Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
The government has specific policies aimed at promoting fintech business and investments and for supporting Copenhagen as an international fintech hub. Recently, this has resulted in increased funding for the Financial Supervisory Authority enabling it to dedicate resources to a specialised fintech office as well as creating a regulatory sandbox.
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
Which government authorities regulate the provision of fintech products and services?
The main financial regulator is the Financial Supervisory Authority which also oversees compliance with anti-money laundering regulation.
Compliance with certain business conduct rules and other consumer and competition-oriented rules is overseen by the Competition and Consumer Authority.
The Data Protection Agency oversees compliance with data protection rules.
Finally, the Central Bank has limited oversight over systemically important payment and securities clearing and settlement infrastructures and similar systems.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
Depending on the nature of the activity, fintech businesses may be subject to one or more of the following, each of which include associated delegated regulations:
- the Financial Business Act – implementing the EU Capital Requirements Directive IV (2013/37/EU), the EU Solvency II Directive (2009/138/EU) and the EU Markets in Financial Instruments II Directive (2014/65/EU), if the activity involves deposit-taking, investment services or insurance activities;
- the Payments Act – implementing the EU Payment Services Directive 2 (2015/2366), if the activity involves the offering of payment services or the issuing of e-money;
- the Capital Markets Act – implementing a number of EU financial directives, including parts of the EU Markets in Financial Instruments II Directive, the EU Prospectus Directive (2003/71/EU), the EU Transparency Directive (2004/109/EU) and the EU Financial Collateral Directive (2002/47/EU), if the activity involves the offering of investment services;
- the Act on Financial Advisers, Investment Advisers and Residential Credit Intermediaries – implementing the EU Directive on Credit Agreements for Consumers Relating to Residential Immovable Property (2014/17/EU) and certain parts of the EU Markets in Financial Instruments II Directive, if the activity involves certain forms of advice or intermediation;
- the Investment Association Act – implementing the EU Undertakings for Collective Investment in Transferable Securities Directive (2009/65/EU), if the activity involves the establishment or management of undertakings for collective investment in transferable securities;
- the Act on Alternative Investment Fund Managers – implementing the EU Alternative Investment Fund Managers Directive (2011/61/EU), if the activity involves the establishment or management of an alternative investment fund;
- the Credit Contracts Act – implementing parts of the EU Consumer Credit Directive (2008/48/EU), if the activity involves lending or other forms of credit primarily to consumers;
- (from 1 July 2019 assuming that the current proposal is passed into law) - the Act on Consumer Loan Undertakings, if the activity involves extending certain forms of loans/credit to consumers and the provider is not a bank or other type of (licensed) financial business;
- the Act on Measures to Prevent Money Laundering and Financing of Terrorism – implementing the Fourth EU Anti-money Laundering Directive (2015/849/EU) (and, from 10 January 2020 assuming that the current proposal is passed into law) the Fifth EU Anti-Money Laundering Directive (2018/843/EU); and
- the Insurance Mediation Act - –– implementing the EU Insurance Distribution Directive (2016/97/EU), if the activity involves insurance distribution.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
Banking Deposit-taking activities generally require a banking licence under the Financial Business Act to legally operate in Denmark. There are no de minimis or similar exemptions available.
It should be noted that lending in itself is not an activity requiring a licence in Denmark –although a registration under the Act on Measures to Prevent Money Laundering and Financing of Terrorism may be required (as described below) – except that under the Financial Supervisory Authority's current guidance, EU banking institutions may be required to passport their licence into Denmark if they wish to perform lending activities in Denmark.
In February 2019, a new Act on Consumer Loan Undertakings was put before Parliament which, if passed, will create an exception to the absence of a requirement for a license to lend in Denmark. The new Act will apply to most types of consumer loans/credit agreements unless (1) they are provided by an already licensed bank or other financial business, (2) the agreement is for a zero interest and fee loan, or (3) the agreement is a leasing agreement without any obligation to purchase. Under the new Act, providers of consumer loans/credits in scope will be required to obtain a license from the Financial Supervisory Authority (as part thereof, management of a consumer loan undertaking is subject to customary fit and proper requirements) and will be subject to ongoing conduct of business rules. If passed by Parliament in its present form, the new Act is scheduled to enter into force on 1 July 2019.
Payment services or e-money issuance Performing payment services – as defined in the Annex to the Payments Act implementing Annex I to the EU Payment Services Directive 2 (2015/2366/EU) or issuing e-money requires a licence under the Payments Act.
The Payments Act generally reflects the catalogue of exemptions to the licence requirement in Article 3 of the EU Payment Services Directive 2 and Article 1 of the Second EU Electronic Money Directive (2009/110/EU), except that technical services covered by the exemption in Article 3(j) of the EU Payment Services Directive 2 are subject to certain fee regulations in the Payments Act.
Specifically regarding the limited network exemption (Article 3(k) of the EU Payment Services Directive 2 and Article 1(4) of the Second EU Electronic Money Directive), it is important to note that although limited network products are exempted from the licence requirement, they are still required to comply with the disclosure, business conduct and fee rules of the Payments Act, as well as the regulation on issuance and redemption of e-money (corresponding mainly to Titles III and IV of the EU Payment Services Directive 2 and Article 11 of the Second EU Electronic Money Directive). However, the disclosure, business conduct and fee rules do not apply to e-money issued within a limited network if:
- the instrument cannot load a value of more than Dkr3,000;
- the instrument cannot be re-loaded; and
- the issuer's aggregate outstanding e-money liabilities do not exceed an amount equivalent to €5 million, in which case only the rules on redemption of e-money apply.
Denmark has not elected to use the options in Article 32 of the EU Payment Services Directive 2 and Article 9 of the Second EU Electronic Money Directive, to exempt low volume and low value payment services or e-money from the licensing requirement, but the Payments Act does provide for a less burdensome licensing process for such providers and issuers and they are also exempt from the own funds requirements.
Foreign exchange Unless performed by a licensed bank, foreign exchange activities require a licence under the Act on Measures to Prevent Money Laundering and Financing of Terrorism. Exemptions from certain parts of the act are available for entities where the foreign exchange activities are de minimis – including a requirement that the foreign exchange business does not account for more than 5% of the entity's aggregate annual turnover – and purely ancillary to the entity's main business.
In addition to the above, a legislative proposal is expected to be put before Parliament in Q1 2019 which will amend the Act on Measures to Prevent Money Laundering and Financing of Terrorism. Part of the purpose of the amendments is to implement the Fifth EU Anti-Money Laundering Directive (2018/843/EU) in Denmark. If passed into law, the amendment will subject, among others, providers of exchange services between virtual and fiat currencies to regulation under the Act on Measures to Prevent Money Laundering and Financing of Terrorism just as such operators will be required to be registered under the Act. The amendments are proposed to enter into force on 10 January 2020.
Investment activities The provision of investment services – as defined in the EU Markets in Financial Instruments II Directive – as well as custody services triggers a licensing requirement under Danish law.
There are three different sizes of investment firms in terms of own funds requirements:
- Small investment firms are subject to a minimum own funds requirement of €50,000 and a share capital of Dkr500,000 and the Capital Requirements Regulation own funds requirements and are permitted to provide:
o reception and transmission of orders;
o execution of orders;
o discretionary portfolio management; and
o investment advice.
- Medium investment firms permitted to provide the same investment services as small investment firms in addition to safe keeping (which is a core service in Denmark) are subject to a minimum own funds requirement of €125,000 and a share capital of Dkr500,000 and Capital Requirements Regulation own funds requirements.
- Large investment firms permitted to provide all types of investment services are subject to a minimum own funds requirement of €730,000 and a share capital of Dkr500,000 and Capital Requirements Regulation own funds requirements.
The licensing exemptions set out in Article 2 of the EU Markets in Financial Instruments II Directive have generally been implemented without material changes.
Investment advice Undertakings that provide investment advice must be licensed as an investment adviser if the undertaking does not hold another licence that permits it to provide investment advice. Investment advisers may also provide the service of reception and transmission of orders.
Financial advice Undertakings that provide advice on financial products to consumers must be licensed as a financial adviser. For this purpose "financial products" means credit agreements, except for residential credit agreements, deposits, insurances, pension and investment products. Investment products means transferable securities, units or shares in collective investment schemes, deposits in banks where the return depends on the performance of one or more underlying assets, guarantee certificates, cooperative certificates and mortgage deeds.
Residential credit intermediation Undertakings that provide advice on or arrange or facilitate residential credit agreements to consumers must be licensed as a residential credit intermediary. Residential credit agreements essentially cover the granting of loans secured on real estate.
Alternative investment funds Managing alternative investment funds triggers a registration or licensing requirement depending on the size of the assets of the managed investment fund. The threshold for authorisation rather than registration is assets under management by the manager of €100 million (or €500 million if certain conditions are complied with). A manager that is authorised has to comply with all the requirements of the legislation implementing the EU Alternative Investment Fund Managers Directive, whereas a registered manager only has to comply with a few limited requirements.
Alternative investment funds must appoint an alternative investment fund manager or be self-managed. If an alternative investment fund is self-managed it must comply with the requirements as if it were being managed by an alternative investment fund manager. Accordingly, a self-managed alternative investment fund will also need to be either registered or licensed as an alternative investment fund manager depending on the value of the assets in the fund.
The definition of alternative investment funds have been implemented from the EU Alternative Investment Fund Managers Directive without material changes.
Insurances Insurance activities generally trigger a licensing requirement. The Financial Business Act provides certain specific exemptions to the licensing requirement, none of which would be expected to be relevant for fintech businesses.
If the activity does not amount to being an insurance company but does involve insurance distribution, the activity will require a licence if it constitutes insurance or reinsurance mediation.
There are no exemptions to this requirement. On the other hand, intermediaries who only perform "ancillary insurance intermediation" are only required to be registered.
In the Insurance Mediation Act, insurance distribution is defined as in the EU 2016 Insurance Distribution Directive as being the activities of advising on, proposing or carrying out other work introductory to the conclusion of contracts of insurance, but also concluding the contracts or assisting in the administration and performance of such contracts. Also included is the activity of operating a portal through a medium where the customer can compare different insurance products and through which the insurance contract can be concluded (directly or indirectly). Certain insurance distribution activities are explicitly excluded from the scope of the new act, however, none of which would be expected to be relevant for fintech businesses.
An insurance (or reinsurance) intermediary is defined as any natural or legal person who against remuneration takes up or pursues the activity of (re)insurance distribution and who is not a (re)insurance company or employees of a (re)insurance company or an ancillary insurance intermediary.
An ancillary insurance intermediary is defined as any natural or legal person (save for credit institutions and investment companies) that against remuneration takes up or pursues the activity of insurance distribution on an ancillary basis, which means that the distribution must not be their main business. Further, the insurance that the company sells must be supplementary to goods or services provided by the company. Further, it is a condition to fall within the term "ancillary insurance intermediary" (and thereby not subject to licensing requirements, but only registration) that the intermediary does not provide life assurance or liability risks, unless such coverage is supplementary to the goods or services.
Anti-money laundering Fintech businesses that are not otherwise required to have a licence under any of the above regulations must be registered with the Financial Supervisory Authority if they perform any of the activities set out in Annex I to the Act on Measures to Prevent Money Laundering and Financing of Terrorism, including:
- financial leasing;
- assistance in offering securities and services ancillary thereto; and
- storage, administration and management of securities.
In addition to the above, a legislative proposal is expected to be put before Parliament in Q1 2019 which will amend the Act on Measures to Prevent Money Laundering and Financing of Terrorism to implement the Fifth EU Anti-Money Laundering Directive (2018/843/EU) in Denmark. If passed into law, the amendment will subject, among others, custodian wallet providers and providers of exchange services between virtual and fiat currencies to regulation under the Act on Measures to Prevent Money Laundering and Financing of Terrorism just as such operators will be required to be registered under the Act. The amendments are proposed to enter into force on 10 January 2020.
Are any fintech products or services prohibited in your jurisdiction?
No, subject to appropriate licences being obtained. However, it should be noted that use and processing of payment data for value-added and other services is significantly more restricted in Denmark than what follows from the EU Payment Services Directive 2.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
The EU General Data Protection Regulation ("GDPR") and the Danish Data Protection Act ("DDPA"), which both entered into effect on 25 May 2018, both apply to fintech products and services if personal data is processed The regulations apply to all data processing relating to an identified or identifiable natural person (eg, name, account and credit card information, other customer identification data and internet protocol address).
The GDPR has introduced new requirements such as documentation and record keeping of processing activities and allows the Data Protection Agency to impose fines up to 4% of a company's total worldwide annual turnover or €20 million, whichever is higher. The DDPA supplements the GDPR with national Danish rules, including special rules on the processing of national identification numbers ("CPR nr.").
Fintech products and services that involve the processing of personal data on behalf of another company (the customer or data controller) require that a written data processing agreement is entered into. Further, if data is transferred outside the European Union, a legal basis for the transfer must be in place. Such a legal basis may be the EU Commission's "Standard Contractual Clauses" for the transfer of personal data to third countriesor the EU-US Privacy Shield for the transfer of data to the United States.
What cybersecurity regulations or standards apply to fintech businesses?
Financial businesses (eg, banks, investment firms and insurance companies), payment institutions and e-money institutions are generally subject to requirements to have prudent IT and cybersecurity systems, procedures and policies. However, apart from these general regulatory requirements, there are no generally applicable statutory cybersecurity regulations or standards.
In addition, under the auspices of the Central Bank, the Financial Sector Forum for Operational Resilience (FSOR) provides a forum for discussion and coordination of joint measures to ensure financial sector resilience to major operational incidents, including cyberattacks.
Furthermore, particularly within payment services there are a number of important IT and cyber security standards including:
- the European Banking Authority Guidelines on the Security of Internet Payments – these guidelines form part of the Financial Supervisory Authority's supervision and will continue to do so until gradually replaced by the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication and by the Guidelines on the Security Measures for Operational and Security Risks of Payment Services;
- the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication (Commission Delegated Regulation (EU) 2018/389), which will apply from 14 September 2019;
- the Guidelines on the Security Measures for Operational and Security Risks of Payment Services (promulgated under the EU Payment Services Directive 2); and
- the IT industry security standards promulgated by the Payment Card Industry – particularly the Data Security Standard and the Payment Application Data Security Standard. It should be noted that although constituting widely accepted industry standards, the Payment Card Industry standards do not constitute public law regulation and as such are not directly enforced by the Financial Supervisory Authority.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
Fraud and financial crimes in general are regulated by the Criminal Code. The most relevant offences are set out in Chapter 28 of the Criminal Code. These are offences where the perpetrator seeks an unlawful gain or directly or indirectly harms and endangers property belonging to others. This includes classic provisions (eg, on theft, embezzlement, deceit, fraud, including defrauding creditors, misappropriation of funds and breach of fiduciary duties, including providing the authorities with false or misleading information concerning a company's accounts).
It is specifically set out in Section 279a of the Criminal Code that computer fraud can be punished if any person who, for the purpose of obtaining for him or herself or others an unjustified gain by doing the following:
- unlawfully changes, adds or erases information or programmes for the use of electronic data processing; or
- attempts to affect the results of data processing in any other manner.
As a general rule, criminal liability according to the Criminal Code requires intent to commit a criminal fraudulent act for the purpose of gain, which causes a corresponding loss to the victim.
The main piece of anti-money laundering legislation is the Act on Measures to Prevent Money Laundering and Financing of Terrorism, which implements the Fourth EU Anti-Money Laundering Directive (and which is currently expected, from 10 January 2020, to also implement the Fifth EU Anti-Money Laundering Directive). To the extent that the relevant service involves money transfers, the act is supplemented by the EU Regulation on Information Accompanying Transfers of Funds.
Corporate crime and business fraud is investigated by the National Police and the State Prosecutor for Serious Economic and International Crime.
What precautions should fintech businesses take to ensure compliance with these provisions?
Compliance with anti-money laundering regulations can to a certain extent be addressed by ensuring proper legal and compliance advice is sought at the product or service design phase.
However, the primary protection against any type of financial crime is establishing and operating a robust internal compliance programme – including, where appropriate, whistleblowing procedures – and ensuring that the business is supported by a sufficiently staffed and empowered compliance department (eg, if relevant, taking size and complexity of the business into consideration, a three-line defence structure). Being able to demonstrate that an appropriate compliance programme has been put in place may also assist the business in reducing the severity of supervisory enforcement action if – notwithstanding an appropriate compliance programme being in operation – the business does become the subject of some kind of financial crime (eg, breaches of anti-money laundering regulations).
What consumer protection laws and regulations apply to the provision of fintech products and services?
The main applicable consumer protection laws include the following:
- the Consumer Contracts Act – implementing parts of the EU Directive on Consumer Rights (2011/83/EU) and the EU Directive on Distance Marketing of Consumer Financial Services (2002/65/EU), which contains rules on pre-contractual information requirements, right of withdrawal, termination and binding periods;
- the Marketing Practices Act – implementing the EU Directive on Unfair Commercial Practices (2005/29/EU), which in addition to the rules implementing the Unfair Commercial Practices Directive contains rules on, among other things:
o unsolicited marketing;
o comparative advertisements;
o marketing of consumer credit; and
o rules governing the Consumer Ombudsman's activities. The Marketing Practices Act also contains the general rule that businesses must comply with good marketing practices;
- the Payments Act – implementing the EU Payment Services Directive 2, which contains rules implementing the disclosure, business conduct and fee rules set out in Titles III and IV of the directive and corresponding provisions of the Second EU E-money Directive (2009/110/EU);
- the Credit Contracts Act – implementing parts of the EU Consumer Credit Directive (2008/48/EU), which applies to credit arrangements with consumers and which contains, inter alia:
o mandatory disclosure requirements;
o rules on changes to interest rates;
o walk-away rights; and
o rules on term and termination;
- (from 1 July 2019 assuming that the current proposal is passed into law) - the Act on Consumer Loan Undertakings, which applies to certain forms of loans/credit to consumers provided by lenders who are not banks or other forms of licensed financial businesses;
- the Executive Order on Good Business Practices for Financial Businesses – implementing parts of the EU Directive on Consumer Rights, which contains rules on duty of care to the customer, disclosure requirements, the giving of advice to customers and restrictions on amending or terminating customer contracts and applies to inter alia:
o mortgage banks; and
- investment firms; the Executive Order on Good Business Conduct for Insurance Distributorsimplementing parts of the EU Insurance Distribution Directive (2016/97/EU), if the activity involves insurance distribution.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
The fintech nature of a product or service does not in itself give rise to particular competition law issues.
However, there are aspects of the fintech business model which mean that certain competition law considerations – of general application – often become relevant in the context of fintech businesses.
One example of this is the widespread use of partnerships between fintech businesses and incumbent financial institutions which, depending on the nature of the partnership, may raise competition law questions about horizontal or vertical cooperation.
At the other end of the spectrum, fintech products or services which require the fintech business to have access to a financial institution's systems or its customer data, where reluctance to provide such access may, in certain circumstances, raise questions of anti-competitive behaviour.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
Denmark does not have currency controls.
To the extent that the relevant fintech product or service involves a regulated activity, fintech businesses from other EU member states may need to passport an existing licence from their home member state into Denmark and fintech businesses from other third countries may need to obtain a separate licence under the relevant Danish regulatory framework, depending on the nature of the product or service.
Although Danish law does not generally require foreign businesses operating in Denmark to establish a Danish branch, the activities may ultimately reach a scale where general principles of Danish company law will require the relevant fintech business to establish a Danish branch. The determination of when the local activities reach such a scale is highly fact-specific.
Click here to view the full article.