costs for fintech companies in Ireland. The Irish Government announced a €5 billion stimulus package for busi- The OECD has launched a new project on the tax challenges of digi- ness in July 2020, which is to be implemented in legislation shortly. The talisation. Proposals in respect of this project should be made by the package will include enterprise supports to employers and enterprise- end of 2020. focused tax reliefs. The Central Bank has introduced certain initiatives in regulated IMMIGRATION sectors more generally including the following. • Countercyclical capital buffer (CCYB): the Central Bank has Sector-specific schemes released the CCYB from 0 to 1 per cent to assist banks and support 45 What immigration schemes are available for fintech lending to households and businesses. businesses to recruit skilled staff from abroad? Are there • Mortgage payment breaks: the Central Bank in conjunction with the any special regimes specific to the technology or financial retail banks implemented a six-month payment break for mortgage sectors? holders in difficulty as a result of covid-19. • The Central Bank has established a COVID-19 Crisis Response There are no specific immigration schemes available for fintech busi- Task Force, with a series of work streams covering subjects such ness, or the technology and financial sectors, in Ireland. The ordinary as financial and operational resilience, funds and bank liquidity, rules in relation to employment permit requirements apply. forbearance, and consumer-related issues. • The Central Bank has announced a series of regulatory flexibility UPDATE AND TRENDS measures for credit institutions, credit unions, insurers and rein- surers, securities markets, investment management, investment Current developments firms and fund service providers to assist with the pressures of the 46 Are there any other current developments or emerging covid-19 pandemic. trends to note? In terms of best practices, we are currently advising fintech clients to We expect Ireland to continue to develop as a leading domicile in this ensure that operational risks continue to be managed, including busi- area. We also expect the Central Bank of Ireland (the Central Bank) to ness continuity arrangements, and that they continue to ensure robust follow best EU practice in its regulation of the sector and to adopt a governance and oversight remains in place over any outsourced func- relatively accommodating approach to fintech innovation, but we do tions in the current environment, and that any changes to business not necessarily expect the Central Bank to introduce a specific sandbox models and engagement models with customers as a result of covid-19 regime in Ireland. do not create any risks from a consumer protection perspective in terms of transparency and disclosure, and treating customers fairly.

116 Fintech 2021 © Law Business Research 2020 Japan

Akihito Miyake, Ken Kawai, Tomoyuki Tanaka and Asako Matsuo Anderson Mori & Tomotsune

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies 1 What is the general state of fintech innovation in your 3 Which bodies regulate the provision of fintech products and jurisdiction? services?

In Japan, fintech innovation has been quite active in almost every area The Financial Services Agency (FSA) is the main regulatory body of of finance. In particular cryptocurrency-based businesses, cashless fintech products and services that are regulated under the various payment or mobile payment services, financial account aggregation financial regulations. The Ministry of Economy, Trade and Industry is services, robo-advisers and crowdfunding are well known to the public. also the regulatory body for certain payment services (eg, credit cards In 2018 and 2019, an increasing number of companies entered or other advanced payment services). into or expanded their businesses in the mobile payment market, and several companies have launched QR code payment services. As a Regulated activities result, this market sector has become highly competitive. 4 Which activities trigger a licensing requirement in your In 2020, security tokens, or digital securities, have become a focus. jurisdiction? Because of amendments to the relevant laws and regulations, a number of financial institutions are entering into this new market. The arrangement of investment deals for an investment fund that Additionally, on 6 March 2020, the Financial Services Agency invests mainly in securities or derivative transactions, constitutes a submitted a bill to the Diet for: ‘financial instruments business’ under the Financial Instruments and • the establishment of a financial services intermediary business that Exchange Act (FIEA), and registration under the FIEA is required. is capable of intermediating the cross-sectoral financial services of To arrange transactions for investments that mainly comprise banking, securities and insurance under a single license; and securities or derivatives, registration under the FIEA is also required. • the classification of funds transfer services into three categories, Dealing in investments as principal or agent, under which invest- based on staggered maximum limits on remittance amounts. ments are made mainly in securities or derivative transactions, may also The bill was passed by the Diet on 5 June 2020. constitute a financial instruments business under the FIEA (in certain circumstances); thus, registration under the FIEA may also be required. Government and regulatory support Giving advice on investments in relation to the value of securities 2 Do government bodies or regulators provide any support or investment decisions on financial instruments under a contract for specific to financial innovation? If so, what are the key a fee may constitute an ‘investment advisory business’ under the FIEA, benefits of such support? and registration is required. Lending money is regarded as a ‘moneylending business’, Yes. Financial regulators and policymakers in Japan are supportive of which generally requires registration as a moneylender under the fintech innovation and new technology-focused entrants in the regu- Moneylending Business Act. lated financial services markets. For instance, the Ministry of Economy, There is no specific licensing requirement for factoring transac- Trade and Industry has been supportive of the blockchain industry, tions and invoice discounting. and it hosted the Blockchain Hackathon in February 2019 as part of a Secondary market loan trading does not trigger a licensing broader effort for the social implementation of blockchain technologies. requirement. In June 2018, the Japan Economic Revitalisation Bureau, under Acceptance of deposits is generally prohibited without a banking the auspices of the Cabinet Secretariat, opened a cross-government licence under the Banking Act. one-stop desk for the regulatory sandbox in Japan (the Regulatory There is no licensing requirement for foreign exchange transactions. Sandbox). The Regulatory Sandbox can be used by both Japanese and A bank licensed under the Banking Act may conduct funds transfer overseas companies, enabling them to apply and receive approval for services (which will generally include payment services). Other than projects, not yet covered by present laws and regulations, to conduct banks, registration under the Payment Services Act as a funds transfer demonstrations under certain conditions without the need for a legal service provider is required before conducting payment services. If the amendment to cover the project. payment service is provided as a later payment option using a credit card, then registration under the Instalment Sales Act is required for the issuers.

www.lexology.com/gtdt 117 © Law Business Research 2020 Japan Anderson Mori & Tomotsune

Consumer lending individuals and distributes the funds as dividends and returns to inves- 5 Is consumer lending regulated in your jurisdiction? tors. In this structure, the operator is required to be registered both as a moneylender under the Moneylending Business Act (to provide the A lender conducting consumer lending activities must register as a loans) and as a financial services provider under the FIEA to solicit the moneylender under the Moneylending Business Act. The total permis- purchase of interests in TK partnerships to investors. sible lending amount is generally limited to one-third of the borrower’s annual income if the borrower is an individual. The cap of the interest Crowdfunding falls between 15 and 20 per cent per annum depending on the principal 10 Describe any specific regulation of crowdfunding in your amount of the loan pursuant to the Interest Rate Restriction Act. jurisdiction.

Secondary market loan trading In Japan, crowdfunding is categorised as donation-based crowdfunding, 6 Are there restrictions on trading loans in the secondary reward-based crowdfunding and investment-based crowdfunding. market in your jurisdiction? Investment-based crowdfunding is further categorised as equity-based crowdfunding, fund-based crowdfunding and social-lending. There is no specific licensing requirement for trading loans. If a money- Reward-based crowdfunding involves sales and purchase agree- lender transfers loan claims, the transferee will be subject to the same ment of the reward. It is not regulated under the FIEA. restrictions under the Moneylending Business Act that are applicable to Equity-based crowdfunding and fund-based crowdfunding are the original moneylender, and the transferor must notify the operating regulated under the FIEA, which defines certain internet-based solicita- transferee of the applicability of the restrictions. tions, such as ‘electronic solicitation handling services’. Certain special provisions apply to electronic solicitation handling services compared Collective investment schemes with those that apply to ordinary solicitation handling services for 7 Describe the regulatory regime for collective investment securities. schemes and whether fintech companies providing alternative finance products or services would fall within its Invoice trading scope. 11 Describe any specific regulation of invoice trading in your jurisdiction. Under the FIEA, the solicitation of subscription of shares in collective investment schemes or investment management of assets of collective There is no specific regulation that applies to invoice trading in Japan. investment schemes, in principle, are regarded as financial instruments If invoice-trading is with recourse to a supplier (ie, the seller of the businesses. Therefore, business operators who conduct those activities invoice) when no repayment is forthcoming from the buyer, those trans- must be registered as financial instruments business operators. actions may be characterised as secured lending, and the business If a crowdfunding company raises funds for investment in a would be required to obtain a moneylending business licence under the company through a form of tokumei kumiai (TK) partnership, or if a Moneylending Business Act. social lending company raises funds for lending money to a company seeking funds through that form of partnership, the solicitation to invest Payment services in the partnership would, in principle, be considered as falling within 12 Are payment services regulated in your jurisdiction? the scope of a financial instruments business activity and must, thus, be registered under the FIEA. Payment services fall within the scope of funds remittance transactions, which generally require a banking licence under the Banking Act. The Alternative investment funds Payment Services Act permits non-banking entities registered there- 8 Are managers of alternative investment funds regulated? under to engage in funds remittance transactions in the course of their business, provided that the amount of each exchange transaction is not In Japan, there are no regulations that particularly focus on alterna- greater than ¥1 million. tive investment fund managers. Under the FIEA, investment managers acting for alternative investment funds, such as hedge funds, private Open banking equity funds and real estate funds, are regulated in the same manner 13 Are there any laws or regulations introduced to promote as those acting for investment funds similar to undertakings for the competition that require financial institutions to make collective investment in transferable securities, which means they are customer or product data available to third parties? not subject to the augmented regulations under the FIEA. However, additional licences may be required under other laws (apart from the The Banking Act regulates electronic payment intermediate service FIEA) for such alternative investment fund managers who conduct the providers in relation to the open application programming interface. business of managing investors’ funds by investing in real estate (not Electronic payment intermediate service providers are defined to the beneficiary rights therein). include intermediaries between financial institutions and customers, such as entities using IT to communicate payment instructions to banks Peer-to-peer and marketplace lending based on entrustment from customers, or entities using IT to provide 9 Describe any specific regulation of peer-to-peer or customers with information of their financial accounts held by banks. marketplace lending in your jurisdiction. Entities providing financial account aggregation services are also categorised as electronic payment intermediate service providers. They are Marketplace lending in Japan generally takes the form of a TK part- required to register with the FSA. nership, under which a social-lending business provider collects funds from TK partnership investors. The social-lending business provider advances the funds to enterprises or individuals as loans. The operator then receives principal and interest payments from the enterprises or

118 Fintech 2021 © Law Business Research 2020 Anderson Mori & Tomotsune Japan

Robo-advice SALES AND MARKETING 14 Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated Restrictions access to investment products in your jurisdiction. 19 What restrictions apply to the sales and marketing of financial services and products in your jurisdiction? A robo-adviser that provides retail customers with automated access to investment products must be registered as an investment manager Providers of financial products and services should pay attention not (if it provides discretionary investment management services) or an only to their respective regulating laws and regulations and the guide investment adviser (if it provides non-discretionary investment advisory lines issued by their regulatory or self-regulatory bodies, but also to services) under the FIEA. If the robo-adviser accepts the customers’ the general customer protection legislation, such as the Act against assets, it must also be registered as a Type I financial instruments busi- Unjustifiable Premiums and Misleading Representations, the Consumer ness operator under the FIEA. Contract Act and the Act on Specified Commercial Transactions, when advertising, selling and marketing financial products and services. Insurance products In respect of investment products and services, such as securi 15 Do fintech companies that sell or market insurance products ties, derivatives, ‘deemed securities’ (eg, limited partnership interests) in your jurisdiction need to be regulated? and investment advisory and management services, only registered financial instruments business operators or financial institutions Yes. In Japan, when a company (including a fintech company) conducts (FIBOs) are permitted to sell and market such investment products or insurance solicitation (ie, acts as an agency or intermediary for insur- services under the Financial Instruments and Exchange Act (FIEA). As ance contracts), it must be registered as an insurance agent or insurance a general rule, a FIBO is prohibited from soliciting investment products broker under the Insurance Business Act. or services that are not suitable for an investor in light of his or her knowledge, experience, financial conditions and purpose of investment. Credit references A FIBO is required to deliver an explanatory document on the details of 16 Are there any restrictions on providing credit references or investment products or services to investors in advance. credit information services in your jurisdiction? In respect of insurance products, only insurance agents or brokers are permitted to sell and market insurance products for their affiliated In general, while credit references of individuals are subject to the Act insurance company under the Insurance Business Act. As a general on Protection of Personal Information, credit references of corpora- rule, an insurance company, agent or broker must provide information tions are subject to confidentiality obligations under financial services regarding insurance contracts to customers. An insurance company, regulations (such as the Corporate Information under the Moneylending agent or broker must understand each customer’s intention, recom- Business Act) and confidentiality agreements between financial institu- mend and explain the insurance product meeting the customer’s tions and corporations. intention, and offer to the customer an opportunity to reconfirm whether In Japan, personal credit information agencies collect information the recommended product meets the customer’s intention. The rules on on the ability of persons to make credit repayments and provide the advertising, sales and marketing of investment products and services information to financial institutions that are members of those agencies. under the FIEA apply mutatis mutandis in respect of variable annuity Financial institutions (banks or moneylenders) may not use information and insurance products and certain foreign currency-denominated on the ability of individuals to meet repayments (personal credit infor- insurance products. mation) for purposes other than the investigation of the ability of fund users to make repayments. CHANGE OF CONTROL

CROSS-BORDER REGULATION Notification and consent 20 Describe any rules relating to notification or consent Passporting requirements if a regulated business changes control. 17 Can regulated activities be passported into your jurisdiction? A shareholder holding more than 5 per cent but less than 20 per cent of In most cases, no. the voting rights held by all the bank’s shareholders (a major holder of Japan is a member of the Asia Region Funds Passport (ARFP), bank’s voting rights) must file a notification with the Financial Services which allows for a fund to be ‘exported’ to another participating economy, Agency (FSA) within five business days. A shareholder who intends to provided that it complies with the regulations of the jurisdiction in which hold, whether individually, jointly or as a group, 20 per cent or more of the fund is registered, the applicable regulations relating to the offer in the voting rights (a bank’s major shareholder) must obtain authorisa- the host jurisdiction and the ARFP passport rules. tion from the FSA in advance. Moreover, a bank’s major shareholder holding more than 50 per cent may be ordered to submit the relevant Requirement for a local presence bank’s business improvement plan. 18 Can fintech companies obtain a licence to provide financial A shareholder of an insurance company is subject to substantially services in your jurisdiction without establishing a local the same rules as those applicable to a major holder of bank’s voting presence? rights and a bank’s major shareholder, as outlined above. A shareholder holding, in principle, 20 per cent or more of the voting It depends on the nature of the services that the foreign fintech company rights held by all of the Type I financial instruments business operator’s intends to provide; however, generally speaking, foreign fintech compa- or investment manager’s shareholders (a major shareholder) must file nies will be required to have a subsidiary or a business office to obtain a notification with the competent Local Finance Bureau without delay. A a licence under applicable laws. major shareholder who comes to hold 50 per cent or more of the voting rights (a Specified Major Shareholder) must file a further notification without delay. www.lexology.com/gtdt 119 © Law Business Research 2020 Japan Anderson Mori & Tomotsune

FINANCIAL CRIME Assignment of loans 24 What steps are required to perfect an assignment of Anti-bribery and anti-money laundering procedures loans originated on a peer-to-peer or marketplace lending 21 Are fintech companies required by law or regulation to have platform? What are the implications for the purchaser if the procedures to combat bribery or money laundering? assignment is not perfected? Is it possible to assign these loans without informing the borrower? A person who gives, or offers or promises to give, a bribe to a domestic or foreign public officer can be subject to a criminal penalty under the As a general rule, a loan claim may be assigned by an agreement Criminal Code or, as the case may be, the Unfair Competition Prevention between the transferor and the transferee and can be perfected by Act. Although fintech companies are not explicitly required by law to put notice to or acknowledgement by the borrower with an instrument in place anti-bribery procedures, they are expected to do so as a part of bearing a fixed date stamp. their effective internal control. However, it is less likely that the loan claims are assigned or The Act on Prevention of Transfer of Criminal Proceeds (APTCP) perfected in a peer-to-peer or marketplace lending platform. requires ‘specified business operators’ (most financial service providers are included therein) to: Securitisation risk retention requirements • verify each customer’s identity, purpose of transaction, occupation 25 Are securitisation transactions subject to risk retention and, in the case of a corporate customer, identity of its representa- requirements? tives and ultimate owners and its purpose of business; • verify each customer’s financial condition in the case of a high-risk Financial institutions subject to the Basel Capital Accord in Japan are transaction; subject to risk retention requirements in respect of their securitisation • create and keep a record of verification and transaction reports; and exposures, while the originators or sponsors are not directly subject to • report any suspicious transaction to the competent authority. the same requirements. The financial institution is required to apply an increased regulatory capital risk weighting (ie, three times higher than A fintech company falling under a specified business operator is that otherwise applied to the compliant securitisation exposur e, up to required to put in place anti-money laundering procedures under the 1,250 per cent) to its securitisation exposure unless it can confirm that: APTCP and the Financial Services Agency’s Guidelines for Anti-Money • the originator retains at least 5 per cent of the aggregate credit risk Laundering and Combating the Financing of Terrorism. of the relevant securitised assets in any of the prescribed ways; or • the relevant securitised assets are not inappropriately originated Guidance based on the originator’s involvement in or the quality of the rele 22 Is there regulatory or industry anti-financial crime guidance vant assets, or any other circumstances. for fintech companies? However, it is less likely that the risk retention requirements should be No. considered in a peer-to-peer or marketplace lending platform.

PEER-TO-PEER AND MARKETPLACE LENDING Securitisation confidentiality and data protection requirements 26 Is a special purpose company used to purchase and securitise Execution and enforceability of loan agreements peer-to-peer or marketplace loans subject to a duty of 23 What are the requirements for executing loan agreements or confidentiality or data protection laws regarding information security agreements? Is there a risk that loan agreements relating to the borrowers? or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable? While it is less likely that a special purpose company is used to purchase and securitise peer-to-peer or marketplace loans, a lending In terms of a peer-to-peer or marketplace lending platform in Japan, platform operator extending loans to the borrowing participants must it had been construed that each lending participant would be required comply with the Personal Information Protection Act, which is one of the to be registered as a moneylender under the Moneylending Business primary data protection laws in Japan. Act unless there were multiple anonymised borrowing participants. However, the Financial Services Agency published its interpretation that ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER each lending participant is not required to be so registered if: TECHNOLOGY AND CRYPTO-ASSETS • all the borrowing participants are corporations; • the platform is formed as a tokumei kumiai, which is an agree- Artificial intelligence ment under the Commercial Code to be entered between the 27 Are there rules or regulations governing the use of artificial platform operator registered as a moneylender and each lending intelligence, including in relation to robo-advice? participant; and • the agreement prohibits each lending participant from contacting No. A robo-adviser using artificial intelligence is regulated under the any borrowing participants for the purpose of collecting money. Financial Instruments and Exchange Act (FIEA), generally in the same way as an ordinary investment adviser or manager. In terms of enforceability of loans, the portion of any interests (including lending-related fees) exceeding 15 per cent or higher (or up to 20 per Distributed ledger technology cent) of the loan principal amount shall be null and void under the 28 Are there rules or regulations governing the use of Interest Rate Restriction Act. distributed ledger technology or blockchains?

No.

120 Fintech 2021 © Law Business Research 2020 Anderson Mori & Tomotsune Japan

Crypto-assets On the other hand, tokens that do not fall under the definition of 29 Are there rules or regulations governing the use of crypto- ERTRs but are used as payment instruments are likely to constitute assets, including digital currencies, digital wallets and crypto-assets or prepaid payment instruments governed by the PSA. e-money? DATA PROTECTION AND CYBERSECURITY While the use of crypto-assets is not directly regulated, a service provider who deals with digital currencies, digital wallets or e-money Data protection may be regulated as a crypto-asset exchange service provider, a prepaid 32 What rules and regulations govern the processing and payment instruments issuer or, as the case may be, a fund transfer transfer (domestic and cross-border) of data relating to service provider under the Payment Services Act (PSA). fintech products and services? A crypto-asset exchange service provider is defined as an entity that, as a business: The Personal Information Protection Act (PIPA) applies to a person who 1 purchases, sells and exchanges crypto-assets; processes and transfers personal data. The general and industry-specific 2 acts as a broker, intermediary or agent with regard to the transac- (including the financial services industry) guidelines regarding protections listed in (1); tion of personal information are issued by the Personal Information 3 maintains users’ money or crypto-assets in relation to the transac Protection Committee and the relevant government authority (including tions listed in (1) or (2); or the Financial Services Agency (FSA)), although they do not particularly 4 holds crypto-assets in custody for and on behalf of another person, focus on the fintech industry. unless otherwise licensed to do so under the applicable laws. The PIPA requires a person who handles a personal information database in the business (a personal information handling business A prepaid payment instruments issuer is a person who issues prepaid operator (PIHBO)), as a general rule: payment instruments for its own or a third party’s business. • not to handle any personal information beyond the scope neces A fund transfer service provider is an entity that transfers users’ sary for achieving the purpose of use; funds (not exceeding ¥1 million per transaction) as a business. • not to transfer any personal data to a third party without obtaining The amended PSA is expected to be implemented in the first prior consent of the relevant data subject; half of 2021. The amended PSA has refined the regulatory framework • to keep the personal data accurate and updated; surrounding fund transfer service providers to categorise them into the • to put in place necessary and appropriate measures to maintain three categories to take into account the amount of funds contemplated the personal data in a safe manner; in their fund transfer businesses. • to disclose the personal data in hand to the relevant data subject whenever requested; and Digital currency exchanges • to correct and delete or cease to use the personal data in hand 30 Are there rules or regulations governing the operation of if the relevant data subject so requests with reasonable grounds. digital currency exchanges or brokerages? In the case of the transfer of personal data within Japan, as an excep Yes. It is regulated as a crypto-asset exchange service. tion to the general rule, a PIHBO may transfer personal data (excluding sensitive personal information) to a third party without obtaining prior Initial coin offerings consent of the relevant data subject, if the PIHBO notifies the matters 31 Are there rules or regulations governing initial coin offerings prescribed by the PIPA to the relevant data subject and the Personal (ICOs) or token generation events? Information Protection Committee. In the case of the transfer of personal data to a third party It had not been clear whether initial coin offerings or any other methods located overseas, as a special rule, a PIHBO may not transfer personal of token generation were governed by the PSA or the FIEA, or both. data unless: The amended FIEA, which came into effect in May 2020, introduces the • the PIHBO obtains the relevant data subject’s prior consent to the concept of electronically recorded transferable rights (ERTRs) to clarify transfer of personal data to a third party located overseas; the scope of tokens governed by the FIEA. The amended PSA clarifies • the relevant third party is located in a jurisdiction having an equiva that ERTRs do not fall under the category of ‘crypto-assets’ governed lent personal information protection framework to the PIPA; or by the PSA. • the relevant third party puts in place equivalent personal infor Tokens generated in security token offerings will constitute ERTRs mation protection measures to those required of a PIHBO if they meet the three requirements of ‘collective investment scheme under the PIPA. interests’ under the FIEA (mentioned below) and are represented by proprietary value transferable by means of an electronic data The aforementioned general rules do not apply in respect of anonymised processing system. Collective investment scheme interests are deemed data. Instead, the PIPA requires a PIHBO to comply with the standard to be formed if: prescribed by the PIPA and the relevant government guidelines when • investors contribute cash or other assets (including crypto-assets) creating and handling anonymised data to ensure that nobody can iden- to a business; tify any specific individual or recover personal information from such • the cash or other assets so contributed are invested in the data. A person who handles anonymised data in its business shall, when business; and transferring it to a third party, publish the items of information relating • investors have the right to receive dividends of profits generated to individuals contained in it and clearly state that the information to be from investments in the business. transferred is anonymised.

ERTRs may be subject to the disclosure rules under the FIEA. Offering of ERTRs will need to be handled by a Type I financial instruments business operator registered under the FIEA. www.lexology.com/gtdt 121 © Law Business Research 2020 Japan Anderson Mori & Tomotsune

Cybersecurity obtain a patent may be assigned to an employer in accordance with the 33 What cybersecurity regulations or standards apply to fintech rules established by the employer. businesses? Under the Copyright Act, the authorship of a work that is created by an employee during the performance of his or her duties for his or The Centre for Financial Industry Information Systems publishes ‘FISC her employer is attributed to the employer. An author retains its moral Security Guidelines on Computer Systems for Banking and Related rights to the subject matter of the copyright. Contractors and consult- Financial Institutions’ (the FISC Guidelines). The FSA refers to the FISC ants can usually acquire the right to obtain a patent or copyright for Guidelines when inspecting and monitoring fintech business operators. inventions developed by them. The FSA’s inspection manuals and supervisory guidelines show the points of focus in connection with cybersecurity risk management. Joint ownership 38 Are there any restrictions on a joint owner of intellectual OUTSOURCING AND CLOUD COMPUTING property’s right to use, license, charge or assign its right in intellectual property? Outsourcing 34 Are there legal requirements or regulatory guidance with Under the Patent Act, when a patent is jointly held, each of the joint respect to the outsourcing by a financial services company of owners may independently use the patent. However, the assignment a material aspect of its business? or grant of the patent requires the consent of the other joint patent holders. On the other hand, under the Copyright Act, the assignment, Broadly speaking, financial services companies may outsource a part licensing and use of the copyrighted work by one of the joint copyright of their business to a third party but are required, for those purposes, holders cannot be made without the consent of all the other joint copy- to put in place any necessary measures to ensure the outsourced busi right holders. ness will be appropriately performed pursuant to the relevant laws and regulations. Such measures include, without limitation, the: Trade secrets • selection of an appropriate service provider that is eligible to 39 How are trade secrets protected? Are trade secrets kept perform the outsourced business; confidential during court proceedings? • monitoring and supervision of outsourced service provider’s performance of duties; and Trade secrets can be protected under the Unfair Competition Prevention • replacing or ceasing to retain the outsourced service provider if it Act. Under the Act, a trade secret means a production method, sales is found that the outsourced service provider does not appropri method, or any other technical or operational information useful for ately perform its duties. business activities that is controlled as a secret and is not publicly known. During court proceedings, the court may, upon motion of a Cloud computing party, issue orders for protecting trade secrets, including prohibiting 35 Are there legal requirements or regulatory guidance with parties and their counsel from disclosing relevant trade secrets to any respect to the use of cloud computing in the financial services other persons. industry? Branding No. 40 What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech INTELLECTUAL PROPERTY RIGHTS businesses ensure they do not infringe existing brands?

IP protection for software Brands may be protected by a trademark. A trademark must be regis- 36 Which intellectual property rights are available to protect tered as a result of successful application with the JPO. Also, protection software, and how do you obtain those rights? under the Unfair Competition Act may be available for brands, regardless of whether they are registered. It must be proven that the product, Patent or copyright may be available to protect software. Software may or indications, is well known or famous. be registered as a patent under the Patent Act if it can be deemed as a For fintech businesses to ensure that they do not infringe existing ‘computer program, etc’. Business methods themselves are not patent- brands, they must conduct research of existing trademarks. They can able; however, a patent may be granted for business methods that are utilise J-PlatPat, the database operated by the National Centre for combined with computer systems or other devices. Productions in Industrial Property Information and Trading, for initial screening. which thoughts or ideas are expressed in creative ways (and that fall within the literary, scientific, artistic or musical domain) are protected Remedies for infringement of IP by copyright. 41 What remedies are available to individuals or companies Patent protection must be registered as a result of successful whose intellectual property rights have been infringed? application with the Japan Patent Office (JPO). A patent holder or the exclusive licensee or copyright holder can claim IP developed by employees and contractors for actual damages for losses incurred as a consequence of the infringe- 37 Who owns new intellectual property developed by an ment, and the Patent Act and the Copyright Act provide presumptive employee during the course of employment? Do the same provisions for the damages. The holder can also seek injunctions rules apply to new intellectual property developed by against infringing third parties, as well as actions required to prevent contractors or consultants? the infringement. In addition, it can make claims for unjust enrichment and licence fee equivalents, and it can seek to restore honour or credit, Under the Patent Act, a patent for an invention is owned by the inventor. for example, by publication of an apology. Infringing third parties may be If the inventor is an employee, he or she will own the patent. The right to subject to criminal penalties under the Patent Act and the Copyright Act.

122 Fintech 2021 © Law Business Research 2020 Anderson Mori & Tomotsune Japan

COMPETITION

Sector-specific issues 42 Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

In April 2020, the Japan Fair Trade Commission published fintech- related market research reports, including the Account Aggregation Service Report and the Cashless Payment Service Report, based on its Akihito Miyake [email protected] extensive research through questionnaire surveys and hearing surveys. The Account Aggregation Service Report found, among other Ken Kawai things, that if a bank in a superior position unjustly refuses applica- [email protected] tion programming interface access from an account aggregation service Tomoyuki Tanaka provider, then in light of normal business practice, the bank’s conduct [email protected] would be in violation of the Anti-monopoly Act (AMA). Asako Matsuo The Cashless Payment Report identified the following potential [email protected] issues, among others. • Banks and fund transfer service providers are competitors in cashless payment, but such non-bank players must be connected to the Otemachi Park Building user's bank account to provide their service. Accordingly, if a bank in 1-1-1 Otemachi, Chiyoda-ku a superior position unjustly refuses fund transfer service providers Tokyo 100-8136 access, the bank’s conduct would be in violation of the AMA. Japan Tel: +81 3 6775 1000 • Interbank settlement charges when using Zengin System, a nation- www.amt-law.com wide online network system for banks, have been fixed at high rate for many years. Banks must reconsider whether the level of the charges are reasonable. • At present, Zengin-Net, the Zengin System operator, does not IMMIGRATION allow fund transfer service providers to access Zengin System. Zengin-Net should set reasonable conditions for access by fund Sector-specific schemes transfer service providers. 45 What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there TAX any special regimes specific to the technology or financial sectors? Incentives 43 Are there any tax incentives available for fintech companies Foreign nationals recognised as ‘highly skilled foreign professionals’ and investors to encourage innovation and investment in the will be given preferential immigration treatment. There are three cate- fintech sector in your jurisdiction? gories of activities of highly skilled foreign professionals: • advanced academic research activities; There are no tax incentives specifically targeting fintech companies • advanced specialised or technical activities; and and investors. That being said, the Japanese tax system provides angel • advanced business management activities. investors with the following tax incentives: • reduction of income tax; or A person who is recognised as a highly skilled foreign professional can • reduction of the capital gains from the transfer of shares in the enjoy preferential treatment, including permission for multiple purposes target company. of activities and grant of a five-year period of stay.

Following recent tax reforms, a tax incentive to promote open innova- UPDATE AND TRENDS tion is available from April 2020 to the end of March 2022. Under this new system, a 25 per cent income deduction will apply to investments of Current developments at least ¥100 million by domestic entities and corporate venture capital 46 Are there any other current developments or emerging in unlisted venture companies that are less than 10 years old. trends to note? In addition, the research and development tax incentive system has been adopted and is often revised with the aim of maintaining and At present, Japanese labour laws do not allow wages and salaries strengthening initiatives that support Japan’s global competitiveness. to be wire transferred to any account other than bank accounts. The Japanese government is now considering lifting the limitation so that Increased tax burden wages and salaries can be paid to users’ accounts held in fund transfer 44 Are there any new or proposed tax laws or guidance that service providers. could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

No.

www.lexology.com/gtdt 123 © Law Business Research 2020 Japan Anderson Mori & Tomotsune

At the time of writing, no emergency legislation, relief programmes or other initiatives specific to fintech that have been implemented to address the pandemic.

124 Fintech 2021 © Law Business Research 2020 Kenya

John Syekei, Dominic Indokhomi, Irene Muthoni and Mercy Mwaniki Coulson Harney Advocates

FINTECH LANDSCAPE AND INITIATIVES a position to support innovators to develop capital market-related innovative ideas to a level of maturity that can be admitted to the sandbox. General innovation climate The Insurance Regulatory Authority has set up a regulatory 1 What is the general state of fintech innovation in your sandbox to facilitate the testing of new ideas and innovations in the jurisdiction? insurance sector. The Insurance Regulatory Authority is currently receiving applications for the first cohort of applicants. The fintech space in Kenya is vibrant. Investment in the sector has The Central Bank of Kenya has signed a fintech cooperation been focused on digital-based lenders, peer-to-peer payment providers, agreement with the Monetary Authority of Singapore to support digital crowdfunding platforms, initial coin offerings and the spread of the use infrastructure development in Kenya and has agreed to collaborate in of cryptocurrency. Across the globe, Kenya is gaining a reputation as developing basic digital infrastructure services in Kenya, based on a a leading fintech hub and was recently ranked as number 63 in the set of common standards. The two authorities also launched the Global global top 100 rankings in the 2020 report of the Findexable Global Fintech Hackcelerator, a platform for start-ups to showcase sustainable Fintech Rankings. financial services innovations. In addition, they organised the Afro- The steady growth of fintech in Kenya can be largely attributed to Asia Fintech Festival, a first of its kind in the region, which seeks to not only market forces but also the interaction and cooperation between explore sustainable financial services innovations from emerging Afro- industry players, end users and an enabling regulatory framework. Asian markets. There has also been an increase in the use of fintech in the delivery The Central Bank of Kenya partnered with five commercial banks of public services; for instance, the Kenyan government has issued to facilitate the launch of a mobile application dubbed Stawi, which is a mobile-based treasury bonds and has set up a taskforce to explore how lending platform targeted towards small and medium-sized enterprises. Kenya can leverage blockchain and internet of things technology. It will offer loans of up to 250,000 Kenyan shillings at a preferential lending rate. Government and regulatory support 2 Do government bodies or regulators provide any support FINANCIAL REGULATION specific to financial innovation? If so, what are the key benefits of such support? Regulatory bodies 3 Which bodies regulate the provision of fintech products and Regulators and government bodies provide support to financial innova- services? tion balanced against consumer protection. For example, the Ministry of Information Communication and Technology set up the Distributed They include the following: Ledgers Technology and Artificial Intelligence Taskforce, which deliv- • the Ministry of ICT is generally responsible for setting policy to ered a report on how the emerging technological revolution could be govern the fintech landscape; leveraged to enhance ICT adoption and development in Kenya. The • the Central Bank of Kenya, established under the Central Bank of government also collaborates with other governments and mone- Kenya Act 1984 (revised edition 2019), is primarily responsible for tary agencies. formulating and implementing monetary policy and regulates the The Capital Markets Authority has signed a cooperation agree- banking and payments sectors; ment with the Abu Dhabi Global Market and the Australian Securities • the Capital Markets Authority, established under the Capital and Investments Commission, which provides a framework for coop- Markets Act 2012 is responsible regulating and maintaining capital eration to support financial innovation between Kenya and the United markets in Kenya; Arab Emirates and between Kenya and Australia. The Capital Markets • the Communications Authority of Kenya, established under the Authority is also a member of the Global Financial Innovation Network, Kenya Information and Communication Act 1998 is in charge an international network of 29 financial services regulators and related of overseeing and developing the information and communica- organisations that is committed to supporting financial innovation. tion sectors; The Capital Markets Authority has also set up a regulatory sandbox • the Competition Authority, established under the Competition Act to test innovative products and services relevant to capital markets in 2010, is purposed with promoting and maintaining fair competition Kenya in a controlled and monitored environment under a more flex- in markets within Kenya; and ible regulatory regime. The Authority is currently receiving applications • other regulators, such as the Insurance Regulatory Authority, regu- for admission to the sandbox from innovators whose ideas have been late fintech products to the extent they are used in connection with developed to a level of operational testing. Moreover, the Authority is the activities regulated by those regulators. also working with existing innovation or incubation centres that are in www.lexology.com/gtdt 125 © Law Business Research 2020 Kenya Coulson Harney Advocates

Regulated activities • the platform or marketplace collects and pools funds from 4 Which activities trigger a licensing requirement in your the public or a section of the public in Kenya for the purpose of jurisdiction? investment; and • the funds collected are managed by or on behalf of the scheme by The following activities trigger a requirement to be licensed by the the promoter. Capital Markets Authority if the investments in question relate to securities issued to the public: Considering the above definition, there is a greater likelihood of a • arranging (bringing about) deals in investments; crowdfunding platform being deemed a collective investment scheme • making arrangements with a view to transact in investments; than a peer-to-peer or marketplace lending platform. To the extent • dealing in investments as principal or agent; and that the fintech innovation will be regarded as a collective investment • advising on investments. scheme, it must be registered with the Capital Markets Authority, which will regulate the activities of the scheme if approved. Foreign exchange trading also requires a licence issued by the Capital The Capital Markets Authority, on 28 May 2020, published a note Markets Authority. titled ‘Guidance for Collective Investment Schemes on Valuation, Deposit-taking business and provision of payment services require Investment Performance Measurement Reporting and other Related licensing and authorisation by the Central Bank of Kenya. Lending, Matters’ in recognition of the need to standardise practices in the factoring and invoice discounting do not require licensing. sector. The Guidance is in draft form and is awaiting public participation. It seeks to ensure that fund managers of collective investment schemes Consumer lending have developed comprehensive investment policies and procedures to 5 Is consumer lending regulated in your jurisdiction? govern the valuation of assets. In addition, the fund manager would be required to prepare and submit to the Authority a performance measure- Consumer lending constitutes a financial service that does not require ment report quarterly in addition to the existing reporting obligations. licensing in Kenya. However: • if the funds used for lending constitute deposits held from Alternative investment funds members of the public, a license issued by the Central Bank of 8 Are managers of alternative investment funds regulated? Kenya is required; • persons undertaking consumer lending must comply with the Yes. If the alternative investment fund is a collective investment scheme business set-up requirements in Kenya, including the obligation to as defined in the Capital Markets Act 2012, it may only appoint a person obtain a business permit from the applicable county government who is licensed by the Capital Markets Authority as a fund manager to where their business premises are located; and manage it. • persons undertaking consumer lending must comply with the If the alternative investment fund does not constitute a collec- requirements of the Consumer Protection Act 2012, which include tive investment scheme and is, therefore, not regulated by the Capital disclosure requirements and restrictions against imposition of Markets Authority, the manager may still have to be regulated as a penalty charges and prepayment penalties licensed investment adviser or fund manager, depending on the amount of the portfolio managed on behalf of the fund. An investment adviser There have been a number of statements by the Central Bank of Kenya may manage a portfolio of up to 10 million Kenyan shillings, whereas on the issue of regulating consumer lending by digital platforms. The a fund manager’s licence would be required to manage a portfolio first attempt to do this was through the Financial Markets Conduct Bill exceeding 10 million Kenyan shillings. 2018, which sought to introduce a new prudential regulator in the financial services sector. The Bill went through public participation but is yet Peer-to-peer and marketplace lending to be introduced to Parliament. 9 Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction. Secondary market loan trading 6 Are there restrictions on trading loans in the secondary Except to the extent that peer-to-peer or marketplace lending constitute market in your jurisdiction? collective investment schemes, these are not generally regulated activities in Kenya. There are no regulatory restrictions on trading loans in the secondary If these activities are provided in conjunction with a regulated entity market. If the loans constitute debt securities issued to the public, (such as banks, financial institutions or payment service providers), the however, the requirements of the capital markets legislation with product may be subject to approval by the relevant regulator (being regard to issuance of securities to the public apply. These include the the Central Bank of Kenya), as well as compliance with regulations or need to obtain the approval of the Capital Markets Authority. guidelines issued by the regulator.

Collective investment schemes Crowdfunding 7 Describe the regulatory regime for collective investment 10 Describe any specific regulation of crowdfunding in your schemes and whether fintech companies providing alternative jurisdiction. finance products or services would fall within its scope. There are no specific laws or regulations concerning crowdfunding in Collective investment schemes are regulated by the Capital Markets Kenya. However, the laws governing the financial services sector are, Authority under the Capital Markets Act 2012 and the Capital Markets in many instances, broadly drafted. Consequently, crowdfunding may be (Collective Investment Schemes) Regulations 2001 issued thereunder. considered a regulated activity thereunder. For instance: These laws regulate any alternative financial products or services • dealing in securities, offering securities to the public or a section that fall within the definition of a CIS. This means that any platform or thereof, and marketing securities are regulated activities under marketplace that satisfies the following would be considered a CIS: the Capital Markets Act 2012 and the subsidiary legislation

126 Fintech 2021 © Law Business Research 2020 Coulson Harney Advocates Kenya

issued thereunder; thus, equity crowdfunding and, depending on The Act requires persons carrying out insurance or reinsurance the nature of the rewards, reward-based crowdfunding would be business to be licensed by the Commissioner of Insurance. Insurance regulated; and intermediaries, such as agents, motor assessors, insurance investiga- • by virtue of the fact that crowdfunding facilitates the transfer of tors and loss adjusters, must also be registered under the Act. There is value, it may fall within the regulatory ambit of the anti-money no distinction or exemption in place for fintech companies that carry on laundering and countering the financing of terrorism regulator, the any of these regulated activities. Financial Reporting Centre, and would be subject to the Proceeds of Crime and Anti-Money Laundering Act 2009 and the Prevention Credit references of Terrorism Act 2012. 16 Are there any restrictions on providing credit references or credit information services in your jurisdiction? Invoice trading 11 Describe any specific regulation of invoice trading in your Yes, only entities that are licensed by the Central Bank of Kenya under jurisdiction. the Banking Act (Credit Reference Bureau) Regulations 2020 to conduct credit reference business may provide credit reference checks. There is no specific regulation that governs invoice trading in Kenya. CROSS-BORDER REGULATION Payment services 12 Are payment services regulated in your jurisdiction? Passporting 17 Can regulated activities be passported into your jurisdiction? Yes. Payment services are regulated by the Central Bank of Kenya under the National Payment System Act 2011 and the regulations issued No, regulated activities cannot be passported into Kenya. thereunder. These laws require individuals to obtain the authorisation of the Requirement for a local presence Central Bank of Kenya to carry on a payment services provider business 18 Can fintech companies obtain a licence to provide financial in Kenya. The laws also empower the Central Bank of Kenya to desig- services in your jurisdiction without establishing a local nate a payment system, which will be subject to regulation. presence?

Open banking No. To provide regulated financial services in Kenya, a fintech company 13 Are there any laws or regulations introduced to promote must establish a local presence in Kenya. In addition, as part of the competition that require financial institutions to make licensing process and ongoing compliance requirements, they customer or product data available to third parties? often require a confirmation of the physical address of the applicant or licensee. No. Local laws do not require the mandatory sharing of information by Additionally, the Companies Act 2015 prohibits a company from financial institutions to make customer or product data available to third carrying out business in Kenya unless it has been registered as a parties. However, there is a credit referencing framework set up under foreign company. the Central Bank of Kenya Act 1984 (revised edition 2019). Kenya passed the Data Protection Act 2019, which requires data SALES AND MARKETING controllers and processors (in this case, financial institutions), as far as practicable before collecting personal data, to inform the data subject Restrictions of, among other things, the third parties with whom their personal 19 What restrictions apply to the sales and marketing of data may be shared. Customers should be notified of any anticipated financial services and products in your jurisdiction? sharing of their data, including for purposes of open banking or credit referencing. The marketing of financial services in Kenya is generally restricted to licensed entities. Various prudential regulators have sector-specific Robo-advice restrictions on marketing. For instance, the Central Bank of Kenya 14 Describe any specific regulation of robo-advisers or other requires marketing communication issued by its licensees to indicate companies that provide retail customers with automated that they are regulated by the Central Bank of Kenya. On the other hand, access to investment products in your jurisdiction. the Capital Markets Authority grants prior approval of public communication by its licensees and issuers of securities. There is no specific regulation pertaining to robo-advisers or other The Consumer Protection Act 2012 also sets out criteria for the companies that provide retail customers with automated access to marketing of products and services, which require that communication investment products in Kenya. be clear and true. However, where the investments in question relate to securities issued to the public, the company must comply with the capital market CHANGE OF CONTROL legislation and must obtain a licence. Notification and consent Insurance products 20 Describe any rules relating to notification or consent 15 Do fintech companies that sell or market insurance products requirements if a regulated business changes control. in your jurisdiction need to be regulated? The consent of the Competition Authority is required if the acquisition of Yes. The Insurance Act (revised edition 2020) and the subsidiary legisla- shares, business or other assets results in a change of control of a busi- tion issued thereunder regulates all persons carrying out insurance or ness under the Competition Act 2010. The Rules of the Determination reinsurance business. of Merger Notification Thresholds and Method of Calculation provide www.lexology.com/gtdt 127 © Law Business Research 2020 Kenya Coulson Harney Advocates

guidelines on the transactional limits that require a merger notifica- • National Payment System (Anti-money Laundering Guidelines for tion and an application for the exclusion or approval of the Competition the Provision of Mobile Payment Services) Guidelines 2013, which Authority. provide guidance to mobile payment services on the monitoring In addition to the approval of the Competition Authority, if certain and reporting of suspected money laundering activities on their regulated entities change control, they must obtain approval or notify platforms; and the relevant regulator. For example: • Guidelines on the Prevention of Money Laundering and Terrorism • a regulated telecommunications entity must notify the Financing in the Capital Markets (Gazette Notice 1421), which Communications Authority of any change of control, and where the emphasise the need for due diligence, record-keeping, the estab- change of control affects at least 15 per cent of the shareholding, lishment of policies and procedures to address specific risks the approval of the Communications Authority must be sought; associated with the use of new technology and business rela- • a person who intends to acquire at least 5 per cent of the share tions or transactions conducted at a distance, and reporting to the capital of any licenced bank must obtain the approval of the Central Financial Reporting Centre. Bank of Kenya; • any amalgamation of a bank or financial institution, or arrange- Fintech businesses that fall within the definition of reporting institutions ment to transfer any part of the assets or liabilities, must obtain under the Proceeds of Crime and Anti-Money Laundering Act 2009 and the written approval of the Cabinet Secretary of National Treasury the Prevention of Terrorism Act, 2012 should register with the Financial and Planning; Reporting Centre, actively exercise due diligence and conduct legal • a transfer of more than 10 per cent of a deposit-taking micro compliance audits to avoid violating the law. finance institution requires the prior approval of the Central Bank of Kenya; PEER-TO-PEER AND MARKETPLACE LENDING • a person who intends to acquire or dispose of 10 per cent or more of the share capital of an insurance company must obtain the Execution and enforceability of loan agreements approval of the Insurance Regulatory Authority; 23 What are the requirements for executing loan agreements or • for listed entities, the takeover regime requires the purchaser to security agreements? Is there a risk that loan agreements notify the Capital Markets Authority, the target and the Nairobi or security agreements entered into on a peer-to-peer or Securities Exchange if it intends to acquire effective control of the marketplace lending platform will not be enforceable? target entity; and • every company carrying out business in Kenya must inform the Under the general Contract Law, it is advisable for parties to execute an Kenya Revenue Authority of any changes in the case of persons with agreement that is valid, certain and provable. Execution formalities in a shareholding of 10 per cent or more of the issued share capital. relation to corporate entities largely depend on the constitutive documents and applicable laws. For instance, the Companies Act provides FINANCIAL CRIME that in respect of companies and for any agreement to be validly executed, it must be either signed by a director in the presence of a Anti-bribery and anti-money laundering procedures witness or by any two authorised signatories. 21 Are fintech companies required by law or regulation to have Additional execution requirements, such as attestation, may apply, procedures to combat bribery or money laundering? particularly for security documents. Pursuant to recent changes under the law, electronic signatures are acceptable as valid signatures to Yes. Fintech companies, as is the case of all other companies offering the extent that they meet the requirements regarding the reliability of regulated financial services in Kenya, must have procedures to combat advanced electronic signatures. These requirements are set out under bribery or money laundering, including procedures to maintain robust the Kenya Information and Communications Act 2010. know-your-customer procedures and to report any suspicious activity An internet agreement should comply with the provisions of the by customers that may be indicative of money laundering activities. Consumer Protection Act 2012. An internet agreement is defined as an agreement that is formed by text-based internet communications. The Guidance Act requires full disclosure of all prescribed information to a customer. 22 Is there regulatory or industry anti-financial crime guidance However, it is not clear what prescribed information is to be provided as for fintech companies? this has not been provided under the Act. An online loan agreement will be enforceable if a customer is given an opportunity to accept, decline Kenya does not have an industry anti-financial crime guidance. or correct any errors before concluding the agreement. Moreover, the Nonetheless, all entities operating in Kenya and their officers fall internet agreement will be validly executed by the use of an electronic under the purview of laws relating to anti-financial crime, including signature. fintech companies. The anti-financial crime laws require entities to In addition, unless exempted from payment of stamp duty, agree- comply with the: ments must be stamped with the relevant stamp duty to be enforceable. • Bribery Act 2016, which requires private entities to put in place Stamp duty payment and assessment may be done using the online procedures appropriate to their size and nature of their operations Kenya Revenue Authority platform. Failure to stamp the agreements for the purposes of preventing bribery and corruption; does not render them invalid, but the lack of stamping means that • Proceeds of Crime and Anti-Money Laundering Act 2009 and the they may not be admissible before the Kenyan courts as evidential Prevention of Terrorism Act 2012, which prohibit the use of prop- documents. Further, security agreements should be registered at the erty for money laundering purposes. They specifically target money relevant registries in accordance with applicable laws. laundering, tax evasion, theft, fraud, terrorist financing, drug traf- ficking, piracy, bribery and corruption; • Anti-Corruption and Economic Crimes Act 2003, which provides for the prevention, investigation and punishment of corruption, economic crime and related offences;

128 Fintech 2021 © Law Business Research 2020 Coulson Harney Advocates Kenya

Assignment of loans solely on automated processing, including profiling, that produces legal 24 What steps are required to perfect an assignment of effects concerning or significantly affecting the data subject. loans originated on a peer-to-peer or marketplace lending platform? What are the implications for the purchaser if the Distributed ledger technology assignment is not perfected? Is it possible to assign these 28 Are there rules or regulations governing the use of distributed loans without informing the borrower? ledger technology or blockchains?

The assignment of loans that originated on a peer-to-peer or marketplace There are no rules or regulations governing the use of distributed ledger lending platform should be registered on the online collateral registry, technology or blockchains. in accordance with the Movable Property Security Rights Act 2017, for the assignment to be effective against third parties. The registration is Crypto-assets done online on the eCitizen online platform. It is fairly straightforward, 29 Are there rules or regulations governing the use of crypto- and it requires the registrant to have a user account, that is, an eCitizen assets, including digital currencies, digital wallets and account that allows access to the eCitizen online platform. e-money? Where registration is not undertaken, the assignment may not be enforceable against a receiver or creditors of the assignor or There are currently no regulations that regulate the use of crypto-assets other parties. in Kenya. However, the Central Bank of Kenya has warned the Kenyan It is also necessary to inform or notify the borrowers or debtors public against dealing in virtual currencies, and the Capital Markets about the assignment to ensure that they are bound to channel repay- Authority has cautioned that it has not approved any initial coin offerings ments in accordance with the assignee’s instructions. Borrowers or because of the perceived volatility and the lack of specific regulation. debtors who have been notified can only be discharged by making The notice by the Central Bank of Kenya stated that virtual currencies payment as instructed in the notification. are not acceptable since they are not legal tender in Kenya. However, it is unclear what the legal position is in respect of virtual currencies that have Securitisation risk retention requirements been designated as legal tender in foreign jurisdictions as they would fall 25 Are securitisation transactions subject to risk retention within the definition of foreign currency, which is acceptable in Kenya. requirements? Digital wallets and e-money constitute payment instruments under the National Payment System Act 2011, which defines a payment instru- The regulation governing securitisation transactions requires that, as ment as an instrument that enables a person to obtain money, goods or key features of asset-backed securities, the special purpose vehicle services or to otherwise make payments. Accordingly, the use of digital used in the securitisation be bankruptcy or insolvency-remote, and that wallets and e-money is regulated and governed by the Act and would there should be a true sale of the assets to the special purpose vehicle need to comply with the conditions contained within it, including the or a direct origination of assets into the special purpose vehicle. Other requirement of the digital wallet or e-money provider to register with than those, there are no risk retention requirements. the Central Bank of Kenya.

Securitisation confidentiality and data protection requirements Digital currency exchanges 26 Is a special purpose company used to purchase and securitise 30 Are there rules or regulations governing the operation of peer-to-peer or marketplace loans subject to a duty of digital currency exchanges or brokerages? confidentiality or data protection laws regarding information relating to the borrowers? There are no rules or regulations governing the operation of digital currency exchanges or brokerages. However, the Central Bank of Yes. Article 31 of the Constitution of Kenya 2010 guarantees the right Kenya has issued a press release noting that those currencies are not to privacy for every Kenyan, including the right not to have information legal tender in Kenya and warning the public against dealing in digital relating to a person’s family or private affairs be required unnecessarily currencies. or the privacy of their communications be infringed. The Data Protection Act 2019 is the overarching legislation in Initial coin offerings Kenya that regulates collection, processing and related actions in the 31 Are there rules or regulations governing initial coin offerings handling, use and storage of personal data. It applies to the processing (ICOs) or token generation events? of personal data by resident and non-resident data controllers and processors where the data subjects are located in Kenya. A special There are no rules or regulations governing initial coin offerings or purpose company used to purchase and securitise peer-to-peer or token generation events. However, the Capital Markets Authority has marketplace loans must comply with the provisions of the data protec- cautioned the public that it has not approved any initial coin offerings. tion legislation if it collects or processes any personal data. DATA PROTECTION AND CYBERSECURITY ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER TECHNOLOGY AND CRYPTO-ASSETS Data protection 32 What rules and regulations govern the processing and Artificial intelligence transfer (domestic and cross-border) of data relating to 27 Are there rules or regulations governing the use of artificial fintech products and services? intelligence, including in relation to robo-advice? Article 31 of the Constitution guarantees the right to privacy for every There are no specific rules governing the use of artificial intelligence, Kenyan, including the right not to have information relating to a person’s including in relation to robo–advice. However, under the Data Protection family or private affairs be required unnecessarily or the privacy of their Act 2019, a data subject has a right not to be subject to a decision based communications be infringed. www.lexology.com/gtdt 129 © Law Business Research 2020 Kenya Coulson Harney Advocates

The Data Protection Act 2019 is the overarching legislation in Kenya instance, the National Payment System Act 2011 requires prior approval that regulates collection, processing and related actions governing of the Central Bank of Kenya for material outsourcing and prior notifica- the handling, use and storage of personal data. The Act applies to the tion where the outsourcing is not material. The Banking Act (revised processing of personal data by resident and non-resident data control- edition 2019) also requires that licensees apply for the prior approval of lers and processors where the data subjects are located in Kenya. the Central Bank of Kenya for any material outsourcing. There are certain restrictions related to the processing of sensitive personal data. Cloud computing Fundamentally, all processing of personal data should only be 35 Are there legal requirements or regulatory guidance with carried out in accordance with the data protection principles under the respect to the use of cloud computing in the financial services Data Protection Act 2019. A data controller or processor is not permitted industry? to process personal data unless it has a lawful basis for the processing, such as consent or necessity, or the processing is for the performance The ICT Authority of Kenya published the Cloud Computing Standard of a contract. However, where the data constitutes sensitive personal 2019 (the Standard), which outlines various considerations for minis- data, it should only be processed if the processing is necessary for the tries, counties or agencies in the selection of services and models for purpose of carrying out the obligations and exercising specific rights of online storage services, applications and data, such as software as a the controller or the data subject. A data controller or processor must service, infrastructure as a service, public cloud, private cloud, commu- obtain the personal data directly from the data subject and may only nity cloud and hybrid cloud. It is recommended that fintech service collect the data from a third party in accordance with the provisions of providers model their products in accordance with the Standard to the Data Protection Act 2019. allow for the use of the products and solutions by government agencies. A data controller or processor that transfers personal data outside In addition, where cloud computing involves the transfer of personal Kenya should ensure that it obtains the data subject’s consent or have data to data servers located outside Kenya, fintech companies should in place appropriate safeguards for the protection of the data that is ensure compliance with the Data Protection Act 2019. subject to the transfer. Where the personal data being transferred constitutes sensitive personal data, the consent of the data subject INTELLECTUAL PROPERTY RIGHTS must be obtained, and adequate data protection safeguards must be put in place. IP protection for software 36 Which intellectual property rights are available to protect Cybersecurity software, and how do you obtain those rights? 33 What cybersecurity regulations or standards apply to fintech businesses? Copyright The ownership of copyright to a computer program belongs to the All companies in Kenya, including fintech businesses, are subjected to creator of the software. Subject to the provisions of the Copyright the Computer Misuse and Cybercrimes Act 2018, which aims to protect Act 2001, the copyright holder enjoys the right to copy the software, the confidentiality, integrity and availability of computer systems, create derivative or modified versions of it and distribute copies to the programs and data, as well as facilitate the prevention, detection, inves- public for sale or licence. The rights come into existence immediately tigation, prosecution and punishment of cybercrimes. The Act provides upon the production of the work in a tangible medium of expression. for various offences including, inter alia, system interference; unlawful However, it is recommended to register the copyright with the Kenya interception of computer data, traffic data or signals; unlawful intercep- Copyright Board. tion of electronic messages or money transfers; and wilful misdirection of electronic messages. Patent In addition, the Central Bank of Kenya issued the Guideline on Patent protection is available for inventions of novel software that, Cybersecurity for Payment for Service Providers 2019. The Guideline beyond being novel, also disclose an inventive step that is machine sets out the minimum requirements that payment service providers linked and is industrially applicable. Patent protection is not available should build on in the development and implementation of strategies, for software that comprises business methods or results in a score. A frameworks, policies and procedures to mitigate cyber risk and enhance patent holder will enjoy the right to exclusive use, sale and distribution cybersecurity governance and risk management. This Guideline builds of the software. on a 2017 guidance note issued by the Central Bank of Kenya in August An eligible applicant should submit their claims and the prescribed 2017, which set the minimum requirements that regulated institutions Form IP3 to the Registrar of Patents at the Kenya Industrial Property must factor into their standards, policies and procedures. Institute, requesting the Registrar to grant a patent under the Industrial For fintech businesses that are also telecommunications licensees, Property Act 2001. Kenya operates a substantive examination process they are mandated, at all times, to ensure the integrity of their commu- that includes a worldwide novelty search. Patent holders’ rights may be nications infrastructure and to desist from unlawful interception of any subject to compulsory licensing where certain conditions under the Act messages or correspondence between users. are met for reasons of public interest or are based on the interdepend- ence of patents. OUTSOURCING AND CLOUD COMPUTING Patent holders are prohibited from including unjustified restrictions in licences on the licensee where the restrictions are harmful to the Outsourcing economic interests of Kenya. The restrictions are put in place to ensure 34 Are there legal requirements or regulatory guidance with that the terms of licensing are fair, reasonable and non-discriminatory. respect to the outsourcing by a financial services company of a material aspect of its business? Trademarks Although trademarks do not protect the software or technology itself, Yes, where financial services companies are regulated, various pruden- they can be used to protect the names or symbols used to distinguish a tial statutes have legal requirements in respect of outsourcing. For particular software or product in the marketplace.

130 Fintech 2021 © Law Business Research 2020 Coulson Harney Advocates Kenya

IP developed by employees and contractors of the right, the proprietor can institute a claim for damages and may 37 Who owns new intellectual property developed by an obtain an injunction preventing future use of the infringing mark. employee during the course of employment? Do the same A fintech business seeking to avoid infringing on any existing rules apply to new intellectual property developed by brands should conduct a search of the particular mark they propose to contractors or consultants? use at the trademarks registry to determine whether a brand is available for use or registration prior to use in Kenya. The Industrial Property Act 2001 and the Copyright Act 2001 provide that intellectual property developed by an employee during the course Remedies for infringement of IP of employment belongs to the employer. This notwithstanding, where an 41 What remedies are available to individuals or companies invention is exceptionally important, an employee is entitled to equitable whose intellectual property rights have been infringed? remuneration. Intellectual property developed by a contractor or consultant while In terms of copyright infringement under the Copyright Act 2001, an executing a commission belongs to the person who commissioned the aggrieved party should alert the Kenya Copyright Board to seize the work unless otherwise agreed between the parties in writing infringing materials and initiate appropriate criminal proceedings. Civil proceedings may also be initiated by aggrieved parties, and some of the Joint ownership remedies that may be sought include injunctions and damages. 38 Are there any restrictions on a joint owner of intellectual In respect of trademarks, enforcement proceedings should be property’s right to use, license, charge or assign its right in filed against any infringing action before the High Court of Kenya. intellectual property? If successful, the aggrieved party may be entitled to an injunction to prevent the future use of the trademark, damages, an account for profits Yes, a joint owner must obtain the consent of the other joint owner of by the infringer, delivery up and destruction of goods, products or mate- the intellectual property right to use, license, charge or assign its right rial bearing the infringing marks. in the intellectual property. Patent infringement proceedings are instituted before the It is recommended that joint owners set out each party’s rights and Industrial Property Tribunal, which sits within the Kenya Industrial obligations in an agreement. Property Institute. The aggrieved party may be entitled to an injunction to prevent the future use of the patent and damages. Trade secrets 39 How are trade secrets protected? Are trade secrets kept COMPETITION confidential during court proceedings? Sector-specific issues In Kenya, protection of trade secrets is mostly by way of common law 42 Are there any specific competition issues that exist with and equity (and there are a few judicial decisions on this topic). Some respect to fintech companies in your jurisdiction? form of protection of trade secrets can also be found in various pieces of legislation, such as those relating to employment and contracts. The Competition Act 2010 provides the statutory framework governing Kenya does not have a statute dedicated to the protection of trade competition within Kenya. Specific to fintech companies, the Act secrets. However, Kenya is a signatory to the Agreement on Trade- provides that in the provision of banking, microfinance, insurance and Related Aspects of Intellectual Property Rights, which regulates the other services, the services provider is not permitted to impose unilat- unauthorised use and disclosure of trade secrets. eral charges and fees if these have not been brought to the attention To protect trade secrets, non-disclosure agreements may be used, of the consumer prior to their imposition or prior to the provision of and information that is confidential should be marked as such and kept the service. confidential, and its circulation should be limited to restricted persons. In addition, fintech companies must ensure not to engage in restrictive trade practices that are prohibited by the Competition Act, including Branding entering into any agreements or undertakings, the effect of which 40 What intellectual property rights are available to protect prevent or weaken competition in the trade of any goods and services. branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing TAX brands? Incentives Branding is protected in Kenya by registration of a brand as a trademark 43 Are there any tax incentives available for fintech companies under the Trade Marks Act 1982 (revised edition 2012). A trademark and investors to encourage innovation and investment in the is defined as a mark, which includes a guise, slogan, device, brand, fintech sector in your jurisdiction? heading, label, ticket, signature, word, letter or numeral or any combination of these, that is used to distinguish a product or service. There are currently no tax incentives specifically available to fintech To be afforded protection under the Act, an applicant is required companies in Kenya. to register the trademark with the Registrar of Trademarks at the Kenya Industrial Property Institute, using the prescribed Form TM2 and Increased tax burden providing a specimen of the trademark. Trademark protection is avail- 44 Are there any new or proposed tax laws or guidance that able for product names, logos, dress, certification marks and collective could significantly increase tax or administrative costs for marks. Trademarks must be distinctive for them to be registrable fintech companies in your jurisdiction? and enforceable against third parties unless acquired distinctiveness through use can be proven. Under the Income Tax Act (revised edition 2019), income that is derived Upon registration of a trademark, the proprietor of the trademark from or that accrues in Kenya through a digital marketplace is subject will enjoy the right to exclusive use of the trademark. Upon infringement to income tax at the prescribed rates, namely 25 per cent for Kenya www.lexology.com/gtdt 131 © Law Business Research 2020 Kenya Coulson Harney Advocates

tax residents and 37.5 per cent for permanent establishments for non- resident persons. A digital marketplace has been defined as a platform that enables the direct interaction of buyers and sellers though electronic means. The Finance Bill, 2020 (the Bill) proposes to amend the Income Tax Act (revised edition 2019) by introducing a digital services tax (DST) that will be payable by a person whose income is derived from or that is accrued in Kenya through a digital marketplace. The DST will be payable at the time of transfer of the payment for the services to the services John Syekei [email protected] provider. The rate of DST is 1.5 per cent of the gross transactional value. For residents and permanent establishments of a non-resident Dominic Indokhomi person (foreign companies), the DST is proposed to be an advance tax [email protected] that can be utilised towards offsetting a taxable person’s tax liability Irene Muthoni for that year of income. The Bill also provides for the appointment of a [email protected] digital services agent by the Kenya Revenue Authority for purposes of Mercy Mwaniki collecting the DST. [email protected] Under the Value Added Tax Act 2013, services in relation to the issue, transfer, receipt and any other dealing with money, including money transfer services and telegraphic money transfer services, are 5th Floor, West Wing exempt from value added tax (VAT). ICEA Lion Centre Riverside Park For the supply of electronic services, these are subject VAT at the Chiromo Road Nairobi standard rate, which is 14 per cent. Electronic services comprise the Kenya Tel: +254 20 289 9000 following services when offered through a telecommunications network: Fax: +254 20 289 9100 • websites, web-hosting, or remote maintenance of programs and www.bowmanslaw.com equipment; • software and the updating of software; • images, text and information; • access to databases; UPDATE AND TRENDS • self-education packages; • music, films and games, including games of chance; and Current developments • political, cultural, artistic, sporting, scientific and other broadcasts 46 Are there any other current developments or emerging and events, including broadcast television. trends to note?

Additionally, VAT is chargeable on supplies made through a digital The mainstream use of fintech is gaining traction in Kenya, and both marketplace. The implementation of the provision is subject to the issu- commercial enterprises and government entities are exploring the ance of regulations by the Cabinet Secretary in charge of the National adoption of fintech to improve service delivery; for instance, blockchain Treasury and Planning. The Cabinet Secretary recently issued the VAT solutions are being explored to streamline and update the land registra- (Digital Market Supply) Regulation (the Draft Regulations) for public tion process. comment. The Draft Regulations provide for a number of matters, At the same time, fintech innovation has led to the development including taxable services chargeable to VAT when supplied through of various platforms, such as Kopa Link, that aim to bridge the finan- a digital marketplace and registration of non-resident digital services cial gap by making financial products more accessible to a larger providers under a simplified registration regime or appointment of a tax population. representative where necessary. An emerging trend is the taxation of the digital economy with the The proposed taxes target both the parties transacting in a digital introduction and proposal of digital taxes on supplies of digital services marketplace as well as the operator of the digital marketplace platform. and the revenues of digital services providers. The growth of the fintech industry is likely to be accelerated by the IMMIGRATION covid-19 pandemic as the Kenyan government has discouraged cash transactions, leading to an increase in use of other payment services, Sector-specific schemes especially mobile-based payment solutions. 45 What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there Coronavirus any special regimes specific to the technology or financial 47 What emergency legislation, relief programmes and other sectors? initiatives specific to your practice area has your state implemented to address the pandemic? Have any existing There are no immigration schemes available for fintech businesses to government programmes, laws or regulations been amended recruit skilled staff from abroad. There is also no special regime specific to address these concerns? What best practices are advisable to the technology or financial sectors. Any person can apply under the for clients? Kenya Citizenship and Immigration Act 2011 for a work permit. However, ICT experts require clearance from the ICT Ministry to support their Some of the measures implemented by the government to contain the application for a work permit from the Immigration Department. spread of the coronavirus and cushion the economy against the adverse effects of the pandemic include those listed below. • The government has discouraged the use of physical cash. Through the Central Bank of Kenya in partnership with licensed banks, the

132 Fintech 2021 © Law Business Research 2020 Coulson Harney Advocates Kenya

government announced the waiver of certain transaction fees in respect of mobile money transfers. • Commercial Banks, in conjunction with the Central Bank of Kenya, initiated and have been implementing the restructuring of loans to provide relief and free up liquidity for businesses and individuals. • The Central Bank of Kenya amended the existing credit referencing regulations to restrict financial services providers from listing individuals whose loans fall overdue or in arrears during the pandemic. In addition, the amendments bar digital credit providers from providing the financial information of their borrowers to credit referencing bureaus. • The president assented to the Tax Laws Amendment Act 2020, which provides for a reduction in income tax rates for individuals, a reduction of the corporation tax rate for resident companies, a reduction in the turnover levy for small and medium-sized businesses and an exemption from income tax to individuals whose income is below 24,000 Kenyan shillings. • The government also reduced the VAT rate from 16 per cent to 14 per cent, a measure aimed at reducing the prices of basic goods and, thus, offering relief for low-income individuals.

www.lexology.com/gtdt 133 © Law Business Research 2020 Liechtenstein

Thomas Nägele and Thomas Feldkircher NÄGELE Attorneys at Law

FINTECH LANDSCAPE AND INITIATIVES Government and regulatory support 2 Do government bodies or regulators provide any support General innovation climate specific to financial innovation? If so, what are the key 1 What is the general state of fintech innovation in your benefits of such support? jurisdiction? Communication with the FMA's fintech department is excellent. Many reputable players on the blockchain scene have come to Therefore, any new projects may be introduced in a personal meeting Liechtenstein to establish businesses. For example, Yanislav Malahov with the FMA. A legal opinion examining the business model and the (who was closely involved in the creation of Ethereum) has founded token functionality (if a token is issued) will usually be filed with the Aeternity – the first blockchain-based project in Liechtenstein with a FMA to receive a preliminary evaluation. If no regulation applies, the market capitalisation of more than US$1 billion (on 8 May 2018, making FMA will issue a statement indicating that the intended business does it the first Liechtenstein blockchain unicorn). Ultimately, Aeternity is a not fall under its jurisdiction if it is exercised in the way presented to project focused on smart contracts, allowing for the execution of cred- the FMA in the set of facts of a legal opinion. The FMA has a department ible transactions through blockchain technology without the help of that is wholly dedicated to the analysis of fintech projects; therefore, it third-party intermediaries. has amassed extensive knowledge in this field and operates in a time- Communications with the local regulator – the Financial Market efficient manner. Authority (FMA) – are efficient, as the FMA established its own fintech The FMA has also issued a factsheet on virtual currencies such as department in June 2018. Moreover, a ‘regulation laboratory’ has been bitcoin, which was published on 16 February 2018. The fact sheet stated established to further the proliferation of fintech businesses. that a ‘virtual currency’ is generally defined as a ‘digital representation In addition to these local projects and advancements in favour of of a (cash equivalent) value that is neither issued by a central bank or a fintech innovation, the Law on Tokens and TT Service Providers (the public authority. Further, the factsheet states that these tokens do not Blockchain Act) came into force on 1 January 2020. In general, the constitute fiat currency (legal tender). However, it points out that virtual government is open-minded when it comes to fintech projects. In addi- currencies are similar to fiat currencies when they are used as a means tion, the Crypto Country Association has been founded, which deals with of payment or traded on an exchange. various topics relating to the Liechtenstein crypto-ecosystem. The FMA also issued a fact sheet on initial coin offerings (ICOs) on The success of established and young companies has been aided by 10 September 2017 (last updated on 1 October 2018). Depending on the general state conditions, which are especially favourable to blockchain- specific design and function of the tokens, the guidance explains that based projects. The Ministry of Presidential and Finance has created tokens may constitute financial instruments if they have characteristics innovation clubs, enabling companies to contribute ideas for improving of securities or other investments. Further, activities relating to finan- the framework of conditions in an unbureaucratic manner. Moreover, the cial instruments are subject to licensing by the FMA, which assesses ministry offers all market participants from Liechtenstein and overseas token offerings (ie, ICOs, token generation events or security token the ability to engage in a transparent process for implementing ideas to offerings) on a case-by-case basis. The FMA’s administrative practice improve the conditions of the local framework. Ultimately, successfully on token regulation has since developed, and the general opinion in tested ideas are supported in direct contact with the ministry until they Liechtenstein is that a token will follow the underlying (substance over are implemented. form). Therefore, the following applies: The ability to build new disruptive business models is crucial • If the token represents e-money, it will be classified as e-money. to the strategic competence of an economy. At the same time, while • If the token represents a financial instrument, the supervisory financing start-ups poses great challenges, so does the question of what regulations regarding financial instruments apply. constitutes an optimal level of support. Through favourable business • If the token represents ownership rights of tangible chattel (right in conditions and state support, the government has created an incubator rem), supervisory regulation does not apply, but general civil law is in cooperation with private partners, which has led to the successful applicable (eg, on the transfer of commodities). establishment of numerous start-ups in Liechtenstein. In addition, the FMA is responsible for the supervision and the implementation as well the registration of trustworthy technologies service providers under the Blockchain Act.

134 Fintech 2021 © Law Business Research 2020 NÄGELE Attorneys at Law Liechtenstein

FINANCIAL REGULATION assignment price paid for the purchased receivables without the possibility of a redemption. The retailer is only liable for the legal existence of Regulatory bodies its assigned customer claim. 3 Which bodies regulate the provision of fintech products and However, if loans (in the sense of a lending business) are traded (ie, services? a new creditor is entering the agreement), then this will likely constitute a banking business. This must be differentiated on a case-by-case basis. The Financial Market Authority (FMA) is the supervisory authority in the fintech sector, as well as the Liechtenstein financial market in general. Collective investment schemes The FMA has an entire department solely dedicated to the fielding of 7 Describe the regulatory regime for collective investment fintech-related inquiries. schemes and whether fintech companies providing alternative finance products or services would fall within its Regulated activities scope. 4 Which activities trigger a licensing requirement in your jurisdiction? The Liechtenstein Collective Investment Scheme Regulation is mainly based on the Undertakings for the Collective Investment in Transferable As Liechtenstein is a member of the EEA, general EU regulations and Securities (UCITS) Directive (2009/65/EC) and the Alternative directives apply (with an EEA Joint Committee decision required). All Investment Fund Managers Directive (2011/61/EU) (AIFMD) and is banking activities (deposit and loan business), as well as investment therefore harmonised within the European Union and the EEA. services pursuant to Annex I of Markets in Financial Instruments An ‘alternative investment fund’ (AIF) is broadly defined as an Directive II are regulated. In addition, payment services pursuant to the undertaking collecting capital to invest it pursuant to a defined invest- Payment Services Directive (2015/2366/EC) (PSD2) and the E-money ment strategy on behalf of the investors. Directive (2009/110/EC) are regulated. This represents an advantage A ‘UCITS’ refers to an undertaking that raises capital from the for start-ups based in Liechtenstein that benefit from the EU passport, public and invests this capital collectively in specific transferable secu- a system allowing providers of financial services already licensed in the rities on the principle of risk spreading. EEA to offer their services in other EEA countries (and, thus, including the EU) without additional approval requirements. Alternative investment funds Since 1 January 2020, legal and natural persons with headquar- 8 Are managers of alternative investment funds regulated? ters (registered office) or a place of residence in Liechtenstein who wish to professionally act as trustworthy technologies service providers (TT With funds, it is crucial to distinguish between the investment portfolio service providers) must apply to be entered into the TT Service Provider and the shares of the fund. Since a fund pursuant to the UCITS Directive Register in writing with the FMA before beginning their activity. This may invest only in specific types of financial product, a true crypto-fund also applies to token issuers that issue tokens in their own name or is not feasible and only the shares of the fund may be tokenised. In that in the name of a client in a non-professional capacity if tokens in the sense, a true crypto-fund can only be achieved under the AIFMD, as this amount of 5 million Swiss francs or more are issued within a 12-month is primarily a fund-manager regulation, rather than an investment-fund period. According to the transitional provisions of the Law on Tokens regulation. An AIF mainly targets professional investors. and TT Service Providers (the Blockchain Act), however, persons who, Hence, a fund pursuant to the AIFMD may invest in a crypto-port- on the date the Act entered into force, had already provided TT services, folio and its shares may be tokenised. A central aspect of an AIF is the were required to register within a 12-month period of the Blockchain Act pooling of capital or assets. These criteria must be broadly construed to entering into force. mean any assets. Thus, a fund may hold yachts in its portfolio or other commodities, such as tokens. Consumer lending 5 Is consumer lending regulated in your jurisdiction? Peer-to-peer and marketplace lending 9 Describe any specific regulation of peer-to-peer or Regulation of consumer lending depends on the concrete business marketplace lending in your jurisdiction. model. Taking deposits (in legal tender) and lending this money to others (deposit and lending business) are considered to be banking No specific regulation applies to peer-to-peer lending. EU legislation activities, which are both reserved to licensed banking institutions. If a applies and it should be analysed if banking business is conducted. platform is operated that enables users to provide these kinds of activities to other participants, then this could be an illegal business model. Crowdfunding However, it depends on the exact use case. In addition, if loans are given 10 Describe any specific regulation of crowdfunding in your in the form of tokens (which neither represent e-money nor financial jurisdiction. instruments), then the Banking Act is not applicable, as it deals with legal tender (fiat) only. An EU directive on crowdfunding is due to be enacted in the future, which will affect Liechtenstein jurisprudence owing to the country’s harmoni- Secondary market loan trading sation with the European Union as an EEA member state. At present, an 6 Are there restrictions on trading loans in the secondary initial coin offering (ICO) or a token generation event may be regulated market in your jurisdiction? in Liechtenstein if security tokens are being issued. In general, there is no singular act specific to ICOs that regulates crowdfunding, but several If obligations from a debtor to a creditor are purchased (eg, if the retail- laws may apply. er's receivables are purchased by a company) and the risk of insolvency Moreover, the Blockchain Act directly applies to token generating (eg, of the customer as debtor) is assumed by the buyer upon conclu- events, ICOs and security token offerings. sion of the assignment agreement (credit risk function), there is no requirement for special financial licences. The retailer may retain the www.lexology.com/gtdt 135 © Law Business Research 2020 Liechtenstein NÄGELE Attorneys at Law

Invoice trading Insurance products 11 Describe any specific regulation of invoice trading in your 15 Do fintech companies that sell or market insurance products jurisdiction. in your jurisdiction need to be regulated?

Factoring is not regulated as a financial market activity if the risk of The Liechtenstein Insurance Act is based on the Insurance Distribution insolvency is assumed by the buyer. Only a commercial business licence Directive (2016/97/EC) and the distribution of insurance products is a is required from the Office of Economic Affairs. If a TT service is offered, regulated activity. registering under the Blockchain Act is required. Depending on the use case, the registration under the Blockchain Act may supersede the Credit references requirement for a business licence. 16 Are there any restrictions on providing credit references or credit information services in your jurisdiction? Payment services 12 Are payment services regulated in your jurisdiction? Credit references and information services may constitute account information services pursuant to PSD2. The revised Liechtenstein Payment Service Act, which is based on PSD2, entered into force on 1 October 2019. The E-money Act, which is based CROSS-BORDER REGULATION on the EU E-money Directive, is also relevant to payment services. For a variety of business models, the application of PSD2 could Passporting trigger the need for a payment services licence. 17 Can regulated activities be passported into your jurisdiction?

Open banking Since Liechtenstein is a member of the EEA, the financial market – 13 Are there any laws or regulations introduced to promote along with the licensed financial intermediaries – is generally fully competition that require financial institutions to make harmonised. This allows passporting (notification) throughout the customer or product data available to third parties? European Union and the EEA, which enables companies to make use of the freedom of services and the freedom of establishment within the PSD2 introduces the new roles of a payment initiation service provider European single market. and an account information provider. In this regard, banking institutions must, to a certain extent, make customer or product data available to Requirement for a local presence third parties. 18 Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local Robo-advice presence? 14 Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated Companies can make use of the freedom of services to provide financial access to investment products in your jurisdiction. services without establishing a local presence. In contrast to services provided under the freedom of services, when establishing a branch, The automated distribution of financial instruments (robo-advice) can, supervision may be split between the home and target jurisdiction depending on the business model, meet the definition of investment supervisory authority. advice and may require a banking or investment firm licence or a licence under the Asset Management Act – provided, however, that financial SALES AND MARKETING instruments are issued or services in relation to them are offered. Article 4 (1) (1) of the AIFMD provides that an AIF is any collective Restrictions investment undertaking, including the sub-funds thereof, that raises 19 What restrictions apply to the sales and marketing of capital from a number of investors with the intention of investing it financial services and products in your jurisdiction? to benefit of these investors in accordance with a defined investment strategy, and is not a UCITS as defined in the UCITS Directive nor an The provision of financial services (investment or ancillary services) investment undertaking as defined in the Investment Undertakings is regulated under the Markets in Financial Instruments Directive II. Act. In this context, the term ‘capital’ is very broad, including not only Likewise, the marketing of financial services may be deemed to be an traditional assets (such as equity or real estate) but also assets such investment service. as ships, forests and wine. Thus, conventional commodities are also included, which include cryptocurrencies, unless they are already CHANGE OF CONTROL covered in another manner by financial market regulations. A collective investment is a necessary characteristic of an AIF. Collective investment Notification and consent means that capital raised from investors is pooled together and invested 20 Describe any rules relating to notification or consent for the benefit of the investors, in line with the predefined investment requirements if a regulated business changes control. strategy. However, if capital is raised to be invested according to an unchangeable algorithm, which could be the case with a robo-advice, it Licensed intermediaries and institutions must notify the Financial can be argued that the fund regulations do not apply as long as there is Market Authority of any qualified holdings (10 per cent or more). no discretion in the investment of the collected capital.

136 Fintech 2021 © Law Business Research 2020 NÄGELE Attorneys at Law Liechtenstein

FINANCIAL CRIME Securitisation risk retention requirements 25 Are securitisation transactions subject to risk retention Anti-bribery and anti-money laundering procedures requirements? 21 Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering? Securitisation transactions (securitisation special purpose vehicles) are not subject to any risk retention requirements. However, such an As an EEA member, Liechtenstein has implemented the 4th Money investment vehicle must be differentiated from collective investment Laundering Directive 2015/849/EU as well as the Regulation on infor- schemes, such as an alternative investment fund. mation accompanying transfers of funds 2015/847/EU. The relevant implementing provisions are found especially in Securitisation confidentiality and data protection requirements the Law on Professional Due Diligence to Combat Money Laundering, 26 Is a special purpose company used to purchase and securitise Organised Crime, and Terrorist Financing (DDA) and the Ordinance on peer-to-peer or marketplace loans subject to a duty of Professional Due Diligence to Combat Money Laundering, Organised confidentiality or data protection laws regarding information Crime, and Terrorist Financing (DDO). relating to the borrowers? Since 1 January 2020, the following companies have been supervised by the Financial Market Authority under the DDA and the DDO: Data protection applies to any personal data pursuant to the EU General • trustworthy technologies service providers subject to regis- Data Protection Regulation. However, there may be a legitimate interest tration; and (in order to carry out the duties under the agreement) or even a consent • token issuers not subject to registration that are domiciled or that personal data is being processed. resident in Liechtenstein and that issue tokens in their own name or not professionally on behalf of the principal, to the extent that ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER they process transactions of 1,000 francs or more, irrespective of TECHNOLOGY AND CRYPTO-ASSETS whether the transaction is carried out in a single operation or in several operations between which there appears to be a connection. Artificial intelligence 27 Are there rules or regulations governing the use of artificial Guidance intelligence, including in relation to robo-advice? 22 Is there regulatory or industry anti-financial crime guidance for fintech companies? Depending on the designated business plan, robo-advice or AI may constitute a form of asset management (ancillary securities service). In 2002, 2007 and 2014 the International Monetary Fund (IMF) and Ultimately, the regulation surrounding any automated platform Moneyval assessed the extent to which the Liechtenstein anti-money depends on the type of token being traded. Bitcoin itself is not a secu- laundering and combating the financing of terrorism provisions meet the rity; however, the government is moving towards classifying initial coin Financial Action Taskforce standards (FATF 40+9 Recommendations). offerings (ICOs) that meet certain requirements as securities, thus The IMF and Moneyval attested to Liechtenstein's high standards in subjecting those particular tokens to regulation. combating money laundering and the financing of terrorism. Therefore, any kind of AI applied to the trading of officially recognised securities is subject to regulation by the authorities. Conversely, PEER-TO-PEER AND MARKETPLACE LENDING AI that is applied to the trading of utility or commodity tokens does not require a licence by the Financial Market Authority (FMA). Again, Execution and enforceability of loan agreements whether the AI is regulated depends on the underlying business case. 23 What are the requirements for executing loan agreements or AI itself is not regulated. security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or Distributed ledger technology marketplace lending platform will not be enforceable? 28 Are there rules or regulations governing the use of distributed ledger technology or blockchains? Contracts are generally enforceable through the Liechtenstein courts. Enforcement may be difficult if the debtor is domiciled in a foreign On the regulatory front, the government enacted the Law on Tokens jurisdiction. and TT Service Providers (the Blockchain Act), which regulates certain business projects based on trusted technologies (eg, distributed ledger Assignment of loans technology and blockchain technology). Through this regulation, the 24 What steps are required to perfect an assignment of government is aiming to support and to monitor the use of trusted loans originated on a peer-to-peer or marketplace lending technology while regulating it. This ensures assistance, while avoiding platform? What are the implications for the purchaser if the uncontrollable growth. Ultimately, this serves to attract crypto-projects, assignment is not perfected? Is it possible to assign these while also providing legal certainty. loans without informing the borrower? Crypto-assets Assignment may take place through sign (cession by sign); written 29 Are there rules or regulations governing the use of crypto- form is not required. If the borrower is not informed of the assignment, assets, including digital currencies, digital wallets and they may discharge their debt (liberation) by repaying the debt to the e-money? assignor (former creditor). Virtual currencies were included in one of the latest amendments to the Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing (DDA), pursuant to the EU Anti-money Laundering Directive. The due diligence obligations codified www.lexology.com/gtdt 137 © Law Business Research 2020 Liechtenstein NÄGELE Attorneys at Law

in the act serve to combat money laundering, organised crime and Digital currency exchanges terrorist financing, and apply to providers of exchange services, among 30 Are there rules or regulations governing the operation of others. An ‘exchange office’ is defined as any natural or legal person digital currency exchanges or brokerages? whose activities consist of the exchange of legal tender at the official exchange rate or of virtual currencies against legal tender and vice As there are various forms of crypto-exchanges, varying regulations versa. ‘Virtual currencies’ are defined as ‘digital monetary units, which apply in certain cases. Exchanges that match the buying and selling can be exchanged for legal tender, used to purchase goods or services interests (matched principal trading; multilateral) with regard to utility or to preserve value and thus assume the function of legal tender’. tokens against fiat and cryptocurrencies are deemed to be unregulated Pursuant to the Report and Motion 2016/159, 31, the most famous and may only require a trade licence from the Office of Economic Affairs example of such a virtual currency is bitcoin. to conduct an operating business or a registration under the Blockchain ‘E-money’ is defined as any electronically or magnetically stored Act (eg, if providing services as trustworthy technologies (TT) service monetary value in the form of a claim against the issuer of electronic provider). In both cases, the exchange is required to comply with the money issued against the payment of a sum of money to effect payment obligations under the DDA. However, the settlement in fiat is considered transactions within the meaning of the Payment Service Act, and that to be a regulated payment service (especially as the commercial broker is accepted by natural or legal persons other than the issuer of elec- exemption is no longer applicable under PSD2 when acting both on the tronic money. In that sense, there are five characteristics or attributes buyer and seller side). of e-money: However, if these tokens are traded against the own book for fiat • having electronic or magnetic monetary value; payments, it may be deemed to be a ‘TT exchange service provider’ • involving a claim against the issuer (central issuance); pursuant to the Blockchain Act. This type of exchange must be regis- • being obtained by money (legal tender and e-money itself); tered with the FMA. • being suitable to conduct payments; and There are also security token exchanges. These kinds of exchange • being accepting by third parties. are fully regulated pursuant to the Markets in Financial Instruments Directive II and require an investment firm with a multilateral trading Cryptocurrencies such as bitcoin are mined; therefore, they cannot be facility (MTF) or an organised trading facility (OTF). The main differ- classified as e-money, because there is no claim against the issuer. In ences between an MTF and an OTF are that all financial instruments addition, if tokens (eg, in an ICO) can only be obtained through the use may be traded on an MTF, whereas only certain debt instruments may of other cryptocurrencies (non-regulated tokens), then the E-Money Act be traded on an OTF (the OTF may also act on a bilateral basis regarding is not applicable. With regard to the payment function and acceptance government bonds). Therefore, an MTF has participants while an OTF by third parties, two major exemptions may be relevant. If only a limited has customers (also owing to the discretionary execution). Another product range or range of services can be obtained with a newly gener- difference between the two trading facilities is that an OTF allows ated and issued token, then an exemption from the e-money regime discretionary trading and matching rules, compared to the non-discre- applies. The same applies if only a restricted service provider network tionary nature of an MTF. accepts the tokens as a means of payment (this is especially relevant Lastly, it is possible to set up fully decentralised peer-to-peer for franchises). security exchanges without any regulation requirements. With a However, the e-money regime is generally not suitable for block- decentralised network operating an exchange, there is no entity to be chain and crypto-technology. Most of the stablecoins (coins pegged to regulated and the exchange itself does not fall under the definition of fiat) should probably be deemed e-money, which has been implemented an MTF or OTF (trading venues). Depending on the services rendered in incorrectly, as certain restrictions apply to e-money and its distribution connection with such a peer-to-peer exchange, certain licence require- (although the territorial scope of the E-Money Directive may not apply ments may apply. In any event, prospectus requirements must be to jurisdictions outside the European Union and the European Economic adhered to. Both matching and settlement are usually carried out in a Area). For example, e-money must be exchanged back to fiat at all times decentralised manner on these exchanges and associated aspects, such at par value (Cp EFTA Court Decision in Case E-9/17 Falkenhahn AG as the order book and custodial or escrow services (smart contracts), v Liechtenstein FMA) and no or only minimal fees may apply for this are also decentralised. service (this is not a criterion for e-money to come into existence, but the re-exchange is merely the logical and legal consequence of e-money). Initial coin offerings E-money also cannot be used for savings purposes and no interest may 31 Are there rules or regulations governing initial coin offerings be granted. In addition, problems may arise with token holders storing (ICOs) or token generation events? their e-money token on a wallet to which they have access to the private key. Lastly, the money collected in exchange for e-money must be placed The rules and regulations governing ICOs or token generation events in deposit-protected accounts, which means that – contrary to popular depend on the token being offered. If the token offered constitutes a belief – these funds may not be used by the entity that collected them financial instrument or e-money, the respective regulation applies (eg, for their operating business. it is necessary to apply for an e-money licence or to prepare a securi- However, even if a token was deemed ‘electronic money’ as ties prospectus). Under the Blockchain Act, the issuer of tokens needs defined in article 2(2) of the E-Money Directive, it would be exempt from to register with the FMA and publish the ‘basic Information’ defined in the applicability of the E-Money Directive if it was issued outside the article 30 seq of the Blockchain Act. European Economic Area, namely in a country that is not subject to the E-Money Directive. With regard to the variety of business models in the sector, the Payment Services Directive (2015/2366/EC) (PSD2) may also apply; therefore, it may be necessary to apply for a payment service licence.

138 Fintech 2021 © Law Business Research 2020 NÄGELE Attorneys at Law Liechtenstein

DATA PROTECTION AND CYBERSECURITY Cloud computing 35 Are there legal requirements or regulatory guidance with Data protection respect to the use of cloud computing in the financial services 32 What rules and regulations govern the processing and industry? transfer (domestic and cross-border) of data relating to fintech products and services? There are no specific regulations on cloud computing. The general provisions – in particular, the EU General Data Protection Regulation – In general, the EU General Data Protection Regulation (GDPR) is must be adhered to. directly applicable in Liechtenstein. In addition, the Liechtenstein Data However, the European Banking Authority published guidelines Protection Act, which has undergone a complete revision in view of the for credit institutions and investment firms (as defined in article 4(1) GDPR, covers regulations based on enabling clauses and the implemen- of Regulation 575/2013/EU) on outsourcing to cloud service providers tation requirements under the GDPR. There is no specific regulation for (EBA/REC/2017/03). fintech companies, but any processing of personal data is subject to the In addition, some laws state specific retention requirements; for GDPR and the Liechtenstein Data Protection Act. If the prerequisites for example, the due diligence records must be stored in a place within processing personal data are fulfilled (eg, processing personal data is the country that is accessible at all times and various laws stipulate necessary to carry out duties under an agreement or imposed by the a retention period of 10 years (eg, the Blockchain Act or the Law on law, or for the purposes of legitimate interests of the processor or a Professional Due Diligence to Combat Money Laundering, Organised third party) or if the concerned person’s consent to process personal Crime, and Terrorist Financing). data is given, the processing is generally allowed. In connection with processing personal data, the processor is bound to a duty of informa- INTELLECTUAL PROPERTY RIGHTS tion towards the individual concerned, who has a right to know how, by whom, in what way and for how long their data is processed. It may be IP protection for software necessary to appoint a data protection officer and prepare internal data 36 Which intellectual property rights are available to protect protection concepts to implement the right to be forgotten, the right software, and how do you obtain those rights? to information and the right to data portability and procedures in the case of a data breach, among other things. It may also be necessary The Liechtenstein Copyright Act provides a wide range of IP protections to conclude a data processing contract with service providers. Lastly, (eg, copyright protection, trademark protection and patents). Computer processing data in countries that do not have the same level of data programs or code may be copyrighted in certain circumstances, which protection is generally prohibited. The relevant assessment on whether may be particularly interesting for developers of a blockchain or smart the same level of data protection applies is provided in an adequacy contracts. decision by the European Commission. IP developed by employees and contractors Cybersecurity 37 Who owns new intellectual property developed by an 33 What cybersecurity regulations or standards apply to fintech employee during the course of employment? Do the same businesses? rules apply to new intellectual property developed by contractors or consultants? Similar to other ventures, fintech businesses must be GDPR compliant, as well as compliant with the due diligence regime if they are subject According to paragraph 1173a article 41 litera E of the Civil Code, inven- to it (if not, it is still recommended to coordinate due diligence concepts tions and designs that the employee makes in performance of his or with involved banking partners or other intermediaries). her duties and in fulfilment of his or her contractual obligations belong The Financial Market Authority published a guideline on cyber- to the employer. By written agreement, the employer may request the security in Communication 2019/1 (see https://www.fma-li.li/de/ acquisition of inventions and designs that are produced by the employee regulierung/cyber-security.html). while exercising his or her official duties but not in the performance of his or her contractual obligations. OUTSOURCING AND CLOUD COMPUTING According to article 19 of the Copyright Act, if the employee creates a work protected by copyright while performing official duties and in Outsourcing fulfilment of contractual obligations, the right to this work shall pass to 34 Are there legal requirements or regulatory guidance with the employer unless otherwise agreed. respect to the outsourcing by a financial services company of These provisions do not apply to contractors or consultents. a material aspect of its business? In general, it is advisable to stipulate comprehensive ownership and transfer clauses in employment and contractual relationships. Key functions (personnel-wise) may not be outsourced. It is possible to outsource due diligence, but the financial intermediary will continue Joint ownership to be responsible for the upkeep of the necessary compliance stand- 38 Are there any restrictions on a joint owner of intellectual ards. According to the Law on Tokens and TT Service Providers (the property’s right to use, license, charge or assign its right in Blockchain Act), the outsourcing of important operational tasks is intellectual property? permitted if: the quality of the trustworth technologies (TT) service provider's internal control is not significantly impaired; the TT service Aside from any agreements providing otherwise, joint owners of intel- provider's obligations under the Blockchain Act remain unchanged; lectual property can use a work only with every other joint owner’s and it does not undermine the registration requirements under the consent. Denial of consent must not go against good faith (paragraph 3, Blockchain Act. article 7 of the Copyright Act). In the case of copyright infringement, each joint owner can individually assert a claim against the party committing

www.lexology.com/gtdt 139 © Law Business Research 2020 Liechtenstein NÄGELE Attorneys at Law

the infringement; however, the claim for remedy must be paid to all TAX joint owners (paragraph 4, article 7 of the Copyright Act). Incentives Trade secrets 43 Are there any tax incentives available for fintech companies 39 How are trade secrets protected? Are trade secrets kept and investors to encourage innovation and investment in the confidential during court proceedings? fintech sector in your jurisdiction?

Employees are prohibited from sharing or exploiting trade secrets of As a member of the European Economic Area, Liechtenstein is also which they acquire knowledge while being employed. If it is necessary subject to the prohibition of state aid. For this reason, specific tax to protect the employer’s legitimate interests, the employee remains concessions for the fintech sector are prohibited. bound to secrecy even after the employment contract is terminated. Overall, Liechtenstein is attractive for innovative business models The confidentiality of other information is subject to the employment because of its liberal tax law and the direct exchange with the tax agreement. administration. Trade secrets can be kept confidential in civil court proceedings. If the presentation of a document would lead to a breach of a trade Increased tax burden secret, the document does not have to be presented. Likewise, if, during 44 Are there any new or proposed tax laws or guidance that a witness statement, answering a question would reveal a trade secret, could significantly increase tax or administrative costs for the witness can refuse to answer the question. fintech companies in your jurisdiction? In addition, the Directive 2016/943/EU on the protection of undisclosed know-how and business information (trade secrets) against their No. unlawful acquisition, use and disclosure (Directive on the Protection of Trade Secrets) is relevant for Liechtenstein as a member of the EEA. IMMIGRATION

Branding Sector-specific schemes 40 What intellectual property rights are available to protect 45 What immigration schemes are available for fintech branding and how do you obtain those rights? How can businesses to recruit skilled staff from abroad? Are there fintech businesses ensure they do not infringe existing any special regimes specific to the technology or financial brands? sectors?

According to Liechtenstein law, branding and trademarks must be regis- Immigration to Liechtenstein is generally restricted. However, members tered for the corresponding rights to emerge. The rights include the of the European Union or European Economic Area can locate near exclusive right to use the branding or trademark to denote the holder’s the Liechtenstein border in Switzerland, Austria or Germany. In addi- goods or services and the right to dispose of it. Thus, others can be tion, a short-term permit can generally be granted for up to 12 months. prohibited from using the branding or trademark for their own goods or Further, there are exceptions from this restrictive regime for highly services. The registration of a brand or trademark is valid for 10 years skilled individuals. and can be extended by filing a corresponding application. Further, As the fintech area generally requires specialist knowledge, there branding and trademarks can also be registered on an EU level; regis- is potential to have these work permits granted to promote the growth trations in the EU trademark registry are valid in all EU member states. of fintech businesses within the country. There is no method that is specifically designed for fintech compa- In addition, if a person is unable to achieve residency in Liechtenstein, nies to ensure that existing brands are not infringed. The most reliable they can seek residency in Switzerland, Austria or Germany and then be way to avoid infringement is to check the national and EU trademark granted a cross-border commuter card for the purposes of employment registries regularly during the initiation process to determine whether within the country. the envisioned brand has already been registered. UPDATE AND TRENDS Remedies for infringement of IP 41 What remedies are available to individuals or companies Current developments whose intellectual property rights have been infringed? 46 Are there any other current developments or emerging trends to note? Available remedies include: • a declaratory action regarding the breach of IP rights; In the past year, the market has shifted from a focus on initial coin offer- • an injunction regarding an imminent breach; ings for utility tokens to a focus on security token offerings and the goal • a claim for remedying a present breach; and of creating crypto-exchanges with the ability to support the secondary • a claim for damages and reparation; if applicable, compensation market for security tokens. for pain and suffering, as well as compensation for lost profits, can also be asserted.

COMPETITION

Sector-specific issues 42 Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

No competition issues are known.

140 Fintech 2021 © Law Business Research 2020 NÄGELE Attorneys at Law Liechtenstein

The 2nd Covid-19 Act was passed by the Liechtenstein Parliament in Thomas Nägele [email protected] April 2020. As a result of a financial ordinance by the Liechtenstein government, financial support is available to those individual and micro- Thomas Feldkircher enterprises that have been able to maintain their business activities [email protected] but are affected by a loss of earnings owing to regulations concerning the covid-19 pandemic and are not entitled to receive compensa- Dr. Grass Strasse 12 tion for short-time work or other support measures. This applies, in FL-9490 Vaduz particular, to companies whose customers or suppliers have been shut Principality of Liechtenstein down by the authorities or that are experiencing a decreasing number Tel: +423 237 60 70 of customers. Eligible for support are self-employed persons whose Fax: +423 237 60 71 main occupation is that of sole proprietor or manager or shareholder www.naegele.law of a microenterprise. Also eligible for support are persons who are not entitled to short-time work compensation and who are employed by a company, such as co-directors or spouses. Employers that have made wage payments to employees who are prevented from working for a long and unforeseeable period of time owing to official measures in connection with the covid-19 pandemic are compensated for continued wage payments through the covid-19 daily allowance. Additionally, the possibility of taking out an emergency loan from the National Bank of Liechtenstein, for which the Liechtenstein government grants a 100 per cent default-in-payment guarantee, is very popular. The loans will be granted interest-free until 30 June 2022. Financial intermediaries must continue to comply with their regulatory obligations. However, there may be eased requirements or special obligations as a result of the pandemic. These are based on the integration of the Financial Market Authority (FMA) in the European System of Financial Supervision. The FMA supports the recommendations of the European supervisory authorities and intends to implement them.

www.lexology.com/gtdt 141 © Law Business Research 2020 Malta

Leonard Bonello and James Debono Ganado Advocates

FINTECH LANDSCAPE AND INITIATIVES The Malta Digital Innovation Authority (MDIA) is a relatively new regulator established to act as: General innovation climate • a fintech promoter that incentivises ‘investment’ in ‘innovative 1 What is the general state of fintech innovation in your technology arrangements’, as such terms are defined under the jurisdiction? MDIAA; and • a supervisory authority that ensures the reliability of these tech- Malta’s reputation as the ‘blockchain island’ is a testament to its positive nologies and the integrity of the market. approach to the fintech industry. Malta was a pioneer in regulating distributed ledger technologies and cryptocurrencies through the enactment of: FINANCIAL REGULATION • the Virtual Financial Assets Act (Chapter 590 of the Laws of Malta); • the Malta Digital Innovation Authority Act (Chapter 591 of the Laws Regulatory bodies of Malta) (MDIAA); and 3 Which bodies regulate the provision of fintech products and • the Innovative Technology Arrangements and Services Act (Chapter services? 592 of the Laws of Malta). The Malta Financial Services Authority (MFSA) and the Malta Digital Other prominent fintech areas attracting investment in Malta relate to Innovation Authority are the main competent authorities regulating the e-payment services and insurtech. Furthermore, the Malta Financial provision of fintech products and services. Services Authority (MFSA) is also buttressing this technology revolution by setting up a dedicated FinTech and Innovation function. The MFSA is Regulated activities also driving the long-term fintech strategy targeting both start-ups and 4 Which activities trigger a licensing requirement in your industry scale-ups with the aim of establishing Malta as an international jurisdiction? fintech hub while promoting the infusion of technology solutions in the financial world. The local financial services regulatory framework comprises: • the Investment Services Act (Chapter 370 of the Laws of Malta) (ISA), Government and regulatory support which outlines the regulatory requirements of operators wishing 2 Do government bodies or regulators provide any support to set up investment services undertakings and collective invest- specific to financial innovation? If so, what are the key benefits ment schemes. It transposes the Markets in Financial Instruments of such support? Directive (2014/65/EU) (MiFID II) into Maltese law and regulates services outlined therein when they are carried out in or from Malta The Maltese government has always given the fintech industry priority in and in relation to one or more ‘instruments’, as defined therein; policy formation. The MFSA has launched a standalone FinTech Strategy • the Banking Act, Chapter 371 of the Laws of Malta, which is the aimed at providing legal and regulatory certainty and ensuring market law regulating credit institutions that carry out the ‘business of integrity and financial soundness while safeguarding investor rights in banking’, defined as: the fintech sphere. This strategy is based on six main pillars, namely: • accepting deposits of money from the public that are with- • a suite of regulations to support regulatory efficiency; drawable or repayable on demand, after a fixed period or • a holistic all-encompassing ecosystem to enhance access to finance after notice; and foster innovation; • borrowing or raising money from the public with the purpose • implementing an open architecture to support the use of application of using all or some of such money to lend to others; or programme interfaces in financial services; • otherwise investing for the account and at the risk of the • fostering international links to enhance bilateral cooperation and person accepting this money; and cross-border fintech knowledge, adoption and investment; • the Financial Institutions Act, Chapter 376 of the Laws of Malta, (FIA), • cultivating knowledge by the attracting and retaining talent and which sets out the licensing and ongoing obligations of non-banking carrying out extensive research; and institutions. These can be classified in two categories – namely, • security through implementing robust systems, plans and tech- institutions that carry out: niques to counteract threats and exposure. • payment services or the issuance of electronic money; and • activities such as lending, financial leasing, the provision of The strategy also features a regulatory sandbox that enables financial guarantees and commitments, foreign exchange services and service providers to test the viability of their products within the regula- money brokering. tory framework, while keeping in direct contact with the regulators.

142 Fintech 2021 © Law Business Research 2020 Ganado Advocates Malta

The FIA, the subsidiary legislation and the regulations promulgated A de minimis AIFM will be exempt from complying with certain provisions under the FIA transpose the Payment Services Directive (2015/2366/EU) of the AIFMD but does not enjoy the use of the EU passporting rights. (PSD2) and the second EU Electronic Money Directive (2009/110/EC). Peer-to-peer and marketplace lending Consumer lending 9 Describe any specific regulation of peer-to-peer or 5 Is consumer lending regulated in your jurisdiction? marketplace lending in your jurisdiction.

Lending is a regulated activity under the FIA, irrespective of whether it is The FIA stipulates that any person that, as a lender, regularly lends provided to consumers. Article 5 of the FIA outlines the requirements for money in or from Malta is carrying out a regulated activity and requires the authorisation of an institution to carry out lending activities, including: an MFSA licence prior to commencing operations. However, there is no • an initial capital in the amount established by the MFSA; specific regulation on P2P platforms or marketplaces lending under the • at least two individuals effectively directing the business of the insti- local financial services framework. tution in Malta; • all qualifying shareholders, controllers and all persons effectively Crowdfunding directing the institution’s business are suitable persons to ensure 10 Describe any specific regulation of crowdfunding in your its prudent management; and jurisdiction. • sound and prudent management and robust governance arrangements. While reward-based and donation-based crowdfunding platforms remain unregulated, the MFSA has introduced a framework under the Secondary market loan trading ISA applicable to investment-based crowdfunding services. Measures 6 Are there restrictions on trading loans in the secondary under this regime include a licensing requirement under the ISA, which, market in your jurisdiction? in addition to capital requirements, encompasses mandatory disclosure obligations. In the case of offers of securities that fall within the scope There are no particular restrictions applicable to trading loans in the of the EU Regulation 2017/1129 (in which case, the EU regime would secondary market in Malta. apply), the issuer must provide an information document, which will, however, not be approved or verified by the MFSA. Collective investment schemes 7 Describe the regulatory regime for collective investment Invoice trading schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your finance products or services would fall within its scope. jurisdiction.

Collective investment schemes (CIS) are regulated under the ISA. CIS Invoice trading falls within the scope of the FIA. Factoring and invoice which fall within the scope of the local regulations are: discounting are listed as two types of lending activity that in turn trigger • retail collective investment schemes, primarily undertaking in a licensing obligation under the FIA if and when they are carried out in collective investment transferable securities; or from Malta on a regular basis. • professional investor funds; • alternative investment funds (AIFs); and Payment services • notified alternative investment funds. 12 Are payment services regulated in your jurisdiction?

Investment-based crowdfunding is regulated under a separate regime. The FIA includes a list of the payment services that are regulated in Malta With respect to peer-to-peer (P2P) or marketplace lenders, it is and reflects the services outlined in the PSD2. Institutions engaging in pertinent to refer to the FIA, which regulates ‘money broking’, defined these payment activities must obtain authorisation from the MFSA prior as the activity of introducing counterparties that wish to deal at mutually to the provision of these services in or from Malta on a regular basis. agreed terms with respect to wholesale and retail financial products. This regulation may have implications for both marketplace lenders and Open banking P2P platforms. 13 Are there any laws or regulations introduced to promote competition that require financial institutions to make Alternative investment funds customer or product data available to third parties? 8 Are managers of alternative investment funds regulated? There are no laws or regulations promoting competition among finan- Managers of alternative investments funds (AIFMs) that operate in or cial institutions through the use of available data. However, the concept from Malta fall within the scope of the ISA and the Alternative Investment of open banking has been locally introduced under the FIA through the Fund Managers Regulations (Subsidiary Legislation 370.23 of the laws regulation of third-party payment service providers, namely, payment of Malta), which transpose the Alternative Investment Fund Managers initiation service providers and account information service providers. Directive (2011/61/EU) (AIFMD) into Maltese law. An AIFM may be subject to a lite regime akin to the regime under the MiFID II if it quali- Robo-advice fies as a de minimis AIFM. This will be the case where the assets under 14 Describe any specific regulation of robo-advisers or other management are worth less than: companies that provide retail customers with automated • €100 million; or access to investment products in your jurisdiction. • €500 million and the portfolio consists of AIFs that are unleveraged and have no redemption rights in the first five years following the No laws or regulations specific to robo-advisers or the automated date of initial investment. access to investment products have been issued in Malta.

www.lexology.com/gtdt 143 © Law Business Research 2020 Malta Ganado Advocates

Insurance products Requirement for a local presence 15 Do fintech companies that sell or market insurance products 18 Can fintech companies obtain a licence to provide financial in your jurisdiction need to be regulated? services in your jurisdiction without establishing a local presence? Entities that undertake insurance or reinsurance, (re)insurance distribution activities or market (re)insurance services in or from Malta are Fintech companies cannot obtain a licence without establishing a local regulated by two legislative instruments, namely: presence in Malta. While local presence and substance requirements • the Insurance Business Act, Chapter 403 of the Laws of Malta; and vary across the different regulatory regimes applicable to the specific • the Insurance Distribution Act, Chapter 487 of the Laws of Malta. services being provided by a fintech company, a decree of substance in Malta is always required. These acts impose requirements from or with the MFSA depending on the nature of the insurance business activity being provided in or from SALES AND MARKETING Malta. These acts, which implement EU Directive 2009/138/EC and EU Directive 2016/97/EU respectively, are supplemented by regulations Restrictions promulgated under these two laws and by rules and guidelines issued 19 What restrictions apply to the sales and marketing of by the MFSA. financial services and products in your jurisdiction?

Credit references The Malta Financial Services Authority (MFSA) has the discretional 16 Are there any restrictions on providing credit references or authority to issue marketing guidelines and restrictions that apply to credit information services in your jurisdiction? various financial services sectors and to prohibit or alter any kind of promotional activity carried out by any financial services institution. ‘Credit reference agency’ is defined under the Trading Licence Act, Specific restrictions apply to licence holders that market their services Chapter 441 of the laws of Malta, as any undertaking licensed by the and products to ensure that all information including marketing Trade Licensing Unit, whose main business is to prepare, assemble communications addressed to retail investors or potential retail inves- and evaluate credit information and related credit and risk manage- tors is fair, clear and not misleading. The Investment Services Act states ment services concerning legal and natural persons for the purpose that no collective investment schemes, licensed or otherwise, can of issuing credit scores to be furnished to third parties, provided that issue or cause to be issued a prospectus in or from Malta unless it has the agency is not precluded from carrying out other related tasks. been approved by the MFSA. The marketing of retail financial services The definition of ‘credit reference agencies’ pursuant to the draft law in Malta also falls within the scope of the EU Distance Selling (Retail falls outside the scope of EU Regulation 1060/2009 and, therefore, the Financial Services) Regulation (Subsidiary Legislation 330.07), which European Securities and Markets Authority would not have supervisory implements EU Directive 2002/65/EC. powers over these entities. Further, credit reference services are listed under the Banking Act as one of the additional activities exercisable by CHANGE OF CONTROL credit institutions. On 7 November 2018, the European Central Bank received a Notification and consent request from the Central Bank of Malta (CBM) for an opinion on a draft 20 Describe any rules relating to notification or consent law amending the Central Bank of Malta Act and on Draft Directive 15 on requirements if a regulated business changes control. the supervision of credit reference agencies, which: • gives the CBM new supervisory powers with respect to credit The Investment Services Act imposes a notification requirement for reference agencies; and persons who, directly or indirectly, acquire a ‘qualifying shareholding’ • designates the CBM as the supervisory authority of credit refer- (as defined therein) in an investment services licence holder or increase ence agencies solely for the purpose of overseeing and regulating their qualifying shareholding to an extent that the proportion of the the issuance of credit scores. voting rights or the capital held would reach or exceed 20 per cent, 30 per cent or 50 per cent or so that the investment services licence holder CROSS-BORDER REGULATION would become its subsidiary. The Malta Financial Services Authority (MFSA) can object to such an acquisition. A notification obligation is Passporting also triggered in the case of disposal or reduction of such qualifying 17 Can regulated activities be passported into your jurisdiction? shareholding. Licence holders must obtain written consent from the MFSA before acquiring 10 per cent or more of the voting share capital Regulated activities emanating from EU directives transposed into of another company before agreeing to sell or merge all or any part of Maltese law can, subject to regulatory and procedural formalities, its undertaking. be passported into Malta. Credit and financial institutions, invest- In the context of credit institutions, Banking Rule 13/2009, ment services providers, collective investment schemes and issuers ‘Prudential assessment of acquisitions and increase of qualifying that are legally established in one member state may passport their shareholdings in credit institutions authorised under the Banking Act’, services through the establishment of a branch or otherwise, as may provides a blueprint of the procedural rules and evaluation criteria for be applicable. Conversely, ‘homegrown’ services that are regulated by a the prudent assessment of acquisitions and holdings increases in the standalone legislative framework in EU member states cannot be pass- financial sector and determines the criteria to be applied by the MFSA ported into Malta. in the assessment process of a proposed acquirer. These rules reflect the Joint Guidelines JC/GL/2016/01, which were issued by the Joint Committee of the European Supervisory Authorities in 2016.

144 Fintech 2021 © Law Business Research 2020 Ganado Advocates Malta

FINANCIAL CRIME pledge of shares, special rules contained in the Companies Act Chapter 386 of the laws of Malta, will also apply, which requires the pledge to Anti-bribery and anti-money laundering procedures be constituted by an instrument in writing and notified to the Malta 21 Are fintech companies required by law or regulation to have Business Registry. procedures to combat bribery or money laundering? Given that loan and security agreements are determined by contract between the parties, enforcement depends on the provisions The regulatory framework that governs anti-money laundering (AML) of the respective contracts; however, parties are not precluded from procedures in Malta falls under the Prevention of Money Laundering Act, enforcing an agreement before the Maltese courts or by instituting arbi- Chapter 373 of the laws of Malta (PMLA) and the Prevention of Money tration proceedings in Malta. Laundering and Funding of Terrorism Regulations, which implements EU Directive 2015/849/EU. The European Union extended the scope of Assignment of loans its AML regime to digital currencies through EU Directive 2018/8432/ 24 What steps are required to perfect an assignment of EU. Entities that must abide by the AML regulations include those that: loans originated on a peer-to-peer or marketplace lending • provide services to safeguard private cryptographic keys on platform? What are the implications for the purchaser if the behalf of its customers, or to hold, store and transfer virtual assignment is not perfected? Is it possible to assign these currencies; and loans without informing the borrower? • engage in exchange services between virtual currencies and fiat currencies. The assignment of loans and other rights is generally dealt with in the Civil Code, Chapter 16 of the laws of Malta. The Civil Code provides Malta has acknowledged the risks associated with digital currencies that an assignment is complete and the ownership of the thing being and has taken the initiative to anticipate this framework. The new assigned is acquired by the assignee as soon as the thing is transferred, Implementing Procedures issued by the Financial Intelligence Analysis the price has been agreed and when the deed of assignment (which Unit (FIAU) now also cover issuers of virtual financial assets (VFAs), must be in writing) is made. The assignee may not exercise the rights VFA service providers and the activities of safe custody services, even assigned to them, except against third parties after due notice of the when provided by any person or institution other than those licensed assignment (by judicial act) has been given to the debtor; however, or authorised under the Banking Act or the Investment Services Act. notice is not necessary if the debtor has acknowledged the assignment. Digital currency exchanges and issuers of VFAs are deemed to be However, Malta’s securitisation framework, based on the subject persons and must have measures, policies and procedures in Securitisation Act, Chapter 484 of the laws of Malta, operates as an place to address the identified risks. These measures, policies, controls opt-in regime whereby legal entities entering into securitisation trans- and procedures must include, inter alia: actions may style themselves as securitisation vehicles subject to the • customer due diligence, record-keeping procedures and reporting Securitisation Act, which aims to facilitate securitisation transactions by, procedures; and among other things, relaxing some of the requirements regarding the • risk management measures. assignment of rights as set out in the Civil Code. An assignment of rights (to a securitisation vehicle) made pursuant to the Securitisation Act: Guidance • does not require the assignment to have a price; 22 Is there regulatory or industry anti-financial crime guidance • is complete as soon as the assignment is written; and for fintech companies? • allows notice to be given to debtors by a simple written notice (ie, not a judicial act) or by publication of a notice in a daily newspaper. The FIAU has issued a specific rulebook applicable to VFA agents, issuers and licence holders with sector-specific guidance on how these An assignment made properly under the Securitisation Act is considered issuers and operators can meet their AML obligations under the PMLA. a true sale as the Act provides that such an assignment will be treated These procedures complement the Implementing Procedures that are as final, absolute and binding on the assignor (the originator), the applicable across all other sectors, and apply to VFA service providers, assignee (securitisation vehicle) and all third parties and is not subject VFA agents and issuers of initial VFA offerings, as well as to unlicensed to clawback. This implies that an assignment that is not perfected under subject persons operating within the VFA space. the Securitisation Act may not be considered a true sale and may be subject to annulment, rescission, revocation or termination. PEER-TO-PEER AND MARKETPLACE LENDING Securitisation risk retention requirements Execution and enforceability of loan agreements 25 Are securitisation transactions subject to risk retention 23 What are the requirements for executing loan agreements or requirements? security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or The Securitisation Regulation (Regulation 2017/2402/EU) became marketplace lending platform will not be enforceable? directly applicable to all EU member states as of 1 January 2019. Article 6 of the Securitisation Regulation directly tackles risk retention, Loan and security agreements are contracts that are generally providing that, subject to any exceptions set out therein, the originator, governed by Maltese contract law. In this respect, the parties entering sponsor or original lender of a securitisation must retain, on an ongoing into such an agreement must have the capacity to do so, which, in the basis, a material net economic interest in the securitisation of no less case of companies, means that the agreement is signed by a director than 5 per cent. In the circumstance that the retainer of this risk was not after having obtained proper authorisation from the board. In the case of agreed, the originator must by law retain the risk. natural persons, contracts can generally be entered into by anyone over the age of 18, provided that they have not previously been interdicted or incapacitated. Depending on the type of loan or security agreement that is being entered into, special laws may apply. In the context of a www.lexology.com/gtdt 145 © Law Business Research 2020 Malta Ganado Advocates

Securitisation confidentiality and data protection requirements • a virtual financial asset (VFA); or 26 Is a special purpose company used to purchase and securitise • a virtual token. peer-to-peer or marketplace loans subject to a duty of confidentiality or data protection laws regarding information If a person provides any of the services listed in the VFAA in relation relating to the borrowers? to a DLT asset that qualifies as a VFA, licensing obligations apply. The issuance of e-money also mandates a Malta Financial Services Authority The Securitisation Act provides that the transfer of any data or informa- (MFSA) authorisation pursuant to the Financial Institutions Act. tion made in the context of a securitisation transaction must remain subject to professional secrecy, confidentiality and data protection laws. Digital currency exchanges However, transfers of personal data made in the context of a securitisa- 30 Are there rules or regulations governing the operation of tion are deemed to have been made for the legitimate interest of the digital currency exchanges or brokerages? transferee and transferor unless it is shown that this interest is overridden by the interest to protect the fundamental rights and freedoms of The VFAA imposes a licensing requirement on service providers in the the data subject. Transfers of personal data made to a third country that VFA space, including VFA exchanges, custodians of VFAs (including does not ensure an adequate level of protection within the meaning of wallet providers) and VFA advisers and brokers that are operating in or the Data Protection Act, Chapter 586 of the laws of Malta, will not require from Malta. The MFSA has issued a Virtual Financial Assets Rulebook, the authorisation of the data protection commissioner, provided that the which is divided into three main chapters. The requirements for a VFA controller of this data can provide adequate safeguards for the protec- service provider licence include: tion of the data subjects’ privacy and fundamental rights and freedoms. • the setting up of a Maltese entity; • the holding of minimum capital; ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER • the appointment of various functionaries; and TECHNOLOGY AND CRYPTO-ASSETS • undergoing assessments by the MFSA into (among other things) the entity’s ultimate beneficial owners and board of administration. Artificial intelligence 27 Are there rules or regulations governing the use of artificial Initial coin offerings intelligence, including in relation to robo-advice? 31 Are there rules or regulations governing initial coin offerings (ICOs) or token generation events? AI is not yet a regulated area. A Malta AI task force, commissioned by the government launched the Strategy and Vision for Artificial The VFAA states that no issuer can: Intelligence in Malta 2030, to put the island among the foremost juris- • offer a VFA to the public in or from Malta; or dictions with the highest-impact national AI programme. The strategy • apply for a VFA’s admission to listing on a DLT exchange unless the rests on three vertical pillars that direct efforts towards investment, issuer draws up a white paper that: innovation and private and public sector adoption; and three horizontal • is dated; enablers, namely education and workforce, the legal framework and • states the matters specified in the first schedule to the VFAA; infrastructure. • includes a statement by the board of administration confirming that the white paper complies with the Act; and Distributed ledger technology • is registered with the MFSA. 28 Are there rules or regulations governing the use of distributed ledger technology or blockchains? The white paper must enable investors to make an informed assessment of the prospects of the issuer, the proposed project and the features of The Innovative Technology Arrangements and Services Act (ITAS) the VFA. Issuers must appoint a number of functionaries, including a outlines the framework of designated innovative technology arrange- VFA agent, a custodian and a systems auditor, and must ensure that an ments (including blockchain platforms and smart contracts) while investor does not invest more than €5,000 in its initial VFA offerings over catering for the Malta Digital Innovation Authority (MDIA) and its regula- a 12-month period. tory functions with regards thereto. Under the ITAS, any person may on a voluntary basis request the MDIA to certify eligible arrangements or DATA PROTECTION AND CYBERSECURITY services on the basis of a number of conditions, including that, among other things, the arrangement is fit and proper for the purposes for Data protection which it was set up and its underlying software has been reviewed by a 32 What rules and regulations govern the processing and registered systems auditor. transfer (domestic and cross-border) of data relating to fintech products and services? Crypto-assets 29 Are there rules or regulations governing the use of crypto- There is no specific law or guidance regulating fintech companies’ use assets, including digital currencies, digital wallets and of personal data. The processing and transfer of data is regulated by e-money? the Data Protection Act (DPA), which implements the EU General Data Protection Regulation, alongside any subsidiary legislation that supple- Crypto-assets in Malta are regulated by the Virtual Financial Assets Act ments the DPA, and regulates the processing of personal data with (VFAA), which spearheads the implementation of a bespoke financial regards to the e-communications sector, thereby implementing EU instrument test, applicable to issuers, agents and licence holders, for Directive 2002/58/EC. the purpose of determining whether a distributed ledger technology The European Commission has issued draft proposals for an (DTL) asset qualifies as: e-privacy regulation to supersede the current Directive (2002/58/EC), • electronic money; which would be directly applicable in all member states, harmonising • a financial instrument; data protection laws. On the 21 February 2020, the revised test of the

146 Fintech 2021 © Law Business Research 2020 Ganado Advocates Malta

Proposal for a Regulation of the European Parliament and of the Council INTELLECTUAL PROPERTY RIGHTS concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC IP protection for software (Regulation on Privacy and Electronic Communications) was published. 36 Which intellectual property rights are available to protect software, and how do you obtain those rights? Cybersecurity 33 What cybersecurity regulations or standards apply to fintech Software constitutes literary work, which enjoys automatic copyright businesses? protection under the Copyright Act, Chapter 415 of the laws of Malta,. A copyright is a non-registrable right that arises as soon as a work Different cybersecurity standards apply across different business considered eligible for copyright protection (which under Maltese law, sectors within the financial industry. In the digital assets space, which includes artistic works, audiovisual works, databases, literary works is regulated by the Virtual Financial Assets Act, licence holders must and musical works) is created. No formal registration of copyright establish various management policies within their cybersecurity (voluntary or otherwise) in Malta is required. Further, in accordance framework. Further, acknowledging that the financial services industry with the Patents and Designs Act, Chapter 417 of the laws of Malta is experiencing a digital and technological transformation, the Malta (PDA), schemes, rules and methods for doing business and computer Financial Services Authority has proposed a new set of guidance notes programs are not considered to constitute inventions that are capable on cybersecurity, which will apply to key players in this industry, setting of patent protection. out a minimum set of best practices and risk management procedures to be followed in order to effectively mitigate cyber risks. IP developed by employees and contractors 37 Who owns new intellectual property developed by an OUTSOURCING AND CLOUD COMPUTING employee during the course of employment? Do the same rules apply to new intellectual property developed by Outsourcing contractors or consultants? 34 Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of In terms of works that are eligible for copyright protection, the Copyright a material aspect of its business? Act dictates that such protection shall vest initially in the author or joint authors of the particular work. Particularly in the case of computer In general, the outsourcing of material activities of a financial services programs and databases, however, where a work is made in the course company would lead to the regulatory intervention and oversight of the of the author’s employment, the economic rights arising therefrom will Malta Financial Services Authority (MFSA). For example, the Banking Act be deemed to be transferred to the author’s employer – subject to an provides that no credit institution shall outsource its material services agreement between the parties to the contrary. Other works eligible for or activities, unless the outsourcing service provider is granted recog- copyright (ie, barring computer programs and databases) shall always nition by the MFSA. To obtain this recognition, the outsourcing service vest in the author or joint authors of the particular work, provided that provider must make a written request providing information on: an agreement to the contrary has not been entered into. • its name and address; With reference to patentable inventions, the PDA holds that any • the material services or activities to be outsourced; invention occurring under a contract of employment belongs to the • the reasons for outsourcing the service or activities; and employer; however, the creator of that work (ie, in this context, the • the regulatory status, if any, if it is authorised or licensed in a employee) would have a right to equitable remuneration for their inven- foreign jurisdiction. tion. In the absence of an agreement between the parties as to the remuneration due, this must be ascertained by the Maltese courts. Cloud computing In view of the various nuances highlighted above, it is always advis- 35 Are there legal requirements or regulatory guidance with able to incorporate a clause regulating the ownership, or otherwise, of respect to the use of cloud computing in the financial services intellectual property into a company’s standard contract of employment industry? and service agreements with its contractors or consultants. However, when developing or making use of intellectual property in the course of Various initiatives at both a local and European level seek to govern employment or engagement, there is an argument to be made that the the evolution of cloud computing. However, these are not neces- employee or the contractor or consultant engaged to render a particular sarily specific to the financial services sector. Locally, the Malta service must be considered a fiduciary in accordance with article 1124 Communications Authority has issued a guidance document enti- et seq of the Civil Code, and must therefore abide by the various obliga- tled ‘Cloud Computing Guidelines for SMEs & Microenterprises’ that tions specified therein. highlights considerations to be taken by small and medium-sized enterprises and microenterprises when assessing the suitability of the use of Joint ownership cloud computing in their firm. This guidance document provides further 38 Are there any restrictions on a joint owner of intellectual details as to the contractual implications that may arise between small property’s right to use, license, charge or assign its right in and medium-sized enterprises, microenterprises and cloud computing intellectual property? service providers. Transposing EU Directive 2016/1148/EU, Subsidiary Legislation 460.35 sets out cybersecurity standards and establishes The Trademarks Act, Chapter 597 of the laws of Malta, states that where a Critical Information Infrastructure Protection Unit (CIIP Unit). In a registered trademark is subject to co-ownership, each joint owner is Malta the CIIP Unit falls under the remit of the Critical Infrastructure entitled, subject to an agreement stating the contrary, to an equal undi- Protection Directorate, which also oversees the National Computer vided share in the registered trademark. Each co-owner is also entitled, Security Incidence Response Team. personally or otherwise, to perform for their own benefit, without the other co-owner’s consent, any act that would otherwise amount to an infringement of the registered trademark. A co-owner may not grant a www.lexology.com/gtdt 147 © Law Business Research 2020 Malta Ganado Advocates

licence over the registered trademark or assign or cede control of their This liability attaches to any person who, with a view to gain for them- share in the trademark without the other co-owner’s consent. selves or another, or with intent to cause loss to another, uses or applies The aforementioned is also applicable in the case of co-ownership without the consent of the trademark owner an infringing sign or else of a registered design under the Patents and Designs Act. Conversely, has in their possession or control or offers for sale, hire or distribu- in the case of joint proprietors of a patent, the law specifies that either tion goods that bear infringing marks. The Enforcement of Intellectual party may separately assign or transfer by succession their share of the Property Rights (Regulation) Act, Chapter 488 of the laws of Malta, patent with or without the other patent owner’s agreement. However, provides for measures that may be requested by IP rights holders to to surrender the patent or conclude a licensing agreement with third enforce their IP rights or to preserve evidence and request information parties, the co-owners must act jointly. from alleged infringers. In terms of copyright, a joint author can assign or license copyright unilaterally, provided that where any other joint author is not satisfied COMPETITION with the manner in which this assignment or licence has been granted, they can resort to the Copyright Board within three months from the Sector-specific issues day on which the terms of the assignment or licence have been commu- 42 Are there any specific competition issues that exist with nicated to them in writing. respect to fintech companies in your jurisdiction?

Trade secrets There are no competition issues that specifically affect fintech compa- 39 How are trade secrets protected? Are trade secrets kept nies in Malta. However, in 2019 the European Commission published confidential during court proceedings? its Competition Policy for the Digital Era, which tackles competition issues that arise from the digital industries and states how regulations The Trade Secrets Act, Chapter 589 of the laws of Malta, (TSA) provides should be tailor-made to cater for the specific issues that might arise. for measures to be taken against the unlawful acquisition, use and The report identified the following characteristics of the industry that disclosure of trade secrets. The TSA allows the competent court to might give rise to incentives for dominant digital firms to act in an anti- issue precautionary acts against the alleged infringer for the cessation competitive manner: or prohibition of the use or disclosure of the trade secret on a provi- • the extreme returns to scale that the industry brings with it; sional basis. The court may also issue precautionary acts to prohibit the • the convenience of the product being dependant on a large production, offering, placing on the market or use of infringing goods user base; and or the seizure of these infringing goods to prevent their entry into or • the pivotal role of data. circulation on the market. Once the court has determined that there has been unlawful acquisition, use or disclosure of a trade secret, it TAX can order the cessation of the unlawful behaviour, apply injunctive and corrective measures or impose damages that are appropriate to the Incentives actual prejudice suffered as a result of the unlawful acquisition, use or 43 Are there any tax incentives available for fintech companies disclosure of the trade secret. The TSA also states that should an appli- and investors to encourage innovation and investment in the cation be submitted by an interested party, it shall be unlawful for any fintech sector in your jurisdiction? of the parties participating within the legal proceedings to disclose the nature or any details relating to the trade secret in question. This obli- While the Maltese corporate tax environment is very attractive to gation shall remain in force even after legal proceedings have ended. businesses establishing a local presence, there do not seem to be tax incentives specifically available for fintech companies. Malta offers Branding several fiscal schemes and incentives in the form of tax credits to 40 What intellectual property rights are available to protect companies deemed as being innovative enterprises according to the branding and how do you obtain those rights? How can fintech rules and regulations set out by the Malta Enterprise. businesses ensure they do not infringe existing brands? Increased tax burden Trademarks create a distinctive brand and can be obtained by lodging 44 Are there any new or proposed tax laws or guidance that an application with the Malta IP rights directorate outlining the trade- could significantly increase tax or administrative costs for mark name or image (or combination thereof), as well as the goods and fintech companies in your jurisdiction? service that this trademark will protect. It is also possible to apply for an EU trademark, which will grant pan-European protection over the Without prejudice to the regulatory fees payable to the competent trademark. On an international level, it is also possible to lodge an appli- authorities in relation to any new licensing obligations imposed on cation with the World Intellectual Property Organisation, designating the fintech companies, there are no new or proposed tax laws or guidance countries in which trademark protection is sought. specific to fintech business that will amplify tax and administrative costs.

Remedies for infringement of IP IMMIGRATION 41 What remedies are available to individuals or companies whose intellectual property rights have been infringed? Sector-specific schemes 45 What immigration schemes are available for fintech The remedies available are enshrined in the acts that regulate specific businesses to recruit skilled staff from abroad? Are there any IP rights. The Trademarks Act provides that a person found guilty of special regimes specific to the technology or financial sectors? trademark infringement under this act may be liable for: • imprisonment for up to three years; At present, in Malta there are no immigration regimes specifically • a fine of up to €23,293.73; or targeting fintech businesses aspiring to recruit skilled staff from abroad, • both. which means that the immigration schemes that are available to fintech

148 Fintech 2021 © Law Business Research 2020 Ganado Advocates Malta businesses are no different from the schemes that are available to other business sectors. There are two regimes available, distinguishing EU, EEA and Swiss nationals from non-EU nationals. EU, EEA and Swiss nationals aspiring to work in Malta’s fintech business must apply for residence via CEA Form A submitted on the basis of employment or self- employment pursuant to the Free Movement of EU Nationals and their Family Members Order (LN 191/2007) and the Immigration Regulations (LN 205/2004). The non-EU, EEA and Swiss regime grants two applications to third-country nationals – namely, CEA Form B and the key Leonard Bonello [email protected] employee initiative, which is a single work permit for managerial or highly technical posts. James Debono [email protected] UPDATE AND TRENDS 171, Old Bakery Street Current developments Valletta VLT1455 46 Are there any other current developments or emerging Malta trends to note? Tel: +356 21 23 54 06 Fax: +356 21 22 59 08 The main current development in Malta is the drive and effort with www.ganadoadvocates.com which the Malta Financial Services Authority, as a proactive financial services regulator, is promoting the idea of Malta becoming a global fintech hub. Throughout its long-term fintech strategy, the regulator is not only supporting the financial services industry to harness the oppor- Guarantee Scheme), which mainly provides guarantees to commer- tunities presented by innovation and technology, but is also geared up to cial banks that facilitate access to bank financing for businesses harness as much legal and regulatory certainty as possible for industry established and operating in Malta (both small and meduim-sized players to operate in an environment with effective investor protection, enterprises with up to 250 employees and large enterprises with market integrity and financial soundness. more than 250 employees) that are facing liquidity and cash flow problems because of the pandemic. Coronavirus • To complement the Guarantee Scheme, the government also 47 What emergency legislation, relief programmes and other announced a second measure to further alleviate the terms initiatives specific to your practice area has your state relating to working capital loans extended by banks under the implemented to address the pandemic? Have any existing Scheme. Through the Interest Rate Subsidy Scheme, which is also government programmes, laws or regulations been amended targeted towards businesses facing unprecedented disruptions to address these concerns? What best practices are advisable owing to the covid-19 outbreak, businesses may avail themselves for clients? of a subsidy of up to 2.5 per cent on the interest rate charged by banks during the first two years of working capital loans guaran- The covid-19 pandemic has triggered a number of legislative and regu- teed by the Guarantee Scheme. latory initiatives within the financial services world that the Maltese government, regulators and competent authorities have implemented to lessen and mitigate the negative impacts to the relevant institutions and the general public. Among other measures relating to borrower- based measures or the timing of supervisory reporting, some of the initiatives launched to counteract the risks posed by the pandemic include the following. • Eurozone institutions have been granted a one-month extension by the Malta Financial Services Authority for the submission of specific supervisory reporting modules with remittance dates between March 2020 and May 2020. A further extension may be granted, but this will only be given on a case-by-case basis and provided that exceptional circumstances exist. • The government of Malta issued the Moratorium on Credit Facilities in Exceptional Circumstances Regulations to mandate credit and financial institutions licensed under the laws of Malta to grant a six-month moratorium on capital and interest for borrowers with respect to credit facilities satisfying the eligibility criteria established under Directive No. 18 issued by the Central Bank of Malta. Foreign banks do not fall within the scope of the Directive unless they have a branch, agency or office in Malta. The moratorium has been extended by a further six months in an effort to continue providing assistance for borrowers negatively affected by the pandemic. • The Malta Development Bank (MDB) has launched the EU Commission-approved MDB Covid-19 Guarantee Scheme (the www.lexology.com/gtdt 149 © Law Business Research 2020 Netherlands

Aron Berket, Jeroen Bos and Marline Hillen Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES the DNB to adopt a more data-driven approach and focus on the use of digital technologies in its supervision. General innovation climate Furthermore, in April 2020, the DNB stated that it has a favourable 1 What is the general state of fintech innovation in your attitude towards central bank digital currency (CBDC). CBDC is money jurisdiction? issued by a central bank and is generally accessible to households and businesses. Therefore, DNB does not only support financial innovation, Fintech innovation in the Netherlands continues to develop. There has but also intends to play a leading role in certain financial innovation, been a high level of activity in the fields of artificial intelligence, machine such as the development of CBDC. learning, blockchain, mobile and advanced analytics. The Dutch market There are no formal arrangements with foreign regulators that is also adopting other innovations, such as open banking (as a result relate specifically to fintech companies. However, the AFM and DNB of the Revised Payment Services Directive). Generally, diversification maintain contact with other regulators in the Netherlands (such as the in the Dutch financial services sector is increasing as new companies ACM and the Dutch Data Protection Authority), the EU and globally (such enter the market and incumbents (such as large Dutch banks) progress as the International Organization of Securities Commissions). their own fintech initiatives. However, some market participants are concerned that the new registration regime for certain crypto-service FINANCIAL REGULATION providers that entered into force on 21 May 2020 will deter potential new entrants from entering the market owing to additional administra- Regulatory bodies tive and compliance costs. 3 Which bodies regulate the provision of fintech products and services? Government and regulatory support 2 Do government bodies or regulators provide any support There is no specific regulatory framework applicable to the provision of specific to financial innovation? If so, what are the key fintech products and services. benefits of such support? Furthermore, it is unlikely that such a specific Dutch regulatory framework will be established now that the Dutch Authority for the In 2016, the Dutch Authority for the Financial Markets (AFM) and the Financial Markets (AFM) and Dutch Central Bank (DNB) have issued the Dutch Central Bank (DNB) set up the InnovationHub to provide new recommendation to regulate cryptos at an international level. As such, and existing firms with support in answering queries related to the depending on the nature and scope of products and services offered, regulation of innovative financial products and services. Within the the AFM and DNB supervise compliance with conducts of business rules InnovationHub, the AFM and DNB cooperate with the Dutch Authority and prudential requirements respectively. for Consumers and Markets. The InnovationHub aims to offer easy access to supervisors and regulators for companies that provide inno- Regulated activities vative services or products, remove any unnecessary barriers to entry, 4 Which activities trigger a licensing requirement in your gain more insight into the rapidly developing technological innova- jurisdiction? tion within the financial sector, and improve knowledge, sharing and dialogue with all relevant stakeholders. The InnovationHub enables Depending on the nature and scope of services offered, licensing fintech companies to obtain a temporary banking licence, among requirements under the Dutch Financial Supervision Act (FSA) and other things. secondary legislation may apply. The AFM and DNB have also set up a ‘regulatory sandbox’ for The following activities are regulated under the FSA. fintech companies to test and develop new products. If certain criteria • Deposit-taking and granting credits for one's own account: credit are met, the regulatory sandbox can provide bespoke solutions for institutions (ie, institutions that attract repayable funds from the financial services companies that cannot reasonably meet specific poli- public in the Netherlands and that extend credit for own account) cies, rules or regulations when marketing an innovative product, service require a banking licence. or business model, and that do meet the underlying rationale of these • Consumer lending: the extension of credit to consumers requires policies, rules or regulations. a licence. Furthermore, the DNB periodically organises a seminar, ‘Fintech • Factoring, to the extent this would constitute consumer lending. meets the Regulators’, during which relevant market participants and • Invoice discounting, to the extent this would constitute consumer DNB share thoughts on current developments. lending. Additionally, in November 2019, the DNB launched a joint partner- • Payment services: all institutions carrying out payment services as ship of banks, insurers and partnerships, the iForum, which enables described in the Annex to the Revised Payment Services Directive

150 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Netherlands

(PSD2), require a licence. A licence to act as a credit institution may investment scheme can be an undertaking for collective investment in also cover carrying out payment services. transferable securities, as defined in the Undertakings for Collective • Investment services: a financial institution is required to have a Investment in Transferable Securities Directive. licence if it intends to provide investment services. These can be Whether a fintech company would qualify as a collective invest- split into the following services, carried out in pursuit of a business ment scheme will depend on the exact nature of its business. For or profession: example, fintech companies that manage assets on a pooled basis on • receiving and transmitting client orders relating to financial behalf of investors should give particular consideration as to whether instruments (which includes bringing about deals in financial they qualify as a collective investment scheme. On the other hand, instruments); fintech companies that provide advice or payment services may be • executing client orders relating to financial instruments; less likely to constitute a collective investment scheme. Peer-to-peer • managing an individual’s assets; lenders, marketplace lenders or crowdfunding platforms could poten- • providing advice regarding financial instruments; tially fall within the scope of the AIFMD, to the extent they would qualify • underwriting or placement with a firm commitment basis of as (managers of) collective investment schemes. Currently, the AFM’s financial instruments; and register ‘Crowdfunding platforms’ indicates that no crowdfunding • placement without a firm commitment basis of financial platform holds a licence for managing or offering units in collective instruments. investment schemes. • Investment activities: a financial institution is required to have a licence if it intends to perform an investment activity. Investment Alternative investment funds activities can be split into three activities: 8 Are managers of alternative investment funds regulated? • dealing on one's own account (including foreign exchange trading); Managers of alternative investment funds are regulated under the • operating an organised trading facility; and AIFMD, which has been implemented in the FSA. • operating a multilateral trading facility. • Clearing and settlement: acting as a clearing and settlement insti- Peer-to-peer and marketplace lending tution requires a licence. 9 Describe any specific regulation of peer-to-peer or • Secondary market loan trading. marketplace lending in your jurisdiction.

Consumer lending There is no specific regulation of peer-to-peer (P2P) or marketplace 5 Is consumer lending regulated in your jurisdiction? lending in the Netherlands. However, this activity might constitute a regulated activity under the FSA. For instance, if a platform facilitating Under the FSA, consumer lending requires a licence and is consid- P2P lending receives and transmits orders in financial instruments, it ered a financial product. Advising a consumer on a financial product or may be subject to a licensing obligation as an investment firm. providing intermediary services in relation to such a financial product is only allowed if the institution has obtained a licence from the AFM. Crowdfunding Financial institutions may be exempted if they have another licence that 10 Describe any specific regulation of crowdfunding in your permits consumer lending or advising consumers on financial products. jurisdiction. Before entering a loan agreement with a consumer, the financial institution must provide the consumer with relevant information Loan-based and equity-based crowdfunding may trigger certain require- relating to the financial product, so that the consumer is able to prop- ments under the FSA, such as the requirement to publish a prospectus erly assess the product. In addition, credit assessment rules exist to or to obtain a banking, consumer credit or investment firm licence. prevent consumer over-indebtedness. These rules are part of the over- Much will depend on the exact activities and model. arching requirement that lenders exercise due care when providing Crowdfunding platforms may apply for certain exemptions under these services. specific circumstances, which can allow them to perform activities as an intermediary to attract or obtain the disposal of repayable funds from Secondary market loan trading the public or, if the platform holds a licence to operate as an investment 6 Are there restrictions on trading loans in the secondary firm, they may be exempted from the prohibition on receiving commis- market in your jurisdiction? sions from third parties. However, crowdfunding platforms should be aware that the AFM Secondary market loan trading is only a regulated activity where it may attach certain conditions to licences or individual exemptions. For constitutes consumer lending. instance, the AFM may require that consumers have the right to reclaim their investment within 24 hours. Additionally, exempted crowdfunding Collective investment schemes platforms may still be subject to certain requirements in relation to 7 Describe the regulatory regime for collective investment governance and business operation policies. schemes and whether fintech companies providing Where a consumer invests in total more than €500 in a crowd- alternative finance products or services would fall within its funding platform, the platform is required to administer a ‘crowdfunding scope. investment test’ that meets certain preconditions in relation to that consumer. The outcome of this test is not strictly binding; however, in In the FSA, collective investment schemes can be an alternative invest- the case of a negative outcome, the crowdfunding platform is required to ment fund, as defined in the Alternative Investment Fund Managers inform the customer on the related risks. The AFM also applies certain Directive (AIFMD). Under the AIFMD, an alternative investment fund is investment limits for consumers, ranging from €40,000 to €80,000 per a vehicle with or without legal personality, which raises capital from platform, depending on the type of crowdfunding. investors with a view to investing it in accordance with a defined investment policy for the benefit of those investors. Alternatively, a collective www.lexology.com/gtdt 151 © Law Business Research 2020 Netherlands Simmons & Simmons LLP

Invoice trading companies providing traditional investment advice. Additionally, the 11 Describe any specific regulation of invoice trading in your AFM has issued guidelines regarding the (‘technique-neutral’) duty of jurisdiction. care of asset managers who offer semi-automatic investment advice. These guidelines are not legally binding but they do bring clarity for There is no specific regulation of invoice trading in the Netherlands. asset managers. The guidelines are aligned with Dutch law, Markets in However, depending on the exact services provided and the status of Financial Instruments Directive II and suitability guidelines published the parties involved, invoice trading may lead to either party qualifying by the European Securities and Markets Authority and set out, among as an intermediary of consumer credit or may amount to the extension other things, guidance on safety and the provision of information. of consumer credit. The AFM has published its views on robo-advice more generally, stating that while robo-advice could be an opportunity to improve both Payment services access to and the quality of investment advice, there are also specific 12 Are payment services regulated in your jurisdiction? points of attention to consider There is no specific regulation of other companies that provides retail customers with automated access to Yes. In the Netherlands, payment services are regulated on the basis of investment products in the Netherlands. There is no legal distinction PSD2, which has been implemented in the FSA. A licence is required to between companies providing automated access to investment prod- carry out all payment services listed in the Annex to PSD2. ucts and companies that offer investment products in a traditional way. Payment services include: • services enabling cash to be placed on a payment account or Insurance products cash withdrawals from a payment account and all the operations 15 Do fintech companies that sell or market insurance products required for operating a payment account; in your jurisdiction need to be regulated? • the execution of the following types of payment transactions: • direct debits, including one-off direct debits; The sale of insurance products is regulated under the FSA and requires • payment transactions executed through a payment card or a a licence. similar device; and • credit transfers, including standing orders; Credit references • the execution of the following types of payment transactions where 16 Are there any restrictions on providing credit references or the funds are covered by a credit line for the payment service user: credit information services in your jurisdiction? • direct debits, including one-off direct debits; • payment transactions executed through a payment card or a The rules on credit rating agencies laid down in Regulation (EC) similar device; and No. 1060/2009 on credit rating agencies (as amended) apply in the • credit transfers, including standing orders; Netherlands. A credit rating agency is required to adopt, implement and • issuing payment instruments or acquiring payment transactions; enforce adequate measures to ensure that the credit ratings it issues • money remittance; are based on a thorough analysis of all the information that is available • payment initiation services (initiating a payment order at the to it and is relevant to its analysis according to its rating methodologies. request of a payment service user with respect to an account held with another payment service provider); and CROSS-BORDER REGULATION • account information services (online services to provide consolidated information on one or more payment accounts held by the Passporting payment service user with another one (or more) payment service 17 Can regulated activities be passported into your jurisdiction? provider). An EEA firm that has been authorised under one of the EU single Open banking market directives (the Capital Requirements Directive, Solvency II, the 13 Are there any laws or regulations introduced to promote Markets in Financial Instruments Directive II, the Insurance Distribution competition that require financial institutions to make Directive, the Mortgage Credit Directive, the Undertakings for Collective customer or product data available to third parties? Investment in Transferable Securities Directive, the Alternative Investment Fund Managers Directive and the Revised Payment Services The implementation in the FSA of the access-to-account rules, as Directive) may, in principle, provide cross-border services into or estab- included in the PSD2, requires financial institutions to provide access lish a branch in the Netherlands. To exercise this right, in general, the to the payment accounts of consumers to payment initiation service firm must first provide notice to its home state regulator. The relevant providers and account information service providers. In general, data directive under which the EEA firm is seeking to exercise its passporting protection and privacy regulations should be considered prior to making rights as implemented in the Dutch Financial Supervision Act (FSA) will customer data available to third parties. determine the conditions and processes that the EEA firm must follow.

Robo-advice Requirement for a local presence 14 Describe any specific regulation of robo-advisers or other 18 Can fintech companies obtain a licence to provide financial companies that provide retail customers with automated services in your jurisdiction without establishing a local access to investment products in your jurisdiction. presence?

There is no specific regulatory framework for robo-advisers in the To obtain a licence for any of the activities regulated pursuant to the Netherlands. FSA, in general, a local presence must be established, unless a firm can Furthermore, there is no legal distinction between robo-advice benefit from a European passport. and traditional investment advice in the Netherlands. As such, companies providing robo-advice must fulfil the same legal requirements as

152 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Netherlands

SALES AND MARKETING FINANCIAL CRIME

Restrictions Anti-bribery and anti-money laundering procedures 19 What restrictions apply to the sales and marketing of 21 Are fintech companies required by law or regulation to have financial services and products in your jurisdiction? procedures to combat bribery or money laundering?

Depending on the regulatory status of the financial institution, different There is no general framework under which fintech companies are marketing rules may apply, including clientele restrictions. Advice required to have in place procedures to combat bribery or money laun- should be sought on the specific circumstances of any particular case. dering. However, as of 21 May 2020, certain crypto-service providers The Dutch Financial Supervision Act (FSA) states that, in general, fall with scope of the Money Laundering and Terrorist Financing relevant marketing activities: (Prevention) Act. This concerns companies, legal entities or natural • must be correct, clear and not misleading; persons that provide: • must be recognisable as being of a commercial nature (where • services for the exchange between virtual and fiat currencies; and applicable); and • services offering custodian wallets (ie, services to safeguard • may not contradict the information that is required to be made private cryptographic keys on behalf of customers; consequently, available pursuant to the FSA. ‘soft wallets’ do not fall within the scope).

In addition, specific rules apply depending on the type of product These crypto service providers are also required to register with the offered or service provided and, in some cases, also on the type of client Dutch Central Bank (DNB). Requirements for registration include having targeted. Some of these are summarised below. in place an adequate integrity policy to ensure ethical operation manage- Marketing materials for complex products (eg, participation rights ment. In this policy, an analysis of integrity risks, compliance with the in an open-ended collective investment scheme and investment objects) Sanctions Act 1977, transaction monitoring, reporting of unusual trans- should include a risk indicator as prescribed by the Further Regulation actions to the Financial Intelligence Unit-Netherlands and customer on Conduct of Business Supervision of Financial Undertakings (the due digilence must be discussed. Other requirements for registration Further Regulation). include, among others, that: Marketing materials for credit offerings to consumers that refer to • the policymakers of crypto-service providers are trustworthy; and debit interest rates or other information regarding costs should include • the (directors of) holders of a qualifying holding (at least 10 per (at a minimum) information regarding floating or fixed interest rates cent of the shares or voting rights, or both) in crypto-service and other costs that form part of the total costs of the credit for the providers are trustworthy. consumer, the total credit amount, the yearly cost percentage, identity and address of the provider or intermediary, and certain other informa- Guidance tion depending on the type of credit, all as prescribed in the Decree 22 Is there regulatory or industry anti-financial crime guidance on Conduct of Business Supervision of Financial Undertakings. In addi- for fintech companies? tion, certain risk warnings are prescribed and certain prohibitions apply, such as the prohibition on including any references to the speed or ease There is no regulatory or industry anti-financial crime guidance specifi- with which the credit may be obtained. cally for fintech companies. However, the Dutch Authority for the For products other than complex products, the more general Financial Markets and DNB have set up the InnovationHub to support marketing rules included in the Further Regulation apply, including the market operators, such as fintech companies. Furthermore, the DNB obligation to include a warning that the value of an investment may has published a brochure entitled ‘Good practices fighting corruption’ fluctuate and that historical returns offer no guarantee for the future. and the DNB website provides answers to questions about DNB’s integ- Depending on the medium used for marketing (print, TV, radio or rity supervision of crypto-companies. As regards anti-money laundering internet) further rules apply, such as the relevant information to be and combating financing of terrorism, DNB issued a comprehensive included at a minimum (ie, the name of the provider, the regulatory guidance that also relates to trade sanctions on 18 December 2019. status of provider, and where and how further information relating to the product or service can be obtained). Specific marketing rules have PEER-TO-PEER AND MARKETPLACE LENDING been introduced to facilitate marketing on social media. Execution and enforceability of loan agreements CHANGE OF CONTROL 23 What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements Notification and consent or security agreements entered into on a peer-to-peer or 20 Describe any rules relating to notification or consent marketplace lending platform will not be enforceable? requirements if a regulated business changes control. Loan agreements are not restricted to a certain form and can there- If a qualifying holding (at least 10 per cent of the shares or voting rights, fore be entered into and executed electronically. To create a security or both) is obtained in certain Dutch financial firms (such as settlement right (ie, a right of pledge or mortgage) a deed is required, which has to institutions, banks, managers of UCITS, investment firms, entities for be in writing. Dutch law distinguishes between authentic deeds, which risk acceptance, premium pension institutions and insurers and rein- require the involvement of a civil-law notary (and can therefore not be surers), prior approval by the Dutch Central Bank (DNB) is required. executed in electronic form), and private deeds. The DNB grants approval by way of a ‘Declaration of No Objection’. In A private deed can be executed electronically provided its contents specific cases, increases of qualifying holdings above certain thresholds are stored for future reference during a minimum relevant period are also notifiable to or subject to approval from DNB. (depending on the nature of the deed) in such a way that they can be reproduced without alteration. For example, a deed of pledge can be executed electronically provided that the pledgee can store the deed www.lexology.com/gtdt 153 © Law Business Research 2020 Netherlands Simmons & Simmons LLP

during the duration of the loan agreement for which the pledge was firms and alternative investment fund managers) will be subject to higher issued. In addition, the deed still needs to be printed as the tax authori- regulatory capital charges where they invest in securitisation positions ties do not accept electronic copies of a deed. that do not comply with the risk retention rules. Those rules require that An electronic deed will require an electronic signature. An electronic either the sponsor, originator or original lender in respect of the securiti- signature can constitute proof of the intention of the signatory to agree sation explicitly discloses to the investor that it will retain, on an ongoing with the contents of a certain document in the same way a written signa- basis, a material net economic interest in the securitisation (which in any ture does if the method used to authenticate the electronic signature is event is not less than 5 per cent) using one of five prescribed retention sufficiently reliable. The Dutch courts asses the reliability of this method methods. Those methods include (among others) retention of: in view of all the circumstances of the relevant case. There is no specific • the most subordinated tranche or tranches, so that the retention risk that loan agreements or security agreements will not be enforce- equals no less than 5 per cent of the nominal value of the securi- able when entered into on a P2P or marketplace lending platform. tised exposures; • 5 per cent of the nominal value of each of the tranches sold to Assignment of loans investors; or 24 What steps are required to perfect an assignment of loans • randomly selected exposures equivalent to no less than 5 per cent originated on a peer-to-peer or marketplace lending platform? of the nominal value of the securitised exposures. What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these loans without Definitions of ‘sponsor’, ‘originator’ and ‘original lender’ are set out in informing the borrower? the EU Securitisation Regulation. Furthermore, there is a direct requirement on the sponsor, originator and original lender to agree on an Under Dutch law, there is a distinction between the transfer of loans entity that will act as retention holder and to ensure compliance with (ie, the receivables and the liabilities under a loan) and the sole assign- the retention requirement. In the absence of agreement as to who will ment of receivables under the loans. As securitisations require that be the retention holder, the originator shall be the retention holder. only the receivable is assigned, only the assignment of receivables is The EU Securitisation Regulation does not explicitly set out the juris- discussed here. dictional scope of the ‘direct’ retention obligation, but there is a helpful Assignment always requires that: (1) the receivable is transferable; note in the Explanatory Memorandum to the European Commission’s (2) the seller holds legal title to the receivable; (3) there is a valid title for original proposal for the EU Securitisation Regulation that the intention the assignment (an agreement usually); and (4) the receivable is deliv- is that the ‘direct’ approach would not apply to securitisations (including ered. Delivery can be perfected by way of an undisclosed assignment or P2P securitisations) where none of the originator, sponsor or original disclosed assignment. lender is ‘established in the EU’. The European Banking Authority (EBA) An undisclosed assignment requires an executed deed, either in has stated in the Draft Regulatory Standards to the EU Securitisation notarial form or in private form, to be registered with the Dutch Tax Regulation (dated 31 July 2018) that the ‘direct’ obligation should apply Authority. Perfection takes place the moment the deed is executed by the only to originators, sponsors and original lenders established in the EU notary or at the time of registration with the Tax Authority. Receivables as suggested by the Commission in the explanatory memorandum. may only be transferred by way of undisclosed assignment if they: (1) ‘Establishment’ is typically described by reference to the jurisdic- exist at the date of registration or execution of the deed of assignment; tion in which the legal entity is incorporated or has its registered office. or (2) are future receivables directly resulting from a legal relationship Therefore, the non-EU subsidiary of an EU entity may not be subject existing at the date of assignment. to the ‘direct’ retention obligation because a subsidiary is typically a A disclosed assignment requires that notification of the assignment separate legal entity, whereas a non-EU branch of an EU entity may be is given to the debtor. caught within this provision because a branch is typically not a separate If the (delivery of the) assignment is not perfected, the receiv- legal entity. Market participants are still seeking clarity on this and it is able has not been successfully assigned to the assignee. If the seller expected that this point will be raised as part of the ongoing EBA consul- becomes insolvent before all conditions for the assignment have been tation on risk retention. perfected, the receivables can no longer be assigned and the insolvent seller remains the owner. Securitisation confidentiality and data protection requirements Until notification of the assignment, borrowers can only validly pay 26 Is a special purpose company used to purchase and securitise to the assignor in order to validly discharge their payment obligations, peer-to-peer or marketplace loans subject to a duty of and payments made prior to notification of the assignment but after the confidentiality or data protection laws regarding information assignor has been declared insolvent will fall in the estate of the assignor. relating to the borrowers? Assignment of receivables does not require the consent of the borrower or informing the borrower. Assignment of receivables only Yes, a special purpose vehicle that is based in the Netherlands will fall requires notification to the borrower in the case of a disclosed assign- under the scope of these laws if it processes personal data in relation to ment. A contractual non-assignment clause may prevent the transfer of activities in the Netherlands. receivables, depending on the exact wording of the clause. ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER Securitisation risk retention requirements TECHNOLOGY AND CRYPTO-ASSETS 25 Are securitisation transactions subject to risk retention requirements? Artificial intelligence 27 Are there rules or regulations governing the use of artificial As of 1 January 2019, the risk retention rules as set out in the EU intelligence, including in relation to robo-advice? Securitisation Regulation will apply to P2P securitisations that are offered to European banks, investment firms, alternative investment funds or There is no specific regulatory framework for the use of artificial insurers. Under these risk retention rules, certain investors (such as intelligence. Furthermore, there is no legal distinction between robo- credit institutions, Markets in Financial Instruments Directive-regulated advice and traditional investment advice in the Netherlands. As such,

154 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Netherlands companies providing robo-advice must fulfil the same legal require- Initial coin offerings ments as companies providing traditional investment advice. 31 Are there rules or regulations governing initial coin offerings There is no specific regulation on automated investment advice. (ICOs) or token generation events? However, the Dutch Authority for the Financial Markets (AFM) has issued guidelines regarding the duty of care of asset managers who offer semi- The tokens that are used with an initial coin offering (ICO) are typically automatic investment advice. These guidelines are not legally binding drawn up in a way so as not to qualify as securities or units in an alter- but they do bring clarity for asset managers. The guidelines are aligned native investment funds. Therefore, they fall outside the scope of the with Dutch law, the Markets in Financial Instruments Directive II and FSA. This means that ICOs are not regulated by the FSA or supervised suitability guidelines published by the European Securities and Markets by the AFM or DNB. Theoretically, the ICO tokens could be drawn up in Authority and set out, among other things, guidance on safety and the a way that qualifies them as securities or units in an alternative invest- provision of information. ment fund. If that is the case, the FSA applies to the ICOs and there is The AFM has published its views on robo-advice more generally, supervision by the AFM and DNB. stating that while robo-advice could be an opportunity to improve both The AFM and DNB have issued multiple warnings about the risks access and the quality of investment advice, there are also specific of investing in ICOs and digital tokens. The AFM considers investing in points of attention to consider. ICOs as not suitable for retail investors.

Distributed ledger technology DATA PROTECTION AND CYBERSECURITY 28 Are there rules or regulations governing the use of distributed ledger technology or blockchains? Data protection 32 What rules and regulations govern the processing and Other than the General Data Protection Regulation, there is no specific transfer (domestic and cross-border) of data relating to legislation on blockchain or other distributed ledger technology (DLT). fintech products and services? The use of DLT is subject to the existing regulatory legislation depending on its application in any particular case. DLT is a subject that has led to On 25 May 2018, the General Data Protection Regulation (GDPR) came many questions in the InnovationHub . into force with direct effect across the entire EU. It governs the storage, viewing, use of, manipulation and other processing by businesses of Crypto-assets data that relates to a living individual. In summary, the GDPR requires 29 Are there rules or regulations governing the use of crypto- that businesses may only process personal data where that processing assets, including digital currencies, digital wallets and is done in a lawful, fair and transparent manner, as further described e-money? in the GDPR. The GDPR requires that any processing of personal data must The Dutch Central Bank (DNB) and the AFM have stated that digital be done pursuant to one of six lawful bases for processing. The most currencies do not constitute a financial product (such as e-money or commonly used lawful basis for processing is the consent of the data a financial instrument) and do not qualify as legal tender. Therefore, in subject to that processing – in relying on this lawful basis, the busi- principle, the Dutch Financial Supervision Act (FSA) does not apply to ness must ensure that the consent is freely given, specific, informed digital currencies. However, digital currencies may fall within the scope and unambiguous, and capable of being withdrawn as easily as it is of the FSA on the basis of activities provided in relation to these curren- given. This places a significant burden on businesses to ensure that cies. For example, this would be the case when the holder of a digital their customers are fully informed on what their personal data is being wallet is able to convert its digital currency holdings into cash hold- used for, which is a crucial change to the previous regime under which ings held with the crypto-service provider. Furthermore, depending on disclosure did not need to be so transparent. Other lawful bases for the structure and the specific characteristics of the digital currency or processing data include where that processing is necessary for the digital wallet, the relevant services could be considered to constitute business to perform a contract it has with the data subject, or where payment services or services provided by electronic money institu- required to comply with the legal obligations of the business. tions. In these circumstances, unless an exemption applies, the relevant The GDPR further differs from the previous regime in that it activities trigger a licence requirement and certain prudential and places a significantly increased compliance burden on businesses, conduct-of-business rules will apply. including, for example, mandatory requirements to notify regulators Furthermore, certain crypto-service providers are required to of data breaches, obligations to keep detailed records on processing register with the DNB. and requirements for most entities to appoint a data protection officer. Businesses that infringe the GDPR may be subject to administrative Digital currency exchanges fines of an amount up to €20 million or 4 per cent of global turnover, 30 Are there rules or regulations governing the operation of whichever is higher. digital currency exchanges or brokerages? Recital 26 of the GDPR states that where data has been processed such that it is truly anonymised, the principles within the GDPR do not The DNB and the AFM have stated that digital currencies do not consti- apply to the processing of that data. However, for the data to have been tute a financial product (such as e-money or a financial instrument) and effectively anonymised, the data subject must no longer be identifiable do not qualify as legal tender. Therefore, in principle, the FSA does not – which is a question of how far businesses have to go to ensure true apply to digital currencies. However, digital currencies may fall within anonymisation. scope of the FSA on the basis of activities provided in relation to these The Article 29 Working Party has released Opinion 05/2014 on currencies. Anonymisation Techniques (in the context of the previous EU data Furthermore, certain crypto-service providers are required to protection regime). This Opinion discusses the main anonymisation register with the DNB. techniques used – randomisation and generalisation (including aggregation). The Opinion states that when assessing the robustness of an anonymisation technique, it is necessary to consider: www.lexology.com/gtdt 155 © Law Business Research 2020 Netherlands Simmons & Simmons LLP

• if it is still possible to single out an individual; OUTSOURCING AND CLOUD COMPUTING • if it is still possible to link records relating to an individual; and • if information can be inferred concerning an individual. Outsourcing 34 Are there legal requirements or regulatory guidance with In relation to aggregation, the Opinion further states that aggregation respect to the outsourcing by a financial services company of techniques should aim to prevent a data subject from being singled out a material aspect of its business? by grouping them with other data subjects. While aggregation will avoid the risk of singling out, it is necessary to be aware that linkability and Where a financial services company outsources a material aspect inferences may still be a risk with aggregation techniques. of its business, it remains responsible for the outsourced activities. The position on anonymisation taken from the Article 29 Working Furthermore, outsourcing must not obstruct supervision by the authori- Party’s Opinion is broadly unchanged in the GDPR. The GDPR itself ties, and outsourcing by financial firms of critical or important functions also gives limited guidance on anonymisation in Recital 26, requiring must be notified to the regulator. If a financial service provider plans data controllers to consider a number of factors in deciding if personal on using a third party for activities for which a licence is required, this data has been truly anonymised, including the costs and time required can only be done where both parties have a licence for these activities. to de-anonymise, the technology available at the time to attempt For certain activities (such as fund management, investment services, de-anonymisation and further technological developments that may payment services and required activities under the Money Laundering take place. and Terrorist Financing (Prevention) Act) further detailed outsourcing There are no legal requirements or regulatory guidance relating to provisions apply. personal data that are specifically aimed at fintech companies. Cloud computing Cybersecurity 35 Are there legal requirements or regulatory guidance with 33 What cybersecurity regulations or standards apply to fintech respect to the use of cloud computing in the financial services businesses? industry?

The Revised Payment Services Directive (PSD2) includes provisions If a financial institution wants to make use of cloud computing, it must relating to measures that should be implemented by payment institu- notify the Dutch Central Bank (DNB) of its intention to do so. Before tions, such as securing the payment service user’s personal security using cloud computing, the financial institution is required to develop data and agreeing on how to manage operational and security risks. a risk analysis, which must be presented to the DNB. Because the DNB In addition to the PSD2, there are cybersecurity related provisions qualifies cloud computing as a specific type of outsourcing, the rules in the following regulations. on outsourcing apply. Outsourcing is not allowed in cases where it The GDPR includes a few provisions relating to the security of would obstruct the supervision of the outsourced activities or where the processing, such as the requirement for the controller to, both at the time internal audit function would be negatively affected by the outsourcing of the determination of the means for processing and at the time of the of the activities. Furthermore, the financial institution is required to have processing itself, implement appropriate technical and organisational adequate policies and proper procedures to manage outsourcing risks. measures that are designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the INTELLECTUAL PROPERTY RIGHTS processing to meet the requirements of the GDPR and protect the rights of data subjects. The controller and the processor must also implement IP protection for software these measures to ensure a level of security appropriate to the risk, 36 Which intellectual property rights are available to protect which may include, among other things: software, and how do you obtain those rights? • the pseudonymisation and encryption of personal data; • the ability to ensure the ongoing confidentiality, integrity, avail- Computer programs (and preparatory materials) are protected by copy- ability and resilience of processing systems and services; right. Copyright arises automatically as soon as the computer program • the ability to restore the availability and access to personal data in is created, registration is not required. Copyrighted works are protected a timely manner in the event of a physical or technical incident; and until 70 years after the death of the creator. • a process for regularly testing, assessing and evaluating the effec- Databases underlying software programs may also be protected by tiveness of technical and organisational measures for ensuring the copyright and, in certain circumstances, by database right. A database security of the processing. right is a stand-alone right that protects databases that have involved a substantial investment in obtaining, verifying or presenting their Furthermore, the Network and Information Security Act (NIS) applies contents. The right automatically comes into existence upon creation to so-called ‘vital’ providers. The vital providers are designated by the and expires after 15 years. Network and Information Security Decree. Fintech companies might fall Software may also be protected as confidential information or as a under the definition of vital providers and, if so, they might be subject to trade secret by keeping the software code secret. There are no formal certain requirements. For instance, vital providers are – in short – obliged (registration) requirements other than that a trade secret holder needs to report a breach of the security or loss of integrity of their information to take reasonable measures to protect its secret and it needs to have systems. Moreover, the NIS includes obligations relating to taking meas- commercial value. ures to control the security of network and information systems. Programs for computers and schemes, rules or methods of doing Finally, not having implemented any organisational and technical business as such are expressly excluded from patentability under the security measures could possibly lead to criminal liability. Any person Dutch Patent Act 1995 and the European Patent Convention. However, who by negligence or carelessness is responsible for, among other patent protection for software may be possible if the inventor is able to things, wrongful changes or losses of data that lead to serious damage demonstrate that the software makes a novel and inventive technical to that data, may be punished with a maximum prison sentence of one contribution over and above that provided by the program or business month or a fine. method itself. To obtain patent protection, registration is required with

156 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Netherlands the relevant Dutch and European patent offices and the registration hand down decisions in which confidential information is redacted. The requirements must be followed. Patent protection is limited to 20 years current Trade Secrets Act proposal includes a new rule introducing the starting from the date of filing the application. option for the court to impose a confidentiality club, limiting the access to trade secrets. IP developed by employees and contractors 37 Who owns new intellectual property developed by an Branding employee during the course of employment? Do the same 40 What intellectual property rights are available to protect rules apply to new intellectual property developed by branding and how do you obtain those rights? How can contractors or consultants? fintech businesses ensure they do not infringe existing brands? Copyrights and databases created by an employee during the course of his or her employment are automatically owned by the employer unless Brands can be protected as registered trademarks either in the Benelux the parties have agreed otherwise. Patents protecting inventions made alone (as a Benelux trademark) or across the EU (as an EU trade- by an employee in the course of his or her normal duties are owned mark). Certain branding, such as logos and stylised marks, can also by the employer. Any other patented inventions will be owned by the be protected by design rights and may also be protected by copyright. employee unless agreed otherwise. Design rights and trademarks are obtained by registering the design Inventions or copyrights created by contractors or consultants in or trademark with the relevant authority (eg, the Benelux Office for the course of their duties are owned by the contractor or consultant Intellectual Property, World Intellectual Property Organization or unless otherwise agreed. By contrast, database rights are owned by the European Union Intellectual Property Office). person who takes the initiative and assumes the risk of investing in The Benelux and EU trademark databases can be searched to iden- obtaining, verifying and presenting the data in question. Depending on tify registered trademarks or applications for a trademark with effect in the circumstances, this is likely to be the business that has retained the the Netherlands. It is highly advisable for new businesses to conduct contractor or consultant. trademark searches to check whether earlier registrations exist that are identical or similar to their proposed brand names. Joint ownership 38 Are there any restrictions on a joint owner of intellectual Remedies for infringement of IP property’s right to use, license, charge or assign its right in 41 What remedies are available to individuals or companies intellectual property? whose intellectual property rights have been infringed?

Where two or more persons jointly own an intellectual property right, Remedies include: any one of them may use and enforce the right, unless otherwise • preliminary and final injunctions (preliminary injunctions are avail- agreed. Each joint owner may assign or charge its share of the intel- able cross-border); lectual property right without the other owners’ consent. Exploitation • damages or surrender of profits; of the intellectual property right, including the granting of licences and • delivery up or destruction of infringing products; charging or assigning the intellectual property right, can only be done • orders to disclose certain information that relates to the by the joint owners of the intellectual property right. infringement; • publication orders; and Trade secrets • reimbursement of costs, including court fees and costs of (patent) 39 How are trade secrets protected? Are trade secrets kept attorneys and experts (cost orders in Dutch intellectual property confidential during court proceedings? litigation are typically between 80 per cent and 100 per cent of actual costs). In the Netherlands, trade secrets are protected by the general law of tort (such as breach of the rules of fair competition) and by the Dutch COMPETITION Trade Secrets Act, which entered into force on 23 October 2018 and implements the EU Trade Secrets Directive (Directive 2016/943/EU). Sector-specific issues The Trade Secrets Act provides more specific rules for the protection 42 Are there any specific competition issues that exist with for trade secrets. The Trade Secrets Act defines a trade secret as infor- respect to fintech companies in your jurisdiction? mation that: • is secret, in the sense that it is not generally known among, or The Dutch Authority for Consumers and Markets (ACM) continuously readily accessible to, persons within the circles that normally deal monitors compliance with competition law by companies active in the with the kind of information in question; financial sector. It has established a specifically designated research • has commercial value because it is secret; and body, the Financial Sector Monitor (FSM). The FSM carries out economic • has been subject to reasonable steps by the holder of the informa- research into the operation of the financial markets and analyses the tion to keep it secret. risks to competition. Furthermore, the ACM has specific regulatory by payment system providers and interchange fees. The Trade Secrets Act contains measures and remedies to enforce trade In 2016, the ACM called for public input on how it can help to boost secrets. The secret holder can claim an injunction against further use or fintech companies’ contribution to competition in the financial sector, disclosure of a trade secret. The Trade Secrets Act includes the possi- whereby it indicated it would pay special attention: bility for the court to grant the winning party a full cost award of all • to barriers to entry that prevent the fintech sector from reaching reasonable and equitable legal and other costs. its full potential; and Measures are available in the Netherlands to prevent public • to risks involved with rapid technological change that may have disclosure of trade secrets during court procedures. For example, the adverse effects on competition and innovation. court may order oral hearings be conducted ‘behind closed doors’ and In addition, the ACM considered: www.lexology.com/gtdt 157 © Law Business Research 2020 Netherlands Simmons & Simmons LLP

• being more actively involved in the national implementation of • Innovation box: it allows companies to have profits derived from European regulation, such as the Revised Payment Services qualifying IP taxed at an effective corporate income tax rate of 7 Directive (PSD2), whereby it would try to make sure that the per cent instead of the regular corporate income tax rate of 16.5 competition perspective stays in focus; and per cent to 25 per cent. • conducting a market study. • Costs incurred in connection with the development of intangible assets may immediately be fully depreciated, instead of capitalised In this context, the ACM mentioned various competitive risks it identified and depreciated over a number of years. in the form of: • anticompetitive behaviour; In general, directors or majority shareholders of a company are deemed • high concentration and entry barriers; and to receive an annual salary from their company of at least €46,000 (in • consumer inertia. respect of which payroll taxes are payable) unless it can be demonstrated that others performing similar activities earn less. For directors Following this communication, the ACM has, to date, looked into the or majority shareholders of a start-up company, the deemed salary may following two specific issues. be lowered to the minimum wage in the Netherlands (€1,680.00 a month • Whether regulatory costs constitute barriers to entry for fintech as of 1 July 2020) as a result of which less payroll taxes are payable. A companies. The ACM ordered a study from EY that concluded that number of conditions must be met to qualify for each incentive. such regulatory costs do not constitute obstacles for new providers in the financial sector. Increased tax burden • Whether banks are limiting access of fintech companies – fron- 44 Are there any new or proposed tax laws or guidance that tend providers and end-to-end providers – to bank accounts and could significantly increase tax or administrative costs for thereby hinder competition in the payment market. fintech companies in your jurisdiction?

The ACM conducted a study and identified a risk of foreclosure of front- No. end providers. As a result, the ACM announced that it will actively monitor the behaviour of banks and how they deal with requests for IMMIGRATION access. In addition, the ACM: • proposed that, where possible in light of the PSD2 and the Sector-specific schemes European Commission’s Regulatory Technical Standards, further 45 What immigration schemes are available for fintech national implementation of EU law regarding access to bank businesses to recruit skilled staff from abroad? Are there any accounts should enable this access; special regimes specific to the technology or financial sectors? • indicated that a system of free access could result in the banks refusing access (which implies that the ACM proposes to allow the The following are the most common corporate immigration schemes banks to ask for compensation for the costs related to providing in and to the Netherlands (which are only relevant for those who are access); and not EU, EEA or Swiss nationals – third-country nationals – as all EU, • proposed that a light version of the banking licence could be EEA and Swiss nationals are free to reside and perform any activities in created for fintech companies so that they can offer payment the Netherlands for as long as they wish owing to the rules on the free accounts. movement of workers within the EU, which is expanded to the EEA and Switzerland). As regards end-to-end providers, the ACM considered that the risks of • Knowledge migrant scheme: this relates to the gross monthly foreclosure were limited. Nevertheless, it proposed to cut the red tape – salary (exclusive of holiday allowance, normally 8 per cent of the in addition to the above-mentioned light banking licence: salary) that is consistent with Dutch salary standards and with • by defining objective permit criteria that are related to the actual thresholds that vary from €2,423 to €4,612, depending on age and risks posed by end-to-end providers; and specific education (for the lowest threshold). Additionally, the formal • by making sure that, in the development of instant payments employer in most cases needs to be recognised as a sponsor. If the infrastructures in Europe, fintech companies are able to directly employer is not a sponsor, one can apply to become one or can make participate in the systems and arrangements for clearing and use of a recognised payroll company to fill up that gap, or both. settlement of payments under non-discriminatory and objective • Intra-corporate transfer scheme (Directive 2016/66/EU): if the conditions. employee is a specialist, manager or trainee and remains on the payroll of his or her employer outside the EU, he or she may be TAX transferred to the Netherlands under that scheme for up to three years (after which he or she can return to his or her home country Incentives or the residence permit can be prolonged, for example, under the 43 Are there any tax incentives available for fintech companies knowledge migrant scheme). No salary thresholds and no recog- and investors to encourage innovation and investment in the nised sponsorship is required, but, nevertheless, it is advisable for fintech sector in your jurisdiction? a faster procedure. Some form of intra-EU mobility is possible. This scheme is compulsory unlike other schemes if the application or There are no specific tax incentives applicable to fintech companies. situation falls within the scope of the Directive. However, there are some tax incentives available to ‘innovative’ compa- • Blue card scheme (Directive 2009/50/EC): the EU version of the nies. The key incentives are: US Green Card, but much more limited. Specific education require- • WBSO (R&D payroll tax credit): it allows an employer a payroll tax ments apply. The salary threshold in the Netherlands is now refund of 16 per cent to 40 per cent of the salary costs for the part €5.403,00 gross per month exclusive of holiday allowance. No of the salary costs that an employer has paid to its employees who recognised sponsorship is necessary but, nevertheless, is advis- conduct R&D activities. able. It is unpopular in the Netherlands owing to the much more

158 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Netherlands

flexible national knowledge migrant scheme and the intra-corporate transfer scheme. • International trade regulation: it is a relatively new scheme that may be used in certain situations where larger and mostly lower-paid groups of third-country nationals have come to the Netherlands owing to a certain project that has been assessed and approved by the Dutch authorities. The salary threshold is currently the Dutch statutory minimum wage of €1,653.60 gross per month, which will increase to €1,680 on 1 July 2020, excluding the 8 per cent holiday Aron Berket [email protected] allowance. Specific conditions apply, and no recognised sponsorship is necessary. Jeroen Bos • Short-term knowledge migrant scheme: it has the same salary [email protected] criteria as above, but it varies from €3,381 to €4,612 gross per Marline Hillen month, excluding holiday allowance. In the line with employers in [email protected] the meaning of the Dutch Foreigners Employment law, a recognised sponsor can apply for a permit for short-term assignments (for a Claude Debussylaan 247 maximum of three out of nine months spent in the Netherlands, and 1082 MC limited by visa and free term requirements of 90 out of 180 days). Amsterdam • Work or residence permit in the context of the delivery of goods, Netherlands including software: specific conditions apply. There are no salary Tel: +31 20 722 2500 criterion but that the salary should be consistent with Dutch sala- Fax: +31 20 722 2599 ries for the specific work and position. www.simmons-simmons.com • Researcher (Directive 2016/801/EU): this is mostly for researchers and scientists working at universities and other research institutions and companies. A specific, recognised sponsorship is necessary. The Netherlands has implemented specific immigration law to • Intra-EU service provision: people are exempted from the work ensure that UK nationals who were already living in the Netherlands permit obligation in the Netherlands if intra-EU service provision is before Brexit up to the transition period of 31 December 2020, will be performed under articles 56 and 57 of the Treaty on the Functioning able to continue their residency in the Netherlands relatively easily of the EU. A residence permit obligation is necessary after 90 out based on the Withdrawal Agreement. After 31 December 2020, UK of 180 days has been spent in the Netherlands. It is a very specific nationals will need to fulfill the same criteria as any other non-EU, EEA scheme for third-country nationals that are living and working citizen or Swiss national, as they will become third-country nationals legally in an EU member state and are temporarily performing themselves, except for in cases of applications for family reunification. services or work for their employer in a different member state. This situation is still subject to ongoing negotiations, and, therefore, may There is no salary threshold, and no recognised sponsorship is change in the near future. needed. As of 1 March 2020, all cross-border service providers need to notify all their employees, including EU, EEA and Swiss UPDATE AND TRENDS nationals (via www.postedworkers.nl) before starting work in the Netherlands. Failure to complete the notification on time will lead Current developments to a fine. For EU, EEA and Swiss nationals, a grace period applies 46 Are there any other current developments or emerging up to 1 September 2020 in which no fine will be imposed. This grace trends to note? period does not apply on third-country nationals. • There are also several specific training and trainee schemes. Significant current developments relating to fintech are currently being driven by the Dutch Authority for the Financial Markets (AFM) and the These are only the most common schemes for corporate migration out Dutch Central Bank (DNB). of about 40 schemes available in the Netherlands, some are based on On 16 January 2020, the AFM published its agenda that includes EU-law and some are purely based on national law. Every case needs key developments over the last year, one of which is the digitalisation to be assessed by an immigration specialist on an individual basis as of the financial sector. In this context, the AFM states that new forms a different scheme may suit better than one of the above-mentioned of financial service provisions or activities, such as crowdfunding and schemes. Additionally, there are several short-term work permit exemp- initial coin offerings, will continue to be of interest to the AFM. tions (incidental labour in the Netherlands), for example for business On 22 January 2020, the DNB published its Supervision Outlook meetings and installing software and instructions. Being legally in the 2020, in which the DNB confirms that it will continue to strengthen its Netherlands is totally different to working legally in the Netherlands; cooperation with the sector in relation to technological innovations via it is forbidden for every third-country national – including American, the iForum. Canadian, Australian, Japanese, etc, nationals – to perform any work in the Netherlands without a work permit, a work permit exemption or a Dutch residence permit with the suitable labour market annotation, very specific exemptions left aside. Sanctions in the case of non-compliance are high – normally €8,000 per illegal working foreigner and per employer in the meaning of the Dutch Foreigners Employment Act – but are in most cases of an administrative rather than a criminal nature. Additional sanctions may include shutting down the operations of the company in the Netherlands for up to three months. www.lexology.com/gtdt 159 © Law Business Research 2020 Netherlands Simmons & Simmons LLP

Numerous emergency laws, programmes and other initiatives have been implemented to address the covid-19 crisis. However, these do not specifically concern fintech companies. For example, a recent development in intellectual property is the update of the procedural rules for conducting appeal proceedings to allow for repeated extensions for filing deadlines. First instance courts now provide the option for hearings via videoconferencing.

160 Fintech 2021 © Law Business Research 2020 New Zealand

Derek Roth-Biester and Megan Pearce Anderson Lloyd Lawyers

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies 1 What is the general state of fintech innovation in your 3 Which bodies regulate the provision of fintech products and jurisdiction? services?

Fintech in New Zealand is in a very healthy state, driven largely by the There are several regulators, depending on the type of products and country’s strong start-up ecosystem, a broad base of industry partici- services being offered. The Financial Markets Authority (FMA) is the pants and a push from both the government and industry to develop a securities regulator, which supervises offers of financial products in New stronger technology export sector. The industry association FinTechNZ Zealand and is responsible for licensing the provision of certain financial acts as a focal point for the fintech community in New Zealand, services and the enforcement of certain prudential and fair dealing stand- connecting banks, insurers and managers with investors, innovators ards. The Reserve Bank of New Zealand is responsible for the supervision and regulators and promoting NZ fintech to the world. This promotion and prudential regulation of banks, non-bank deposit takers and insurers, is made easier because of New Zealand’s excellent international reputa- as well as generally maintaining the robustness of New Zealand’s finan- tion for being a good place to do business and for having: cial system. Other regulators include the Department of Internal Affairs • a strong financial system; (anti-money laundering) and the Commerce Commission (competition). • low corruption; and • open and approachable regulators. Regulated activities 4 Which activities trigger a licensing requirement in your Government and regulatory support jurisdiction? 2 Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key Under the Financial Markets Conduct Act 2013 (FMCA) and subsidiary benefits of such support? regulations, if a person provides to retail investors any financial advice, crowdfunding services, ‘robo advice’, discretionary investment manage- Government departments (eg, the Ministry of Business and Innovation) ment services or peer-to-peer (P2P) lending services, or if they operate and regulators (eg, the Financial Markets Authority) have demonstrated a managed investment scheme for, issue derivatives (eg, a contract for their strong support for NZ fintech through proactively engaging with difference or forex futures) to or take deposits from retail investors, they industry participants and associations, such as FinTechNZ and its must be licensed by the FMA. Further, any person who carries on insur- FinTech Regulatory Roundtable. ance business in New Zealand must be licensed by the Reserve Bank of New Zealand's Innovation Fund, an initiative set up as a joint New Zealand. Any business that provides financial services (whether in programme by the New Zealand government and Westpac bank, New Zealand or from New Zealand to other countries) is also required provides funding to participants in the fintech sector to support initia- by the Financial Service Providers (Registration and Dispute Resolution) tives with a focus on the fund's themes, being digital identity, digital Act 2008 (FSP(RDR)A) to be registered on the Financial Services inclusion, optimising payment systems, and processes and data. Provider Register (FSPR). With registration comes certain obligations, Otherwise, the Reserve Bank of New Zealand, while striking a note including joining a dispute resolution scheme (if the business has retail of caution about fintech, has nevertheless recognised the efficiencies clients) and filing an annual confirmation of its details and services. that it might bring to NZ banking and payments systems. However, government regulators have stopped short of creating a sandbox, and Consumer lending fintech companies are encouraged to engage with them early on to 5 Is consumer lending regulated in your jurisdiction? inform their thinking about potential routes through the regulatory environment. Consumer lending is regulated primarily under the Credit Contracts and Consumer Finance Act 2003 (CCCFA), which applies to a range of transactions where money is loaned for personal use, such as consumer credit contracts, consumer leases and buy-back transactions. Among other things, the CCCFA: • requires those to whom it applies to act responsibly and disclose certain information to borrowers; and • provides general rules for credit contracts.

www.lexology.com/gtdt 161 © Law Business Research 2020 New Zealand Anderson Lloyd Lawyers

Notwithstanding the overhaul of the CCCFA by the Credit Contracts Crowdfunding Legislation Amendment Act 2019 (which received Royal Assent in 10 Describe any specific regulation of crowdfunding in your December 2019), the CCCFA still does not apply to buy now, pay later jurisdiction. companies, such as Afterpay, Laybuy and Partpay. However, the new Act includes a ‘call-in’ provision (despite strong protests at bill submission The FMCA regulates equity-based crowdfunding (ie, where companies stage from Afterpay and others) that came into force on 1 June 2020, raise money from retail investors through the issuance of shares) as a which allows new credit products such as these to be brought within the financial market service. Reward-based crowdfunding is not covered, remit of the CCCFA through new regulations. nor is any fundraising for charitable or philanthropic purposes if donors do not receive shares. Under the FMCA, companies may raise up to Secondary market loan trading NZ$2 million in any 12-month period on a licensed crowdfunding service 6 Are there restrictions on trading loans in the secondary provider’s platform with minimal regulatory hurdles (eg, not having to market in your jurisdiction? issue a product disclosure statement). Licensed crowdfunding platforms, in addition to meeting certain minimum standards and conditions There are no specific restrictions on trading loans, other than in relation for their licence, have several ongoing obligations, including notifying to P2P lending. Traders of lending books must ensure that they: the FMA of certain events (as well as providing an annual regulatory • contractually have the right to assign the loans; and return) and relating to financial reporting, fair dealing and anti-money • comply with the applicable data privacy obligations. laundering.

P2P lending markets such as Harmoney and Squirrel must be licensed Invoice trading providers of a P2P lending service. 11 Describe any specific regulation of invoice trading in your jurisdiction. Collective investment schemes 7 Describe the regulatory regime for collective investment There is no specific regulation of invoice trading; however, under the schemes and whether fintech companies providing FSP(RDR)A, invoice trading will likely constitute a financial service alternative finance products or services would fall within its (being a creditor under a credit contract) and invoice traders will be scope. required to register on the FSPR as financial services providers. With registration comes certain obligations, including joining a dispute reso- Collective investment schemes, in which money from several investors lution scheme (if the business has retail clients) and filing an annual is pooled together and those investors are reliant on the investment confirmation of its details and services. expertise of a scheme manager, are regulated chiefly as managed investment schemes. The FMCA’s definition of these schemes is broad Payment services enough to capture most open and closed-ended collective investment 12 Are payment services regulated in your jurisdiction? schemes and those involving participatory securities. Fintech companies providing P2P lending or crowdfunding platforms are not regulated There is no specific regulation of payment services along the lines of as managed investment schemes, but instead are regulated under the the revised EU Payment Services Directive (2015/2366/EU); however, relevant licensing regimes for those platforms. under the FSP(RDR)A, such services will constitute financial services (as they involve issuing and managing a means of payment) and payment Alternative investment funds services providers will be required to register on the FSPR as finan- 8 Are managers of alternative investment funds regulated? cial services providers. With registration comes certain obligations, including joining a dispute resolution scheme (if the business has retail Yes, managed investment scheme managers must register on the FSPR clients) and filing an annual confirmation of its details and services. as a provider of financial services and (where they will make a regulated offer to retail investors) be licensed by the FMA. Managers must Open banking also meet and maintain certain minimum standards (including fitness 13 Are there any laws or regulations introduced to promote and propriety of directors and senior managers) and have obligations competition that require financial institutions to make relating to financial reporting, fair dealing and anti-money laundering. customer or product data available to third parties?

Peer-to-peer and marketplace lending Not yet, as the government has preferred to allow the industry to take 9 Describe any specific regulation of peer-to-peer or the lead. The implementation of open banking is being spearheaded by marketplace lending in your jurisdiction. Payments NZ (a company formed in 2010 by ANZ, ASB, BNZ, Citibank, HSBC, Kiwibank, TSB Bank and Westpac with the support of the P2P lending is regulated by the FMA as a financial market service under Reserve Bank of New Zealand), which launched its API Centre in May the FMCA. Anyone wishing to operate in such a market must be licensed 2019. This is a suite of industry-standardised application program inter- as a provider of P2P lending services. Borrowers that use a licensed faces (APIs) for payment-related services, which is designed to manage service are exempt from the requirement to issue a product disclosure a move to greater openness in banking and payments and to create an statement (which they would otherwise be required to do, as it would be API-enabled ecosystem in New Zealand. Payments NZ is responsible seen as the issue of a debt security to the public). In addition to meeting for the governance of the API Centre but has delegated it to an API certain minimum standards and conditions for their licence, licensed Council comprising banks, non-bank third parties and independent P2P platforms have several ongoing obligations, including notifying members. The API Council gets recommendations from a business and the FMA of certain events (as well as providing an annual regulatory a technical group, and has an independent subcommittee to handle return) and relating to financial reporting, fair dealing and anti-money sensitive issues. laundering. Payments NZ published version 2.0 of their API standards for Payment Initiation and Account Information in May 2020, and these

162 Fintech 2021 © Law Business Research 2020 Anderson Lloyd Lawyers New Zealand standards were added to their API Centre sandbox in July 2020. This • entitling individuals to a free credit score (if the credit reporter has will allow users and community contributors to first test their fintech a practice of releasing such scores to subscribers); innovations against the API standards to ensure that their solutions • reducing the time limit for access to credit information from 20 to function as expected without having to first negotiate terms of access 10 working days; and with a bank. Payments NZ continues to work on a broader develop- • giving reporters the right to charge for expedited access requests ment pipeline of other API standards and iterations, including customer (ie, within three working days). experience guidelines to support the use of the standardised APIs in the market. CROSS-BORDER REGULATION

Robo-advice Passporting 14 Describe any specific regulation of robo-advisers or other 17 Can regulated activities be passported into your jurisdiction? companies that provide retail customers with automated access to investment products in your jurisdiction. Overseas issuers of financial products wishing to extend offers to New Zealand must do so under an official recognition scheme or an exemp- Robo-advice is expressly permitted under the Financial Advisers tion from the Financial Markets Authority (FMA). There are two such (Personalised Digital Advice) Exemption Notice 2018. Robo-advisers schemes in place: must apply to the FMA for approval under that exemption – currently • the Trans-Tasman Mutual Recognition Arrangement with Australia, there are nine approved, including NZ fintech company Sharesies. The which allows an Australian issuer to extend its offers into New application process typically involves an assessment of the applicant's Zealand, provided that they comply with Australian laws and adherence to certain minimum standards, including the good character certain reporting and filing obligations in New Zealand; and of the directors and senior managers of the applicant, their skills and • with effect from July 2019, the Asia Region Funds Passport, under experience, and the applicant's risk management processes and IT which a managed fund in the participating countries (ie, Australia, systems. For some of these criteria the standards might be relaxed for Japan, South Korea and Thailand) may extend the offer to New smaller applicants. The exemption notice will be revoked when the new Zealand provided that they: financial advice regime, which will be brought into effect in April 2021 • register in their home jurisdiction as a passport fund; by the Financial Services Legislation Amendment Act 2019, comes into • apply to the FMA for authorisation; and force. Therefore, there may be additional requirements relating to the • comply with certain initial and ongoing requirements provision of robo-advice under the new regime. (including registering on the Financial Services Provider Register (FSPR), joining a dispute resolution scheme and Insurance products appointing an agent for service in New Zealand). 15 Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated? As of the date of writing, no foreign passport funds have been approved for NZ entry. Fintech companies that carry on insurance business in New Zealand are subject to the supervision of the Reserve Bank of New Zealand Requirement for a local presence and must be licensed. Whether this applies to an insurtech entity will 18 Can fintech companies obtain a licence to provide financial depend on its business activities – under Section 8(1) of the Insurance services in your jurisdiction without establishing a local (Prudential Supervision) Act 2010 (IPSA) it will be held to be carrying presence? on insurance business if it acts as an insurer either in or outside New Zealand or is otherwise liable as an insurer under a contract of insur- Any fintech company that provides financial services to New Zealand ance to a NZ policy holder. Regulation takes the form of a risk-based from overseas is required to register on the FSPR. If its activities in New supervisory regime established under the IPSA, requiring the licensee Zealand constitute ‘carrying on business’ within the meaning of section to meet certain criteria relating to: 332 of the Companies Act 1993, it must register with New Zealand’s • governance; Registrar of Companies as an overseas company (effectively a NZ branch • the fitness and propriety of their officers and managers; of the foreign company). Registration imposes obligations on the company • capital adequacy; and to submit annual financial statements to the Companies Office and may • liquidity. bring it within the remit of New Zealand’s anti-money laundering laws.

Credit references SALES AND MARKETING 16 Are there any restrictions on providing credit references or credit information services in your jurisdiction? Restrictions 19 What restrictions apply to the sales and marketing of Under the Privacy Act 1993, the privacy commissioner has promulgated financial services and products in your jurisdiction? the Credit Reporting Privacy Code to apply specific privacy rules to credit reporters that sell personal credit information (the three credit Part 2 of the Financial Markets Conduct Act 2013 contains several fair reporters operating in New Zealand are Centrix, Equifax and Illion). The dealing requirements that apply to such sales and marketing. Financial Code aims to provide individuals with greater assurances around the service providers must not engage in misleading conduct or make use of their personal credit information by these credit reporting agen- any false, deceptive or unsubstantiated statements about the financial cies. Since its inception in 2004, the Code has been amended 14 times, product or service, irrespective of the type of investor that they are with a series of amendments in 2019 (Amendment 14 took effect on offering to or where they are located. Further, the Fair Trading Act 1986 1 October 2019) following a major review by the commissioner. These (FTA) prohibits misleading and deceptive conduct in trade and applies recent amendments were designed (among other things) to keep the to the trading of assets, commodities and other goods and services. system fair and give enhanced rights to consumers, including by: Obligations under the FTA are enforced by the Commerce Commission. www.lexology.com/gtdt 163 © Law Business Research 2020 New Zealand Anderson Lloyd Lawyers

Other general consumer laws that prohibit fraudulent conduct (eg, • to assess and mitigate money laundering and terrorism financing obtaining money by deception) may apply. risks.

CHANGE OF CONTROL The other two supervisors (ie, the Financial Markets Authority and the Reserve Bank of New Zealand) to whom the AMLCFTA gives respon- Notification and consent sibility for providing industry guidance have also given more general 20 Describe any rules relating to notification or consent guidance on several other anti-money laundering topics, including: requirements if a regulated business changes control. • risk assessment; • enhanced customer due diligence; Persons or entities that wish to provide a financial market service in New • beneficial ownership; and Zealand (ie, peer-to-peer lending or crowdfunding) must be licensed as • suspicious activity reporting. providers of such services under the Financial Markets Conduct Act 2013 (FMCA). Each regulated business holding a market service licence Other guidelines published by the Police Financial Intelligence Unit may issued under the FMCA must notify and report to the Financial Markets also be relevant. Authority (FMA) on the occurrence of ‘a material change in circumstances’. This is defined under the FMCA as including any change in PEER-TO-PEER AND MARKETPLACE LENDING the licensee’s directors and senior managers or the fulfilment of the eligibility criteria in respect of which the licence was originally granted. Execution and enforceability of loan agreements Holders of a market service licence must report to the FMA as soon as 23 What are the requirements for executing loan agreements or is practical if the relevant licensee proposes to (among other things): security agreements? Is there a risk that loan agreements • change its legal structure; or security agreements entered into on a peer-to-peer or • enter into any major transaction; or marketplace lending platform will not be enforceable? • enter into a transaction that has the effect of a person obtaining or losing control of the licensee. Simple loan agreements require only the signature of the parties, while security documents such as a general or specific security agreement are On receipt of such reporting, the FMA may suspend, vary or revoke the executed as deeds and require individuals‘ signatures to be witnessed. licensee’s market services licence if it considers that, in light of the Secured parties should register a financing statement for their security relevant change, the licensee can no longer meet its licence conditions interests on the Personal Property Securities Register to maximise the or any of the minimum criteria in respect of which the original licence priority to be given to that security, as the order of registration determines was granted. priority. Provided that these basic criteria are met, the NZ courts will generally give effect to and enforce such loan and security documents. FINANCIAL CRIME Assignment of loans Anti-bribery and anti-money laundering procedures 24 What steps are required to perfect an assignment of 21 Are fintech companies required by law or regulation to have loans originated on a peer-to-peer or marketplace lending procedures to combat bribery or money laundering? platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these Yes, if fintech companies carry on one of the many specified activities loans without informing the borrower? (including issuing or managing means of payment, such as electronic money) that would bring them within the definition of a ‘financial insti- Under the Property Law Act 2007, notice to a borrower is not required tution’ under the Anti-money Laundering and Countering Financing of for an absolute assignment to be effective as a true sale; however, notice Terrorism Act 2009 (AMLCFTA), they must have procedures to combat must be given to the borrower to perfect such assignment. If there is any bribery or money laundering. If it is a financial institution, a fintech underlying security assigned, further steps might be required to perfect company has certain obligations under the AMLCFTA, including: that security. If the assignment is not perfected, it will be subject to any • conducting a review and assessment of the risk of money laun- further equities that may have arisen in priority to the purchaser’s claim. dering specific to its business; • implementing a compliance programme; Securitisation risk retention requirements • undertaking due diligence on its customers (which could be simpli- 25 Are securitisation transactions subject to risk retention fied, standard or enhanced); requirements? • monitoring transactions; and • filing suspicious activity reports. Non-bank issuers are not subject to any specific NZ laws or regulations relating to credit risk retention. Guidance 22 Is there regulatory or industry anti-financial crime guidance Securitisation confidentiality and data protection requirements for fintech companies? 26 Is a special purpose company used to purchase and securitise peer-to-peer or marketplace loans subject to a duty of The Department of Internal Affairs, which is the lead AMLCFTA contact confidentiality or data protection laws regarding information for virtual asset service providers (VASPs), published guidance in relating to the borrowers? November 2019 stating that financial services provided by VASPs fall within the existing definition of a ‘financial institution’ in the AMLCFTA. Any person that processes personally identifiable information (PII) will As a result, VASPs have AMLCFTA responsibilities, including: be an agency under the Privacy Act 1993 and must therefore comply • to report suspicious activities and certain transactions; with the 12 information privacy principles set out in the Act. There are • to verify the identity of customers in certain circumstances; and no specific restrictions under the Privacy Act on an agency’s ability to

164 Fintech 2021 © Law Business Research 2020 Anderson Lloyd Lawyers New Zealand disclose PII, beyond a general restriction against disclosure for any apply to international transfers of digital assets. BlockchainNZ purpose that is not one of the purposes in connection with which the understands that the DIA will nevertheless take a pragmatic information was obtained. The current Privacy Act will be replaced by approach to VASP’s implementation of this rule, particularly in light the Privacy Act 2020 in December 2020, which will introduce further of current business disruptions that many are facing; and restrictions against the disclosure of PII to overseas persons (other • an international delegation from the Financial Action Task Force than cloud storage providers or other overseas processors). visited New Zealand in March 2020 to undertake a review of New Zealand’s approach to preventing money laundering and terrorist ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER financing. The delegation met with representatives of BlockchainNZ TECHNOLOGY AND CRYPTO-ASSETS to discuss the approaches taken in New Zealand. The outcome of the evaluation is expected to result in changes to New Zealand’s Artificial intelligence anti-money laundering regulations. 27 Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice? Further developments in this area are expected as blockchain and DLT become more widespread. There are no specific rules or regulations governing the use of artificial intelligence. In relation to robo-advice, however, applicants must Crypto-assets describe their digital advice service as part of the application – including 29 Are there rules or regulations governing the use of crypto- any use of artificial intelligence – and the Financial Markets Authority assets, including digital currencies, digital wallets and (FMA) will assess the service against certain minimum standards e-money? around functionality and cyber resilience. Robo-advice is expressly permitted under the Financial Advisers In October 2017 the FMA issued guidance on cryptocurrencies, initial (Personalised Digital Advice) Exemption Notice 2018. Robo-advisers coin offerings (ICOs) and related services. The FMA’s view is that any must apply to the FMA for approval under that exemption – currently provision of a financial service relating to cryptocurrencies in New there are nine approved, including NZ fintech company Sharesies. The Zealand will require compliance with the fair dealing requirements application process typically involves an assessment of the applicant's under the Financial Markets Conduct Act 2013 (FMCA) and (potentially) adherence to certain minimum standards, including the good character with obligations under the Financial Service Providers (Registration of the directors and senior managers of the applicant, their skills and and Dispute Resolution) Act 2008 (FSP(RDR)A). The guidance states that experience, and the applicant's risk management processes and IT wallet providers that store cryptocurrency or money on behalf of others, systems. For some of these criteria the standards might be relaxed for or that facilitate exchanges between cryptocurrencies or between fiat smaller applicants. The exemption notice will be revoked when the new and crypto, will be operating a value transfer service. This is a type financial advice regime, which will be brought into effect in April 2021 of financial service within the meaning of the FSP(RDR)A and requires by the Financial Services Legislation Amendment Act 2019, comes into providers to register under that Act. Further, if a person holds money force. Therefore, there may be additional requirements relating to the for depositors, they may be offering debt securities (which are financial provision of robo-advice under the new regime. products regulated under the FMCA). Although, if those funds are held in trust, the wallets may not be debt securities. Distributed ledger technology The DIA confirmed in November 2019 that the Anti-money 28 Are there rules or regulations governing the use of Laundering and Countering Financing of Terrorism Act 2009 (AMLCFTA) distributed ledger technology or blockchains? imposes certain anti-money laundering checks and obligations on VASPs. These responsibilities include: Not as yet. However, it is on the regulatory radar – for example, the • to report suspicious activities and certain transactions; Reserve Bank of New Zealand (which has responsibility for providing • to verify the identity of customers in certain circumstances; and critical payment system infrastructure and maintaining the soundness • to assess and mitigate money laundering and terrorism financing of New Zealand’s financial system) has considered the role of distributed risks. ledger technology (DLT) in improving payments processes and how the use of DLT could affect the stability of payment systems. Furthermore, Digital currency exchanges Crown innovation entity Callaghan Innovation published a report in 30 Are there rules or regulations governing the operation of December 2018 (funded in part by Ministry of Business and Innovation) digital currency exchanges or brokerages? exploring the opportunities for DLT and blockchain in New Zealand. The industry association, BlockchainNZ, has been engaging with Under the FMA’s guidance, if a person arranges cryptocurrency transac- NZ government agencies such as the Financial Markets Authority, the tions, they are also operating a value transfer service and are regulated Department of Internal Affairs and the Reserve Bank, to discuss regula- under the FSP(RDR)A. Further, if a person provides transaction services tory approaches to blockchain. It is clear there is much interest from the relating to cryptocurrencies or tokens that also qualify as financial prod- regulators and a desire to work together to ensure New Zealand has the ucts under the FMCA, they may have obligations as a broker under the right structures in place. For example: Financial Advisers Act 2008. • the Inland Revenue Department issued a consultation paper in early Exchanges or brokerages would be considered to be VASPs, 2020 to seek input on a proposal to exclude cryptocurrencies (crypto- which the DIA confirmed in November 2019 are covered by the anti- assets) from goods and services tax and the financial arrangement money laundering checks and obligations on VASPs required under rules to ensure these rules do not impose barriers to developing the AMLCFTA. new products, raising capital or investing through crypto-assets; These responsibilities include: • the Department of Internal Affairs (DIA) has published guidance for • to report suspicious activities and certain transactions; the virtual asset service provider (VASP) sector (including cryptocur- • to verify the identity of customers in certain circumstances; and rency exchanges, brokers and token issuers). Under the guidance, • to assess and mitigate money laundering and terrorism the existing rules applying to international wire transfers will also financing risks. www.lexology.com/gtdt 165 © Law Business Research 2020 New Zealand Anderson Lloyd Lawyers

Initial coin offerings Further, the Financial Markets Authority conducted a thematic review 31 Are there rules or regulations governing initial coin offerings of cyber resilience in New Zealand’s financial services, culminating (ICOs) or token generation events? in a report issued in July 2019 containing guidance for regulated entities where they identified the need for improvement. The report There are no specific rules or regulations relating to ICOs, as the FMA recommended that market participants make use of a recognised cyber- has instead preferred to analyse offers of tokens under the current security framework to assist in planning, prioritising and managing their FMCA regulation of financial products. How an ICO will be regulated will cyber resilience. depend on whether: • the token on offer is a financial product (which will depend on the OUTSOURCING AND CLOUD COMPUTING characteristics and economic substance of the token); • the entity is providing a financial service (which will depend on the Outsourcing structure and features of the ICO); and 34 Are there legal requirements or regulatory guidance with • the investor is retail or wholesale and based in New Zealand respect to the outsourcing by a financial services company of or overseas. a material aspect of its business?

Tokens cannot be offered through crowdfunding platforms. The FMA’s The Reserve Bank of New Zealand has published an outsourcing policy guidance on cryptocurrencies specifically addresses both ICOs and how (last revised in April 2020), to which large banks (ie, those incorporated the fair dealing obligations apply to them. as a company in New Zealand with net liabilities exceeding NZ$10 billion) ICO providers are considered to be VASPs, which the DIA confirmed must comply as a condition of their registration. The policy aims to: in November 2019 are covered by the anti-money laundering checks and • ensure that the outsourcing does not compromise a bank’s ability obligations on VASPs required under the AMLCFTA. to be effectively administered and operated; These responsibilities include: • facilitate the carrying on of basic banking services by any new • to report suspicious activities and certain transactions; owner of all or part of a bank; and • to verify the identity of customers in certain circumstances; and • address the impact that the failure of an outsourced service • to assess and mitigate money laundering and terrorism provider may have on a bank’s ability to carry on all or part of financing risks. its business.

DATA PROTECTION AND CYBERSECURITY The Financial Markets Authority (FMA) also has certain rules relating to outsourcing (eg, by requiring certain licensees to ensure that their Data protection outsourced functions are adequate, effective and comply with their 32 What rules and regulations govern the processing and licence obligations). transfer (domestic and cross-border) of data relating to fintech products and services? Cloud computing 35 Are there legal requirements or regulatory guidance with There are no specific restrictions under the Privacy Act 1993 on an agen- respect to the use of cloud computing in the financial services cy’s ability to transfer personally identifiable information (PII) outside industry? New Zealand. However, the Privacy Act will be replaced in December 2020 by the new Privacy Act 2020, which introduces further restrictions There are no legal requirements or regulatory guidance with respect to against the disclosure of PII to overseas persons. Under the Privacy Act cloud computing, although any outsourcing arrangements that imple- 2020, agencies would be able to disclose PII to an overseas person only if: ment cloud computing must comply with the Reserve Bank of New • the individual concerned authorised the disclosure; Zealand’s policy and any requirements imposed by the FMA. • the overseas person was a prescribed country; or Cyber risk (eg, that arises from the use of cloud computing) was • the agency believed on reasonable grounds that the overseas one of the issues stemming from fintech that was identified in 2017 by person was required to protect the PII in a manner comparable to the Financial Stability Board as meriting closer attention. In July 2019 that required by the agency under NZ law. the FMA published guidance on cyber resilience in FMA-regulated financial services, which, among other things, strongly encouraged market The new Act will also provide that the proposed restrictions against the participants to use a recognised cybersecurity framework to assist with disclosure of PII to overseas persons should not apply to transfers to planning, prioritising and managing their cyber resilience. cloud storage providers or other overseas processors. Furthermore, in light of the move to remote working for much of the New Zealand workforce caused by covid-19, the New Zealand National Cybersecurity Cyber Security Centre published a cybersecurity guide in March 2020 to 33 What cybersecurity regulations or standards apply to fintech help organisations consider the specific risks around staff working from businesses? remote locations, including the deployment at pace and use of cloud- computing as part of a remote working solution. The Crimes Act 1961 provides for several cybersecurity regulations that Further developments in this area are expected. apply to all business operating in New Zealand. These include: • the criminal offences of accessing a computer system for a dishonest purpose or without authorisation; • damaging or interfering with a computer system; • making, selling, distributing or possessing software for committing a crime; and • using an interception device.

166 Fintech 2021 © Law Business Research 2020 Anderson Lloyd Lawyers New Zealand

INTELLECTUAL PROPERTY RIGHTS infringement of the trade secret constituted a breach of that contract) or for the tort of breach of confidence. The courts recognise an obliga- IP protection for software tion on a person that unlawfully receives confidential information not 36 Which intellectual property rights are available to protect to take unfair advantage of it and can grant injunctions to give effect to software, and how do you obtain those rights? these obligations.

Software is principally protected by NZ copyright laws. Under the Branding Copyright Act 1994, a computer program is a literary work and 40 What intellectual property rights are available to protect protected as such on creation. Subject to special rules for authors who branding and how do you obtain those rights? How can are employees or contractors, the person who is the author of the work fintech businesses ensure they do not infringe existing is the first owner of the copyright in that work and may freely licence or brands? assign that copyright. Copyright protection is 50 years from the end of the calendar year in which the author dies. The Trademarks Act 2002 provides for a system of registration of trade- Under the Patents Act 2013, computer programs as such are not marks. These are not limited to words or logos, but can include symbols, patentable in New Zealand. However, if a claim in an application imple- phrases, shapes or sounds. There is no requirement to register a mark ments software in the invention, it may be patentable. The issue will – unregistered marks can be protected using the common law tort of depend largely on whether the actual contribution made to the inven- passing off. However, registration gives the owner the exclusive right tion lies solely in it being a computer program – if so, no patent can to use the mark in New Zealand in the class in which it is registered be granted. and a defence against infringement claims. Fintech companies looking to avoid brand infringement can do an online search of the trademark IP developed by employees and contractors register maintained by the IP Office of New Zealand (IPONZ) or ask 37 Who owns new intellectual property developed by an IPONZ to conduct a clearance search before registering their own trade- employee during the course of employment? Do the same mark. Domain name searches and searches of the Companies Office rules apply to new intellectual property developed by register can also be conducted to determine if the desired domain and contractors or consultants? company name are registerable.

Under Section 21(2) of the Copyright Act, if an employee creates protect- Remedies for infringement of IP able work in the course of their employment, their employer is the first 41 What remedies are available to individuals or companies owner of the copyright in that work. A similar but narrower provision whose intellectual property rights have been infringed? is contained in Section 21(3) in relation to contractors and consultants. This section provides that if a person commissions and pays or The usual civil remedies are available, including: agrees to pay for one of the artistic works specified in that section (ie, • monetary damages; a computer program, photograph, painting, drawing, diagram, map, • summary judgment; chart, plan, engraving, model, sculpture, film or sound recording) and • injunctive relief (including ex parte); the work is made in pursuance of that commission, the commissioner is • specific performance (eg, delivery up of infringing articles and the first owner of the copyright in that work. For any other kind of work corrective advertising); and capable of copyright protection, provision regarding IP ownership must • civil search and seizure orders. be made in the applicable consulting agreement. Rights holders may also plead misleading and deceptive conduct in Joint ownership trade in breach of the Fair Trading Act 1986. The Copyright Act also 38 Are there any restrictions on a joint owner of intellectual provides for criminal liability for the infringement of copyright works for property’s right to use, license, charge or assign its right in commercial gain. intellectual property? COMPETITION This will depend on the type of intellectual property in question. For example, under the Copyright Act, an exclusive licence of a copyrighted Sector-specific issues work is required to be in writing signed by or on behalf of all of the joint 42 Are there any specific competition issues that exist with owners, but otherwise the joint owners are free to use, licence, charge respect to fintech companies in your jurisdiction? or assign their rights in that work. Under Section 24 of the Patents Act, without any agreement to the contrary, co-owners of patents are each There is no fintech-specific competition regulation in New Zealand. entitled to exercise the exclusive rights given by the patent for their own However, if fintech and open banking take off in New Zealand it will have benefit without accounting to the others, but cannot assign or grant a competition law implications, which will be of interest to New Zealand’s patent licence without the consent of all of the co-owners. competition regulator, the Commerce Commission. Competition law in New Zealand is governed by the Commerce Act 1986 and its subsid- Trade secrets iary regulations and is already applied by the commission to regulate 39 How are trade secrets protected? Are trade secrets kept behaviour in the sector. In early July 2019 the commission indicated confidential during court proceedings? that it would commence High Court proceedings against payday lender NZ Fintech Limited (trading as Moola), alleging breaches of the Trade secrets are not protected by statute but by common law prin- lender responsibility principles in the Credit Contracts and Consumer ciples of breach of confidence and the laws of contract (including Finance Act 2003. under contracts of employment). Trade secret owners do not need to – and cannot – register their trade secrets for them to be protected. Instead, they must bring an action for breach of contract (where the www.lexology.com/gtdt 167 © Law Business Research 2020 New Zealand Anderson Lloyd Lawyers

TAX

Incentives 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

Starting with the 2019/20 tax year, fintech and other businesses can take advantage of the research and development (R&D) tax incen- Derek Roth-Biester tive, which was brought in by the coalition government to grow New [email protected] Zealand’s investment in R&D. This is a tax credit equal to 15 per cent of Megan Pearce eligible R&D spending up to NZ$120 million. To be eligible, businesses [email protected] must spend more than NZ$50,000 per year on ‘eligible R&D’, although spending under this level may still be eligible if the R&D is done through Level 3 an approved research provider on a business’s behalf. The eligible R&D Australis Nathan Building must be carried out in New Zealand, subject to a 10 per cent cap on the 37 Galway Street total eligible R&D spending being carried out outside New Zealand. Britomart Auckland 1010 Increased tax burden New Zealand 44 Are there any new or proposed tax laws or guidance that Tel: +64 9 338 8300 could significantly increase tax or administrative costs for www.al.nz fintech companies in your jurisdiction?

In February 2019 the coalition government outlined a draft implementation of a new digital services tax, intended to capture what is thought remote working arrangements, and consumers' purchase of goods and to be lost revenue from online platforms, social networks and content services (including financial services) is shifting online. Furthermore, sharing platforms. One of the suggestions was a flat 2 to 3 per cent tax New Zealand's traditional revenue sources such as tourism and primary on the gross turnover of these digital businesses; however, the final industries have been greatly negatively affected by the effects of covid- form will become clear only if (and when) the tax comes into force. 19, driving the narrative that the country now needs to diversify our economy so that it is not as reliant on these traditional powerhouse IMMIGRATION industries. The coalition government has made no secret of its desire for New Zealand to become a technology centre of excellence and can Sector-specific schemes be expected to proactively push tech as part of its agenda for the next 45 What immigration schemes are available for fintech three years. All of these developments are expected to have flow-on businesses to recruit skilled staff from abroad? Are there implications for fintech in New Zealand. any special regimes specific to the technology or financial sectors? Coronavirus 47 What emergency legislation, relief programmes and other Immigration New Zealand maintains lists of skill shortages and there are initiatives specific to your practice area has your state many technology-related jobs on those lists. Depending on the particular implemented to address the pandemic? Have any existing role and a person’s age, qualifications and post-graduate work experi- government programmes, laws or regulations been amended ence, immigrants may be able to enter New Zealand on a Skilled Migrant to address these concerns? What best practices are advisable Category Resident Visa (which is points based and allows an indefinite for clients? length of stay) or under the Long Term Skill Shortage List Work Visa (which is a temporary work to residence visa valid for up to 30 months The coalition government and regulators have been very busy imple- and requires that the applicant has an existing offer of one of the jobs on menting legislation and regulations and guidance to address the the list). Other visas may be available for jobs that are not listed. impacts of the covid-19 pandemic. For example: • the government has implemented a number of financial pack- UPDATE AND TRENDS ages, including two wage subsidy schemes and a business debt hibernation scheme, which allows businesses affected by covid-19 Current developments to manage their debts by placing them into hibernation for up to 46 Are there any other current developments or emerging seven months; and trends to note? • the Financial Markets Authority has published various guidance notes on their expectations for financial services firms in light of New Zealand’s legislative and regulatory environment is constantly the covid-19 crisis, including: changing. There are upcoming law changes, including a new Privacy Act • prioritising a review of customer vulnerability practices; 2020 and changes to the regime for the regulation of financial advisers • providing ‘no-action’ relief where a market participant to retail clients in April 2021. Further, through its global cooperation breaches, or expects to breach, a regulatory obligation as a with other financial regulators and membership of the International result of covid-19; Organisation of Securities Commissions, the Financial Markets • ensuring insurers' continued good conduct in responding to Authority is keeping a keen eye on developments in the regulation of the needs of their customers during the crisis; fintech overseas. The wide-ranging impact of the covid-19 pandemic is • providing temporary regulatory relief in respect of certain also relevant, with many employers transitioning their employees to reporting deadlines;

168 Fintech 2021 © Law Business Research 2020 Anderson Lloyd Lawyers New Zealand

• providing guidance on hardship withdrawals from Kiwisaver accounts; and • deferring certain regulatory initiatives affecting the financial services sector, such as the new financial advisors regime (the commencement is now delayed to April 2021).

There is a general acknowledgement that New Zealand is merely in the first phase of the crisis, so further legislation and regulation is expected to be passed in this area on an as-needed basis.

www.lexology.com/gtdt 169 © Law Business Research 2020 Singapore

Grace Chong, Jason Valoti, Calvin Tan, Benedict Tan, Marcus Teo, Ng Aik Kai, Sun Zixiang, Low Si Rong and Seah Ern Xu Simmons & Simmons JWS

FINTECH LANDSCAPE AND INITIATIVES firms to embark on experiments more quickly without needing to go through the existing bespoke sandbox application and approval process, General innovation climate if the intended activities entail risks that are generally low or could be 1 What is the general state of fintech innovation in your reasonably contained within the specific predefined sandbox with its jurisdiction? predetermined boundaries, expectations and regulatory reliefs. MAS has encouraged engagement with the industry and has been Singapore provides a conducive fintech ecosystem with supporting open to discuss the support it can provide in forms such as financial regulations, customer demand, strong investments and the potential support, training and mentorship. In 2016, MAS opened a fintech inno- for high returns. The government considers a vibrant fintech sub-sector vation lab, Looking Glass@MAS, to provide a platform for the fintech key to Singapore’s vision for a Smart Financial Center – a subset of the community to connect, collaborate, and co-create with one another, and Smart Nation initiative. MAS also regularly publishes sets of data as application programming According to a study by Accenture, fintech investments in Singapore interfaces (APIs) on its website to encourage and facilitate development more than doubled to hit US$861 million in 2019 from US$365 million of innovative solutions. in 2018, placing it among the top five fintech markets by funds raised MAS has also launched the Financial Sector Technology and in the Asia-Pacific in 2019. About 40 per cent of the total funds raised in Innovation scheme to support innovation initiatives in the finance Singapore in 2019 went to payments start-ups, while insurtechs took 25 industry. Under the scheme, MAS set aside S$225 million over five years per cent and those in lending took 13 per cent. for the development of fintech, to attract financial institutions to estab- Based on the Innovation page of the Monetary Authority of lish their research and development and innovation hubs in Singapore, Singapore (MAS), there are currently more than 1,100 fintech start-ups to support the construction of industry-wide technological infrastruc- operating in Singapore, and there are more than 50 innovation labs in ture to deliver innovative integrated services and to catalyse financial Singapore. The Singapore FinTech Association, the industry association, institutions to develop creative solutions promoting growth, efficiency has enabled the development of the ecosystem by facilitating collabora- and competitiveness. tion between market participants and stakeholders. FINANCIAL REGULATION Government and regulatory support 2 Do government bodies or regulators provide any support Regulatory bodies specific to financial innovation? If so, what are the key 3 Which bodies regulate the provision of fintech products and benefits of such support? services?

MAS is a member of the Global Financial Innovation Network (GFIN), Generally, the provision of fintech products and services is predominantly which was formally launched in January 2019 by an international group regulated by the Monetary Authority of Singapore (MAS), Singapore’s of financial regulators and related organisations. The GFIN is committed central bank and financial regulatory authority. Particular aspects to supporting financial innovation in the interests of consumers and relating to competition and data privacy issues may be specifically regu- helping innovative firms navigate between countries as they look to lated by the Competition and Consumer Commission of Singapore and scale new ideas. A cross-border testing pilot programme was launched the Personal Data Protection Commissioner. The Intellectual Property in 2019 to allow firms to simultaneously trial and scale new technologies Office of Singapore has also launched a fintech fast-track initiative to in multiple jurisdictions, gaining real-time insight into how a product or expedite the file-to-grant process for fintech patent applications. service might operate in the market. MAS has launched various initiatives pertaining specifically As of November 2019, MAS had signed 33 fintech cooperation to fintech, such as the FinTech and Innovation Group and FinTech agreements with other countries, including Abu Dhabi, Australia, China, Regulatory Sandbox. MAS has also promulgated regulations relating to Canada, France and the United Kingdom, to foster closer cooperation on aspects of fintech. fintech and to promote innovation in financial services in their respective markets. MAS released a consultation paper on 14 November 2018 to propose the creation of predefined sandboxes, known as Sandbox Express, to complement the existing FinTech Regulatory Sandbox launched in 2016. The proposed predefined sandboxes would enable

170 Fintech 2021 © Law Business Research 2020 Simmons & Simmons JWS Singapore

Regulated activities business carries on a business of providing any type of payment service 4 Which activities trigger a licensing requirement in your in Singapore, it must have a licence that entitles it to do so in respect of jurisdiction? that type of payment service or be an exempt payment service provider with respect to that type of payment service. Each of the following Depending on the nature and scope of services or products offered, services is a payment service for the purposes of the PS Act: licensing requirements under the Securities and Futures Act (Chapter • account issuance; 289) (SFA) or the Financial Advisers Act (Chapter 110) (FAA), or both, • domestic money transfer; may apply. • cross‑border money transfer; The following activities are regulated under the SFA: • merchant acquisition; • dealing in capital markets products; • e-money issuance; • advising on corporate finance; • digital payment token; and • fund management; • money‑changing. • real estate investment trust management; • product financing; In general, licensing requirements may differ depending on the nature • providing credit rating services; and and scope of activities contemplated, and advice should be sought on • providing custodial services. the specific circumstances of any particular case.

The following activities are regulated under the FAA: Consumer lending 1 advising others, either directly or through publications or writ- 5 Is consumer lending regulated in your jurisdiction? ings, and whether in electronic, print or other form, concerning any investment product, other than: Under Singapore law, the offering and provision of consumer lending • in the manner set out in (2); or is not distinguished from primary lending. Lending (consumer lending • advising on corporate finance within the meaning of the SFA; and primary lending) is a regulated activity in the jurisdiction and is 2 advising others by issuing or promulgating research analyses governed by the Moneylenders Act (Chapter 188) of Singapore. or research reports, whether in electronic, print or other form, The Moneylenders Act requires that all loans made available in concerning any investment product; and Singapore are by licensed moneylenders or excluded moneylenders. 3 arranging any contract of insurance in respect of life policies, other Examples of excluded moneylenders are: than a contract of reinsurance. • any person regulated by MAS under any other written law who is permitted or authorised to lend money or is not prohibited from The licensing requirements under the SFA and the FAA have extrater- lending money under that other written law; ritorial effect. Section 339 of the SFA and section 90 of the FAA provide • any person who lends money solely to his or her employees as a that where a person does an act partly in and partly outside Singapore, benefit of employment; which, if done wholly in Singapore, would constitute an offence against • any person who lends money solely to accredited investors within any provision of the SFA or the FAA (as the case may be), that person the meaning of section 4A of the SFA of Singapore; and shall be guilty of that offence as if the act were carried out by that • any person carrying on any business not having as its primary person wholly in Singapore, and may be dealt with as if the offence was object the lending of money in the course of which and for the committed wholly in Singapore. In addition, section 339 of the SFA also purposes whereof he or she lends money. provides that where a person does an act outside Singapore that has a substantial and reasonably foreseeable effect in Singapore and that Secondary market loan trading act would, if carried out in Singapore, constitute an offence under the 6 Are there restrictions on trading loans in the secondary relevant provisions of the SFA, that person shall be guilty of that offence market in your jurisdiction? as if the act were carried out by that person in Singapore, and may be dealt with as if the offence were committed in Singapore. The acquisition of a (funded) loan receivable and the holding of that The activity most relevant to fintech businesses is likely to be loan receivable does not constitute moneylending unless, following the ‘dealing in capital markets products’ under the SFA. ‘Dealing in capital acquisition, additional loans are extended. markets products’ means (whether as principal or agent) making or Secondary market loan intermediation is not a regulated activity, offering to make with any person, or inducing or attempting to induce provided that it does not involve any lending or deposit taking and any person to enter into or to offer to enter into any agreement for or provided that loans are not in the form of securities. with a view to acquiring, disposing of, entering into, effecting, arranging, subscribing for, or underwriting any capital markets products. ‘Capital Collective investment schemes markets products’ means any securities, units in a collective investment 7 Describe the regulatory regime for collective investment scheme, derivatives contracts, spot foreign exchange contracts for the schemes and whether fintech companies providing purposes of leveraged foreign exchange trading, and such other prod- alternative finance products or services would fall within its ucts as MAS may prescribe as capital markets products. scope. In addition to the above licensing requirements, where a fintech business undertakes banking business, such as receiving money on current Broadly, ‘collective investment schemes’ are arrangements in respect of or deposit accounts, this business is required to be licensed as a bank any property that exhibit the following features: by MAS pursuant to the Banking Act (Chapter 19). Similarly, if the fintech • the participants do not have day-to-day control over the manage- business undertakes the business of moneylending or promotes doing ment of the property (Control Limb); so, it will require a licence pursuant to the Moneylenders Act (Chapter • the property is managed as a whole by or on behalf of a manager 188), unless it is an excluded moneylender or an exempt moneylender. (Management Limb) or the contributions of the participants, or Since 29 January 2020, the Payment Services Act (No. 2 of 2019) both, and the profits or income out of which payments are to be (the PS Act) has come into force. Under the PS Act, where a fintech made to the participants are pooled (Pooling Limb); and www.lexology.com/gtdt 171 © Law Business Research 2020 Singapore Simmons & Simmons JWS

• the purpose or effect (or purported purpose or effect) of the Generally, securities-based fundraising from the public through arrangement is to enable participants to participate in or receive equity-based crowdfunding is regulated by MAS under the SFA and the profits, income, or other payments or returns arising from the FAA. Therefore, such activity might constitute a regulated activity that acquisition, holding, management, disposal, exercise, redemption requires a licence, but much will depend on the precise model. or expiry of, any right, interest, title, or benefit in the property or Such a licensed crowdfunding operator must comply with the any part of the property or to receive sums paid out of such profits, controls and disclosures required of it under the MAS Circular No. CMI income, or other payments or returns (Purpose Limb). 27/2018 (issued 23 August 2018) (the Securities-Based Crowdfunding Circular). Under the Securities-Based Crowdfunding Circular, an Previously, it was a requirement that both the Management Limb and operator must: the Pooling Limb be satisfied. However, following certain amendments • disclose to investors the scope of due diligence that it has to the laws in October 2018, arrangements can now qualify as a ‘collec- performed on issuers; tive investment scheme’ if they fulfil either the Management Limb or the • institute policies and procedures to handle issuer defaults (particu- Pooling Limb, or both, in addition to the Control Limb and Purpose Limb. larly lending-based operators); Generally, unless an exemption applies, it is an offence to make an • put in place a proper business cessation plan; and offer of units in a collective investment scheme to the Singapore public • if offering auto-allocation tools, have a proper governance and unless the scheme is authorised or recognised by MAS and the offer is management framework over the design, monitoring, testing and made in or accompanied by an SFA-compliant prospectus. operation of the tools. It is possible that certain fintech activity could involve a collective investment scheme where the business concerned is managing assets As for lending-based crowdfunding in particular, it is specifically regu- on behalf of participants who have invested through a fintech platform. lated by the MAS’s FAQ on Lending-Based Crowdfunding (issued 8 Careful analysis of the specific circumstances and the way in which the October 2018). While the FAQs do not introduce new rules, the FAQs platform permits investors to participate will be required to determine do clarify the applicability of the SFA or the FAA to lending-based whether it constitutes a collective investment scheme. crowdfunding. If applicable, the SFA would require a lending-based crowdfunder Alternative investment funds to register a prospectus with MAS, unless exempted. It would only be 8 Are managers of alternative investment funds regulated? exempted if the crowdfunding offer is: • a personal offer (made only to pre-identified entities) below S$5 Managing the property of or operating a collective investment scheme million per 12-month period; or undertaking on behalf of a customer (whether on a discretionary • a private placement to 50 or fewer investors within a 12-month authority granted by the customer or otherwise) is regulated as ‘fund period; or management’ under the SFA if it involves: • an offer made only to institutional or accredited investors. • the management of a portfolio of capital markets products; or • the entry into spot foreign exchange contracts for the purpose The SFA would also require the operator to obtain a capital markets of managing the customer’s funds, but not including real estate services licence. Separately, if the operator provides financial advice to investment trust management. interested investors, the operator would also need to comply with the requirements of the FAA. Accordingly, unless an exemption applies, managers of alternative The FAQs also clarify that crowdfunding with promissory notes are investment funds generally require a licence to conduct business not exempted from the requirements under the SFA. Some of the peer- involving these activities. to-peer lending companies in Singapore engage with MAS-regulated trustees to hold escrow funds. Peer-to-peer and marketplace lending 9 Describe any specific regulation of peer-to-peer or Invoice trading marketplace lending in your jurisdiction. 11 Describe any specific regulation of invoice trading in your jurisdiction. There are no specific regulations applicable to peer-to-peer or marketplace lending in Singapore. Fundraising from the public through To the extent that an invoice is purchased, without risk of being rechar- lending-based crowdfunding, or peer-to-peer lending, is regulated by acterised as a loan for the purposes of the Moneylenders Act, with true MAS under the SFA and the FAA. Therefore, such activity might consti- sale there is no specific regulation on the buying and selling of invoices. tute a regulated activity that requires a licence, but much will depend This is common in factoring and invoice discounting arrangements. on the precise model. However, if invoices are opened to the public and crowdfunded, the Furthermore, in Singapore, any invitation to lend money to an operator of the trading platform will need to follow certain regulations, entity is deemed to be an offer of debentures, which is a type of security. including the SFA, FAA, the Securities-Based Crowdfunding Circular and The entity offering the debentures is required to prepare and register the MAS’s FAQ on Lending-Based Crowdfunding. The extent to which an SFA-compliant prospectus with MAS unless an exemption applies. each of these regulations apply will depend on the precise nature of the crowdfunding scheme and the manner in which it is carried out. Crowdfunding 10 Describe any specific regulation of crowdfunding in your Payment services jurisdiction. 12 Are payment services regulated in your jurisdiction?

There are specific regulations applicable to crowdfunding in Singapore. Payment services include a wide range of activities, such as taking cash These regulations apply to securities-based crowdfunding operators deposits, making cash withdrawals, executing payment transactions, and lending-based crowdfunding. issuing or acquiring payment instruments, issuing and administering means of payment, money remittance, making payments sent through

172 Fintech 2021 © Law Business Research 2020 Simmons & Simmons JWS Singapore the intermediary of a telecoms, IT system or network operator, or even MAS has also implemented the Financial Industry API Register, providing stored value facilities. which is updated semi-annually and designed to serve as the initial Since 29 January 2020, certain payment services are now regu- landing site for Open APIs in the Singaporean finance industry. These lated in Singapore under, inter alia, the PS Act. These regulated payment APIs fall under the following functional categories: service activities are: • product APIs that provide information on financial product details, • account issuance; rates and branch or ATM locations; • domestic money transfer; • sales and marketing APIs for product sign-ups, sales or cross- • cross‑border money transfer; sales and leads generation; • merchant acquisition; • servicing APIs for managing customer profiles or account details • e-money issuance; and customer queries or feedback; • digital payment token; and • transaction APIs that support customer instructions for payments, • money‑changing funds transfers, settlements, clearing, trade confirmations and trading; To carry on the business of providing any of the above-mentioned • other APIs for common services, such as authentication, authorisa- payment services, the entity will require one of three types of licence: tion, reporting, market data and compliance; and money-changing, standard payment institution or major payment • regulatory APIs that enable extraction of data sets related to the institution. financial industry as a whole. Different regulatory conditions apply to each type of licence, with the extent of regulatory conditions increasing from standard payment On 14 May 2020, the Personal Data Protection Commission and the institutions to major payment institutions. For instance, major payment Ministry of Communications and Information launched a public consul- institutions must safeguard customer money with an undertaking by tation paper where it proposed to introduce a new Data Portability a bank or prescribed financial institution, a guarantee by a bank or Obligation to give individuals greater choice and control over their prescribed financial institution or segregate customer money in a trust personal data, prevent consumer lock-in and enable switching to new account maintained by a bank or prescribed financial institution. On the services. Data portability allows individuals to request an organisation other hand, standard payment institutions are not subjected to these to transmit a copy of their personal data to another organisation. safeguarding measures, although they must alert customers so they can make informed decisions. Robo-advice Correspondingly, each type of licence authorises the licensee to 14 Describe any specific regulation of robo-advisers or other conduct different types and different quantums of each type of payment companies that provide retail customers with automated service. For example, licensees holding a money-changing licence may access to investment products in your jurisdiction. only conduct money-changing services. By contrast, standard payment institutions may conduct any type of payment service, so long as the Robo-advisoes and other companies that provide retail customers monthly transactions for any activity type do not exceed S$3 million, with automated access to investment products in Singapore are regu- the monthly transactions for two or more activity types do not exceed lated under the SFA or the FAA, or both, and must adhere to the MAS’s S$6 million and, where relevant, the total amount of daily outstanding Guidelines on Provision of Digital Advisory Services (CMG-G02) (the e-money does not exceed S$5 million. By extension, major payment Advisory Guidelines), including the requirement to be appropriately institutions may conduct any type of payment services, and the quantum licensed unless they qualify for relevant exemptions. limits applicable to standard payment institutions do not apply. However, as MAS is keen not to stifle digital innovation, the The PS Act includes provisions to mitigate the risks of loss of Advisory Guidelines provide for a lower bar for licensing in certain customer monies, money laundering and terrorism financing risks, frag- circumstances. For example, digital advisers that seek to offer fund mentation and lack of interoperability across payment solutions, and management services to retail investors will be eligible for licensing technology risks including cyber risks. MAS has also proposed tech- even if they do not meet the SFA corporate track record requirements, nology risk management requirements, including cybersecurity risk provided they meet other specified safeguards. management guidelines. Under the Advisory Guidelines, digital advisers will be exempted from the FAA requirement to collect the full suite of information on Open banking the financial circumstances of a client, such as income and financial 13 Are there any laws or regulations introduced to promote commitments. This is on the condition that they put in place measures to competition that require financial institutions to make mitigate the risks of providing unsuitable investment recommendations customer or product data available to third parties? owing to limited client information. While MAS is making it easier for digital advisers to set up in MAS has published a comprehensive application programming interface Singapore, the business model carries unique risks, such as faulty (API) playbook in its bid to encourage more banks to participate in open algorithms and cyber threats. To mitigate these risks, the Advisory banking. This document outlines and standards framework for: Guidelines set out MAS’s expectations for digital advisers to establish • API governance; robust frameworks to govern and supervise their algorithms, as well as • API lifecycle governance; to manage technology and cyber risks. • governance of API risk; and • regulatory considerations for partner API operating models. Insurance products 15 Do fintech companies that sell or market insurance products The result of MAS’s push towards open banking can be clearly seen in your jurisdiction need to be regulated? with businesses such as Citibank, DBS, OCBC, Standard Chartered and payments service provider NETS running their own Open API portals The marketing and sale of insurance products are regulated under the comprising over 272 API sets. Insurance Act (Chapter 142) of Singapore and the FAA.

www.lexology.com/gtdt 173 © Law Business Research 2020 Singapore Simmons & Simmons JWS

Credit references FINANCIAL CRIME 16 Are there any restrictions on providing credit references or credit information services in your jurisdiction? Anti-bribery and anti-money laundering procedures 21 Are fintech companies required by law or regulation to have Credit bureaus are recognised by the MAS under the Banking Act procedures to combat bribery or money laundering? (Chapter 19) of Singapore to collect and disclose credit data to their members. A credit bureau bill was passed in Parliament on 9 November Under the Payment Services Act, digital payment token service providers 2016 but has not yet come into force. Once in force, there will be a frame- that facilitate the exchange of or that deal in digital payment tokens work in place to subject credit bureaus to formal supervision by the MAS (DPT), commonly known as digital currencies or cryptocurrencies, will as credit bureaus collect increasing (and more specifically detailed) have to be licensed. The Monetary Authority of Singapore (MAS) has amounts of data to facilitate more comprehensive credit assessments issued a consultation on an anti-money laundering and combating the by their members. The bill will also allow consumers the right to access, financing of terrorism (AML/CFT) notice for regulating DPT services. review and rectify their credit records. The provision of credit ratings In its consultation paper, MAS reiterated that it considers DPT (opinions primarily regarding the creditworthiness of entities other than transactions to carry higher inherent money laundering and terrorism individuals, governments or securities) is also regulated under the SFA. financing (ML/TF) risks owing to the anonymity, speed and cross-border nature of the transactions, a view that is consistent with the position CROSS-BORDER REGULATION taken by the Financial Action Task Force in its standards for virtual asset services providers. Passporting MAS intends to require that AML/CFT measures also be applied 17 Can regulated activities be passported into your jurisdiction? for providers that facilitate the transfer of DPT or provide custodian wallet services, and asks for suggestions on other types of DPT-related No. services that could also pose ML/TF risks. The AML/CFT requirements will make licensees obliged to take Requirement for a local presence appropriate steps to identify, assess and understand their ML/TF risks, 18 Can fintech companies obtain a licence to provide financial and develop and implement policies, procedures and controls for the services in your jurisdiction without establishing a local effective management of these risks. presence? This includes policies, procedures and controls in relation to customer due diligence, transaction monitoring, screening, suspicious It is unlikely that the Monetary Authority of Singapore would grant a transactions reporting and record-keeping. Enhanced measures should licence to an entity for carrying on business in any regulated activity if be performed where higher ML/TF risks are identified. that entity did not have a local presence. The requirements also include monitoring the implementation of policies, procedures and controls, and enhancing them if necessary. SALES AND MARKETING Guidance Restrictions 22 Is there regulatory or industry anti-financial crime guidance 19 What restrictions apply to the sales and marketing of for fintech companies? financial services and products in your jurisdiction? There is no specific guidance for fintech companies, but there is guid- This will depend on many factors, including but not limited to, the regula- ance for regulated companies and banks that would apply to fintech tory status of the financial institution (eg, whether the financial institution businesses that are regulated similarly. is licensed or exempt and the type of licence held or exemption being Specifically for digital asset exchanges, the Association of relied upon) and the types of services and products being marketed. Cryptocurrency Enterprises and Start-ups Singapore has developed a Depending on the facts, different rules and restrictions may need to be ‘Code of Practice’ under its Standardisation of Practice In Crypto Entities taken into account, including, for example, clientele restrictions. initiative. Advice should be sought on the specific circumstances of any particular case. PEER-TO-PEER AND MARKETPLACE LENDING

CHANGE OF CONTROL Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Notification and consent security agreements? Is there a risk that loan agreements 20 Describe any rules relating to notification or consent or security agreements entered into on a peer-to-peer or requirements if a regulated business changes control. marketplace lending platform will not be enforceable?

Different consent requirements apply to the acquisition of different Loan agreements governed by Singapore law and evidencing appropriate types of regulated businesses. In general, where a person is to become consideration for the loan can be executed in the form of agreements by a holder of a specified percentage of a regulated entity or will control a signatories of the respective parties having due authority. specified percentage of voting rights of that entity, prior consent must Moneylending in Singapore is a regulated activity under the be obtained from the relevant regulatory authority. Moneylenders Act of Singapore and, accordingly, any person or entity In all cases, advice should be sought as to the applicable require- lending money to a person or entity in Singapore must either be licensed ments and the process for obtaining consent. in Singapore, exempted or excluded. Any lending to individuals resident in Singapore would customarily require a licence. The execution requirements for a Singapore law security agreement will depend on the form of security agreement. However, most

174 Fintech 2021 © Law Business Research 2020 Simmons & Simmons JWS Singapore

Singapore law security agreements will be executed in the form of a enforcement action being taken and held, by the purchaser, pending deed to ensure that no challenge can be made on the grounds of consid- any enforcement event occurring, at which time the notice of assign- eration or owing to the form of property being secured. The execution ment could be delivered to the borrower, giving rise to a legal security requirements for deeds allow for three options: assignment. • signing by a director of the company and a secretary of the company; Any assignment, by way of security or otherwise, will be subject • signing by at least two directors of the company; or to the general provisions of the loan agreement, including, without • signing by a director of the company in the presence of a witness limitation, confidentiality restrictions, restrictions on the granting of who attests the signature. security or transfers to third parties. As such, loan agreements for P2P or marketplace lending platforms that contemplate ease of assignment The enforceability of peer-to-peer (P2P) loan agreements and security or transfer must be drafted to ensure that any such restrictions are kept agreements will depend on the precise model being applied. However, as to a minimum or excluded to the extent possible and subject to regula- a general observation, provided that any P2P model complies with any tory constraints applicable to lending to specific classes of borrowers. regulatory requirements as outlined above in Singapore (and in any other relevant jurisdiction), there should be no specific issues regarding the Securitisation risk retention requirements enforceability of the loan agreement or security agreement in Singapore. 25 Are securitisation transactions subject to risk retention requirements? Assignment of loans 24 What steps are required to perfect an assignment of The Monetary Authority of Singapore Notice 637 (the MAS Notice) (last loans originated on a peer-to-peer or marketplace lending revised on 31 March 2020) requires a reporting bank (being a bank platform? What are the implications for the purchaser if the incorporated in Singapore) to ensure that the originator of the credit assignment is not perfected? Is it possible to assign these claims or receivables being securitised retains a material net economic loans without informing the borrower? exposure and demonstrates a financial incentive in the performance of these assets following their securitisation. As such, the reporting bank A legal assignment by way of security of the rights of the lender of a is required to ensure that this originator does retain such applicable risk loan under a P2P or marketplace lending platform, under which the in the exposures. purchaser of that loan would be entitled to directly sue the borrower for Pursuant to MAS Notice 637, reporting banks are also subject to repayment of the debt under the loan, requires notice of this assignment maximum retention thresholds in respect of securitisation exposures to by way of security to be given by the assigning lender to the borrower the extent that this reporting bank is looking to apply regulatory capital under the loan agreement. relief in respect of these exposures, as set out in more detail in MAS The ability to transfer rights and obligations in a loan under Notice 637. Singapore law (whether in respect of a P2P or marketplace lending platform or otherwise) will depend on the terms of the loan. Securitisation confidentiality and data protection requirements In the absence of any specific provisions regarding transfer of both 26 Is a special purpose company used to purchase and securitise rights and obligations of a lender’s position in a loan in the loan agree- peer-to-peer or marketplace loans subject to a duty of ment, the borrower’s consent would be required to transfer the lender’s confidentiality or data protection laws regarding information rights and obligations under a loan (although, in the absence of any relating to the borrowers? express provisions to the contrary, an assignment of a lender’s rights only (and not the lender’s obligations) would not require the giving of Possibly. In addition, loan agreements may contain confidentiality provi- notice to, or the receipt of consent from, the borrower although any lack sions that any purchaser, including any special purpose company, is of notice may affect the nature of any assignment by way of security of bound by. These would need to be carefully reviewed or drafted as part these rights). of any securitisation structure. It is quite common, however, for specific transfer provisions to be included in loan agreements to allow a lender to transfer its rights and ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER obligations in their position in a loan to a third party without borrower TECHNOLOGY AND CRYPTO-ASSETS consent. Customarily, criteria will be specified as to what constitutes an eligible transferee. Except in certain structures, it would be necessary Artificial intelligence to notify the borrower of the transfer in order for the transfer to take 27 Are there rules or regulations governing the use of artificial effect even in circumstances where borrower consent was not required. intelligence, including in relation to robo-advice? Any transfer would also need to comply with any related restrictions imposed under the terms of the loan agreement and under The Monetary Authority of Singapore (MAS) has issued a set of principles regulations applicable to particular classes of borrower. to promote fairness, ethics, accountability and transparency (FEAT) in In connection to any assignment of a lender’s rights under a loan the use of AI and data analytics in finance. Known as the FEAT Principles, by way of security, where notice of the assignment by way of security the document provides guidance to firms offering financial products and is not given by the assigning lender to the borrower under the loan services on the responsible use of AI and data analytics, to strengthen agreement, the security assignment would, in ordinary circumstances internal governance around data management and use. (and subject to due execution and other formalities), be characterised as MAS has said that this is intended to foster greater confidence and an equitable assignment. An equitable assignment is still characterised trust in the use of AI and data analytics, as firms increasingly adopt tech- as a security interest. However, any action by the purchaser to enforce nology tools and solutions to support business strategies and in risk rights under the loan agreement needs to be taken by the lender on management. behalf of the purchaser. This may delay the taking of action and have an With regard to robo-advice, MAS has issued the Guidelines on impact on recoveries. Provision of Digital Advisory Services (the Advisory Guidelines) to facili- In the case of an equitable assignment, it may be possible to have tate the provision of robo-advice in Singapore. Digital advisers that seek a notice of security assignment executed by the lender prior to any to offer fund management services to retail investors will be eligible for www.lexology.com/gtdt 175 © Law Business Research 2020 Singapore Simmons & Simmons JWS

licensing even if they do not meet the Securities and Futures Act (SFA) Digital currency exchanges corporate track record requirements, provided they meet other specified 30 Are there rules or regulations governing the operation of safeguards. digital currency exchanges or brokerages? Under the Advisory Guidelines, digital advisers will be exempted from the Financial Advisers Act (FAA) requirement to collect the full suite Yes, digital currency exchanges or brokerages that allow token trading of information on the financial circumstances of a client, such as income constituting capital markets products will need to seek MAS’s approval, and financial commitments. This is on the condition that they put in recognition or exemption under the SFA. place measures to mitigate the risks of providing unsuitable investment Additionally, under the PS Act, digital payment token service recommendations owing to limited client information. providers that facilitate the exchange of or that deal in digital payment While MAS is making it easier for digital advisers to set up in tokens, commonly known as digital currencies or cryptocurrencies, will Singapore, the business model carries unique risks, such as faulty algo- have to be licensed. rithms and cyber threats. To mitigate these risks, the Advisory Guidelines set out MAS’s expectations for digital advisers to establish robust frame- Initial coin offerings works to govern and supervise their algorithms, as well as to manage 31 Are there rules or regulations governing initial coin offerings technology and cyber risks. (ICOs) or token generation events? In May 2020, MAS announced the first phase of its Veritas initiative. Veritas outlines a framework for the responsible adoption of AI and data The regulation in Singapore of tokens offered in initial coin offerings analytics by financial institutions. MAS will commence with the develop- (ICOs) depends on the nature of the tokens offered. Utility tokens that ment of metrics to measure the fairness of deployment of this technology. only provide membership or access to a service or payment tokens that MAS has identified credit risk scoring and customer marketing as the are only used as a means of payment for goods or services (such as first two workstreams in which it would like to introduce the metric. bitcoin) are not at present regulated. Digital payment tokens are regulated under the PS Act. However, if a digital token constitutes a capital Distributed ledger technology markets product (eg, securities, futures contracts and contracts or 28 Are there rules or regulations governing the use of distributed arrangements for purposes of leveraged foreign exchange trading), the ledger technology or blockchains? offer or issue of these digital tokens will be regulated under the SFA and (in certain cases) the FAA. For example, digital tokens may represent There are no specific regulations or guidelines in relation to the use of ownership or a security interest over an issuer’s assets or property. distributed ledger technology (DLT) in Singapore. MAS has been encour- These tokens may, therefore, be considered an offer of shares or units aging the industry to look at DLT in relation to the financial system in in a collective investment scheme (as defined in the SFA). Digital tokens Singapore. For example, in early 2017, MAS announced the successful may also represent a debt owed by an issuer and be considered a conclusion of the proof-of-concept project to conduct domestic interbank debenture under the SFA. payments using DLT, and in late 2017 an industry consortium led by In this regard, MAS has issued ‘A Guide to Digital Token Offerings’ MAS and the Association of Banks in Singapore released source-codes (updated May 2020), which provides general guidance on the applica- of successful DLT prototypes publicly to encourage innovation in inter- tion of the securities laws administered by MAS in relation to offers or bank payments. issues of digital tokens in Singapore. MAS recommends that all issuers of digital tokens, intermediaries facilitating or advising on an offer of Crypto-assets digital tokens and platforms facilitating trading in digital tokens should 29 Are there rules or regulations governing the use of crypto- seek independent legal advice to ensure they comply with all applicable assets, including digital currencies, digital wallets and laws, and consult MAS where appropriate. e-money? On 24 May 2018, MAS warned eight digital token exchanges in Singapore not to facilitate trading in digital tokens that are securities Singapore’s parliament has passed the new Payment Services Act (the or futures contracts without MAS’s authorisation. It also warned an PS Act) to regulate the following activities in relation to digital curren- ICO issuer to discontinue the proposed offering of its digital tokens in cies, digital wallets and e-money: Singapore (the tokens in question would be considered as securities • account issuance; under the SFA and the offer had been made without a MAS-registered • electronic money issuance; and prospectus). While it is unclear how much was raised from inves- • digital payment tokens. tors in Singapore, the ICO issuer has since ceased the offer and is taking remedial actions to comply with the local laws and regulations, The PS Act repeals the Payment Systems (Oversight) Act. A multipur- including returning all funds received from Singapore-based investors. pose stored value facility (ie, one that is or is intended to be used for the Ultimately, MAS’s position in respect of digital token exchanges and payment of goods or services provided by a service provider apart from ICOs is indicated clearly in the following statement: ‘We do not see a the holder of that stored value facility) is now subject to the licensing need to restrict them if they are bona fide businesses. But if any digital requirements under the PS Act. token exchange, issuer or intermediary breaches our securities laws, Singapore does not otherwise have any specific regulatory meas- MAS will take firm action.’ ures in respect of digital currencies or digital wallets, but the existing Under the new PS Act, entities will require licences to provide laws provide for protection against unlawful activities in general, for payment services, including the issuance of electronic money and example, anti-money laundering, fraud and terrorism financing. digital payment tokens. Based on the definition of digital payment token as well as e-money found in the PS Act, many tokens in the market today can be viewed as either e-money or digital payment tokens, and any service provider who issues tokens falling within these categories through an ICO can be deemed as providing a digital payment token service or e-money issuance by the PS Act.

There is an exception applicable for tokens that have a limited financial institutions must put in place to manage cyber threats, which purpose (ie, non-monetary consumer loyalty or reward points, in-game could include: assets or similar digital representations of value that cannot be returned • addressing system security flaws in a timely manner; to the issuer or sold, transferred or exchanged for money). • establishing and implementing robust security for systems; and • deploying security devices to secure system connections. DATA PROTECTION AND CYBERSECURITY OUTSOURCING AND CLOUD COMPUTING Data protection 32 What rules and regulations govern the processing and Outsourcing transfer (domestic and cross-border) of data relating to 34 Are there legal requirements or regulatory guidance with fintech products and services? respect to the outsourcing by a financial services company of a material aspect of its business? There are no legal requirements or regulatory guidance relating to personal data that are specifically aimed at fintech businesses. However, On 5 October 2018, the Monetary Authority of Singapore (MAS) issued fintech companies must have regard to Chapter 6 on Online Activities revised Guidelines on Outsourcing. Various industry guidelines on of the Personal Data Protection Commissioner's (PDPC) Advisory outsourcing have also been issued by the Investment Management Guidelines on the PDPA for Selected Topics. Association of Singapore and the Association of Banks in Singapore. The PDPC has recently announced new initiatives to facilitate The MAS Guidelines on Outsourcing set out risk management the movement and use of data to support innovation, and strengthen practices to be complied with when a regulated entity has entered into accountability among organisations. The first is the PDPC’s response any outsourcing or is planning to outsource its business services to a note to the public consultation on proposed data portability and data service provider (whether this outsourcing is done on an intra-group innovation provisions, as part of the review of the PDPA. The proposed or a third-party basis, or a material or non-material basis). Certain key data portability provision will provide individuals with greater control requirements in the Outsourcing Guidelines include maintaining an over their personal data and enable greater access to more data by Outsourcing Register and ensuring that all outsourcing contracts are organisations to facilitate data flows and increase innovation, while the written agreements containing the minimum prescribed clauses. The proposed data innovation provision makes it clear that organisations can Outsourcing Guidelines also detail the responsibilities of the board use data for appropriate business purposes without individuals’ consent. and senior management in this regard (eg, approving a risk evalua- The second is the PDPC’s introduction of new guides, such as: the tion framework, setting a suitable risk appetite statement, laying down Guide on Active Enforcement, as part of its drive for organisations to appropriate approval authorities, assessing management competencies shift from compliance to accountability; an updated Guide to Managing to develop sound and responsive outsourcing risk management poli- Data Breaches 2.0, to help organisations manage and respond to data cies and procedures that are commensurate with the nature, scope and breaches more effectively; and a new Guide to Notification, which illus- complexity of the outsourcing arrangements). trates good notification practices for organisations to comply with their Moving forward, in a consultation paper issued 7 February 2019, Notification Obligations under the PDPA . MAS has proposed to issue Outsourcing Notices that set out requirements for banks and merchant banks in relation to material outsourcing Cybersecurity arrangements. These changes include: 33 What cybersecurity regulations or standards apply to fintech • introducing a new section in the Banking Act (Chapter 19) businesses? to empower MAS to impose requirements relating to banks’ outsourcing arrangements; and While there is a new cybersecurity law, the Cybersecurity Act 2018, that • introducing identical powers to impose requirements relating to came into force in August 2018, it is unlikely to directly affect unregu- merchant banks’ outsourcing arrangements. lated fintech start-ups as it is intended to regulate systems involved in the provision of essential services within Singapore. The Cybersecurity As for the proposed new Outsourcing Notices, they will impose Act provides an overarching legislative framework for the regulation of requirements on banks and merchant banks relating to their material owners of critical information infrastructure and cybersecurity service outsourcing arrangements in the areas of: providers. • management of these arrangements; With regard to regulated fintech companies, the Monetary Authority • assessment of service providers; of Singapore (MAS) issued a consultation in March 2019 seeking feed- • accessing information by MAS and the bank or merchant bank; back to expand the Technology Risk Management Guidelines to include • protection of customer information; guidance for the following: • audit; and • technology risk governance and oversight; • termination of these arrangements. • best practices for software development; • additional guidance for new technologies (ie, application program- MAS published its response to the consultation paper on 5 November ming interfaces, smart electronic devices and virtualisation); and 2019 and intends to seek feedback on the draft Outsourcing Notices in • effective cyber surveillance, secure software development, adver- due course. sarial attack simulation and management of cyber risks posed by the internet of things. Cloud computing 35 Are there legal requirements or regulatory guidance with In September 2018, MAS also sought to strengthen the rules on cyber respect to the use of cloud computing in the financial services security through its Notice on Cyber Hygiene in view of the deep- industry? ening cyber threat landscape and to further strengthen the overall cyber resilience of financial institutions. It intends to eventually Yes, financial institutions regulated by MAS should have regard mainly prescribe a set of legally binding essential cyber security practices that to the MAS Guidelines on Outsourcing. MAS considers cloud services www.lexology.com/gtdt 177 © Law Business Research 2020 Singapore Simmons & Simmons JWS

operated by service providers to be a form of outsourcing. In this Joint ownership respect, MAS also considers that the types of risks in cloud services 38 Are there any restrictions on a joint owner of intellectual that confront institutions are not necessarily distinct from that of other property’s right to use, license, charge or assign its right in forms of outsourcing arrangements. Accordingly, institutions should intellectual property? still perform the necessary due diligence and apply sound governance and risk management practices required by the Outsourcing Guidelines Yes, unless amended by agreement, joint owners of a copyright hold their when subscribing to cloud services. shares as tenants in common. Any use, licence, charge or assignment of Nevertheless, to the extent that cloud services have certain typical the copyright must, therefore, be done by the joint owners as a whole characteristics, such as multi-tenancy, data commingling and the higher or by one of the joint owners with the consent of the other joint owners. propensity for processing to be carried out in multiple locations, insti- However, this position is different for patents notwithstanding tutions should take measures to address those risks, bearing in mind that these co-owners hold the ownership of the patent as tenants-in- the materiality of those risks specific to each institution. In this regard, common. Except where the statutory provisions have been amended by the institution would have to deal with risks associated with data, to agreement between the joint owners, the Patents Act provides that a ensure the service provider can identify and segregate customer data, co-owner is entitled to do any otherwise infringing act for his or her own and robust access controls to protect customer information. benefit, by him or herself or by his or her agents, without requiring the consent of (or the need to account to) any of the other co-owners. INTELLECTUAL PROPERTY RIGHTS Nevertheless, a co-owner may not, without the consent of the other co-owners, grant a licence under the patent or assign or charge a share IP protection for software in the patent. 36 Which intellectual property rights are available to protect software, and how do you obtain those rights? Trade secrets 39 How are trade secrets protected? Are trade secrets kept Computer programs (and preparatory design materials for computer confidential during court proceedings? programs) are protected by copyright as literary works under the Copyright Act (Chapter 63). Copyright arises automatically as soon Confidential information can be protected against misuse, provided as the computer program is recorded. Registration of copyright is not the information in question has the necessary quality of confidence, is required and is not possible in Singapore. subject to an express or implied duty of confidence, or no registration is If the software code has been kept confidential it may also be necessary (or possible). Confidential information can be kept confiden- protected as confidential information. No registration is required. tial during civil proceedings with the permission of the court. Patents for software (source code) are not currently applicable for patent registration and protection. The Intellectual Property Office Branding of Singapore (IPOS) has issued the Examination Guidelines for Patent 40 What intellectual property rights are available to protect Applications at IPOS, which takes the view that ‘claims to software that branding and how do you obtain those rights? How can are characterised only by source code, and not by any technical features, fintech businesses ensure they do not infringe existing is unlikely to be considered an invention on the basis that the actual brands? contribution would be a mere presentation of information’. Brands can be protected as registered trademarks in Singapore. A IP developed by employees and contractors brand can also be protected under the common law tort of passing-off if 37 Who owns new intellectual property developed by an it has acquired sufficient goodwill. employee during the course of employment? Do the same Certain branding, such as logos and stylised marks, can also be rules apply to new intellectual property developed by protected by design rights and may also be protected by copyright as contractors or consultants? artistic works. The IPOS trademark database can be searched to identify poten- Copyright created by an employee in the course of his or her employ- tially problematic trademarks that have been registered or applied for. ment is automatically owned by the employer unless otherwise agreed. It is highly advisable for new businesses to conduct trademark An invention made by an employee belongs to the employer if it was searches to check whether earlier registrations exist that are identical made in the course of the normal duties of the employee or in the course or similar to their proposed brand names. It may also be advisable to of duties falling outside his or her normal duties, but specifically assigned conduct internet searches for any unregistered trademark rights that to him or her, and the circumstances in either case were such that an may prevent the use of the proposed mark. invention might reasonably be expected to result from the carrying out of his or her duties; or if the invention was made in the course of the duties Remedies for infringement of IP of the employee and, at the time of making the invention, because of 41 What remedies are available to individuals or companies the nature of his or her duties and the particular responsibilities arising whose intellectual property rights have been infringed? from the nature of his or her duties, he or she had a special obligation to further the interests of the employer’s undertaking. Remedies include: Except in certain narrow circumstances, copyright or inventions • preliminary and final injunctions; created by contractors or consultants in the course of their duties • damages or an account of profits; are owned by the contractor or consultant unless otherwise agreed • delivery up or destruction of infringing products; in writing. • disclosure orders; and • costs.

COMPETITION Increased tax burden 44 Are there any new or proposed tax laws or guidance that Sector-specific issues could significantly increase tax or administrative costs for 42 Are there any specific competition issues that exist with fintech companies in your jurisdiction? respect to fintech companies in your jurisdiction? Yes; the Goods and Services Tax Act was amended in 2020 to require There is a competition regime in Singapore that applies to all entities overseas digital service providers with a yearly global turnover of carrying out business in Singapore unless otherwise exempted. There more than S$1 million, which sell more than S$100,000 worth of digital are no particular aspects of this regime that would affect fintech busi- services to customers in Singapore in a 12-month period, to register for nesses disproportionately to other businesses. and charge goods and services tax (GST). With effect from 1 January 2020, the Inland Revenue Authority of TAX Singapore has required these digital services providers, who are registered under this Overseas Vendor Registration regime, to charge GST on Incentives their sale of digital services to Singapore consumers. 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the IMMIGRATION fintech sector in your jurisdiction? Sector-specific schemes At present, there are no tax incentives specifically targeted at fintech 45 What immigration schemes are available for fintech companies. However, new start-up companies in general can benefit businesses to recruit skilled staff from abroad? Are there from a tax exemption scheme. All companies are eligible for the exemp- any special regimes specific to the technology or financial tion except companies whose principal activity is investment holding sectors? and companies that undertake property development for sale, investment or both. To qualify for the exemption, an eligible company must: There are no sector-specific immigration schemes available for busi- • be incorporated in Singapore; nesses in Singapore to recruit skilled foreign employees. The rules on • be tax-resident in Singapore for the relevant tax year of assess- hiring staff from abroad apply to all companies operating in Singapore; ment; and prior to applying for an Employment Pass, companies will need to • have its share capital held by no more than 20 persons (all of advertise the vacancy on the National Jobs Bank for at least 14 days whom must be individuals) throughout the period of that tax year unless a specific exemption applies. of assessment, where at least one shareholder is an individual holding at least 10 per cent of the shares in the company, typically UPDATE AND TRENDS a founder. Current developments The exemption applies for the company’s first three consecutive tax 46 Are there any other current developments or emerging years of assessment. With effect from tax year of assessment 2020, trends to note? companies will benefit from a reduced 75 per cent exemption from tax on the first S$100,000 of normal chargeable income and then a 50 per On 28 June 2019, the Monetary Authority of Singapore (MAS) announced cent exemption on the next S$100,000 of normal chargeable income. that it will issue up to five new digital banking licences, welcoming appli- Under the Angel Investors Tax Deduction Scheme, investors who cations from both traditional banking groups and non-bank players. The are able to commit a minimum of S$100,000 of investment to a qualifying move has been recognised as marking the next chapter in Singapore’s start-up can, subject to approval and satisfaction of certain conditions, banking liberalisation journey. benefit from a tax deduction of 50 per cent of the amount of their invest- On 7 January 2020, the MAS announced that it received 21 appli- ment at the end of a two-year holding period. This scheme lapsed after cations for digital bank licences. The majority of the applicants are 31 March 2020, and investors can no longer obtain new approvals or consortiums, with entities seeking to combine their individual strengths renewal of the ‘angel investor’ status for any period commencing after to enhance the digital bank’s value proposition. 31 March 2020. However, angel investors will continue to enjoy tax As at the time of writing, MAS has extended the assessment period deduction in respect of qualifying investments made during the period for the award of digital bank licences, and successful applicants will of the approved status, subject to existing conditions of the scheme. be informed in the seond half of 2020 instead of June 2020 as it was For institutional investors, section 13H of the Income Tax Act originally intended. (S13H) allows approved venture capital and private equity funds to benefit from zero-rated tax relief for up to 10 years in respect of gains Coronavirus from the divestment of approved portfolio holdings, dividend income 47 What emergency legislation, relief programmes and other from approved foreign portfolio holdings and interest income arising initiatives specific to your practice area has your state from approved foreign convertible loan stock. In addition, the Fund implemented to address the pandemic? Have any existing Management Incentive (FMI) gives an approved fund management government programmes, laws or regulations been amended company tax relief at a concessionary rate of 5 per cent for a period of to address these concerns? What best practices are advisable up to 10 years in respect of both management fees and performance for clients? bonus received from an approved venture capital fund. Tto benefit from both S13H and FMI, the venture capital or private equity funds and On 31 March 2020, MAS, together with the Association of Banks in fund management companies must, at a minimum, be incorporated and Singapore, the Life Insurance Association, the General Insurance based in Singapore and otherwise approved or licensed by the Monetary Association, and the Finance Houses Association of Singapore, Authority of Singapore to conduct their activities. announced a package of measures to help ease the financial strain on

small and medium-sized enterprises (SMEs) caused by the covid-19 pandemic. A second package was also announced on 30 April 2020. The package will support SMEs with access to bank credit and insurance cover. First, MAS announced that SMEs may opt to defer principal payments on their secured term loans up to 31 December 2020, subject to banks’ and finance companies’ assessment of the quality of the SMEs’ security. SMEs will also be able to extend the tenure of their loans by up to the corresponding principal deferment period if they wish. Grace Chong [email protected] Second, MAS also announced that banks and finance companies may apply for low-cost funding through a new MAS Singapore Dollar Jason Valoti Facility for loans granted under Enterprise Singapore’s SME Working [email protected] Capital Loan scheme and Temporary Bridging Loan Programme. Calvin Tan Third, MAS announced that corporates, including SMEs, holding [email protected] general insurance policies that protect their business and property risks Benedict Tan may apply to their insurer for instalment payment plans. [email protected] Additionally, on 8 April 2020, MAS rolled out a S$125 million covid-19 support package to bolster the financial and fintech sectors Marcus Teo and buttress their recovery and future growth. The package features [email protected] three broad pillars: Ng Aik Kai • support for worker costs (in the form of a Training Allowance [email protected] Grant, jobs support scheme and salary subsidy for polytechnic Sun Zixiang graduate hires); [email protected] • support for operational costs (including a Digital Acceleration Grant designed specifically for fintech companies, a 90 per cent Low Si Rong course fee subsidy and discounts on rental costs); and Seah Ern Xu • support for access to business opportunities (six months free access to the API Exchange (APIX), a digital self-assessment tool 168 Robinson Road, #11-01 and a Digital Acceleration Grant for financial institutions). Capital Tower Singapore 068912 Finally, on 13 May 2020, the MAS announced the launch of a S$6 million Singapore MAS-Singapore FinTech Association-AMTD Fintech Solidarity Grant Tel: +65 6831 5600 to support Singapore-based fintech firms amid the challenging busi- Fax: +65 6831 5688 ness climate. The Grant comprises two components. First, as part of www.simmons-simmons.com the S$1.5 million Business Sustenance Grant, eligible Singapore-based fintech firms can receive a one-time grant for up to S$20,000 to cover day-to-day working capital expenditures, such as salaries and rental costs. The short-term assistance will help fintech firms sustain their operations and retain their employees. Second, as part of the S$4.5 million Business Growth Grant (BGG), eligible Singapore-based fintech firms can receive up to S$40,000 for their first Proof of Concept (POC) with financial institutions on the APIX platform and S$10,000 for each subsequent POC, subject to a total cap of $80,000 per firm for the entire duration of the grant. The BGG will also provide funding for the salaries of undergraduate interns, capped at S$1,000 per month per intern. This situation is subject to change. The latest information on the MAS response to covid-19 can be accessed at: www.mas.gov.sg/ regulation/covid-19.

David Geral, Kirsten Kern, Livia Dyer, Claire Franklyn, Xolani Nyali and Bright Tibane Bowmans

FINTECH LANDSCAPE AND INITIATIVES industry. The IFWG Innovation Hub was launched in April 2020. At this stage, it is too early to assess and comment on its efficacy. General innovation climate In January 2019, the CARWG published a consultation paper 1 What is the general state of fintech innovation in your containing policy proposals for the development of regulatory jurisdiction? responses, proposing its intended regulatory approach in respect of priority areas and heralding an initial focus on anti-money laundering, South Africa has a vibrant fintech environment, including: token-based transacting, capital raising, cryptographic derivative prod- • fintech start-ups as well as product development teams at tradi- ucts and market provisioning. tional, established financial institutions, primarily in remittances, In January 2020, the IFWG published its first fintech landscaping microfinance, personal and commercial insurance, investment, report (‘Fintech Scoping in South Africa'), the object of which was to mobile payments, peer-to-peer lending offerings and virtual token obtain a ‘clearer understanding of the Fintech market to enable policy- exchanges; makers and regulators to better manage risk and enable innovation’. • funders servicing the spectrum from venture capital through to In April 2020, the IFWG issued a policy position paper on crypto- more traditional equity and debt funding arrangements; assets that aimed to provide recommendations for the development of a • a range of incubation and acceleration facilities, some independent regulatory framework for crypto-assets. (including commercial and academic providers) and some hosted by established financial institutions; and FINANCIAL REGULATION • relatively transparent efforts at developing a coherent regulatory framework involving most of the relevant regulatory authorities. Regulatory bodies 3 Which bodies regulate the provision of fintech products and Government and regulatory support services? 2 Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key There are currently no fintech product and services-specific laws or benefits of such support? regulatory bodies. However, certain fintech products and services may fall within the In 2016, the Intergovernmental FinTech Working Group (IFWG) was scope and ambit of general financial services regulatory frameworks established (comprising members from the South African Reserve and, thus, will be subject to the supervision of regulatory bodies charged Bank, the National Treasury, the Financial Sector Conduct Authority, the with the monitoring of those frameworks. As such, the Financial Sector Financial Intelligence Centre and the South African Revenue Service) Conduct Authority (FSCA), the Prudential Authority (PA), the National with the purpose of developing a common understanding among Credit Regulator (NCR), the South African Reserve Bank (SARB) and regulators and policymakers of financial technology developments the Financial Intelligence Centre may each have regulatory over- as well as policy and regulatory implications for the financial sector sight in respect of various aspects of the offering of fintech products and economy. and services. In early 2018, a joint working group was formed under the auspices of the IFWG to specifically review the position on cryptocurrencies. Regulated activities The working group is called the Crypto Assets Regulatory Working 4 Which activities trigger a licensing requirement in your Group (CARWG). jurisdiction? The IFWG Innovation Hub comprises a regulatory guidance unit, a regulatory sandbox unit and an innovation accelerator. The regula- Financial services tory guidance unit helps market innovators resolve specific questions The Financial Advisory and Intermediary Services Act 2002 (FAIS) regarding the policy landscape and regulatory requirements and requires any person who seeks to market or provide financial services provides a central point of entry for market innovators to submit to clients or investors, whether from within South Africa or on a cross- enquiries related to fintech and innovation-oriented policies and regu- border basis from offshore, as a regular feature of its business, to be lations. The regulatory sandbox unit provides market innovators with appropriately authorised under FAIS (as a financial services provider or, an opportunity to test new products and services that challenge the under certain circumstances, as a representative). The term ‘financial formulation or application of existing regulation under the supervision services’, for the purposes of FAIS, comprises ‘advice’ and ‘intermediary of relevant regulators. The innovation accelerator exists to provide a services’ in relation to ‘financial products’. In turn, the term ‘financial collaborative, exploratory environment for financial sector regulators products’ is broadly defined to include, among other things, shares, to learn from and work with each other on emerging innovations in the derivatives, money market instruments, bonds, participatory interests www.lexology.com/gtdt 181 © Law Business Research 2020 South Africa Bowmans

in collective investment schemes, certain investment instruments, includes in its definition of a credit provider a person who acquires the deposits as well as ‘any other product similar’. Therefore, depending on rights of a credit provider under an NCA-regulated credit agreement its specific characteristics and function, it is possible for a virtual token after that agreement has been entered into. Secondary market loan to meet one or more of the criteria for a financial product, accordingly trading will be subject to the NCA under circumstances where the orig- triggering the relevant regulation and supervision. inal loan being traded was subject to the NCA (in other words, where an FAIS falls under the purview of the FSCA. Services that are currently exemption from the NCA applied to the original loan, secondary market subject to licensing by the FSCA under FAIS (as intermediary services) trading in respect of that loan will also be exempt from the NCA). The include (but are not limited to) arranging investment deals, making NCA falls under the purview of the NCR. arrangements with a view to investment transactions and dealing in investments as an agent. Acting as an agent or intermediary in rela- Banking and deposit-taking activities tion to forex investments by local clients or investors is also licensable The Banks Act 1990 (the Banks Act) requires any person seeking to under FAIS. At present, dealing in investments or financial products as conduct ‘the business of a bank’ in South Africa to be registered as a principal is not licensable under FAIS, although an amendment to the local bank or to be licensed as a local branch of a foreign banking insti- definition of an intermediary service, brought about in 2018 (but which is tution. Two of the key activities included in the concept of the business of not yet in force), will subject principal dealing in investments with local a bank are the marketing or solicitation of deposits (which would include clients to FAIS licensing requirements in future. the promotion of bank deposit accounts) and the acceptance of deposits, Services that are subject to licensing under FAIS (as ‘advice’) among other things. The Banks Act falls under the purview of the PA, include (but are not limited to) advising on investments and advising from a prudential perspective, and the FSCA, from a market conduct on forex trades. In terms of FAIS, a FAIS-unlicensed financial services perspective. Licensing under the Banks Act is considered by the PA. provider may not promote or market its business or capabilities to any South African-resident person, whether onshore in South Africa or from Payment services offshore on a cross-border basis. The National Payment System Act 1998 (NPSA) provides for the management, administration, operation, regulation and supervision of payment, OTC derivatives clearing and settlement systems in South Africa. It also provides for the Regarding over-the-counter (OTC) derivatives as investment instru- establishment of the Payments Association of South Africa (PASA) as ments, Regulations under the Financial Markets Act 2012 (the FMA the body mandated by the SARB to organise, manage and regulate the Regulations) provide that a person who, as a regular feature of business participation of its members in the payment system. The NPSA makes and transacting as principal, originates, issues, sells or makes a market provision for various role players (both bank and non-bank) in the in an OTC derivative must be registered as an OTC derivative provider. payment system and requires the role players seeking to participate in The FMA Regulations fall under the purview of the FSCA. the payment system to be formally authorised to do so. The NPSA falls under the purview of the SARB and PASA. Credit and lending activities The provision of loans or any form of credit is regulated under South Trading in currencies African law by the provisions of the National Credit Act 2005 (NCA), Where forex trading involves the buying and selling of foreign currency, which requires lenders in respect of whose credit agreements the NCA those activities can be performed only by authorised dealers in South applies, to formally register as ‘credit providers’ with South Africa’s Africa (generally, commercial banks in South Africa that have been NCR. The NCA generally applies to every credit agreement between appointed as such by the SARB) or, to a limited extent, by authorised parties dealing at arm’s length and made within, or having an effect in, dealers with limited authority. This falls under the purview of the SARB South Africa. in terms of South Africa’s legislated exchange control regime. The NCA provides for certain general exemptions from its application (the NCA Exemptions). In this regard, the NCA will not apply to: Consumer lending • a credit agreement in respect of which the credit receiver (borrower) 5 Is consumer lending regulated in your jurisdiction? is a juristic or legal person (as opposed to a natural person or individual) whose net asset value or annual turnover, together with the Credit and lending activities combined net asset value or annual turnover of all persons related The provision of loans or any form of credit is regulated under South to the juristic person credit receiver, equals or exceeds 1 million African law by the NCA, which requires lenders in respect of whose rand at the time of conclusion of the credit agreement; credit agreements the NCA applies, to formally register as ‘credit • a ‘large’ credit agreement (eg, a credit transaction, in respect of providers’ with South Africa’s NCR. The NCA generally applies to every which the principal debt under that transaction falls at or exceeds credit agreement between parties dealing at arm’s length and made 250,000 rand, where the consumer for the purposes of the NCA is a within, or having an effect in, South Africa. juristic person having a net asset value or annual turnover falling The NCA does provide for certain general exemptions from its below 1 million rand); and application. In this regard, the NCA will not apply to: • a local applicant credit receiver can formally apply to the Ministry • a credit agreement in respect of which the credit receiver (borrower) of Trade and Industry for a credit agreement that the credit receiver is a juristic or legal person (as opposed to a natural person or indi- seeks to enter into with an offshore (foreign) credit provider to be vidual) whose net asset value or annual turnover, together with the formally exempt from the application of the NCA. combined net asset value or annual turnover of all persons related to the juristic person credit receiver, equals or exceeds 1 million Lending will be subject to the NCA unless an exemption from the NCA rand at the time of conclusion of the credit agreement; applies. While there is no specific licensing regime for factoring or • a ‘large’ credit agreement (eg, a credit transaction, in respect of invoice discounting, where the NCA applies to the underlying agree- which the principal debt under that transaction falls at or exceeds ments in respect of which the factoring or discounting takes place, the 250,000 rand, where the consumer for the purposes of the NCA is a person acquiring the rights to the debts under those underlying agree- juristic person having a net asset value or annual turnover falling ments must also be licensed under the NCA. This is because the NCA below 1 million rand); and

• a local applicant credit receiver can formally apply to the Ministry established as companies, bewind trusts (in which the trust founder of Trade and Industry for a credit agreement that the credit receiver transfers ownership of the trust assets to the beneficiaries with control seeks to enter into with an offshore (foreign) credit provider to be vested in the trustees) or en commandite partnerships (a form of limited formally exempt from the application of the NCA. partnership) and are, therefore, subject to the laws that govern those arrangements. AIFs could trigger the application of CISCA; however, as Lending will be subject to the NCA unless an exemption from the NCA no express carve-out for them is provided for in CISCA, AIFs should be applies. While there is no specific licensing regime for factoring or carefully structured and marketed discriminatively to selected (sophis- invoice discounting, where the NCA applies to the underlying agree- ticated) local investors. The application (or non-application) of CISCA to ments in respect of which the factoring or discounting takes place, the an AIF must be considered on a case-by-case basis. person acquiring the rights to the debts under those underlying agree- Where CISCA is triggered, the manager or operator of a foreign CIS ments must also be licensed under the NCA. This is because the NCA will be indirectly regulated by the FSCA. Where CISCA does not apply includes in its definition of a credit provider a person who acquires the to an AIF, the manager of the AIF is likely to be caught by the licensing rights of a credit provider under an NCA-regulated credit agreement provisions of FAIS, in that investments in AIFs constitute financial prod- after that agreement has been entered into. Secondary market loan ucts for the purposes of FAIS. trading will be subject to the NCA under circumstances where the orig- In its policy position paper on crypto-assets (the Crypto Position inal loan being traded was subject to the NCA (in other words, where an Paper), the Intergovernmental FinTech Working Group made a recom- exemption from the NCA applied to the original loan, secondary market mendation that the pooling of crypto-assets be regarded as constituting trading in respect of that loan will also be exempt from the NCA). The an AIF, which should, therefore, become a licensable activity in terms of, NCA falls under the purview of the NCR. and following the enactment of, the Conduct of Financial Institutions Bill. The Crypto Position Paper indicates, however, that a CIS should not be Secondary market loan trading allowed to include crypto-assets in its portfolios. 6 Are there restrictions on trading loans in the secondary market in your jurisdiction? Peer-to-peer and marketplace lending 9 Describe any specific regulation of peer-to-peer or Secondary market loan trading will be subject to the NCA under circum- marketplace lending in your jurisdiction. stances where the original loan being traded was subject to the NCA (in other words, where an exemption from the NCA applied to the orig- There is no specific regulation of peer-to-peer or marketplace lending inal loan, secondary market trading in respect of that loan will also be in South Africa. Activities in relation to peer-to-peer lending, however, exempt from the NCA). are likely to trigger licensing or regulatory requirements under South Africa’s general financial services regulatory frameworks (eg, the NCA, Collective investment schemes the Banks Act, CISCA or the NPSA), where the offering entails engage- 7 Describe the regulatory regime for collective investment ment in regulated activities or regulated ancillary activities. schemes and whether fintech companies providing In the main, peer-to-peer or marketplace lending will be regu- alternative finance products or services would fall within its lated under the NCA unless an exemption from the NCA applies. The scope. NCA requires lenders in respect of whose credit agreements the NCA applies, to formally register as ‘credit providers’ with South Africa’s The solicitation of investments in foreign collective investment schemes NCR. The NCA generally applies to every credit agreement between (CISs) from local investors (including institutional investors) is governed parties dealing at arm’s length and made within, or having an effect in, by the Collective Investment Schemes Control Act 2002 (CISCA), South Africa. The NCA provides for the following general exemptions: together with the regulations and notices promulgated under CISCA. • a credit agreement in respect of which the credit receiver (borrower) In terms of CISCA, no person may market, or solicit investments in, is a juristic or legal person (as opposed to a natural person or indi- a foreign CIS unless the foreign CIS has itself been formally approved in vidual) whose net asset value or annual turnover, together with the accordance with CISCA’s requirements by the FSCA. This prohibition is combined net asset value or annual turnover of all persons related strictly enforced (such that even the naming of an unapproved foreign to the juristic person credit receiver, equals or exceeds 1 million CIS to a South African prospect of any classification is strictly prohib- rand at the time of conclusion of the credit agreement; ited). Breach of the prohibition constitutes a criminal offence. • a ‘large’ credit agreement (eg, a credit transaction, in respect of The definition of a CIS includes an open-ended investment company, which the principal debt under that transaction falls at or exceeds and it provides for a scheme where members of the public are invited to 250,000 rand, where the consumer for the purposes of the NCA is a invest money or other assets in a portfolio where investors hold partici- juristic person having a net asset value or annual turnover falling patory interests (any interest, shares, units, etc) and share pro rata in below 1 million rand); and terms of their investment in the risks and benefits of the scheme. • a local applicant credit receiver can formally apply to the Ministry The applicability (or non-applicability) of CISCA depends entirely of Trade and Industry for a credit agreement that the credit receiver on whether the definition of a CIS under CISCA is met. As such, certain seeks to enter into with an offshore (foreign) credit provider to be fintech product offerings could trigger the application of CISCA (eg, formally exempt from the application of the NCA. crowdfunding offerings could trigger CISCA in circumstances where investments are pooled in a portfolio as defined under CISCA). The offering and structure of the service would also generally need to be assessed for compliance with the Banks Act, CISCA or the NPSA to Alternative investment funds ensure that those frameworks are not inadvertently breached (ie, to 8 Are managers of alternative investment funds regulated? ensure that the offering does not involve the business of a bank, the pooling of investments or the processing of payments in the regu- Alternative investment funds (AIFs) themselves, including private equity lated space). funds (but excluding hedge funds, which have been declared to be CISs), are not currently specifically regulated in South Africa. AIFs are usually www.lexology.com/gtdt 183 © Law Business Research 2020 South Africa Bowmans

Crowdfunding Open banking 10 Describe any specific regulation of crowdfunding in your 13 Are there any laws or regulations introduced to promote jurisdiction. competition that require financial institutions to make customer or product data available to third parties? Crowdfunding is not specifically regulated in South Africa. However, crowdfunding activities may be subject to existing regulation under No. South Africa’s general financial services regulatory frameworks. For example, the activities may fall within the ambit of: Robo-advice • the Banks Act, where activities could be seen as deposit-taking 14 Describe any specific regulation of robo-advisers or other (which constitutes the business of a bank); companies that provide retail customers with automated • the Companies Act 2008 (the Companies Act), where the business access to investment products in your jurisdiction. in question is a company, and the crowdfunding activities amount to offers to the public of securities, which would necessitate compli- The Determination of Fit and Proper Requirements for Financial Services ance with certain requirements, including the filing of a Companies Providers 2017 (the Fit and Proper Requirements), published under Act-compliant prospectus; FAIS, specifically regulates ‘automated advice’, which is defined as ‘the • CISCA, where investments are pooled; furnishing of advice through an electronic medium that uses algorithms • FAIS, where the crowdfunding platform can be seen to provide an and technology, without the direct involvement of a natural person’. A intermediary service or advice in relation to a financial instrument person that provides robo-advice is expected to be licensed under FAIS or product; as a financial services provider (FSP) to do so and to meet certain criteria. • the Financial Markets Act 2012 (FMA), where the online platform In addition to the standard governance requirements applicable to can be seen to operate as an exchange, matching investors with an FSP in the Fit and Proper Requirements, an FSP that provides auto- issuers or product providers; and mated advice must meet additional requirements relating to, among • the NCA, where crowdfunding is based on a lending model (inter- other things, human resources, policies and procedures relating to the mediation of loans is not regulated per se). monitoring and reviewing of algorithms, the testing of algorithms and technological resources. Invoice trading 11 Describe any specific regulation of invoice trading in your Insurance products jurisdiction. 15 Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated? While there is no specific licensing regime for invoice discounting or trading per se, where the NCA applies to the underlying agreements Yes. Insurers and underwriters must be licensed under the Insurance in respect of which the discounting or trading takes place, the person Act 2017, while persons seeking to broker or market insurance products acquiring the rights to the debts under those underlying agreements on behalf of an insurer or underwriter require authorisation under FAIS must also be licensed under the NCA. This is because the NCA includes (as insurance products constitute financial products under FAIS and in its definition of a credit provider a person who acquires the rights of broking insurance constitutes an intermediary services). a credit provider under an NCA-regulated credit agreement after that Insurers and underwriters are supervised, in the main, by the PA agreement has been entered into. (with the FSCA supervising insurers on market conduct). Insurance brokers (regulated under FAIS) are supervised by the FSCA. Payment services 12 Are payment services regulated in your jurisdiction? Credit references 16 Are there any restrictions on providing credit references or Yes. The NPSA provides for the management, administration, opera- credit information services in your jurisdiction? tion, regulation and supervision of payment, clearing and settlement systems in South Africa. It also provides for the establishment of PASA Yes. These services are likely to trigger registration requirements under as the body mandated by the SARB to organise, manage and regulate the NCA as being the services of a credit bureau. the participation of its members in the payment system. Although not expressed in the NCA itself, from a practical perspec- The National Payment System Department of the SARB has formally tive, the NCR permits persons seeking to pull credit information from clarified that the South African payment system encompasses the entire existing registered credit bureaux (as opposed to maintaining that infor- payment process from a payer to a beneficiary and ‘. . . includes all mation themselves, on their own database) to register as ‘reseller credit the tools, systems, mechanisms, institutions, agreements, procedures, bureaux’. Reseller credit bureaux are subject to a lighter-touch regu- rules or laws applied or utilised to effect payment’. latory regime than that to which credit bureaux are subject, and are The NPSA makes provision for various role players (both bank exempt from compliance with certain obligations imposed by the NCA and non-bank) in the payment system, and requires the role players on credit bureaux proper. seeking to participate in the payment system to be formally authorised to do so. Fintech companies that seek to provide mobile money-type CROSS-BORDER REGULATION products are likely to be subject to licensing under one of the roles provided for under the NPSA. Electronic money is also regulated in Passporting South Africa (albeit under a position paper published by the SARB), and 17 Can regulated activities be passported into your jurisdiction? only a registered South African bank is permitted to issue e-money. This requirement often means that fintech companies will need to partner No. The relevant licences and authorisations must be obtained under with a bank to provide certain services within South Africa. each relevant regulatory framework. The applicable legislation also applies to services provided on a cross-border basis from offshore into South Africa.

Requirement for a local presence • holds more than 15 per cent of the shares in the company; 18 Can fintech companies obtain a licence to provide financial • is able to exercise or control the exercise of more than 15 per cent services in your jurisdiction without establishing a local of the voting rights associated with securities of the company; or presence? • has the right to appoint or elect, or control the appointment or elec- tion of, directors of that company who control more than 15 per The Collective Investment Schemes Control Act 2002, the Financial cent of the votes at a meeting of the board. Advisory and Intermediary Services Act 2002 and the National Payment System Act 1998 allow the acquisition of licences by foreign entities Acquisition of shares or any other interest in excess of 49 per cent in without having a physical, staffed presence in South Africa. a market infrastructure requires the prior approval of the Minister of Finance. SALES AND MARKETING A CIS manager requires the prior approval of the FSCA where there is a change in its shareholding, irrespective of the extent or materiality Restrictions of the change. 19 What restrictions apply to the sales and marketing of Changes to the direct shareholding of a financial services provider financial services and products in your jurisdiction? requires formal, post-notification to the FSCA, within 15 business days after the change has occurred. The marketing or offering of financial products (including collective A registered credit provider must notify the National Credit investment schemes, insurance and deposit-taking, among other things) Regulator of a change to its shareholding post-registration, in accord- requires the appropriate licences from the Financial Sector Conduct ance with the conditions attached to its registration. Authority to be held. The marketing of lending products regulated by the National Credit Act 2005 (NCA) is also prohibited unless a person FINANCIAL CRIME is registered as a credit provider by the National Credit Regulator. The marketing of payment services is not regulated or restricted per se, Anti-bribery and anti-money laundering procedures but a person will not be permitted to provide the relevant regulated 21 Are fintech companies required by law or regulation to have services in the absence of the required licence or registration with the procedures to combat bribery or money laundering? Payments Association of South Africa. No anti-corruption, anti-money laundering or other financial crime regu- CHANGE OF CONTROL lations specifically govern fintech products and services in South Africa. The Prevention and Combating of Corrupt Activities Act 2004 is the Notification and consent primary law governing bribery and corruption prevention and enforce- 20 Describe any rules relating to notification or consent ment in South Africa. The Act criminalises public and private corruption requirements if a regulated business changes control. (ie, corruption committed between private parties) and criminalises both the payment and receipt of a bribe (referred to as ‘gratification’ under In relation to banks, a person who seeks to acquire 15 to 49 per cent South African legislation). The Act may also apply extraterritorially where of shares in a bank requires prior approval of the Prudential Authority there is a sufficiently close connection. The Act does not prescribe any (PA), and seeking to acquire 49 per cent or more of shares in a bank specific anti-bribery procedures that would apply to fintech companies. requires prior approval of the Minister of Finance. The two most significant pieces of anti-money laundering legisla- Prior approval must be obtained by a person who seeks to be a tion in South Africa are the Prevention of Organised Crime Act 1998 ‘significant owner’ of a bank, an insurer, a collective investment scheme (POCA) and the Financial Intelligence Centre Act 2001 (FICA). In broad (CIS) manager or a market infrastructure (such as a stock exchange terms, POCA creates statutory money laundering offences, and FICA or central securities depository). In respect of insurers and banks, establishes the broad legal and administrative framework for combating approval must be obtained from the PA, and in respect of CIS managers anti-money laundering in South Africa. and market infrastructures approval, approval must be obtained from FICA’s anti-money laundering provisions are more stringent for the Financial Sector Conduct Authority (FSCA). A person is regarded as companies that are ‘accountable institutions’ in terms of the Act. A a significant owner if the person, directly or indirectly, alone or together fintech company may have to register as an accountable institution with a related or interrelated person, has the ability to control or influ- under FICA and would be subject to the anti-money laundering (AML) ence materially the business or strategy of the institution. In turn, a regime set up by that Act, for example, where a particular fintech-based person has the ability to control or influence materially the business or product meets the definition of a financial product under the Financial strategy of an institution if: Advisory and Intermediary Services Act 2002. • the person, directly or indirectly, alone or together with a related Fintech businesses that fall under the definition of accountable or interrelated person, has the power to appoint 15 per cent of the institutions in FICA are subject to demanding compliance obligations, members of the board of directors; including: • the consent of the person, alone or together with a related or inter- • ensuring that there are measures being taken to identify and verify related person, is required for the appointment of 15 per cent of the their clients; board members; or • conducting due diligence on clients; • the person, directly or indirectly, alone or together with a related • filing suspicious transactions reports; and or interrelated person, holds a qualifying stake in the institution. • conducting enhanced ongoing monitoring procedures on clients that fall under the definition of ‘foreign prominent public official’ or Any acquisition of shares or any other instrument in a market infra- ‘domestic prominent influential person’. structure that will entitle that person to exercise direct or indirect control over the institution requires the prior approval of the FSCA. For South Africa also belongs to the Financial Action Task Force (FATF) and this purpose, a person exercises control if that person, alone or with the Eastern and Southern Africa Anti-money Laundering Group. In 2019, associates: the FATF amended FATF Recommendation 15 (on new technologies). The www.lexology.com/gtdt 185 © Law Business Research 2020 South Africa Bowmans

amendment requires jurisdictions to regulate crypto-assets and crypto- quotation, pre-agreement statement and loan agreement, and adhere to asset service providers (CASPs) for anti-money laundering and combating several pre- and post-agreement rules and restrictions). the financing of terrorism (AML/CFT). Jurisdictions must ensure that A credit agreement regulated by the NCA entered into on a peer- CASPs are licensed or registered and subject to AML/CFT systems. to-peer or marketplace lending platform may be declared void and In addition to the above, the Intergovernmental FinTech Working unenforceable in certain instances (eg, where a lender who is required to Group’s policy position paper on crypto-assets (the Crypto Position be registered as a credit provider in terms of the NCA is not registered). Paper) recommends that Schedule 1 of the Financial Intelligence Centre It is probably unlikely that peer-to-peer and marketplace lending Act 2001 (FICA) be amended to include CASPs to the list of accountable arrangements will fall under any of the general NCA exemptions, but the institutions (that is, for CASPs to be listed as their own category). This NCA will not apply in those cases. The exemptions are: would encompass CASPs becoming accountable institutions in respect • a credit agreement in respect of which the credit receiver (borrower) of those CASPs that are not already accountable institutions (by virtue is a juristic or legal person (as opposed to a natural person or indi- of being, for example, an FSP). vidual) whose net asset value or annual turnover, together with the No single law enforcement agency is charged with the investigation combined net asset value or annual turnover of all persons related of corruption and money laundering offences in South Africa. Agencies to the juristic person credit receiver, equals or exceeds 1 million with investigation powers include the South African Police Service, the rand at the time of conclusion of the credit agreement; National Prosecuting Authority and Asset Forfeiture Unit, the Public • a ‘large’ credit agreement (eg, a credit transaction, in respect of Protector and the Special Investigations Unit. The circumstances of which the principal debt under that transaction falls at or exceeds each case determine who investigates it. 250,000 rand, where the consumer for the purposes of the NCA is a juristic person having a net asset value or annual turnover falling Guidance below 1 million rand); and 22 Is there regulatory or industry anti-financial crime guidance • a local applicant credit receiver can formally apply to the Ministry for fintech companies? of Trade and Industry for a credit agreement that the credit receiver seeks to enter into with an offshore (foreign) credit provider to be There is currently no specific regulatory or industry anti-financial formally exempt from the application of the NCA. crime guidance for fintech companies in South Africa. In January 2019, however, the Crypto Assets Regulatory Working Group, in a consultation Assignment of loans paper containing policy proposals for the development of regulatory 24 What steps are required to perfect an assignment of responses, proposed that crypto-asset service providers be required to: loans originated on a peer-to-peer or marketplace lending • register as accountable institutions with the Financial platform? What are the implications for the purchaser if the Intelligence Centre; assignment is not perfected? Is it possible to assign these • conduct customer due diligence; loans without informing the borrower? • file reports on suspicious and unusual transactions; and • implement appropriate record keeping. Where the loan agreement is regulated under the NCA (ie, where an The Crypto Position Paper recommends, among other things: exemption from the NCA does not apply), the assignee must be regis- • the implementation of an anti-money laundering and counterter- tered as a credit provider in terms of the NCA for the assignment to rorism financing regime; and be lawful. This is because the NCA includes in its definition of a ‘credit • a regulatory regime for the monitoring of cross-border finan- provider’ any person who acquires the rights of a credit provider under cial flows. an NCA-regulated agreement after the agreement has been entered into.

Fintech companies should also be aware of how the compliance provi- Securitisation risk retention requirements sions of the Cybercrimes and Cybersecurity Bill may affect them in 25 Are securitisation transactions subject to risk retention future. The Bill has not yet been promulgated and, at present, has no requirements? legal effect, but it is currently before the relevant South African legislative authority. The Bill aims to create a number of new offences relating Currently, no risk retention requirements are applicable in the South to cybercrime and to assist in the prosecution and investigation of African market. However, given that South Africa has implemented the those offences. For example, the present draft of the Bill would oblige Basel III requirements via regulations to the Banks Act 1990 (the Banks financial institutions and electronic communications service providers Act), it is likely that securitisation transactions in South Africa may soon to report offences implicating its computer system within 72 hours of be subject to similar risk retention requirements as those promulgated the commission of the offence, taking steps to preserve any evidence across the European Union, including the Securitisation Regulation related to the offence. (Regulation (EU) 2017/2402) and the Counterparty Credit Risk Amending Regulation (Regulation (EU) 2017/2401), requiring, among other things, PEER-TO-PEER AND MARKETPLACE LENDING securitising entities to have a new direct obligation to retain risk and the implementation of the revised Basel securitisation framework. Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Securitisation confidentiality and data protection requirements security agreements? Is there a risk that loan agreements 26 Is a special purpose company used to purchase and securitise or security agreements entered into on a peer-to-peer or peer-to-peer or marketplace loans subject to a duty of marketplace lending platform will not be enforceable? confidentiality or data protection laws regarding information relating to the borrowers? Loan agreements (and, indirectly, related security agreements) regulated under the National Credit Act 2005 (NCA) as credit agreements must In South Africa, a special purpose vehicle that is set up to issue comply with the onerous prescripts of the NCA to be valid (eg, a regis- commercial paper, as well as to acquire, own and deal in the under- tered credit provider must provide a borrower with an NCA-compliant lying receivables acquired by the originator (the issuer SPV), may only

186 Fintech 2021 © Law Business Research 2020 Bowmans South Africa issue commercial paper if it complies with certain conditions set out in Crypto-assets the Securitisation Regulations issued in terms of the Banks Act 1990, 29 Are there rules or regulations governing the use of crypto- which exempts a securitisation structure from falling under the regula- assets, including digital currencies, digital wallets and tory framework for banks. The issuer SPV can be formed in South Africa e-money? or another jurisdiction, depending on the location of the securitisation originator and other applicable commercial factors. It is well established (and confirmed by the relevant regulators) that In cases where the SPV is set up in South Africa and is subject crypto-assets are currently not regulated. Accordingly (in very broad to South Africa laws and regulations, there are no specific rules and terms), any activities in respect of those types of assets are not regu- regulations governing confidentiality and data protection as it relates lated in South Africa. However, crypto-assets may have a different to issuer SPVs in relation to the borrower in the context of securiti- regulatory treatment if they have characteristics similar to those of sation (peer-to-peer or marketplace loans). However, the Protection existing regulated financial instruments or products in the South African of Personal Information Act 2013 (POPIA) governs the processing and landscape. Whether crypto-assets have characteristics similar to those transfer of personal data relating to securitisation transactions. The of existing regulated financial instruments or products in South Africa is operative provisions and related regulations of POPIA were due to come a factual question and can be determined only on a case-by-case basis. into effect on 1 April 2020, but this was delayed owing to the covid-19 In our experience, some crypto-assets constitute collective invest- pandemic. The operative provisions and related regulations of POPIA ment schemes (CISs) under the Collective Investment Schemes Control came into effect on 1 July 2020. Act 2002 (CISCA). In light of this, the key considerations in determining In South Africa, there are also common law and constitutional whether a crypto-asset is a regulated instrument under CISCA are as rights to privacy, including privacy of personal information. In practice, follows: whether the crypto-asset involves the pooling of investors’ South African institutions (including financial institutions and Issuer funds for investment in crypto-assets; whether the investors hold partic- SPVs) already comply with POPIA in the treatment of personal data and ipatory interests (howsoever called); and whether the investors share confidentiality because POPIA enshrines the common law and constitu- the risk and the benefit of investment in proportion to their participatory tional rights to privacy already in place. interests. The Intergovernmental FinTech Working Group’s policy position paper on crypto-assets (the Crypto Position Paper) recommends ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER that the pooling of crypto-assets be regarded as constituting an alterna- TECHNOLOGY AND CRYPTO-ASSETS tive investment fund, which should become a licensable activity in terms of the Conduct of Financial Institutions Bill. The Crypto Position Paper Artificial intelligence indicates that a CIS should not be allowed to include crypto-assets in 27 Are there rules or regulations governing the use of artificial its portfolios. intelligence, including in relation to robo-advice? Some crypto-assets, such as stablecoins, have the potential to be seen as derivative instruments (forex derivatives), which are regulated Yes, in respect of certain products. The National Payment System Act by both the Financial Markets Act 2012 (FMA) (regulating securities 1998 (NPSA) regulates system operators whose business is to assist traded on a stock exchange) and the Financial Advisory and Intermediary participants in the South African payment system with the sending or Services Act 2002 (FAIS) (regulating the provision of financial services receiving of instructions in respect of payment transactions, mainly in respect of listed and unlisted financial products). Similarly, owner- through the provision of technical infrastructure. The NPSA regulates ship tokens that meet the functional definition of securities could be such technical infrastructure. regulated under the FMA and FAIS. The Determination of Fit and Proper Requirements for Financial E-money is not dealt with in any legislation, including the Banks Act Services Providers 2017 (the Fit and Proper Requirements), published 1990 (the Banks Act), but it has been addressed in the E-Money Position under the Financial Advisory and Intermediary Services Act 2002 Paper, issued by the South African Reserve Bank (SARB). According to (FAIS), specifically regulates ‘automated advice’, which is defined as the E-Money Position Paper, the SARB will allow only registered South ‘the furnishing of advice through an electronic medium that uses algo- African banks to issue e-money, subject to section 52 of the Banks Act, rithms and technology, without the direct involvement of a natural which allows for non-banks to enter into arrangements with banks person’. A person that provides robo-advice is expected to be licensed that may permit those non-banks to offer payment-related services in under FAIS as a financial services provider (FSP) to do so and to meet relation to e-money, in conjunction with the bank. Some digital wallets certain criteria. qualify as e-money, and the activities surrounding those wallets are In addition to the standard governance requirements applicable to subject to the E-Money Position Paper. an FSP in the Fit and Proper Requirements, an FSP that provides automated advice must meet additional requirements relating to, among Digital currency exchanges other things, human resources, policies and procedures relating to the 30 Are there rules or regulations governing the operation of monitoring and reviewing of algorithms, the testing of algorithms and digital currency exchanges or brokerages? technological resources. Virtual currencies are not specifically regulated in South Africa. South Distributed ledger technology Africa is, however, a common law-based jurisdiction that follows a princi- 28 Are there rules or regulations governing the use of ples-based, conduct-centric approach to financial regulation; therefore, distributed ledger technology or blockchains? some of the activities relating to virtual currencies may be subject to regulation if they have characteristics similar to the vanilla instru- No. ments that are currently regulated in South Africa. The FMA applies to all exchanges that facilitate transactions in ‘securities’ as defined; therefore, the functional characteristics of each of the digital currencies traded on an exchange must be considered to determine whether the exchange should be licensed under the FMA.

Initial coin offerings including the unlawful accessing of data using software or hardware 31 Are there rules or regulations governing initial coin offerings tools. The intention is that new cybersecurity legislation will also be (ICOs) or token generation events? made, although there is no firm timing on this and draft legislation has not yet been released for comment. There are no such rules specifically referring to ICO’s or other token The Intergovernmental FinTech Working Group’s policy position generation events. However, to the extent that the tokens issued, gener- paper on crypto-assets (the Crypto Position Paper) notes the increased ated or sold meet the functional definition of equity securities or debt cybersecurity risk in relation to crypto-assets and recommends that securities under the Companies Act 2008, their issuance and sale may crypto-asset service providers (CASPs) ensure they meet the interna- be subject to the existing (and complex and onerous) rules for initial tional cybersecurity standards for the safeguarding of crypto-assets. public offerings, or for primary or secondary offerings of equity or debt. The Crypto Position Paper recommends implementing a regulatory framework with guidelines to ensure that proper cybersecurity controls DATA PROTECTION AND CYBERSECURITY are adopted by CASPs.

Data protection OUTSOURCING AND CLOUD COMPUTING 32 What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to Outsourcing fintech products and services? 34 Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of Subject to the South African Reserve Bank’s Directive D3/2018 a material aspect of its business? and Guidance Note G5/2018 addressing cloud computing and data offshoring, there are no specific rules and regulations governing the Yes, depending on the nature or activities of the financial services processing and transfer (domestic and cross-border) of data relating to company. Outsourcing by insurers and underwriters is subject to fintech products and services, or specifically aimed at fintech companies. Prudential Standard GOI 5 ‘Outsourcing by Insurers’, which requires There are also no sector-specific rules relating to the anonymisation an insurer to have an outsourcing policy for the outsourcing of mate- and aggregation of personal data. rial business activities to comply with prescribed requirements and for However, the Protection of Personal Information Act 2013 (POPIA) the outsourcing be notified to the Prudential Authority at least 30 days will govern the processing and transfer of personal data relating to before it takes place. fintech products and services. Although certain provisions of POPIA Outsourcing by banks is subject to Guidance Note 5/2014 issued have been in effect for some time, the operative provisions (such as by the South African Reserve Bank (SARB), which requires a bank to when and how personal data may be lawfully processed) only came into have an outsourcing policy and for the outsourcing of material busi- effect on 1 July 2020. That said, it is already common practice for business activities of a bank to comply with certain requirements. Further, nesses in South Africa to comply, given that POPIA gives effect to the Directive 8/2016 specifies reporting requirements regarding banks existing common law and constitutional rights protecting personal data. outsourcing material functions. Any data controller processing personal data in South Africa will The Determination of Fit and Proper Requirements for Financial be bound by the provisions of POPIA, which may include fintech compa- Services Providers 2017 requires the outsourcing of certain func- nies if they are responsible for determining the purpose of and means tions (such as functions that are integral to the nature of the financial for processing the personal data (ie, if they act as a data controller). services for which the financial services provider is authorised or any In terms of POPIA, personal data may be collected only for a specific, material important operational function of the FSP) to be compliant with explicitly defined and lawful purpose, processed on the basis of a valid prescribed requirements. justification for the processing (eg, consent and necessity for pursuing In certain limited circumstances, the outsourcing by a company the legitimate interests of the data controller) and kept only until that of a material aspect of its business may trigger merger notification purpose has been served. obligations under the Competition Act 1998 (the Competition Act) if There are also restrictions on using personal data collected for the outsourcing arrangement constitutes the ‘acquisition of control of direct marketing by electronic communications, including via email the whole or part of a business’ of the company for purposes of the and text. Data subjects have the right to know who is processing their Competition Act, and if the thresholds for mandatory notification are met. personal data and why, and to prevent it from being used for direct marketing without their consent. Cloud computing POPIA also specifically prohibits the transfer of personal data by a 35 Are there legal requirements or regulatory guidance with data controller to a third party in a foreign country unless, among other respect to the use of cloud computing in the financial services grounds, that country has an ‘adequate’ level of protection or that third industry? party is subject to binding corporate rules or a binding agreement that provides an adequate level of protection. In 2018, the SARB issued Directive D3/2018 and Guidance Note G5/2018 addressing cloud computing and data offshoring. In particular, the Cybersecurity Directive and Guidance Note detail items that banks must consider when 33 What cybersecurity regulations or standards apply to fintech choosing to adopt cloud computing as a service or any offshoring of data. businesses? In short, the SARB requires that banks elect a risk-based and mitigation approach, having consideration to the bank’s risk profile, size and South Africa does not have a single, overarching legal and regulatory operations; for example, banks are directed to ensure that a formal board- framework for cybersecurity. Instead, cybersecurity is dealt with in approved data strategy and governance framework is in place, ensure various pieces of legislation, some with overlapping mandates. that the offshoring of data and use of cloud computing does not inhibit New legislation dealing specifically with cybercrimes, the any regulators’ ability to fulfil their duties, and ensure that any cloud Cybercrimes Bill, is currently before Parliament. The Bill updates the computing arrangement does not prevent the bank’s ability to conduct current regulatory framework and creates various cybercrime offences, forensic audits or investigations. Banks are also required to consider the

188 Fintech 2021 © Law Business Research 2020 Bowmans South Africa classification of data, the materiality of the activity outsourced, the level • the intention of the parties to conclude a contract of employment; of risk, the mode and form of cloud computing and the offshoring of data. • the existence of a relationship of authority (whether the employer No such similar directives or guidance notes have been issued in exercises control and supervision over the employee); respect of any other financial services providers in South Africa at present. • the remuneration of the employee (including an assessment of economic dependence on the alleged employer); INTELLECTUAL PROPERTY RIGHTS • the period of the contract of employment; and • the rendering of personal services by the employee. An agreement IP protection for software to the contrary can, however, be concluded between the employer 36 Which intellectual property rights are available to protect and the employee. software, and how do you obtain those rights? Importantly, the above exception does not apply to independent contrac- If it complies with the relevant requirements, software (or a computer tors (ie, contractors or consultants). Independent contractors retain program) is afforded protection in South Africa as a ‘work’ eligible for ownership of all intellectual property rights attaching to their work, copyright under the Copyright Act 1978 (the Copyright Act). unless agreed otherwise. Therefore, where an independent contractor Copyrights cannot be registered, but their protection arises auto- is creating software for payment, it is important to confirm that the matically in law. As soon as a work comes into existence and meets the contract makes provision for the assignment of the copyright to the requirements set out in the Copyright Act, it is protected in terms of person commissioning the work. For the assignment to be valid, it must South African common law as a copyright work. be in writing and must show the necessary animus to transfer and Copyright protects the product of an idea, or the ‘work’, rather receive ownership of the copyright on both sides of the transaction. than an idea itself and entitles the copyright holder to prevent any All other forms of intellectual property do not automatically vest other person from doing, directly or indirectly, any act in relation to the in the employer and must be assigned. Therefore, employment agree- relevant work that the copyright owner has the exclusive right to do or ments (and independent contractor agreements) must include an authorise. assignment of all intellectual property rights developed in the course There are a number of types of works that are eligible for copyright and scope of employment. under the Copyright Act, including, but not limited to, literary works and computer programs. A program only constitutes a computer program Joint ownership in terms of the Copyright Act if it is a finished product that is capable of 38 Are there any restrictions on a joint owner of intellectual directing the operation of a computer to bring about an intended result. property’s right to use, license, charge or assign its right in It is commonly understood that, until the time the program is capable of intellectual property? doing so, it constitutes a literary work. As a result, software is afforded protection under the Copyright Act. The protection of intellectual property software is only dealt with in An important consideration for copyright protection is the identity terms of the Copyright Act. According to the Copyright Act, a ‘work of the author. As a general rule, copyright automatically vests in the of joint ownership’ means a work produced by two or more authors author of a work (although there are exceptions). In addition, to qualify in which the contribution of each author is not separable from the for protection under the Copyright Act, the author must be an ‘eligible contribution of the other author or authors. The inseparability of the person’, which means either a South African citizen or an entity incor- authors’ contributions gives rise to joint authorship (ie, co-ownership). porated according to South African laws, and the work must be original Co-ownership may also arise where the copyright is assigned to more and reduced to material form. than one assignee. In South African law, each co-owner obtains an indi- Certain forms of copyright are subject to ‘moral rights’, which belong visible share in the copyright and may not use or dispose of such share to the author. These are rights of paternity (ie, the right to claim owner- without the consent of the other co-owner. ship) and integrity (ie, the right to object to any distortion, mutilation or other modification of the work). However, the author of a computer Trade secrets program or a work associated with a computer program may not prevent 39 How are trade secrets protected? Are trade secrets kept or object to modifications that are absolutely necessary on technical confidential during court proceedings? grounds or for the purpose of commercial exploitation of the work. The Patents Act 1978 expressly excludes a program for a computer Confidential information from being a patentable invention in South Africa. Confidential information is information that has the necessary quality of confidentiality to justify legal protection, where confidentiality is more IP developed by employees and contractors than value or usefulness of the information. To be treated as confidential 37 Who owns new intellectual property developed by an information, information must be: employee during the course of employment? Do the same • capable of application in trade and industry; rules apply to new intellectual property developed by • secret or confidential, that is, it must be known only to certain people contractors or consultants? or be something that is not public property or public knowledge; and • the information must have economic value to the person trying to The protection of intellectual property software is only dealt with in protect it. Whether information is confidential is a question of fact, terms of the Copyright Act. Generally, copyright automatically vests and information may lose its confidential nature over time. in the author of the work. One of the exceptions in the Copyright Act is in the case of an employment relationship, in which case the copy- Legal framework right in any work made during the course of the author’s employment There is no specific legislation or regulation that deals directly with under a contract of service or apprenticeship will vest in the employer. confidential information in South Africa. Confidential information is, ‘Employment’ is not specifically defined in the Copyright Act, so it is accordingly, regulated under the common law. In certain instances, generally understood to have the meaning given to it under applicable confidential information may be protected under the Copyright Act where law. In this regard, the following criteria are generally taken into account: the information constitutes a literary work and is reduced to writing. www.lexology.com/gtdt 189 © Law Business Research 2020 South Africa Bowmans

Protections and remedies • marks that exclusively comprise a sign or indication that designates The common law provides various mechanisms that can be used to various characteristics of goods or services; or protect confidential information, trade secrets and know-how, including: • marks that exclusively comprise a sign or an indication that has • contractual protection (this may either be express or implied); become customary in the current language or bona fide established • delictual protection, comparable to tort under English law (specifi- practices in the trade. cally protection from unlawful competition); • interdict (equivalent to an injunction under English law); and The process of registering a trademark involves making an application, • protection arising from a fiduciary relationship (eg, an agent, which is then examined. mandatory or director). Examination first considers the formal requirements (ie, that the mark is distinctive and capable of registration), and second considers Most importantly, the person wishing to protect confidential information whether any conflict or third-party rights based on prior applications must take practical steps to keep the information confidential. or registrations would be contravened using the trademark. The registrar may accept the application unconditionally, or the registrar may Trade secret accept the application subject to conditions, amendment or modification. A trade secret is essentially a sub-category of confidential information Conversely, the registrar may also refuse the application provisionally, in that it is a formula, practice, process, design, instrument, pattern, or the registrar may refuse the application altogether. commercial method or compilation of information not generally known If the application is accepted, the acceptance must be advertised or reasonably ascertainable by others by which a business can obtain in the Patent Journal. Any interested person may, within three months an economic advantage or competitive edge over competitors or following the advertisement of the trademark application in the Patent customers. Usually, only a strategic and limited number of persons hold Journal, lodge an opposition to the registration of the trademark. An such information. opposition can be lodged on any of the grounds that the trademark is not capable of registration under the Trade Marks Act. Legal framework If the application is advertised and no objection is raised, the regis- There is no specific legislation or regulation that deals directly with trar will register the trademark and issue a certificate of registration. trade secrets in South Africa. Trade secrets are, accordingly, regulated Trademark registration is effective for an initial period of 10 years under the common law. from the date of filing the application and, thereafter, is renewable for similar periods in perpetuity. A trademark that has lapsed may be Protection and remedies restored upon payment of a fine or additional fee and provided that the The protection and remedies for trade secrets are the same as those registrar is satisfied that it is just to do so. discussed above for confidential information. The general rule is that A trademark may be infringed in the following circumstances: confidential information will be disclosed during court proceedings. The 1 the unauthorised use in the course of trade in relation to the same exception would be that the information would not be disclosed if it falls goods or services in respect of which the mark is registered, of an within the ambit of legal privilege. In addition, a witness can be subpoe- identical mark or a mark so nearly resembling the registered mark naed to provide confidential information. The only ground for refusing as to be likely to deceive or cause confusion; to provide documents or information in terms of a subpoena is legal 2 the unauthorised use in the course of trade of a mark that is iden- privilege. tical or similar to the registered trademark, in relation to goods or services so similar to the goods or services in respect of which the Branding mark is registered that such use has a likelihood of deception or 40 What intellectual property rights are available to protect confusion; branding and how do you obtain those rights? How can fintech 3 the unauthorised use in the course of trade in relation to any goods businesses ensure they do not infringe existing brands? or services of a mark that is identical or similar to the registered trademark if the registered trademark is well known in South Africa Branding may be protected through the use of trademarks, which are and the use of the mark is likely to take unfair advantage of, or be regulated in terms of the Trade Marks Act 1993 (the Trade Marks Act). A detrimental to, the distinctive character or repute of the well-known trademark provides the owner thereof with the exclusive rights to use registered trademark, notwithstanding the absence of confusion or the mark. Trademarks are registerable; however, registration is not a deception; and requirement for the holder to have a remedy in the event of infringe- 4 the unauthorised use of a trademark that constitutes, or the ment. The registration of a trademark, nevertheless, provides a clear and essential part of which constitutes, a reproduction, imitation or enforceable right to that trademark. Accordingly, it is recommended that translation of a trademark that is entitled to protection under the trademarks be registered as the remedies in respect of infringement of Paris Convention as a well-known mark (even though not registered a registered trademark are more comprehensive and easily enforceable in South Africa), if the use is in relation to goods or services that are than those under common law in respect of an unregistered trademark. identical or similar or to goods or services for which the mark is In terms of the Trade Marks Act, a trademark can be registered if: well known, and the use is likely to cause deception or confusion. • the trademark is capable of distinguishing between goods and services of one person from those of another; and The Trade Marks Act sets out the following defences to an infringement • a mark is capable of making a distinction as it is either inherently claim (with an exception to point (4) above): capable of distinguishing between goods and services of one trader • any bona fide use by a person of his or her own name, the name of from another, or capable of making a distinction through prior use. his or her place of business, the name of any of his or her prede- cessors in business, or the name of any such predecessor’s place The Trade Marks Act excludes certain trademarks from registration, of business; including without limitation: • the use by any person of any bona fide description or indication of • marks that do not constitute a trademark; the kind, quality, quantity, intended purpose, value, geographical • marks that lack the general or inherent ability to make a distinction; origin or other characteristics of his or her goods or services, or

the mode or time of production of the goods or the rendering of TAX the services; • the bona fide use of the trademark in relation to goods or services Incentives where it is reasonable to indicate the intended purpose of those 43 Are there any tax incentives available for fintech companies goods, including spare parts and accessories, and such services; and investors to encourage innovation and investment in the • the importation into or the distribution, sale or offering for sale in fintech sector in your jurisdiction? South Africa of goods to which the trademark has been applied by or with the consent of the proprietor thereof; No. • the bona fide use by any person of any utilitarian features embodied in a container, shape, configuration, colour or pattern that is regis- Increased tax burden tered as a trademark; 44 Are there any new or proposed tax laws or guidance that • the use of a trademark in any manner in respect of or in rela- could significantly increase tax or administrative costs for tion to goods to be sold or otherwise traded in, or services to be fintech companies in your jurisdiction? performed, in any place, or in relation to goods to be exported to any market, or in any other manner in relation to which, having No. regard to any conditions or limitations entered in the register, the registration does not extend; and IMMIGRATION • the use of any identical or confusingly or deceptively similar trademark that is registered. Sector-specific schemes 45 What immigration schemes are available for fintech Remedies for infringement of IP businesses to recruit skilled staff from abroad? Are there 41 What remedies are available to individuals or companies any special regimes specific to the technology or financial whose intellectual property rights have been infringed? sectors?

The protection of confidential information, trade secrets and know-how Foreign nationals require work permits to work in South Africa. The is almost exclusively governed by common law; hence, there are protec- Immigration Act 2002 provides for various permits. The most commonly tive mechanisms that provide for common law remedies. In addition to used permits are general work permits and intra-company transfer the common law protective mechanisms that are available, legislation permits. General work permits are typically only granted if no suitable also provides protection of intellectual property rights. South African is available to perform the work concerned. In terms of the Copyright Act and the Trade Marks Act, the infringement of certain provisions is a criminal offence, the penalty for which UPDATE AND TRENDS is a fine or imprisonment. In addition, both the Copyright Act and the Trade Marks Act provide for civil proceedings to be instituted where Current developments intellectual property rights have been infringed, affording the following 46 Are there any other current developments or emerging possible relief: trends to note? • in the case of copyright: • damages (but only where the defendant was aware or had Financial regulatory reasonable grounds for suspecting that copyright subsisted In January 2019, the Crypto Assets Regulatory Working Group (CARWG) in the work); published a consultation paper containing policy proposals for the • an interdict; development of regulatory responses. The paper points out that a • delivery of infringing copies or plates used for making useful starting point for regulatory intervention is through registration. infringing copies; The objective of the registration process is specifically to gain further • in lieu of damages, at the option of the plaintiff, a reasonable insights from market participants. According to the proposals, the royalty; or crypto-asset service providers that will require registration are: • additional damages as the court may deem fit, in certain • crypto-asset trading platforms or any other entity facilitating exceptional circumstances; and crypto-asset transactions; • in the case of trademarks: • crypto-asset digital wallet providers (custodial wallets); • an interdict; • crypto-asset safe custody service providers (custodial services); • an order for the removal of the infringing mark from all mate- • crypto-asset payment service providers; and rial and where inseparable or incapable of being removed • merchants and service providers accepting payments in from the material, an order that all such material be delivered crypto-assets. to the proprietor; • damages; or The policy position paper of the Intergovernmental FinTech Working • in lieu of damages and at the option of the proprietor, a Group (IFWG) on crypto-assets (the Crypto Position Paper) recommends reasonable royalty. the development of a regulatory framework for crypto-assets, including recommending that crypto-assets remain without legal tender status COMPETITION and not be recognised as electronic money. The Crypto Position Paper recommends that the Financial Sector Sector-specific issues Conduct Authority (FSCA) should become the responsible authority for 42 Are there any specific competition issues that exist with the licensing of ‘services related to the buying and selling of crypto- respect to fintech companies in your jurisdiction? assets’ and that Schedule 1 of the Financial Intelligence Centre Act 2001 (FICA) be amended to include crypto-asset service providers (CASPs) to No. the list of accountable institutions. www.lexology.com/gtdt 191 © Law Business Research 2020 South Africa Bowmans

In terms of Recommendation 1 of the Crypto Position Paper, the following entities and activities are classified within CASP functions: • crypto-asset trading platforms (or any other entity facilitating or providing the mentioned services); • crypto-asset vending machine providers; • crypto-asset token issuers; • crypto-asset funds or derivative service providers; • crypto-asset digital wallet providers (custodial wallet); and • crypto-asset safe custody service providers (custodial service). David Geral [email protected]

The Crypto Position Paper also outlines the principle-based approach Kirsten Kern that should be adopted by South Africa’s regulatory response, which [email protected] includes: Livia Dyer • adopting a risk-based approach; [email protected] • adopting a unified regulatory approach: Claire Franklyn • adopting a phased approach; [email protected] • being technology-neutral and primarily principles-based; and • being resilient and adaptive. Bright Tibane [email protected] The implementation plan provided in the Crypto Position Paper provides estimated timelines ranging from six to twelve months to implement the 11 Alice Lane theme outlined in the recommendations. Most notable is the implemen- Sandton tation of a regulatory regime for anti-money laundering and combating Johannesburg 2146 the financing of terrorism, which the IFWG and CARWG estimate will South Africa take six to nine month, noting, however, the possibilities of delays in the Tel: +27 11 669 9000 administrative process. www.bowmanslaw.com The Conduct of Financial Institutions Bill provides (following its enactment) for the requirements for the granting of a financial product or service licence to be adapted to ‘facilitate financial inclusion’ or to promote ‘innovative technology, processes and practices’. specific frameworks. The PA has also provided relief to the banking sector in the form of minimum capital requirements for banks relating Intellectual property to credit risk and temporary capital relief to alleviate risks posed by The Copyright Amendment Bill was tabled in Parliament in May 2017 the pandemic. and aims to provide greater protection to South African performers and authors by ensuring that they receive fair remuneration. The Bill Competition law has been criticised for not achieving this desired purpose, particu- The Minister of Trade, Industry and Competition (the Minister) published, larly because it introduces a ‘fair use’ clause that is critiqued as being among other things, the Covid-19 Block Exemption for the Banking too broad, thereby weakening the protection afforded to authors and Sector 2020 Regulations on 23 March 2020 (the Banking Exemption). publishers. The Banking Exemption was published in terms of sections 10(10) and 78(1) of the Competition Act 1998 (the Competition Act), which permit Coronavirus the Minister to issue regulations exempting a category of agreements 47 What emergency legislation, relief programmes and other or practices from the application of Chapter 2 of the Competition Act. initiatives specific to your practice area has your state Chapter 2 of the Competition Act deals with prohibited conduct implemented to address the pandemic? Have any existing (ie, horizontal and vertical restraints and abuse of dominance). The government programmes, laws or regulations been amended Banking Exemption exempts, in coordination with or at the request of to address these concerns? What best practices are advisable the Minister or, if applicable, the Minister of Finance, certain agreements for clients? or practices between banks (as registered in terms of the Banks Act) that would otherwise constitute contraventions of section 4 (horizontal Financial regulatory prohibited conduct) and section 5 (vertical prohibited conduct) of the As at the time of writing, no emergency legislation has been promul- Competition Act for the duration of the declaration of a state of national gated to address the pandemic; however, the FSCA and the Prudential disaster in terms of the Disaster Management Act, and only for the Authority (PA) have published a number of communications and notices purpose of responding to the disaster (eg, providing payment holidays to mitigate the strain on resources and the financial and operational to debtors or maintaining the functioning and integrity of the national capacity of financial institutions owing to the pandemic. These commu- payment system). The scope of the Banking Exemption was extended nications and notices have provided relief in a number of ways, such as on 5 May 2020 to include all financial institutions registered as such in providing relaxations and extensions to regulatory and filing deadlines terms of the FSRA. in terms of the FSRA, the Financial Advisory and Intermediary Services Act 2002, the Financial Markets Act 2012 and FICA. Tax law The FSCA and PA have also provided relief by communicating Various tax measures have been introduced to provide relief to expectations of regulated entities, such as insurers and collective taxpayers, including the measures set out below. These measures are investment schemes, as well as publishing implementation dates for only applicable for a specific time period: specific regulatory frameworks in advance to provide certainty and • qualifying employers may defer a percentage of their employees’ allow financial institutions to prepare for the implementation of the tax payments in respect of remuneration paid to employees during

April to July 2020. The deferred portion must be settled in six equal instalments, with repayment commencing with the August payroll; • qualifying taxpayers may defer a percentage of their provisional tax payments. The deferred portion must be settled by way of a top-up payment within six months after year end; • payment of excise taxes on alcoholic beverages and tobacco products for May and June 2020 were deferred by 90 days; • the first carbon tax payments would have been due by 31 July 2020, but were postponed until 31 October 2020; • various tax administrative time periods were extended during the initial lockdown period; • covid-19 disaster relief organisations qualify for exemptions in respect of income tax and donations tax, and donations to those organisations are tax deductible subject to certain limits; • the normal limits applicable to the deductibility of donations to approved non-profit organisations were relaxed in respect of donations to the government’s solidarity fund; • from April to July 2020, employers may claim an employment tax incentive in respect of all employees earning less than 6,500 rand per month; • employers do not have to pay skills development levies for the period from May to August 2020, although there was subsequently a request by the Department of Higher Education for this to be a deferral rather than an exemption; • smaller businesses that normally file value added tax (VAT) returns on a bimonthly basis, could submit VAT returns on a monthly basis to accelerate VAT refunds; • various anti tax-avoidance measures, which were announced in February 2020, will be deferred until at least January 2021; and • individuals who receive annuity income from living annuities can generally only increase or decrease their annuity income once a year, on the anniversary date of the annuities; however, these rules were relaxed to allow for increases or decreases from May to August 2020.

Securitisation With regard to securitisation structures in particular, there has been no new legislation or relief programme specifically enacted to address the covid-19 pandemic. However, as the South African economy suffers from the effects of the pandemic, some types of assets underlying South African securitisation structures (ie, auto and equipment lease and debtor books) will similarly be affected. As such, some types of securitisations will suffer some degree of credit weakening. Advisable best practice for clients is to re-examine covenant headroom in the trans action documentation as well as material adverse change provisions.

Alfredo De Lorenzo, Álvaro Muñoz, Carlos Jiménez de Laiglesia, Ignacio González, Juan Sosa and María Tomillo Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES FINANCIAL REGULATION

General innovation climate Regulatory bodies 1 What is the general state of fintech innovation in your 3 Which bodies regulate the provision of fintech products and jurisdiction? services?

The Spanish fintech community is one of the biggest in Europe. In The regulator in charge of supervision of fintech products and services this regard, Spain continues to promote this type of business, and the is the Spanish Securities Market Commission (CNMV) together with the number of companies that use innovation and technology in the financial Bank of Spain and the General Directorate for Insurance and Pension industry increases each year. Recent studies show that 70 per cent of Funds, depending on the type of entity intending to provide services in the total number of fintech companies provide services linked to credit Spain and the exact nature of those services. activities. The number of companies focused on electronic payments is increasing as well as those dedicated to investment solutions. Regulated activities 4 Which activities trigger a licensing requirement in your Government and regulatory support jurisdiction? 2 Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key There are a large number of activities that, when carried out in Spain on benefits of such support? a professional and ongoing basis in respect of specified financial instruments, trigger licensing requirements. These are set out in a number The Spanish Securities Market Commission (CNMV) has set up a of different regulations, including those implementing the second point of contact for business initiatives related to financial innovations Markets in Financial Instruments Directive in Spain as well as legisla- currently available on the online portal of the CNMV (the CNMV Fintech tion that governs activities carried out by financial institutions, such as Portal). This site gives online support to promote fintech initiatives that credit entities. deliver better outcomes for consumers and that improve the efficiency The most common activities that may require a licence with respect and competitiveness of the Spanish financial markets. Through this site, to specified financial instruments include: the CNMV collaborates with fintech businesses and financial institu- • the reception and transmission of orders; tions, providing guidance regarding the interpretation and application of • the execution of orders on behalf of clients; rules and regulations where appropriate. In February 2020, the draft act • portfolio management; that regulates a fintech sandbox in Spain, following the models already • providing investment advice (which requires that specific recom- established in other jurisdictions, was approved. Under this draft act, mendations are made as opposed to providing generic advice only); among others, the following objectives are met: financial sustainability • the underwriting or placing of financial instruments, or both; control and risk minimisation, mitigation and adaptation of the regu- • dealing in investments as the principal or agent; latory burden, creation of an space to boost the development of open • arranging or bringing about deals in investments; and financial innovation and attraction of international investment. The final • making arrangements with a view to transactions in investments. implementation will create opportunities for this country and important advantages to better the position of the Spanish fintech sector. The To carry on any of these activities in relation to specified financial instru- Spanish Association of Fintech and Insurtech actively participated in the ments on a professional and ongoing basis in Spain, the relevant entity or creation of this fintech sandbox. The sandbox is designed to position natural person must obtain the appropriate authorisation or passport. In Spain as a leader in financial innovation. addition to this authorisation, registration is a requirement to operate in Spain. Authorisation is also required to carry out marketing or canvassing of clients on a professional basis, as well as prior or preliminary activities related to investment services and offering of financial instruments. A similar regime applies to the provision of services that are typical activities carried out by credit entities. The Spanish implementing text of the Capital Requirements Directive expressly states that the activity of taking repayable funds from the public (whether in the form of deposits, loans or temporary transfers of financial assets or other analogous

194 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Spain actions) is a licensable activity that can only be carried out by credit CISs are a regulated product in Spain and must be locally regis- entities that are authorised to operate in Spain and duly registered with tered. Management and distribution of CISs (ie, marketing, promotion the Bank of Spain. Taking repayable funds from the public using capital and advertising) may only be carried out by licensed entities in Spain markets through the issuance and placement of instruments with the as these activities trigger licensing requirements. Marketing of CISs is aim of giving credit is a reserved activity. defined as those activities aimed at raising funds from clients by way Notably, the provision of loans does not trigger licensing require- of any advertising activity for their investment into the CIS. Advertising ments, even though it is a typical activity of credit entities. However, activity consists of targeting the public through telephone calls initi- while the activity of extending credit is not a reserved activity, it is ated by the CIS or its management company, home visits, personalised usually connected to other regulated activities that trigger licensing letters, emails or any other electronic media forming part of a dissemi- requirements. nation, promotional or marketing campaign. Regarding payment services, it is prohibited for entities or natural Whether a fintech company falls within the scope of this regulatory persons who are not payment service providers (apart from certain regime will depend on the exact nature of its business and the type of exceptions derived from the second Payment Services Directive (PSD2)) activities being carried out. to provide payment services in Spain on a professional basis. Alternative investment funds Consumer lending 8 Are managers of alternative investment funds regulated? 5 Is consumer lending regulated in your jurisdiction? Managers of alternative investment funds are regulated in Spain Although it has traditionally been an activity carried out in Spain by under the AIFMD, which was implemented in Spain by Act 22/2014, credit institutions and financial credit establishments, in the case of a of 12 November, governing private equity entities, other closed-ended non-financial institution (ie, neither a credit institution nor a financial collective investment undertakings, and the management companies of credit establishment) that is dedicated solely to the activity of granting closed-ended collective investment undertakings, which amended Act consumer loans, this non-credit institution (formed as a company) may 35/2003, of 4 November, on Collective Investment Schemes. carry out this activity without a licence. The number of persons who tend to get credit from non-financial institutions offering personal loans rather Peer-to-peer and marketplace lending than other traditional means (eg, banking credit cards and banking loans) 9 Describe any specific regulation of peer-to-peer or is increasing. marketplace lending in your jurisdiction. The regulatory regime for consumer credit is governed by Act 16/2011, of 24 June, on Credit Agreements for Consumers. This regula- Peer-to-peer lending is considered a crowd-lending activity under tory regime applies to all contracts where entities or natural persons in Spanish legislation and is regulated by Act 5/2015, of 27 April, on the the course of their business activity, profession or craft, grant or promise Promotion of Business Financing. to grant a consumer credit in the form of a deferred payment, loan, opening credit or any other equivalent means of financing, with the aim Crowdfunding of covering personal needs outside of his or her professional or busi- 10 Describe any specific regulation of crowdfunding in your ness activity and amounting to at least €200. This regulation broadly sets jurisdiction. out the requirements that lenders need to comply with in relation to the provision of information, documents and statements, and the detailed Crowdfunding is regulated by Act 5/2015, of 27 April, on the Promotion requirements as to the form and content of the credit agreement itself, of Business Financing. This law affects reward-based crowdfunding, including advertising, information to consumers, content, form of the equity crowdfunding and crowd lending, and governs, among other contracts, cases of null-and-void contracts, right of withdrawal and costs. things, the normal operating model and regime of the platforms, the In addition, Spanish Legislative Decree 1/2007, of 16 November, accreditation of the investor and the limits established for the amount for the Protection of Consumers and Users also applies to consumer of the investment. These limits, which are some of the most restrictive lending. Depending on the circumstances, other Spanish supplementary elements established in the law, include limitations on: regulations may also be relevant. • raising funds for start-ups that amount to €5 million for accredited investors (ie, professional investors) and to €2 million for non- Secondary market loan trading accredited investors; 6 Are there restrictions on trading loans in the secondary • equity crowdfunding projects, which cannot exceed 125 per cent of market in your jurisdiction? the project’s projected target; and • platforms and projects to be invested in by non-accredited inves- Provided that the loan itself is being traded, and not the loan instrument tors, which are capped at €10,000 and €3,000 respectively. (the financial instrument creating or acknowledging indebtedness), there are no restrictions on trading loans in the secondary market. It is expressly established that these types of investments are not covered by the guarantee fund. Collective investment schemes 7 Describe the regulatory regime for collective investment Invoice trading schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your finance products or services would fall within its scope. jurisdiction.

The general regulatory regime for collective investment schemes (CISs) There is no specific regulation of invoice trading in Spain. As a general in Spain consists of the transposition of the Undertakings for Collective rule, there are no restrictions on invoice trading; however, the activities Investment in Transferable Securities Directive and the Alternative and structure of a firm engaged in invoice trading should be analysed Investment Fund Managers Directive (AIFMD), in addition to the regime to determine whether a regulated activity that requires permission or that applies specifically to Spanish CISs. authorisation is taking place. www.lexology.com/gtdt 195 © Law Business Research 2020 Spain Simmons & Simmons LLP

Payment services Robo-advice 12 Are payment services regulated in your jurisdiction? 14 Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated Payment services are regulated by Royal Decree 736/2019, of 20 access to investment products in your jurisdiction. December, on the legal regime on payment services and payment entities, which completes the transposition of PSD2 in Spain, which was There is no specific regulation of robo-advisers or other companies that partially implemented by means of the Royal Decree 19/2018, of 23 provide retail customers with automated access to investment products November, on payment services and other financial measures. in Spain. In terms of licensing requirements, Spanish legislation does Payment services include: not distinguish based on the profiles of targeted investors, whether • services enabling cash to be placed on a payment account, as well professional or retail. Automated access to investment products as all the operations required for operating a payment account; through fintech companies in Spain is only possible if relevant licences • services enabling cash withdrawals from a payment account, as are duly obtained. Fintech companies may provide automated activities well as all the operations required for operating a payment account; related to investment advice (when referred to specific financial instru- • execution of payment transactions; ments taking into account the personal circumstance of the investor) • transfers of funds on a payment account with the user’s payment and portfolio management in Spain, but these activities imply the provi- service provider or with another payment service provider; sion of certain services that trigger licensing requirements. In any • execution of payment transactions where the funds are covered by case, authorisation and registration with the CNMV will be mandatory. a credit line for a payment service user; In Spain, there are a number of entities providing this type of service, • issuing and acquiring of payment instruments; most of them being investment firms exclusively dedicated to providing • money remittance; and investment advice. • execution of payment transactions where the consent of the payer to execute a payment transaction is given by means of any tele- Insurance products communication, digital or IT device, and a payment is made to the 15 Do fintech companies that sell or market insurance products telecommunication, IT system or network operator, acting only in your jurisdiction need to be regulated? as an intermediary between the payment service user and the supplier of the goods and services. Selling or marketing insurance products in Spain is a regulated activity and entities providing this service fall under the relevant Spanish regu- To provide payment services in Spain, a firm must fall within the defini- lation. In this regard, a fintech company must act under the form of tion of a ‘payment service provider’, which includes: a regulated entity (eg, insurance company or insurance intermediary • credit institutions; as broker or agent). The Association of Fintech and Insurtech has • electronic money institutions; published a white paper on fintech regulation in Spain, aimed at creating • the national postal service of Spain; an adequate framework for these types of entities and to encourage • the Bank of Spain; and alternatives to the existing Spanish regulations for financial services • the Spanish general government administration, autonomous providers in Spain, including insurance services providers. In addi- communities and local bodies. tion, there is draft legislation relating to the distribution of insurance products in Spain, which will make significant changes to the insurance A firm that provides payment services in or from Spain as a regular product market sector. occupation or business activity (and is not exempt) must apply for registration as a payment institution. Sanctions may be imposed Credit references on any natural or legal person providing payment services without 16 Are there any restrictions on providing credit references or authorisation. Since December 2019, entities wishing to act as payment credit information services in your jurisdiction? institutions must follow the specific procedure established under the aforementioned Royal Decree 736/2019, of 20 December, and submit The rules on credit ratings laid down in Regulation (EC) 1060/2009 (as a request with the Bank of Spain to obtain relevant authorisation. The amended) apply in Spain. A credit-rating agency is required to adopt, cross-border business of payment institutions will be possible in Spain implement and enforce adequate measures to ensure that its credit as far as relevant passports to set up a local branch or agents have ratings are based on a thorough analysis of all the information that been received by the Bank of Spain from entities located within the is available and that is relevant to its analysis according to its rating territory of the European Union. The provision of services without the methodologies. At present, there are only two credit-rating agencies presence of these entities in Spain will be also available if relevant noti- domiciled in Spain and included in the official register of the CNMV. fications are received by the Bank of Spain. Spanish entities will provide services abroad if the Bank of Spain has received relevant notifications. CROSS-BORDER REGULATION In the case of the provision of activities in or from entities located out of the European Union, express authorisation is needed. In certain cases, Passporting the Bank of Spain may reject this authorisation. 17 Can regulated activities be passported into your jurisdiction?

Open banking An EEA firm may exercise passport rights to provide services in Spain 13 Are there any laws or regulations introduced to promote and may provide services through a local branch, agent or on a cross- competition that require financial institutions to make border basis without presence in the territory. A non-EEA firm or an customer or product data available to third parties? EEA firm that is not undertaking an activity that can be passported into Spain, must establish a local presence, obtain an appropriate licence No. or, in some cases, receive authorisation from the relevant regulator to operate on a cross-border basis

Requirement for a local presence legal provision is complemented by Circular 6/2010, of 28 September, 18 Can fintech companies obtain a licence to provide financial for Credit and Payment Entities, on Advertising of Banking Services services in your jurisdiction without establishing a local and Products. presence? This Circular determines general principles and criteria to be followed when preparing marketing materials and procedures and An EEA firm may exercise passport rights to provide services in Spain. controls that entities must have in place in connection with banking A non-EEA firm or an EEA firm that is not undertaking an activity that services and products. Other rules such as Order EHA/2899/2011, of 28 can be passported into Spain, must establish a local presence, obtain October, on Transparency and Protection of Clients of Banking Services an appropriate licence or, in some cases, receive authorisation from the may also apply. relevant regulator to operate on a cross-border basis. Although this regime is still in place (this regime basically follows ex post control of advertising material), it is clear that a review of this SALES AND MARKETING system is needed to adapt it to digital technology and guarantee compliance. In this regard, on 1 July 2019, a draft of a new Circular of the Bank Restrictions of Spain was published in respect of advertising of banking services 19 What restrictions apply to the sales and marketing of and products, which will give clarity to the advertising of these type financial services and products in your jurisdiction? of services and products and will enhance client protection. This new regulation, if finally enacted, may lead to significant changes in adver- Investments tising as it would be the first time that social networks and audiovisual Although general rules on marketing and advertising shall apply to the media are regulated in Spain. investment business, there are specific regulations covering the sales The CNMV has supervisory functions in respect of the marketing and marketing of investment services and products in Spain. In accord- and advertising of investment services and products. ance with the Spanish Securities Market Act (which transposes the second Markets in Financial Instruments Directive (MiFID II) in Spain), CHANGE OF CONTROL this activity must be only carried out by entities that are authorised or passported to provide the relevant investment service. Notification and consent Although the sales and marketing of financial services is not an 20 Describe any rules relating to notification or consent investment service itself, the activity consisting of marketing as well as requirements if a regulated business changes control. the canvassing of clients triggers licensing requirements in Spain. Advertising and marketing of investment services and prod- There are specific rules relating to change of control of regulated enti- ucts are covered under sectorial regulations, in particular the Order ties. Where a person (whether acting separately or with others) decides EHA/1717/2010, of 11 June, of Regulation and Control of Advertising to acquire, directly or indirectly, shares in a credit institution, insurance of Investment Services and Products covers this type of advertising in company or investment firm that imply acquiring a significant holding Spain and includes a definition of advertising activity. In this regard, or taking control of the entity, the relevant regulators (the Bank of advertising activity includes a communication to the general public Spain, Spanish Securities Market Commission or General Directorate aimed to promote, directly or indirectly through third parties, the for Insurance and Pension Funds) must first be notified and provide contracting of a specific investment service or product (covering finan- their consent. The notification must be accompanied by documents and cial instruments under MiFID), as well as those communications made information that will enable the relevant regulator to analyse the suit- in the course of a public offer with the aim of impacting its result. It is ability of the potential acquirer. Once the relevant regulator expressly expressly contemplated that advertising activity shall exist in respect states that there are no grounds to prevent the acquisition, the acquisi- of communications to the general public on management or marketing tion may take place. of collective investment schemes, private equity schemes or securitisa- A prior request must always be sent to the relevant supervisory tion vehicles, although these communications do not refer to a specific authority and the acquisition may not take place before receiving rele- product. This legal provision determines those procedures and controls vant authorisations. There are specific procedures and standardised that entities must have in place when producing advertising materials forms that must be used in these circumstances. in connection with investment services and products. The content of the advertising material in no case may contradict FINANCIAL CRIME or play down the importance contained in the prospectus and the key investor information document. Advertising materials must be clearly Anti-bribery and anti-money laundering procedures recognisable as such and the promotional character of the message 21 Are fintech companies required by law or regulation to have must be explicit and evident. All information included in the materials procedures to combat bribery or money laundering? must be fair, clear and not misleading, with the ultimate goal of abiding by the general obligation to act in an honest, loyal and professional There is no specific legal or regulatory requirement for fintech manner and in the best interests of clients while rendering invest- companies to have anti-money laundering procedures. The Spanish ment services. Anti-Money Laundering Act applies to a number of regulated entities The Spanish Securities Market Commission (CNMV) has supervi- and persons carrying out certain activities. Compliance with the Anti- sory functions in respect of marketing and advertising of investment Money Laundering Act is compulsory and includes an obligation to have services and products. appropriate policies and procedures in place to combat money laundering and terrorism financing. Banking Spanish legislation does not regulate anti-bribery and corruption In respect of banking activities, Order EHA/1718/2010, of 11 June, on separately. The relevant regulation establishes monitoring mechanisms the Regulation and Control of Advertising of Banking Services and to avoid illicit activity in organisations while also providing a range of Products regulates this type of advertising in Spain. In addition, this sanctions, including the suspension of the activities and the dissolution of the company engaged in illegal activities. Regardless of whether www.lexology.com/gtdt 197 © Law Business Research 2020 Spain Simmons & Simmons LLP

they are regulated, fintech companies should adopt a proactive position Assignment of loans to establish preventive criminal monitoring measures and appropriate 24 What steps are required to perfect an assignment of policies and procedures as a matter of good governance and risk loans originated on a peer-to-peer or marketplace lending management. platform? What are the implications for the purchaser if the Where initial coin offerings (ICOs) fall under the classification of a assignment is not perfected? Is it possible to assign these public offer, procedures to combat bribery or money laundering should loans without informing the borrower? be in place. In May 2018, the EU approved new anti-money laundering legisla- Under Spanish law, the transfer of a loan originated on a peer-to-peer tion targeting anonymity in the cryptocurrency market. (P2P) marketplace lending platform requires only the agreement of the In September 2018, Spanish Royal Decree Act 11/2018 was transferor and the transferee. The loan agreement could impose addi- published to partially implement the EU’s fourth Anti-Money Laundering tional requirements that would then be required for the effectiveness Directive and this new text is now in force, although further regulations of the assignment in relation to the borrower, but this is not customary are still pending approval. except in large loans. The transfer is valid even if no notice is given to the borrower. However, until this notice is given, or the borrower is Guidance aware of the transfer, the transfer is not effective against the borrower 22 Is there regulatory or industry anti-financial crime guidance and he or she may discharge his or her obligations by payment to the for fintech companies? transferor, without any liability to the transferee. In addition, the transfer will not be fully effective against third parties (including the transferor’s There is no anti-financial crime guidance specifically for fintech firms. creditors) unless the transfer agreement is executed and notarised with However, firms that are subject to the Anti-Money Laundering Act for the intervention of a public notary. As a result, transfer agreements are carrying out certain types of activities subject to anti-money laundering usually notarised, and the parties notify the transfer to the borrower as checks should comply with it. In addition, these entities should follow soon as it is effective. the general recommendations for internal monitoring to prevent money Any security interest that secures the loan will transfer auto- laundering and terrorism financing issued by the Spanish Executive matically with the loan and will secure the new creditor. In practice, Service of the Commission for the Prevention of Money Laundering. however, it is necessary to carry out certain additional acts to put the Regulatory and financial crime rules apply as far as the entities security under the name of the new lender. In the case of mortgages, it are subject to these regulations considering the type of activity or the is necessary to register the transfer in the land registry and in the case type of entity (banks, insurance companies, asset managers, investment of pledges over shares, claims or bank accounts, notice should be given firms, etc). In this regard, there is an initiative proposing the creation of to the company, the debtor or the account bank respectively. a specific regulatory framework for the fintech sector. Securitisation risk retention requirements PEER-TO-PEER AND MARKETPLACE LENDING 25 Are securitisation transactions subject to risk retention requirements? Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Application of the EU risk retention rules to securitisations security agreements? Is there a risk that loan agreements of loans originated on a peer-to-peer or marketplace lending or security agreements entered into on a peer-to-peer or platform (P2P securitisations) marketplace lending platform will not be enforceable? The risk retention requirements set out in the sectoral EU legislation will apply to P2P securitisations that are offered to European banks, invest- Spanish law does not generally impose any formal requirements for ment firms, alternative investment funds or insurers. Under the current executing loans. An exception to this is in respect of consumer loans for sectoral EU risk retention rules, certain investors (such as credit insti- which there is a requirement that the agreement has to be drawn up tutions, Markets in Financial Instruments Directive-regulated firms and on paper or another durable medium. Electronically signed documents alternative investment fund managers) will be subject to higher regula- are recognised and are enforceable. The market practice, however, is tory capital charges where they invest in securitisation positions that do that loan agreements are generally made in writing and are notarised not comply with the risk retention rules. Those rules require that either by a Spanish public notary for the lenders to be able to enforce the loan the sponsor, originator or original lender in respect of the securitisa- through certain special summary foreclosure procedures for notarised tion explicitly discloses to the investor that it will retain, on an ongoing agreements. Only loans of small amounts are not executed in this way. basis, a material net economic interest in the securitisation (which in Security agreements, on the other hand, are subject to strict any event is not less than 5 per cent) using one of five prescribed reten- formalities and they will not be enforceable if these formalities are not tion methods. Those methods include (among other things) retention of: met. All security agreements (with the exception of financial collateral • the most subordinated tranche or tranches, so that the retention arrangements) have to be notarised and certain other formalities are equals no less than 5 per cent of the nominal value of the securi- required depending on the type of security. Real estate mortgages have tised exposures; to be registered with the land registry. In the case of ordinary pledges, • 5 per cent of the nominal value of each of the tranches sold to the possession of the charged asset has to be delivered to the creditor investors; or or to someone acting on its behalf. Pledges over shares, claims or bank • randomly selected exposures equivalent to no less than 5 per cent accounts have to be notified to the company, the debtor or the account of the nominal value of the securitised exposures. The definitions bank, respectively. of ‘sponsor’ and ‘originator’ as used in the sectoral EU legislation are set out in the legislation. The term ‘original lender’ is undefined.

The risk retention rules set out in the sectoral EU legislation have been replaced as of 2 January 2019 with the risk retention rules set out in the EU Securitisation Regulation. The retention requirement and the

198 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP Spain methods of retention remain the same under the EU Securitisation want to ensure that there are no restrictions in the loan documents that Regulation. However, there is now a direct requirement on the sponsor, would prevent it from complying with its disclosure obligations under originator and original lender to agree on an entity that will act as reten- Spanish and EU law (such as those set out in the Credit Rating Agency tion holder and to ensure compliance with the retention requirement. Regulation). Again, if these restrictions are included in the underlying In the absence of agreement among the originator, sponsor or original loan documents, the SPV would be required to obtain the relevant lender as to who will be the retention holder, the originator will be borrower’s consent to this disclosure. In addition, if the borrowers the retention holder. Definitions of ‘sponsor’, ‘originator’ and ‘original are individuals, the SPV, its agents and the P2P platform will each be lender’ are set out in the EU Securitisation Regulation. required to comply with the statutory data protection requirements The EU Securitisation Regulation does not explicitly set out the juris- under Spanish law. dictional scope of the ‘direct’ retention obligation, but there is a helpful note in the Explanatory Memorandum to the European Commission’s ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER original proposal for the EU Securitisation Regulation that the intention TECHNOLOGY AND CRYPTO-ASSETS is that the direct approach would not apply to securitisations (including P2P securitisations) where none of the originator, sponsor or original Artificial intelligence lender is ‘established in the EU’. ‘Establishment’ is typically described 27 Are there rules or regulations governing the use of artificial by reference to the jurisdiction in which the legal entity is incorporated intelligence, including in relation to robo-advice? or has its registered office. Therefore, the non-EU subsidiary of an EU entity may not be subject to the direct retention obligation because a The Spanish Securities Market Commission (CNMV) has stated that the subsidiary is typically a separate legal entity, whereas a non-EU branch fact that the investment advice or portfolio management is automated of an EU entity may be caught within this provision because a branch is does not make a difference in the way that the service is regulated and typically not a separate legal entity. Market participants are still seeking that the relevant conduct of business rules, suitability assessments and clarity on this and it is expected that this point will be raised as part other rules apply in the normal way. In this regard, there are no specific of the ongoing European Banking Authority (EBA) consultation on risk rules or regulations governing the use of artificial intelligence. retention. Distributed ledger technology Possible retaining entities in respect of P2P securitisations 28 Are there rules or regulations governing the use of Typically, a P2P lending platform will not qualify as the sponsor, origi- distributed ledger technology or blockchains? nator or original lender of a P2P securitisation, and another entity with the capacity to retain will therefore need to be identified. The range of No. entities with capacity to retain is broader under the EU Securitisation Regulation than under the current EU sectoral legislation and, there- Crypto-assets fore, the ability of an entity to retain will depend on the rules that apply 29 Are there rules or regulations governing the use of crypto- at the time the securitised notes are issued. Any entity that retains in assets, including digital currencies, digital wallets and the capacity of originator is expected to be an entity of substance, and e-money? the EU Securitisation Regulation expressly provides that an entity shall not be considered to be an originator where it has been established Although not a regulation, the CNMV has published a joint warning with or operates for the sole purpose of securitising exposures. The EU the Bank of Spain regarding the risks of investing in cryptocurrencies Securitisation Regulation does not specify in what circumstances an and initial coin offerings (ICOs). entity will be considered to have been established for the sole purpose of securitising exposures but, in December 2017, the EBA published a Digital currency exchanges consultation paper that proposed that an originator will not be consid- 30 Are there rules or regulations governing the operation of ered to have been established with the ‘sole purpose’ of securitising digital currency exchanges or brokerages? exposures if it satisfies certain conditions, including that: • it has a broader business enterprise and strategy; No. • it has sufficient decision makers with the required experience; and • its ability to make payment obligations depends neither on the Initial coin offerings exposures to be securitised nor on any exposures retained for the 31 Are there rules or regulations governing initial coin offerings purposes of the risk retention regulations. (ICOs) or token generation events?

Securitisation confidentiality and data protection requirements Given the complexity of the phenomenon, criteria in this regard 26 Is a special purpose company used to purchase and securitise are subject to review in light of the experience accumulated and the peer-to-peer or marketplace loans subject to a duty of debate that is currently taking place at an international level and, in confidentiality or data protection laws regarding information particular, within the European Securities and Markets Authority. The relating to the borrowers? CNMV and Bank of Spain are jointly working on this topic, setting out criteria applying in relation to ICOs. There is an official document that The entity assigning loans to the special purpose vehicle (SPV) must provides guidance on, mainly, the consideration of tokens as transfer- ensure that there are no confidentiality requirements in the loan docu- able securities, the need and scope of intervention of entities authorised ments that would prevent it from disclosing information about the loans to provide investment services, as well as representation of tokens and and the relevant borrowers to the SPV and the other securitisation the consequence of their trading on trading platforms, and, finally, the parties. If there are these restrictions in the underlying loan documen- requirement for a prospectus. tation, the assignor will require the consent of the relevant borrower to disclose to the SPV and other securitisation parties the information they require before agreeing to the asset sale. In addition, the SPV will www.lexology.com/gtdt 199 © Law Business Research 2020 Spain Simmons & Simmons LLP

DATA PROTECTION AND CYBERSECURITY OUTSOURCING AND CLOUD COMPUTING

Data protection Outsourcing 32 What rules and regulations govern the processing and 34 Are there legal requirements or regulatory guidance with transfer (domestic and cross-border) of data relating to respect to the outsourcing by a financial services company fintech products and services? of a material aspect of its business?

On 25 May 2018, the EU General Data Protection Regulation (GDPR) There are no regulations specific to the outsourcing of IT systems, came into force with direct effect across the entire EU. The GDPR including in relation to cloud computing and the internet of things. governs the storage, viewing, use of, manipulation and other However, depending on the activities contemplated, consideration processing by businesses of data that relates to a living individual. In will need to be given to restrictions on the processing of personal summary, the GDPR requires that businesses only process personal data under the General Data Protection Regulation, aspects of the data where that processing is done in a lawful, fair and transparent Intellectual Property Act approved by Royal Legislative Decree manner, as further described in the GDPR. 1/1996, of 12 April, and parts of the General Telecommunications Act The GDPR requires that any processing of personal data be 9/2014, of 9 May. done pursuant to one of six lawful bases for processing. The most Financial services companies planning to outsource certain commonly used lawful basis for processing is to obtain the consent services or activities may be subject to specific regulations. In general, of the data subject to that processing – in relying on this lawful basis, credit institutions may delegate the provision of certain services and the business must ensure that the consent is freely given, specific, the carrying on of certain functions to a third party provided that: informed and unambiguous, and capable of being withdrawn as easily • there is no resulting void in the credit institution’s functions or as it is given. This places a significant burden on businesses to ensure reduction in its internal control capacities; and that their customers are fully informed as to what their personal data • supervisory authorities can continue to perform their supervisory is being used for, which is a crucial change to the previous regime responsibilities. under which disclosure did not need to be so transparent. Other lawful bases for processing data include where that processing is necessary Importantly, outsourcing does not reduce a credit institution’s liability for the business to perform a contract it has with the data subject, or for its legal obligations. where required to comply with an obligation the business has at law Additional restrictions apply to the delegation by a credit institu- (not a contractual obligation). tion of essential services or essential functions. Generally, a service or The GDPR further differs from the previous regime in that it function is considered essential if it could affect compliance with the places a significantly increased compliance burden on businesses, terms of a credit institution’s authorisation, financial results, solvency including, for example, mandatory requirements to notify regulators or the continuity of banking activity. Financial institutions must notify of data breaches, obligations to keep detailed records on processing any agreements delegating essential services or functions to the and requirements for most entities to appoint a data protection officer. Bank of Spain, the Spanish Securities Market Commission or both one Businesses that infringe the GDPR may be subject to adminis- month in advance. trative fines of an amount up to €20 million or 4 per cent of global Bank of Spain Circular 2/2016 sets out further details regarding turnover, whichever is higher. the extent to which outsourcing is permitted. The Spanish parliament approved the Organic Act 3/2018, of 5 Credit institutions providing investment services must comply December, to implement the measures and sanctions developing the with additional requirements set out in Royal Legislative Decree GDPR. The main topics included in the new law are: 4/2015, of 23 October. • data inspection and the appointment of an agency with responsibility for inspections; Cloud computing • penalties, including some exemptions from fines under the GDPR; 35 Are there legal requirements or regulatory guidance with • proceedings in the case of a breach with different conditions respect to the use of cloud computing in the financial depending on whether the breach is solely within Spain or services industry? whether other jurisdictions are involved; and • setting new digital rights as net neutrality, universal access to Not at the national level. the internet, rights to security and digital education, right of The EU Agency for Network and Information Security (ENISA) digital disconnection, digital last will, portability and right to be guidance entitled ‘Secure Use of Cloud Computing in the Finance forgotten. Sector’ contains analysis of the security of cloud computing systems in the finance sector and provides recommendations. Cooperation Likewise, Organic Act 3/2018, of 5 December, also covers the rights of between financial institutions, national financial supervisory authori- freedom of speech on the internet and the right to reply or clarify in ties and cloud service providers is encouraged. ENISA advocates a relation to online news. risk-based approach to developing cloud computing systems in the Oversight of compliance with the GDPR and related legislation is finance sector. carried out by the Spanish Data Protection Agency. INTELLECTUAL PROPERTY RIGHTS Cybersecurity 33 What cybersecurity regulations or standards apply to IP protection for software fintech businesses? 36 Which intellectual property rights are available to protect software, and how do you obtain those rights? There are no local rules on cybersecurity for fintech companies, although Directive (EU) 2016/1148 on cybersecurity has been trans- Computer programs are protected by copyright as literary works. posed by means of Royal Decree Act 12/2018, of 7 September. Registration is recommended.

IP developed by employees and contractors TAX 37 Who owns new intellectual property developed by an employee during the course of employment? Do the same Incentives rules apply to new intellectual property developed by 43 Are there any tax incentives available for fintech companies contractors or consultants? and investors to encourage innovation and investment in the fintech sector in your jurisdiction? Copyright and database rights created by an employee in the course of his or her employment are owned by the employer. Contractors or No specific tax incentives are available for fintech companies. General consultants are also governed by the same disposition. R&D tax credits are available, amounting to 25 per cent (up to 42 per cent under certain scenarios) for expenses incurred for R&D activities. Joint ownership Further tax credits available for R&D staff expenses (17 per cent), tech- 38 Are there any restrictions on a joint owner of intellectual nological innovation (12 per cent) and R&D fixed assets and properties property’s right to use, license, charge or assign its right in (8 per cent). For R&D, outsourcing is permitted (only with EU companies) intellectual property? as long as the economic risk of the innovation project can be supported.

Spanish law differentiates between works made in a collaborative way Increased tax burden and collective works. The first is made by the collaboration of different 44 Are there any new or proposed tax laws or guidance that authors and its division must be agreed by all the authors, although no could significantly increase tax or administrative costs for author can unreasonably hold his or her consent for any exploitation fintech companies in your jurisdiction? once division has been agreed. Each author is able to exploit his or her part of the work unless it prejudices the common work. The collective Yes; the new government proposed in the last budget bill some tax work is made by different authors but under the initiative and coordina- measures that were not finally approved. However, it is expected that in tion of another person, who has the rights over it. the coming year these measures will be introduced. Among others we can highlight the following. Trade secrets 39 How are trade secrets protected? Are trade secrets kept Digital services tax confidential during court proceedings? A digital services tax was pre-drafted as an indirect tax assessed on a quarterly basis. The taxable event would be the provision of certain Confidentiality is mainly protected under the agreements or contracts digital services in Spain such as the sale of online advertising space, that pertain to it, although its breach can be construed in certain cases online intermediary services and the transfer of user-related data as a criminal offence. The Trade Secrets Directive has been implemented gathered from digital platforms. The tax rate would be 3 per cent of in Spain by means of Act 1/2019, of 20 February, on trade secrets. gross revenue.

Branding Financial transaction tax 40 What intellectual property rights are available to protect The Spanish government decided to unilaterally propose a local finan- branding and how do you obtain those rights? How can fintech cial transaction tax (FTT) given the lack of real progress of the enhanced businesses ensure they do not infringe existing brands? cooperation procedure for the adoption of an FTT. It was pre-drafted as an indirect tax. The taxable events for the financial transactions Brands can be protected as registered trademarks either in Spain alone tax would be: (as a Spanish trademark) or across the EU (as an EU trademark). Certain 1 the acquisition of qualifying shares of Spanish companies (ie, branding, such as logos and stylised marks, can also be protected by shares listed on a regulated Spanish or EU stock exchange with design rights and may also be protected by copyright as artistic works. a market capitalisation as at 1 December of the year before the The Spanish Patent and Trademark Office has a database that can acquisition exceeding €1 billion); be searched to identify which trademarks are already registered. In 2 the acquisition of securities corresponding to depositary receipts addition, the EU trademark database can be searched to identify regis- representing qualifying shares; and tered or applied-for trademark rights with effect in Spain. 3 the acquisition of qualifying shares or securities (as provided in (1) or (2) above) derived from the execution or settlement of convert- Remedies for infringement of IP ible or exchangeable notes or bonds, financial derivatives, any 41 What remedies are available to individuals or companies financial instruments or certain financial agreements. whose intellectual property rights have been infringed? The tax basis would be defined as the consideration for acquisitions The main remedy is legal action with interim measures or preliminary subject to the tax. The tax rate would be 0.2 per cent. measures. Both measures can be taken before filing a legal action, but this has to be filed within a certain period of time to keep the protection Modification of participation exemption regime granted by them. There are no injunctions in Spanish law. Currently, corporate income tax law provides for a full participation exemption for domestic and foreign dividends and capital gains derived COMPETITION by Spanish corporations, provided certain holding requirements are met. The participation exemption regime would be revised so that only Sector-specific issues 95 per cent of the relevant income is exempt. 42 Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

IMMIGRATION

EEA nationals do not require a work or residence permit. Alfredo de Lorenzo [email protected] Non-EEA nationals must obtain work and residence permits to live and work in Spain. A range of licences can be issued by employers, each Álvaro Muñoz licence has its own specific requirements. [email protected] As a general rule, for the technology and financial sectors, the Carlos Jiménez de Laiglesia quickest and easiest way to recruit skilled staff from abroad is through [email protected] the highly qualified foreign professionals (HQP) permit. This type of Ignacio González permit is for professionals who are graduates or postgraduates of [email protected] universities and prestigious business schools who will be employed in Spain and whose fixed annual salary will be set at least at €45,000. The Juan Sosa HQP permit has a streamlined process: according to the law, an applica- [email protected] tion for a residence permit must be resolved by the Spanish authorities María Tomillo within a maximum of 20 working days from when it was duly registered, [email protected] attaching all necessary documents. Once the permit has been granted, the candidate will need to request a visa at the Spanish consulate of the Calle Miguel Ángel 11 candidate’s country of residence. 5th floor 28010 Madrid UPDATE AND TRENDS Spain Tel: +34 91 426 2640 Current developments Fax: +34 91 578 2157 46 Are there any other current developments or emerging www.simmons-simmons.com trends to note?

There are no relevant developments to note currently. From time to time, the Spanish Securities Market Commission updates a question- and-answer document answering the most relevant questions raised by the industry in Spain.

In view of the covid-19 pandemic, from 14 March 2020 (the date of the declaration of the state of alarm in Spain), the Spanish government and the majority of regional and local authorities approved several sets of legal measures to mitigate the adverse effects that this situation is having on the Spanish economy. Emergency legislation and relief programmes have been published that impact the financial sector; however, no specific measures have been put in place for the fintech sector. In addition, fintech associations at a global level are working together to propose a series of measures in the regulatory, legislative and political environment to improve the ability of clients to access financial digital services and improve the financing of fintech companies. The objective is to offer solutions in view of covid-19 to boost the digital market and harmonise the legislative measures, creating a unique market for digital financial services. The main purpose of these proposed measures, and, specifically, financing solutions, is to protect fintech companies from collapse as they may greatly help the economy to recover.

Emma Stuart-Beck, Caroline Krassén, Anton Sjökvist, Mikaela Lang, Henrik Schön, Trine Osen Bergqvist, Nicklas Thorgerzon, Karl-Hugo Engdahl, Maria Schultzberg, Viveka Classon and Malin Malm Waerme Vinge

FINTECH LANDSCAPE AND INITIATIVES All marketing activities that have the purpose of furthering the sale of any product in Sweden, including fintech products of various General innovation climate nature, are subject to the Swedish Marketing Practices Act (2008:486 1 What is the general state of fintech innovation in your (MPA)), which requires, for example, that marketing is carried out in jurisdiction? accordance with generally accepted marketing practices. The Swedish Consumer Agency, which includes the Consumer Ombudsman, is the During its long history of fintech innovation, Sweden has produced primary authority responsible for ensuring that marketing material is companies such as Klarna, iZettle, Trustly, Lendify, BehavioSec and compliant with the MPA. Safello, just to name a few. Innovation is diverse, and fintech products span areas such as banking services, payment and payment settle- Regulated activities ment services, lending, biometrics and cryptocurrency. The Swedish 4 Which activities trigger a licensing requirement in your fintech industry is still growing rapidly, and multiple fintech companies jurisdiction? have emerged in, inter alia, the Swedish housing credit market. This phenomenon may indicate a structural change for housing loan origi- The following activities trigger a licensing requirement: nation in Sweden and a reduced market share for Sweden’s largest • consumer lending; banks. However, the Swedish Financial Supervisory Authority (SFSA) • mortgage lending; has indicated plans to introduce additional regulations in this area, and • consumer credit mediation; the longevity of the new market actors remains to be seen. • lending in combination with accepting repayable funds from the public; Government and regulatory support • factoring and invoice discounting (when combined with accepting 2 Do government bodies or regulators provide any support repayable funds from the public); specific to financial innovation? If so, what are the key • deposit taking (for deposits over 50,000 kronor); benefits of such support? • management of alternative investment funds (AIFs) or undertakings for collective investment in transferable securities (UCITS); The Minister for Financial Markets has expressed interest in setting up • foreign exchange trading; regulatory sandboxes where fintech start-ups may develop in an unreg- • insurance mediation; ulated environment or only comply with a regulation-light regime, but • provision of payment services; and the SFSA disagreed in a report published on 1 December 2017. In the • activities under the Capital Requirements Regulation No. 575/2013 same report, the SFSA proposed the introduction of the SFSA Innovation (the Capital Requirements Regulation). Centre. The Innovation Centre was opened on 16 March 2018 and serves to act as a point of contact for fintech companies and to facilitate a A licence is, furthermore, required for offering the services and products dialogue with the SFSA. Furthermore, the Innovation Centre is intended covered by the Markets in Financial Instruments Directive 2014/65/EU to provide guidance on applicable regulations for new financial services (MiFID II), such as the reception and transmission of orders in relation products and fintech start-ups. to one or more financial instruments, the execution of orders on behalf of clients, dealing on own account, portfolio management, advising on FINANCIAL REGULATION investments in financial instruments, underwriting of financial instruments or placing of financial instruments on a firm commitment basis, Regulatory bodies and placing of financial instruments without a firm commitment basis. 3 Which bodies regulate the provision of fintech products and The following activities trigger a registration requirement: services? • currency exchange; • management or trading in virtual currencies; The Swedish Financial Supervisory Authority (SFSA) generally acts as • deposit taking (for deposits up to 50,000 kronor); and the competent regulator responsible for ongoing supervision of fintech • lending and credit mediation to non-consumers (if not combined products and services and for the issuance of supplementary regula- with deposit taking). tions and formal guidance. The SFSA is responsible for ensuring that the business of (regulated) fintech companies is carried out in accordance with applicable laws and regulations. www.lexology.com/gtdt 203 © Law Business Research 2020 Sweden Vinge

Consumer lending neutral and factual as possible and may not be intrusive (by way of, 5 Is consumer lending regulated in your jurisdiction? for example, targeting certain types of possible consumers via digital means). The marketing should also be balanced in the sense that certain Yes, consumer lending is regulated through, inter alia, the Swedish terms of the credit should not be disproportionately highlighted, thereby Consumer Credit Act (2010:1846), which includes relevant provisions reducing the consumer’s ability to make a well-founded decision. relating to, among other things, sound lending practices, marketing of consumer loans, credit assessments, information prior to the conclu- Secondary market loan trading sion of and in relation to documentation of loan agreements, interest, 6 Are there restrictions on trading loans in the secondary fees and repayment of loans. market in your jurisdiction? To offer or provide consumer loans, the relevant company is required to be authorised by the SFSA under, for example, the There are no particular restrictions on trading loans in the secondary Swedish Consumer Credit (Certain Operations) Act (2014:275 (CCCOA)) market in Sweden. (should the company solely provide or act as intermediary in relation to consumer loans), the Swedish Banking and Financing Business Collective investment schemes Act (2004:297) (should the company instead, given the operations 7 Describe the regulatory regime for collective investment carried out, be considered a credit institution (as defined in the Capital schemes and whether fintech companies providing Requirements Regulation)) or the Swedish Housing Credit Operations alternative finance products or services would fall within its Act (2016:2014 (HCOA)) (should the company solely provide, act as an scope. intermediary in relation to or provide advice regarding consumer loans in the form of mortgages). Collective investment undertakings are regulated through the Swedish Since 1 September 2018, new rules regarding high-cost credits UCITS Act (2004:46), stipulating that the management of a Swedish apply, defined as credits granted to consumers that have an interest UCITS, the sale and redemption of units in the fund and administra- rate of 30 percentage points above the reference rate according to the tive measures relating thereto may only be conducted following Swedish Interest Act (1975:635), as determined by the Swedish Central authorisation from the SFSA (with foreign EEA management companies Bank, and that do not primarily relate to a credit purchase or residential authorised in their respective home state being able to rely on pass- immovable property. porting regulations to carry out operations in Sweden). Pursuant to the new rules, certain caps have been introduced Fintech companies would generally not fall within the scope of the whereby: (1) the maximum amount of interest, as well as any default above-mentioned regulatory regime. interest, that may be charged under a credit agreement may not exceed 40 percentage points above the aforementioned reference rate; and (2) Alternative investment funds the maximum amount of fees under a credit agreement may not exceed 8 Are managers of alternative investment funds regulated? the credit amount. For the purposes of (2), fees are defined as costs for the credit Yes, managers of AIFs (AIFMs) are regulated through the Swedish (comprising the aggregate amount of interest rate, credit fees and other Alternative Investment Fund Managers Act (2013:561 (AIFMA)), imple- costs that the consumer is obliged to pay under the loan, inclusive of menting the Alternative Investment Fund Managers Directive 2011/61/ necessary costs for valuation but excluding notarisation fees), default EU (AIFMD). Small AIFMs (ie, AIFMs managing AIFs below the thresh- interest and costs pursuant to the Swedish Compensation for Collection olds specified in article 3(2) of the AIFMD) may be exempted from the Costs Act (1981:739), comprising costs that the creditor has incurred for licensing requirements but must register with the SFSA and may not measures taken for the purposes of obtaining payment including, for passport the registration into any other EU member state. example, payment reminders and collection demands. Similar to the case in relation to UCITS, fintech companies would The marketing of consumer credits has previously been subject generally not fall within the scope of the AIFMA. to certain requirements regarding moderation and restraint. The new rules also include an explicit requirement for all such marketing to be Peer-to-peer and marketplace lending moderate. The new requirement is applicable to all types of consumer 9 Describe any specific regulation of peer-to-peer or credits and, thus, not solely to high-cost credits (as defined above). marketplace lending in your jurisdiction. It is not entirely clear what the meaning of moderation entails, and it remains to be seen how this requirement will be applied by Swedish Companies facilitating peer-to-peer or marketplace lending, comprising courts and authorities in practice. loan intermediation or brokering, are regulated by and require authori- The authorities have paid more attention to the moderation sation pursuant to the CCCOA (if the borrowers are consumers) or the requirement recently, and it is clear that a comprehensive assessment HCOA (if the borrowers are consumers and the loans relate to purchases of all relevant circumstances will be made. In particular, the authorities of residential immovable property). Both the CCCOA and the HCOA and courts will assess: contains regulations on, for example, anti-money laundering measures, • whether the credit is presented in a way that misleads the sound practices for loan intermediation operations, and ownership and consumer about the financial consequences of the credit or brings management assessments. the consumer to make an unfounded decision to enter into a credit Business operators providing those services to borrowers that are agreement; not consumers are required to register its operations with the SFSA • whether the credit is presented as a carefree solution to the (by way of notification to the SFSA) in accordance with the Swedish consumer’s financial problems; and Certain Financial Operations (Reporting Duty) Act (1996:1006) and • whether the credit is neutral in a way that enables the consumer to comply with provisions relating to, for example, anti-money laundering, decide whether the credit is favourable or not. as well as undergo ownership and management assessments. Should the relevant company also be responsible for the transactions of funds Pursuant to the Swedish government preparatory works implementing between lenders and borrowers (including keeping funds on a client the above changes, it is stipulated that the marketing should be as account, or similar), the operations would instead fall under and require

204 Fintech 2021 © Law Business Research 2020 Vinge Sweden authorisation pursuant to the Swedish Payment Services Act (2010:751 Payment services (PSA)), which imposes additional requirements relating to, for example, 12 Are payment services regulated in your jurisdiction? own funds and information and technical processes relating to the execution of payment transactions. Yes. Payment services are regulated under the Second Payment Services Directive (EU) 2015/2366 (PSD2), which has been imple- Crowdfunding mented into Swedish law through the PSA. Money remittance, execution 10 Describe any specific regulation of crowdfunding in your of payment transactions, acquisition of payment instruments, payment jurisdiction. initiation and account information services are among the services currently regulated under the PSA. There is currently no specific regulation of crowdfunding under Swedish law. Certain crowdfunding schemes may, however, fall within the scope Open banking of the general financial services framework. In the case of equity-based 13 Are there any laws or regulations introduced to promote crowdfunding, the Swedish Companies Act (2005:551) prohibits a private competition that require financial institutions to make company or a shareholder thereof from attempting to sell shares or customer or product data available to third parties? subscription rights in the company or debentures or warrants issued by the company to the public. The obligation for financial institutions to make customer or product In July 2016, the Swedish government appointed a special data available to third parties under PSD2 has been implemented committee to analyse the need for further regulations with regard to, and without change in Sweden. to improve the legal and regulatory opportunities for, peer-to-peer and grassroots financing in Sweden. A legislative proposal was published Robo-advice in February 2018 that proposes the introduction of a new Swedish 14 Describe any specific regulation of robo-advisers or other Financing Mediation Act (SFA). The proposed SFA includes licensing companies that provide retail customers with automated requirements for the activities that fall within the scope of the SFA and access to investment products in your jurisdiction. provisions on operational requirements, supervision and sanctions. The SFSA would be the authority responsible for licensing, registration and There is no specific regulation of automated investment advice in supervision, and companies authorised under the proposed SFA would Sweden. The SFSA defines automated investment advice as personal be subject to the provisions of the Money Laundering and Terrorist advice regarding financial instruments that is provided without, or with Financing Prevention Act (2017:630), implementing the Fourth Anti- limited, human interaction. In Sweden, automated investment advice Money Laundering Directive 2015/849/EU, as amended. The proposed (eg, robo-advice) constitutes regulated investment advice under the SFA would apply to business activities where the purpose is to – in Swedish Securities Markets Act (2007:528), implementing MiFID II, and exchange for payment – bring together natural or legal persons who is consequently subject to all the substantive provisions of the Swedish intend to acquire financing from other natural or legal persons, where MiFID II implementation, including the SFSA’s regulations regarding the financing is in the form of: investment services and activities (2017:2). • loan-based crowdfunding (credit granted by companies in exchange for payment, where the creditor is not licensed by the SFSA to Insurance products conduct lending or loan mediation); 15 Do fintech companies that sell or market insurance products • share-based crowdfunding (financing through the transfer of debt in your jurisdiction need to be regulated? or ownership rights in the legal person seeking financing); • reward-based crowdfunding (financing through the offer to provide Yes, if the selling and marketing is classified as ‘insurance distribu- a service or commodity by the person seeking financing); or tion’. Insurance distribution is regulated under the Swedish Insurance • donation-based crowdfunding (financing without an obliga- Distribution Act (2018:1219 (IDA)) implementing Directive (EU) 2016/97 tion for the person seeking financing to provide any payment or on Insurance Distribution (IDD). The IDA entered into force in Sweden on performance). 1 October 2018. The IDD is a minimum harmonisation directive, enabling member states to impose stricter regulation. The IDA includes the same Licensing will mainly be required for share-based and loan-based definition of ‘insurance distribution’ and the same exemptions from crowdfunding. Companies that receive authorisation to mediate share- regulation as the IDD. Sweden has, however, imposed stricter regula- based or loan-based crowdfunding will be referred to as licensed capital tions regarding third-party remunerations, conditions for providing mediators. The proposal has, however, not yet been adopted into law. advice on a fair and personal analysis, certain marketing prohibitions and information to a customer on remuneration. The stricter regulatory Invoice trading framework introduced by the IDD regarding insurance-based invest- 11 Describe any specific regulation of invoice trading in your ment products also applies to the distribution of pension insurance that jurisdiction. is exposed to market volatility.

In accordance with the Certain Financial Operations (Reporting Duty) Credit references Act, a company participating in financing, for example, by acquiring 16 Are there any restrictions on providing credit references or claims (invoice trading), is required to register its operations with the credit information services in your jurisdiction? SFSA (by way of notification to the SFSA), and it is further obliged to comply with provisions relating to, for example, anti-money laundering, Yes. Credit references and credit information services are regulated and to undergo ownership and management assessments. under the Swedish Credit Information Act (1973:1173) and the Swedish Credit Information Regulation (1981:955). A licence from the Swedish Data Protection Authority is required when carrying out credit-rating operations in Sweden.

CROSS-BORDER REGULATION In addition, marketing of funds is further specifically regulated through the Swedish Investment Fund Association’s guidelines, which – albeit Passporting not being hard law – are considered as codifying good marketing prac- 17 Can regulated activities be passported into your jurisdiction? tice in Sweden in respect of the marketing of undertakings for collective investment in transferable securities. Yes. An undertaking that has been authorised in its home EU member state may, as a general rule, passport such authorisation into Sweden, CHANGE OF CONTROL where the Swedish legislation is based on EU law. Notification and consent Requirement for a local presence 20 Describe any rules relating to notification or consent 18 Can fintech companies obtain a licence to provide financial requirements if a regulated business changes control. services in your jurisdiction without establishing a local presence? Consent from the Swedish Financial Supervisory Authority (SFSA) is required where a legal or natural person intends to directly or indirectly An undertaking that has been authorised in its home EU member state acquire a qualified holding in a regulated business. may, as a general rule, passport such authorisation into Sweden, where The holding is considered qualified when the acquirer directly or the Swedish legislation is based on EU law. However, in relation to indirectly receives 10 per cent or more of the votes or shares, or other- activities that fall under the Consumer Credit (Certain Operations) Act, a wise is enabled to exercise significant influence over the management Swedish licence is required (ie, passporting is not available). of the regulated business. Additional consent is required if the ownership amounts to or exceeds 20, 30 or 50 per cent of the votes or shares. SALES AND MARKETING The consent requirement, generally referred to as an ‘ownership assessment’, means that the SFSA will examine all qualified owners in Restrictions the envisaged ownership chain. The process is rather extensive, and 19 What restrictions apply to the sales and marketing of the exercise involves collating and producing a substantial amount financial services and products in your jurisdiction? of information (including documentation that supports the financing of the transaction). Each person included in the management body Marketing of financial services falls under the Marketing Practices (comprising board members, the CEO and the deputies thereof) of an Act (2008:486 (MPA)), which applies to all marketing activities that entity subject to assessment must complete and sign an application, have the purpose of furthering the sale of any product or service in including responding to questions regarding, for example, previous Sweden, including, for example, the distribution of brochures and other criminal proceedings. marketing materials and electronic marketing activities (if primarily SFSA consent must be obtained prior to the transaction. The SFSA directed to Swedish entities or individuals). The MPA provides that all has an expected processing period of the applications of 60 business marketing must be consistent with good marketing practice and be fair days, with a possible extension of 20 business days if the SFSA requests and reasonable towards the person to whom or which it is directed. additional information during the assessment process. Good marketing practice is defined in the MPA as generally accepted business practices or other established norms aimed at protecting FINANCIAL CRIME consumers and traders in the marketing of products. Thus, all marketing must be designed and presented in such a way as to make it apparent that Anti-bribery and anti-money laundering procedures it constitutes marketing and the party responsible for the marketing shall 21 Are fintech companies required by law or regulation to have be clearly indicated. Statements or other descriptions that are or may be procedures to combat bribery or money laundering? misleading may not be used. Marketing that contravenes good marketing practice is regarded as unfair if it appreciably affects or probably affects Companies licensed by or registered with the Swedish Financial the recipient’s ability to make a well-founded transaction decision. Supervisory Authority (SFSA) and a significant number of companies In relation to financial services, and to comply with ‘good marketing and other professionals outside the financial sector are obliged to practice’ for the purposes of the MPA, among other things: prevent money laundering and financing of terrorism by complying • placements of capital or returns should not be described in terms with the Money Laundering and Terrorist Financing Prevention Act and such as ‘safe’, ‘guaranteed’ or similar value judgements if it cannot subsequent regulations. Pursuant to the anti-money laundering (AML) be verified that it is guaranteed that an investor’s capital will be regulations, companies are required to adopt internal AML procedures. repaid or that a given return will be earned; Companies launching initial coin offerings would be subject to these • the return earned during a particular successful period on an requirements to the extent their operations would be covered by any of investment product should not be highlighted in a way that gives the relevant rules under, for example, the Certain Financial Operations a distorted overall impression of the performance of the invest- (Reporting Duty) Act and the Securities Markets Act. ment product; The SFSA is tasked with ensuring that the financial companies • words such as ‘secure’ and similar value judgements should not adhere to the AML regulations. The County Administrative Board super- be used for marketing purposes if they are not placed in a rele- vises companies and professionals outside the financial sector. vant context; Bribery is criminalised under the Swedish Penal Code (1962:700), • unconditional words expressing value, such as ‘best’, ‘biggest’ and which is applicable to all types of Swedish companies. Most financial ‘leading’, should not be used if the claim is not capable of verifi- companies are required to adopt ethical guidelines setting out, inter alia, cation; and the company’s procedures to combat bribery. • if an investment product involves risk, it should always be made clear when marketing the product that an investment in the product involves risk.

Guidance Provided that the company processes personal data as part of its 22 Is there regulatory or industry anti-financial crime guidance operations, it would further, in respect of borrowers’ personal data, be for fintech companies? subject to the EU General Data Protection Regulation and Swedish data protection laws. Yes. The SFSA has adopted regulations and guidelines in respect of AML, setting out the detailed provisions applicable for relevant companies. ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER TECHNOLOGY AND CRYPTO-ASSETS PEER-TO-PEER AND MARKETPLACE LENDING Artificial intelligence Execution and enforceability of loan agreements 27 Are there rules or regulations governing the use of artificial 23 What are the requirements for executing loan agreements or intelligence, including in relation to robo-advice? security agreements? Is there a risk that loan agreements or security agreements entered into on a peer-to-peer or There is no specific regulation of automated investment advice in Sweden. marketplace lending platform will not be enforceable? The Swedish Financial Supervisory Authority (SFSA) defines automated investment advice as personal advice regarding financial instruments Loan origination is regulated under the Banking and Financing Business that is provided without, or with limited, human interaction. In Sweden, Act as well as in subsequent regulations and guidelines issued by the automated investment advice (eg, robo-advice) constitutes regulated Swedish Financial Supervisory Authority (SFSA) and the Swedish investment advice under the Securities Markets Act (SMA), implementing Consumer Agency (SCA). The SFSA and the SCA have recently raised the EU Markets in Financial Instruments Directive (MiFID II), and is conse- demands on lenders’ investigation of creditworthines s prior to entering quently subject to all the substantive provisions of the Swedish MiFID II into loan agreements with consumers. Furthermore, the loan agree- implementation, including the SFSA’s regulations regarding investment ments are subject to the Consumer Credit Act. services and activities (2017:2). If the use of artificial intelligence would The risk that loan agreements entered into on a peer-to-peer or include decisions based solely on automated processing of personal marketplace lending platform would not be enforceable under Swedish data, including profiling, this would be subject to the requirements in law is minimal. article 22 of the EU General Data Protection Regulation (GDPR).

Assignment of loans Distributed ledger technology 24 What steps are required to perfect an assignment of 28 Are there rules or regulations governing the use of loans originated on a peer-to-peer or marketplace lending distributed ledger technology or blockchains? platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these There are no rules or guidelines specifically addressing the use of loans without informing the borrower? distributed ledger technology, but general rules and regulations, such as anti-money laundering regulations and consumer protection, where Perfection of an assignment against third parties depends on whether applicable, must be complied with. The SFSA has, in a report from March the loan is represented by a negotiable (physical) promissory note or 2016, identified distributed ledger or blockchain technology as an area a non-negotiable promissory note. In the former scenario, the prom- of interest for the supervisor and where it is expected that rules and issory note must be transferred to the assignee, whereas in relation regulations need to be adopted in the future. If the distributed ledger to non-negotiable promissory notes, the borrower must be notified of technology or blockchains include personal data, general requirements the assignment so that the debtor can solely make its payments to the under the GDPR and Swedish data protection laws will be applicable. assignee with discharging effect. In the event the assignment is not perfected, the loan would be Crypto-assets included in the bankruptcy estate of the assignor, in relation to which 29 Are there rules or regulations governing the use of crypto- the assignee would only have a non-secured claim. assets, including digital currencies, digital wallets and e-money? Securitisation risk retention requirements 25 Are securitisation transactions subject to risk retention Digital currencies, digital wallets and e-money are regulated under requirements? the Payment Services Act, the Swedish Electronic Money Act (2011:755 (EMA)), the SFSA’s regulations regarding institutions for electronic Loans originated on a peer-to-peer lending platform may only be trans- money and registered issuers (2011:49), the SFSA’s regulations and ferred without informing the borrower where the loan is represented by general guidelines regarding institutions for electronic money and regis- a negotiable promissory note. tered issuers (2010:3) and the Swedish Certain Financial Operations (Reporting Duty) Act for cryptocurrencies. Securitisation confidentiality and data protection requirements 26 Is a special purpose company used to purchase and securitise Digital currency exchanges peer-to-peer or marketplace loans subject to a duty of 30 Are there rules or regulations governing the operation of confidentiality or data protection laws regarding information digital currency exchanges or brokerages? relating to the borrowers? Although digital currencies, as a rule of thumb, do not constitute financial Yes. Provided that the company’s operations comprise providing credit instruments subject to the provisions of trading venues and brokerages to consumers (by way of purchasing loans), the company would gener- under the SMA implementing MiFID II in Sweden, an operator of a digital ally have to be authorised by the SFSA, in accordance with, for example, currency exchange or brokerage may be subject to the provisions of the the Consumer Credit (Certain Operations) Act, which would entail that a Certain Financial Operations (Reporting Duty) Act to the extent their oper- duty of confidentiality (similar to bank secrecy) would be imposed. ations would constitute management or trading in virtual currencies. www.lexology.com/gtdt 207 © Law Business Research 2020 Sweden Vinge

Initial coin offerings Cybersecurity 31 Are there rules or regulations governing initial coin offerings 33 What cybersecurity regulations or standards apply to fintech (ICOs) or token generation events? businesses?

Business operators conducting ICOs would be subject to the provisions Under the GDPR, controllers must have ‘appropriate technical and of the Certain Financial Operations (Reporting Duty) Act to the extent organisational measures’ in place to ensure a level of security appro- their operations constitute management or trading in virtual currencies. priate to the risk. There is, therefore, no prescribed level of security, but Moreover, should the coins or tokens qualify as financial instruments an analysis must be carried out to ascertain what level of security is under the SMA, the issuers may become subject to, inter alia, the SMA, appropriate to the type of processing of personal data being carried out. the Alternative Investment Fund Managers Act, the Swedish imple- The EU Directive on security of network and information systems mentation of the Prospectus Directive (2003/71/EC) and the Money (the NIS Directive) has been implemented into Swedish law (2018:1174) Laundering and Terrorist Financing Prevention Act. and supplemented by a regulation (2018:1175). These Acts impose cybersecurity requirements for digital services providers and opera- DATA PROTECTION AND CYBERSECURITY tors of essential services. Companies in the financial industry that are deemed as operators of essential services within the banking or finan- Data protection cial market infrastructure are covered by the Acts and are, therefore, 32 What rules and regulations govern the processing and obliged, among other things, to: transfer (domestic and cross-border) of data relating to • notify the Swedish Financial Supervisory Authority immediately; fintech products and services? • demonstrate a systematic and risk-based approach to matters regarding information security, and The EU General Data Protection Regulation (GDPR) and the Swedish Act • report incidents to the Swedish Civil Contingencies Agency. on Supplementary Provisions to the GDPR (2018:218) generally apply to the processing of personal data by data controllers established in OUTSOURCING AND CLOUD COMPUTING Sweden. The main requirements relating to the processing of personal data include the following. Outsourcing • Personal data may only be processed (ie, collected, used and 34 Are there legal requirements or regulatory guidance with stored) if there are legal grounds (ie, consent) for the processing. respect to the outsourcing by a financial services company of However, there are several exemptions from the requirement of a material aspect of its business? consent (eg, where the processing is necessary to fulfil a contract or a legal obligation or is necessary to pursue a legitimate interest There are multiple legal and regulatory requirements in respect of of the data controller, unless this interest is overridden by the outsourcing by financial services companies, including, inter alia, the interest of the registered person to be protected against undue Banking and Financing Business Act, the Consumer Credit (Certain infringement of privacy). Operations) Act, the Securities Markets Act, the Electronic Money Act, • Certain fundamental requirements must be met (eg, personal the Payment Services Act, the regulations of the Swedish Financial data must be adequate, relevant and non-excessive in relation to Supervisory Authority (SFSA) (2010:3) and (2011:49), detailed provisions the purpose of the processing and must not be kept longer than set out in the Markets in Financial Instruments Directive Commission necessary). Delegated Regulation 600/2014/EU and the European Banking Authority • Data subjects must, as a general rule, be informed of the processing (EBA) Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), as of their personal data, and data subjects have certain rights (eg, well as questions and answers provided by the SFSA on the application right of access, rectification, erasure and data portability). of the EBA Guidelines. • Processing of sensitive personal data and criminal offence data The provisions are subject to some variation, but in general impose may only be performed in limited circumstances. In general, that financial services companies are required to exercise the requisite consent from the person concerned is required for sensitive data. skill, care and diligence when entering into, managing and terminating As a general rule, it is prohibited to process criminal offence data outsourcing arrangements. Furthermore, the rights and obligations (there are a few exemptions, for example, regarding whistle- of the financial services company and the services provider must be blowing systems, where it is permitted to process criminal offence clearly documented in an outsourcing agreement. If the financial data under certain conditions). services company intends to outsource a significant part of the licensed • There are specific requirements that must be met in case of export operations, or activities that have a natural connection with financial of personal data to countries outside the European Union or the operations or their support functions, the financial services company European Economic Area (eg, consent or model clause agreements is required to notify the SFSA thereof in advance and also provide the may justify such export). SFSA with a copy of the relevant outsourcing agreement. • A data controller must take appropriate technical and organi- The SFSA requires outsourcing agreements to be in writing and sational measures to protect personal data. Data processing to regulate clearly the rights and obligations of the financial services agreements must be entered into with data processors. company and the third-party service provider. The SFSA further expects • The GDPR also includes requirements regarding, inter alia, the financial services company to be able to assess and monitor how appointment of data protection officers, personal data breaches, well the third-party service provider is carrying out its duties and to data protection by design and by default, records of processing terminate the agreement should the third-party service provider lack activities, data protection impact assessments, consultation and the skills, capacity and authorisations required by law to reliably and cooperation with the data national protection authority. professionally perform the outsourced duties and manage risks related • The GDPR applies to pseudonymised data but not to fully to these duties. anonymised data (ie, where it is not possible to directly or indirectly identify an individual by any means).

Cloud computing • inventions developed within the employer’s line of business 35 Are there legal requirements or regulatory guidance with but developed by an employee that is not employed to conduct respect to the use of cloud computing in the financial services research and development work may be utilised by the employer, industry? and the employer has priority over others in acquiring ownership of the invention; and The EBA Guidelines, applicable for credit institutions and investment • inventions developed within the employer’s line of business but firms subject to Directive 2013/36/EU, as amended, electronic money developed without any connection to the employment may be institutions and payment institutions, offer guidance in respect of acquired by the employer, with priority over others, if agreed upon outsourcing to cloud service providers and have integrated and replaced with the employee. the previously issued EBA Recommendations on Outsourcing to Cloud Service Providers (EBA/REC/2017/03). Collective bargaining agreements (if applicable) may also contain On 3 June 2020, the European Securities and Markets Authority provisions on employers’ rights to intellectual property developed by issued Draft Guidelines on Outsourcing to Cloud Service Providers for, employees similar to the three categories described above. inter alia, investment firms and credit institutions that carry out invest- In relation to contractors and consultants, the main rule is that all ment services and activities. They are expected to be implemented in rights in results vest in the originator. This means that a company must the fourth quarter of 2020 or the first quarter of 2021. explicitly acquire the rights in those results through agreements with the originator. The inclusion of appropriate intellectual property clauses INTELLECTUAL PROPERTY RIGHTS in the agreement with contractors and consultants are, thus, essential.

IP protection for software Joint ownership 36 Which intellectual property rights are available to protect 38 Are there any restrictions on a joint owner of intellectual software, and how do you obtain those rights? property’s right to use, license, charge or assign its right in intellectual property? Computer programs are protected as copyrighted works in accordance with the Swedish Copyright Act (1960:729 (CA)). The copyright protec- The Swedish legislation does not fully regulate the matter of joint tion arises automatically, and there is, thus, no registration procedure ownership of intellectual property. Only the CA regulates the matter for obtaining copyright protection. explicitly, whereby the main rule is that co-authors have a joint Software-implemented inventions and business methods can right to the copyright-protected work. The same should reason- be registered and protected as patents if they meet all the necessary ably also apply to the other categories of intellectual property. requirements. Program code or mere business methods, however, Unless agreed otherwise between the co-owners, the Swedish Act cannot be patented in Sweden, but a technical invention that includes a on Joint Ownership (1904:48 (AJO)) is applicable. The AJO states that business method, or which is implemented or can be implemented by a consent from all co-owners is necessary for all decisions concerning the computer program, can be patentable. management of the jointly owned property. All co-owners are, however, entitled to sell their share in the jointly owned intellectual property IP developed by employees and contractors without consent from the other owners. 37 Who owns new intellectual property developed by an In light of this, co-owners of intellectual property are restricted employee during the course of employment? Do the same from utilising, licensing, charging or assigning the intellectual property rules apply to new intellectual property developed by in whole without the other co-owner’s consent. The co-owners must, contractors or consultants? thus, settle the joint ownership and agree on how to use and manage the intellectual property to avoid uncertainty. In general, intellectual property developed during the course of employment vests with the employee unless explicitly transferred to the Trade secrets employer. However, the employer has a more or less extensive right to 39 How are trade secrets protected? Are trade secrets kept acquire or utilise the intellectual property depending on the category of confidential during court proceedings? intellectual property and the category of invention (see below) as well as the provisions in the applicable employment or collective bargaining Protection for trade secrets is granted through the Swedish Trade Secrets agreements. There are also specific statutory provisions concerning Act (2018:558 (TSA)). For the purposes of the TSA, trade secrets are certain intellectual property. Below is a summary of the general prin- defined as information concerning business or operational circumstances ciples regarding an employer’s rights to inventions developed by its in a trader’s business, which is secret in the sense that it is not, as a body employees. or in the precise configuration and assembly of its components, gener- According to the CA, copyright in a computer program created in ally known among or readily accessible to persons within the circles that the course of employment is automatically transferred to the employer normally deal with the kind of information in question, which the trader unless otherwise agreed in, for example, the employment agreement. has taken reasonable measures to keep confidential and the disclosure However, the scope of the concept of ‘computer program’ is not clear of which is likely to cause damage to the trader from a competition under Swedish law. Therefore, it is recommended that employers perspective. Trade secrets cannot be registered for protection, and the include an appropriate clause in the employment agreement that explic- only statutory protection for such information is granted under the TSA. itly transfers all rights to the employer. Court proceedings, as well as all evidence and other information An employer has certain rights to patentable inventions developed submitted to the court, are generally public in Sweden. However, for by its employees. Those inventions are divided into three categories, information concerning business or operational circumstances, the and the employer’s rights differ between the categories: parties may request secrecy when submitting information or during • inventions developed by employees that are employed to conduct the proceedings as well as afterwards. However, a Swedish court is not research and development work, and which are developed within the required to adhere to such request, and there is no way of knowing scope of employment, may be acquired or utilised by the employer; whether the court will grant a request of secrecy in advance. www.lexology.com/gtdt 209 © Law Business Research 2020 Sweden Vinge

Branding 40 What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

The general provisions for protection of trademarks and trade symbols are provided in the Swedish Trademark Act (2010:1877). A trade symbol can be registered for protection in Sweden if it is distinctive (ie, capable Emma Stuart-Beck [email protected] of distinguishing goods or services of one business activity from those of another). A trademark registered for protection in the European Union Caroline Krassén also grants protection in Sweden. Exclusive rights to a trade symbol [email protected] may also be obtained, without registration, if the symbol is considered Anton Sjökvist established on the market. A trade symbol is deemed established on [email protected] the market if it is known by a significant part of the relevant public as Mikaela Lang an indication for the goods or services that are being offered under it. [email protected] New businesses can either perform searches themselves in relevant public databases for trademarks identical or similar to the trademarks Henrik Schön they intend to use (eg, in the Swedish Patent and Registration Office’s [email protected] database, which covers both Swedish and EU trademarks) or engage a Trine Osen Bergqvist trademark attorney to assist with such preliminary investigations. [email protected] General branding can be protected by the Marketing Practices Act. Nicklas Thorgerzon The Act protects unfair competition and can, thus, inter alia, protect a [email protected] business against other business taking unfair advantage of the reputation associated with the first business, including its trademark, business Karl-Hugo Engdahl name or other distinctive marks. [email protected] Maria Schultzberg Remedies for infringement of IP [email protected] 41 What remedies are available to individuals or companies Viveka Classon whose intellectual property rights have been infringed? [email protected]

There are numerous remedies available when suing an alleged infringer Malin Malm Waerme [email protected] in court. For example, preliminary injunctions and prohibitions under penalty of fine as well as damages for infringement, loss of profit and impaired goodwill are available in all Swedish intellectual property Stureplan 8 laws. Infringements committed intentionally or through gross negli- Box 1703 gence can also result in fines or imprisonment. 111 87 Stockholm Sweden COMPETITION Tel: +46 10 614 3000 Fax: +46 10 614 3190 Sector-specific issues www.vinge.se 42 Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

There are no specific competition rules for fintech companies. The Increased tax burden general Swedish competition rules, which are based on EU competition 44 Are there any new or proposed tax laws or guidance that law, apply. The rapid growth of the Swedish fintech industry in recent could significantly increase tax or administrative costs for years has given rise to many new payment solutions and increased fintech companies in your jurisdiction? competition between the old and the new. Although we have seen issues relating, inter alia, to the interoperability between the traditional No. banking systems and the new digital solutions, case law regarding the application of the competition rules in the fintech industry is still limited. IMMIGRATION

TAX Sector-specific schemes 45 What immigration schemes are available for fintech Incentives businesses to recruit skilled staff from abroad? Are there 43 Are there any tax incentives available for fintech companies any special regimes specific to the technology or financial and investors to encourage innovation and investment in the sectors? fintech sector in your jurisdiction? There are no specific immigration schemes available for fintech busi- There are no special Swedish tax incentives for fintech companies or nesses to recruit skilled staff, nor are there any special regimes specific investors to encourage innovation and investment in the fintech sector to the technology or financial sectors. Whether a work permit is required in Sweden. for the specific role is subject to a case-by-case assessment. The main

210 Fintech 2021 © Law Business Research 2020 Vinge Sweden rule under Swedish law is that for a citizen of a non-EU country to be The Swedish government, the Swedish Financial Supervisory able to work and reside in Sweden, a work permit and a residence permit Authority and the Swedish Central Bank have, furthermore, presented is required. EU citizens are, however, entitled to work in Sweden without a number of initiatives to avoid credit supply problems and to support any kind of permit. Swiss citizens are entitled to work in Sweden without business, including but not limited to the Central Bank making avail- a work permit, but are still required to apply for a residence permit. able up to 500 billion kronor in loans for Swedish banks to be used Certain other categories of employees may also temporarily for on-lending to Swedish non-financial companies, the Central Bank’s work in Sweden without a specific work permit, provided that certain purchase of up to 300 billion kronor of securities (in government and requirements are fulfilled. For example, a work permit is not required municipal bonds, covered bonds and securities issued by non-finan- for individuals employed by a multinational corporate group where the cial companies) and state guarantees for 70 per cent of new bank employees will undergo practical training, on-the-job training or other financing of up to 75 million kronor in each case to otherwise viable in-service training at a company in Sweden that is part of the group (a small and medium-sized enterprises facing difficulties owing to the maximum aggregate period of three months). In the absence of any of covid-19 pandemic. the aforementioned exemptions, all non-EU citizens must obtain a work permit to be entitled to work in Sweden. The application procedure is generally the same for all applicants regardless of occupation or industry. Applications are assessed by the Swedish Migration Agency (MA), and the application processing time varies. It currently takes up to four months for the MA to examine a complete first-time application registered through the regular queue. There are, however, particular certified firms (such as certain law firms) with access to the MA’s fast-track system when applying for work permits on behalf of a client company and its employees. Certified firms are entitled to a significantly shorter turnaround time (10 days for complete first-time applications). In cases where the employer is not bound by a collective bargaining agreement and the concerned Swedish trade union does not oppose the absence thereof, the official fast-track turnaround time is 60 days.

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

According to the Stockholm Fintech Guide, Stockholm received 18 percent of all private placements in fintech companies across Europe between 2013 and 2018, and around 400 fintech companies are active in Stockholm, as compared to the end of 2017 when there were around 150. The Swedish National Bank has, furthermore, owing to the margin- alisation of cash usage in Sweden, initiated a pilot project to construct a technical platform for the e-krona, based on distributed ledger technology, and while no decision on the issuing of an e-krona has been made, the project is expected to run until February 2021 and explore the possibility of a digital currency to complement cash in society. Sweden in general – and Stockholm in particular – are vibrant for fintech companies, and the coming years will likely provide for further developments on the Stockholm fintech scene.

Sweden has introduced several measures to mediate the negative effects for business operators owing to the pandemic; however, none are specifically tailored to the fintech industry. The measures include financial support and lower requirements for companies whose employees are on sick leave or on temporary short-term work, the lowering of employer’s social security contributions and the easing of the rules to carry out general meetings without physical attendance. www.lexology.com/gtdt 211 © Law Business Research 2020 Switzerland

Clara-Ann Gordon and Thomas A Frick Niederer Kraft Frey

FINTECH LANDSCAPE AND INITIATIVES conclusion of such contracts). Various other changes to the relevant laws were already made or initiated to further enhance the fintech ecosystem. General innovation climate 1 What is the general state of fintech innovation in your FINANCIAL REGULATION jurisdiction? Regulatory bodies Switzerland strongly supports innovation both at the government and 3 Which bodies regulate the provision of fintech products and corporate level. This includes fintech innovation. The country has a services? strong and mature financial market and strong service industries that support such initiatives. Well-known internationally is the Crypto Valley, The provision of fintech products and services is governed by the general a fintech hub focused on crypto offerings located in Zug, a small canton laws and regulations applicable to the financial market, which in general close to the financial centre of Zurich. Google, IBM, Disney, Thomson is supervised by the Financial Market Supervisory Authority (FINMA). Reuters and the Federal Institute of Technology ETH have all established FINMA regulates the provision of these products and services in more research laboratories in and around Zurich, adding to the technical detail by issuing circulars and guidelines, such as the guideline for initial innovation network. Zurich University is in the process of creating 18 coin offerings (ICOs). FINMA is the competent supervisory authority for new chairs for digital innovation studies; Zurich University also intends banks, insurance companies and asset managers managing assets of to further enhance its research on artificial intelligence. There are collective investment schemes. numerous companies focusing on digital offerings, specialised ones such Financial intermediaries, which were not prudentially supervised as Swissquote, Temenos and Avaloq, and others providing IT support prior to 1 January 2020, became subject to prudential supervision (in and IT-focused financial services. In addition, major Swiss banks such as particular, asset managers). They must join a self-regulatory organisa- UBS and Credit Suisse both have fintech innovation laboratories. Banks tion (SRO) for the purpose of anti-money laundering (AML) compliance focused on crypto offerings (eg, SEBA and Sygnum) received a banking and one of the newly set up special supervisory bodies for asset licence in summer 2019; other projects are currently aiming to set up managers. These in turn are supervised by FINMA but are privately run trading platforms and exchanges (eg, SIX Swiss Exchange and its SDX organisations. project) and to obtain a licence from the Financial Market Supervisory Finally, certain ICOs were made by foundations domiciled in Authority (FINMA). FINMA also recently granted the first two of the new Switzerland and these foundations are supervised by separate supervi- fintech licenses. sory authorities at the communal, cantonal and federal level; foundations set up for the purpose of making an ICO are usually supervised by the Government and regulatory support Federal Authority for Foundation Supervision. 2 Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits Regulated activities of such support? 4 Which activities trigger a licensing requirement in your jurisdiction? There are numerous initiatives by government bodies and regulators to provide support to financial innovation. The most comprehensive FINMA provides on its website (www.finma.ch) an overview of activi- one is the Digital Switzerland initiative that coordinates various private ties that may trigger a licensing requirement. Fintech companies are initiatives and provides government support to them. FINMA set up a particular likely to fall within the scope of the Banking Act, the Financial special fintech desk as a competence centre for fintech applications and Institutions Act, the Financial Market Infrastructure Act (FMIA) and the enquiries. Through this desk, FINMA issued, for instance, guidelines Anti-money Laundering Act (AMLA). for initial coin offerings (ICOs) in 2018 and confirmed its willingness to Anyone who accepts deposits from the public on a commer- review submissions for ICOs and provide clearance letters for these cial basis is subject to banking licence requirements. This is the case offerings confirming that an ICO will not be in breach of Swiss regu- if either deposits of more than 20 investors are actually held or if the lations. Through the state agency Innosuisse, the Swiss Federation entity publicly announces to a non-limited number of persons that it is supports technology-based innovation in Swiss enterprises. Innosuisse willing to accept these deposits. Bond issues do not qualify as deposits offers coaching, thereby helping start-ups to raise capital. and capital contributions that do not entail a repayment obligation also Furthermore, the government initiated various changes to Swiss do not qualify as deposits. Since 1 August 2017, the holding of client law. Among others, relevant rules for the on-boarding of clients or for funds no longer triggers banking licence requirements if the funds do entering into asset management agreements were adapted to render not at any time exceed 1 million Swiss francs, the funds are neither rein- them technology neutral (ie, to enable online on-boarding and online vested nor interest-bearing and the depositors have been informed in

212 Fintech 2021 © Law Business Research 2020 Niederer Kraft Frey Switzerland writing prior to making the deposits that their funds are not covered by FINMA. Collective investment schemes are highly regulated in by the Swiss depositor protection regime and that the institution is not Switzerland and subject to investment and borrowing restrictions as supervised by FINMA. On 1 January 2019, a special licence was intro- well as to strict rules applicable to the sales of its units in or from duced whereby undertakings accepting deposits from the public of up to Switzerland. No specific regulations apply for fintech companies. 100 million Swiss francs may qualify for a banking licence light, a licence There is a project pending for a change of law, which could intro- that subject these undertakings to rules less stringent than the rules duce a non-licensed fund structure for professional investors only. applicable to banks, providing no interest is paid on such deposits and the funds are not reinvested (fintech licence). Alternative investment funds An entity that commercially buys and sells securities on the primary 8 Are managers of alternative investment funds regulated? market for its own account for short term resale or for the account of third parties, which offers them publicly on the primary market or create Switzerland not being a member state of the European Union, the or publicly offers derivatives, may require a securities house licence. Alternative Investment Fund Managers Directive is not applicable. As The term ‘securities’ is now defined in the FMIA and is understood as a rule, an asset manager domiciled in Switzerland of a Swiss or foreign meaning ‘standardised certified and uncertified securities, derivatives collective investment scheme requires a licence from FINMA. However, and intermediated securities, which are suitable for mass trading’. if the investment fund is open to qualified investors only, the asset Further clarification is provided by the ordinance on financial market manager may not fall under the licence requirement if the assets under infrastructures and market conduct in securities and derivatives trading, management do not exceed 100 million Swiss francs, or if the assets do which clarifies that only such securities that are publicly offered for sale not exceed 500 million Swiss francs, provided that the portfolio is not in the same structure and denomination or are placed with more than leveraged and the investors do not have a redemption right for a period 20 clients, insofar as they have not been created especially for individual of five years, or if the investor is part of the same financial group as the counterparties, will fall under the regulation. asset manager. While advising on investments will not be subject to licence requirements, asset management based on a power of attorney subjects Peer-to-peer and marketplace lending the asset manager to the obligation to join a SRO, to comply with the 9 Describe any specific regulation of peer-to-peer or relevant rules of the Swiss AMLA and to obtain a licence from FINMA. marketplace lending in your jurisdiction. AMLA regulations also extend to persons who carry out credit transactions, such as consumer loans or mortgages, factoring, commercial If the fintech company organising the marketplace is acting as a mere financing or financial leasing, and persons who provide services relating marketplace and does not accept or forward any funds, it will not be to payment transactions. subject to any specific regulation. However, if the fintech organising the Payment systems may under certain conditions require a licence marketplace or the peer-to-peer lending accepts funds or controls the under the FMIA. forwarding of these funds to another party of the marketplace, it will be subject to AML regulations and will need to join an SRO to comply with Consumer lending the AML regulations. 5 Is consumer lending regulated in your jurisdiction? Crowdfunding Consumer lending activities will require membership in a SRO and 10 Describe any specific regulation of crowdfunding in your compliance with the applicable AML rules. Furthermore, consumer jurisdiction. lending may fall under the Consumer Credit Act; a consumer lending company must obtain a licence (from a cantonal authority, unless it Crowdfunding is not specifically regulated under Swiss law, but FINMA holds a banking licence), must hold own assets in the amount of 8 per issued a fact sheet outlining the applicable rules. Therefore, the general cent of the issued consumer loans and is subject to various rules on rules apply to crowdfunding systems. As a rule, crowdfunding platforms providing transparency on the terms of the consumer loan and the obli- will not be subject to prudential supervision. If the crowdfunding plat- gation to verify the creditworthiness of the counterparty. form only organises the funding but does not control the flow of funds, it will not be subject to licensing requirements. If the crowdfunding Secondary market loan trading platform accepts funds and forwards these funds to the recipient within 6 Are there restrictions on trading loans in the secondary a time period of up to a maximum of 60 days without paying interest market in your jurisdiction? on the funds, the crowdfunding platform will be subject to AML regulations and will need to become a member of an SRO. If a crowdfunding There is no licence requirement for trading loans in the secondary platform holds funds for a period longer than 60 days, it may require a market. However, if an investment company is buying and selling securi- fintech licence under the Banking Act, if the funds held do not exceed ties for their own account with the intent of reselling them within a short the amount of 100 million Swiss francs. If the funds held exceed this time period or for the account of third parties, these companies must amount or if interest is paid on the amount held, a banking licence will be obtain a securities house licence from FINMA. required. Not only the platform may require a licence, but also the project developer, if it accepts deposits or advertises that it will accept deposits. Collective investment schemes 7 Describe the regulatory regime for collective investment Invoice trading schemes and whether fintech companies providing alternative 11 Describe any specific regulation of invoice trading in your finance products or services would fall within its scope. jurisdiction.

As a rule, peer-to-peer lenders, marketplace lenders or crowdfunding Invoice trading and factoring is not specifically regulated in Switzerland platforms will not fall under the rules applicable to collective investment and does not require a prudential licence. However, trading in invoices schemes. Collective investment schemes and companies managing qualifies the fintech company as a financial intermediary and the fintech collective investment schemes are subject to prudential supervision company will have to comply with AML regulations and join an SRO. www.lexology.com/gtdt 213 © Law Business Research 2020 Switzerland Niederer Kraft Frey

Payment services basis, this activity may trigger reporting obligations to the Swiss 12 Are payment services regulated in your jurisdiction? Foreign Department under the Federal Act on private Security Services Abroad. Switzerland not being a member of the European Union, the European Payment Services Directive 2 (PSD2) does not apply and Switzerland CROSS-BORDER REGULATION does not have a corresponding regulation. Therefore, no prudential licence is required for payment services. However, any provider of Passporting payment services will need to comply with AML rules and will have 17 Can regulated activities be passported into your jurisdiction? to join an SRO. If a payment system is deemed to be of systemic relevance, or if FINMA is of the opinion that supervision is required for the No passporting of regulated activities into Switzerland is possible. protection of the participants of a payment system, FINMA can at its discretion require a payment system to obtain a licence under the FMIA Requirement for a local presence and such systems will furthermore be subject to reporting obligations 18 Can fintech companies obtain a licence to provide financial to the Swiss National Bank. The Swiss National Bank has the compe- services in your jurisdiction without establishing a local tence to subject foreign payment systems that are of systemic relevance presence? to Switzerland to its supervision. However, most payment systems are not subject to prudential supervision or licence requirements. FINMA As a rule, a licence will only be granted to a company established in declared that the LIBRA stablecoin, Facebook’s project, would be of Switzerland (ie, if it has local presence either in the form of a company systemic relevance. or in the form of a branch of a foreign legal entity). Product offerings, however, are possible on a cross-border basis provided that the prod- Open banking ucts (such as investment funds) are approved in Switzerland. While 13 Are there any laws or regulations introduced to promote the distribution of insurance products, collective investment schemes, competition that require financial institutions to make derivatives and securities is regulated, general banking services may customer or product data available to third parties? be offered by foreign banks in Switzerland without licensing requirements; however, since 1 January 2020, client advisers working for The PSD2 does not apply in Switzerland and no equivalent regulation foreign financial service providers need to register in a Swiss advisory exists. Swiss banks are sceptical and, at the time of writing, do not open register. Exempt from this are client advisers working for banks, securi- up interfaces to their client data. However, as banks are criticised for ties houses and asset managers and client advisers working for other that approach and as banks usually also provide cross-border services, foreign prudentially supervised financial institutions if they only advice it is expected that certain banks will in the future start to apply the PSD2 professional or institutional clients. rules voluntarily by granting third parties access to certain data, subject When marketing financial products, such as investment funds and to customer consent. structured products, the local Swiss rules on the marketing of such products must be complied with (eg, prospectus requirements under Robo-advice Swiss law). 14 Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated SALES AND MARKETING access to investment products in your jurisdiction. Restrictions There are several robo-advisers active on the Swiss market. The 19 What restrictions apply to the sales and marketing of rules applicable to them are the same as those that apply to normal financial services and products in your jurisdiction? asset managers. When marketing financial products, such as investment funds and struc- Insurance products tured products, the local Swiss rules on the marketing of such products 15 Do fintech companies that sell or market insurance products must be complied with (eg, prospectus requirements under Swiss law). in your jurisdiction need to be regulated? CHANGE OF CONTROL Insurance companies operating in Switzerland must obtain a licence for their specific activities from FINMA. As the sale and marketing of Notification and consent insurance products is highly regulated, any marketing of these products 20 Describe any rules relating to notification or consent (including cross-border marketing into Switzerland) needs to be evalu- requirements if a regulated business changes control. ated in detail prior to any marketing activities. If a prudentially supervised legal entity changes control, the legal entity Credit references and the new controlling shareholder must obtain an additional licence 16 Are there any restrictions on providing credit references or from the Financial Market Supervisory Authority. The same applies if credit information services in your jurisdiction? 10 per cent or more of the capital or of the voting rights in a foreign- controlled prudentially supervised legal entity are transferred. In the There is no general licensing requirement for providing credit refer- application, full information must be provided on the new shareholder ences or credit information services. However, any company providing and on the persons controlling this new shareholder up to the ultimate this information must comply with the Swiss Federal Act on Data beneficial owner. Protection, which applies not only to natural persons but also to legal entities. Furthermore, the gathering of information from non-public sources may qualify as activity of private detective, which is subject to licensing requirements in certain cantons. If done on a cross-border

FINANCIAL CRIME A security assignment of rights will also only be valid if entered into in writing by the assignee. Mortgages can only be entered into in Anti-bribery and anti-money laundering procedures the form of a public deed. 21 Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering? Assignment of loans 24 What steps are required to perfect an assignment of There are no specific rules applicable to fintech companies. All Swiss loans originated on a peer-to-peer or marketplace lending legal entities and persons are subject to the anti-bribery rules of the platform? What are the implications for the purchaser if the Swiss Criminal Code and need to comply with these provisions. For assignment is not perfected? Is it possible to assign these prudentially supervised companies, compliance with such anti-bribery loans without informing the borrower? rules is part of the supervisory concept and any breaching of these rules may endanger the licence. An assignment of a claim can be done unilaterally without informing the Anti-money laundering (AML) provisions apply as soon as a debtor under the loan. However, such assignment of a claim must be company controls foreign assets or issues a currency. In the framework done in writing. An assignment of a contract is possible without such of an initial coin offering (ICO), therefore, a company launching an ICO formal requirements (unless the contract itself requires a certain form, and issuing currency tokens will have to comply with AML provisions. which is not the case for loan agreements) but needs the consent of the A company issuing pure utility tokens or security tokens may not have counterparty (ie, of the debtor under the loan). to comply with AML provisions, provided that the tokens are operative. Even if a company issuing tokens may not be under strict obligations to Securitisation risk retention requirements comply with AML provisions, it may find it difficult if not impossible to 25 Are securitisation transactions subject to risk retention find a Swiss bank willing to provide a bank account unless it identifies its requirements? investors (in the case of the issuing of security tokens) according to AML standards compatible with the AML standards applied by Swiss banks. The EU Securitisation Regulation does not apply in Switzerland and its Digital currency exchanges may be subject to AML requirements rules are not part of the Swiss regulatory framework. as exchanges from one cryptocurrency to the other are deemed to be monetary transactions. Securitisation confidentiality and data protection requirements In a recent major legislative project, new rules on the application of 26 Is a special purpose company used to purchase and securitise Swiss AML law to crypto-assets have been proposed. The new proposals peer-to-peer or marketplace loans subject to a duty of are pending in Parliament but may not become effective until 2021. confidentiality or data protection laws regarding information relating to the borrowers? Guidance 22 Is there regulatory or industry anti-financial crime guidance Switzerland has strong confidentiality and data protection laws appli- for fintech companies? cable to client relationships. However, the well-known banking secrecy and similar secrecy obligations of financial intermediaries apply to rela- There is no general regulatory or industry anti-financial crime guidance tionships with banks, securities traders and fund administrators only and for fintech companies. However, the Swiss Bankers Association (www. not to each and every company. Therefore, the duty of confidentiality may swissbanking.org) recently issued guidelines for banks on the applica- depend on the origin of the loans: if such loans originate from a bank, tion of AML rules to crypto-assets and to accounts of bank customers the bank must ensure that the SPV complies with the relevant secrecy dealing in crypto-assets (such as in the case of an ICO). Furthermore, obligations (unless the bank customers consented and gave a waiver of private associations such as the Capital Markets and Technology their secrecy rights). However, a special purpose company domiciled in Association are currently working on guidelines on how AML rules Switzerland will be subject to the Swiss Data Protection Act and will need should be applied to crypto-assets, in particular tokenised shares and to treat the data received in accordance with these provisions, which do non-voting shares. Finally, the Financial Market Supervisory Authority not only protect natural persons but also legal entities. Furthermore, a issued interpretative guidelines relating to cryptocurrency transfers. transfer of data abroad may be subject to additional limitations.

PEER-TO-PEER AND MARKETPLACE LENDING ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER TECHNOLOGY AND CRYPTO-ASSETS Execution and enforceability of loan agreements 23 What are the requirements for executing loan agreements or Artificial intelligence security agreements? Is there a risk that loan agreements 27 Are there rules or regulations governing the use of artificial or security agreements entered into on a peer-to-peer or intelligence, including in relation to robo-advice? marketplace lending platform will not be enforceable? Switzerland currently does not have special rules regarding the applica- A loan agreement may be executed without formal requirements (ie, tion of artificial intelligence. Different institutions are conducting studies an oral agreement is valid). Therefore, a loan agreement can also be to answer questions regarding topics such as ethics or the risks and entered into by, for example, email. Hence, a loan agreement entered opportunities of AI innovation (State Secretariat for Economic Affairs into on a peer-to-peer or marketplace lending platform will be enforce- press release ‘The pros and cons of artificial intelligence’, www.seco. able provided that the party wishing to enforce the agreement can admin.ch/seco/en/home/seco/nsb-news.msg-id-71639.html). In addi- provide sufficient evidence that the agreement was entered into by the tion, the Swiss federal government funded research programmes on counterparty. the effective and appropriate use of big data and has incorporated a Regarding security agreements, form requirements apply. A pledge new federal working group specialised in artificial intelligence (see the under Swiss law is valid only if entered into in writing (ie, in the written Swiss Confederation on ‘The Swiss Digital Action Plan’, 5 September form with an original (or valid electronic) signature of the pledgor). 2018; also see the Swiss Confederation on ‘Digital Switzerland Strategy’, www.lexology.com/gtdt 215 © Law Business Research 2020 Switzerland Niederer Kraft Frey

September 2018). On 13 December 2019, the report ‘Challenges of prudential licence requirement. However, if not only digital currencies Artificial Intelligence’ was published, but without specific requests for but also security tokens will be traded on the exchange; the exchange changes to Swiss law. may qualify as an organised or a multilateral trading facility under the A company providing robo-advice may qualify as an asset manager Financial Market Infrastructure Act and must comply with the rules if the company automatically implements the advice on a client portfolio, applicable to these institutions. may be subject to anti-money laundering (AML) rules and may have to become a member of a self-regulatory organisation. Initial coin offerings 31 Are there rules or regulations governing initial coin offerings Distributed ledger technology (ICOs) or token generation events? 28 Are there rules or regulations governing the use of distributed ledger technology or blockchains? Switzerland has a technology-neutral approach to digital assets. Blockchain projects fall under the regulatory regimes of the industries There are no special rules or regulations governing the use of such they apply to, such as the finance industry. On 16 February 2018, FINMA technology and the general laws apply. published ‘Guidelines for enquiries regarding the regulatory framework for initial coin offerings’ wherein it describes in detail how it deals with Crypto-assets the supervisory and regulatory framework for ICOs under Swiss law. On 29 Are there rules or regulations governing the use of crypto- 26 August 2019, further specifications were given relating to payments assets, including digital currencies, digital wallets and on the blockchain (Supervisory Notice 02/2019). FINMA will consider, e-money? among other things, the investor categories and ICO targets, compliance with AML regulations and the functionalities of the token generated but Switzerland has a technology-neutral approach to digital assets. also the technologies used, the technical standards and wallets and Blockchain projects fall under the regulatory regimes of the industries technical standards to transfer tokens. In its guidelines, FINMA distin- they apply to, such as the finance industry. On 16 February 2018, the guishes three token categories, namely payment tokens, which are Financial Market Supervisory Authority (FINMA) published ‘Guidelines intended to be used as a means of payment and do not grant any claims for enquiries regarding the regulatory framework for initial coin offer- against the issuer of the token, utility tokens, which grant access to an ings’ wherein it describes in detail how it deals with the supervisory application or service, and asset tokens, which represent assets such as and regulatory framework for initial coin offerings (ICOs) under Swiss a debt or equity claim against the issuer or that enable physical assets law. On 26 August 2019, further specifications were given relating to to be traded on the blockchain. If a token combines functions of more payments on the blockchain (Supervisory Notice 02/2019). FINMA will than one of these categories, it is considered a hybrid token and has to consider, among other things, the investor categories and ICO targets, comply with the requirements of all categories concerned. compliance with AML regulations and the functionalities of the token generated but also the technologies used, the technical standards and DATA PROTECTION AND CYBERSECURITY wallets and technical standards to transfer tokens. In its guidelines, FINMA distinguishes three token categories, namely payment tokens, Data protection which are intended to be used as a means of payment and do not grant 32 What rules and regulations govern the processing and any claims against the issuer of the token, utility tokens, which grant transfer (domestic and cross-border) of data relating to access to an application or service, and asset tokens, which represent fintech products and services? assets such as a debt or equity claim against the issuer or that enable physical assets to be traded on the blockchain. If a token combines func- There are no specific rules and regulations that would apply to fintech tions of more than one of these categories, it is considered a hybrid token products and services. Hence, the existing data protection law and the and has to comply with the requirements of all categories concerned. guidelines from the Swiss Federal Data Protection and Information The issuance of digital currencies will render the issuer subject Commissioner (FDPIC) apply. The Swiss Federal Data Protection Act is to AML regulations. The offering of digital wallets, as a rule, will also currently being revised. subject the provider to AML regulations. The safekeeping of digital currencies in a wallet will, as a rule, not be considered as an activity Cybersecurity requiring a banking licence by FINMA, provided that the private keys 33 What cybersecurity regulations or standards apply to fintech do not fall into the bankrupt estate of the custodian. However, if the businesses? custodian had control over the wallet (ie, is capable of disposing of the currencies therein without interference of the beneficiary), the holding There are no specific cybersecurity regulations or standards that apply of the wallet may render the custodian subject to banking licence to fintech businesses. Hence, the existing data protection law and the requirements. In the recent proposals submitted by the Federal Council guidelines from the FDPIC apply. In particular the ‘Guide on Technical for discussion, further clarifications regarding the treatment of digital and Organisational Measures’ (see file://srvzhfile02/users$/cgo/VDI/ wallets in the bankruptcy of the custodian are proposed. Downloads/guideTOM_en_2015%20(1).pdf).

Furthermore, if a financial services company subject to pruden- Joint ownership tial supervision outsources part of its business, it will need to comply 38 Are there any restrictions on a joint owner of intellectual with the guidelines provided by the Financial Market Supervisory property’s right to use, license, charge or assign its right in Authority (FINMA) in its outsourcing circular (2018/3 FINMA ‘Guideline intellectual property? on Outsourcing – banks and insurers’) and in Annex 3 of the Operational Risk Circular (dealing with customer identification data). Under these No, there are no restrictions in this respect. In Switzerland, one is very rules, outsourcing of material aspects of a business is generally flexible and free to agree on rules. However, if nothing is agreed on, permitted, provided that the financial service provider is capable of then the general provisions of the applicable laws (eg, the Swiss Code supervising the outsourcing provider, is safeguarding security rights of Obligations and the Copyright Act) apply. In particular, with regard to of its clients, is securing in its contracts with the outsourcing provider joint ownership, it is advisable to set out the applicable rules in writing that itself, its auditing company and FINMA will at all time be capable of in a contract, because the rules set out in the applicable laws usually inspecting compliance by the outsourcing provider with the Swiss finan- are not specific enough for each individual case. cial market rules and that it properly selects, instructs and supervises the outsourcing provider. Furthermore, the cybersecurity measures of Trade secrets the outsourcing provider need to be adequate and in line with the rele- 39 How are trade secrets protected? Are trade secrets kept vant measures of the financial intermediary. confidential during court proceedings?

Cloud computing In Switzerland, trade secrets are mainly protected by non-disclosure 35 Are there legal requirements or regulatory guidance with agreements or confidentiality clauses in contracts. There is, unlike in respect to the use of cloud computing in the financial services the EU, no specific law in Switzerland dealing with the protection of industry? trade secrets. There are provisions in individual laws dealing with trade secret protection (eg, in the Criminal Code or in the Unfair Competition There are no specific rules on cloud computing, but financial services Act). In court proceedings, a party can request the court keep trade companies need to secure confidentiality of their client data and, as secrets confidential and not disclose them to the counterparty. a rule, comply with the outsourcing circulars. In addition, the Swiss Federal Data Protection and Information Commissioner’s ‘Guideline on Branding Cloud Computing’ applies (see www.edoeb.admin.ch/edoeb/en/home/ 40 What intellectual property rights are available to protect data-protection/Internet_und_Computer/cloud-computing/guide-to- branding and how do you obtain those rights? How can cloud-computing.html) . fintech businesses ensure they do not infringe existing brands? INTELLECTUAL PROPERTY RIGHTS In Switzerland trademarks can be applied for fintech services and IP protection for software products. An application for a trademark must be filed with the Swiss 36 Which intellectual property rights are available to protect Federal Institute of Intellectual Property. By first conducting a trade- software, and how do you obtain those rights? mark research in online databases or with special trademark agents, fintech businesses can check whether prior identical or similar trade- Under Swiss copyright law, only works that are considered an intel- marks exist. lectual creation with an individual character are protected by copyright (article 2, paragraph 1 of the Swiss Copyright Act). AI as software gener- Remedies for infringement of IP ally meets these requirements. However, works created by AI cannot 41 What remedies are available to individuals or companies be considered intellectual creations as they are not made by humans. whose intellectual property rights have been infringed? These works currently cannot be copyrighted and the author cannot acquire copyright derivatively. Copyrighted works are protected for 70 There are civil and criminal law remedies. Under the applicable laws years after the death of the author (50 years with regard to computer (eg, the Swiss Code of Conduct, Copyright Act, Patents Act, Trademark programs). As a rule, computer programs cannot be patented under Act and Unfair Competition Act) a party whose intellectual property Swiss law. rights are infringed can file for injunctive relief, a claim for damages, etc. Under the Criminal Code the party can file a criminal complaint for IP developed by employees and contractors an offence relating to intellectual property infringements. 37 Who owns new intellectual property developed by an employee during the course of employment? Do the same COMPETITION rules apply to new intellectual property developed by contractors or consultants? Sector-specific issues 42 Are there any specific competition issues that exist with As long as the intellectual property is developed by an employee during respect to fintech companies in your jurisdiction? the course of employment and in fulfilment of his or her working tasks, then the intellectual property belongs by virtue of law to the employer. No specific rules have been issued under competition law applicable With regard to contractors or consultants, these rules do not apply. Here to fintech companies, so that the general rules of Swiss competition it is decisive that the respective rights are transferred and assigned to law apply. Swiss competition law is to a large extent aligned with EU the principal. competition law and the discussion in the EU relating to completion law in the digital economy is closely followed in Switzerland. Therefore, it can be expected that once the EU applies additional rules to the digital economy, Switzerland will follow and apply similar rules. With respect to certain business set-ups involving the exchange of data between www.lexology.com/gtdt 217 © Law Business Research 2020 Switzerland Niederer Kraft Frey

various parties, Switzerland follows the approach of the EU on the applicability of competition law rules to the exchange of data between competitors or potential competitors, and a company intentionally facilitating this exchange of market relevant data may be held to be in breach of competition law as well, even if it is not active on the same market.

TAX

Incentives Clara-Ann Gordon [email protected] 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the Thomas A Frick fintech sector in your jurisdiction? [email protected]

There are no tax incentives specifically designed for fintech companies Bahnhofstrasse 53 and investors. However, both companies and investors benefit from the 8001 Zurich generally favourable Swiss tax environment. The corporate tax rate Switzerland depends on the exact location of the company but may be as low as 12 Tel: +41 58 800 8000 per cent, the VAT rate is significantly lower than in most EU member Fax: +41 58 800 8080 states and individual investors resident in Switzerland do not pay taxes www.nkf.ch on gains realised on the sale of equity investments. Very low taxes apply to capital gains from the sale of equity investments by corporate shareholders if the participation was held for at least one year and was 10 per cent or more of the equity of the company. UPDATE AND TRENDS

Increased tax burden Current developments 44 Are there any new or proposed tax laws or guidance that 46 Are there any other current developments or emerging could significantly increase tax or administrative costs for trends to note? fintech companies in your jurisdiction? There are various developments in Switzerland regarding fintech. There are no new or proposed tax laws that will significantly increase On the regulatory site, an act on establishing a legal and a distribu- tax. On the contrary, it is envisaged that corporate taxes will be lowered tion framework for a generally accepted digital identity was proposed significantly in connection with the abolition of certain privileges and may be in a final form by the end of 2019. Furthermore, a draft of a currently granted to holding companies. Administrative costs for fintech new Data Protection Act, which is currently on hold, will be discussed in companies may increase to a certain extent for fintech companies quali- Parliament in 2020. But, first and foremost, the proposal for a federal act fying as an asset manager as asset managers will become prudentially on adapting the federal law to developments of the distributed ledger supervised under the new Financial Institutions Act, which is expected technology was submitted for discussion in spring 2019; after initial feed- to become effective by 1 January 2020. back was positive, the final proposal of the government to Parliament was submitted by the end of 2019. It is currently pending in Parliament but IMMIGRATION will not become effective prior to 2021. In this draft act, various proposals for changes to existing Swiss laws are made, in particular regarding new Sector-specific schemes (integrated) financial infrastructures enabling integrated token trading 45 What immigration schemes are available for fintech platforms, clarifications regarding the law applicable to the transfer of businesses to recruit skilled staff from abroad? Are there tokens, clarifications and provisions of the anti-money laundering rules any special regimes specific to the technology or financial and various provisions on the treatment of digital assets in a bankruptcy. sectors? On the commercial side, there are various initiatives that focus on establishing wallet providers, trading platforms and other projects There are no special immigration schemes available for fintech busi- in Switzerland. Two banks obtained a banking licence focused on nesses or regimes specific to the technology or financial sector. However, digital assets in 2019; a third application is pending, and a number of citizens of EU member states are entitled to receive a work permit in other banks publicly announced that they will target crypto-markets. Switzerland under the bilateral agreements between Switzerland and Therefore, 2020 will again see massive developments in connection with the EU. Furthermore, Switzerland and the United Kingdom prepared the setting-up of infrastructures for the crypto and fintech industry in a treaty to ensure that UK and Swiss nationals will continue to benefit Switzerland. from the privileges granted to EU member state citizens after Brexit. There are now also various projects to enable the issuance of secu- Nationals of a country outside the European Economic Area will require rity tokens and to set up companies with tokenised shares. It is generally a work permit, which may be subject to quotas. As a rule, work permits expected that 2020 and 2021 will be the years of the asset token. for highly qualified persons, such as senior managers or technical Various Swiss universities (EPFL, ETH, Basle University and Zurich experts, will always be available. University) have initiatives regarding further development of research on fintech. Among others, the Swiss Fintech Innovation Lab at Zurich University brings together researchers from banking and finance, business informatics, management, social sciences, etc. While the crypto boom of 2017 may be history, the future has only started for the Swiss financial industry and it can be expected that the Swiss ecosystem will remain highly dynamic.

The covid-19 pandemic has brought about some emergency legislation, in particular government guarantees for bank loans to enterprises. As the amount of the loan available was linked to turnover, for many startups the loans were not available. However, several cantons have special initiatives to secure access to capital, in particular for start-ups in the tech sector. It is advisable for any start-up to enquire with the local authorities about what support is available.

Abe T S Sung and Eddie Hsiung Lee and Li Attorneys at Law

FINTECH LANDSCAPE AND INITIATIVES and explore the possibility of amending the existing rules that pose obstacles to the experimented financial innovation if put in the real General innovation climate world. However, depending on the review result of the FSC, the sandbox 1 What is the general state of fintech innovation in your entity or individual might still be required to apply for a relevant licence jurisdiction? or approval from the FSC to formally conduct the activities as previously tested in the sandbox. Taiwan’s law for the fintech regulatory sandbox, the FinTech Development and Innovation and Experiment Act (the Sandbox Act), was FINANCIAL REGULATION promulgated on 31 January 2018 and took effect on 30 April 2018. At the time of writing, seven applications have been approved by the Financial Regulatory bodies Supervisory Commission (FSC) to enter into the sandbox, as summa- 3 Which bodies regulate the provision of fintech products and rised below: services? • to facilitate digital banking business (eg, online credit (credit card, credit facility)) by means of a mobile phone identity verifica- In Taiwan, the Financial Supervisory Commission (FSC) is the govern- tion system; ment body regulating all financial products and services. There are • the outbound remittance by foreign workers through local conveni- four bureaux established under the FSC: the Banking Bureau (BB), the ence stores (two cases); Securities and Futures Bureau (SFB), the Insurance Bureau (IB) and the • to use blockchain technology for the transmission of fund transfer Financial Examination Bureau (EB) (collectively the Bureaux). Each of information between financial institutions; the BB, SFB and IB is separately responsible for regulating the banking, • to enable customers to purchase travel insurance through the securities and insurance industries. The EB is in charge of financial website of a travel agency by means of API connections; inspection and audits of financial institutions regulated by the FSC. • to provide the ‘fund exchange’ service by means of blockchain tech- Currently, none of the four bureaux has been specifically designated to nology; and regulate fintech products and services. Therefore, it should depend on • to shorten the fund transmission gap by means of ‘T+0 contract the nature of such products and services to determine which bureau mechanism’. would be the body regulating the relevant fintech products or services. As to the mechanism of the regulatory sandbox, the FSC is the In addition to the sandbox mechanism described above, in 2018, the competent authority; nonetheless, if the tested fintech product and Taiwan government also supported fintech developments by, for service relates to the regulatory regime of other competent authorities example, establishing a ‘FinTechSpace’, which is a physical location situ- (such as the Central Bank), the opinion of these relevant authority will ated in the city of Taipei with an aim to provide relevant assistance to also be consulted by the FSC. fintech start-ups, such as acting as an intermediary between fintech start-ups and financial services entities (with respect to potential coop- Regulated activities eration between the parties), a ‘regulatory clinic’ (ie, free preliminary 4 Which activities trigger a licensing requirement in your advice provided by government officials regarding regulations), etc. jurisdiction?

Government and regulatory support In Taiwan, conducting finance-related activities generally requires a 2 Do government bodies or regulators provide any support licence from the FSC. These activities include the following, without specific to financial innovation? If so, what are the key limitation. benefits of such support? • Securities-related activities: securities underwriting, securities brokerage, securities dealing (ie, proprietary trading), securities The regulatory sandbox offers a platform to test new applications of investment trust (ie, asset management) and securities investment fintech technologies. According to the Sandbox Act, an applicant (who consulting. can be an entity or individual) needs to obtain an approval from the FSC • General consulting business, such as acting as financial advisers before entering the sandbox and beginning the experiment. During the or agents to arrange investments or bring about merger or acqui- experiment period, the experimental activities may enjoy exemptions sition deals, does not require any licence. In addition, acting as from certain laws and regulations (such as FSC licensing requirements principal in an investment deal does not require any licence (except and certain legal liability exemptions). After completion of the approved for if a foreign investor should need a foreign investment approval experiments, the FSC will analyse the results of them. If the result is and investment in regulated industries needs special approvals). positive, the FSC may review the existing financial laws and regulations • Bank-related activities:

• lending: lending activities do not fall within the business to Offshore funds be exclusively conducted by a local licensed bank. However, Offshore funds with the nature of a securities investment trust fund as no financing company may be registered in Taiwan, it is may also be publicly offered (subject to FSC prior approval) or privately currently not possible for an entity to register as a financing placed (subject to post-filing with the FSC or its designated institution) company to carry on lending activities in Taiwan; to Taiwan investors, subject to certain qualifications and conditions. An • factoring and invoice, discounting and secondary market offshore fintech company, which does not have the nature of a securities loan trading; investment trust fund, will not be allowed to be offered in Taiwan. • deposit taking; • foreign exchange trading; Alternative investment funds • remittance; and 8 Are managers of alternative investment funds regulated? • electronic payment, credit cards and electronic stored-value cards. Currently, only securities investment funds, real property trust funds and futures trust funds (which focus on investment in futures and deriv Consumer lending atives) are permitted in Taiwan (except that SITEs and securities firms 5 Is consumer lending regulated in your jurisdiction? are now permitted to set up a subsidiary to act as the general partner of a private equity fund under the structure of limited partnership). These A local licensed bank may carry on consumer lending activities. funds may only be offered and managed by FSC-licensed entities, such Although lending activities do not fall within the business to be exclu- as SITEs, banks or futures trust enterprises. A fintech company, which sively conducted by a local licensed bank, carrying out lending activities is not a SITE, a bank or a future trust enterprise, will not be allowed to as one of a company’s registered business activities is still not permitted manage these funds in Taiwan. in Taiwan. Peer-to-peer and marketplace lending Secondary market loan trading 9 Describe any specific regulation of peer-to-peer or 6 Are there restrictions on trading loans in the secondary marketplace lending in your jurisdiction. market in your jurisdiction? While to date there are no laws or regulations specifically regulating or The general principle under Taiwan’s Civil Code is that any receivable is governing peer-to-peer lending, the Bankers Association of the Republic assignable unless (1) the nature of the receivable does not permit this of China (the Bankers Association), the self-disciplinary organisation of transfer; (2) the parties to the loan have agreed that the receivable shall the banking industry, has promulgated the Self-Disciplinary Rules of not be transferred; or (3) the receivable, in nature, is not legally attach- Business Cooperation between Member Banks of Bankers Association able. The receivables under loan, subject to (2) above, are generally and Peer-to-Peer Lending Operators (the P2P Self-Disciplinary Rules) transferable. However, a bank is subject to stricter rules that, gener- and such P2P Self-Disciplinary Rules have been filed with the FSC ally, loans that remain performing cannot be transferred by a bank, for record. with some limited exceptions (such as for the purpose of securitisation). According to the P2P Self-Disciplinary Rules, banks may work For this reason, Taiwan does not currently have an active secondary together with the peer-to-peer lending operators on the following loan market. matters: • providing fund custodian services; Collective investment schemes • providing cash-flow services; 7 Describe the regulatory regime for collective investment • providing credit review and rating services; schemes and whether fintech companies providing • extending facility by a bank to the customer (ie, the people-to-busi- alternative finance products or services would fall within its ness model); scope. • advertising and marketing activities; and • providing credit document custody services. Local funds (securities investment trust funds) The most common form of collective investment scheme in Taiwan is Crowdfunding securities investment trust funds, which may be offered to the general 10 Describe any specific regulation of crowdfunding in your public or privately placed to specified persons. Public offering of a jurisdiction. securities investment trust fund needs prior approval or effective regis tration with the FSC or the institution designated by the FSC. No prior Equity-based crowdfunding approval is required for a private placement of a securities investment The following two ways of fundraising are generally known as the trust fund; however, it can only be placed to eligible investors and within equity-based crowdfunding platforms in Taiwan. These ways of crowd five days after the payment of the subscription price for initial invest funding are exempted from the prior approval or effective registration ment offering, a report on the private placement shall be filed with normally required under the Securities and Exchange Act (SEA). the FSC or the institution designated by the FSC. Generally, the total number of qualified non-institutional investors under a private place The Go Incubation Board for Startup and Acceleration Firms of the ment shall not exceed 99. Under current laws and regulations, public Taipei Exchange offering and private placement of securities investment trust funds may The Taipei Exchange (TPEx), one of the two securities exchanges in only be conducted by FSC-licensed securities investment trust enter Taiwan, established the Go Incubation Board for Startup and Acceleration prises (SITEs). Currently, the paid-in capital of a SITE should not be Firms (GISA) in 2014 for the purpose of assisting innovative and creative lower than NT$300 million, and there exist certain qualifications for the small non-public companies in capital raising. shareholders of a SITE. A fintech company, which is not a SITE, will not A company with innovative or creative ideas with the potential for be able to raise funds as a SITE does. development is qualified to apply for GISA registration with the TPEx. After the TPEx approves the application, the company will first start www.lexology.com/gtdt 221 © Law Business Research 2020 Taiwan Lee and Li Attorneys at Law

receiving counselling services from the TPEx regarding accounting, In 2015, the Act Governing Electronic Payment Institutions (the internal control, marketing and legal affairs. After the counselling E-Payment Act) was enacted. This E-Payment Act regulates the activities period, there is another TPEx review to examine, among other things, of an electronic payment institution, acting in the capacity of an interme- the company’s management teams, the role of board of directors, diary between payers and recipients to engage, principally, in (1) collecting accounting and internal control systems, and the reasonableness and and making payments for real transactions as an agent; (2) accepting feasibility of the plan for raising capital, and if the TPEx deems appro- deposits of funds as stored value funds; and (3) transferring funds priate, the company may raise capital on the GISA. The amount raised between e-payment accounts. According to the E-Payment Act, an elec- by the company through the GISA may not exceed NT$30 million unless tronic payment institution should obtain approval from the FSC unless it otherwise approved. In addition, an investor’s annual maximum amount engages only in (1) above and the total balance of funds collected, paid and of investment through the GISA should not exceed NT$150,000, except for kept by it as an agent does not exceed the specific amount set by the FSC. in the case of angel investors defined by the TPEx or wealthy individuals In July 2019, the FSC announced a proposed amendment to the with assets exceeding an amount set by the TPEx and with professional E-Payment Act. The amendment will merge the E-Payment Act and knowledge regarding financial products or trading experience. E-Card Act. In addition, according to the proposed amendment, if approved by the FSC, an electronic payment institution or non-elec- Equity-based crowdfunding on the platforms of securities firms tronic payment institution would be able to provide limited remittance A securities firm may also establish a crowdfunding platform and services, which is currently a service exclusive to banks. With the expan- conduct equity crowdfunding business. Currently, a company with sion of the services that electronic payment institutions can provide, it paid-in capital of less than NT$50 million may enter into a contract with is anticipated that this amendment will promote the development of the a qualified securities firm to raise funds through the crowdfunding plat electronic payment market in Taiwan. The amendment to the E-Payment form maintained by the securities firm, provided that the total amount of Act is expected to be discussed in the Legislative Yuan of Taiwan and will funds raised by the company through all securities firms’ crowdfunding hopefully be passed in 2020. platforms in a year may not exceed NT$30 million. The amount of investment made by an investor on a securities firm’s platform may not exceed Open banking NT$50,000 for each subscription, and may not exceed NT$100,000 in 13 Are there any laws or regulations introduced to promote aggregate in a year, except for in the case of angel investors as defined competition that require financial institutions to make in the relevant regulations. customer or product data available to third parties?

Non-equity-based crowdfunding While the FSC has the general power to request the provision of In 2013, the TPEx established the ‘Gofunding Zone’ on its official website. customer or product data by financial institutions to the FSC, in practice, This mechanism allows the non-equity-based crowdfunding platform the FSC's relevant regulations, directions or guidelines also require that operators, once approved by the TPEx, to post information regarding financial institutions provide relevant customer and product data (such their proposals and projects on the Gofunding Zone. However, in May as data relating to credit extensions, credit cards and derivatives) to the 2018, the TPEx announced that owing to the significant developments Joint Credit Information Center (JCIC) for banks' use of credit check in in the crowdfunding business, the phased task of the TPEx to support terms of credit extension. this business had been completed, and, thus, it decided to close the In addition, in response to support of 'open banking' from some Gofunding Zone and annulled relevant rules. industry experts and market players, the FSC has demanded that the Bankers Association set out relevant self-regulatory rules to implement Invoice trading the concept of open banking in Taiwan. The FSC did not wish to set 11 Describe any specific regulation of invoice trading in your out mandatory disclosure rules for banks and, instead, asked the self- jurisdiction. regulatory organisation (ie, the Bankers Association) and the Financial Information Service Company to set out relevant rules and information The general principle under Taiwan’s Civil Code is that any receivable is security standards for banks to follow. The first stage of open banking assignable unless (1) the nature of the receivable does not permit this was launched in late 2019, which allowed public product information transfer; (2) the parties to the loan have agreed that the receivable shall to be searchable by third parties (ie, third-party service providers). not be transferred; or (3) the receivable, in nature, is not legally attach- According to relevant news reports, the newly appointed FSC chair- able. The receivables under loan, subject to (2) above, are generally person, Mr Huang, announced that the second stage of open banking transferable. However, a bank is subject to stricter rules that, gener- (which involves customer-related information) will be launched in 2020. ally, loans that remain performing cannot be transferred by a bank, with some limited exceptions (such as for the purpose of securitisation). Robo-advice In general, no company may carry out the activities of receivable 14 Describe any specific regulation of robo-advisers or other transfer for business. Purchase of accounts receivable may only be companies that provide retail customers with automated conducted by a licensed bank. access to investment products in your jurisdiction.

Payment services In June 2017, the Securities Investment Trust and Consulting Association 12 Are payment services regulated in your jurisdiction? of Taiwan, the self-disciplinary organisation of the asset management industry, issued the Operating Rules for Securities Investment Yes. Traditionally, payments by wire transfer can only be made through Consulting Enterprises Using Automated Tools to Provide Consulting a licensed bank. Payments via cheques and credit cards are also run Service (Robo-Adviser) (the Robo-Adviser Rules), which was approved through banks. by the FSC. Pursuant to the Robo-Adviser Rules, securities invest- Non-banks engaging in credit card-related business and issuance ment consulting enterprises may provide online securities investment of electronic stored-value cards should also obtain approval from the consulting services by using automated tools through an algorithm FSC, pursuant to the Act Governing Issuance of Electronic Stored Value (Robo-Advisor Services) and they must comply with certain rules, which Cards (the E-Card Act). include, among others, the following:

• periodical review of the algorithm; SALES AND MARKETING • relevant know-your-customer procedures should be conducted before the provision of advice; Restrictions • a special committee should be established to supervise the 19 What restrictions apply to the sales and marketing of adequacy of the Robo-Adviser Services; and financial services and products in your jurisdiction? • customers should be informed of precautions before using Robo- Adviser Services. The Financial Consumer Protection Act (FCPA) and its related regulations provide for the general marketing rules applicable to the marketing Insurance products materials for financial services. In general, under the FCPA, when 15 Do fintech companies that sell or market insurance products carrying out advertising, promotional or marketing activities, financial in your jurisdiction need to be regulated? services providers should not falsify, conceal, hide or take any action that would mislead financial consumers and they should ensure the In Taiwan, selling insurance products will be considered conducting truthfulness of the advertisements. In addition to the general marketing insurance business, which requires an insurance licence from the rules under the FCPA, the financial service providers may also be FSC. A fintech company is not permitted to sell any insurance products subject to additional marketing rules as specified in the laws and regu- without an insurance licence from the FSC. lations governing the specific types of financial services or products.

Credit references CHANGE OF CONTROL 16 Are there any restrictions on providing credit references or credit information services in your jurisdiction? Notification and consent 20 Describe any rules relating to notification or consent Yes. Pursuant to the Banking Act and relevant regulations, an entity requirements if a regulated business changes control. collecting credit-related information from financial institutions, processing this information and maintaining the relevant database and The rules relating to notification or approval requirements for change of providing credit-related information and records to financial institu- control of a financial services company vary among the types of compa- tions for credit-checking purposes must obtain prior approval from the nies. For example: FSC. Currently, the JCIC is the only FSC-authorised entity that offers • bank: a prior approval must be obtained from the Financial these services. In practice, a bank would normally review the credit Supervisory Commission (FSC) if an investor or its related parties information or records provided by the JCIC as part of the bank’s credit has individually, jointly or collectively acquired or held more than investigation on an applicant for a credit extension. 10 per cent, 25 per cent or 50 per cent of the voting shares of a bank; If an entity does not offer these services, no FSC approval is • securities firm: no prior approval from the FSC is required; required, but it will still be subject to the Personal Data Protection Act • securities investment trust enterprise (SITEs): if the professional regarding its collection and use of any personal data. shareholder of a SITE intends to transfer its shareholding in the SITE, the SITE should report to the FSC the transfer of shares CROSS-BORDER REGULATION before the transfer is conducted; and • securities investment consulting enterprise: no prior approval Passporting from the FSC is required. 17 Can regulated activities be passported into your jurisdiction? FINANCIAL CRIME

There is no concept of passporting right in Taiwan. To engage in regu- Anti-bribery and anti-money laundering procedures lated financial activities, a company needs to apply for the relevant 21 Are fintech companies required by law or regulation to have licences to the Financial Supervisory Commission (FSC). Depending on procedures to combat bribery or money laundering? the types of regulated activities, the applicant must meet certain qualifications as required under relevant laws and FSC regulations. Money laundering activities are mainly regulated by the Money Laundering Control Act (MLCA) (last amended on 7 November 2018) and Requirement for a local presence its related regulations. Under the MLCA, in order to prevent money laun- 18 Can fintech companies obtain a licence to provide financial dering activities, financial institutions are required to implement their services in your jurisdiction without establishing a local own internal anti-money laundering guidelines and procedures and presence? submit them to the Financial Supervisory Commission (FSC) for record. With respect to digital currency platform operators or transac- No. Foreign companies cannot carry on regulated business (which tions, it was reported that, according to Mr Koo, the ex-chairperson of include financial services) without a licence, and the FSC licences the FSC, the FSC will regulate the anti-money laundering activities of required for providing financial services are not issued to foreign cryptocurrency trading platforms or exchanges under the MLCA after companies without establishing a subsidiary or a branch in Taiwan. the Executive Yuan officially authorises the FSC as the regulator. As at the time of writing, the Executive Yuan has not granted this authorisation to the FSC. In addition, it is unclear at this stage what requirements will be imposed by the FSC on anti-money laundering activities of cryptocurrency trading platforms or exchanges.

PEER-TO-PEER AND MARKETPLACE LENDING Personal information is protected by the Personal Data Protection Act (PDPA) and the collection and use of any personal data is subject to Execution and enforceability of loan agreements notice and consent requirements. If a special-purpose company, when 23 What are the requirements for executing loan agreements or purchasing and securitising loans, acquires any personal data, it will be security agreements? Is there a risk that loan agreements subject to the obligations under the PDPA. or security agreements entered into on a peer-to-peer or marketplace lending platform will not be enforceable? ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER TECHNOLOGY AND CRYPTO-ASSETS There are no particular formality requirements for executing loan agreements. As to security agreements, under Taiwan law, different types of Artificial intelligence asset are subject to different formality requirements for perfection of a 27 Are there rules or regulations governing the use of artificial security interest created over them. The formality requirements for the intelligence, including in relation to robo-advice? most commonly seen security interests are as follows. • Chattels: there must be a written agreement to create a chattel The Taiwan government announced the 5+2 Industrial Innovation Plan mortgage. The mortgagor needs not deliver the possession thereof (the 5+2 Plan) in 2008, in which artificial intelligence played an impor- to the mortgagee; however, a registration with the competent tant role. The 5+2 Plan mainly focuses on seven industries (ie, intelligent authority will be necessary for the mortgagee to claim the chattel machinery, Asia Silicon Valley, green energy, biomedicine, national mortgage against a bona fide third party. defence and aerospace, new agriculture and the circular economy), • Real properties: security interest over real properties is taken by and is considered the core generator for Taiwan’s next generation of way of a mortgage registered with the relevant land registration industrial development. To facilitate the 5+2 Plan, the government also offices. The parties must enter into a written agreement to agree launched the AI Talent Programme, which aims to: on the creation of the mortgage and apply for registration of the • cultivate 1,000 high-calibre talents in intelligent technologies; mortgage before the mortgage can take effect. • train 5,000 talents in practical intelligent technologies; and • Shares: to create a pledge over shares, the pledgor and pledgee • attract foreign professionals by the year 2021. should enter into a written agreement. If the shares are represented by physical certificates, the pledged share certificates Nevertheless, the development of application of artificial intelligence in should also be duly endorsed by the pledgor and physically deliv financial business in Taiwan is still at a preliminary stage. The main ered into the pledgee’s possession. A notice of pledge to the issuing application involves correspondence with clients, such as through company is also required. If the shares are listed and deposited to Chatbot and Robo-Adviser Services. or registered with the local securities depository (ie, the Taiwan Depositary and Clearing Corporation (TDCC)), the above endorse- Distributed ledger technology ment, physical delivery of the shares and notification to the issuing 28 Are there rules or regulations governing the use of company are not required; instead, a pledge registration of the distributed ledger technology or blockchains? shares in the TDCC’s book-entry system in accordance with the TDCC’s regulations will suffice. No. No different rules apply to cases of peer-to-peer lending. Crypto-assets Assignment of loans 29 Are there rules or regulations governing the use of crypto- 24 What steps are required to perfect an assignment of assets, including digital currencies, digital wallets and loans originated on a peer-to-peer or marketplace lending e-money? platform? What are the implications for the purchaser if the assignment is not perfected? Is it possible to assign these Digital currencies (such as virtual currencies or cryptocurrencies with loans without informing the borrower? the applications of blockchain technology) that are not linked or tied to the currency of any nation are currently not accepted by the Central An assignment will not be effective against the borrower until the Bank of the Republic of China (Taiwan) (the Central Bank) as currencies. borrower has been notified of this assignment. If the borrower is not In December 2013, both the Central Bank and the Financial Supervisory notified of the assignment, the borrower may still make the repayment Commission (FSC) expressed the government’s position toward bitcoin to the assignor and discharge its repayment obligation by doing so. by issuing a joint press release (the 2013 Release). According to the 2013 Release, the two authorities held that bitcoin should not be consid- Securitisation risk retention requirements ered a currency, but a highly speculative digital virtual commodity. In 25 Are securitisation transactions subject to risk retention another FSC press release in 2014 (the 2014 Release), the FSC ordered requirements? that local banks must not accept bitcoin or provide any other services related to bitcoin (such as exchange bitcoin for fiat currency). The FSC There are no mandatory risk retention requirements for securitisation further issued a press release on 19 December 2017 (the 2017 Release), as prescribed for in the Financial Asset Securitisation Act of Taiwan. in which the FSC reiterated the government’s positions as specified in the 2013 Release and 2014 Release. Other than the above, no laws, regulations or rulings have been officially issued, promulgated or amended

224 Fintech 2021 © Law Business Research 2020 Lee and Li Attorneys at Law Taiwan to specifically deal with the rise of digital currencies, except for the Regulations on issuance (primary market): regulations governing tokens with the nature of securities. • Qualifications of the issuer: the issuer must be a company limited by Non-banks engaging in credit card-related business and issuance shares incorporated under the laws of Taiwan and not a company of electronic stored-value cards should also obtain approval from the listed on the Taiwan Stock Exchange, the TPEx or traded on the FSC, pursuant to the Act Governing Issuance of Electronic Stored Value Emerging Stock Market. This indicates that a foreign entity may not Cards. Banks providing mobile payment services must comply with act as an issuer of an STO programme. relevant FSC rules on, among others, security control. • Types of security tokens that can be issued: the issuer can only issue profit-sharing or debt tokens without shareholders’ rights, Digital currency exchanges meaning that shares, being a type of securities under SEA, with 30 Are there rules or regulations governing the operation of regular shareholders’ rights of an issuer cannot be issued in the digital currency exchanges or brokerages? form of security tokens, while bonds can be issued as debt tokens. • Eligible investors and amount limits: only professional inves- So far no Taiwanese laws or regulations have been promulgated tors are eligible to participate in STOs; where the professional or amended to formally regulate the operation of digital currency investor is a natural person, the maximum subscription amount is exchanges or brokerages in Taiwan, except for the regulations governing NT$300,000 per STO. ICO tokens with the nature of securities as well as the platform operator • Issuance process: issuers must conduct STOs on a single plat- for these tokens. form, and the platform operator has the obligation to ensure that the issuer meets the qualification requirements and that the Initial coin offerings prospectus is well prepared. Where the platform operator itself is 31 Are there rules or regulations governing initial coin offerings an STO issuer, this issuer should not launch an STO without a prior (ICOs) or token generation events? review by the TPEx. Regulations on trading (secondary market): In response to the rising amount of ICOs and other investment activi- • Trading mechanism for security tokens: the platform oper- ties regarding digital currencies and cryptocurrencies, the FSC also ator should obtain a securities dealer licence and handle the expressed the following views on ICOs through the 2017 Release. trading by way of price negotiation. The platform operator • The classification of an ICO should be determined on a case-by-case should be the counterparty to every transaction and should basis. If an ICO involves offering and the issuance of securities, it offer a reasonable reference quotation based on the market should be subject to the Securities and Exchange Act (SEA). The conditions. In addition, each security token under an STO issue of whether tokens in an ICO would be deemed securities programme may be traded only on a single platform. under the SEA would depend on the facts of each individual case. • Maximum transaction amount: where the professional investor • If any misrepresentations with respect to technologies or their is a natural person, the maximum amount of holding under outcomes or promises of unreasonably high returns are used by an STO programme is NT$300,000. In addition, the maximum the issuer of virtual currencies or an ICO to attract investors, the daily transaction limit for each STO is 50 per cent of the total issuer would be deemed as committing fraud or illegal fundraising. issuance amount under such STO programme.

On 3 July 2019, the FSC issued a ruling that officially designated cryp- An STO platform operator: tocurrencies the nature of securities, (ie, security tokens, described • Qualifications of the platform operator: the platform operator as 'securities' under the SEA (the 2019 Ruling)). According to the 2019 should obtain a securities dealer licence, have minimum paid-in Ruling, security tokens refer to those that: capital of NT$100 million and provide an operation bond in the • utilise cryptography, distributed ledger technology or other similar amount of NT$10 million. technology to represent the value that can be stored, exchanged or • Total offering amount capacity: the total offering amount of all STOs transferred through digital mechanisms; on a single platform should not exceed NT$100 million. A platform • are transferable; and can accept to process a second STO only one year after the security • encompass all of the following attributes of an investment: tokens of the first STO have been traded on the platform. • funding is provided by investors; • Transfer and record keeping: the platform operator should enter • funding provides for a common enterprise or project; into an agreement with the Taiwan Depository and Clearing • investors expect to receive profits; and Corporation (TDCC) and transmit the trading information, such as • profits are generated primarily from the efforts of the issuer balance changes and the balance statement, to the TDCC for its or third parties. record on a daily basis. The TDCC should provide an STO balance inquiry service to investors. In addition to the 2019 Ruling, the FSC issued a press release on 27 June 2019 to illustrate the key points of the FSC's policy on security token Subscription and trading offerings (STOs). Since then, the FSC and the Taipei Exchange (TPEx) Subscription and trading of security tokens should be conducted on a have set out the regulations governing STOs (the STO Rules), and the real-name basis and the transactions must be conducted in New Taiwan STO Rules were finalised in January 2020. Specifically, the FSC differ- Dollar under the same name as the account name of the bank account. entiates the regulation of different STOs using the threshold of NT$30 million. For an STO of NT$30 million or less, the STO may be conducted in compliance with the STO Rules; an STO above NT$30 million must first apply to be tested in the ‘financial regulatory sandbox’ pursuant to the FinTech Development and Innovation and Experiment Act and, if the experiment has a positive outcome, should be conducted pursuant to SEA. Below is a summary of certain other major provisions of the STO Rules (ie, for STOs of NT$30 million or less). www.lexology.com/gtdt 225 © Law Business Research 2020 Taiwan Lee and Li Attorneys at Law

DATA PROTECTION AND CYBERSECURITY As for other financial services companies, there exists no single regulation that governs their outsourcing activities, and, generally, Data protection outsourcing is allowed only if the FSC has issued any ruling permitting 32 What rules and regulations govern the processing and it. For example, a securities investment trust enterprise is permitted to transfer (domestic and cross-border) of data relating to outsource its operation of evaluating fund assets, calculation of a fund’s fintech products and services? net worth and fund accounting to a professional institution, subject to applicable requirements specified under the relevant FSC rulings. In Taiwan, personal data is generally protected by the Personal Data When the use of cloud computing involves outsourcing the Protection Act (PDPA). Under the PDPA, unless otherwise specified operations of a financial institution, relevant laws and regulations under law, a company is generally required to give notice to (notice governing outsourcing activities should be complied with. In general, requirement) and obtain consent from (consent requirement) an indian outsourcing activity should follow the internal rules and procedures vidual before collecting, processing or using any of this individual’s of the financial institutions, and in certain circumstances, prior approval personal information, subject to certain exemptions. To satisfy the from the FSC would be required. The use of cloud computing should notice requirement, certain matters must be communicated to the indi- also comply with the Personal Data Protection Act. vidual, such as the purposes for which his or her data is collected, the type of the personal data and the term, area and persons authorised to Cloud computing use the data. 35 Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services Cybersecurity industry? 33 What cybersecurity regulations or standards apply to fintech businesses? When the use of cloud computing involves outsourcing the operations of a financial institution, relevant laws and regulations governing Different cybersecurity regulations or standards may apply to different outsourcing activities should be complied with. In general, an types of financial service entities or their products or services. For outsourcing activity should follow the internal rules and procedures of example, if a type of fintech business is considered to fall within the the financial institutions, and, in certain circumstances, prior approval scope of electronic banking business, in addition to the relevant licensing from the FSC would be required. The use of cloud computing should requirements under certain financial regulations, it should also comply also comply with the Personal Data Protection Act. with the rules governing the security control for this business. According to the Regulations Governing Internal Operating Systems With respect to the 'regulatory sandbox' under the FinTech and Procedures for the Outsourcing of Financial Institution Operation as Development and Innovation and Experiment Act, relevant description last amended on 30 September 2019, a prior approval from the FSC is regarding the information system and security control is required for an required if an outsouring of operations by a financial institution involves application for entering the sandbox. cloud-based services and the outsourcing of operations is consid- The Cyber Security Management Act (CSMA) was enacted in June ered ‘material’ or the operation is outsourced to an overseas service 2018. According to the CSMA, financial services firms would be required provider. Further, when the outsourcing involves cloud-based services, to comply with relevant obligations (including, among other things, the financial institution must, among other things: ensure appropriate requirements for meeting a specific security level, setting up relevant diversification of cloud service providers; retain full ownership of the internal rules for implementing plans for maintaining information data outsourced to cloud service providers; and ensure the location for security and reporting to the government in case of any cyber security processing and storage is within Taiwan (with certain exceptions). incident) under the CSMA if they are designated by the Taiwan government as the ‘critical infrastructure provider’ (CIP) under the CSMA. INTELLECTUAL PROPERTY RIGHTS While we think that no specific fintech business would be designated as a CIP, the CSMA would still apply to fintech businesses if the types IP protection for software of financial service entities carrying out these fintech business activities 36 Which intellectual property rights are available to protect are considered Financial Supervisory Commission-regulated entities software, and how do you obtain those rights? and are designated as CIPs by the Taiwan government. Software can be protected by intellectual property rights such as patent, OUTSOURCING AND CLOUD COMPUTING copyright or trade secret. As to patent, an inventor may file an applica tion with Taiwan’s Intellectual Property Office, and the patent right will Outsourcing be obtained once the application is approved. For copyrights and trade 34 Are there legal requirements or regulatory guidance with secrets, there are no registration or filing requirements for a copyright respect to the outsourcing by a financial services company of or a trade secret to be protected by law. However, there are certain a material aspect of its business? features that qualify a copyright or trade secret, such as ‘originality’ and ‘expression’ for copyrights, and ‘economic valuable’ and ‘adoption The legal requirements with respect to the outsourcing by a financial of reasonable protection measures’ for trade secrets. services company vary among the types of companies. For example, According to the Patent Act of Taiwan, the subject of a patent right a bank’s outsourcing must comply with the Regulations Governing is ’invention’ and an invention means the creation of technical ideas, Internal Operating Systems and Procedures for the Outsourcing of utilising the laws of nature. As a general rule, business methods are Financial Institution Operation (the Banks Outsourcing Regulations), regarded as using social or business rules rather than laws of nature, under which only the activities enumerated in the Banks Outsourcing and therefore may not be the subject of a patent right. As for software- Regulations can be outsourced (subject to relevant requirements, implemented inventions, if it coordinates the software and hardware to such as supervision of the outsourced party and the contract with the process the information, and there is a technical effect in its operation, it outsourced party), and outsourcing of some activities would require might become patentable. For instance, a ‘method of conducting foreign prior approval from the Financial Supervisory Commission (FSC). exchange transaction’ would be deemed as a business method and thus

226 Fintech 2021 © Law Business Research 2020 Lee and Li Attorneys at Law Taiwan unpatentable; however, a ‘method of using financial information system order should not use the trade secrets for purposes other than those to process foreign exchange transactions’ might be patentable. related to the court trial or disclose the trade secrets to those who are not subject to the order. IP developed by employees and contractors 37 Who owns new intellectual property developed by an Branding employee during the course of employment? Do the same 40 What intellectual property rights are available to protect rules apply to new intellectual property developed by branding and how do you obtain those rights? How can fintech contractors or consultants? businesses ensure they do not infringe existing brands?

Intellectual property developed by an employee during the course The Trademark Act in Taiwan provides for the protection of brands. The of employment rights of trademarks can be obtained through registration with Taiwan’s With regard to a patent, the right of an invention made by an employee Intellectual Property Office. The term of protection is 10 years from the during the course of performing his or her duties under employment date of publication of the registration and may be renewed for another will be vested in his or her employer and the employer should pay 10 years by filing a renewal application. the employee reasonable remuneration unless otherwise agreed by Every registered trademark will be published on the official website the parties. maintained by the Intellectual Property Office and the trademark search A trade secret is the result of research or development by an system is accessible by the general public. On the search system, a employee during the course of performing his or her duties under fintech business may check whether an identical or similar trademark employment and it will belong to the employer unless otherwise agreed exists and who the proprietor of a registered trademark is. by the parties. For copyright, where a work is completed by an employee within Remedies for infringement of IP the scope of employment, the employee is the author of the work but 41 What remedies are available to individuals or companies the economic rights to this work will be enjoyed by the employer unless whose intellectual property rights have been infringed? otherwise agreed by the parties. Patent Intellectual property developed by contractors or consultants With regard to infringement of an invention patent, the patentee may In respect of patent rights and trade secrets, the agreement between claim for damage suffered because of the infringement. The amount the parties will prevail, or these rights will be vested in the inventor or of damages may be calculated by the damage suffered and the loss of developer in the absence of such agreement. However, if there is a fund profits as a result of the infringement; profit earned by the infringer as provider, the funder may use this invention. a result of patent infringement; or the amount calculated on the basis In respect of copyright, the contractor or the consultant who actu of reasonable royalties. If the infringement is found to be caused by the ally makes the work is the author of the work unless otherwise agreed infringer’s wilful act of misconduct, the court may triple the damages to by the parties; the enjoyment of the economic rights arising from the be awarded. Patent infringements have been decriminalised since 2003. work should be agreed by the parties, or these rights will be enjoyed by the contractor or the consultant in the absence of such agreement. Copyright However, the commissioning party may use the work. The damage suffered because of copyright infringement may be claimed in the process of civil procedure. As for criminal liabilities, there are Joint ownership different levels depending on different types of infringement, ranging 38 Are there any restrictions on a joint owner of intellectual from imprisonment, of no more than three years, and detention to a fine property’s right to use, license, charge or assign its right in of no more than NT$750,000. intellectual property? Trademark In respect of patents and trademarks, each joint owner may use the The damage suffered because of trademark infringement may be jointly owned rights at his, her or its discretion; however, a joint owner claimed in the process of civil procedure. As for criminal liabilities, any may not license or assign the jointly owned rights without consent of all person shall be liable to imprisonment for a period not exceeding three the other joint owners. In respect of copyrights and trade secrets, each years or a fine not exceeding NT$200,000, or both, if he or she: joint owner may not use, license or assign the rights without unanimous • uses a trademark that is identical to the registered trademark in consent of the other joint owners, while the other joint owners may not relation to identical goods or services; withhold the consent without reasonable cause. • uses a trademark that is identical to the registered trademark in relation to similar goods or services and hence there exists a likeli Trade secrets hood of confusion for relevant consumers; or 39 How are trade secrets protected? Are trade secrets kept • uses a trademark that is similar to the registered trademark in confidential during court proceedings? relation to identical or similar goods or services and there exists a likelihood of confusion for relevant consumers. Trade secrets are protected if they satisfy the following constituent elements: information that may be used in the course of production, Trade secrets sales or operations; having the nature of secrecy; economic value; and The damage suffered because of infringement of trade secrets may be adoption of reasonable protection measures. claimed in the process of civil procedure. As for criminal liabilities, a To keep the trade secrets confidential during court proceedings, person may be sentenced to a maximum of five years imprisonment and, the court trial may be held in private if the court deems it appropriate in addition, a fine between NT$1 million and NT$10 million if he or she: or it is otherwise agreed upon by the parties. The parties and a third 1 acquires a trade secret by an act of theft, embezzlement, fraud, party may also apply to the court for issuing a ‘confidentiality preserva threat, unauthorised reproduction or other wrongful means, or tion order’, and the person subject to this confidentiality preservation uses or discloses a trade secret that has been acquired; www.lexology.com/gtdt 227 © Law Business Research 2020 Taiwan Lee and Li Attorneys at Law

2 carries out an unauthorised reproduction of, or uses or discloses, a trade secret that he or she has knowledge or possession of; 3 fails to delete or destroy a trade secret in his or her possession as the trade secret holder orders, or disguises it; or 4 knowingly acquires, uses or discloses a trade secret known or possessed by others that is under the circumstances specified in points (1) to (3) above.

COMPETITION Abe T S Sung [email protected] Sector-specific issues Eddie Hsiung 42 Are there any specific competition issues that exist with [email protected] respect to fintech companies in your jurisdiction? 8F, No. 555, Sec 4, Zhongxiao E Road In April 2016, the Financial Supervisory Commission (FSC) issued a Taipei 11072 press release pointing out the regulatory issues that may arise from Taiwan peer-to-peer lending activities. According to this and other sources, the Tel: +886 2 2763 8000 FSC is of the view that: Fax: +886 2 2766 5566 • if it is arranged that the lender (as a member of the platform) www.leeandli.com splits the original credit into several parts and in turn allocates and ‘sells’ the divided parts to other ‘members’ for investment with high return, it might involve regulatory issues regarding multilevel marketing; or IMMIGRATION • if the platform operators claim that the transaction has the nature of high return, low cost and low risk, it might constitute false or Sector-specific schemes misleading advertising and would result in a violation of the Fair 45 What immigration schemes are available for fintech Trade Act. businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial The above two issues are under the supervision of the Fair Trade sectors? Commission. The Act for the Recruitment and Employment of Foreign Professionals, TAX as enacted in 2017, aims to attract foreign talents to increase Taiwan’s competitiveness. Although this Act was not specifically enacted for the Incentives area of fintech, we believe that fintech talents would be among those that 43 Are there any tax incentives available for fintech companies Taiwan wants to attract. The key measures proposed under this Act are: and investors to encourage innovation and investment in the • the relaxation of regulations on work, visa and residence; fintech sector in your jurisdiction? • the easing of provisions concerning the stay or residence of parents, spouses and children; and Currently, there are no tax incentives specifically provided for fintech • providing benefits regarding retirement, insurance and tax. companies. Generally, a company may choose to credit either up to 15 per UPDATE AND TRENDS cent of its total expenditure on research and development against its corporate income tax payable for that year; or up to 10 per cent of its Current developments total expenditure on research and development against its corporate 46 Are there any other current developments or emerging income tax payable for each of the three years starting from that year, trends to note? provided that the deduction amount did not exceed 30 per cent of the corporate income tax payable for the company in that year and that it did Digital-only banks not commit any material violation of any law on environmental protec- In 2018, the Financial Supervisory Commission (FSC) promulgated tion, labour or food safety and sanitation in the past three years. To relevant regulations governing the application for establishment of apply such tax credits, a company must apply to and receive approval digital-only banks (ie, banks without physical branches). Three applica- from the government. tions were filed with the FSC by 15 February 2019 and all of them were approved 30 July 2019, and they are expected to start operating in 2020. Increased tax burden The establishment of digital-only banks is anticipated to encourage 44 Are there any new or proposed tax laws or guidance that cross-industry combinations and fintech applications for everyday life could significantly increase tax or administrative costs for by building a fintech ecosphere. fintech companies in your jurisdiction?

Currently there are no such new tax laws or guidance and, to our understanding, currently there are no such proposals.

No. There is no covid-19-related emergency legislation nor are there measures with respect to fintech in Taiwan.

Cigdem Ayozger Ongun and Begum Erturk SRP-Legal Law Firm

FINTECH LANDSCAPE AND INITIATIVES Law No. 4691 and its implementing regulation. This law provides lower corporate income tax, withholding tax, income tax exemptions, employer General innovation climate social security contribution support payments and value-added tax 1 What is the general state of fintech innovation in your exemptions for fintech start-ups. Moreover, the Presidential Decree on jurisdiction? State Incentives Provided to Investments, which entered into force on 7 August 2019, saw a recent amendment that scrapped large-scale infra- There is a dynamic fintech climate in Turkey and all areas of the market structure project investments from the incentive regime and introduced are ripe for investment. The fintech ecosystem in Turkey in 2019 was increased incentives for R&D activities and value-added technology one of the most important areas, as eight fintech companies (ie, credit production. scoring, payment and e-money institutions) were launched, and, accord- Besides this, government support may be seen in the 11th ingly, they were partially or totally acquired by local and foreign fintech Development Plan of Turkey (the 11th Plan), which was published in or technology companies. the Official Gazette on 23 July 2019. The 11th Plan includes objectives In the Turkish fintech ecosystem there are services (ie, payment directly related to the Turkish financial technology ecosystem. and e-money services, money transfer and remittance, bill payment Finally, the Amendment to the Law on Payment and Securities and system operator services) that are regulated under Turkish law, Settlement Systems, Payment Services and Electronic Money while others (ie, lending and credit scoring, digital wallet and applica- Institutions (the Amendment), in line with the requirements of the tion programming interface providers) are not. However, in less than a Payment System Services Directive II (Directive 2015/2366), entered year, new regulations with regard to open banking, equity and lending- into force on 1 January 2020. The Amendment set forth a provision based crowdfunding entered into force. Therefore, the upcoming years of the establishment of the Turkish Payment Services and Electronic are expected to contain more new developments in Turkish fintech law. Money Association (the Association), which entered into force on 22 May 2020. Accordingly, all payment and electronic money institutions Government and regulatory support are required to become members of the Association. The duties of the 2 Do government bodies or regulators provide any support Association include, among other things, carrying out professional specific to financial innovation? If so, what are the key training, research and advertising activities, establishing standards for benefits of such support? the industry and helping ensure coordination among members and with the regulator. In Turkey, investments have been supported pursuant to the Decision on State Aid in Investments brought into force with Decision of the FINANCIAL REGULATION Council of Ministers No. 2012/3305 and its Implementing Communiqué No. 2012/1; the Decision on Providing Project Based State Aid to Regulatory bodies Investments brought into force with Decision of the Council of Ministers 3 Which bodies regulate the provision of fintech products and No. 2016/9495; and Communiqué No. 30892 on the Code of Practice of services? Technology-Oriented Industrial Movements Programme (Communiqué No. 30892). Latest developments concern the Communiqué No. 30892: The Legislative Proposal to Amend the Law on Payment and Security its amendments were published in the Official Gazette No. 30969 on, and Settlement Systems, Payment Services, and Electronic Money were effective from, 5 December 2019. Institutions and Other Laws (the Amending Law) was published in Investment incentives are provided to all entities that meet the the Official Gazette No. 30956 on 22 November 2019 and entered requirements pursuant to the above-mentioned laws and regulations. into force on 1 January 2020. On the effective date of the Amending One of the purposes of the incentives is supporting high and medium-high Law, the powers of the Banking Regulation and Supervision Agency technology investments that will provide technological transformation. (BRSA) set forth under the Law on Payment and Securities Settlement Unlike many other information technology or e-commerce projects, Systems, Payment Services and Electronic Money Institutions (Law No. fintech projects are more likely to benefit from R&D incentives because 6493) were transferred to the Central Bank of the Republic of Turkey of the nature of fintech and its requirements, such as security, payment (CBRT). Accordingly, the CBTR has the authority to monitor legal rela- infrastructure, user experience and mobility. tions to which the payment service providers are a party owing to their During the establishment phase of fintech start-ups, there are activities in order to determine issues and areas for development. The alternatives, such as private incubation centres, techno-centres and Amending Law also grants the CBTR the authority to determine the collaboration offices, that may allow fintech start-ups to benefit from tax rules and procedures of the legal relations therein and form working advantages. In addition to these investment incentive-focused regula- committees if it deems the relevant activities harmful to the area of tions, fintech start-ups may also benefit from Technology Development payments. Finally, the CBRT is entitled to issue payments, e-money and

230 Fintech 2021 © Law Business Research 2020 SRP-Legal Law Firm Turkey system operator licences pursuant to the Law No. 6493, the Regulation There are no registration requirements with the authorities in Turkey on Payment Services and Electronic Money Issuance and Payment for a transfer or assignment to be effective. Institutions and the Communiqué on the Management and Supervision On the other hand, debt instruments, which can only be provided for Information Systems of the Payment E-Money Institutions. by the above-mentioned institutions, can be purchased and sold in the In addition to the CBRT, the Turkish Financial Crimes Investigation secondary market under the Capital Markets Law and regulations. (MASAK), which acts as Turkey's financial intelligence unit, effectively As the secondary regulation regarding lending-based crowdfunding fights money laundering and terrorist financing (AML). MASAK checks has not yet been prepared by the Turkish Capital Markets Board (CMB), whether financial institutions meet the requirements of AML regula- the situation of the trading of the funds in the secondary market, which tions and laws. Therefore, fintech companies, such as payment service will be provided through a lending-based crowdfunding platform, has providers, cryptocurrency trading platforms and crowdfunding plat- not been determined yet. forms, must fulfil their AML obligations. Collective investment schemes Regulated activities 7 Describe the regulatory regime for collective investment 4 Which activities trigger a licensing requirement in your schemes and whether fintech companies providing alternative jurisdiction? finance products or services would fall within its scope.

A large number of financial services and activities are regulated in In Turkey, the general rules and principles regarding investment funds Turkey. Some of these activities, which trigger licensing, authorisation are mainly regulated under the Capital Markets Law and regulations. In or registration requirements in Turkey, include, and are regulated by, this respect, further details regarding the establishment and activities of the following. investment funds are regulated under the Communiqué on the Principles • The Central Bank of the Republic of Turkey authorises payment of Investment Funds (III.52.1). Accordingly, the Investment Funds Guide services, invoicing services, e-money services and system oper- clarifies the rules and principles stipulated in this Communiqué. ator services. The regulatory regime for collective investment schemes is new, • The Banking Regulatory and Supervisory Agency issues licences and equity and lending-based crowdfunding platforms have been highly for banking and finance activities, such as banking services, regulated under Turkish Capital Markets Law. The Communiqué on factoring and financial leasing services. Equity Based Crowdfunding III-35/A.1 was issued by the CMB and was • The Capital Market Authority is responsible for authorising equity published in the Official Gazette No. 30907 on 3 October 2019. As per and lending-based crowdfunding platform services, trading and this Communiqué, only the platforms authorised and listed by the CMB carrying out intermediation activities in securities and other capital may carry out equity-based crowdfunding activities. On the other hand, markets instruments. a communiqué for lending-based crowdfunding platforms, has not yet • The Ministry of Treasury and Finance authorises insurance been prepared and, accordingly, carrying out lending-based crowd- activities. funding activities is not yet allowed. • The Central Securities Depository of the Turkish Capital Markets provides its members with registration (public offering, etc), settle- Alternative investment funds ment and custody services. 8 Are managers of alternative investment funds regulated?

Consumer lending Alternative investment funds (AIFs) are operated and managed by port- 5 Is consumer lending regulated in your jurisdiction? folio management companies on behalf of their investors in exchange for a consideration, namely ‘a participation share’. Managers of AIFs are Consumer lending is regulated within the scope of the Banking Law, subject to the Communiqué on Portfolio Management Companies and the Law on Bank Cards and Credit Cards, the Regulation on Credit Activities of Such Companies (III-55.1) issued by the CMB. Operations of Banks and by the Ministry of Commerce through the Portfolio management companies are required to be established Consumer Law, the Regulation on Consumer Loan Agreements and the as joint-stock companies with the main objective of operating and Regulation on Housing Finance Agreements. managing investment funds. Compliance with certain conditions and obtaining the CMB licence as set forth under the above Communiqué Secondary market loan trading are required for establishing and operating a portfolio management 6 Are there restrictions on trading loans in the secondary company (PMC). The manager can either be the founder (founding a market in your jurisdiction? PMC or real estate PMC (REPMC)) or hold another role in the PMC or REPMC pursuant to a portfolio management contract. Fintech compa- In Turkey, in principle, loans can only be provided by bank and credit nies do not fall under the scope of the legislation concerning alternative institutions, which do not include payment service or e-money insti- investment fund managers. tutions. These banks and credit institutions must be established and authorised by the Banking Regulation and Supervision Agency. Peer-to-peer and marketplace lending Additionally, loan-based transactions are subject to the Turkish Banking 9 Describe any specific regulation of peer-to-peer or Law and regulations. Transferring a loan by way of novation (ie, marketplace lending in your jurisdiction. discharging the original debt) will have the effect of extinguishing the Turkish law-governed security. In these cases, there is a requirement Lending activities are highly regulated by the BRSA. For instance, to re-establish the security for the new lender. A parallel debt struc- according to the Banking Law or the Financial Leasing Law, only the ture may be a way of preventing the fall of the accessory security as a entities with a licence granted by the BRSA can legally conduct lending result of novation. The transfer of debts is also possible and made by an activities. According to the Turkish Criminal Code No. 5237, money agreement between the transferor, the transferee and the debtor. The lending and earning interest from that money without holding a licence agreement does not have to be in writing. However, security providers is a crime, defined as usury, that is subject to imprisonment between two for these debts should provide their consent in written form as well. to five years and a monetary fine of an amount up to 500,000 Turkish lira. www.lexology.com/gtdt 231 © Law Business Research 2020 Turkey SRP-Legal Law Firm

In addition, lending-based crowdfunding platforms, which can Open banking be considered peer-to-peer lending, have just been regulated under 13 Are there any laws or regulations introduced to promote Turkish Capital Markets Law. However, a communiqué for these plat- competition that require financial institutions to make forms has not been prepared yet by the CMB. Accordingly, carrying out customer or product data available to third parties? lending-based crowdfunding activities is not yet allowed. The Amending Law was published in the Official Gazette No. 30956 and Crowdfunding dated 22 November 2019 and entered into force on 1 January 2020. 10 Describe any specific regulation of crowdfunding in your The Amending Law extended the list of payment services to include jurisdiction. ‘payment initiation services’ and ‘account information services’, which were introduced by the Directive (EU) 2015/2366 on payment services Reward-based crowdfunding platform activities are not regulated in (PSD2). However, unlike the PSD2, banks are not legally required to Turkey. Donation-based crowdfunding platforms may be subject to offer third-party providers access to their customers’ accounts via certain regulations. Both reward- and donation-based crowdfunding open application programming interfaces (APIs), at least until the CBRT platform activities have been performed by several companies in Turkey. issues its secondary legislation on data-sharing practices; although, a In addition, equity and lending-based crowdfunding platforms are number of Turkish banks already publish their APIs to promote third- highly regulated under Turkish Capital Markets Law. The Communiqué party developers. Foreign exchange buying and selling transactions in on Equity Based Crowdfunding III-35/A.1 was issued by the CMB and was cash, without the use of a payment account, are not considered payment published in the Official Gazette No. 30907 on 3 October 2019. According services under the scope of Law No. 6493. Therefore, to conduct these to this Communiqué, only the platforms authorised and listed by the kind of transactions, there is no need to obtain any licence from the CBRT. CMB may carry out equity-based crowdfunding activities. On the other In addition, the Banking Regulatory and Supervisory Authority laid hand, a communiqué for lending-based crowdfunding platforms has not down the legal infrastructure of open banking with the Regulation on been prepared yet by the CMB. Accordingly, carrying out lending-based Banks’ Information Systems and Electronic Banking Services, issued on crowdfunding activities is not yet allowed. 15 March 2020. Under this regulation, which entered into force on 1 July 2020, Turkish banks will be able to utilise open banking to carry out Invoice trading many activities to provide an unprecedented user experience. 11 Describe any specific regulation of invoice trading in your jurisdiction. Robo-advice 14 Describe any specific regulation of robo-advisers or other The accounts receivable are usually, but not always, in the form of companies that provide retail customers with automated cheques or cashier’s cheques assigned or transferred to the assignee access to investment products in your jurisdiction. by the assignor in return for immediate payment. The Law on Financial Leasing, Factoring, and Financing Companies and its secondary regula- In Turkey, unlike other countries, there is no legal regulation specifi- tions are the primary pieces of legislation that govern this field in Turkey. cally regarding robo-advisory or automatic consultancy. For this reason, In addition, establishing a platform to provide information and there is no automated consultancy company that serves in an open services regarding electronic invoices to merchants, is not regulated in architectural structure, can provide investment consultancy services Turkish jurisdiction. However providing services for mediating invoice to its customers and can act on their behalf. The institutions that are payments is subject to Law No. 6493. allowed to conduct consultancy activities regarding fund allocation and to provide fund advice to the participant, are portfolio management Payment services companies subject to the Turkish Capital Markets Law. 12 Are payment services regulated in your jurisdiction? Even though automatic consultancy services are not directly available to the participant, currently, Turkish automatic consultancy Payment services are regulated in Turkey under Law No. 6493. According products are used by companies such as pension companies. to Law No. 6493, the following activities are defined as payment services: • all the operations required for operating a payment account, Insurance products including the services enabling cash to be placed on a payment 15 Do fintech companies that sell or market insurance products account and cash withdrawals from a payment account; in your jurisdiction need to be regulated? • payment transactions, including transfers of funds from the payment account of a payment service user before the payment Insurance services and, accordingly, selling insurance products are service provider; direct debits, including one-off direct debits, highly regulated under the Turkish Insurance Law and regulations. execution of payment transactions through a payment card or a Companies that decide to perform these activities must obtain authori- similar device; and the execution of money transfers, including sation from the Ministry of Treasury. As the activities of insurance regular standing orders; companies are restricted, they are not allowed to perform activities • issuing or acquiring payment instruments; other than providing insurance services. In this respect, fintech compa- • money remittance; nies must pay attention not to be considered insurance companies by • executing payment transaction where the consent of the payer to facilitating activities in the insurance market. execute a payment transaction is given by means of any information technology or electronic telecommunication device and the Credit references payment is made to the information technology or electronic tele- 16 Are there any restrictions on providing credit references or communication operator, acting only as an intermediary between credit information services in your jurisdiction? the payment service user and the supplier of the goods and services; and Kredi Kayıt Bürosu (KKB) offers its services not only to financial insti- • services for mediating invoice payments. tutions, but also to individuals and the real sector through the cheque report, risk report and electronic report systems launched in January

2013. As of September 2014, KKB gathered its services aimed at indi- FINANCIAL CRIME viduals and the real sector under the umbrella of Findeks, the consumer service platform of KKB. Anti-bribery and anti-money laundering procedures Providing credit references or credit information services in Turkey 21 Are fintech companies required by law or regulation to have is a regulated activity under the Banking Law (Law No. 5411). The Risk procedures to combat bribery or money laundering? Centre was established within the Banks Association of Turkey (TBB) for the purpose of collecting the risk data and information of clients of credit Turkish money laundering and terrorist financing legislation, namely the institutions and other financial institutions to be deemed eligible by the Law for Preventing Laundered Criminal Income (Law No. 5549) and its Banking Regulatory and Supervisory Board and ensuring that this infor- supplementary regulation, requires that fintech companies implement mation is shared with these institutions or with the relevant persons or procedures to combat bribery. The appointment of a compliance officer, entities themselves or with real persons and 61 private law legal enti- identity verification of account holders and reporting of suspicious ties if approved and consented to. The KKB was founded in accordance transactions are commonplace requirements the regulation imposes with article 73/4 of the Banking Law and it conducts all operational and on fintech companies. The Turkish Financial Crimes Investigation Board technical activities through its own organisation as an agency of the Risk (MASAK), also regulates fintech products and services in terms of Centre of the TBB and provides data collection and sharing services to money laundering proceedings for crime and terrorist financing. the 180 financial institutions that are members of the Risk Centre. Guidance CROSS-BORDER REGULATION 22 Is there regulatory or industry anti-financial crime guidance for fintech companies? Passporting 17 Can regulated activities be passported into your jurisdiction? Yes, both industry and regulatory authorities provide assistance to entities active in regulated industries. MASAK, mandated by Ministry of Regulated activities cannot be passported into Turkey as regulated Treasury and Finance, provides guidance and education. MASAK has in the Markets in Financial Instruments Directive II for the European issued Sectoral Guidance Notes addressing Financial Institutions and Economic Area. Banks but not specifically addressing the fintech companies.

Requirement for a local presence PEER-TO-PEER AND MARKETPLACE LENDING 18 Can fintech companies obtain a licence to provide financial services in your jurisdiction without establishing a local Execution and enforceability of loan agreements presence? 23 What are the requirements for executing loan agreements or security agreements? Is there a risk that loan agreements A fintech company is required to be incorporated and licensed in the local or security agreements entered into on a peer-to-peer or Turkish jurisdiction. Apart from being licensed by the Banking Regulation marketplace lending platform will not be enforceable? and Supervisory Authority, it needs to be incorporated as a corporation, with minimum capital requirements (approximately US$170,000) and Transferring loans is possible and is done by entering into an agree- limitations on the controlling ownership of shares and share transfers. ment between the transferor, the transferee and the debtor. The agreement does not have to be in writing. However, security providers SALES AND MARKETING for these debts should provide their consent in written form as well. The Compulsory Use of Turkish Language Law No. 805, dated 10 April Restrictions 1926, requires all agreements by Turkish parties to be made in Turkish. 19 What restrictions apply to the sales and marketing of Loan agreements or security agreements are not allowed to be financial services and products in your jurisdiction? entered into on peer-to-peer or marketplace lending platforms, which have not been regulated or allowed to run yet. The sale and marketing of financial services and products may fall under the surveillance of the Capital Markets Board (CMB) or the Banking Assignment of loans Regulation and Supervision Agency (BRSA). The CMB’s Principles on 24 What steps are required to perfect an assignment of Investment Services and Activities and Ancillary Services No. III-37.1 loans originated on a peer-to-peer or marketplace lending and the BRSA’s Regulation on Bank’s Procurement of Support Services platform? What are the implications for the purchaser if the impose certain restrictions on financial service providers and on the assignment is not perfected? Is it possible to assign these vendors providing the sale and marketing of financial services in Turkey. loans without informing the borrower?

CHANGE OF CONTROL There are no registration requirements with the authorities in Turkey for a transfer or assignment of loans to be effective. However, peer-to-peer Notification and consent or marketplace lending platforms have not been allowed to run yet. 20 Describe any rules relating to notification or consent requirements if a regulated business changes control. Securitisation risk retention requirements 25 Are securitisation transactions subject to risk retention Some companies performing in the banking and finance sector, such as requirements? payment service providers, crowdfunding platforms, banks and financial institutions, that are supposed to be parties to business transactions The primary piece of legislation that governs asset-backed securities (ie, mergers, acquisitions or share transfers) must notify the relevant and the risk retention system and requirements that must be put in authorities (ie, the Banking Regulation and Supervision Agency, the place is the Communiqué on Asset Backed Securities No. III-59.1. The Central Bank of the Republic of Turkey and the Capital Market Authority). originator must retain the risk. www.lexology.com/gtdt 233 © Law Business Research 2020 Turkey SRP-Legal Law Firm

Securitisation confidentiality and data protection requirements Digital currency exchanges 26 Is a special purpose company used to purchase and securitise 30 Are there rules or regulations governing the operation of peer-to-peer or marketplace loans subject to a duty of digital currency exchanges or brokerages? confidentiality or data protection laws regarding information relating to the borrowers? The Turkish Capital Markets Law and regulations govern the operation of digital currency exchanges and brokerages. However, neither There are two distinct regulations regarding the duty of confidentiality. cryptocurrencies nor crypto-assets can benefit from these rules and The first piece of legislation that governs the confidentiality of banking regulations. and financial information is the Banking Law (Law No. 5411). Additionally, the Personal Data Protection Law (Law No. 6698), codified on 24 March Initial coin offerings 2016, bars and sets limitations on the disclosure, processing and transfer 31 Are there rules or regulations governing initial coin offerings of personal information, which also includes borrower information. (ICOs) or token generation events? In relation to special purpose vehicles (SPVs) being utilised for securitisation confidentiality, with the Communiqué on Principles of Venture Neither initial coin offerings nor security token offerings are allowed in Capital and Private Equity Investment Companies (III-48.3) there are no Turkey. However, cryptocurrency trading platforms are allowed. limitations on using these entities, but the scope of their confidentiality duties is limited to the duty of confidentiality provisions found within the DATA PROTECTION AND CYBERSECURITY Turkish Commercial Code, the Turkish Criminal Code and any bilateral agreement barring disclosure that the SPV involved in the securitisation Data protection transaction may be party to. Consequently, SPVs are not awarded any 32 What rules and regulations govern the processing and special status, and any applicable duties, including the duty of confiden- transfer (domestic and cross-border) of data relating to tiality, still remain intact. fintech products and services?

ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER The Personal Data Protection Law, the Regulation on the Erasure, TECHNOLOGY AND CRYPTO-ASSETS Destruction, or Anonymisation of Personal Data and the other secondary regulations are the main laws that regulate personal data processing Artificial intelligence activities (ie, collection, domestic and cross-border transfers, destruc- 27 Are there rules or regulations governing the use of artificial tion and protection) for all sector players, including fintech companies. intelligence, including in relation to robo-advice? On the other hand, payment service providers must obtain a Payment Card Industry Data Security Standard certificate and comply There are neither rules nor regulations governing the use of artificial with its principles and procedures, which also include rules regarding intelligence in Turkey. data erasure, transfer, destruction and processing. Moreover, they must keep all data in Turkey under the Communiqué on the Administration Distributed ledger technology and Auditing of Payment Institutions and Electronic Money Institutions’ 28 Are there rules or regulations governing the use of distributed Information Systems. ledger technology or blockchains? Finally, there are personal data protection and privacy-specific provisions in other laws and regulations, such as the Turkish Banking There are neither rules nor regulations governing the use of distributed Law and Turkish Capital Markets Law. ledger technology or blockchains. However, distributed ledger technology and blockchains have recently started to be used in various sectors, Cybersecurity including banking and finance sector. Therefore, they are not forbidden. 33 What cybersecurity regulations or standards apply to fintech businesses? Crypto-assets 29 Are there rules or regulations governing the use of crypto- Article 31 of Law No. 6493 on Payment and Securities Settlement assets, including digital currencies, digital wallets and Systems, Payment Services and Electronic Money Institutions levies e-money? the duty to uphold a secure information technology system on the licensed payment service provider. Additionally, the Communiqué on There are neither rules nor regulations governing the use of crypto- the Administration and Auditing of Payment Institutions and Electronic assets, cryptocurrencies or digital wallets. However, the Turkish Money Institutions’ Information Systems sets clear regulatory stand- Financial Crimes Investigation Board published an updated guidebook ards applicable to fintech businesses. that states that fund transfers made to intermediary institutions for the The Communiqué on Principles Applicable to Banking Information purpose of purchasing crypto-assets (ie, bitcoin) will no longer automati- Systems Management published by the Banking Regulation and cally be considered a suspicious movement of funds and will be analysed Supervision Agency also regulates the field of cybersecurity appli- on a know your customer basis. This represents a more flexible approach cable to financial institutions, however, it does not govern payment towards crypto-assets. In addition, the Turkish Banking Regulation and service providers and e-money institutions. Additionally, the Electronic Supervision Agency explicitly states within its public announcement No. Communications Law also governs the issue of cybersecurity pertinent 2013/32 that crypto-assets are not to be considered as e-money. to businesses active in the fintech industry, namely with its supple- The use of digital wallets is allowed, but there are no rules or regula- mental Regulation titled Network and Information Security in the tions governing this tool. Electronic Communications Industry published in the Official Gazette Finally, e-money, which is regulated under Law No. 6493 on No. 29059 on 13 July 2014. Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions, can only be issued by e-money institutions authorised by the Central Bank of the Republic of Turkey.

OUTSOURCING AND CLOUD COMPUTING INTELLECTUAL PROPERTY RIGHTS

Outsourcing IP protection for software 34 Are there legal requirements or regulatory guidance with 36 Which intellectual property rights are available to protect respect to the outsourcing by a financial services company of software, and how do you obtain those rights? a material aspect of its business? Unlike common law jurisdictions that offer patent protection to software- Outsourcing limitations exist in two areas. One is related to outsourcing implemented inventions and upon the fulfilment of certain criteria, even where the outsourcing also needs to carry the qualifications and stand- business methods, Turkey does not afford patent protection to software- ards that are required from the entity (the licensed outsourcer, in other implemented inventions and business methods. Copyright protection is words, the payment service provider) that is being licensed. This is the method that can be utilised for protecting the ownership of rights detailed within the Law No. 6493 on Payment and Securities Settlement over software. Systems, Payment Services and Electronic Money Institutions and its If a copyrighted work such as a piece of software is created, it secondary regulations. is not compulsory to register it, and one owns the copyright and the The second legal requirement concerns outsourcing services protection at the time it is created or made public. Nevertheless, there pertinent to personal data and transferring personal data abroad. There is a non-compulsory registry system at the General Directorate of exists red tape for transfers abroad: practically a de facto rule requiring Copyright of the Ministry of Culture and Tourism that requires little all processing activities be performed within Turkey. proof. The general protection period is the lifetime of the author plus 70 years. Cloud computing There is no application similar to that of a patent application that is 35 Are there legal requirements or regulatory guidance with required of a copyright holder. respect to the use of cloud computing in the financial services Software and programs are classified in the class 09 in the Turkish industry? Classification System published on the Turkish Patent and Trademark Authority’s website; however, each piece of software may contain char- There are no specific requirements focused on the use of cloud acteristics of more than one specific class and this should be taken into computing. However, depending on where the cloud data is physically consideration. located, the use of cloud computing may be restricted, forbidden or conditioned. IP developed by employees and contractors For instance, the Personal Data Protection Law (Law No. 6698) 37 Who owns new intellectual property developed by an regulates the personal data transfer in two subsections concerning employee during the course of employment? Do the same transfers within Turkey and transfers out of Turkey, respectively. rules apply to new intellectual property developed by Therefore, depending on where cloud data is physically located, the contractors or consultants? relevant requirements and conditions must be fulfilled. For instance, if there is a cross-border personal data transfer generated from the use In principle, pursuant to the Industrial Property Law (Law No. 6769), of cloud computing, the data controller may be obliged to enter into an unless otherwise agreed upon because of special contracts made agreement with the cloud computing service provider and apply to the between the parties (employer and employee) or the nature of work, Personal Data Protection Board to get its authorisation. the rights to designs made by employees shall belong to the employer According to the Communiqué on the Management and Supervision according to employees’ job descriptions and obligations arising from for Information Systems of the Payment Institutions and E-Money the labour contract; or owing to the experiences and operations of busi- Institutions, institutions are obliged to have their information systems ness organisation. located in Turkey and cloud computing must be within the scope of For an invention to qualify as an ‘employee service invention’, it these systems. must be realised during the course of employment. The employee is In addition, pursuant to the Information Systems Management obliged to report the invention to his or her employer in writing without Communiqué No VII-128.9 published by the Capital Markets Board, delay. Additionally, free inventions that are the employee’s inventions companies, institutions and other legal entities are obliged to have their outside the scope of employee service inventions are also subject to information systems located in Turkey (cloud computing is included in reporting obligations for employees, who must make a declaration of the scope of these systems). The legal entities listed in the Communiqué the invention to their employer if the invention is made during their include publicly held companies, stock markets and capital markets employment contract. institutions. Finally, according to the Regulation on Bank Information Systems Joint ownership and Electronic Banking Services, customer data may not be transferred 38 Are there any restrictions on a joint owner of intellectual abroad without the explicit request of the customer. Owing to this regu- property’s right to use, license, charge or assign its right in lation, the use of cloud computing services that have servers located intellectual property? abroad may be problematic in terms of banking services, as the use of cloud computing services with servers located abroad is regarded as Certain restrictions and joint ownership provisions exist, both for data transfer abroad by Law No. 6698. copyright and patents. For copyright, joint ownership provisions and restrictions find form within the Law on Intellectual and Industrial Rights (Law No. 5846). For patents, Law No. 6769 provides that joint ownership is permissible and imposes restrictions upon the patent holders of IP rights. Pursuant to Law No. 6769, if an invention is made by more than one person, each of the inventors may apply for a patent and these inventors shall be granted joint ownership. www.lexology.com/gtdt 235 © Law Business Research 2020 Turkey SRP-Legal Law Firm

If the design application or design belongs to more than one Remedies for infringement of IP person, the partnership claim on the right shall be determined pursuant 41 What remedies are available to individuals or companies to the agreement concluded between the parties, and if there is no such whose intellectual property rights have been infringed? agreement between the parties, it is determined in accordance with the provisions related to joint ownership in the Turkish Civil Code No. 4721. According to Law No. 5846, authors whose intellectual property rights For a patent licence to be granted to third parties in relation to have been violated may: the use of an invention, each of the right owners must grant permis- • file a civil lawsuit regarding the prohibition of the infringement; sion unanimously. Even in the case of joint ownership, the rights of the • file a civil lawsuit regarding the prevention of infringement; owners may not be separated in relation to patent application or patent • request compensation; or assignment. Additionally, in the case of joint ownership, the right owners • file a criminal lawsuit. may assign a joint representative. Finally, according to Law No. 5846, if a work is created by more than According to Law No. 6769, persons whose rights are being violated may: one author and if the work is of an inseparable nature, joint ownership • file a civil lawsuit regarding probable infringement; shall be assumed and the provisions regarding ordinary partnerships • file a civil lawsuit to cease infringement; stipulated under Turkish Obligations Law No. 6098 shall apply. • file a civil lawsuit regarding the removal of infringement and request compensation; or Trade secrets • request for necessary precautions to be taken. 39 How are trade secrets protected? Are trade secrets kept confidential during court proceedings? COMPETITION

Trade secrets are protected under several Turkish regulations, including Sector-specific issues the Turkish Criminal Code. 42 Are there any specific competition issues that exist with Duties of confidentiality are established for a variety of parties, respect to fintech companies in your jurisdiction? including but not limited to, board members, shareholders, proxies, auditors, employees and contractors. Trade secrets, such as technical Since 2018, Turkish Competition Authority (TCA) has rendered decisions production secrets, production methods, and research and development in favour as well as against fintech companies. Recently, the TCA made plans, are protected also under Law No. 6769. a series of decisions that may potentially affect the market structure According to Turkish Commercial Law No. 6102, the protection of and the nature of competition in payment systems. Essentially, those trade secrets is stipulated as unfair competition, and persons that act decisions are based on the re-evaluation of earlier granted exemptions in violation of the confidentiality obligation regarding trade secrets and for certain services of the Interbank Card Centre (BKM). In brief, the TCA disclose trade secrets in bad faith; and employees, representatives and found that the BKM’s digital wallet, BKM Express, is not qualified for other contractors that deceive employers into providing trade secrets, exemption as its restrictive effects on competition outweigh the benefits shall be subject to an administrative sanction or imprisonment of up to general welfare, and the TCA ordered the BKM to stop BKM Express to two years. In addition, pursuant this Law, employers may request services no later than 30 June 2020. pecuniary and non-pecuniary damages from persons that violate the confidentiality obligation and non-competition obligation, causing unfair TAX competition. As for the protections offered during litigation processes where Incentives court records become public knowledge, the Turkish Civil Procedure 43 Are there any tax incentives available for fintech companies Code shall apply. Pursuant to Law No. 6100, parties that act in bad faith and investors to encourage innovation and investment in the and unreasonably utilise litigation proceedings to have access to trade fintech sector in your jurisdiction? secrets shall be subject to part of a or whole retainer fee in addition to a disciplinary fine. There exists a variety of tax incentives that are applicable to entities that are active in the technology industry, albeit these incentives are Branding not exclusive to the fintech industry and under most circumstances an 40 What intellectual property rights are available to protect entity’s entitlement to these incentives requires that a sectoral analysis branding and how do you obtain those rights? How can of the applicant be performed on a case-by-case review. fintech businesses ensure they do not infringe existing According to Law No. 4691 on Technology Development Zones, the brands? fintech companies located in technoparks can benefit from numerous tax incentives, including exemption from corporate tax, income tax and There are no specific regulations on intellectual property protection VAT. In addition, if fintech companies are essentially research and devel- regarding fintech innovations. Intellectual and industrial property rights opment companies, these companies have the right to deduct 50 per are generally protected by Law No. 5846 on Intellectual and Artistic Work cent of the social security premium exemption for its employees for a and Law No. 6769. If fintech products or services are subject to indus- period of five years. Further, under the same law, a taxpayer whose trial property rights (ie, a trademark or patent), a patent or trademark primary place of business is located within a designated tech zone shall is required to be registered before the Turkish Patent and Trademark be excluded from the duty of paying corporate tax and income tax until Office. However, there is no registration requirement in terms of intel- 31 December 2023. lectual rights. According to the Law No. 5846, ownership of a fintech innovation will belong to its first creator and he or she will be deemed as an author. If an employee creates an innovation during the employment contract, the author will be his or her employer. The duration of the IP right is the life of the author plus 70 years.

Increased tax burden 44 Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

A new digital service tax was introduced with the Law on the Digital Service Tax and Amendments on Certain Laws and Decree No. 375, which was published in the Official Gazette on 7 December 2019 and became effective after three months following its publication. Revenue Cigdem Ayozger Ongun [email protected] gained from the activities that fall under the definition of digital services and intermediary services provided in the digital environment shall be Begum Erturk subject to digital service tax. Taxpayers exceeding a revenue threshold [email protected] of €750 million in global revenue and 20 million lira in local revenue will be subject to a digital service tax at a rate of 7.5 per cent. 42 Maslak A27/8 The transactions carried out by the fintech companies that fall Maslak 34398 within the scope of the Law on Payment and Securities Settlement Istanbul Systems, Payment Services and Electronic Money Institutions are Turkey subject to banking insurance and transaction tax (BITT) at a rate of 5 per Tel: +90 212 4014401 cent in general (although some transactions are subject to 1 per cent or www.srp-legal.com 0 per cent BITT).

IMMIGRATION in line with the Directive (EU) 2015/2366 on payment services. This Sector-specific schemes Amendment is expected to enable the entry of new players to the fintech 45 What immigration schemes are available for fintech market, increase cooperation with the banking sector and facilitate the businesses to recruit skilled staff from abroad? Are there development of fintech sector in Turkey. any special regimes specific to the technology or financial sectors? Coronavirus 47 What emergency legislation, relief programmes and other There is no specific immigration scheme for fintech businesses to recruit initiatives specific to your practice area has your state staff from abroad. However, in the Turkish legal framework, there are implemented to address the pandemic? Have any existing several laws and regulations for immigration schemes to recruit skilled government programmes, laws or regulations been amended staff from abroad. The main regulations are the Turkish Citizenship Law, to address these concerns? What best practices are advisable the Law on Foreigners and International Protection, the International for clients? Labour Law, the Law on Work Permits for Foreigners and the Law on Residence and Travel of Foreigners in Turkey. During the covid-19 outbreak, certain relief regulations have been stipu- Persons that provide significant investment and employment lated. These include changes to labour law, commercial law, tax law and opportunities or are expected to provide significant improvements to finance law, such as amendments to working conditions, credit opportu- the technology and sciences sector, can receive Turkish citizenship nities, supportive payments to be made to employees, profit distribution under the Turkish Citizenship Law. regulations and the practicalities and delays relating to tax payments. As for work permits, industries that require specific expert employ- Civil and criminal proceedings and enforcement proceedings have been ment or a qualified executive candidate be appointed to director postponed and institutions have started to accept online applications positions, auditor positions that require the supervision of technical only. However, this has not hindered the application of laws. Although and administrative standards, or any other personnel that might be some sectors have been adversely affected, some companies within classified as key personnel will be eligible to receive a residency and specific sectors have considerably profited during this period. work permit. In Turkey, the online education, fitness application, mobile retail and domestic grocery sectors have profited most during this period, UPDATE AND TRENDS whereas the most negatively affected are airlines, entertainment businesses and transport services. Current developments According to the regulations stipulated under tax and finance laws, 46 Are there any other current developments or emerging if a company’s activity decreases by one-third and the company is in a trends to note? poor financial state, we advise that these companies take advantage of the relevant regulations adopted following the covid-19 outbreak.] A spirited and developing fintech industry exists in Turkey. Even though there are no specific definitions of crypto-assets in key legislation, there are no restrictions on engaging in these cryptocurrency transactions in Turkey. There have been developments in the legal and regulatory landscape for equity-based crowdfunding, payments, open banking and the protection of personal data. The recent Amendment to the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions reorganised the regulatory framework in the payment and electronic money services and introduced new definitions of account information services and payment initiation services www.lexology.com/gtdt 237 © Law Business Research 2020 United Arab Emirates

Muneer Khan, Jack Rossiter and Raza Rizvi Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES Beyond the DIFC and ADGM financial free zones, there are a number of other initiatives to foster innovation in the UAE that cross over into General innovation climate the UAE fintech sector. The UAE Blockchain Strategy 2021 aims to have 1 What is the general state of fintech innovation in your 50 per cent of all government transactions on the blockchain network jurisdiction? by 2021. In October 2016, the UAE cabinet launched Government Accelerators as a new mechanism to boost the achievement of the There is a generally progressive and ambitious trend around fintech National Agenda to achieve Vision 2021. Additionally, the Smart Dubai innovation in the UAE, with some fintech subsectors generating more initiative is the Emirate of Dubai government office charged with facili- notable and scaled innovation than others. Government and public tating Dubai’s citywide smart transformation, to empower, deliver and sector entities and regulators play a key role in the innovation strate- promote an efficient, seamless, safe and impactful city experience for gies across most industry verticals and this is also the case for fintech. residents and visitors. Among its key initiatives are the development of From a financial services regulatory perspective, the UAE comprises Dubai’s first Artificial Intelligence Smart lab and the Dubai Blockchain three separate and independent jurisdictions: Strategy, which is a collaboration between the Smart Dubai Office and • the Dubai International Financial Centre (DIFC); the Dubai Future Foundation to continually explore and evaluate the • the Abu Dhabi Global Market (ADGM); and latest technology innovations. The UAE created the first Minister of AI • the remainder of the UAE (often referred to as ‘onshore’ or with a mandate that will cross over into fintech innovation. In August ‘onshore UAE’). 2018, it was announced that the DIFC courts has partnered with Smart Dubai to create the world’s first Court of Blockchain. Federal-level financial services regulators have jurisdiction over onshore UAE; however, the DIFC and the ADGM each has its own regula- Government and regulatory support tory bodies, and all the various regulators across all three jurisdictions 2 Do government bodies or regulators provide any support have identified fintech innovation (albeit with some differing flavours) specific to financial innovation? If so, what are the key as a key priority. benefits of such support? In the DIFC, the DIFC FinTech Hive runs a now well-established accelerator programme that has focussed on fintech, insurtech, regtech The UAE’s financial services free zones (namely, the ADGM and the and Islamic fintech start-ups. In tandem, the DIFC’s financial services DIFC) each has its own regulators that have launched initiatives to regulator, the Dubai Financial Services Authority (DFSA) launched its enable fintech businesses to participate and test their solutions in envi- Innovation Testing Licence (ITL), a regulatory sandbox in 2017. These initi- ronments with lighter-touch regulation. atives are in line with the goals of the Dubai Plan 2021 strategy to develop In the ADGM, the FSRA has created a RegLab. Participants in the Dubai’s economy. The DFSA has also signed a number of bilateral fintech RegLab are not subjected to the full suite of authorisation regulation agreements with other regulators globally, such as with the Monetary and rules from the outset; rather, a customised set of rules will be Authority of Singapore in August 2018 and Japan’s Financial Services applied, which will depend on the business model, technology deployed Agency in September 2018, to cooperate in the development of fintech and risk profile of the fintech participant. and to foster innovation in their respective jurisdictions. Other similar Under the RegLab framework, fintech participants are given agreements that the DFSA has entered into include with the Australian two years to develop, test and launch their products and services in Securities and Investment Commission, the Hong Kong Monetary a controlled environment, after which fintech participants with viable Authority, the Hong Kong Securities and Futures Commission, the Hong business models will be transferred to the full authorisation and super- Kong Insurance Authority and the Securities Commission Malaysia. visory regime (provided they meet the authorisation criteria). Firms that Similarly, the ADGM’s financial services regulator, the Financial are not ready after the two-year period will exit the RegLab framework. Services Regulatory Authority (FSRA) launched its regulatory sandbox, In the DIFC, the DFSA has created the ITL, which fintech companies the Regulatory Laboratory (RegLab) following the implementation of its can apply for to test an innovative product or service for six to 12 months. fintech legislative framework. The ADGM has also partnered with the In exceptional cases, the DFSA will consider extending that period. If an Association of Southeast Asian Nations Financial Innovation Network, ITL licensee has met the outcomes detailed in its regulatory test plan, and which launched a digital marketplace – the Application Programming it can meet the full DFSA authorisation requirements, it will migrate to Interface Exchange (APIX) – for South-East Asia to support financial full authorisation. If it does not, the company will have to cease carrying inclusion, to test the cross-border connectivity between the ADGM on activities in the DIFC that need regulation. The DIFC also launched a Digital Sandbox and APIX. Both the DFSA and the FSRA joined the Global fintech fund of US$100 million fund with a stated objective to help prom- Financial Innovation Network (GFIN), to, among other objectives, assist ising start-ups raise growth capital, while also supporting their outreach with cross-border testing. and connections within the wider financial services industry.

To further the ambition of innovation of Dubai and the UAE in • dealing in products and investments (either as principal or agent); the financial world, the DFSA and the FSRA are committed to cross- • underwriting and placing financial products; border testing under the direction of the GFIN. The purpose of such a • offering and providing discretionary investment manage- pilot scheme is to assist in providing efficient ways for fintech firms to ment services; engage with regulators across multiple jurisdictions. • marketing or selling funds (including the provision of investment advice); FINANCIAL REGULATION • accepting deposits; • providing credit; Regulatory bodies • providing money services; 3 Which bodies regulate the provision of fintech products and • arranging deals in investments; services? • managing assets; • managing a collective investment fund; For banking and lending-related activities in onshore UAE, the financial • advising on financial products; and services regulator is the UAE Central Bank, while for securities and • insurance intermediation. capital markets-related matters, the UAE Securities and Commodities Authority (SCA) is the relevant regulator. Onshore UAE also has an insur- Securities and financial products that are regulated by the respective ance-sector regulator, which is the UAE Insurance Authority (IA). For all financial services regulators across onshore UAE, the DIFC and the regulated financial activities in the Dubai International Financial Centre ADGM include, but are not limited to, equity securities, debt securi- (DIFC), the regulator is the Dubai Financial Services Authority (DFSA). For ties, linked products, derivatives, structured products, deposits, notes all regulated financial activities in the Abu Dhabi Global Market (ADGM), and warrants. the regulator is the Financial Services Regulatory Authority (FSRA). Consumer lending Regulated activities 5 Is consumer lending regulated in your jurisdiction? 4 Which activities trigger a licensing requirement in your jurisdiction? Yes. Article 65 of UAE Decretal Federal Law No. 14 of 2018 Regarding the Central Bank and Organisation of Financial Institutions and Activities The onshore UAE regulatory regime is separate and different from the provides that the UAE Central Bank will regulate, among other things, regulatory regime found in the DIFC and the ADGM. So, when consid- the activities of ‘providing credit facilities of all types’, ‘providing stored ering the UAE, it is important to first ask which specific jurisdiction and values services, electronic retail payments and digital money services’ financial regulatory regime is applicable. and ‘providing virtual banking services’. As financial free zones, both the DIFC and the ADGM have their own With regard to the provision and booking of these services ‘in common law-based commercial and civil legal and financial services or from’ either the DIFC or the ADGM, these activities are likely to be regulatory frameworks, as well as their own dedicated courts. The DFSA considered as ‘providing credit’, which will require a licence from either is the financial services regulator for activities conducted in or from the the DFSA or FSRA respectively. To the extent that these services are DIFC and the FSRA regulates financial services activities in or from the only ‘advised’ on or ‘arranged’ from the same jurisdictions, an appro- ADGM. The relevant federal onshore UAE (ie, in the UAE but outside priate licence would also be required from either the DFSA or FSRA. If the DIFC and ADGM) financial regulators are the SCA, the UAE Central these services are merely promoted (with no ‘advising’ or ‘arranging’) Bank and the IA. The UAE Central Bank is the prudential regulator for ‘in or from’ either financial free zone, unless an exemption applies, a onshore UAE and mainly regulates activities relating to banking and Representative Office licence would be required from either the DFSA lending activities such as: or the FSRA respectively. • deposit taking (including sweep deposit accounts); • foreign exchange trading; Secondary market loan trading • guarantees and commitments; 6 Are there restrictions on trading loans in the secondary • payment services (including the issuance of payment instruments market in your jurisdiction? and other means of payments); • primary lending; Secondary market loan trading is an activity regulated by the UAE • factoring; Central Bank. It constitutes primary lending and is regulated whether or • invoice discounting; not the loan has been fully drawn. The trading of loans would also consti- • arranging primary loans; tute a regulated financial services activity in the DIFC and the ADGM. • secondary market loan trading; and • secondary market loan intermediation. Collective investment schemes 7 Describe the regulatory regime for collective investment Outside the banking and lending context, the UAE Central Bank was schemes and whether fintech companies providing historically the sole financial services regulator for onshore UAE prior alternative finance products or services would fall within its to the establishment of the SCA (in 2001) and the IA (in 2007). There are scope. therefore some other areas of financial activity that the UAE Central Bank continues to regulate – such as, among other things, currency In onshore UAE, there is a general prohibition on marketing unregis- brokerage, money exchange and some activities that would be typically tered collective investment schemes (ie, funds) unless they have been associated with investment banking. registered with the SCA accordingly (either for private or public promo- Generally, the types of regulated activities in onshore UAE, the tion). However, the onshore UAE marketing prohibition does not apply DIFC and the ADGM include, among other things: to the promotion of foreign funds to a non-natural ‘qualified investor’. A • the marketing and sale of securities; non-natural qualified investor is defined in the SCA rules and includes • providing investment advice; the federal government, among others. www.lexology.com/gtdt 239 © Law Business Research 2020 United Arab Emirates Simmons & Simmons LLP

There is a private placement regime under the SCA rules, where • benefit from a new financial activity and licence for operating such if the potential investor is a natural person, foreign funds can be regis- a platform; tered for private placement by an SCA-licensed promoter subject to • apply appropriate prudential and conduct of business require- several conditions. ments for these platforms; With regard to the DIFC, there is a prohibition on marketing unreg- • disseminate appropriate risk warnings and disclosures to lenders istered funds in the DIFC except through a DFSA-licensed intermediary and borrowers; with the appropriate type of licence, unless an exemption applies. The • conduct suitable due diligence on the borrowers as well as checks prohibition on the offer or sale of a fund only applies where this activity on lenders; is carried out ‘in or from’ the DIFC. It is not possible to register a foreign • deploy a business cessation plan in the event that it ceases oper- fund for distribution in the DIFC. Funds need only be registered with the ations; and DFSA if they are domiciled in the DIFC. There are currently relatively few • follow rules in relation to transfer of rights and obligations funds domiciled in the DIFC and so most funds marketed in the DIFC are between lenders. foreign (ie, non-DIFC-domiciled) and, therefore, unregistered. However, all funds and collective investment schemes promoted ‘in or from’ the On 1 August 2017, changes to the DFSA rules came into force that intro- DIFC need to meet a fund eligibility criteria. duced rules relevant to crowdfunding. Additional rules, which included Once a marketing entity holds the appropriate licence it may investment limits and property valuation requirements in the context of market foreign domiciled funds or DIFC-domiciled funds, provided it property crowdfunding, came into force on 1 July 2019. markets only to investors within the scope of its licence, and in the case of any foreign fund: Crowdfunding • the fund qualifies as a ‘designated’ or ‘non-designated fund’; 10 Describe any specific regulation of crowdfunding in your • the marketing entity has a reasonable basis for recommending a jurisdiction. fund as suitable to a particular client; or • the fund offered discreetly to persons who are professional clients Financial services in the UAE are regulated either by the UAE Central and the minimum subscription per investor is US$50,000. Bank, the IA or the SCA depending on the nature of the activity. In Similar provisions exist with regard to the ADGM. respect of financial free zones in the UAE, such activities are regulated by the DFSA in the DIFC, and the FSRA in the ADGM. In particular, Following public consultation, with effect from 31 August 2017, the DFSA issues of securities by UAE companies are regulated under the UAE updated its rules to include ‘operating a crowdfunding platform’ as a Companies Law (Federal Law No. 2 of 2015) and regulations issued regulated activity. by the SCA. As such, under the UAE Companies Law, only public joint- With regard to onshore UAE, while the UAE Central Bank is stock companies may offer securities by way of a public subscription reported to be in the process of drafting regulations relevant to crowd- through a prospectus. Other companies, whether incorporated in the funding, no specific regulatory regime has been introduced. However, UAE (onshore or in a free zone) or in a foreign jurisdiction, are prohib- depending on the specific activities undertaken (ie, where the platform ited from advertising including the invitation to a public subscription merely introduces two independently contracting parties or if the plat- without the approval of the SCA. In practice, private joint-stock compa- form is actively establishing a fund or offering securities), the activity nies are entitled to issue securities to sophisticated investors by way may potentially fall under existing UAE Central Bank or SCA regulation. of a private placement. Accordingly, this regulatory limitation restricts the ability of limited liability companies, the legal form adopted by Alternative investment funds most SMEs in the UAE, from raising funds through equity-based 8 Are managers of alternative investment funds regulated? crowdfunding. On 1 August 2017, changes to the DFSA rules came into force that Yes, managers of alternative investment funds are regulated in onshore introduced rules relevant to crowdfunding. Additional rules, which UAE, the DIFC and the ADGM. included investment limits and property valuation requirements in the context of property crowdfunding, came into force on 1 July 2019. Peer-to-peer and marketplace lending 9 Describe any specific regulation of peer-to-peer or Invoice trading marketplace lending in your jurisdiction. 11 Describe any specific regulation of invoice trading in your jurisdiction. Lending is a regulated activity whereby intermediary platforms are required to obtain approvals to operate from the UAE Central Bank, Invoice trading currently falls within the activity of ‘arranging credit’ which would trigger compliance requirements on the platform including within the DIFC and is regulated as such by the DFSA. Similar provi- the proper vetting of borrowers and anti-money laundering checks. sions exist in the ADGM. With regard to onshore UAE, invoice trading will While interest is prohibited under articles 409 to 412 of the Penal require a form of regulatory licence either from the UAE Central Bank Code and is void under articles 204 and 714 of the Civil Code, interest is (if providing credit) or the SCA (if invoices were to be considered as permitted under articles 77 and 90 of the Commercial Code, provided it a financial product falling within the SCA’s Promoting and Introducing does not exceed 12 per cent. In any case, UAE Federal Supreme Court Regulations – Regulation 3/RM of 2017). To the extent that services Decision No. 14/9 of 28 June 1981 permits the charging of simple are merely promoted within onshore UAE, the DIFC or the ADGM, interest (presumably as opposed to compound interest) in connection a Representative Office licence in the respective jurisdiction would with banking operations. be required. The DFSA issued a consultation paper in early 2017 called ‘Crowdfunding: SME Financing through Lending’, which proposed a regulatory framework to operate loan-based crowdfunding platforms in the DIFC. In summary, the DFSA proposed a regime whereby loan-based crowdfunding platforms in the DIFC:

Payment services criminal liability under article 379 of the UAE Penal Code. Further, 12 Are payment services regulated in your jurisdiction? article 106 of the Banking Law requires the UAE Central Bank to keep confidential all banking data that it receives. Yes. On 1 January 2017, the UAE Central Bank published its Regulatory Framework for Stored Values and Electronic Payment Systems Robo-advice (the Digital Payment Regulation), which covers the following digital 14 Describe any specific regulation of robo-advisers or other payment services: companies that provide retail customers with automated • cash-in services: enabling cash to be placed in a payment account; access to investment products in your jurisdiction. • cash-out services: enabling cash withdrawals from a payment account; The FSRA has issued a regulatory framework for digital investment • retail credit and debit digital payment transactions; managers (robo-advisers) operating in the ADGM. To supplement this, • government credit and debit digital payment transactions; the FSRA has also released guidance to illustrate how its regulatory • peer-to-peer digital payment transactions; and framework applies to robo-advisers in the ADGM. In particular, the guid- • money remittances. ance outlines: • the regulatory permission that may be required to provide digital The Digital Payment Regulation does not apply to the following payment investments services in or from the ADGM; and services or providers, although it states that the list below may be • how the FSRA will apply its authorisation criteria in key existing subject to other Central Bank laws and regulations: areas of technology governance, suitability and disclosure, and • payment transactions in cash without any involvement from an newer areas such as algorithm governance. intermediary; • payment transactions using a credit or debit card; Insurance products • payment transactions using paper cheques; 15 Do fintech companies that sell or market insurance products • payment instruments accepted as a means of payment only to in your jurisdiction need to be regulated? make purchases of goods or services provided from the issuer or any of its subsidiaries (ie, closed-loop payment instruments); Nothing in current UAE legislation (whether onshore UAE, DIFC or • payment transactions within a payment or settlement system ADGM) specifically regulates fintech companies that wish to sell or between settlement institutions, clearinghouses, central banks and market insurance products, and, therefore, the general regulation payment service providers (PSPs); around the sale and marketing of insurance products in the relevant • payment transactions related to transfer of securities or assets jurisdictions applies. (including dividends, income and investment services); The IA was established under Federal Law No. 6 of 2007 (the • payment transactions carried out between PSPs (including their Insurance Law). The IA, through the powers given to it under the agents and branches) for their own accounts; and Insurance Law, regulates insurance and reinsurance operations in • technical services providers. onshore UAE. Insurance operations include insurance activities such as life assurance and funds accumulation operations, properties insurance The Digital Payment Regulation specifies four categories of PSPs: retail and life liability insurance. PSPs, micropayment PSPs, government PSPs and non-issuing PSPs. Detailed financial regulations around insurance companies were In November 2019, the DFSA published Consultation Paper No.125 published at the end of 2014. The IA has issued various guidance and on Proposals for Money Services. circulars that affect the scope of regulation around the insurance In the paper, the DFSA set out its proposal to allow certain activities industry in the UAE. Insurtech businesses looking at the UAE market relating to money services that have emerged owing to rapid advance- will need to observe additional guidance from the IA. ments in technology, with the DFSA recognising that these activities could promote the growth of regulated financial services activities in Credit references the DIFC and provide greater protection and choices to users of money 16 Are there any restrictions on providing credit references or services. One of the activities it proposed to allow was the provision of credit information services in your jurisdiction? money services (as defined in the DFSA Rulebook Conduct of Business Module (COB)) in respect of electronic currency. The consultation has On 15 April 2018, the SCA issued Chairman of the SCA Board of Directors’ since closed and amendments to the DFSA Rulebook COB Module came Decision No. 18/RM of 2018 Concerning the Regulations as to Licensing into force on 1 April 2020, introducing requirements for the provision of Credit Rating Agencies. Under these regulations, a credit rating is ‘a money services in relation to electronic money in the DIFC. periodic measure to determine and assess the ability of the rated entity to meet its financial liabilities, and potential risks that may affect it, and Open banking to evaluate the financial products and potential risks of acquiring them 13 Are there any laws or regulations introduced to promote by the investor’ and credit rating activities are regulated. To be eligible competition that require financial institutions to make for a licence to carry on credit rating activities, an entity must have, customer or product data available to third parties? among other things, a minimum of 2 million UAE dirhams in capital and consent from the UAE Central Bank or the IA (should the licence applica- Other than in the context of a regulatory or official investigation, there tion be subject to their mandate). is no specific obligation in UAE legislation requiring the disclosure of In the DIFC, ‘operating a credit rating agency’ is a regulated activity data to third parties. However, the Digital Payment Regulation maintains that would require a DFSA licence. Similar provisions exist in the ADGM. the UAE Central Bank’s rights to impose access regimes and interoper- However, individual credit reference and information services ability obligations on PSPs. are possible in the UAE through the Al Etihad Credit Bureau (AECB), The general position is that financial institutions that are in a posi- which is a public joint stock company wholly owned by the UAE federal tion to collect and store data from the public are bound by a duty of government. According to UAE Federal Law No. 6 of 2010 concerning confidentiality. A breach of this duty of confidentiality could attract Credit Information, the AECB is mandated to regularly collect credit www.lexology.com/gtdt 241 © Law Business Research 2020 United Arab Emirates Simmons & Simmons LLP

information from financial and non-financial institutions in the UAE. SALES AND MARKETING The AECB aggregates and analyses this data to calculate credit scores and produce credit reports that are made available to individuals and Restrictions companies in the UAE. The AECB collects information on individuals 19 What restrictions apply to the sales and marketing of and companies from banks, finance companies and telecoms compa- financial services and products in your jurisdiction? nies. Additional information from other sources such as utilities, real estate, government and other entities are planned to be added in the There are a number of restrictions on the offering or promotion of finan- future. Financial institutions in the UAE are mandated by law to supply cial services in onshore UAE, the Dubai International Financial Centre the AECB with all credit information on a monthly basis. and the Abu Dhabi Global Market, and in many cases corresponding exemptions relating to these promotions, all of which differ according to CROSS-BORDER REGULATION the type of product or service offered.

Passporting CHANGE OF CONTROL 17 Can regulated activities be passported into your jurisdiction? Notification and consent There is currently no general passport regime either into the Dubai 20 Describe any rules relating to notification or consent International Financial Centre (DIFC), the Abu Dhabi Global Market requirements if a regulated business changes control. (ADGM) or onshore UAE, or between these jurisdictions. It was announced in May 2017 that the Dubai Department of Under the Dubai International Financial Centre and Abu Dhabi Global Economic Development (the relevant commercial registry for onshore Market frameworks, there are detailed provisions relating to changes UAE within the Emirate of Dubai) and the DIFC Authority had signed of control, including where notifications need to be made with the a memorandum of understanding to allow companies operating within Dubai Financial Services Authority or the Financial Services Regulatory DIFC and holding a commercial licence issued by the DIFC Registrar of Authority respectively, or where their prior approval needs to be Companies to obtain licences to operate in mainland Dubai. However, obtained. In both cases, these are contained in the general modules legislation and regulation to facilitate this remains forthcoming. of the respective regulator’s rulebook. Similar, although less detailed, Notwithstanding the efforts to create a facilitative cross-border regime provisions exist within the regulatory frameworks relevant to the between onshore UAE within the Emirate of Dubai and the DIFC at a UAE Central Bank, the Securities and Commodities Authority and the commercial licence level, passporting with regard to financial services Insurance Authority. between any of the onshore UAE regulators and the Dubai Financial Services Authority (DFSA) or Financial Services Regulatory Authority FINANCIAL CRIME (FSRA) has yet to be formally announced (other than in the case of marketing a domestic (ie, DIFC, ADGM or onshore UAE) domiciled fund Anti-bribery and anti-money laundering procedures across the three financial services jurisdictions within the UAE. 21 Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering? Requirement for a local presence 18 Can fintech companies obtain a licence to provide financial There are express restrictions on insider dealing and market abuse that services in your jurisdiction without establishing a local would apply to UAE-licensed counterparties. presence? For there to be an anti-money laundering (AML) offence, there needs to be actual awareness that such funds are derived from an It is possible for fintech companies to market on a cross-border basis offence or misdemeanour. into onshore UAE without having to obtain a licence. If marketing activi- In addition to various administrative penalties, the Federal UAE ties are undertaken on a true cross-border basis (ie, by telephone, AML Law states that whoever commits or attempts to commit money website or email from outside the UAE) they should not be subject to laundering shall be punished by imprisonment for a term not exceeding UAE regulation. To ensure that marketing activities are conducted on 10 years or by a fine of between 100,000 and 500,000 dirhams, or both. a true cross-border basis and not deemed to be conducting business In the Dubai International Financial Centre (DIFC), under article in the UAE, several guidelines should be followed, which include not 71(1) of the DIFC Regulatory Law, the DIFC regime requires compli- having a physical or legal presence in the UAE, marketing only towards ance with the federal regime. The federal legislation governing money non-natural qualified investors and making any subscription payments laundering and terrorist financing is also applicable in the DIFC. The made outside the UAE. Anti-Money Laundering, Counter-Terrorist Financing and Sanctions In relation to cross-border marketing into the DIFC, there are several Module to the Dubai Financial Services Authority (DFSA) Rulebook guidelines that should be followed to reduce the risk of marketing activi- applies to entities in respect of their activities carried on in or from ties being treated as having taken place ‘in’ the DIFC, such as not having the DIFC. The procedures that must be put in place include applying a physical or legal presence in the DIFC, keeping marketing materials a risk-based approach that is objective and proportionate to the risks, generic and only made to certain types of pre-identified ‘professional based on reasonable grounds, properly documented and reviewed and clients’ (as defined under the DFSA’s Conduct of Business Rules) and updated at appropriate intervals. Effective AML systems and controls performing all generic marketing from outside the DIFC. must also be established and maintained to prevent opportunities for With regard to regulated activities where a licence is required money laundering. A risk-based assessment must be undertaken for from a UAE financial services regulator (including the UAE Central every customer in order to assign the customer a risk rating propor- Bank, Securities and Commodities Authority, DFSA or FSRA), a fintech tionate to the customer’s money laundering risks. Customer due company would need to be locally established in the relevant jurisdic- diligence must be undertaken to verify the identity of the customer and tion to obtain a licence. Note, however, that the initiatives launched by the beneficial owner and understand the source of funds. This should the ADGM and the DIFC require lighter regulatory oversight for qualified be ongoing by monitoring transactions and complex and unusual trans- participants. actions. A money laundering reporting officer must be appointed with

242 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP United Arab Emirates responsibility for implementing and overseeing compliance; the officer Assignment of loans must have an appropriate level of seniority and independence to act in 24 What steps are required to perfect an assignment of the role and be resident in the UAE. loans originated on a peer-to-peer or marketplace lending Similar to the DIFC, the federal legislation governing money laun- platform? What are the implications for the purchaser if the dering and terrorist financing also applies within the Abu Dhabi Global assignment is not perfected? Is it possible to assign these Market (ADGM). The ADGM’s AML rules are contained in the Anti-Money loans without informing the borrower? Laundering and Sanctions Rules and Guidance Module to the Financial Services Regulatory Authority Rulebook (the ADGM AML Module). In onshore UAE, an assignment of rights requires only notification from According to the ADGM AML Module, an entity must have policies, proce- the assignor to the counterparty, confirming the assignment to the dures, systems and controls that ensure compliance with the federal assignee. Where this is not possible, the bank may require this income law, enable suspicious customers and transactions to be detected and to be deposited into a collection account, which will be covered by an reported, ensure the entity is able to provide an appropriate audit of trail accounts pledge. of a transaction, and ensure compliance with any other obligations as In the DIFC, an assignment is perfected when it attaches (ie, when contained in the ADGM AML Module. it becomes enforceable against the debtor or third party). The position in the ADGM is similar. Guidance Assuming there are no contractual restrictions on transfers, the 22 Is there regulatory or industry anti-financial crime guidance position in each of the relevant jurisdictions is as follows. for fintech companies? Onshore UAE There is no guidance specifically targeted at fintech companies. The Article 1109 of the UAE Civil Code (Federal Law No. 5 of 1985) provides regulatory guidance on financial crime is contained in the DFSA AML that the assignor, the assignee and the borrower must consent for there rules, the ADGM AML rules and the applicable federal laws. to be a valid assignment. There are Federal Supreme Court judgments Further federal legislation in relation to financial crime regarding holding that, in commercial matters, the consent to the assignment by corporate and business fraud is contained in articles 399 to 402 of the the borrower is not necessary, although evidence will be required that UAE Penal Code (Federal Law No. 3 of 1987), provisions of the Dubai the borrower has been notified of the assignment. Recovery of Public Funds (Dubai Law No. 37 of 2009) and other specific UAE law does not generally recognise the concept of beneficial offences set out in legislation including the UAE Cyber Crimes Law ownership. Accordingly, an assignee of certain rights otherwise than in (Federal Law No. 5 of 2012) and the UAE Commercial Transactions Law accordance with the UAE will not be recognised as having a beneficial (Federal Law No. 18 of 1993). interest in the rights to be assigned.

PEER-TO-PEER AND MARKETPLACE LENDING DIFC The DIFC makes a distinction between assignment of rights and assign- Execution and enforceability of loan agreements ment of obligations. The DIFC Contract Law No. 6 of 2004 (the DIFC 23 What are the requirements for executing loan agreements or Contract Law) sets out several limitations on assignments and delega- security agreements? Is there a risk that loan agreements tions. Under section 94 of the DIFC Contract Law, a contractual right can or security agreements entered into on a peer-to-peer or be assigned unless the substitution of a right of the assignee for the marketplace lending platform will not be enforceable? right of the assignor would: • materially change the duty of the borrower; If any security is based within the UAE, the agreements should be • materially increase the burden or risk imposed on the borrower by entered into with a local security agent whereby the local security agent his or her contract; holds security on behalf of the service provider. Security may need to be • materially impair the borrower’s chance of obtaining return perfected, depending on the type of asset to which the security relates. performance; or In the Dubai International Financial Centre (DIFC), there is no • materially reduce its value to the obligor. licensing or registration requirement for a lender to take security over DIFC-based assets. Any real estate mortgages must be registered with A contractual obligation can be transferred unless the obligee has the DIFC Register of Real Property without delay. For all other types of a substantial interest in having the obligor perform or control the security interest, a security interest will be considered perfected if it acts promised. has ‘attached’ and a financing statement has been filed with the DIFC While there are no explicit requirements under the DIFC Contract Security Register. For security to ‘attach’, different procedures will need Law to notify borrowers of an assignment or transfer, it is advisable that to be taken depending on the type of security interest under either the the borrower be notified of this assignment or transfer. DIFC Real Property Law or the DIFC Law of Security (land, shares in a DIFC company, bank accounts, receivables, insurance, floating charges, ADGM etc). Similar protection requirements exist within the Abu Dhabi Global In the ADGM, as per the ADGM Application of English Law Regulations Market (ADGM). 2015, the principles of English law relating to the assignment of rights and transfer of obligations would apply. Under English law, an assignment is perfected once notice is given to the borrower. In the absence of such notice, the assignee’s rights under the assignment become an equitable right. The transfer of an obligation would require the consent of the borrower. Borrower consent may be required prior to any assignment of loans.

Securitisation risk retention requirements The UAE federal government and certain emirate-level govern- 25 Are securitisation transactions subject to risk retention ments have publicly committed to the creation of problem statements requirements? and use cases to enable government services to benefit from DLT and, in particular, blockchain. Examples of this include the government of There are currently no risk retention requirements within the onshore Dubai’s public commitment to have all government services and trans- UAE legislation or the legislation of the DIFC or ADGM. However, while actions on the blockchain by 2020. not imposed by UAE law, securitisations originating in the UAE may still In some areas, UAE law is permissive as regards the use of DLT be subject to risk retention rules depending on the relevant investor and distributed digital ledgers or databases in scenarios where parties base that is being marketed to. intend to create legal relations; for example, article 12 of Federal Law No. 1 of 2006 on Electronic Commerce and Transactions, which seems to Securitisation confidentiality and data protection requirements have foreseen ‘smart contracts’ by confirming the validity and enforce- 26 Is a special purpose company used to purchase and securitise ability of contracts formed through computer programs that include two peer-to-peer or marketplace loans subject to a duty of or more electronic information systems present and preprogrammed to confidentiality or data protection laws regarding information carry out the transaction, even if no individual is directly involved. relating to the borrowers? Crypto-assets There are likely to be contractual duties of confidentiality in the relevant 29 Are there rules or regulations governing the use of crypto- local documentation that may require borrower consent prior to disclo- assets, including digital currencies, digital wallets and sure concerning the loans or the borrowers. Further, if the borrowers e-money? are data subjects for the purposes of the DIFC Data Protection Law or the ADGM Data Protection Law, the special purpose vehicle may be Virtual currencies are defined in the Regulatory Framework for treated as a processor for the purposes of those laws. Stored Values and Electronic Payment Systems (the Digital Payment Regulation) as: ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER TECHNOLOGY AND CRYPTO-ASSETS Any type of digital unit used as a medium of exchange, a unit of account, or a form of stored value. Virtual Currency is not recog- Artificial intelligence nised by this Regulation. Exceptions are made to a digital unit that: 27 Are there rules or regulations governing the use of artificial (a) can be redeemed for goods, services, and discounts as part intelligence, including in relation to robo-advice? of a user loyalty or rewards programme with the Issuer; and (b) cannot be converted into a fiat/virtual currency. The Financial Services Regulatory Authority (FSRA) has issued a regulatory framework for digital investment managers (robo-advisers) The Digital Payment Regulation contained a provision which that stated operating in the Abu Dhabi Global Market (ADGM). To supplement this, that ‘all virtual currencies (and any transactions thereof) are prohib- the FSRA has also released guidance to illustrate how its regulatory ited’. A month after the Digital Payment Regulation was published, the framework applies to robo-advisers in the ADGM. In particular, the guid- Governor of the UAE Central Bank issued a statement to the state media ance outlines: to say that the regulations ‘do not cover digital currency’ but are under • the regulatory permissions that may be required to provide digital further review and likely to be subject to new regulations in due course. investments services in or from the ADGM; and For now, there remains a grey area around the specific legal status • how the FSRA will apply its authorisation criteria in key existing of virtual currencies (eg, bitcoin) in the UAE, which affects how they areas of technology governance, suitability and disclosure, and are treated and any restrictions around specific use. However, while newer areas such as algorithm governance. there are currently no laws in force that specifically regulate crypto- assets in the UAE, in October 2019, the UAE Securities and Commodities Otherwise, there are currently no rules or regulations governing the Authority (SCA) issued draft legislation – the Regulation for Issuing and use of artificial intelligence or automated investment advice (ie, robo- Offering Crypto Assets – that, when implemented, will directly regulate advisory services) in the Dubai International Financial Centre (DIFC) crypto-assets in the UAE. The draft regulations cover all aspects of the or onshore UAE. Those conducting these automated investment activi- crypto-asset industry, such as safekeeping practices and compliance ties will need to ensure that they are authorised to provide investment with financial crime prevention measures. advice, irrespective of the method of delivery. The ADGM regulatory framework for virtual assets (first introduced The Dubai Financial Services Authority's (DFSA) Innovation Testing on 25 June 2018 and amended in February 2020) features a number of Licence regime has been used to issue licences relevant to automated guidance points related to virtual assets and digital wallets. investment advisory services. In these cases, there are bespoke disclo- In November 2019, the DFSA published Consultation Paper No.125 sures, reporting conditions and monitored progress in line with an on Proposals for Money Services. In the paper, the DFSA set out its agreed ‘regulatory test plan’. Firms intending to provide robo-advi- proposal to allow certain activities relating to money services that have sory services have also been accepted into the ADGM’s Regulatory emerged owing to rapid advancements in technology, with the DFSA Laboratory (which provides a controlled environment for fintech partici- recognising that these activities could promote the growth of regulated pants to develop and test innovative fintech solutions). financial services activities in DIFC and provide greater protection and choices to users of money services. One of the activities it proposed Distributed ledger technology to allow was the provision of money services (as defined in the DFSA 28 Are there rules or regulations governing the use of Rulebook Conduct of Business Module (COB)) in respect of electronic distributed ledger technology or blockchains? currency. Amendments to the DFSA Rulebook COB Module came into force on 1 April 2020, introducing requirements for the provision of There are currently no dedicated rules or guidelines regarding the use money services in relation to electronic money in the DIFC. of distributed ledger technology (DLT) or blockchain.

Digital currency exchanges Initial coin offerings 30 Are there rules or regulations governing the operation of 31 Are there rules or regulations governing initial coin offerings digital currency exchanges or brokerages? (ICOs) or token generation events?

Following a public consultation, on 25 June 2018 the ADGM FSRA issued Not specifically. its framework for the regulation of spot crypto-asset activities, including On 13 September 2017, the DFSA issued a General Investor Statement those undertaken by exchanges, custodians and other intermediaries in on Cryptocurrencies that warned that it considered initial coin offerings the ADGM. Specifically, the FSRA introduced the new regulated activity (ICOs) to be high-risk investments owing, in part, to the complex systems of ‘Operating a Crypto Asset Business’ that covers, among other things, and technology on which they are based. According to the DFSA General the arranging, buying, selling, custody provision, marketing and advising Statement, cryptocurrencies and ICOs have their own unique risks, which on the merits of the buying or selling of ‘Accepted Crypto Assets’. The may not be easy to identify or understand. The statement urged potential regime also included a regulatory framework for the operation of a investors to conduct due diligence and exercise caution. This is a similar ‘Crypto Assets Exchange’ and a ‘Crypto Asset Custodian’. approach to that taken by the UK’s Financial Conduct Authority, which On 14 May 2019, the FSRA issued its updated guidance addressing, released a consumer warning on the risks of ICOs on 12 September 2017. among other things: In the ADGM, the FSRA is moving towards greater regulation of • Stablecoins and fiat tokens: stablecoins that are fully backed by virtual currencies under its principal financial services legislation, the fiat currencies (fiat tokens) will be treated as a form of digital ADGM FSMR, as amended. The FSRA issued its Supplementary Guidance representation of money. Where used as a payment instrument – Regulation of Initial Coin/Token Offerings and Virtual Currencies under for the purposes of money transmission as defined under the the FSMR on 9 October 2017, which is aimed at those wanting to use ICOs ADGM’s Financial Services and Markets Regulations 2015 (FSMR), to raise funds, investors and generally anyone considering transacting the activity will be licensed and regulated as ‘providing money in virtual currencies. It states that whether or not an ICO is regulated services’. under the FSMR, it will be assessed by the FSRA on a case-by-case • Custody: further clarity on the types of crypto-asset custody activi- basis. If the tokens in an ICO are assessed to exhibit the characteris- ties that can be undertaken and setting out FSRA expectations in tics of a security (as defined in the FSMR, such as, among other things, terms of custody governance and operations. ‘certificates representing certain financial instruments’ or ‘instruments • Technology governance: further enhancements and clarifications giving entitlements to investments’), the FSRA may deem them to be a are introduced, including in relation to changes in the underlying security under section 58(2)(b) of the FSMR, which empowers the FSRA protocol of a crypto-asset that results in a fork (coding change), to deem any investment a security under ADGM regulation. The ADGM and the associated governance and control expectations for crypto- Guidance also outlines that derivatives of virtual currencies or secu- asset exchanges and licence-holders. rity tokens will be regulated as ‘specified investments’ under the FSMR. • FSRA Anti-Money Laundering and Sanctions Rules and Guidance: However, the ADGM Guidance states that other virtual tokens that do as the Anti-Money Laundering Rulebook applies in full to the regu- not exhibit the features and characteristics of a regulated investment lated activity of crypto-asset operators or holders, the guidance or instrument under the FSMR will be treated as commodities and not has been updated with the latest local and global changes and regulated as specified investments under the FSMR. provides further clarity on the use of new regulatory and surveil- Outside the UAE’s financial free zones in onshore UAE, the UAE lance technologies in this area. Central Bank issued a Regulatory Framework for Stored Values and Electronic Payment Systems on 1 January 2017, under powers vested As part of its ongoing commitment to regularly update and improve its in the UAE Central Bank under the UAE Decretal Federal Law No. 14 crypto-regulatory framework based on global developments, the FRSA of 2018 Regarding the Central Bank and Organisation of Financial updated its virtual asset regulatory framework in February 2020. Institutions and Activities. The Regulatory Framework for Stored Values Among other things, the key amendments included: and Electronic Payment Systems states that its purpose is to facilitate • changing the definition of ‘crypto-asset’ to ‘virtual asset’ (to align the robust adoption of digital payments across the UAE in a secure the terminology in the legalisation with that of the Financial Action manner. However, it then states that virtual currencies (and any trans- Task Force); and actions thereof) are prohibited. • moving the applicable regulations and rules from the bespoke A virtual currency is defined as ‘any type of digital unit used as category of ‘Operating a Crypto Asset Business’ to the respective a medium of exchange, a unit of account, or a form of stored value, underlying regulated activities (eg, providing custody, operating a although there are exceptions for digital units that can be redeemed mulitlateral trading facility and dealing in investments). This is to for goods, services, and discounts as part of a user loyalty or rewards be better reflect the nature of the underlying activities in relation programmes with the issuer, and which cannot be converted into a fiat to virtual assets. or virtual currency’. On the face of it, the Regulatory Framework for Stored Values and Currently, there are no other rules in onshore UAE, the DIFC or the Electronic Payment Systems seemed to cover the major virtual or cryp- ADGM specific to the operation of digital currency exchanges or broker- tocurrencies on the market. However, on 23 October 2017, the Governor ages. However, in October 2019, the SCA issued draft legislation of the UAE Central Bank stated that the Regulatory Framework for – the Regulation for Issuing and Offering Crypto Assets – that, when Stored Values and Electronic Payment Systems did not apply to all implemented, will directly regulate cryptoassets in the UAE, including virtual currencies. The Governor then clarified the UAE Central Bank’s crypto-exchanges. As of 21 May 2020, these regulations are yet to enter policy on virtual currencies on 23 October 2017 by warning against use into force and so, for the time being, the existing regulations relevant of ‘digital coins’ saying it had not issued a licence to allow virtual curren- to exchanges or authorised market institutions generally may apply if cies in the local UAE market. The Governor also warned of the risks of a digital currency is deemed to be a security. However, with the draft using digital currencies as a medium for exchange, stating that because crypto-asset regulations having been published, this is an area where virtual currencies do not go through official channels and cannot be regulation is susceptible to change at short notice. monitored or controlled, they pose a risk of being used for money laundering or terrorist financing purposes. www.lexology.com/gtdt 245 © Law Business Research 2020 United Arab Emirates Simmons & Simmons LLP

Similarly, the SCA issued a public warning on ICOs in February • impose conditions concerning the disclosure of personal data to 2018, cautioning investors to be aware of some risks associated with third parties and the transfer of personal data outside the respec- these investments, such as the potential for fraud, high volatility in tive free zone. light of speculation, and the fact they are not specifically catered for under existing SCA regulations. Whether the SCA will consider ICOs as a The DIFC law is enforced by the Commissioner of Data Protection, while ‘foreign security’ under existing legislation, such as the SCA Promoting the Registrar is responsible for enforcing the ADGM law. and Introducing Regulations (SCA Decision No. 3/R of 2017), remains to be seen. Fintech-specific rules and regulations Of particular relevance to fintech products and services is the Regulatory DATA PROTECTION AND CYBERSECURITY Framework for Stored Values and Electronic Payment Systems (the Digital Payment Regulation), which requires payment service providers Data protection (PSPs) to keep users’ identification and transaction data confidential 32 What rules and regulations govern the processing and and to only disclose this data to the relevant user, the Central Bank, transfer (domestic and cross-border) of data relating to another regulatory authority approved by the Central Bank or by order fintech products and services? of a UAE court. There is a separate requirement to ensure that personal data is only processed and shared for the purposes of compliance with The UAE does not yet have a specific, standalone data protection law. anti-money laundering and terrorist financing legislation. The Digital Instead, various general and sector-specific laws and regulations govern Payment Regulation also provides for minimum retention periods for aspects of the processing of personal data in the UAE. For example, the user and transaction data. There are no other legal requirements or UAE Constitution provides for a right to freedom and secrecy of commu- regulatory guidance relating to personal data that are specifically aimed nications; the Penal Code and Cybercrime Law provide for a range of at fintech companies. criminal offences prohibiting the disclosure or publication of private information and the interception of personal communications; the Civil Anonymisation and aggregation of personal data Code and Labour Law set out certain obligations on employers when There are no specific legal requirements or regulatory guidance in the dealing with employee information; another law governs the collection, UAE dealing with the anonymisation or aggregation of personal data processing and disclosure of credit-related information; and telecoms used for commercial gain. This, and the absence of a specific data operators are subject to special regulations regarding the protection of protection law in the UAE (outside the financial free zones), has the subscriber information. result that there is a wider scope for the commercial exploitation of data While there has been no formal confirmation or release, a draft for commercial purposes in the UAE. data protection law is generally known to be under consideration by the The definitions of ‘personal data’ in the ADGM and DIFC data UAE government. protection laws each require the individual to whom the data relates The Abu Dhabi Global Market (ADGM) and Dubai International to be identifiable. The guidance published by the DIFC Commissioner Financial Centre (DIFC) have each introduced standalone laws of Data Protection suggests that, as data that is stripped of all personal governing the processing of personal data by organisations operating in identifiers will no longer relate to an identifiable individual, the DIFC their respective zones. The DIFC’s much anticipated new and refreshed data protection law will no longer apply. data protection law was enacted on 1 June 2020 and set to become The guidance cautions that complete anonymisation may be diffi- enforceable after 1 October 2020. cult to achieve in practice, as data will still be protected if it is possible Although the new DIFC data protection law sets a high benchmark to identify an individual indirectly using the data. The guidance also and aligns more closely with the GDPR, it does share some common reminds organisations that the act of anonymisation is itself an activity elements with the data protection law in the ADGM. For instance, each that must be conducted in compliance with the DIFC data protection law. law requires that personal data is processed in a manner that is fair, The guidance published in respect of the ADGM data protection regime lawful and secure. does not provide further comment on the anonymisation or aggregation The most common methods used by businesses in each free zone of personal data. to ensure that their processing of personal data is fair and lawful are: In light of the restrictions on the processing of user and transac- • obtaining the consent of the relevant individual to the processing tion data introduced by the Digital Payment Regulation, PSPs seeking to of their data; use personal data for commercial gain will need to consider employing • processing the data based on the ‘legitimate interests’ of the anonymisation and aggregation techniques in respect of the data company undertaking the processing (provided that these inter- they hold. ests are not overridden by the interests of the individual); • processing in order for the company undertaking the processing to Cybersecurity comply with a legal requirement (not a contractual requirement); and 33 What cybersecurity regulations or standards apply to fintech • processing in order to perform or enter into a contract with the businesses? individual. Fintech businesses must comply with the UAE Cyber Crimes Law The ADGM and DIFC data protection laws also require organisations to: (Federal Law 5 of 2012 on Combatting Cybercrimes), the provisions of • provide specific information to individuals before collecting their which broadly relate to IT security, state security and political stability, personal data; morality and proper conduct and financial and commercial issues arising • create various rights for individuals, including rights to obtain from the use of the internet or IT infrastructure. The Cyber Crimes Law a copy of personal data, to require the correction or deletion of has extraterritorial effect. personal data, and to object to the processing of personal data, that a company holds about them; • require organisations to implement appropriate security measures; and

OUTSOURCING AND CLOUD COMPUTING As computer programs are not specifically excluded from patentability under UAE legislation, so long as registration formalities are Outsourcing followed, it is possible in principle to obtain patent protection for 34 Are there legal requirements or regulatory guidance with software-implemented inventions and business methods. It is likely to respect to the outsourcing by a financial services company of be more difficult, however, for these inventions to meet the criteria of a material aspect of its business? novelty, inventiveness and industrial applicability as required by UAE legislation. There is no regulatory guidance setting out notification or approval requirements where a financial services company in the UAE intends IP developed by employees and contractors to outsource a material aspect of its business. However, depending on 37 Who owns new intellectual property developed by an the nature of the company and the functions being outsourced, there employee during the course of employment? Do the same may be other restrictions. For example, the Regulatory Framework for rules apply to new intellectual property developed by Stored Values and Electronic Payment Systems (the Digital Payment contractors or consultants? Regulation) imposes restrictions upon certain payment service providers (PSPs) looking to outsource operational functions where, Copyright in works created by an employee in the course of employ- among other things, the functions being outsourced are deemed mate- ment will not automatically be owned by the employer. Such a work will rially important or where a defect or failure in performance of the be owned by the individual employee or, if created alongside others, outsourced functions would materially impact continued compliance may be protected as a joint work. It may be possible for the employer with licensing requirements. to assert that a work created under the supervision or direction of the employer meets the conditions for protection as a collective work under Cloud computing UAE legislation. 35 Are there legal requirements or regulatory guidance with In most cases, however, employers seeking to take ownership of respect to the use of cloud computing in the financial services copyright-protected works created by employees must do so by way of industry? written assignment. Under the Copyright Law, a provision in a contract that purports to assign the copyright in more than five future works There are regulations that set parameters around the use of cloud will be void. computing in the context of outsourcings, which includes those within In the context of patents, provided that an employee’s role includes the financial services industry. inventive activities, inventions created by an employee in the course Organisations carrying out functions that are regulated by the of an employment contract are automatically owned by the employer, Dubai Financial Services Authority (in the Dubai International Financial unless otherwise agreed. Different rules apply if the employee’s role Centre) or the Financial Services Regulatory Authority (in the Abu Dhabi does not include inventive activities. In these cases, the employer may Global Market) have specific obligations in relation to material outsourc- exercise an option to take ownership of the invention within four months ings, which in practice will include many cases of the use of cloud of becoming aware of the invention and the employee is entitled to computing services. In respect of each material outsourcing, the organi- receive fair compensation. sation must implement policies and risk management programmes, The same rules that apply to employee creators of copyright- enter into an appropriate contract with the service provider incorpo- protected works apply in respect of works created by contractors and rating certain minimum terms, and notify the relevant regulator of the consultants. These works will be owned by the individual creator or, if outsourcing arrangement. created alongside others, may be protected as joint works. The Digital Payment Regulation regulates how PSPs (other than non- As against employee creators, different rules apply in respect of issuing PSPs) may outsource operational functions, which could include inventions created by a contractor or consultant during the course of a outsourcings to cloud service providers. In respect of each outsourcing, contract. In these cases, the contractor or consultant will own the inven- the PSP must obtain approval from the Central Bank. The outsourced tion, unless otherwise agreed. services are required to be carried out in the UAE (outside the financial free zones). Special rules apply when an outsourcing is considered to Joint ownership relate to a material operational function, although no specific distinction 38 Are there any restrictions on a joint owner of intellectual or guidance is given in relation to cloud computing solutions. property’s right to use, license, charge or assign its right in intellectual property? INTELLECTUAL PROPERTY RIGHTS Joint owners of a copyright-protected work in which it is not possible IP protection for software to separate the contributions of each owner cannot exercise their rights 36 Which intellectual property rights are available to protect to use, license or assign the work individually, unless otherwise agreed software, and how do you obtain those rights? in writing. Where multiple authors contribute different kinds of art to a single Original computer programs and related software applications are work, they may each exploit their individual contributions provided that protected by copyright as literary works. Databases underlying soft- this does not damage the exploitation of the joint work. The legal posi- ware programs can also attract copyright protection. Copyright arises tion is less clear in relation to works that include contributions of the automatically as soon as the relevant literary work is created, so when same kind of art from multiple contributors. a computer program is recorded, software lines are coded or a database A joint owner of a patented invention may exploit or assign his or is created. There is no requirement to register these rights to be able to her rights independently of the other patentees. However, joint paten- have them recognised or enforce them against a third party in the UAE. tees may only license the exploitation of the patent jointly with the other If the software code has been kept confidential, it may also be patentees. protected as confidential information and unauthorised disclosure can attract criminal sanctions. No registration is required. www.lexology.com/gtdt 247 © Law Business Research 2020 United Arab Emirates Simmons & Simmons LLP

Trade secrets scope. One of these wholly excluded sectors is the financial sector. The 39 How are trade secrets protected? Are trade secrets kept list of excluded sectors and other important aspects of the competition confidential during court proceedings? regime in the UAE are within the discretion of the Ministry of Economy, and fintech businesses in the UAE will need to consider their specific The UAE legislation dealing with patents and industrial designs also competition law issues to assess their exposure. Looking ahead, there includes specific protection for trade secrets and know-how. Employees is expected to be increased consolidation in the banking sector and an have specific statutory duties to keep the commercial and industrial expectation of greater collaboration, information-sharing and other secrets of their employers confidential and may be criminally liable in horizontal arrangements, all of which could give rise to competition law cases of unlawful use or disclosure of information. Trade secrets and risks in the UAE. confidential information more broadly are commonly protected by way of contractual obligations. TAX Court proceedings in the UAE are not held in public and there is thereore less of a concern around maintaining the confidentiality of Incentives trade secrets in this context. 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the Branding fintech sector in your jurisdiction? 40 What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech There are no special incentives. However, onshore UAE, the Dubai businesses ensure they do not infringe existing brands? International Financial Centre and Abu Dhabi Global Market are all currently low or zero-tax jurisdictions. Brands can be protected as registered trademarks in the UAE. An application for registration and other formalities must be pursued to Increased tax burden obtain protection. A law recognising a unified trademark regime for Gulf 44 Are there any new or proposed tax laws or guidance that Cooperation Council countries has been decreed in the UAE but has not could significantly increase tax or administrative costs for yet entered into force. fintech companies in your jurisdiction? The UAE trademark database can be used to identify registered trademark rights and, therefore, help ensure that a fintech business There are no relevant new or proposed tax laws or guidance. does not infringe existing brands. The database is not available to the public but the law provides for a right to obtain a certified extract of IMMIGRATION the contents of a register upon payment of a fee. Applicants must pay a separate fee to search each class for existing trademark rights. Sector-specific schemes It is highly advisable for new businesses, perhaps using the 45 What immigration schemes are available for fintech services of specialist trademark attorneys, to check whether the data- businesses to recruit skilled staff from abroad? Are there base enquiry results indicate earlier registrations that are identical or any special regimes specific to the technology or financial similar to their proposed brand names and marks. It may also be advis- sectors? able to conduct internet searches for any unregistered trademark rights that may prevent use of the proposed mark. Once an employee enters the UAE on an entry permit, the employer must make an application for a residence visa to the immigration authorities. Remedies for infringement of IP Before the visa is granted, the employee must pass a medical exami- 41 What remedies are available to individuals or companies nation. These requirements must be satisfied within 60 days of the whose intellectual property rights have been infringed? employee’s entry into the UAE on the entry permit. Residence visas are typically valid for two years outside the free zones and three years for Remedies available to individuals or companies include: employees within a free zone. The total cost of the residence visa and • precautionary measures, including requirements to cease the use the required permits depends on the nature of the company’s activity of an infringing item; and whether the employee is hired within or outside the UAE. The cost • confiscation or destruction of infringing items; outside the free zones ranges from US$400 to US$1,200. Free zone • damages; and costs can differ. • publication orders. Both financial free zones in the UAE offer start-up-specific licences that, if obtained, provide for the recruitment of skilled staff from outside The UAE legislation dealing with intellectual property rights, including of the UAE. In 2018, the Abu Dhabi Global Market (ADGM) introduced in respect of patents, designs, trademarks and copyright, provides for the ADGM Tech Start-up Commercial Licence, under which it is possible criminal liability in various cases of infringement. to secure up to four UAE residence visas. In the Dubai International Financial Centre (DIFC), the DIFC FinTech Commercial Licence enables COMPETITION fintech start-ups to apply for residence visas for their staff, the number of which is dependent on office space (generally one visa per 80 Sector-specific issues square feet). 42 Are there any specific competition issues that exist with Investor visas are available to shareholders and proprietors. respect to fintech companies in your jurisdiction?

Since the enactment of Federal Law No. 12 of 2012, the UAE has had a standalone, federally applicable competition law that covers anticompetitive agreements, abuse of dominance and merger control; however, the law also has a list of sectors that are entirely excluded from its

UPDATE AND TRENDS

Current developments 46 Are there any other current developments or emerging trends to note?

No updates at this time.

Coronavirus Muneer Khan [email protected] 47 What emergency legislation, relief programmes and other initiatives specific to your practice area has your state Jack Rossiter implemented to address the pandemic? Have any existing [email protected] government programmes, laws or regulations been amended Raza Rizvi to address these concerns? What best practices are advisable [email protected] for clients?

UAE economic initiatives Level 7, The Gate Village, Building 10 Dubai International Financial Centre UAE authorities have introduced a series of temporary measures PO Box 506688 intended to support the citizens of the UAE and businesses affected by Dubai the covid-19 outbreak. United Arab Emirates In March 2020, the UAE Cabinet announced that it would be Tel: +971 4 709 6600 providing 126 billion dirhams of financial support to the economy. As of Fax: +971 4 709 6601 5 April 2020, this support package was doubled. www.simmons-simmons.com The UAE Central Bank also introduced the Targeted Economic Support Scheme to facilitate temporary relief from the payments of principal and interest or profit on outstanding loans for all affected private sector corporates, small and medium-sized companies (SMEs) and Obligations in the UAE in the context of the Covid-19 Crisis. The and individuals. The relief will not apply, however, to government loans guidance recognises that the pandemic could lead to altered patterns nor loans from foreign entities. of normal and suspicious transactions behaviour. Among other actions, financial institutions are required to revisit and consider their govern- Establishment of Dubai’s Startup Hub and remote access ance, operational and risk frameworks in response to these exceptional The Dubai Chamber of Commerce and Industry’s entrepreneurship circumstances to ensure that they remain compliant with their regu- initiative – the Dubai Startup Hub – has provided its first wholly online latory obligations. The guidance also reminds financial institutions to event for its members. Forty new members participated and can benefit maintain their customer due diligence requirements as a priority and from online mentorship to support entrepreneurs in their new ventures encourages the use of technology to address the difficulties in verifying during this difficult period. identities during this time.

Small businesses initiatives in Abu Dhabi The Abu Dhabi Department of Economic Development and the Abu Dhabi Department of Finance, in conjunction with Abu Dhabi registered banks, have introduced a series of initiatives to assist SMEs that are experiencing the effects of the outbreak. These measures include (but are not limited to) reducing banking fees and charges, reducing interest charges on new borrowing and deferring instalments on existing loans.

Stabilisation initiatives of market values The UAE Securities and Commodities Authority (SCA) has introduced a 5 per cent limit on the reduction of stock prices across all sectors in the UAE. The cap specifies the maximum permissible decline in the price of stocks during one trading day and applies from 18 March 2020 until further notice.

Dubai free zone initiatives Free zones operating within Dubai will benefit from the Dubai Free Zone Council’s package. Along with other free zones, the DIFC has introduced additional measures for new and existing DIFC entities, including discounted application fees, a waiver of certain fees and extensions to returns and reports filing deadlines.

Financial crime risks The supervisory bodies of the UAE (including the Central Bank, SCA, Dubai Financial Services Authority and Abu Dhabi Global Market) have issued the Joint Guidance on the Treatment of Financial Crime Risks www.lexology.com/gtdt 249 © Law Business Research 2020 United Kingdom

Angus McLean, George Morris, Jo Crookshank, Kate Cofman-Nicoresti, Olly Jones, Penny Miller and Peter Broadhurst Simmons & Simmons LLP

FINTECH LANDSCAPE AND INITIATIVES • the Global Financial Innovation Network is an international group of financial regulators and related organisations, including the FCA, General innovation climate committed to supporting financial innovation internationally; 1 What is the general state of fintech innovation in your • supporting regtech by encouraging the development of new jurisdiction? technologies to help overcome regulatory challenges in financial services; and The United Kingdom has been at the forefront of innovation in tech- • engaging with firms across the UK and internationally to maximise nology and finance for many years. Despite the ongoing uncertainty the reach of the FCA’s Innovate initiatives. over the terms of the UK’s departure from the EU and the effects of the covid-19 pandemic, this remains the case today. As the worlds of tech- The Bank of England is also interested in fintech. Its FinTech Hub nology and finance become increasingly linked, London, in particular, includes the FinTech Accelerator Project, which works with businesses has the unique advantages of being the national centre of govern- on fintech proofs of concept. ment and finance and having many world class universities nearby. Fintech businesses also benefit from the UK’s time zone, language and FINANCIAL REGULATION legal system. Perhaps mindful of the potential effect of Brexit, the UK government Regulatory bodies remains committed to attracting start-ups and scale-up entrepreneurs 3 Which bodies regulate the provision of fintech products and and investors. The UK remains the leading jurisdiction within Europe for services? fintech activity. According to data from the UK's fintech trade association, Innovate Finance, in 2019 fintech companies in the UK attracted The Financial Conduct Authority (FCA) is the financial services regulator more capital and completed more deals than the rest of the top 10 for most regulated activities and services that a fintech would provide. European countries combined. Seven of the top 10 deals in Europe The Prudential Regulation Authority is the regulator for banks in the UK. involved UK fintech companies. Overall, investment was up 38 per cent The FCA regulates conduct matters for banks. to $4.9 billion. This moved the UK up to second in the global rankings for fintech venture capital investment. Regulated activities While the UK is home to fintech innovation across the water- 4 Which activities trigger a licensing requirement in your front, there is particular strength and expertise in AI and automation, jurisdiction? blockchain and distributed ledger technology, cloud computing, crypto- assets, cybersecurity, big data, insurtech, open banking, payments, There are a large number of activities (‘specified activities’) that, when peer-to-peer lending and crowdfunding, and regtech. carried on in the UK by way of business in respect of specified kinds of investments, trigger licensing requirements in the UK. These are set Government and regulatory support out in the Financial Services and Markets Act 2000 (Regulated Activities) 2 Do government bodies or regulators provide any support Order 2001 (RAO). While it is not practical to list them all, the most specific to financial innovation? If so, what are the key common include the following. benefits of such support? • Accepting deposits: this is mainly carried on by banks and building societies. An institution will accept a deposit where it lends the Fintech in the UK is promoted by a range of government and regula- money it receives to others or uses it to finance its business. tory bodies. • Dealing in investments (as principal or agent): buying, selling, The Financial Conduct Authority (FCA) started ‘Project Innovate’ subscribing for or underwriting particular types of investments. In in 2014 to encourage innovation and promote competition. Currently, respect of dealing as principal, the specified investments are ‘secu- Project Innovate includes six initiatives: rities’ and ‘contractually based investments’. In respect of dealing • the Regulatory Sandbox allows businesses to test innovative prop- as agent, the specified kinds of investments are ‘securities’ and ositions in the market with real consumers; ‘relevant investments’: • the Innovation Hub provides tailored regulatory support for inno- • securities include shares, bonds, debentures, govern- vative firms; ment securities, warrants, units in a collective investment • the Advice Unit provides feedback to firms developing automated scheme (CIS) and rights under stakeholder and personal advice and guidance models; pension schemes;

• contractually based investments include rights under statements and the detailed requirements as to the form and content of certain insurance contracts (excluding contracts of general the credit agreement itself. insurance), options, futures, contracts for differences and The CONC chapter in the FCA Handbook sets out detailed rules that funeral plan contracts; and regulated consumer credit firms must comply with and covers areas • relevant investments include the same investments as such as conduct of business, financial promotions, pre-contractual disclo- contractually based investments but also include contracts of sure of information, responsible lending, post-contractual requirements, general insurance. arrears, default and recovery, cancellation of credit agreements and • Arranging deals in investments (this is split into two activities and agreements that are secured on land. specified investments in respect of arranging include securities In addition to the CONC, authorised consumer credit firms must also and relevant investments): comply with other applicable chapters of the FCA Handbook. • arranging (bringing about) deals in investments, which applies Failing to comply with the requirements of the CCA may result in to arrangements that have the direct effect of bringing about those agreements being unenforceable against borrowers and the FCA a deal; and imposing financial penalties on the firm in question. • making arrangements with a view to transactions in invest- Entering into a regulated mortgage contract is a regulated activity. ments, which is much wider and includes arrangements that Such contracts are loans where: facilitate others entering into transactions. • the contract is one under which a person (lender) provides credit to • Advising on investments: advising a person in their capacity as an an individual or trustee (borrower); investor on the merits of buying, selling, subscribing for or under- • the contract provides for the obligation of the borrower to repay to writing a security or relevant investment or exercising any right be secured by a mortgage on land in the EEA (this will change to conferred by that investment to buy, sell, subscribe for or under- land in the UK from 31 December 2020); and write such an investment. • at least 40 per cent of that land is, or is intended to be, used: • Managing investments: managing assets belonging to another • in the case of credit provided to an individual, as or in connec- person, in circumstances involving the exercise of discretion, where tion with a dwelling by the borrower; or the assets include any investment that is a security or contractu- • in the case of credit provided to a trustee that is not an indi- ally based investment. vidual, as or in connection with a dwelling by an individual who • Establishing, operating or winding up a CIS. is a beneficiary of the trust, or by a related person. • Certain lending activities: entering into a regulated mortgage contract or a regulated (consumer) credit agreement (or consumer Secondary market loan trading hire agreement) as lender. 6 Are there restrictions on trading loans in the secondary • Certain insurance activities: effecting a contract of insurance as market in your jurisdiction? principal and carrying out a contract of insurance as principal. • Payment services: providing payment services. Provided that the loan itself is being traded, and not the loan instrument • Electronic money: issuing electronic money. (eg, an instrument creating or acknowledging indebtedness), then there are no restrictions on trading loans in the secondary market. Consumer lending 5 Is consumer lending regulated in your jurisdiction? Collective investment schemes 7 Describe the regulatory regime for collective investment The general position is that lending by way of business to consumers is schemes and whether fintech companies providing alternative regulated in the UK. The FCA is responsible for authorising and regu- finance products or services would fall within its scope. lating consumer credit firms. There are two categories of regulated lending: regulated credit Establishing, operating or winding up a CIS is a regulated activity in the agreements and mortgages. UK for which firms must be authorised by the FCA. Any person (A) who enters into an agreement with an individual (or The definition of a CIS is set out in section 235 of the Financial a ‘relevant recipient of credit’, which includes a partnership consisting Services and Markets Act 2000 (FSMA). Broadly, a CIS is any arrange- of two or three persons not all of whom are bodies corporate and an ment with respect to property of any description, the purpose or effect of unincorporated body of persons that does not consist entirely of bodies which is to enable the persons taking part in the arrangements to partici- corporate and is not a partnership) (B) under which A provides B with pate in or receive profits or income arising from the acquisition, holding, credit of any amount must be authorised by the FCA – unless an appro- management or disposal of the property or sums paid out of such profits priate exemption applies. or income. The persons participating in the arrangements must not have Two of the most common exemptions are: where the amount of day-to-day control over the management of the property. The arrange- credit exceeds £25,000 and the credit agreement is entered into wholly ments must also have either or both of the following characteristics: or predominantly for business purposes; and where the borrower certi- • the contributions of the participants and the profits or income out of fies that they are ‘high net worth’ and the credit is more than £60,260. which payments are to be made to them are pooled; or Other complex exemptions are available that relate to, among other • the property is managed as a whole by, or on behalf of, the operator things, the total charge for the credit, the number of repayments to be of the scheme. made under the agreement and the nature of the lender. If an exemption applies, the lender does not need to comply with Whether a fintech company falls within the scope of this regime will the detailed legislative requirements that apply to regulated credit depend on the nature of its business. For example, fintech companies that agreements contained in the Consumer Credit Act 1974 (CCA) (and manage assets on a pooled basis on behalf of investors should consider secondary legislation made under it) and the FCA’s Consumer Credit carefully whether they may be operating a CIS. On the other hand, fintech Sourcebook (CONC). companies that only provide advice or payment services may be less Broadly, the CCA sets out the requirements lenders need to likely to operate a CIS. Fintech companies are advised to seek legal advice comply with in relation to the provision of information, documents and on this subject and to have regard to their other regulatory obligations. www.lexology.com/gtdt 251 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

The management of two forms of regulated collective investment • setting out the minimum information that a platform should provide schemes, UCITS and AIFs, are also regulated activities. to investors; and • introducing a requirement to monitor the investors that can use Alternative investment funds a platform, including that platforms assess investors’ knowledge 8 Are managers of alternative investment funds regulated? and experience of platform lending where no advice has been given to them. Firms are required to ensure that retail clients: Managers of alternative investment funds are regulated in the UK under • are certified or self-certified as ‘sophisticated investors’ or the Alternative Investment Fund Managers Directive, which has been ‘high net worth investors’; or implemented in the UK by the Alternative Investment Fund Managers • confirm before a promotion is made that they will receive Regulations 2013 and rules and guidance contained in the FCA Handbook. regulated investment advice or investment management services from an authorised person; or Peer-to-peer and marketplace lending • do not invest more than 10 per cent of their net investible 9 Describe any specific regulation of peer-to-peer or assets in P2P agreements in the 12 months following marketplace lending in your jurisdiction. certification.

Peer-to-peer (P2P) lending is a term that generally refers to loan-based Crowdfunding crowdfunding. In the UK, the FCA regulates loan-based crowdfunding 10 Describe any specific regulation of crowdfunding in your platforms. jurisdiction. Under article 36H of the RAO, operating an electronic system that enables the operator (A) to facilitate persons (B and C) becoming the In the UK, reward-based crowdfunding (where people give money in lender and borrower under an article 36H agreement is a regulated return for a reward, service or product) and donation-based crowd- activity (and a firm will require FCA authorisation) where the following funding (where people give money to enterprises or organisations they conditions are met: wish to support) are not currently regulated in their own right. • the system operated by A is capable of determining which agree- Equity-based crowdfunding is where investors invest in shares in, ments should be made available to each of B and C; typically, new businesses. Equity-based crowdfunding is not specifically • A (or someone acting on its behalf) undertakes to receive payments regulated in the UK (in the same way as loan-based crowdfunding). due under the article 36H agreement from C and make payments to However, a firm operating an equity-based crowdfunding service B that are due under the agreement; and must ensure that it is not carrying on any other regulated activity • A (or someone acting on its behalf) takes steps to procure the without permission. Examples of regulated activities that equity-based payment of a debt under the article 36H agreement or exercises crowdfunding platforms may carry on (depending on the nature and or enforces rights under the article 36H agreement on behalf of B. structure of their business) include: • establishing, operating or winding up a CIS; An article 36H agreement is an agreement by which one person provides • arranging deals in investments; and another with credit in relation to which: • managing investments. • A does not provide the credit, assume the rights of a person who provided credit or receive credit; and Additionally, equity-based crowdfunding platforms must not market to • either the lender is an individual or the borrower is an individual retail clients unless an appropriate exemption applies. and the credit is less than £25,000, or the agreement is not entered In the FCA’s policy statement on P2P lending, investment-based into by the borrower wholly or predominantly for the purposes of a crowdfunding platforms were also covered. Recent work has focused business carried on, or intended to be carried on, by the borrower. on restrictions on the types of clients these platforms can market to and how this is managed. In addition to falling within the definition of an article 36H agreement, a loan may also constitute a regulated credit agreement, unless an exemp- Invoice trading tion applies and so a lender, through a platform authorised under article 11 Describe any specific regulation of invoice trading in your 36H, may also be required to have permission to enter into a regulated jurisdiction. credit agreement as lender. Two of the most common exemptions are: where the amount of credit exceeds £25,000 and the credit agreement is Currently, there are no regulations relating specifically to invoice trading. entered into wholly or predominantly for business purposes; and where However, depending on how the business is structured, a firm the borrower certifies that they are ‘high net worth’ and the credit is that operates an invoice-trading platform may be carrying on regulated more than £60,260. activities for which it must have permission, including: Other complex exemptions are available that relate to, among other • establishing, operating or winding up a CIS; and things, the total charge for the credit, the number of repayments to be • managing an alternative investment fund. made under the agreement and the nature of the lender. The FCA produced a policy statement in June 2019 that confirmed There is also a possibility that the firm may need to register with the new rules that came into place in December 2019 in relation to FCA as an Annex 1 financial institution because it carries on commer- P2P lending. These changes are found in the Conduct of Business cial lending. As an Annex 1 financial institution, the firm would need Sourcebook and Senior Management Arrangements, Systems and to comply with all the detailed anti-money laundering requirements Controls, and include: under the Money Laundering, Terrorist Financing and Transfer of Funds • enhanced requirements for platform governance arrangements (Information on the Payer) Regulations 2017. including in relation to credit risk assessment, risk management and fair valuation practices; • strengthening rules on wind-down planning in the event of platform failure;

Payment services requires banks to allow third-party payment service providers to initiate 12 Are payment services regulated in your jurisdiction? payments from their customers’ accounts.

Payment services are regulated under the Payment Services Regulations Robo-advice 2017, which implement the second Payment Services Directive (PSD2) 14 Describe any specific regulation of robo-advisers or other in the UK. Payment services include: companies that provide retail customers with automated • services enabling cash to be placed on a payment account and all access to investment products in your jurisdiction. the operations required for operating a payment account; • services enabling cash withdrawals from a payment account and There are no specific regulations to cover robo-advisers. The rules all the operations required for operating a payment account; applying to investment advisers or arrangers and discretionary invest- • the execution of the following types of payment transaction: ment managers are technology-neutral and cover face-to-face as well • direct debits, including one-off direct debits; as online or automated services. Therefore, a licence would generally • payment transactions executed through a payment card or a be required, and robo-advisers would be subject to the usual conduct similar device; and of business requirements, for example, around suitability assessments, • credit transfers, including standing orders; disclosure of costs and charges, and marketing (which must be fair, • the execution of the following types of payment transaction where clear and not misleading). the funds are covered by a credit line for the payment service user: • direct debits, including one-off direct debits; Insurance products • payment transactions executed through a payment card or a 15 Do fintech companies that sell or market insurance products similar device; and in your jurisdiction need to be regulated? • credit transfers, including standing orders; • issuing payment instruments or acquiring payment transactions; Effecting or carrying out a contract of insurance, arranging contracts • money remittance; of insurance, or dealing in insurance as an agent are a regulated activi- • payment initiation services (initiating a payment order at the ties and fintech companies that wish to do this must be regulated. request of a payment service user with respect to an account held Companies that wish to market insurance products must either be with another payment service provider); and regulated, have their marketing material approved by a regulated firm • account information services (online service to provide consoli- or fall within an applicable exclusion. For example, exemptions may be dated information on one or more payment accounts held by the available for communications to high net worth individuals, companies, payment service user with another one (or more) payment service sophisticated individuals and other investment professionals. provider). Credit references The PSD2 broadens the scope of transactions governed by its provi- 16 Are there any restrictions on providing credit references or sions, narrows the scope of certain exclusions, amends the conduct of credit information services in your jurisdiction? business requirements and introduces security requirements. To provide payment services in the UK, a firm must fall within the Providing credit information services and providing credit references definition of a ‘payment service provider’. Payment service providers are regulated activities for which firms must be regulated. A firm include ‘authorised payment institutions’, ‘small payment institutions’, provides credit information services where it takes any of the following credit institutions, electronic money institutions, the post office, the steps (or gives advice in relation to any of the following steps) on behalf Bank of England and government departments and local authorities. of an individual or relevant recipient of credit: A firm that provides payment services in or from the UK as a • ascertaining whether a credit information agency holds informa- regular occupation or business activity (and is not exempt, or a bank) tion relevant to the financial standing of an individual or relevant must apply for authorisation or registration as a payment institution. recipient of credit; • ascertaining the contents of such information; Open banking • securing the correction of, the omission of anything from, or the 13 Are there any laws or regulations introduced to promote making of any other kind of modification of, such information; and competition that require financial institutions to make • securing that a credit information agency that holds such customer or product data available to third parties? information: • stops holding the information; or Following its investigation into the retail and small and medium-sized • does not provide it to any other person. enterprise (SME) banking sectors between 2013 and 2016, the UK’s competition authority (the Competition and Markets Authority (CMA)) Providing credit references involves providing people with infor- ordered a number of remedies to help promote greater competition in mation relevant to the financial standing of individuals or relevant the retail and SME banking markets. recipients of credit where the person has collected the information One of the core remedies ordered by the CMA requires the nine for that purpose. largest retail banks in Great Britain and Northern Ireland to develop In addition, the Small and Medium-Sized Business (Credit and implement an open banking standard application programming Information) Regulations 2015 (the SMB Regulations) require: interface (API) to give third parties access to information about their • designated banks to share specified credit information about SMEs services, prices and service quality in order to improve competition, effi- with designated credit reference agencies (with the permission of ciency and stimulate innovation. The open APIs also allow retail and SME the relevant SME); and customers to share their own transaction data with trusted intermedi- • designated credit reference agencies to provide this information aries, which can then offer advice tailored to the individual customer. to finance providers at the request of the SME and to the Bank These measures are intended to make it easier for customers of England. to identify the best products for their needs. Additionally, the PSD2 www.lexology.com/gtdt 253 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

While the provision of this information is not a regulated activity under SALES AND MARKETING the FSMA, the FCA does monitor and enforce compliance with the SMB Regulations. Restrictions 19 What restrictions apply to the sales and marketing of CROSS-BORDER REGULATION financial services and products in your jurisdiction?

Passporting The UK has a comprehensive set of rules relating to financial promo- 17 Can regulated activities be passported into your jurisdiction? tions. These are set out in Chapter 4 of the Financial Conduct Authority's (FCA) Conduct of Business Sourcebook (COBS). An EEA firm that has been authorised under one of the EU single market The definition of a financial promotion is very wide and includes directives may provide cross-border services into the UK. For these an invitation or inducement to engage in investment activity that is purposes, the relevant single market directives include the: communicated in the course of business. Marketing materials for finan- • Capital Requirements Directive; cial services are likely to fall within this definition. • Solvency II Directive; The basic concept is that financial promotions must be fair, clear • second Markets in Financial Instruments Directive (MiFID II); and not misleading. FCA guidance suggests that: • Insurance Distribution Directive; • for a product or service that places a client’s capital at risk, it • Mortgage Credit Directive; makes this clear; • fourth Undertakings for Collective Investment in Transferable • where product yield figures are quoted, this must give a balanced Securities Directive; impression of both the short- and long-term prospects for the • the Alternative Investment Fund Managers Directive; investment; • the second Payment Services Directive; and • where the firm promotes an investment or service with a complex • Electronic Money Directive. charging structure or the firm will receive more than one element of remuneration, it must include the information necessary to To passport a regulated activity into the UK, a firm must first provide ensure that it is fair, clear and not misleading and contains suffi- notice to its home regulator. The directive under which the EEA firm is cient information taking into account the needs of the recipients; seeking to exercise passport rights will determine the conditions and • the FCA, Prudential Regulation Authority (PRA) or both (as appli- processes that the firm must follow. cable) are named as the firm’s regulator and any matters not Operating an electronic system that enables the operator to facili- regulated by either the FCA, PRA or both are made clear; and tate persons becoming the lender and borrower under an ‘article 36H • where if it offers ‘packaged products’ or ‘stakeholder products’ agreement’, that is, over a peer-to-peer lending platform, is not currently not produced by the firm, it gives a fair, clear and not misleading an activity that may be passported. impression of the producer of the product or the manager of the It is unclear at this point how Brexit might affect the ability for underlying investments. EEA firms to passport services into the UK, and UK firms to passport services into the EEA, in the future. However, an exemption may be available to keep marketing materials outside the scope of the financial promotion rules. For example, exemp- Requirement for a local presence tions may be available for communications to high net worth individuals, 18 Can fintech companies obtain a licence to provide financial companies, sophisticated individuals and other investment professionals. services in your jurisdiction without establishing a local Even authorised firms are prohibited from the promotion of unreg- presence? ulated collective investment schemes, except in specific circumstances set out in the Financial Services and Markets Act 2000 (Promotion An EEA firm may exercise passport rights to provide services in the of Collective Investment Schemes) (Exemptions) Order 2001 (SI UK. Alternatively, in the case of a non-EEA firm or an EEA firm that 2001/1060). is not undertaking an activity that can be passported into the UK, it Only authorised persons may make financial promotions and it is a must establish a local presence and obtain an appropriate licence. For criminal offence for an unauthorised person to communicate a financial example, an equity crowdfunding platform with the relevant permis- promotion. Any agreements entered into with customers as a result of sions in another EEA state may be able to passport into the UK without an unlawful financial promotion are unenforceable. establishing a local presence. Operating an electronic system that enables the operator to facili- Lending tate persons becoming the lender and borrower under an article 36H In relation to lending, there is also a comprehensive set of rules and the agreement is not currently an activity that can be passported. position is similar, but not identical, to that set out in COBS. Therefore, peer-to-peer (P2P) or marketplace lending platforms In respect of credit agreements, the FCA’s Consumer Credit that are licensed under local rules governing P2P or marketplace Sourcebook 3.3 applies and provides that a financial promotion must lending in other jurisdictions (whether inside or outside the EEA) would be clear, fair and not misleading. In addition, firms must ensure that have to establish a local presence and become appropriately regulated. financial promotions: • are clearly identifiable as such; • are accurate; • are balanced (without emphasising potential benefits without giving a fair and prominent indication of any relevant risks); • are sufficient for, and presented in a way that is likely to be understood by, the average member of the group to which they are directed, or by which they are likely to be received; • are presented in a way that does not disguise, omit, diminish or obscure important information, statements or warnings;

• present any comparisons or contrasts in a fair, balanced and mean- • each exiting controller notifying the FCA of the change of ingful way; control; and • use plain and intelligible language; • the FCA-regulated firm notifying the FCA of these changes. • are easily legible and audible (if given orally); • specify the name of the person making the communication (or In practice, a joint notification is usually made, coordinated by the whom they are communicating on behalf of, if applicable); and FCA-regulated firm with the new controllers and exiting controllers. • do not state or imply that credit is available regardless of the Any potential controllers must provide detailed information, including in customer’s financial circumstances or status. respect of its group structure, senior management, commercial activities, any criminal or civil proceedings against the company, and details Various other detailed requirements apply depending on the type of of the acquisition. credit (eg, peer-to-peer, secured, unsecured or ‘high-cost short-term’ The FCA has a statutory assessment period of 60 working days to credit) and the type of agreement (eg, whether it is secured on land), determine change-of-control applications. This can be interrupted for a which govern things such as: period of 30 days. In practice, determinations are made more quickly. • the requirement to include particular risk warnings and how those There is no application fee. warnings must be worded; • when and how annual percentage rates and representative exam- FINANCIAL CRIME ples must be included and displayed; and • expressions that cannot be included in financial promotions. Anti-bribery and anti-money laundering procedures 21 Are fintech companies required by law or regulation to have In relation to mortgages, chapter 3A of the Mortgages and Home Finance: procedures to combat bribery or money laundering? COBS applies. In addition to being clear, fair and not misleading, financial promotions must: Generally, fintech companies are only required to have anti-money laun- • be accurate; dering (AML) procedures if the company is authorised by the Financial • be balanced (without emphasising any potential benefits without Conduct Authority (FCA) or carries out business that is subject to the also giving a fair and prominent indication of any relevant risks); Money Laundering Regulations 2017 (MLRs 2017). The UK implemented • be sufficient for, and presented in a way that is likely to be under- the Fifth Money Laundering Directive (5MLD) on 10 January 2020, by stood by, the average member of the group to whom it is directed, way of updates to the MLRS 2017 effected by the Money Laundering or by whom it is likely to be received; and Terrorist Financing (Amendment) Regulations 2019 (the 2019 • make it clear, where applicable, that the credit is secured on the Regulations). Under 5MLD, the 2019 Regulations (in line with the 5MLD), customer’s home; the types of entities required to have money laundering procedures has • be presented in a way that does not disguise, omit, diminish or been widened to include crypto-asset exchange providers and custo- obscure important items, statements or warnings; and dian wallet providers. The 2019 Regulations also capture peer-to-peer • where they contain a comparison or contrast, be designed in such exchange providers, crypto-asset automated teller machines and the a way that the comparison or contrast is presented in a fair and issuing of new crypto-assets (eg, an initial coin offering (ICO) or initial balanced way and ensures that it is meaningful. exchange offering (IEO)). Entities subject to UK money laundering regulations are required As with credit agreements, other provisions apply depending on the to, among other things: particular type of mortgage, covering, among other things: • identify and assess the firm’s exposure to money laundering risk • the inclusion and presentation of annual percentage rates and by, for example, undertaking a risk assessment; other credit-related information; • perform customer due diligence to an adequate standard depending • points of contact; and on the risk profile of the customer; • when and how financial promotions can be made. • keep appropriate records; • monitor compliance with the AML regulations, including internal CHANGE OF CONTROL communication of policies and procedures; and • report suspicious transactions. Notification and consent 20 Describe any rules relating to notification or consent With respect to anti-bribery policies and procedures, all companies requirements if a regulated business changes control. (including fintech companies) that are incorporated in or carry on business, or a part of their business, in the UK are subject to the Bribery Part 12 of the Financial Services and Markets Act 2000 sets out a strict Act 2010. While the Bribery Act does not require the implementation of system concerning changes of control of regulated firms, and failure policies or procedures to combat bribery, it creates a de facto require- to adhere to the appropriate statutory requirements can be a criminal ment to do so. This is because a company charged with ‘failing to offence, depending on the nature of the breach. prevent bribery’ may rely on the statutory defence that the company had Controllers or potential controllers of FCA-authorised firms are adequate policies and procedures in place designed to prevent bribery. required to make notifications to and obtain approval from the Financial It is not just large companies that need to be concerned with this law. Conduct Authority (FCA) when a change of control occurs. The notifica- The successful prosecution of Skansen Interiors Ltd (a company with tion must be made before a change of control takes place. A person fewer than 30 employees) for failing to prevent bribery in 2018 indicates who fails to obtain the appropriate FCA approval will be guilty of a crim- that UK prosecutors will target smaller companies for such an offence. inal offence. The notification process takes place under three parallel processes: • each new controller submitting the appropriate controller notification form to seek the FCA’s pre-approval; www.lexology.com/gtdt 255 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

Guidance of simple contracts (such as loan agreements) is accepted as creating 22 Is there regulatory or industry anti-financial crime guidance enforceable agreements, subject to complying with regulatory require- for fintech companies? ments (eg, in respect of regulated lending). E-signing can take a range of forms, including typing the signatory’s name, signing through biody- There is no anti-financial crime guidance issued by the FCA specifi- namic software (ie, the signatory signing on a screen or on a digital pad) cally for fintech firms. However, firms that are authorised by the FCA or clicking an 'I accept' (or similar) icon on a web page. Certain limita- should comply with its ‘Financial Crime Guide: A firm’s guide to coun- tions on e-signing generally need to be borne in mind: tering financial crime risks’ (www.handbook.fca.org.uk/handbook/FCG. • English law prohibits e-signing in respect of certain types of pdf) and may find the FCA’s outline to its supervision of crypto-assets contract, including but not limited to documents required to be helpful (www.fca.org.uk/firms/financial-crime/cryptoassets-aml-ctf- registered at HM Land Registry; regime). In addition, the Joint Money Laundering Steering Group issues • there may be restrictions within a company’s articles of associa- detailed guidance for the financial sector, and is currently in the process tions that may restrict or forbid the use of e-signing, and these of drafting guidance specific to the crypto-asset sector(https://jmlsg. should be checked prior to any signing; and org.uk/consultations/consultation-part-ii-sector-22/). • questions arise as to whether the prescribed formalities for It is important for fintech firms to understand the concerns and executing deeds can be satisfied by e-signing. In particular, diffi- policy drivers that financial institutions have with respect to their culties are likely to arise in satisfying the attestation requirement fintech clients. In June 2018, the FCA sent a ‘Dear CEO’ letter to financial (where a deed is executed by an individual or by a single director institutions, advising them to take ‘reasonable and proportionate meas- of a company in the presence of a witness) by electronic means. ures to lessen the risk of your firm facilitating financial crimes which are enabled by cryptoassets’. This will have a consequential effect on Even if it were possible to satisfy these formalities, there may be prac- fintech companies, as financial institutions are likely to apply the FCA’s tical reasons (such as certainty and evidential issues) why executing a guidance when conducting due diligence on and monitoring their deed with a ‘wet-ink’ signature (rather than e-signing it) may be prefer- relationships with crypto-businesses as a result of this letter. While able. As such, best practice remains for deeds to be executed with a not addressed to fintech companies, they may also find this guidance wet-ink signature. helpful in mitigating financial crime risks in their own relationships with On 3 September 2019, the Law Commission published Law Com individuals and entities whose wealth, funds or revenue derives from report No. 386 concerning e-signatures. Of particular importance, the crypto-related activities. Law Commission confirmed that e-signing is capable in law of being used to execute documents (including deeds), provided that (1) the PEER-TO-PEER AND MARKETPLACE LENDING executing party ‘intends to authenticate’ the document, which it clarified as the same as intending to be bound, and (2) any formalities relating to Execution and enforceability of loan agreements the execution of such document are satisfied. 23 What are the requirements for executing loan agreements or With respect to the attestation requirement, however, the Law security agreements? Is there a risk that loan agreements Commission’s views are that the physical presence of a witness is or security agreements entered into on a peer-to-peer or required, even when both the signatory and the witness are executing marketplace lending platform will not be enforceable? or attesting the document using e-signature. The Law Commission was not satisfied that the witness’s ‘virtual’ or ‘remote’ presence would Provided the essential elements of a contract are present, loan suffice, and this is also the position that is followed by the HM Land agreements governed by English law can be executed in the form of Registry. These views, and the law in respect of physical witness, remain agreements by signatories of the respective parties with due authority. unchanged since the beginning of the covid-19 pandemic. The execution requirements for an English law security agreement will depend on the form of security agreement. However, most English Assignment of loans law security agreements will be executed in the form of a deed to ensure 24 What steps are required to perfect an assignment of that no challenge can be made on the grounds of a lack of considera- loans originated on a peer-to-peer or marketplace lending tion or owing to the form of property being secured. It is also common platform? What are the implications for the purchaser if the for a security agreement to grant the lender a power of attorney, which assignment is not perfected? Is it possible to assign these must be executed as a deed to be enforceable. Certain formalities are loans without informing the borrower? required for the execution of a deed: • the deed must be in writing; To perfect a legal assignment of loans originated on a P2P lending • it must be clear on its face that it is intended to take effect as a deed; platform, various criteria must be met. Most importantly, notice of the • it must be validly executed as a deed, the requirements of which assignment must be received by the other party to the loan agreement. will vary according to the executing party (for example, whether it In addition to this, the benefit under the loan that is being assigned must is an individual or a company). In particular, if the executing party be absolute, unconditional and not purporting to be by way of charge is a company and if the deed is signed by a director (rather than only, the contract effecting the assignment of the loans must be in through the affixing of the company seal or the signature of two writing and signed by the assignor, and the assignment must be of the authorised signatories), the signature of such director must be whole of the debt under the loan agreement. attested by a witness (in other words, an individual must observe Subject to certain exceptions, notice by email will comprise notice the execution of the deed and record, on the deed itself, that he or in writing under English law and, therefore, sending a notice to the other she has made such observation); and party to the loan agreement by email should not preclude it from being • it must be delivered as a deed, which is to say that the parties must effectively delivered. However, a question remains over whether notice demonstrate an intention to be bound. of assignment can be effectively delivered solely by updating the relevant party’s account on the P2P lending platform. It is therefore best Typically, peer-to-peer (P2P) marketplace lending platforms require practice to notify the other party to the loan agreement of the assign- agreements to be entered into electronically (e-signing). The e-signing ment both by email and an update to their P2P account.

If the assignment does not comply with the above criteria for a legal registered office. Therefore, the non-EU subsidiary of an EU entity may assignment, it may nevertheless take effect as an equitable assignment. not be subject to the direct retention obligation because a subsidiary One of the key distinctions between a legal and an equitable assignment is typically a separate legal entity, whereas a non-EU branch of an EU is that, in the case of an equitable assignment, the person to whom the entity may be caught within this provision because a branch is typically loan has been transferred would not be able to bring an action under not a separate legal entity. the contract in their own name. Further, there was an unexpected and unintended consequence of the drafting under article 1(11) in Regulation (EU) 2017/2401, which Securitisation risk retention requirements amended article 14 of Regulation (EU) No. 575/2013 (CRR) effective 25 Are securitisation transactions subject to risk retention from 1 January 2019. The effect of such amendment was to require requirements? non-EU subsidiaries to comply with the direct obligations under Chapter 2 of the EU Securitisation Regulation on a consolidated basis (ie, those The risk retention requirements set out in Regulation (EU) 2017/2402, relating to due diligence, risk retention, transparency, banning re-secu- which came into force on 1 January 2019 (the EU Securitisation ritisation and criteria for credit granting). This raised challenges for Regulation) will apply directly to the ‘originators’, ‘sponsors’ and ‘original third-country entities that are consolidated into European groups (eg, lenders’ of a ‘securitisation’ transaction (as each such term is defined in EU banks operating in third countries through their non-EU subsidi- the EU Securitisation Regulation) where any of the originator, sponsor aries), as these non-EU subsidiaries may be required to comply with or original lender is established in the EU, and indirectly to originators, potentially conflicting sets of requirements under the EU risk retention sponsors and original lenders of securitisation transactions that are rules and the locally applicable rules. offered to ‘institutional investors’ (as defined in the EU Securitisation Following concerns from market participants, the position on the Regulation) regulated by a competent authority of an EU member jurisdictional scope is now clarified through article 1(9) of Regulation state (in each case, including any P2P securitisation that falls within (EU) 2019/876 (the CRR II Regulation), which further amended article 14 the definition of ‘securitisation’ in the EU Securitisation Regulation), as of the CRR. CRR II Regulation entered into force on 27 June 2019 (except described further below. for certain provisions) and limited the application article 14 of the CRR to article 5 of the EU Securitisation Regulation such that only the due What are the risk retention requirements? diligence requirements will continue to apply on a consolidated basis to The EU Securitisation Regulation requires the originator, sponsor or non-EU subsidiaries. original lender in respect of a securitisation to retain on an ongoing basis a material net economic interest in such securitisation of not less Possible retaining entities in respect of P2P securitisations than 5 per cent using one of five prescribed risk retention methods, Typically, a P2P lending platform will not qualify as the ‘sponsor’ or including (among other things) retention of: ‘original lender’ of a P2P securitisation. However, it may qualify as an • the most subordinated tranches, so that the retention equals no less ‘originator’ if it was (either itself or through related entities) directly or than 5 per cent of the nominal value of the securitised exposures; indirectly involved in the original agreement that created the P2P loans • 5 per cent of the nominal value of each of the tranches sold to being securitised. Whether or not the P2P lending platform comprises investors; or an originator will ultimately be a question of fact, but it is likely that • randomly selected exposures equivalent to no less than 5 per cent some P2P lending platforms in the market will (by virtue of their docu- of the nominal value of the securitised exposures. mentation structure and role as operator of the platform) comprise originators for the purposes of the EU Securitisation Regulation. If this Direct and indirect approaches is the case, any such P2P lending platform will be required to retain a The retention requirement applies on a direct basis, as originators, 5 per cent economic interest in any securitisation of loans originated sponsors and original lenders are required to agree on an entity that on their platform unless the originator, sponsor or original lender have will act as retention holder and to ensure compliance with the retention agreed between them that another entity will retain. requirements, and on an indirect basis, as it is incumbent upon investors If a P2P lending platform does either not qualify as an originator in securitisation transactions to ensure that the retention requirement or does qualify as an originator but does not wish to retain, another has been complied with. In the absence of agreement among the origi- entity with the capacity to retain will need to be identified and this entity nator, sponsor or original lender as to who will be the retention holder, will need to agree to retain in accordance with the terms of the EU the originator shall be the retention holder. Originators, sponsors and Securitisation Regulation. Any entity that retains in the capacity of ‘origi- original lenders may potentially be subject to a broad range of adminis- nator’ is expected to be an entity of substance, and the EU Securitisation trative sanctions (including significant fines) or remedial measures, or Regulation expressly provides that an entity will not be considered an even criminal sanctions, where the they have negligently or intentionally originator where it has been established or operates for the sole purpose infringed the risk retention requirements under the EU Securitisation of securitising exposures. The EU Securitisation Regulation does not Regulation. Investors in a securitisation that is non-compliant will be specify in what circumstances an entity will be considered to have been subject to higher regulatory capital charges. established for the sole purpose of securitising exposures but, in the Final Draft Regulatory Technical Standards relating to risk retention pursuant Jurisdictional scope to article 6(7) of the EU Securitisation Regulation (published on 31 July The EU Securitisation Regulation does not explicitly set out the juris- 2018), the European Banking Authority (EBA) proposed that an originator dictional scope of the direct retention obligation (which is where the will not be considered to have been established with the ‘sole purpose’ originator, sponsor or original lender would be required to comply of securitising exposures if it satisfies certain conditions, including that: with the risk retention requirements), but there is a helpful note in the • it has a broader business enterprise and strategy; Explanatory Memorandum to the original Commission proposal for the • it has sufficient decision makers with the required experience; and EU Securitisation Regulation that the intention is that the direct approach • its ability to make payment obligations does not depend on the would not apply where none of the originator, sponsor or original lender exposures to be securitised or on any exposures retained for the is ‘established in the EU’. ‘Establishment’ is typically described by refer- purposes of the risk retention regulations. ence to the jurisdiction in which the legal entity is incorporated or has its www.lexology.com/gtdt 257 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

Impact of Brexit on EU Securitisation Regulation ARTIFICIAL INTELLIGENCE, DISTRIBUTED LEDGER As an EU Regulation, the scope of the EU Securitisation Regulation is TECHNOLOGY AND CRYPTO-ASSETS directly applicable only to EU member states, which brings into consideration its applicability following the UK’s departure from the EU. The Artificial intelligence EU Securitisation Regulation will not apply directly to originators, orig- 27 Are there rules or regulations governing the use of artificial inal lenders or sponsors in the UK for new securitisations post-Brexit. intelligence, including in relation to robo-advice? However, EU investors required to comply with the EU Securitisation Regulation will only be able to invest in a UK securitisation transac- There are not yet any significant rules or regulations that specifically tion that complies with the EU Securitisation Regulation requirements. govern the use of AI in the UK (including in respect of robo-advice), Accordingly, we would expect many UK deals to continue to be struc- except in respect of some limited regulatory provisions; most notably tured to comply with the EU Securitisation Regulation post-Brexit for in the EU General Data Protection Regulation (GDPR), which sets out liquidity purposes. requirements in respect of ‘automated’ decision-making (which would Although the UK left the EU on 31 January 2020, the European include AI) involving personal data. In particular, Article 22 provides that Union (Withdrawal Agreement) Act 2020, which implements the UK-EU a data subject has the right not to be subject to a decision based solely Withdrawal Agreement into UK domestic law, provides that a transition on automated processing except in certain circumstances (eg, with the period will apply until 31 December 2020 (the transition period). EU law, data subject’s explicit consent). Articles 13(2) and 14(2) also require including the EU Securitisation Regulation, will continue to apply during a data controller to provide ‘meaningful information about the logic the transition period, and it is only following the end of the transition involved’ in an automated decision-making process. For fintech busi- period that the interactions of EU laws into the UK becomes uncertain. nesses using personal data in the context of AI (eg, in assessing loan In the event of a ‘no deal’ Brexit, all of the UK’s statutory instru- applications), this is likely to mean that the business should be able to ments that amend EU laws will come into force at the end of the explain how the AI system operates in that context and why, in any given transition period. This includes the Securitisation (Amendment) (EU case, it has arrived at its decision. Exit) Regulations 2019, which facilitates the onshoring of the EU The obligation in articles 13(2) and 14(2) reflects a growing Securitisation Regulation as UK domestic law. The Securitisation consensus on the importance of transparency and explainability in (Amendment) (EU Exit) Regulations 2019 also make some drafting the context of responsible or ethical AI. Regulators and policy groups, changes to the implementation of the EU Securitisation Regulation in particularly in the financial services sector, have emphasised that, the UK, for example, clarifying the application of the investor due dili- while there are considerable benefits to be harnessed from the use of gence obligations for third country securitisations and the definition of AI, businesses should understand and be able to explain how they are sponsor. However, the current Securitisation (Amendment) (EU Exit) using AI and the impact on stakeholders, particularly consumers. This Regulations 2019 may still be subject to further amendments and/or is particularly so given the increasing complexity of AI systems and the supplements until the end of the transition period. corresponding difficulty in understanding how they operate. The Financial Conduct Authority (FCA) published two papers Securitisation confidentiality and data protection requirements on AI in 2019 – ‘Explaining why the computer says no’ and ‘Artificial 26 Is a special purpose company used to purchase and securitise Intelligence in the boardroom’ – which both emphasise that financial peer-to-peer or marketplace loans subject to a duty of institutions (including their board members) should be able to explain confidentiality or data protection laws regarding information AI-based decisions, particularly in sensitive contexts (for example, in relating to the borrowers? consumer loan applications). While there are not yet any specific legislative requirements in The entity assigning loans to the special purpose vehicle (SPV) must this regard, it should be remembered that fintech businesses using ensure that there are no confidentiality requirements in the loan docu- AI, including for robo-advice, may still be subject to the FCA’s regu- ments that would prevent it from disclosing information about the loans latory regime more generally, particularly as the advice offered by a and the relevant borrowers to the SPV and the other securitisation robo-adviser will be a regulated activity where that advice involves an parties. If there are such restrictions in the underlying loan documen- element of personal recommendation regarding investments. tation, the assignor will require the consent of the relevant borrower to disclose to the SPV and other securitisation parties the information Distributed ledger technology they require before agreeing to the asset sale. In addition, the SPV will 28 Are there rules or regulations governing the use of want to ensure that there are no restrictions in the loan documents that distributed ledger technology or blockchains? would prevent it from complying with its disclosure obligations under English and EU law (such as those set out in the EU Securitisation There are no specific rules or regulations specifically governing the use Regulation and the CRR). of distributed ledger technology or blockchains in the UK. Again, if such restrictions are included in the underlying loan docu- Regulators in the UK in general seek to adopt a technology-neutral ments, the SPV would be required to obtain the relevant borrower’s stance, regulating the outputs of systems rather than how they operate consent to such disclosure. In addition, if the borrowers are individ- in the background. For example, the FCA in 2017 undertook a review uals, the SPV, its agents and the P2P platform would each be required of distributed ledger technology and its use in the financial services to comply with the statutory data protection requirements under industry and concluded that no technology-specific regulation is English law. required to govern its use. However, some rules and regulations applicable in the UK indirectly have an effect on the deployment of distributed ledger technologies and blockchains as a result of the nature of the operation of these types of systems. For example, the GDPR generally requires personally identifiable information to be capable of erasure once it is no longer needed, which causes difficulties for those seeking to use distributed ledger technology to govern the use of that type of data,

258 Fintech 2021 © Law Business Research 2020 Simmons & Simmons LLP United Kingdom given the technology's generally ‘immutable’ (ie, unchangeable) nature. Therefore, in broad terms, the approach in the UK to the regulation Another example is the Centralised Securities Depositary Regulation of crypto-assets at present varies. (an EU-level regulation applicable in the UK), which requires dema- • Unregulated tokens (classic exchange tokens such as bitcoin terialised securities to be settled through a centralised securities and utility tokens) are unregulated, although to offer services depositary, which is a hurdle to be overcome for those fintech busi- concerning them, a business may need to be registered nesses seeking to settle securities via distributed ledger technologies with the FCA. (security tokens). • E-money tokens (crypto-assets that have the characteristics of e-money) are regulated as if they were e-money, and businesses Crypto-assets dealing in them need to be properly authorised by the FCA as 29 Are there rules or regulations governing the use of crypto- appropriate under the Electronic Money Regulations and the assets, including digital currencies, digital wallets and Payment Services Regulations. e-money? • Security tokens (crypto-assets that have the characteristics of regulated financial products) are regulated in the same way as the In the UK, there are specific rules relating the operation of certain types type of security that the crypto-asset shares characteristics with, of crypto-businesses in the UK, requiring the following businesses to be and any businesses dealing in them need to be properly authorised registered with the FCA: by the FCA as appropriate. • those that provide a facility to enable the exchange of one crypto- asset for another or the exchange of fiat currency for crypto-assets Crypto-asset regulation in the UK continues to be a developing area. (or vice versa), or any business that makes arrangements with a There are two outstanding regulatory consultations that have been view to any such exchange; announced but not yet published – one on extending the FCA’s powers • those that provide custodial crypto-asset wallet services; in respect of regulation of currently unregulated crypto-assets, and • any business that issues new crypto-assets (eg, a business another on potentially applying certain rules to the promotion of crypto- conducting an initial coin offering); and assets, both of which are likely to be relatively transformative if and • businesses that operate crypto-asset automated teller machines. when they are published.

Prior to operating any such business, the business must first register Digital currency exchanges with the FCA. The registration process is complex and requires the 30 Are there rules or regulations governing the operation of submission of a number of different information requirements. Once a digital currency exchanges or brokerages? complete application has been submitted, the FCA has three months to consider the application and accept or reject it as it sees fit. At the Any digital currency exchange or brokerage operating in the UK needs time of writing, there is currently a grace period for registration oper- to be registered with the FCA. The registration process is complex and ating, whereby any in-scope business that was operating crypto-asset requires the submission of a number of different information require- services as at 10 January 2020 has until 10 January 2021 to register. For ments. Once a complete application has been submitted, the FCA has any business launching after 10 January 2020, they must be registered three months to consider the application and accept or reject it as it with the FCA before they can begin providing crypto-asset services sees fit. At the time of writing, there is currently a grace period for regis- in the UK. tration operating, whereby any in-scope business that was operating Other regulatory processes regarding crypto-assets continue in crypto-asset services as at 10 January 2020 has until 10 January 2021 other areas. These follow on from the FCA, Bank of England and HM to register. For any business launching after 10 January 2020, they must Treasury’s Crypto Assets Task Force report of 2018, which announced be registered with the FCA before they can begin providing crypto-asset the intention to launch a series of consultations on regulation of the services in the UK. crypto-assets industry, including on: Beyond the registration requirement noted above, there are no • the transposition of the Fifth Anti-Money Laundering directive rules or regulations specifically governing the operation of digital into UK law (which resulted in the registration requirements currency exchanges or brokerages where they deal in spot transac- noted above); tions of unregulated crypto-assets. If a digital currency exchange or • guidance around the application of existing financial services regu- brokerage deals in regulated crypto-assets or any other regulated lation to the crypto assets market (see below); product (even if in tokenised form), FCA regulations will apply around • the potential extension of the FCA’s regulatory perimeter to authorisation and compliance to the same extent that they would apply encompass certain assets and activities within the crypto- to a traditional exchange or brokerage. assets sector (which, as at the date of writing, has not yet been Regulation around crypto-assets in the UK is undergoing some published); and change at the time of writing. • a potential ban on the offering of derivative products to retail customers, where those products reference crypto-assets (which Initial coin offerings was published in 2019, but the results of which have not been 31 Are there rules or regulations governing initial coin offerings released at the time of writing). (ICOs) or token generation events?

On the consultation for guidance on crypto-asset regulation, this was Any business intending on carrying out an initial coin offering (ICO) in launched in January 2019, and finalised guidance was released in July the UK needs to be registered with the FCA. The registration process 2019. The guidance details the FCA’s taxonomy covering ‘exchange is complex and requires the submission of a number of different infor- tokens’ (decentralised assets such as bitcoin), ‘security tokens’ (block- mation requirements. Once a complete application has been submitted, chain-traded products that have similar characteristics to traditional the FCA has three months to consider the application and accept or regulated securities), and ‘utility tokens’ (blockchain-traded products or reject it as it sees fit. At the time of writing, there is currently a grace other items that do not have similar characteristics to traditional regu- period for registration operating, whereby any in-scope business that lated securities). had launched its ICO as at 10 January 2020 has until 10 January 2021 www.lexology.com/gtdt 259 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

to register. For any ICO launching after 10 January 2020, they must be to transfer personal data between the UK and the EU). The oversight of registered with the FCA before they can begin their ICO in the UK. UK businesses’ compliance with the GDPR and related legislation, and Beyond the registration requirement noted above, here are no enforcement of them, is carried out by the UK regulator, the Information rules or regulations specifically governing ICOs, token generating Commissioner’s Office. events or any other analogous token distribution process, provided that There are no rules or regulations in the UK relating to personal the tokens being issued as part of the process in question do not have data that are specifically aimed at fintech companies. the same or similar rights to regulated securities or e-money in the UK. If the token being issued has the same or similar rights attached to it Cybersecurity as regulated securities or e-money in the UK, strict FCA regulations will 33 What cybersecurity regulations or standards apply to fintech apply on issuing, holding, dealing in or otherwise selling those tokens. businesses? Regulation around crypto-assets in the UK is undergoing some change at the time of writing. There are no rules or regulations in the UK that provide cybersecurity requirements for fintech businesses specifically. More generally, DATA PROTECTION AND CYBERSECURITY the GDPR imposes more general requirements on businesses in the UK to ensure a high standard of security over personal data that they Data protection process, including the general obligation to have in place reasonable 32 What rules and regulations govern the processing and technical and organisational measures to ensure the security of that transfer (domestic and cross-border) of data relating to data, compliance with which requires measures relating to cybersecu- fintech products and services? rity to be put in place. Further, for FCA-regulated businesses, the Financial Conduct On 25 May 2018, the EU General Data Regulation (GDPR) came into force Authority (FCA) has significant powers of oversight and enforcement in with direct effect across the entire EU. The GDPR governs the storage, respect of those businesses’ internal systems and controls relating to viewing, use of, manipulation and other processing by businesses of protection of confidential client information. The FCA actively manages data that relates to a living individual. In summary, the GDPR requires and oversees these requirements and, in recent years, has imposed that businesses may only process personal data where that processing significant fines on entities that have failed to meet these requirements. is done in a lawful, fair and transparent manner, as further described in the GDPR. OUTSOURCING AND CLOUD COMPUTING The GDPR requires that any processing of personal data must be done pursuant to one of six lawful bases for processing. The most Outsourcing commonly used lawful basis for processing is to obtain the consent 34 Are there legal requirements or regulatory guidance with of the data subject to that processing – in relying on this lawful basis, respect to the outsourcing by a financial services company of the business must ensure that the consent is freely given, specific, a material aspect of its business? informed and unambiguous, and capable of being withdrawn as easily as it is given. This places a significant burden on businesses to ensure The position on regulation of outsourcing by financial services compa- that their customers are fully informed as to what their personal data is nies in the UK is a complex picture, encompassing a number of different being used for, which is a crucial change to the previous regime under requirements that apply in different ways, depending on the type of which disclosure did not need to be so transparent. Other lawful bases financial services business in question. for processing data include where that processing is necessary for the The most important of these requirements is the new European business to perform a contract it has with the data subject, or where Banking Authority (EBA) guidelines. On 25 February 2019, the EBA required to comply with an obligation the business has at law (not a published revised (final) guidelines on outsourcing arrangements (the contractual obligation). Guidelines) for credit institutions and certain investment firms as well The GDPR further differs from the previous regime in that it places as payment and electronic money institutions. The Guidelines amend a significantly increased compliance burden on businesses, including for and finalise previously published draft guidelines in light of extensive example mandatory requirements to notify regulators of data breaches, consultation responses from the industry and industry bodies. Therefore, obligations to keep detailed records on processing, and requirements the Guidelines are consistent with, and build upon, the previous Senior for most entities to appoint a data protection officer. Management Arrangements, Systems and Controls Chapter 8 (SYSC 8) The GDPR does not apply to personal data that has been truly requirements (which now operate mostly as guidance rather than as anonymised – as anonymised data cannot, by definition, be personal requirements); however, they apply to a broader set of businesses than data. However, to ensure that GDPR does not apply to a certain data set, SYSC 8 – most noteworthy is the inclusion of payment and electronic that data set must be truly anonymised. The GDPR itself gives limited money institutions, which are not subject to SYSC 8. guidance on anonymisation in Recital 26, requiring data controllers to In broad terms, the Guidelines provide more granular detail around consider a number of factors in deciding if personal data has been truly requirements that relevant businesses must comply with when carrying anonymised, including the costs and time required to de-anonymise, out outsourcing (including in relation to internal processes and proce- the technology available at the time to attempt de-anonymisation and dures), compared to the SYSC 8 requirements. further developments in technology. The Guidelines took effect on 30 September 2019 and have been Businesses that infringe the GDPR may be subject to administra- adopted in the UK. All new outsourcing contracts entered into after this tive fines of an amount up to €20 million or 4 per cent of global turnover, date should be compliant with the Guidelines, and relevant institutions whichever is higher. are expected to review and update any internal processes and proce- In the UK, the Data Protection Act 2018 came into force at the same dures to meet the Guidelines' requirements. There is also a backstop time as the GDPR. Among other things, it replaces the Data Protection date for upgrading pre-existing contracts to comply with the Guidelines Act 1998, fills in gaps in the GDPR and ensures that on leaving the EU, by 31 December 2021. The Guidelines support harmonisation of existing the UK will have an ‘adequate’ data protection regime compared to that regulation and guidance applicable to different types of financial of the EU (with the aim of ensuring an unhindered ability for businesses services firms.

Cloud computing However, copyright and inventions created by contractors or 35 Are there legal requirements or regulatory guidance with consultants in the course of their duties are owned by the contractor respect to the use of cloud computing in the financial services or consultant unless otherwise agreed in writing. Database rights are industry? owned by the person who takes the initiative and assumes the risk of investing in obtaining, verifying and presenting the data in question. There are no specific legal requirements in the UK regarding the use of Depending on the circumstances, this is likely to be the business that cloud computing in the financial services industry. However, there does has retained the contractor or consultant. exist a body of guidance on the subject and a number of legal requirements that apply to indirectly regulate the use of cloud computing in Joint ownership financial services. 38 Are there any restrictions on a joint owner of intellectual The primary legal requirements relevant to this question relate to property’s right to use, license, charge or assign its right in the EBA and other outsourcing requirements, which apply to financial intellectual property? services businesses when outsourcing material functions within their businesses. In many different contexts, the use of cloud services will Restrictions on a joint owner’s ability to use, license, charge or assign be of sufficiently significant importance to the business’s operations its right in intellectual property will depend on the intellectual property to bring this requirement into scope and require the business to meet right in question. For example, the restrictions on a joint owner of a those outsourcing requirements in undertaking outsourcing. patent are different from those on a joint owner of copyright. A joint copyright owner cannot copy, license or grant security over INTELLECTUAL PROPERTY RIGHTS jointly owned copyright without the consent of the other joint owners (see sections 16(2) and 173(2) of the Copyright, Designs and Patents Act IP protection for software 1988). Each joint owner may assign their own interest, but consent is 36 Which intellectual property rights are available to protect required for an assignment of the whole right. A joint copyright owner is software, and how do you obtain those rights? also able to grant security over their interest. In the case of UK patents and patent applications, a joint owner is Computer programs (and preparatory design materials for computer entitled to work the invention concerned for his or her own benefit and programs) are protected by copyright as literary works. Copyright does not need the consent of the other joint owners to do so (section arises automatically as soon as the computer program is recorded. No 36(2) PA 1977). However, the consent of the other joint owners is registration is required. required to grant a licence under the patent or patent application and to Databases underlying software programs may also be protected assign or mortgage a share in the patent or patent application (section by copyright and, in certain circumstances, by database right. Database 36(3) PA 1977). right is a standalone right that protects databases that have involved The situation is similar for UK-registered trademarks. Each joint a substantial investment in obtaining, verifying or presenting their owner is entitled to use the registered trademark for their own benefit contents (see section 14(1) of the Copyright and Rights in Databases without the consent of the other joint owners (section 23(3) Trade Regulations 1997). Both database copyright and database rights arise Marks Act 1994 (TMA 1994)), but the consent of the other joint owners is automatically without any need for registration. required to grant a licence of the trademark and to assign or charge a If the software code has been kept confidential, it may also be share in the trademark (section 23(4) TMA 1994). protected as confidential information. No registration is required. Given the variations in the rights and restrictions of joint owners, Programs for computers, and schemes, rules or methods of doing and given that the rights of joint owners also differ on a country-by- business ‘as such’, are expressly excluded from patentability under country basis, it is highly advisable in any situation where parties work the Patents Act 1977 (PA 1977). These exclusions ultimately flow from together on a project to agree at the outset how the results are to be the European Patent Convention. Notwithstanding these exclusions, owned by the parties and their individual rights to exploit the results. it is possible to obtain patents for computer programs and business In general, joint ownership of intellectual property should be avoided if methods if it can be shown that the underlying invention makes a possible because of the complexities described above. ‘technical contribution’ over and above that provided by the program or business method itself, such as an improvement in the working of Trade secrets the computer. Accordingly, a well-drafted patent may be able to bring 39 How are trade secrets protected? Are trade secrets kept a computer-based, software or business method invention within this confidential during court proceedings? requirement, but this may be difficult to do and will not always be possible. Registration formalities must be followed to obtain protection. Protection of trade secrets in the UK is regulated by The Trade Secrets (Enforcement, etc) Regulations 2018 (the Trade Secrets Regulations), IP developed by employees and contractors which implement the Trade Secrets Directive in the UK and came into 37 Who owns new intellectual property developed by an force on 9 June 2018. Trade secrets are also protected by the law employee during the course of employment? Do the same on breach of confidence, which provides broadly the same level of rules apply to new intellectual property developed by protection as is required under the Trade Secrets Directive. The Trade contractors or consultants? Secrets Regulations define what qualifies as a protectable trade secret, providing protection for information that: Copyright and database rights created by an employee in the course • is secret, in the sense that it is not generally known among, or of their employment are automatically owned by the employer unless readily accessible to, persons within the circles that normally deal otherwise agreed. Inventions made by an employee in the course of with the kind of information in question; their normal duties (or, in the case of employees who owe a special • has commercial value because it is secret; and obligation to further the interests of their employer’s business, in the • has been subject to reasonable steps (under the circumstances) by course of any duties) are automatically owned by the employer (see the holder of the information to keep it secret. section 11(2) of the Copyright, Designs and Patents Act 1988). www.lexology.com/gtdt 261 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

The Trade Secrets Regulations also implement aspects of the Trade • issues around the anticompetitive use of algorithms and Secrets Directive that differ from, or add to, the existing law applying machine learning. to the protection of confidential information. This includes specifying the limitation period for bringing a trade secrets claim and the rules The Competition and Markets Authority (CMA), Financial Conduct regarding awarding damages and interim and corrective measures. Authority (FCA) and Payment Systems Regulator (all of which are Confidential information (which may include non-public information concurrent competition law enforcement authorities in the UK) gener- that is not captured by the definition of ‘trade secret’) can be protected ally consider fintech to represent a pro-competitive force, leading to against misuse, provided the information in question has the necessary change in markets and encouraging innovation. For example, the FCA is quality of confidence and is subject to an express or implied duty of an active participant in the Global Financial Innovation Network. confidence. In the case of both trade secrets and the confidential infor- The CMA has been undertaking a number of initiatives to formulate mation, no registration is necessary (or possible). Trade secrets and its approach to the regulation of competition in the UK digital markets, confidential information can be kept confidential during civil proceed- with a view to focusing on the protection of the consumer. As well as ings with the permission of the court. undertaking an investigation into the retail banking market, seeking to implement open banking and improve the quality of information Branding provided to customers, the CMA has also taken advice from external 40 What intellectual property rights are available to protect experts, advocating a more involved approach to competition regula- branding and how do you obtain those rights? How can fintech tion. The CMA has been advised to perform more sophisticated analyses businesses ensure they do not infringe existing brands? of digital mergers, consider the role of big data in creating barriers to entry, and take account of network affects to create more effective rules Brands can be protected as registered trademarks either in the UK for large digital platforms (see Furman and Lear reports for further alone (as a UK trademark) or across the EU (as an EU trademark). A information). As a result, the CMA issued its Digital Markets Strategy in brand can also be protected under the common law tort of passing-off if July 2019: a vision for how it proposes to protect consumers in complex it has acquired sufficient goodwill. and rapidly-changing digital markets while continuing to protect inno- Certain branding, such as logos and stylised marks, can also be vation. One concrete outcome of this has been the creation of a Digital protected by design rights and may also be protected by copyright as Markets Taskforce, a dedicated unit with the role of monitoring develop- artistic works. ments in digital markets and advising the Government on how best to The UK and EU trademark databases can all be searched to iden- approach them. tify registered or applied for trademark rights with effect in the UK. It is The CMA has also taken an increasingly interventionist stance highly advisable for fintech businesses to conduct trademark searches in UK merger cases. In part, this is probably as a result of it having to check whether earlier registrations exist that are identical or similar received more resources in preparation for Brexit; but also because of to their proposed brand names. It may also be advisable to conduct a growing feeling that it may have been missing transactions that have searches of the internet for any unregistered trademark rights that may negatively impacted competition. This more interventionist approach prevent use of the proposed mark. has been present in all sectors to some extent, but it has been particularly noticeable in relation to fintech deals – a number of Phase II Remedies for infringement of IP (in-depth) investigations have been related to transactions involving 41 What remedies are available to individuals or companies fintech players in the last 12 months. whose intellectual property rights have been infringed? The future of fintech competition regulation will depend in some part on the UK’s relationship with the EU post-Brexit. The FCA has as Remedies include: one of its priorities the development of future bilateral arrangements • preliminary and final injunctions; with the EU and the rest of the world to promote its expertise in fintech • damages or an account of profits; regulation. • delivery up or destruction of infringing products; • publication orders; and TAX • costs. Incentives COMPETITION 43 Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the Sector-specific issues fintech sector in your jurisdiction? 42 Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction? The UK has introduced a wide range of tax incentives that are available to fintech companies and investors in such companies. The key incen- Competition authorities in the UK (and elsewhere) face a range of poten- tives are set out below, although there are a number of conditions to be tially complex competition law issues in relation to fintech offerings. met to qualify for each scheme: These include: • seed enterprise investment scheme (SEIS): 50 per cent income tax • the risks around the exchange of competitively sensitive relief and exemption from capital gains tax for investors in high- information; risk start-up trading companies; • the risks of a fintech firm or platform obtaining a dominant posi- • enterprise investment scheme (EIS): 30 per cent income tax relief tion in the market and any behaviour that could potentially exclude and exemption from capital gains tax for investors in small high- other market players; risk trading companies; • the development and participation in technical standards; • venture capital trust (VCT) scheme: 30 per cent income tax relief • exclusivity arrangements between parties to a fintech offering; and exemption from capital gains tax for investors in venture • the limits of any specified tying or bundling of products or services capital trusts, which subscribe for equity in, or lend money to, small to the fintech solution; and unquoted companies;

• business asset disposal relief (formerly entrepreneurs’ relief): a From April 2021, large businesses will be required to notify HMRC reduced 10 per cent capital gains tax rate for entrepreneurs selling when they take a tax filing position HMRC is likely to challenge. The business assets (only available to directors and employees of government is consulting on how this will operate and there are still businesses); many details to be ironed out. However, the rules are expected to apply • investors’ relief: an additional reduced 10 per cent capital gains to businesses with a turnover above £200 million or a balance sheet tax rate that allows other types of shareholders to benefit from total over £2 billion. Large fintech businesses are advised to watch out the same relief as is provided under business asset disposal for developments in this area. relief when they sell their shares. Unlike business asset disposal relief, this reduced rate is only available to investors who have IMMIGRATION not been officers or employees in the company whose shares are being sold; Sector-specific schemes • research and development tax credits: tax relief for expenditure on 45 What immigration schemes are available for fintech research and development; businesses to recruit skilled staff from abroad? Are there • patent box regime: a reduced 10 per cent corporation tax rate any special regimes specific to the technology or financial for profits from the development and exploitation of patents and sectors? certain other intellectual property rights; • innovative finance ISA eligibility: peer-to-peer (P2P) loans are Nationals from EU countries, Iceland, Liechtenstein, Norway and eligible for inclusion in tax-free ISAs; Switzerland • tax relief for P2P bad debt: an income tax relief for irrecoverable Despite the UK’s departure from the EU, Fintech businesses are P2P loans, or P2P bad debt; and currently still able to recruit workers from EU countries, Iceland, • P2P interest withholding tax exemption: P2P loan interest payments Liechtenstein, Norway and Switzerland in the same way and on the are exempt from UK withholding tax. same basis as they recruit British nationals. However, this is set to change with nationals from EU countries, Subject to applicable lifetime limits, a company may raise up to £150,000 Iceland, Liechtenstein, Norway and Switzerland who enter the UK after under the SEIS over a three-year investment period and up to a total 31 December 2020 becoming subject to the same working visa require- of £5 million (£10 million for knowledge-intensive companies) over 12 ments as nationals from other countries. months from ‘relevant investments’, which includes investments under the SEIS and EIS and investments by VCTs. While financial activities Nationals from other countries are an excluded activity for the SEIS, EIS and VCT scheme, as long as Workers from other countries may only be recruited by UK fintech busi- a fintech company is only providing a platform through which financial nesses if they meet the relevant eligibility criteria and are awarded activities are carried out, such a fintech company should still qualify for sufficient points under a tiered points-based system. The relevant tiers those schemes assuming it meets the other conditions. for fintech businesses are likely to be tier 1 and tier 2. Tier 1 is open to investors and, until recently, included the Increased tax burden Exceptional Talent visa. This is now closed to new applicants and has 44 Are there any new or proposed tax laws or guidance that been replaced by a Global Talent visa, which is available to highly expe- could significantly increase tax or administrative costs for rienced and internationally recognised professionals in a wide range of fintech companies in your jurisdiction? disciplines, including digital technology. The application depends on an endorsement by an approved body that, in the case of digital technology In the Budget 2020, the lifetime limit for business asset disposal relief applicants, is Tech Nation. (formerly entrepreneurs’ relief) was reduced from £10 million to £1 Tier 1 also includes options for entrepreneurs who may apply for million for any qualifying disposals made on or after 11 March 2020. either a ‘start-up visa’ or an ‘innovator visa’, depending on their level This significantly decreases the relief available from capital gains tax for of experience. In many cases, entrepreneurs and other workers will investors disposing of businesses where the investor meets the quali- require an assessment or endorsement by a relevant UK body, which fying conditions. for fintech related roles is likely to be Tech Nation The Budget 2020 announced a review of VAT on fund management Tier 2 is open to skilled workers who are sponsored by a licensed fees alongside the establishment of an industry working group to review organisation where the role is being transferred to the UK from over- how financial services are treated for VAT purposes. Fintech companies seas or cannot be filled by someone living in the UK. A worker with skills are advised to keep an eye on what emerges from the working group, deemed to be in short supply receives a number of advantages under given the potential impact on their tax position. the tiered points-based system. Roles currently deemed to be in short The digital services tax (DST) was introduced from 1 April 2020 supply include IT business analysts, architects and system designers, following a government consultation. This 2 per cent tax applies to the programmers and software development professionals, and other infor- revenues of search engines, social media services and online market mation technology and communications professionals. Finance roles places, which derive value from UK users. The DST applies where a are not currently considered to be in short supply. group’s worldwide revenue from digital activities is more than £500 million and more than £25 million of the revenue is derived from the UPDATE AND TRENDS UK. As such, the tax is expected to impact a small number of large multinationals. Financial services providers are excluded from the Current developments online market places definition, meaning fintech companies should 46 Are there any other current developments or emerging generally fall out of the scope of this tax. However, where there are trends to note? unified platforms with social media, marketplace and search engine elements and the threshold conditions are met, then fintech companies The authorities in the UK continue to develop their approach to the could fall in scope for revenue from the social media and search engine regulation of fintech businesses. While we expect the next six months income streams. of regulatory and policy activity to focus on supporting all aspects of www.lexology.com/gtdt 263 © Law Business Research 2020 United Kingdom Simmons & Simmons LLP

the financial services sector (including the fintech sector) through the impact of the coronavirus pandemic and Brexit uncertainty, there is still a large amount of fintech-specific regulator activity on the horizon. In May 2020, The Financial Conduct Authority (FCA) launched a regulatory grid to help financial firms prepare for upcoming regulatory work. Upcoming regulatory work relevant to the fintech sector includes: • a review of the UK fintech sector to identify measures to maintain growth and competitiveness; • a consultation on a measure to bring certain crypto-assets into the Angus McLean [email protected] scope of financial promotions regulation; • the Cryptoasset Task Force consultation on the broader regula- George Morris tory approach to crypto-assets, including new challenges from [email protected] stablecoins; Jo Crookshank • changes to the regulatory regime to prohibit investment products [email protected] referencing certain crypto-assets; Kate Cofman-Nicoresti • a project involving the Bank of England (BOE) and seven firms to [email protected] explore the viability of testing machine-readable and -executable regulatory reporting; Olly Jones • the establishment of a joint FCA and BOE forum with industry to [email protected] look at the impact of AI on financial services; Penny Miller • the implementation of new rules to enhance the security of [email protected] payments and limit fraud during the authentication process; and Peter Broadhurst • an assessment of the opportunities and risks arising from open [email protected] finance and the FCA’s role in ensuring that it develops in the best interests of consumers. CityPoint In its 2020/2021 business plan, the Prudential Regulation Authority One Ropemaker Street has outlined its intention to focus on digital currencies and RegTech. London EC2Y 9SS United Kingdom It also intends to examine its regulatory framework to identify any Tel: +44 20 7628 2020 changes required. Fax: +44 20 7628 2070 The BOE has launched a review in discussion with banks, insurers www.simmons-simmons.com and financial market infrastructures to reform regulatory data over the next decade. The review will seek ways to decrease the burden on industry and to increase the timeliness and effectiveness of data in supporting supervisory judgements, with the outputs helping inform up to £2,500. The scheme will run until October 2020, but the level appropriate next steps. of government funding will taper from August 2020, with employers The Payment Systems Regulator’s key projects for the coming year being expected to contribute the balance of the payments; include a commitment to supporting Pay.UK’s development of the New • a £500 million Future Fund for Innovative UK-based companies, Payments Architecture and ensuring that it delivers a resilient medium which allows them to apply for a convertible loan of between for making digital payments. It has also strengthened its commitment £125,000 and £5 million from the UK government. The government to ensuring that the market for card-acquiring services work well; high- loans need to be matched by private investors; and lighted the need for greater efforts to tackle authorised push payment • £750 million grant and loan funding to be provided to small and scams; and committed to ensuring that payment systems and markets medium-sized enterprises focusing on research and development. are more competitive. The funding will be administered by Innovate UK.

Coronavirus Fintech businesses should carefully consider the appropriateness of 47 What emergency legislation, relief programmes and other these schemes to determine whether any of them are suitable for their initiatives specific to your practice area has your state business needs. Further information about the various schemes can be implemented to address the pandemic? Have any existing found on the business support pages of the government coronavirus government programmes, laws or regulations been amended website at www.gov.uk/coronavirus/business-support. to address these concerns? What best practices are advisable The government also introduced changes to insolvency law for for clients? businesses that get into significant financial difficulty. These are likely to include temporary measures intended to deal with specific issues The UK government has launched a number of schemes to support arising from the covid-19 pandemic and permanent changes that businesses with the impact of the covid-19 pandemic. To date, there were trailed during consultations carried out in 2016 and 2018 but are no government measures specifically focused on the fintech sector. never implemented. The draft legislation is currently being consid- However, several of the general support measures may be relevant to ered by the UK Parliament in the form of the Corporate Insolvency and fintech firms. These include: Governance Bill. • the Bounce Back Loan Scheme, which provides small businesses with a quick and easy option to apply for an 100 per cent government-backed loan of up to £50,000; • the Coronavirus Job Retention Scheme under which the government pays up to 80 per cent of the salaries of furloughed workers

Acquisition Finance Distribution & Agency Investment Treaty Arbitration Public M&A Advertising & Marketing Domains & Domain Names Islamic Finance & Markets Public Procurement Agribusiness Dominance Joint Ventures Public-Private Partnerships Air Transport Drone Regulation Labour & Employment Rail Transport Anti-Corruption Regulation e-Commerce Legal Privilege & Professional Real Estate Anti-Money Laundering Electricity Regulation Secrecy Real Estate M&A Appeals Energy Disputes Licensing Renewable Energy Arbitration Enforcement of Foreign Life Sciences Restructuring & Insolvency Art Law Judgments Litigation Funding Right of Publicity Asset Recovery Environment & Climate Loans & Secured Financing Risk & Compliance Management Automotive Regulation Luxury & Fashion Securities Finance Aviation Finance & Leasing Equity Derivatives M&A Litigation Securities Litigation

Aviation Liability Executive Compensation & Mediation Shareholder Activism & Fintech 2021 Banking Regulation Employee Benefits Merger Control Engagement Business & Human Rights Financial Services Compliance Mining Ship Finance Cartel Regulation Financial Services Litigation Oil Regulation Shipbuilding Class Actions Fintech Partnerships Shipping Cloud Computing Foreign Investment Review Patents Sovereign Immunity Commercial Contracts Franchise Pensions & Retirement Plans Sports Law Competition Compliance Fund Management Pharma & Medical Device State Aid Complex Commercial Litigation Gaming Regulation Structured Finance & Construction Gas Regulation Pharmaceutical Antitrust Securitisation Copyright Government Investigations Ports & Terminals Tax Controversy Corporate Governance Government Relations Private Antitrust Litigation Tax on Inbound Investment Corporate Immigration Healthcare Enforcement & Private Banking & Wealth Technology M&A Corporate Reorganisations Litigation Management Telecoms & Media Cybersecurity Healthcare M&A Private Client Trade & Customs Data Protection & Privacy High-Yield Debt Private Equity Trademarks Debt Capital Markets Initial Public Offerings Private M&A Transfer Pricing Defence & Security Insurance & Reinsurance Product Liability Vertical Agreements Procurement Insurance Litigation Product Recall Dispute Resolution Intellectual Property & Antitrust Project Finance

Also available digitally lexology.com/gtdt

ISBN 978-1-83862-339-5