All questions


The fintech market in general has demonstrated a remarkable resilience against the challenges caused by the covid-19 pandemic. Agile service providers offering reliable and innovative digital solutions for the financial sector may even be considered as beneficiaries of the crisis. This holds particularly true for solutions for cashless payments or 'neo-brokering' (i.e., online brokerage services at low or even nil execution costs).

As a matter of general tendency, the fintech market in Germany has already become relatively consolidated and mature and its influence on the financial sector has been rather revolutionary in nature.2 Although a 'winner-takes-all' phenomenon has been observed (attributed to increased competition and high acquisition costs), fintechs are still expected to benefit from new business opportunities.3 It might also be perceived as an indication of a matured market that fintech companies have increasingly been integrated by banks and financial institutions into their value chains.4

These developments, however, do not mean that the German fintech market has become stagnant. The opposite is true. According to a study, in 2021 there were 639 active fintech companies in Germany, out of which 55 per cent were under five years old.5 The highest proportion of young start-ups was identified in the risk and compliance (96 per cent) and decentralised finance (DeFi) (72 per cent) segments.6 As far as financing and capital access for young fintech companies is concerned, financing activity in Germany was on the rise in 2021, with the total number of financing transactions increasing by an average of 6 per cent per quarter, with early-stage financings most frequent in the fields of asset management and investment, credit and factoring, as well as DeFi.7 In addition, the German fintech market has seen significant funding for neo-banks and neo-brokers. Other significant fintech segments include banking, application programming interface banking and personal finance management.8 Thus, even though overall start-up activity in Germany has declined in the past three years (by an average of 1 per cent per quarter),9 new fintech companies are being established and further developments can be expected.

Fintech-related topics have been frequently and intensively discussed in Germany, not only by participants in the financial sector but also by politicians and regulatory authorities. In particular, the question of whether the present legal framework gives sufficient leeway for the application of blockchain-based business models while simultaneously providing a sufficient level of protection for market participants has been the subject matter of these discussions. As a result, an EU-wide framework for cryptoassets and an EU-level sandbox model have been proposed by the European Commission as part of the Digital Finance Package.10

In 2020, the German federal legislator introduced statutory provisions according to which crypto values qualify as financial instruments for financial licensing purposes and crypto custody business became subject to a licence requirement under the German Banking Act (KWG). Further, in 2021 the German securities law was fundamentally changed: the introduction of electronic securities implemented one of the key points of the German government's blockchain strategy.11 With this step, the German legislator is following the path of other European countries towards securities dematerialisation.12

Further, the German Federal Financial Supervisory Authority (BaFin) has published several statements, explanations and opinions13 on topics such as big data, artificial intelligence (AI) and distributed ledger technologies (DLTs), as well as digitalisation and information security.14 The recent statutory rules on crypto values and the crypto custody business, as well as on blockchain-based dematerialised securities, also indicate that the legislator has realised the need to provide legal certainty for innovative business models and services.

Generally, the German legislator and BaFin apply the technology-neutral principle of 'same business, same risk, same regulation'.15 This is illustrated by the fact that neither the legislator nor BaFin has promulgated rules that privilege fintech companies compared to traditional players in the financial sector. Therefore, a 'sandbox' model that establishes an innovation space where fintech companies may test business models without tight regulation as established in the United Kingdom and in Switzerland has not been introduced in Germany yet.

Hence, BaFin attempts to find a balance between supervisory concerns and the start-up culture that often exists within the fintech sector. As part of its efforts in this regard, BaFin provides fintech companies with information concerning supervisory issues on its website.

There is no special public funding instrument for fintech companies, but the German Ministry of Economics has set up the programme 'INVEST' to help start-ups raise venture capital. If business angels purchase shares of newly founded innovative companies and hold them for more than three years, 20 per cent of their original investment will be reimbursed by the state up to a limit of €100,000.16 To qualify for the programme, investors have to spend at least €10,000. Invested capital must not result from a third-party loan to the investor. Furthermore, the business angel has to participate in the new company's gains and losses. Investors must be natural persons living in the European Economic Area (EEA) or must use special investment companies registered in Germany (e.g., the limited liability company, GmbH).

Generally speaking, German regulatory authorities and the government emphasise that they recognise the potential of fintech for public economic benefit, while the regulation partly still seems rather conservative when the traditional regulatory standards, which stem from the pre-digitalisation era, are applied (although the efforts of BaFin to support fintech companies by offering detailed legal information and by improving the communication channels, as well as recent legislative changes concerning the regulatory requirements for cryptoasset-related services, are evident). The current dynamics in the field of regulating digital finance, blockchain and cryptoassets, both at the EU and a national level, indicates that the legal framework relevant for fintech companies has gained material momentum and may be expected to further evolve quite fast.

The potential of digitalisation has not only been recognised by the participants in the financial industry, but also by central regulators for the purposes of the monetary system. In particular, the Governing Council of the European Central Bank (ECB) has decided to work on the development of a digital euro, which would be an electronic form of a legal tender, introduced for the use by natural persons and firms alongside cash.17 In July 2021, the Governing Council of the ECB decided to launch the investigation phase of the digital euro project, which started in October 2021 and will last two years. It remains to be seen what the outcome of the investigation phase will be and whether the path towards a digital euro will be pursued.18


i Licensing and marketing

The general rules apply to licensing and marketing of fintech companies in Germany. Because there is no specific fintech licence available in Germany, the regulation of fintech companies depends ultimately on the business they carry out. This again results from the technology-neutral 'same business, same risk, same rules' approach. The entire array of licences and marketing restrictions may therefore become relevant for fintech business models.

In particular, the following types of licences have to be taken into account:

  1. licence pursuant to Section 32(1) of the Banking Act (KWG) for providing banking businesses within the meaning of Section 1(1), sentence 2 of the KWG;
  2. licence pursuant to Section 15(1) of the recently introduced Securities Institutions Act (WpIG) implementing Directive (EU) 2019/2034 on the prudential supervision of investment firms or pursuant to Section 32(1) of the KWG for providing financial services within the meaning of Section 2(2) of the WpIG and Section 1(1a), sentence 2 of the KWG (including, since 1 January 2020, the crypto custody business within the meaning of Section 1(1a), sentence 2, No. 6 of the KWG, which is of particular relevance for fintech companies);
  3. licence pursuant to Section 10(1) of the Payment Services Supervisory Act (ZAG) for providing payment services or pursuant to Section 11 of the ZAG for the issuance of e-money;
  4. licence pursuant to Section 20(1) of the Capital Investment Code (KAGB) or, less burdensome, the mere registration pursuant to Section 44(1) of the KAGB for offering collective asset/funds management;
  5. licence pursuant to Sections 34c, 34d and 34f of the Industrial Code (GewO) for the brokerage of loans, insurance contracts and certain financial products; and
  6. licence pursuant to Section 8(1) of the Insurance Supervisory Act for conducting insurance business.

In addition, the EU-wide Regulation (EU) 2020/1503 on European crowdfunding service providers for business (ECSPR) has applied since November 2021; this requires crowdfunding services providers to obtain authorisation from the national supervisory authority (in Germany, BaFin).

Under German law, a licence requirement is generally triggered if one intends to provide, in Germany, commercially, or on a scale that requires commercially, organised business undertaking one of the services listed in the comprehensive catalogues of regulated activities referred to above. Consequently, it needs to be carefully analysed whether a fintech business model falls within the scope of one or several of these regulated services.

Depending on the type of licence, different authorities might be competent to grant the relevant licence. Placing the competent authorities in a hierarchy, the ECB is at the top with its competence for granting licences for institutions that intend to carry out banking business that includes lending and deposit-taking business and for most systemic investment firms. Beneath the ECB, BaFin is the competent authority for institutions that intend to provide banking business except for lending and deposit taking, including investment services (other than most systemic investment firms) and other financial services, payment services, collective asset or funds management and insurance business. The third level in the hierarchy would consist of the authorities that have been endowed under the German federal state laws with the competence to grant licences pursuant to the GewO.

All these types of licences may become relevant for fintech business models. This can be illustrated by the observation that 'fintech banks' were established in Germany as institutions holding a banking licence granted by ECB.

Both the requirements to obtain a licence under the German financial supervisory laws and subsequent ongoing legal requirements depend on the type of licence. For instance, the requirements to obtain a licence pursuant to Section 15(1) of the WpIG for providing investment brokerage or investment advice are less tight than obtaining a licence pursuant to Section 32(1) of the KWG for guarantee or for safe custody business. In this regard, it makes a significant difference for regulatory purposes whether an institution is entitled to hold funds or assets for its clients because in this case the regulatory requirements are stricter and more comprehensive.

The licence requirement for the crypto custody business, introduced under the KWG in 2020, may be considered the first fintech-specific or at least fintech-focused licence requirement under German law. The corresponding changes to the KWG were made in the course of the implementation of the Fifth EU Anti-Money Laundering (AML) Directive19 but without the legal necessity under EU law to make such changes to the KWG. The relevant Section 1(1a), sentence 2, No. 6 of the KWG defines crypto custody business as custody, management and safeguarding of crypto values or private cryptographic keys used to hold, store or transfer crypto values as a service for others. Cryptographic values, which are now explicitly included in the catalogue of financial instruments under Section 1(11), sentence 1, No. 10 of the KWG, are defined as digital representations of value that are not issued or guaranteed by a central bank or a public authority, do not possess statutory status of currency or money, but are accepted by natural or legal persons as a means of exchange or payment, or that serve investment purposes and that can be transferred, stored and traded electronically. Consequently, the term crypto value includes not only cryptocurrencies such as Bitcoin, but also investment tokens. The broad definition of the terms 'crypto value' and 'crypto custody business' (including the activities relating to private cryptographic keys) results in a wide scope of the new licence requirement. The KWG, however, provides for certain relief insofar as crypto custody service providers focusing on this type of financial service (i.e., that do not carry out any other regulated activities) do not have to meet all regulatory obligations applying to other providers of financial services. Instead, these crypto custody service providers are exempted from the general capital and liquidity requirements under the Capital Requirements Regulation (CRR),20 recently amended by CRR II21 and some other rules. However, the requirements on the initial capital, reputation of the board members, proper business organisation and related reporting obligations do apply. Further guidance with respect to crypto custody business has been provided by BaFin.22

At the same time, the licensing regime that may apply to fintech business models is constantly evolving in the EU and so in Germany. This includes the changes of the licensing regime relevant for fintech businesses as introduced by the new EU legislation on European crowdfunding service providers for business (the ECSPR), which also required changes to the German legal framework, the proposed EU Markets in Crypto-assets Regulation (MiCA) and the recent legislation on securities dematerialisation.23 Although it would exceed the given framework to elaborate on the licence requirements for every single fintech-relevant business model, it may be worth illustrating the licence requirement by reference to the robo-advice business model, as these have become popular in Germany in recent years.

Generally speaking, a robo-adviser might be subject to a licence requirement pursuant to Section 15(1) of the WpIG, in particular to provide investment brokerage, investment advice or portfolio management services. BaFin will only grant the necessary licence if, among other requirements, the applicant has at least €75,000 at its free disposal,24 if its managing directors are professionally qualified and with an impeccable reputation and if the applicant can prove that proper risk management will be in place when the regulated business will be commenced.

By way of exception from this general licence requirement under the WpIG, investment brokerage and investment advice may be provided under the less restrictive licence pursuant to Section 34f of the GewO; however, only specific financial products may be brokered or recommended under this privileged licence, which is granted not by BaFin but by the competent authorities in accordance with the laws of the relevant federal state. An additional exception is available for tied agents who closely cooperate with a licensed institution.

When robo-advisory models were introduced, some of the service providers offered robo-advice in the form of investment brokerage by connecting the supply of specific financial products to customers' demand for financial instruments. These models try to implement a structure where the client stays in charge of the investment process so that they make the ultimate decision to buy or sell a financial instrument. There is, however, a thin line between investment brokerage and investment advice. Although BaFin did not pursue a strict approach until 2017, it then made clear that a robo-adviser provides investment advice if clients could get the impression that the investment proposals presented by the robo-adviser are tailored to their individual circumstances.25 The distinction between both types of investment services becomes relevant for the type of licence that is required and, in practice, more important, with respect to the requirements with which the robo-adviser must comply in offering its services. In particular, the suitability report that an investment adviser must prepare and that aims to show how the recommended financial products suit the needs of the client26 is, for many robo-advisers, a bureaucratic obstacle they would like to avoid.

Both the stricter position of BaFin and the preference not to prepare a suitability report for each investment have led to many robo-advisers becoming licensed as portfolio managers.27 Providing this type of investment service, however, involves the obligation to adhere to a comprehensive set of rules of conduct so that robo-advisers must thoroughly analyse which route suits them best and which type of licence they need for their individual business model.

With respect to marketing regulations applicable to fintech companies in Germany, the general rule is that marketing must be fair, transparent and not misleading. These principles follow from the Act against Unfair Competition but are also included in some of the statutory provisions for financial services.28 Whether additional rules have to be taken into account depends primarily on the understanding of the term 'marketing'.

As far as marketing for investment services within the meaning of Section 2(8) of the Securities Trading Act (WpHG) is concerned (including investment brokerage, investment advice, portfolio management and underwriting business), it is rather difficult to distinguish marketing from the rules of conduct for service providers set out in, inter alia, Section 63 et seq. of the WpHG and a regulation promulgated thereunder (the Regulation specifying the rules of conduct and organisational requirements for investment services companies (WpDVerOV)), but also in various delegated regulations promulgated under the second Markets in Financial Instruments Directive (MiFID II).29 These require that offerors of investment services provide their potential clients with mandatory information regarding, for instance, their products (e.g., key information sheets), potential conflicts of interest and inducements, and that they obtain certain information from their clients. Further, investment service providers must comply with detailed requirements set out in the Minimum Requirements for the Compliance Function and Additional Requirements governing Rules of Conduct, Organisation and Transparency (MaComp), which have been promulgated by BaFin.

Similar rules as for investment services apply to the marketing of funds under Section 298 et seq. of the KAGB. The information obligations for professional or semi-professional clients are less comprehensive than those for retail clients.

Regarding marketing for payment services, a comprehensive set of pre-contractual information obligations is provided for in the German Civil Code (BGB) in conjunction with Article 248 of the Introductory Act to the BGB (EGBGB).

Further, marketing for certain fintech-related services might entail the obligation to publish a prospectus. This obligation may be triggered once a public offer for securities or financial assets has been made in accordance with the Prospectus Act (WpPG) or the Asset Investment Act (VermAnlG), unless an exemption under the ECSPR applies.

Fintech companies in Germany should therefore check whether marketing for their business might be captured by one of the comprehensive legal regimes for marketing.

ii Cross-border issues

As a general rule, the German regulations apply to each service provider conducting its business in Germany. This means that the rules – particularly the licensing requirement – not only apply if the service provider has its registered office in Germany, but also if it actively targets the German market cross-border.30

Pure accessibility of the relevant services via the internet in Germany may be considered sufficient to assume that a service provider is actively targeting the German market. The regulations apply if the offeror of the relevant services intends the service to be used by German customers among users of different nationalities.31 If a service provider maintains its website in German, this is considered to be a strong indication of actively targeting the German market.

If, however, the provision of regulated services cross-border is concerned, the privilege to notify German regulators of existing licences from a home Member State within the EEA might offer an exception from this general rule, which may appear very strict at the first glance. The European 'passport' has been introduced for many regulated services, such as certain types of banking business, investment services as set out in Annex 1 of MiFID II, payment services and, recently, by way of the ECSPR, crowdfunding services. If a service provider has been licensed in its EEA-home Member State, it may notify its competent supervisory authority of its intent to also offer the regulated services in Germany.32 Generally speaking, the service provider may commence the regulated business without a separate licence in Germany either on a cross-border basis or through a branch once the competent supervisory authority in the home Member State has informed BaFin, which subsequently has confirmed that the service provider may commence its business in Germany. In this scenario, the supervisory authority in the home Member State is generally responsible for the supervision of the service provider's activities in Germany, subject to certain residual competences of BaFin and the German Federal Bank. Following the withdrawal of the United Kingdom from the EU (and the lapse of the transition period on 31 December 2020) licensed UK companies active in the fintech business may no longer use the EU passport to offer their services in other Member States (and vice versa) and generally need to establish a subsidiary in Germany or another EU Member State to obtain a licence and comply with EU regulatory requirements, basically as any third-country licensed institution.

Another possibility for fintech companies to access the German market without being subject to a licence requirement is to cooperate with a licensed service provider, typically a bank. These ventures are 'white label structures' where a regulated entity (fronting bank) effectively makes available its licence for the business activities of a third party. For this purpose, the third party must subordinate its business to the bank's management by granting instruction and control rights to the bank, which for regulatory purposes is responsible for the regulated services.

Digital identity and onboarding

To date, there is no generally recognised digital identity available in Germany. However, it is possible to identify oneself electronically via the internet if the requirements of the eIDAS Regulation33 are met. Details relating to this have been provided for in the Act on Trust Services.

Regarding the onboarding process as required under the statutory AML and counterterrorism rules, the Anti-Money Laundering Code (GwG), which was revised as part of the implementation of the Fifth EU AML Directive, includes various possibilities for remote identification. However, non-face-to-face business relationships or transactions may indicate higher AML risks34 and thus may trigger enhanced customer due diligence requirements. BaFin has published the standards for video identification35 as well as its guidance on the interpretation of the GwG,36 which are generally rather strict.

Possibly, solutions enabling the creation and management of a digital identity will be available in the EU and therefore also in Germany in the future. At the EU level, efforts can be observed within the European Self-Sovereign Identity Framework to develop solutions that could allow EU citizens to create and use their digital identity and that would be compatible with the eIDAS electronic identification framework. A corresponding initiative is also pursued in Germany within the project IDunion.37

Digital markets, payment services and funding

Innovative funding solutions and business models related to payment services are typical areas in which fintech companies conduct business in Germany. Regulators have been struggling for some years to find a position on collective investment schemes balancing regulation to protect investors, in particular retail investors, and to allow innovative solutions that may also serve retail investors' interests. Eventually, both EU and German legislators concluded that the regulatory requirements applicable to investment business models shall generally (subject to limited privileges) also apply to collective investment schemes. Similarly, with regard to digital markets in general, the German legislator and BaFin apply the technology-neutral principle of 'same business, same risk, same regulation'. Therefore, the exact scope of the applicable requirements, in particular the assessment of whether a licence requirement under the KWG or the WpIG may be triggered, generally requires an in-depth analysis on the specific business model and should be reviewed on a case-by-case basis.

At the same time, in light of this common 'same business, same risk, same regulation' approach, certain significant legislative developments have recently taken place. The implementation of the Fifth EU AML Directive into German law at the beginning of 2020 provided a certain level of clarity on the regulatory qualification of activities in the cryptocurrency or cryptoassets business. As part of the implementation package, the German federal legislator introduced a legal definition of 'crypto values' and explicitly included these in the catalogue of financial instruments under the KWG.38 In line with the Fifth EU AML Directive, the statutory definition of crypto values is broad in scope so that all potential uses of virtual currencies, including as a means of investment, are covered. On the international level, these various types of virtual units of value, also described as coins or tokens, are often referred to collectively as 'cryptoassets'.39

In September 2020, the European Commission published the EU Digital Finance Package40 aiming to develop the digital single market, promote innovation and growth of fintech start-ups and adjust the existing regulatory regime to new technologies such as AI and blockchain. In essence, the EU Digital Finance Package consists of:

  1. a retail payments strategy to facilitate payments in shops and e-commerce;
  2. the proposal for an EU-wide directly applicable regulation on digital resilience for the financial sector addressing cybersecurity and ICT-related risks;
  3. legislative proposals for an EU markets in cryptoassets regulation (MiCA); and
  4. an EU-level pilot regime for market infrastructures based on distributed ledger technology.

In the field of crowdfunding, in October 2020 the EU legislator adopted an EU-wide regulation setting out a comprehensive regulatory regime for EU crowdfunding service providers for business, the ECSPR, which has become directly applicable in all EU Member States as a unified EU standard for lending-based and equity-based crowdfunding since November 2021.

In Germany, recent key developments relevant for digital markets include recent legislation providing for the optional partial dematerialisation of securities. For more details concerning the new rules and proposals referred to above, see Section V.

i Peer-to-peer-lending

Whether and which regulatory rules apply for peer-to-peer-lending depends on the specific business model. Crowdfunding based on donations the investors make to support a special project (crowd-sponsoring) is generally not subject to financial regulation. If, however, the investor benefits financially from his or her investment; for example, by participating in future profits of the project (crowd investing) or by being reimbursed with or without interest (crowd-lending), special regulations apply.41 These regulations may be distinguished as falling under supervisory law, consumer law and capital market law. Since 10 November 2021, the special regime for crowdfunding service providers under the ECSPR and the corresponding provisions of the German law have applied.

Supervisory law

Peer-to-peer lending in the form of crowd investing or crowd-lending may entail consequences under financial supervisory law for the lender, the borrower and the platform.42 The key concern relates to possible licensing requirements. In particular, the licensing requirement for lending business must be considered.43 A licence requirement is triggered if the lender acts commercially or in a manner that requires a commercially established business operation. It is sufficient if the lender intends to repeatedly engage in the lending business to make profits.

The taking of deposits commercially or on a scale that requires a commercially established business operation is also subject to a licensing requirement.44 These requirements may become relevant for all involved parties; for example, the platform if it keeps the funds extended by the lenders until the funds are transferred to a single or several borrowers. If the platform performs this function and transfers funds from the investors to the borrowers, the platform may also be subject to a licensing requirement under the ZAG for providing payment services. The licensing requirement under the KWG may become relevant for the investors who provide the funds extended to a single or various borrowers too. Even the borrowers may be subject to a licensing requirement for conducting the deposit-taking business when they receive the funds from the platform or the investors.

Given these regulatory restrictions, peer-to-peer-lending business models in Germany typically include a fronting bank that holds a licence for the lending and deposit-taking business. In these models, the fronting bank extends the loans to the borrowers, and the bank refinances the loans by selling the repayment claims arising under them to the platform for on-selling to investors or directly to investors who ultimately receive the repayment claim against the borrower. The various business transactions between the involved parties relating to the extension of a loan are interdependent by way of conditions precedent. Therefore, the bank is only obliged to extend the loan if investors have committed to provide sufficient funds for the purchase of the repayment claims arising under the loan. The platform, which is typically a fintech company, is acting in this model as a broker that brings together investors and borrowers.

This structure is usually not critical for the investors as they only acquire a repayment claim, which is not subject to a licensing requirement, provided that the acquisitions do not occur under a framework agreement. In the latter case, a licensing requirement for providing factoring business could be triggered.45 For the borrowers, this model is not problematic either. One might consider whether they engage in deposit-taking business. However, it is generally recognised under German law that borrowing funds from a licensed bank does not constitute deposit-taking. The fronting bank has in this model the necessary licences so the remaining question is whether the platform performs business activities subject to a licence requirement. The platform might conduct the factoring business if it acquires the repayment claims from the bank prior to selling them on to investors. Usually, however, the factoring business can be avoided by certain structural arrangements. In this case, the regulated activities of the platform consist of brokering loans (between the bank and the borrowers) and investments (between the platform or the bank and investors as purchasers of the repayment claims). These are activities that can be structured to avoid regulation under the KWG and the WpIG and to ensure that 'only' the licence requirements under Sections 34c and 34f of the GewO need to be met. BaFin considers the repayment claims brokered by the platform to be financial assets within the meaning of the VermAnlG and, therefore, financial instruments within the meaning of the WpIG, so that, in principle, the brokering activity could also be subject to a licensing requirement pursuant to Section 15(1) of the WpIG, which is, however, typically avoided by taking advantage of an exception.

New crowdfunding regulatory regime

Since November 2021, crowdfunding service providers in the EU have been subject to a single regulatory regime set out in the ECSPR. The key notion of the ECSPR is the 'crowdfunding service' defined as the matching of business funding interests of investors and project owners through the use of a crowdfunding platform and which consists of the facilitation of granting loans or placing without a firm commitment basis, as referred to in MiFID II, of transferable securities and admitted instruments for crowdfunding purposes issued by project owners or a special purpose vehicle, and the reception and transmission of client orders in relation to those transferable securities and admitted instruments for crowdfunding purposes.

The following are outside the scope of the ECSPR:

  1. crowdfunding services provided to project owners that are consumers (consumer loans are already subject to a separate regulatory regime provided for in the Consumer Credit Directive);46
  2. services related to crowdfunding services provided in accordance with national laws; and
  3. crowdfunding offers with consideration thresholds exceeding €5 million calculated over 12 months.

In this regard, the EU Prospectus Regulation47 has been amended accordingly so that the obligation to publish a prospectus does not apply to an offer of securities to the public from a crowdfunding service provider authorised under the ECSPR provided that it does not exceed the above threshold. A respective clarifying provision referencing the exemption under the EU Prospectus Regulation has been included in the German WpPG.

Pursuant to the ECSPR, crowdfunding services providers need to apply for authorisation from the national supervisory authority in their EU Member State and shall be registered in a European Securities and Markets Authority (ESMA) register comprising all operating crowdfunding platforms. The ECSPR sets out unified requirements on the provision of crowdfunding services, including prudential requirements (safeguards of generally no less than €25,000), effective and prudent management, minimum due diligence requirements in respect of project owners to be offered on the crowdfunding platform and requirements on complaints handling and conflicts of interest. ESMA has published 12 draft regulatory technical standards under the ECSPR on matters such as complaints handling, conflicts of interest, application for authorisation, key investment information and information and reporting obligations, which are currently in the consultation stage.

It is expected that the ECSPR will facilitate the development of crowdfunding platforms and the provision of cross-border crowdfunding services. It remains to be seen how the ECSPR will impact crowdfunding business in the future.

Consumer law

In Germany, as in the European Union generally, relatively strict consumer protection rules apply. This is also the case for consumer loans. Consequently, a direct contract between the lender and the borrower brokered by a peer-to-peer lending platform triggers far-reaching information obligations for the lender under Section 491 et seq. of the BGB, provided that the lender acts commercially and the borrower is a consumer. Given the typical structure for peer-to-peer lending platforms in Germany, the fronting bank implemented in the structure must typically comply with these obligations.

Further, given that peer-to-peer lending platforms typically offer their services online, the consumer protection rules on distance selling must be considered (Section 312a et seq. of the BGB). These rules are based on EU law and should in general not differ between EU Member States.

Additional statutory provisions aimed to protect consumer interests were recently promulgated and have already become applicable or will become effective shortly. These provisions include, in particular, specific rules for the sale of digital products and increased information obligations for online marketplaces.

Capital market law

Generally speaking, from the German capital market point of view, the WpPG and the VermAnlG have to be considered.

The VermAnlG generally applies to profit participating loans and subordinated loans and all other investments that grant a claim to interest and repayment. If these investments are publicly offered, a prospectus or at least an information sheet concerning the investment must be published, unless certain exceptions apply. The VermAnlG does not apply to a public offer by a crowdfunding service provider authorised under the ECSPR provided that it does not exceed the above-mentioned €5 million threshold. Further, under Section 2a of the VermAnlG, the obligation to publish a prospectus does not apply to investments that are only brokered via the internet and do not exceed low thresholds ranging from €1,000 to €10,000 per investment (however, even if this exception applies, an information sheet must be published).

In the case of public offer of securities within the meaning of the WpPG, a prospectus must, subject to certain limited exceptions, also be published. However, as mentioned above, the obligation to publish a prospectus does not apply to an offer of securities to the public from a crowdfunding service provider authorised under the ECSPR, provided that it does not exceed the €5 million threshold.

The WpPG obligations have not yet gained material significance in the German fintech market, except for the very few fintech companies that have used securitisation to refinance. This might change in the future owing to the rise of initial coin offerings (ICOs).48

ii Payment services

The payment services sector was one of the first in the German financial industry in which fintech companies became active and visible. This is one of the reasons for fragmentation of the payment services market, which has recently begun to consolidate. Significant changes from the fintech perspective came with the second Payment Services Directive (PSD II),49 implemented into German law at the beginning of 2018. The revised payment services regime has offered new business opportunities, especially for nimble fintech companies. The reason behind this was that account information services and payment initiation services as new payment services were introduced under the revised ZAG. The providers of these services have been granted a legal claim for access to payment accounts against the banks that maintain these payment accounts for their customers. This has been perceived as a game changer insofar as traditional banks can no longer prevent their competitors from accessing the accounts of customers who consent to this access (open banking). However, experiences so far suggest that providing the required application programming interfaces is a time-consuming process. In addition, some market observers have criticised credit institutions for using the PSD II rules as an instrument to prevent competition by fintechs (e.g., by no longer offering the previously established connections via the German independent online banking protocol (FinTS)).

Further business opportunities have come with additional regulatory burdens. Providing payment services is generally subject to a licence requirement, unless certain exceptions apply. The scope of this licence requirement extends to providers of account information and payment initiation services even though these service providers do not acquire possession of their customers' funds at any time. On account of this consideration, the regulatory requirements for a licence to provide payment initiation or account information services are less strict than for a licence to provide traditional payment services.

The revised ZAG aims to foster technological innovation and competition on the payment market.50 Under the relevant provisions (Section 58a of the ZAG) – which have been labelled by some market observers as 'Lex Apple Pay' – payment services providers and e-money issuers have been granted the right to obtain access to certain key technical infrastructure. 'System companies' contributing through technical infrastructure services to the provision of payment services or the conduct of e-money business in Germany are obliged, upon request of a payment services provider or e-money issuer, to make these technical infrastructure services available and provide necessary access against consideration and without undue delay. The obligation does not apply if the relevant technical infrastructure is used by no more than 10 payment services providers or e-money issuers or if the company has no more than 2 million registered users. The company may also deny access for objective reasons; for example, if the security and integrity of the technical infrastructure services would be jeopardised. The recent statutory rules are not based on EU law and are considered to be a reaction to some system providers refusing to open their systems to facilitate more competition in the area of mobile payments.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

i Cryptocurrencies

Cryptocurrencies such as Bitcoin have undoubtedly created a challenge for the German law from regulatory, civil law and tax perspectives. Certain clarity has been achieved by the legal definition of crypto values (such as Bitcoin) in connection with the implementation of the Fifth EU AML Directive into German law in 2020. Crypto values are now included in the catalogue of financial instruments under the KWG and the WpIG so that various activities relating to crypto values are clearly within the scope of certain licence requirements. Further, the crypto custody business has been introduced as a new type of financial service, which is subject to a licence requirement under the KWG.

Crypto values are defined as digital representations of a value that is not issued or guaranteed by a central bank or public authority and does not possess a statutory status of currency or money, but that is accepted by natural or legal persons as a means of exchange or payment, or that serves investment purposes and that can be transferred, stored and traded electronically. This broad definition is aimed at comprising all uses of virtual currencies, including as a means of investment. So far, the definition of crypto values includes not only tokens with exchange and payment functions (including cryptocurrencies), which may fall under the scope of financial instruments as the 'units of account' within the meaning of Section 1(11), sentence 1, No. 7 of the KWG and Section 2(5), No. 7 of the WpIG, but also tokens used for investment. These security or investment tokens may also qualify as investment products, debt instruments or units in collective investment schemes under Section 1(11), sentence 1, Nos. 2, 3 or 5 of the KWG and Section 2(5), Nos. 2, 3 or 5 of the WpIG.51

Not covered by the definition of crypto values are domestic and foreign legal tender, electronic money, monetary value stored on payment instruments falling under the limited network exemption within the meaning of PSD II and payment transactions of providers of electronic communications networks or services.52 Also not covered are electronic vouchers for the purchase of goods or services from the issuer or a third party that are intended to have an economic function in relation to the issuer only through redemption and that are therefore not tradable and, as a result of their design, do not reflect investor-like expectations regarding the performance of the voucher or the general business performance of the issuer or a third party in terms of value or accounting.53

The amendments with respect to crypto values reflect, to a certain extent, the previous administrative practice of BaFin that took the first steps towards the regulation of cryptocurrencies in Germany by adopting a broad interpretation of the term 'financial instrument' within the meaning of the KWG. This approach was partially criticised and not shared in a ruling of a higher regional court in criminal proceedings.54

The recent changes of the KWG, which subsequently have been reflected in the WpIG, have resolved the controversy on the qualification of cryptocurrencies as financial instruments and have, in doing so, contributed to more legal clarity. However, the German legislator only changed the definition of 'financial instrument' for the purpose of the licensing requirement but not with regard to the conduct rules set out in the WpHG, which effectively reflect the MiFID II provisions. Therefore, a service provider operating a marketplace for cryptocurrencies may fall within the licence requirement for an operator of multilateral trading facilities within the meaning of the KWG and WpIG but may not be obliged to adhere to the rules of conduct set out for these operators in the WpHG.

Against this background, one should thoroughly analyse the legal risks related to relevant business models and assess whether and which licence requirements and conduct rules may apply. In particular, buying and purchasing cryptocurrencies in the service provider's own name for the account of others may constitute banking business in the form of principal brokering business.55 Further, brokering cryptocurrencies may constitute for licensing purposes investment brokerage,56 whereas advising on the purchase or sale of cryptocurrencies may be considered investment advice.57 Also, the operation of a platform on which cryptocurrencies can be traded may qualify as a multilateral trading platform within the meaning of Section 2(2), No. 6 of the WpIG and may, therefore, be subject to a licence requirement.58 The activity involving custody, management and safeguarding of crypto values or private cryptographic keys may also fall within the scope of the recently regulated crypto custody business. This new type of financial service and the related licence requirement may be relevant for domestic companies as well as cross-border service providers and their agents that intend to offer, or have already been offering, these services.59

However, neither the mining nor the purchase or sale of cryptocurrencies in one's own name and for one's own account is subject to a licence requirement. Therefore, cryptocurrencies may generally be used as means of payment and generated by mining without any special permission.

From a civil law perspective, many questions have not yet definitively been answered. The uncertainty starts with the applicable jurisdiction and laws generally for a cryptocurrency. These questions become relevant if, for instance, cryptocurrency units are transferred or pledged. Further, it is still unclear which disclosure and information obligations apply in cryptocurrency transactions.

Interestingly, the usually complex tax analysis has at least partly been clarified for cryptocurrencies through a decision by the European Court of Justice.60

According to the principles of this decision that were incorporated into German tax law,61 exchanging regular currencies into Bitcoin (or comparable cryptocurrencies) and vice versa shall be tax-free with respect to value added tax according to Section 4, No. 8b of the Turnover Tax Code. In addition, using Bitcoin or comparable cryptocurrencies as payment and the process of mining are tax-free.

Other transactions concerning cryptocurrencies may, however, be affected by tax law.

From an accounting perspective, cryptocurrency units such as Bitcoin are transferable so that it appears necessary to account for them as assets on the balance sheet.

If they qualify as assets that support the business for only a short period (current assets), they may have to be recorded as 'other assets' according to Section 266(2), B II, No. 4 of the Commercial Code (HGB).62 If the cryptocurrency units qualify as assets that support the business for a long period (fixed assets) they should be accounted for as acquired immaterial assets according to Section 266(2), A I, No. 2 of the HGB.63

ii Initial coin offerings

ICOs are sales of virtual tokens to raise funds for general corporate purposes or a specific project typically described in more detail in a white paper. Depending on the structure of the ICO, tokens may be bought with regular or virtual currencies and may grant specific rights, such as participation rights and profit shares, or no right at all. While the discussions and structures of ICOs and tokens are still in flux, tokens that can be offered in an ICO may be categorised as follows:

  1. cryptocurrency tokens are meant to pay for goods or services external to the platform or not only exclusively between the platform and its users but also between users;
  2. utility tokens are supposed to convey some functional utility to token holders other than or in addition to payment for goods or services, in the form of access to a product or service. These tokens come with particular rights, such as a right of access to a future service, a right to redeem the token for another token or service or voting rights, which are often designed to shape the functionality of the product; and
  3. security tokens are comparable to traditional securities set out in Article 4(1)(44) of MiFID II, such as conventional debt or equity instruments.64

This rough categorisation – which corresponds to the general approach pursued by BaFin – illustrates that tokens may differ significantly. Following the amendments to the KWG, as from 1 January 2020, tokens with exchange and payment functions and tokens used for investment (for example, security tokens and investment tokens) are likely to fall within the broad definition of cryptographic values and thus constitute financial instruments under the KWG (aside from possible classification of these tokens as other types of financial instruments, which is to be assessed on a case-by-case basis) and the WpIG.65

Consequently, each ICO must be thoroughly analysed with respect to its regulatory and capital market requirements. BaFin determines the applicability of the relevant legislation, including the KWG, the WpIG, the ZAG, the WpPG, the KAGB and the VermAnlG, case by case, depending on the specific contractual arrangements. Where tokens resemble participation rights that might be classified as securities under the WpPG or capital investments under the VermAnlG, a prospectus for the marketing of the tokens may be required unless an exemption, especially for crowdfunding services under the ECSPR, applies.

The issue of fully digitalised offerings of securities has been the subject matter of extensive discussions in recent years and was supported through a joint paper published by the German Federal Ministry of Finance and the German Federal Ministry of Justice concerning the future regulatory framework for blockchain-based securities and crypto-tokens.66 In light of the objectives pursued by this paper, the German legislator adopted a new law (the Act on Electronic Securities (eWpG), in force as from June 2021), which introduced optional and partial dematerialisation of securities. The eWpG introduces the notion of an 'electronic security' defined as a property object that is subject of a right in rem. The new law gives the issuers the choice between two types of dematerialised securities. The first type is subject to registration with a central securities depository within the meaning of the Central Securities Depository Regulation67 (Clearstream Banking AG in Germany) or with a licensed custodian. The second type are crypto securities, registered in a crypto securities registry, typically based on DLT, kept by the issuers themselves or by other entities. In this regard, keeping crypto securities registries requires a licence from BaFin and is subject to the regulatory supervision. With this step, the German legislator is following the path of other European countries towards securities dematerialisation.68

In addition to a prospectus requirement, any professional service provided in connection with the trading of tokens – including an agreement to acquire, or the sale or purchase of tokens, when qualified as units of account or crypto values – would, as a general rule, require a licence from BaFin.69 Further, issuers of tokens should be aware that consumer protection laws might apply to the sale of tokens via the internet. So, the underlying contract may qualify as a distance contract resulting in information obligations according to Section 312(i) of the BGB. Provided that the contract is considered as a financial service, further information must be provided according to Section 312(d) of the BGB.70

At the EU level, the issue of cryptoassets and, thus, also ICOs, has been recently addressed by the European Commission as part of the EU Digital Finance Package published in September 2020.71 The Commission submitted a proposal for an EU-wide directly applicable regulation on markets in cryptoassets (MiCA). The proposal generally applies a comprehensive full harmonisation approach, including a unified regime on: transparency and disclosure requirements for the issuance and admission to trading, operation, organisation and governance of issuers and in-scope service providers; consumer protection rules; preventing market abuse and ensuring integrity of cryptoassets markets. The proposal differentiates between the categories of cryptoassets, including cryptoassets (as such), asset-referenced tokens (often referred to as 'stablecoins'), electronic money tokens and utility tokens. Generally, all cryptoassets (defined as digital representation of value or rights that may be transferred and stored electronically, using DLT or similar technology) shall be in the scope of MiCA if not already covered by the existing EU financial services regime (e.g., as financial instruments under MiFID II). Regulated cryptoasset services shall include custody and administration on behalf of third parties, operation of a trading platform, exchange of cryptoassets for fiat currency that is legal tender and for other cryptoassets, execution of orders on behalf of third parties, placing, reception and transmission of orders on behalf of third parties and providing advice. Certain relief, including exemption from the rather detailed white paper requirement, shall apply to small and medium issuers where the total consideration of an offer to the public does not exceed €1 million over 12 months. Stringent requirements shall generally apply to stablecoins.

MiCA is expected to provide legal clarity and certainty, promote safe development of cryptoassets and the use of DLT in financial services, support competition and innovation while protecting consumers and investors and address potential financial stability and monetary risks. In addition, the proposal is expected to increase the funding of companies through ICOs and securities token offerings.

EU-wide regulation of cryptoassets, which are the major application of DLT and blockchain technology in finance, goes hand in hand with the proposed EU-level pilot blockchain sandbox regime. As part of the EU Digital Finance Package, the European Commission proposed EU regulation for market infrastructures based on DLT. The proposed regulation, if adopted, will provide rules for a pan-European blockchain regulatory sandbox aimed at allowing fintech companies active in the field of DLT and blockchain technology to benefit from temporary derogation of regulatory requirements under regulatory supervision ensuring the keeping of appropriate safeguards and it will enable the regulators to deepen their understanding of the innovative fintech models and emerging technologies.

iii Money laundering rules

Tokens and cryptocurrencies in general are perceived as highly susceptible to money laundering and terrorism financing. In this respect, a certain clarity with regard to the applicability of the AML regime has been provided by the law implementing the Fifth EU AML Directive in Germany, in force since 1 January 2020. As outlined above, the law introduced a broad definition of crypto values and classified them as financial instruments under the KWG and the WpIG. In principle, the scope of the definition generally includes tokens with exchange and payment functions (e.g., cryptocurrencies) and tokens used for investment (e.g., security tokens and investment tokens).72 This generally means that services concerning cryptocurrencies and tokens – for instance, buying and purchasing cryptocurrencies in the service provider's own name for the account of others, advising on the purchase or sale of cryptocurrencies or operation of a platform on which cryptocurrencies can be traded – may fall under the scope of regulated services and require a KWG licence for, in particular, principal brokering business,73 investment brokerage,74 investment advice75 or operation of a multilateral trading platform.76 In addition, the management and safeguarding of crypto values or private cryptographic keys may require obtaining a KWG licence if other general statutory prerequisites under the KWG (in essence, commercial character or a scale that requires a commercially organised business undertaking) are fulfilled. Services providers whose activities fall within the scope of KWG or WpIG licence requirements are obliged entities within the meaning of the GwG and must, therefore, adhere to the duties set out therein. These include the obligation to conduct adequate customer due diligence, to implement adequate risk management systems aimed at preventing money laundering and terrorism financing and, as appropriate, notifying the Financial Intelligence Unit of any suspect transactions as well as fulfilling respective reporting obligations in relation to the transparency register. Nonetheless, even prior to the implementation of the Fifth EU AML Directive into German law, cryptocurrency and ICO service providers were often required to obtain a KWG licence and, as a result, comply with the German AML requirements. This was owing to the broad interpretation of the term 'financial instrument' within the meaning of the KWG according to BaFin's previous administrative practice.77

Even aside from the significant developments concerning the licensing regime under which certain new entities involved in the fintech business may require a licence from BaFin and, thus, become – as obliged entities – subject to the AML requirements, the AML regime is also constantly evolving. Pursuant to its action plan for a comprehensive EU policy on preventing money laundering and terrorist financing of May 2020,78 in July 2021 the European Commission published an AML/countering the financing of terrorism (CFT) package,79 which includes proposals for three EU-wide regulations and a directive. In addition to establishing an EU AML/CFT authority with direct supervisory powers over some of the riskiest cross-border financial sector obliged entities, the package aims to ensure that various types of cryptoasset and crowdfunding service providers, as well as mortgage credit intermediaries and consumer credit providers, become obliged entities subject to the AML/CFT regime. The package further provides for a recast of Regulation (EU) 2015/847 on information accompanying transfers of funds (i.e., the Wire Transfer Regulation (WTR)), which shall also apply to the transfer of cryptoassets. As far as the latter is concerned, the German Federal Ministry of Finance issued the interim German Crypto Asset Transfer Regulation (CATR) to ensure the traceability of cryptoasset transfers until the WTR revisions come into force. The CATR provides for duties of care applicable to institutions and branches seated in Germany that are engaged in conducting cryptoasset transfers. It entered into force in October 2021 and shall apply until the WTR recast is finalised.

Other new business models

Generally speaking, one can observe various trends in the fintech sector, including accommodating the needs caused by the covid-19 pandemic as well as enhanced efforts to find specific uses for blockchain technology and for AI.

These efforts can be illustrated by the cooperation of Deutsche Bundesbank, Deutsche Börse and Germany's Finance Agency that developed and, in 2021, successfully tested a DLT-based securities settlement in central bank money with the use of a 'trigger' solution and a transaction coordinator in TARGET2, the Eurosystem's large-value payment system.80 Participants in the capital markets in general appear to seek increasingly successful business models exploiting the potential of fintech. The first placings of promissory notes and commercial papers (even though these papers have not been governed by German law) have been made in Germany by taking advantage of the blockchain technology and of highly digitalised platforms. Further developments are to be expected in connection with the recent introduction of securities dematerialisation under the eWpG in 2021.

A relatively new and successful phenomenon on the German fintech market is the development of 'neo-brokerage apps' operating mostly on a commission-free (or almost commission-free) basis. The neo-brokerage firms offer trading in a variety of products, from very selective to a wide range, including stocks, foreign exchange, commodities, exchange traded funds and digital assets. The neo-brokers have recently become very popular because of the nil cost (or very low flat fee) for users and also as a result of the growing interest in investments and capital markets among retail investors trying to find new investment opportunities beyond bank deposits bearing no or even negative interest. Neo-brokers operate either on the basis of their own BaFin licence for the provision of financial services or they use the services of a fronting BaFin-licensed institution that ensures compliance with the regulatory requirements. Whether, however, the business model of neo-brokers will continue to thrive depends to a material extent on future regulation. Certainly, neo-brokers strive for profits. Some neo-brokers derive their income from third parties such as trading venues. The European Commission has clearly expressed its concern that this practice of 'payment for order flow' jeopardises the interests of investors and has tabled a proposal to prohibit this practice. If this proposal were to become applicable law, various neo-brokers would have to adapt their business model.

A current DLT and blockchain-related trend known as DeFi is a recent phenomenon in the fintech business that could potentially become a part of digital disruption. As a digital environment of a wide range of financial applications built on blockchain, including borrowing, lending, exchange and issuance of tokens and asset-backed cryptoassets (stablecoins), DeFi has raised significant interest and a financial boost since mid-2020, including development of software solutions for the tokenisation of securities as well as blockchain custody services.

A sub-trend in the fintech world that has recently started to develop is 'wealthtech', focused on wealth and property management as well as general personal financial management with the use of fintech tools. Further, the fintech risk and compliance segment offers solutions supporting regulatory, AML compliance and the compliance function in general, sometimes also called 'digital compliance'. This is also a segment in which AI is expected to be increasingly deployed. In this regard, however, it still seems too early to discuss fully established business models on the German market. In general, the operation of business models involving the use of AI is subject to the regulatory requirements applicable to business models in line with the technology-neutral approach of 'same business, same risk, same regulation'. This means that for each relevant fintech business model, careful analysis should judge whether it falls within the scope of one or several regulated services and which regulatory requirements apply. In essence, the licensed institutions using programs and algorithms involving AI must ensure that they maintain a proper business organisation,81 in particular, adequate and effective risk management, and that the use of these programs and algorithms is in line with the general regulatory requirements. This includes processes for determining and safeguarding the sustainability of services, internal control procedures and internal control systems, adequate contingency plans, especially for IT systems and complete documentation of business operations permitting seamless monitoring by BaFin as well as compliance with outsourcing requirements. The exact arrangement of the business organisation should be appropriate for the nature, scope, complexity and risk content of the institution's business activities. In this regard, the minimum requirements for risk management in BaFin's Circular No. 09/201782 and with the supervisory requirements for IT in BaFin's Circular No. 10/201783 have to be met. Further developments as regards the AI segment may be expected in connection with the European Commission's proposal for a regulation laying down harmonised rules on AI, published in April 2021.84

With respect to the use of algorithms, BaFin has confirmed its approach in that it does not grant general a priori approvals for the use of algorithms in decision-making processes and that its administrative practice is technology-neutral.85 The legal reasoning behind this approach is generally twofold: the nature of the risk-oriented and ad hoc financial supervision on the one hand and the lack of a statutory basis for general a priori algorithm approvals on the other.86 As to the former, the supervisory requirements do not primarily concern the algorithm itself; instead, the focus of supervision is on the entire decision-making process in which the relevant algorithm is embedded; therefore, compliance with general requirements on proper business organisation and risk management plays a key role.87 With respect to the lack of a statutory legal basis for algorithm approval, two exceptions should be noted in which the regulation of the use of algorithms may be derived from the law itself (e.g., determination of capital and solvency requirements). However, even in these cases, the supervisory authorities will not grant an a priori approval. Instead, they conduct a risk-oriented assessment of the relevant decision-making and other procedures taking into account the available data and its quality.88

The approach of technological neutrality also applies generally to the regulation of KWG and WpIG licence requirements. In this respect, one might consider high-frequency trading (a special form of proprietary trading)89 as an exception. Per definition, high frequency trading includes the use of algorithms for the sale and purchase of financial instruments.90 While German supervisory rules generally do not provide for specific notification obligations in the case of the use of particular software or algorithms, high-frequency trades have to adhere to specific notification requirements.91

Worth mentioning in the context of recent and successful fintech-related business models is the increasing digitalisation in the insurance sector. New service providers have evolved that primarily broker insurance via smartphones quickly and simply. Certainly, these brokers must also comply with the general information duties relating to the brokerage of insurance contracts.

Also successful, but not strictly new, are product comparison websites, which have become very popular with price-conscious consumers. The influence of these offerings on the market is governed by the general competition rules. These include that price comparison tests must be performed in a competent manner, seek to be objectively accurate and be neutral.92 Also, the incorporation of 'fintech banks' is noteworthy in connection with new business models. These fintech banks hold a comprehensive licence to conduct banking business but still perceive themselves to be fintech companies. Their business model is based on digitalisation, and they partly offer white-label solutions, namely they may seek to cooperate with other fintech companies that need licensed banks for their business model. This illustrates that some fintech banks position themselves as 'platform banks', where cooperation partners may find specific service offerings that they can use to complement their own products or services.

Intellectual property and data protection

i Intellectual property

A business model, as such, cannot be protected by copyright law. Therefore, it is not uncommon for successful fintech business models to be copied and optimised. Computer programs, however, that are characterised by a minimum of individuality and originality are subject to copyright protection according to Section 2 of the Act on Copyright and Neighbouring Rights (UrhG).93

Under German law, copyright can be neither registered nor transferred, as the copyright itself emerges the moment the piece of work, such as the software, is created by its actual originator.94 The capacity of being the originator is strictly connected to a natural person and may therefore not be transferred.95 Obviously, the lack of registration leads to various practical problems that often result in lawsuits. Nonetheless, a licence may be granted enabling the holder to make use of the piece of work in every matter or in particular matters (Section 31 of the UrhG). Employees and their employers implicitly agree on a full licence by drafting the employment contract.96 Therefore, the employer is allowed to make use of the piece of work. Concerning computer programs, another rule applies (Section 69b of the UrhG), which grants the employer even more rights. Unless agreed otherwise, the employee is owed no compensation.97

ii Data protection

Generally speaking, data protection is governed by the General Data Protection Regulation (GDPR), which replaced, to a material extent, the previous version of the Federal Act on Data Protection on 25 May 2018 without, however, changing the fundamental principles of German data protection law. The GDPR intends to prevent the collection and use of data related to individuals unless it is duly necessary to do so (Article 1 of the GDPR). Data are considered to be related to individuals if the responsible body has the legal means that enable it to identify the data subject.98

Collection and processing of data related to individuals is only permitted if it is explicitly allowed by law or if the data subject consents (Article 6(1) of the GDPR). Additionally, the user must be informed about the nature, extent and purpose of data collection.

Digital profiling has to comply with the general principles stated above. The GDPR does not regulate digital profiling, as such, but focuses on some of its typical forms: first, the automated individual decision-making, including profiling, must comply with Article 22 of the GDPR; and second, a decision that produces legal effects on the data subject or has a similarly significant influence on the data subject must not be based solely on automated processing (Article 22(1) of the GDPR). However, Article 22(1) of the GDPR shall not apply if the decision: (1) is necessary for entering into, or the performance of, a contract between the data subject and the data controller; (2) is authorised by law to which the controller is subject and that also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is based on the data subject's explicit consent (Article 22(2) of the GDPR).

Year in review

Considering the developments in the fintech sector over recent months and years, the following trends appear worth emphasising.

Overall, it seems that the fintech market in Germany has continued to demonstrate growing maturity and has reached a consolidation phase. This, and the fact that fintech companies in Germany have been able to implement commercially viable business models, is illustrated by recent financings, which resulted in market evaluations of some German fintech companies exceeding €1 billion. However, scaling their operations is still difficult for many local fintechs, which may also be a result of the increasing efforts of incumbent institutions to take advantage of the lessons learned from fintechs in terms of innovation and customer experience. Traditional players in the financial sector use these insights not only by establishing cooperation and partnerships with fintech companies and including fintechs in their value chains, but also by developing their own digital offerings.

Certain challenges for the regulatory sector in Germany have been identified in the aftermath of the Wirecard insolvency considered to be the result of an extensive fraud. In consequence, the German legislator adopted the Act on Strengthening the Financial Market Integrity, some of which came into effect in July 2021 and some in January 2022, which provides for a significant increase on the liability caps of auditors, mandatory rotation rules and auditors' rights and regulators' supervisory powers with regard to outsourcing service providers. Also, BaFin has been allowed to apply 'mystery shopping' in relation to licensed entities by engaging trained fieldwork customers to support the identification of infringements. This legislative activity and the recent administrative practice suggest that BaFin will adhere to its principle 'same business, same risk, same regulation' approach and pursue it even more diligently.

The importance of digital technologies for financial markets and the need for legal clarity has been visibly recognised by the legislators and supervisors. At the EU level, this is particularly reflected by several proposals of legislative packages on matters such as cryptoassets, cryptocurrencies, stablecoins and ICOs, providing for a unified regulatory and licensing regime in the EU. Also, the European Commission has proposed to introduce an EU-level sandbox model to facilitate the development of DLT and blockchain-based technologies and increasing the regulators' understanding of these technologies.

In Germany, the recent implementation of the Fifth EU AML Directive providing for a broad legal definition of crypto values not only resulted in enhanced AML obligations for service providers engaging in the cryptocurrency business, but also introduced a licence requirement for the crypto custody business. Also, the recently introduced eWpG outlined the legal framework for partial dematerialisation of securities with the use of DLT and blockchain technologies in Germany.

Outlook and conclusions

Given the numerous initiatives at an international, EU and national level dealing with the regulatory challenges of fintech, both those recently adopted and those still in the legislative procedure, it seems that the legal framework for the operation of fintech business models is becoming significantly more harmonised and expressly regulated. This, however, does not necessarily need to be detrimental to fintechs and their offerings. The new regulatory and licensing regime is likely to bring more clarity for the market participants as well as further increase the transparency for, and protection of, customers.

A clear and harmonised licensing regime in all EU Member States, addressing certain fintech-related services such as in the field of the cryptoasset market, once adopted, would facilitate the use of the EU passport. Fintech and DLT and blockchain technology will most likely benefit from the adoption of the proposed EU sandbox model. However, because various key legislative proposals have been adopted, but are not yet applicable, and because some of these are still undergoing the legislative procedure, it remains to be seen how the harmonised regime will influence the fintech market in practice and how the regulators will deal with the application of an increasingly detailed regulatory framework to the constantly evolving fintech environment. It is not yet certain whether fintechs will continue with their ability to find innovative solutions or whether the regulatory restrictions will turn out to be an inhibiting factor for their future success.

Aside from further DLT and blockchain development and the possible related challenges (including compliance with GDPR requirements and the 'right to be forgotten' fenced with a harsh sanctions regime), new developments can be expected in the areas of big data and AI.

Finally, it remains to be seen whether, and how permanently, the current pandemic will impact the fintech market.