How would you describe the regulatory policy for fintech products and services in your jurisdiction?
The Commission de Surveillance du Secteur Financier (CSSF) is an open regulator and is generally flexible when it comes to financial innovation matters; it usually takes a technologically neutral view when assessing a new fintech project. Nadia Manzari, head of innovation, payments, markets infrastructures and governance at the CSSF, has stated that: “Luxembourg’s innovative regulatory approach has contributed to develop an important payment services industry which generates nowadays an ecosystem of highly innovative products.”
The CSSF was one of the first European regulators to adopt a clear position in favour of virtual currencies and, through its dedicated division for financial innovation and technology, has launched a number of initiatives to facilitate fintech innovations (notably through the introduction of simplified due diligence for low-value online payment transactions).
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
No, but further legislation may be introduced as fintech industries mature and evolve – for example, in relation to virtual currencies and initial coin offerings.
Which government authorities regulate the provision of fintech products and services?
In order to be established in Luxembourg to carry out financial sector activity, a fintech entity must have authorisation from the minister of finance and be subject to supervision by the CSSF. The same rules apply to financial technologies and new digital services. Far from preventing innovation, this supports the development of a level playing field for fintech products and services and offers security for customers and investors.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
The main legislation and codes of practice that govern the traditional financial services industry include the following:
- the Law of April 5 1993 on the financial sector (as amended), which regulates and controls entities undertaking financial services business in Luxembourg;
- the Law of November 10 2009 on payment services (as amended), which regulates payment institutions and electronic money institutions;
- the Law of November 12 2004 on the fight against money laundering and terrorist financing (as amended) and the Law of October 27 2010 enhancing the anti-money laundering and counter terrorist financing legal framework, organising the controls of physical transport of cash entering, transiting through or leaving the Grand Duchy of Luxembourg (as amended);
- the Law of August 2 2002 relating to the protection of individuals as regards the processing of personal data (as amended), to be repealed and replaced by the law implementing the EU General Data Protection Regulation (GDPR) in Luxembourg; and
- the Law of December 6 1991 on the insurance industry (as amended) and the Grand Ducal Regulation of December 14 1994 (as amended), which regulate and control insurers and their activities in Luxembourg.
The extent to which these apply to fintech businesses in any given case will depend on the nature of the business and the way in which a fintech product or service is structured and delivered. Engaging in these businesses without complying with the licence or registration requirements may lead to criminal penalties.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
Depending on the services offered, it is possible that the law on the financial sector could apply, which would require the fintech company to obtain a specific licence from the CSSF in order to perform its activities.
If regulated, fintech solutions will be accepted only if they fully comply with the legal requirements, particularly in the fields of data privacy and data protection, know-your-customer regulations and IT security requirements.
Are any fintech products or services prohibited in your jurisdiction?
Any fintech product or service falling within the ambit of existing legislation will be prohibited if it does not comply with the applicable regulatory framework.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
Luxembourg's data protection legislation will be updated in May 2018 to bring it in line with GDPR. This local legislation will apply to all Luxembourg businesses, including fintech businesses, and is expected to include provisions relating to the processing and transfer of data consistent with GDPR.
What cybersecurity regulations or standards apply to fintech businesses?
Luxembourg data protection law (as it will be amended by GDPR) provides that data controllers and data processors must implement all appropriate technical and organisational measures to ensure the protection of the data they process against accidental or unlawful destruction or accidental loss, falsification, unauthorised dissemination or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The Luxembourg Criminal Code also sets down penalties for cybercrime, including illegal access, hacking and deletion of computer data.
As well as this developed legal framework, Luxembourg has launched initiatives to enhance awareness of the risks linked to information and communications technology, and to contribute to a more secure use of those technologies.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
Please see above in relation to the anti-money laundering legislation.
The Luxembourg Bankers’ Association and the University of Luxembourg recently launched a joint research project on the distributed ledger prototype and data analytics for Know Your Customer (KYC). This project aims to develop and test new conceptual and technological approaches to KYC procedures in the financial services sector, enabling financial institutions to use more efficient methods of customer identification.
What precautions should fintech businesses take to ensure compliance with these provisions?
What consumer protection laws and regulations apply to the provision of fintech products and services?
Privacy and consumer protection in the fintech domain is guaranteed by the Consumer Code of April 8 2011 regarding distance contracts on financial services (as amended) and the Law of August 2 2002 on the protection of persons about the processing of personal data (as amended).
The CSSF is competent to receive complaints from customers of fintech entities subject to its supervision and to act as an intermediary to seek the amicable settlement of such complaints.
The CSSF acts in its capacity as a dispute resolution body, notably pursuant to the EU legislation on the out-of-court resolution of consumer disputes, as transposed into Luxembourg national law and introduced into the Consumer Code in 2016.
The CSSF is registered on the list of the alternative dispute resolution (ADR) bodies and on the list of ADR entities established and published by the European Commission.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
Luxembourg is the only country in the European Union without a prior merger control system. Nevertheless, a merger or acquisition and the parties involved may be subject to a posteriori control by the Luxembourg Competition Council pursuant to the Law of October 23 2011 on competition (as amended).
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
GDPR and the equivalent local data protection legislation to be introduced in Luxembourg will regulate the cross-border transfer of data.