Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
Thus far, the German government has pursued a strict no-sandboxing approach when it comes to fintech companies. Therefore, authorisation requirements and administrative rules apply, depending on the service offered by the respective company. Some facilitations may apply based on the size of the company (principle of proportionality), but no special treatment should be expected simply because a service is using new technologies.
The German legal system is, of course, strongly embedded in the European legal system. National legislation regarding companies in the financial sector is therefore often mere implementations of EU laws (eg, the EU Markets in Financial Instruments Directive II, the EU Capital Requirements Directive IV and the EU Capital Requirements Regulation).
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
No. Thus far, fintech companies are subject to the same provisions as traditional companies in the financial sector. In the short term, no changes are expected. The government’s recent coalition agreement stresses the need for “equal regulation for equal risks” with respect to the fintech industry. This can hardly be regarded as a move away from the equal treatment or the no-sandboxing doctrine.
Which government authorities regulate the provision of fintech products and services?
The financial sector in Germany is supervised by a number of authorities. Most prominently, the Federal Financial Supervisory Authority (BaFin) is responsible for any authorisation procedures and publishes regular guidelines on its regulatory fintech treatment. Bundesbank is responsible for the majority of operational banking supervision, but the European Central Bank may come into play in these matters. For specific forms of investment brokerage and investment advice, local trade supervision authorities or local chambers of industry and commerce may be the responsible authority.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
Depending on the service provided for by the fintech company, the application of the following acts may be triggered:
- the Banking Act;
- the Securities Trading Act;
- the Securities Prospectus Act;
- the Capital Investment Act;
- the Asset Investment Act;
- the Payment Supervision Act;
- the Insurance Supervision Act; and
- various European rules (eg, the EU Market Abuse Regulation).
Although at first glance this may seem like a regulatory minefield for fintech businesses, experienced legal support may help to mitigate or even dispel regulatory risk. Even if licensing requirements apply, fintech companies should not shy away from implementing their business ideas. For example, Bitbond, a bitcoin-based peer-to-peer lending platform, has successfully obtained government authorisation for investment brokerage.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
BaFin lists bitcoins as ‘units of account’ within the meaning of the Banking Act. BaFin recently stated that this will likely apply to other forms of tokens too. In particular, the Banking Act may require authorisation when token-related services are offered.
Lending platforms must choose a specific arrangement to avoid having to obtain authorisation under the Banking Act or the Payment Service Supervision Act. Unless they act as mere brokers of loans and receivables for both lending and borrowing, the obligation to obtain one of the aforementioned authorisations applies. This is why many lending platforms chose a bank as their so-called ‘white labelling’ partner. However, for the mere brokerage of loans, authorisation pursuant to the Industrial Code may be required.
Authorisation for payment service providers may be required if the provider is involved in the execution of the payment handling. In contrast, pure technical service providers may be exempt from authorisation requirements.
For alternative financing platforms, authorisation requirements may apply pursuant to the Banking Act, the Payment Services Supervision Act, the Capital Investment Act or the Securities Trading Act. Investment providers may be subject to a prospectus requirement.
Investment, asset and wealth management companies must obtain authorisation pursuant to the Banking Act. Mere distributors of investments may apply for authorisation pursuant to the Industrial Code but must adhere to the Financial Investment Broker Regulation, an ordinance issued by the Federal Ministry of Economic Affairs.
For robo-advice, the question of authorisation requirements largely depends on whether the investment advice, reception and transmission of orders, execution of orders on behalf of client, or portfolio management within the meaning of the Banking Act is offered by the respective service. A service will most likely be deemed investment advice if a client receives advice on the purchase, sale or hold of a specific financial instrument, based on its personal details.
Are any fintech products or services prohibited in your jurisdiction?
In anticipation of the EU Markets in Financial Instruments Directive II product intervention rules, BaFin was given the authority to use methods of product intervention in 2015. This power allows BaFin to restrict or prohibit the marketing, distribution and sale of certain financial products if these present a significant investor protection concern or a threat to the stability or integrity of the financial system or financial markets. By using this power, BaFin has restricted the marketing, distribution and sale of those financial contracts for difference (CFDs) to retail investors, that come with an additional payments obligation (margin calls). Contrary to previous indications, BaFin has recently refrained from imposing a ban on the distribution of credit-linked notes.
The European Securities and Markets Authority (ESMA) has used their product intervention power for the first time, and gone beyond BaFin’s handling of CfDs. ESMA has announced to impose restrictions on the leverage offered for CFDs and introduced elaborate prerequisites for them to be permissible for retail investors. Further, ESMA prohibited the marketing, distribution and sale of binary options to retail investors. However, these interventions are product-related measures and reflect no specific challenges of fintech companies.
Pursuant to the Capital Investment Act, certain alternative investment funds may not be sold to or purchased by average retail investors; instead, only semi-professional retail investors or professional investors can buy or sell these. The differentiation between those types of investor is strict. Semi-professional retail investors must invest a minimum of €200,000 and be sufficiently capable of understanding the risks involved with their investment into the investment fund. Professional investors are, for example, financial institutes, insurers and governments. Any other types of investor are deemed average retail customers.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
When it comes to personal data, both the European General Data Protection Regulation (GDPR), which will enter into force on May 25 2018, and the (amended) Federal Data Protection Act govern the processing and transfer of data. Until the GDPR enters into force, some provisions of the Telemedia Act still apply. However, the Telemedia Act rules will likely be substituted by the future European ePrivacy Regulation. During that transition period, the GDPR will provide the relevant rules. Some provisions from the Banking Act may also apply in specific outsourcing scenarios.
What cybersecurity regulations or standards apply to fintech businesses?
Depending on the service offered, cybersecurity regulations may apply. Banks, for example, must fulfil certain risk management-related IT-precautions based on the Banking Act. BaFin has substantiated these requirements in Circular 10/2017 on Supervisory Requirements for IT in Financial Institutions. For payment service providers, the European Banking Authority has published guidelines on the security of internet payments, which have been endorsed by BaFin in Circular 4/2015 on Minimum Requirements for Internet Payments Security (MaSI). Based on the European Payment Service Directive 2 (PSD2), the European Commission has also enacted the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication under PSD2, which will replace MaSI as soon as it comes into effect (probably in 2019).
If a service provided is deemed to be ‘critical infrastructure’, organisational requirements stipulated in the Act on the Federal Office for Information Security (BSI Act) may come into play as well. Recently, a new section has been added to the BSI Act, stipulating a duty for digital service providers to enact measures for safeguarding their IT systems. As this provision is relatively new, its impact can only be estimated.
In relation to storing and processing personal data, the GDPR includes data protection-related organisational and technical requirements for IT systems.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
The Anti-Money Laundering Act implemented the EU Fourth Anti-Money Laundering (AML) Directive into German law. Most financial companies subject to authorisation requirements are also deemed obliged entities within the meaning of the Anti-Money Laundering Act. Therefore, due diligence requirements apply, such as the implementation of know-your-customer (KYC) procedures. Some even stricter due diligence requirements apply to credit institutions and financial service institutions within the meaning of the Banking Act. Further, companies that are not registered in the Companies House may need to be entered into the Transparency Register and provide a list of beneficial owners.
For counter-tax evasion reasons, the Federal Tax Act also requires tax-related KYC procedures in place for certain bank-related business, such as opening a bank account.
What precautions should fintech businesses take to ensure compliance with these provisions?
Businesses should carefully examine whether they fall within the scope of any of the aforementioned regulations. German authorities follow a rather strict approach when it comes to the enforcement of anti-money laundering and financial crime provisions.
What consumer protection laws and regulations apply to the provision of fintech products and services?
Most provisions on consumer protection are found within the Civil Code – in particular, revocation rights may apply in case of distance contracts. Further, ex ante information requirements must be fulfilled for many services.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
No specific competition regulatory concerns are raised with respect to fintech products or services.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
Cross-border access to the German market for fintech products and services is subject to authorisation requirements and can be generally achieved in three different ways:
- Full licence – this involves applying for full authorisation with the competent authorities (eg, for a subsidiary).
- Passporting – EEA branches can, in particular, make use of passporting mechanisms. These are implemented in, for example, the Banking Act and the Securities Trading Act. Passporting can either be used to establish a branch in Germany or for the provision of direct cross-border services. Supervision would largely be carried out by the home country, while a smaller number of German provisions must be met. Apart from EU passporting, Germany has entered into bilateral agreements with the United States, Japan and Australia to allow passporting for financial institutes from these countries. Financial institutes from Switzerland benefit from a simplified authorisation procedure that, if successful, exempts them from the application of many provisions in the Banking Act.
- White labelling – fintech companies can also use existing licences from German domestic financial institutes in order to ‘white label’ their activities. Based on a cooperation agreement, the existing bank would, from a legal standpoint, be considered to have outsourced its activities to the respective fintech company. The fintech company is then able to carry out its service in Germany, notwithstanding the lack of authorisation.
Click here to view the full article.