Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
Austrian law and the Austrian regulator are neutral as to which technology is used. Accordingly, fintech products and services operate in the same regulatory environment as ‘traditional’ market participants. If and to what extent the financial regulatory regime applies to them primarily depends on their actual business activities. In addition, supplementary provisions might apply depending on clientele (particularly in the case of business with consumers).
The Austrian regulator is open to new technology and has therefore established a fintech contact point, which handles all fintech-related questions and can be contacted by fintech companies planning to become active in the Austrian market. However, no regulatory sandbox is currently available.
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
No fintech-specific laws have been enacted in Austria. The Ministry of Finance has established an advisory board and proclaimed that it aims to foster growth in the fintech sector.
Which government authorities regulate the provision of fintech products and services?
The Financial Market Authority (FMA) is responsible for banking, insurance, securities and pension company supervision. Accordingly, a fintech company will be supervised by the FMA, provided that it conducts activities subject to financial market regulation.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
The use of a particular product or technique (eg, an app, interface or distributed ledger technology) does not restrict the applicability of laws and regulations governing the provision of financial services. Relevant for the applicability of those regulations is always the activity being conducted by the respective fintech company.
Depending on the specific business model, fintech company operations may be subject to regulatory licensing requirements and governed by:
- the Banking Act – if the business operations involve banking activities such as accepting third-party funds for management by investing in a virtual currency, when loans are brokered or granted or when payment instruments are issued);
- the Payment Services Act 2018 – for example, where money is received and transferred to third parties, information of several accounts is consolidated or payments are initiated;
- the Securities Supervision Act 2018 – for example, if providing investment advice or portfolio management, receiving or transmitting orders or operating a multilateral trading facility;
- the Act on Alternative Investment Fund Managers – for example, when collecting investors capital to invest in virtual currencies according to a pre-defined investment strategy;
- the Electronic Money Act – when issuing electronic money;
- the Insurance Supervision Act – when offering contract insurance; and
- the Act on Anti-Money Laundering in the Financial Market.
Further, public offers of securities or investments will usually trigger a prospectus requirement pursuant to the Capital Market Act; although, the Capital Market Act itself – as well as the Act on Alternative Financing – provides for certain reliefs and exemptions. Whether an offer of coins and tokens (initial coin and initial token offerings) triggers a prospectus requirement depends on the features of the coin or token and requires careful examination of the case at hand.
Other commercial activities are subject to the Trade Act, provided that they are not expressly exempt.
Given that the financial industry is highly regulated, fintech companies should understand that their business model may subject them to substantial regulatory requirements. Depending on the business model, careful structuring may result in eased or no requirements at all.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
In determining whether a licence is required, the activity of the fintech companies concerned is decisive, but not the use of a particular product or technique (eg, an app, interface or distributed ledger technology).
Digital currencies, initial coin offerings
Bitcoin – the most prominent blockchain-based cryptocurrency – is not subject to FMA supervision because it is not classified as a payment or financial instrument under Austrian law.
However, for the operation of various business models based on cryptocurrencies, a licence from the FMA (eg, according to the Banking Act, the Act on Alternative Investment Fund Managers or the Payment Services Act 2018) or a prospectus according to the Capital Market Act may be required.
Due to differences in the technical, functional and economic design of initial coin offerings, each offering must be assessed on a case-by-case basis. The regulatory assessment must always be based on the specific form of the initial coin offering in each individual case and may result (for example) in the applicability of the Banking Act, the Act on Alternative Investment Fund Managers, the Act on Securities Supervision 2018 or in a prospectus requirement according to the Capital Market Act.
Alternative lending platforms
Alternative lending platforms are difficult to implement without triggering a licence requirement. Connecting potential lenders with potential borrowers requires either a licence according to the Banking Act (the brokerage of loans constitutes banking business) or a respective trade licence according to the Trade Act.
A licence according to the Payment Services Act 2018 may be required if the fintech company is involved executing payment services – for example, initiating or executing payment transactions, enabling cash placements or withdrawals on a payment account, or money remittance.
The provision of mere technical services (to be construed on a narrow basis) is generally exempt from the Payment Services Act 2018. The Electronic Money Act or the Banking Act may apply to commercial issuances of payment instruments.
Alternative financing platforms
A licence from the FMA pursuant to the Banking Act, the Act on Alternative Investment Fund Managers or the Payment Services Act 2018 may be required. A prospectus according to the Capital Market Act may be required, although the Capital Market Act itself as well as the Act on Alternative Financing provide for certain relief and exemptions.
Investment, asset and wealth management/robo-advice
Fintech companies that offer investment, asset and wealth management services or robo-advice may require a licence under the Securities Supervision Act 2018, implementing the EU Markets in Financial Instruments Directive II (MiFID II) into Austrian law.
Are any fintech products or services prohibited in your jurisdiction?
No, but some activities are subject to licensing requirements. Conducting such activities without the required authorisation may result in (among other things) substantial administrative fines.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
The processing and transfer (domestic and cross-border) of data relating to fintech products and services is subject to the EU General Data Protection Regulation (GDPR), which in Austria is supplemented by national data protection law.
The GDPR applied as of 25 May 2018 and provides for substantial fines (up to €20 million or 4% of the company’s annual turnover) in case of material violations (eg, illegal transfers of data to countries outside the European Union).
What cybersecurity regulations or standards apply to fintech businesses?
Regulators have become focused on cybersecurity and its associated risks. Accordingly, both European and national regulators have issued guidelines on IT security with which credit institutions must comply.
These guidelines are also relevant for fintech companies because such businesses are either licensed themselves or cooperate with licenced institutions that will hold them to the same level of accountability.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
Due diligence obligations to combat money laundering and terrorist financing are regulated in the Act on Anti-money Laundering in the Financial Market. They are based on the Fourth EU Money Laundering Directive. Fintech companies must observe these due diligence requirements if they perform activities which require a licence and are therefore subject to the supervision of the FMA.
The obligation to exercise such anti-money laundering due diligence may also arise on the basis of the Trade Act.
The Fifth EU Money Laundering Directive will apply anti-money laundering obligations to cryptocurrency exchanges and custodian wallet providers for digital currencies.
What precautions should fintech businesses take to ensure compliance with these provisions?
The provisions are based on the ‘know your customer’ principle, which aims to deprive money launderers of their anonymity.
Accordingly, customers must be identified by means of an official photo ID (eg, upon entering into a business relationship).
If money laundering or terrorist financing is suspected, a report must be submitted to the Money Laundering Reporting Office.
What consumer protection laws and regulations apply to the provision of fintech products and services?
Under Austrian law, the level of protection afforded to consumers generally does not depend on the type of product or service. Contracts between entrepreneurs and consumers must meet the requirements of the Consumer Protection Act. Contracts concluded at a distance (eg, via telephone, e-mail or the Internet) or outside business premises are subject to the Distance Selling Act.
Those provisions – to a large extent based on EU law – aim to ensure that consumers are informed in a transparent way and are not subject to unusual or unfair provisions. The Austrian legislature provides for special information obligations and rights of withdrawal for the benefit of consumers. These are largely based on EU law.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
The provision of fintech products or services raises no particular competition regulatory concerns per se.
General competition law restrictions may have to be complied with when entering into long-term cooperation agreements.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
Foreign companies wishing to access the Austrian market for fintech products and services have the following options:
- obtain a licence from the Austrian regulator (provided that the fintech engages in a regulated activity);
- if applicable, passport their existing EEA licence to Austria and either establish a branch or directly provide cross-border services;
- collaborate with a company that holds the required licences; or
- adapt the business model for the Austrian market to avoid licence requirements.
Click here to view the full article.