fintech - acc.com

Contributing Editors: Todd W. Beauchamp, Stephen P. Wink & Yvette D. Valdez

Fintech

Third Edition

Global Legal InsightsFintech

2021, Third EditionContributing Editors: Todd W. Beauchamp, Stephen P. Wink & Yvette D. Valdez

Latham & Watkins LLPPublished by Global Legal Group

GLOBAL LEGAL INSIGHTS – FINTECH 20212021, THIRD EDITION

Contributing EditorsTodd W. Beauchamp, Stephen P. Wink & Yvette D. Valdez, Latham & Watkins LLP

PublisherJames Strode

Production EditorJane Simmons

Senior EditorSam Friend

Head of ProductionSuzie Levy

Chief Media OfficerFraser Allan

CEOJason Byles

We are extremely grateful for all contributions to this edition. Special thanks are reserved for Todd W. Beauchamp, Stephen P. Wink & Yvette D. Valdez of Latham &

Watkins LLP for all of their assistance.

Published by Global Legal Group Ltd.59 Tanner Street, London SE1 3PL, United KingdomTel: +44 207 367 0720 / URL: www.glgroup.co.uk

Copyright © 2021Global Legal Group Ltd. All rights reserved

No photocopying

ISBN 978-1-83918-138-2ISSN 2632-8666

This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations. The information contained herein is accurate as of the date of publication.

Printed and bound by TJ Books LimitedTrecerus Industrial Estate, Padstow, Cornwall, PL28 8RW

AUGUST 2021

CONTENTS

Preface Todd Beauchamp, Latham & Watkins LLPExpert analysis Crypto-Asset Trading Platforms: Another Regulatory Trip Around the World chapters Todd W. Beauchamp, Stephen P. Wink & Yvette D. Valdez, Latham & Watkins LLP 1

When Beeple Met Howey – A Token by Any Other Name Could Still Be a Security: The Regulation of Non-Fungible Tokens in the United States Richard B. Levin & Kevin Tran, Nelson Mullins 17

Fintech SPAC Transactions in Europe and the United States Jonathan Cardenas, Financial Services Technology Joint Subcommittee 30Country chaptersAustralia Peter Reeves, Robert O’Grady & Emily Shen, Gilbert + Tobin 40Brazil Vanêssa Fialdini & Tatiana Facchim Ribeiro, Fialdini Advogados 50Canada Brigitte Goulard, Konata Lake & Molly Reynolds, Torys LLP 56China Jun Wan, Xun Li & Ye Li, Han Kun Law Offices 71Denmark Morten Schultz, Kasper Laustsen & Christian Blicher Møller, Bruun & Hjejle Advokatpartnerselskab 79France Hubert de Vauplane & Victor Charpiat, Kramer Levin Naftalis & Frankel LLP 88Hungary Dr. Márton Kovács, Dr. András Zsirai & Dr. Roland Osvald, HBK Partners Attorneys at Law 100India Shilpa Mankar Ahluwalia, Himanshu Malhotra & Vrinda Pareek, Shardul Amarchand Mangaldas & Co 107Ireland Joe Beashel & Ian O’Mara, Matheson 117Japan Ken Kawai, Shunsuke Aoki & Keisuke Hatano, Anderson Mōri & Tomotsune 124Korea Won H. Cho, Jeong Hwa Jang & Chi Eui Hong, D’LIGHT Law Group 134Luxembourg Prof. Jean-Louis Schiltz & Nadia Manzari, Schiltz & Schiltz S.A. 146Malaysia Mohamed Ridza Abdullah & Mohamad Nazran Basirun, Mohamed Ridza & Co. 159Netherlands Lous Vervuurt, BUREN 173Nigeria Prof. Gbolahan Elias, Ebimobowei Jikenghan & Novo Edojariogba, G. Elias & Co. 181Norway Ole Andenæs, Snorre Nordmo & Stina Tveiten, Wikborg Rein Advokatfirma AS 192Romania Simona Petrişor, Diana E. Ispas & Alexandru Achim, Bondoc și Asociații SCA 201Singapore Lim Chong Kin & Benjamin Gaw, Drew & Napier LLC 213Spain Alfonso López-Ibor Aliño, Olivia López-Ibor Jaume & Alejandro Sosa Röhl, López-Ibor Abogados 226Sweden David Frydlinger & Caroline Olstedt Carlström, Cirio law firm 236Switzerland Dr. Lukas Morscher, Fedor Poskriakov & Isy Isaac Sakkal, Lenz & Staehelin 246

Taiwan Robin Chang & Eddie Hsiung, Lee and Li, Attorneys-at-Law 257Thailand Sappawit Jansuparerg & Thaya Uthayophas, Weerawong, Chinnavat & Partners Ltd. 265United Kingdom Ian Mason, Sushil Kuner & Samantha Holland, Gowling WLG (UK) LLP 278USA Andrew Lorentz & Thomas Kost, Davis Wright Tremaine LLP 290Vietnam Philip Ziter, Chu Bao Khanh & Nguyen Huu Minh Nhut, Russin & Vecchi 307

PREFACE

W elcome to the 2021 Edition of Global Legal Insights – Fintech. Latham & Watkins LLP is delighted to serve as contributing editors

for this edition, which hopefully will provide some helpful clarity on this fast-evolving area of the law.“Fintech” has become a catch-all term used to refer to a varied array of products and services, and regardless of how one might define it, fintech is certainly having an ever-increasing impact on the way we live our lives. The COVID-19 pandemic has greatly influenced the fintech landscape, rapidly accelerating the mainstream acceptance of contactless payment methods (and corresponding shift away from cash), and further underscoring the importance of e-commerce for all types of businesses. The digital asset space continues to evolve at a lightning pace; while Bitcoin and Ethereum remain the most popular cryptocurrencies, a multitude of others continue to enter the market, including central bank-issued digital currencies (“CBDC”) and other stablecoins. In addition, non-fungible tokens (“NFTs”) have drawn great interest and gained tremendous traction in the markets. Special-purpose acquisition companies (“SPACs”) have allowed earlier stage fintech companies to enter the public market on tighter timelines and budgets, providing companies with greater opportunities to attract additional capital to further develop their products and services. Further, increased focus on the industry from retail investors (as buyers and traders of NFTs or cryptocurrency, stockholders of newly public fintech companies) brings regulatory scrutiny, but also attracts additional market participants and thus greater competition – we look forward to fintech’s next phase.

Todd W. Beauchamp, Stephen P. Wink & Yvette D. ValdezLatham & Watkins LLP

Crypto-Asset Trading Platforms: Another Regulatory Trip Around the World

Todd W. Beauchamp, Stephen P. Wink & Yvette D. ValdezLatham & Watkins LLP

GLI – Fintech 2021, Third Edition 1 www.globallegalinsights.com

Crypto-asset trading is a fast-growing part of the financial sector.1 Some countries have wholeheartedly embraced crypto-assets, some have been reticent to permit widespread adoption, others have actively clamped down on crypto-assets and the platforms they trade on. Generally, countries have interpreted existing laws and regulations to apply to crypto-assets or adopted new laws or regulations to specifically address crypto-assets – or embarked on some combination of the two. Due to their use of blockchain and other distributed ledger technology, crypto-assets are, in most cases, inherently cross-border and cross-jurisdictional. Thus, most issuers of crypto-assets and operators of trading platforms must address multiple legal and regulatory frameworks when attempting to enter the market.While this chapter will explore the regulation of crypto-assets and trading platforms in the European Union, the United States, Hong Kong, Singapore, Thailand, and Japan, it is important to note that there are, generally speaking, two types of crypto-asset trading platforms: centralised; and decentralised. Centralised crypto-asset trading platforms usually act as custodian for the crypto-assets and are responsible for legal and regulatory compliance (in this way, traditional exchanges provide a relatively straightforward analogue). Decentralised trading platforms are different. Instead of taking custody of a user’s crypto- assets, and facilitating and executing trades itself, a decentralised trading platform may simply provide the trade-matching technology, with users retaining control/custody of their crypto- assets and automatically transferring crypto-assets between wallets pursuant to triggered smart contracts and without the involvement of a clearly identifiable intermediary. Centralised trading platforms have been targets of hackings (both informational and monetary) because, as the name suggests, they act as central repositories of funds (i.e., crypto-assets and/or fiat currency) and information (e.g., personal information provided by users to satisfy know-your-customer (“KYC”) requirements). Given they generally operate in a non-custodial fashion, decentralised trading platforms, on the other hand, have not been an immediately attractive target for these sorts of attacks since they hold no funds and limited, if any, personal information. With that said, decentralised platforms are certainly not immune from other forms of hacks and exploits. Indeed, decentralised applications (“DApps”) have recently been subject to: sophisticated hacks that exploit bugs in the underlying blockchain protocol code; exploit bugs in the smart contracts governing how the DApp operates; or by execution of a 51% attack, whereby hackers gain control of more than half of a crypto-asset’s mining process, and therefore gain control of the network for malicious ends.Due to the generally hands-off, non-custodial approach of decentralised finance and DApps, whether and to what extent certain legal and regulatory regimes may be applicable is often unclear. In many cases, if the decentralised trading platform does not hold or transfer funds, and transactions happen peer-to-peer, then it may not be captured by existing regulatory

Latham & Watkins LLP Crypto-Asset Trading Platforms: Another Regulatory Trip Around the World


regimes that were devised with centralised entities and agents in mind. Hence, as the market for decentralised trading platforms continue to grow and evolve, regulators continue to grapple with the increasingly complex questions of whether and how these platforms should or can be regulated. It is increasingly clear, however, that regulators are no longer taking a wait-and-see approach and are now focused on measuring compliance by decentralised finance markets and platforms with the existing regulatory mandates applicable to centralised finance, including those intended to address consumer protection risks, financial crime risks, and financial system risks.

European Union

The EU has an overarching financial regulatory framework principally made up of regulations (which are directly applicable in EU Member States) and directives (which must be adopted into national law by each EU Member State). While this framework ensures a degree of harmonisation across EU Member States, it does not guarantee uniform regulation.Crypto-asset regulation provides a good illustration of this issue. When considering whether EU financial regulation applies to crypto-assets, a threshold question to ask is: do the crypto-assets constitute a “financial instrument” or “electronic money”? A platform that facilitates trading in crypto-assets that are financial instruments or electronic money will typically be subject to licensing and other regulatory requirements. The definitions of financial instrument and electronic money are set out in Directive 2014/65/EU (“MiFID II”) and Directive 2009/110/EC (“2EMD”), respectively. EU Member States have interpreted and implemented these directives differently; thus, it is possible that the same crypto-asset could be a financial instrument in one jurisdiction and not in another.2 In addition, national laws, such as long- standing domestic securities laws, financial promotion and public offer laws, and newly introduced laws or regulations specifically addressing crypto-assets, may impose additional regulation on crypto-assets (whether or not they fall within the scope of MiFID II or 2EMD).3 In addition to the variance in national laws, Member State-specific guidance increases the risk of regulatory divergence throughout the EU. Given this fragmentation, it is necessary to classify a given crypto-asset in accordance with the national laws of each EU Member State in which it is to be marketed, distributed, traded, or otherwise used.The European Securities and Markets Authority (“ESMA”), which is the European Supervisory Authority (“ESA”) with jurisdiction over financial markets and investor protection in the EU, and the European Banking Authority (“EBA”), the ESA with jurisdiction over banking activity in the EU, both noted the fragmented state of affairs in their respective advice to the European Commission (“Commission”) and European Parliament on regulating crypto-assets (“ESMA Advice”4 and “EBA Report”,5 respectively).The ESMA Advice highlighted areas of the EU regulatory framework (e.g., the requirements relating to settlement under the European Central Securities Depositories Regulation, which are critical to trading activities in financial instruments in the EU) that may be difficult to apply to crypto-assets that are classified as transferable securities (a type of MiFID II financial instrument). The ESMA Advice also cautioned that the introduction of Member State-specific regulatory regimes addressing crypto-assets will create an unequal playing field for crypto- assets across the EU. Considering the inherently cross-border nature of most crypto-assets, the ESMA Advice encouraged an “EU-wide approach” to the regulation of crypto-assets not otherwise captured by MiFID II and 2EMD.While definitive classification remains subject to EU Member States’ laws, some high-level principles for classification of crypto-assets can be extracted from ESMA’s survey of Member States:



• ESMA did not include “pure payment-type” crypto-assets (including Bitcoin) in the survey on the basis that they “are unlikely to qualify as financial instruments”.

• For a majority of the regulators surveyed, the existence of attached profit rights (whether or not alongside ownership or governance rights) was sufficient for a crypto-asset to constitute a transferable security, provided the crypto-asset was freely tradable and not a payment instrument.

• None of the regulators surveyed characterised “pure utility-type” crypto-assets as financial instruments on the basis that the “rights that they convey seem to be too far away from the financial and monetary structure of … a financial instrument”.

Similarly, while the EBA Report recognised that crypto-assets must be classified on a case-by-case basis, it stated that crypto-assets are not considered “funds”6 or equivalent to fiat currency in any EU Member State for the purposes of EU financial regulation,7 and indicated that crypto-assets are most likely to satisfy the definition of electronic money in circumstances where the value of the crypto-asset is pegged to the value of fiat currency (e.g., stablecoins) and the crypto-asset is redeemable for fiat currency.Indeed, what the ESMA Advice and the EBA Report suggest is that for the purposes of regulation, the characterisation of crypto-assets proceeds predominantly on the basis of an intrinsic assessment of a given crypto-asset, focused on the rights or entitlements granted to holders, rather than on the basis of extrinsic factors, such as the intended or actual use of the crypto- asset or other contextual factors relating to the crypto-asset (such as whether a platform to which the crypto-asset relates is currently operational or whether the network underlying the crypto-asset is decentralised). On December 19, 2019, the Commission launched a public consultation to review the suitability and effectiveness of the current EU regulatory framework applicable to crypto-assets.8 The purpose of the consultation was to examine crypto- assets that are within the scope of the existing regulatory framework and determine whether a separate EU regulatory framework should be adopted for crypto-assets that do not fall within scope, either by introducing an EU directive or an EU regulation. The Commission recognised that different interpretations and applications of existing requirements can lead to divergent approaches by national competent authorities, resulting in uncertainty, difficulties with the cross-border provision of crypto-asset services, and a fragmentation of the existing EU regulatory approach toward crypto-assets. The public consultation closed in March 2020, and the Commission’s proposals were published on 24 September 2020 as (among other things) the draft Markets in Crypto-Assets Regulation (“MiCAˮ). The proposal is part of the EU Digital Finance package, a set of measures designed to make the EU fit for the digital age and to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks involved.As an EU regulation, MiCA would create a new, uniform EU-wide licensing regime for crypto-asset issuers and service providers along with substantive conduct of business and consumer protection requirements. Broadly, MiCA would apply in relation to crypto-assets that are not otherwise regulated at an EU level (for example, as financial instruments under MiFID II) to persons that are either: (i) engaged in the issuance of such crypto-assets; or (ii) provide services related to such crypto-assets in the EU. The proposals would impose regulatory requirements on issuers of crypto-assets, and also subject crypto-asset service providers to authorisation requirements and a broad range of general prudential, conduct of business, and governance requirements, as well as additional requirements that apply depending on the types of crypto-asset services being provided. A market abuse regime for



in-scope crypto-assets in line with that applicable to traditional financial instruments under the EU Market Abuse Regulation is also included in the draft. MiCA would also introduce a new EU-wide passport that is available to market participants who become licensed under the MiCA regime in their home Member State.MiCA has been designed to interplay with existing EU financial services legislation and authorisation requirements. Many of the requirements it imposes on crypto-asset issuers and service providers will be familiar to legal and compliance professionals in traditional financial services, although adapted to meet the idiosyncracies of the crypto-asset market. MiCA is currently making its way through the EU legislative process and whilst the precise timetable for its implementation is currently unclear, the Commission’s ambition is for MiCA to be in force by 2024. Under the proposals, crypto-asset service providers that began providing their services before the date MiCA comes into force would have 18 months from the date that MiCA comes into force to become authorised and would only be required to comply with the requirements of MiCA once granted an authorisation within that period. However, until authorised, crypto-asset service providers would need to continue to comply with the existing national laws of Member States. The proposals also contain a grandfathering provision meaning that certain crypto-assets issued before the date on which MiCA comes into force will not be subject to it, but this will not apply to “asset-referenced tokens” or “e-money tokens” (each as defined in MiCA) in respect of which MiCA will apply even if such tokens were issued prior to it coming into force.Separately, EU Directive 2018/843 (“5MLD”) extended EU anti-money laundering (“AML”) and counter-terrorism financing (“CFT”) regimes to capture certain crypto-asset service providers (broadly, persons engaged in cryptocurrency exchange and custodial wallet providers). Notably, the definition of a crypto-asset for these purposes is very broad (and not related to the definition of financial instruments under MiFID II or electronic money under 2EMD) and so the EU AML regime may nevertheless apply to crypto-asset market participants that otherwise fall outside the scope of EU financial services regulation. While 5MLD was required to be implemented by EU Member States on or before January 10, 2020, a number of EU Member States have not yet fully done so. And the Member States that have implemented 5MLD have taken divergent approaches (e.g., some Member States have gold-plated the requirements of 5MLD and imposed licensing regimes on in-scope entities), which again raises the question of fragmentation of the EU regulatory approach toward crypto-assets and may amplify the calls for a directly applicable EU regulatory regime implemented through EU regulations rather than directives.

United States

In the US, crypto-asset markets and related activities are regulated under several federal and state regulatory regimes. At the federal level, the Securities and Exchange Commission (“SEC”) is concerned with whether a crypto-asset is a “security”, the Commodity Futures Trading Commission (“CFTC”) asks whether a crypto-asset is a “commodity”, and the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) regulates certain activities involving “convertible virtual currency”. A crypto-asset can be one or more of these things simultaneously, and may also be subject to any number of state-level money transmitter, securities, and tax regimes. The applicability of these laws and regulations to a decentralised trading platform will depend on how the platform operates and is marketed; its decentralised nature is not the determining factor in analysing whether it is subject to regulation.Acting as a Security. If a crypto-asset fits within the definition of a security, it is regulated by the SEC and subject to existing laws and regulations.9 If so, the issuer of the crypto-



asset needs to either register the offering and sales of the crypto-asset under section 5 of the Securities Act of 1933 or find an applicable exemption.10

Further, the Securities Exchange Act of 1934 regulates intermediaries that engage in securities transactions. Thus, those crypto-asset exchanges that engage with securities are required to register as a securities exchange or, depending on their business model, a broker-dealer.11 For centralised exchanges and broker-dealers acting as custodians of digital asset securities, the SEC issued a joint staff statement with the Financial Industry Regulatory Authority (“FINRA”) on July 8, 2019, highlighting the importance of compliance with Rule 15c3-3 of the Securities Exchange Act of 1934 (the “Customer Protection Rule”). It also issued a related statement on December 23, 2020 (“Custody of Digital Asset Securities by Special Purpose Broker-Dealers”), clarifying its position on how broker-dealers can establish possession or control of digital assets in compliance with the Customer Protection Rule to mitigate the risk of the loss or theft.Any investment funds that invest in crypto-assets that are securities are subject to the same laws applicable to pooled vehicles that invest in securities generally, such as the Investment Company Act of 1940 and the Investment Advisers Act of 1940.Notably, while the SEC regulates crypto-assets that are securities, the SEC staff has indicated that they do not consider the two most well-known crypto-assets – Bitcoin and Ether – to be securities. If, however, these non-security crypto-assets were bundled into investment vehicles (such as exchange-traded funds), they would become securities and subject to SEC regulation.Acting as a Commodity. The CFTC considers crypto-assets (including Bitcoin and Ether) that are not securities to be commodities for purposes of the Commodity Exchange Act. The CFTC regulates futures, options on futures, and swaps (i.e., derivatives) on commodities (including crypto-assets) (collectively, “Commodity Interests”), subjecting market participants and transactions in such Commodity Interests to certain regulatory oversight and registration requirements. While the CFTC does not have general regulatory jurisdiction and oversight with respect to spot crypto-assets markets, the CFTC does retain general enforcement authority to police against manipulation and fraud in the spot commodities markets (including spot crypto-asset markets). Thus, the CFTC regulates the crypto-asset spot markets by enforcement, and has done so aggressively over the past few years.12

In addition to transactions in Commodity Interests, the CFTC also regulates commodity transactions with retail customers that are entered into or offered on a leveraged, margined or financed basis as if they were futures contracts (the “Retail Leveraged Rules”). However, if a transaction results in “actual delivery” of the relevant commodity within 28 days, such leveraged transaction will not be subject to regulation as a futures contract. Crypto-asset markets have exhibited increasing use of leverage and margin for the trading of crypto-assets, and the application of the Retail Leveraged Rules to transactions in crypto-assets has been an area of CFTC regulatory and enforcement emphasis. The CFTC has finalised interpretive guidance (“Guidance”) on what constitutes “actual delivery” in the context of crypto-assets which serve as a medium of exchange (i.e., virtual currency),13 providing two primary factors for what would constitute “actual delivery” for purposes of the Retail Leveraged Rules: first, the purchaser must have possession and control over the virtual currency; and second, the purchaser must be able to use the virtual currency in commerce. Under the CFTC’s regulatory framework, certain intermediaries are subject to regulation and registration. Thus, in general, futures or options on crypto-assets (and crypto-asset transactions regulated as if they were futures contracts under the Retail Leveraged Rules)



may only be offered to retail customers by designated contract markets (“DCMs”) subject to CFTC regulation and oversight. Other intermediaries involved in soliciting or accepting orders for such transactions may be required to register, absent an applicable exemption, as a futures commission merchant (“FCM”) or introducing broker. The CFTC has issued a primer with respect to the heightened scrutiny of futures contracts on crypto-assets, and CFTC Commissioners have publicly stated that the agency will be paying strict attention to this market.14 On the other hand, bilateral swaps on crypto-assets may only be entered into between sophisticated counterparties that qualify as “eligible contract participants” under the Commodity Exchange Act and markets and facilities for the trading of swaps must generally register with the CFTC as a swap execution facility (“SEF”). On October 21, 2020, the CFTC’s Division of Swap Dealer and Intermediary Oversight (“DSIO”) issued CFTC Staff Letter No. 20-34, clarifying its views on the acceptance, holding, and reporting of virtual currency (e.g., Bitcoin or Ether) in segregated accounts by FCMs and the development of appropriate risk management programmes in relation thereto. Specifically, the advisory related to virtual currencies deposited by customers with FCMs in connection with physically delivered futures contracts or swaps. Due to the “custodian risk” associated with holding virtual currency as segregated funds, the Advisory lays out specific guidance for FCMs on virtual asset acceptance and custody, and their responsibility to implement appropriate policies, procedures, and oversight programmes.Although not a binding rule or regulation, a recent speech by CFTC Commissioner Dan M. Berkovitz on June 8, 2021 provides a stern reminder that the existing regulatory requirements under the Commodity Exchange Act, including the DCM and SEF registration requirements, extend to decentralised finance markets and platforms. In this regard, Commissioner Berkovitz emphasised that the Commodity Exchange Act does not contain any registration exceptions for smart contracts and decentralised finance applications, and decentralised trading markets and platforms would be in violation of the law absent appropriate registration. Acting as a Currency. If the crypto-asset is intended to act as a medium of exchange, it may be treated similarly to fiat currency for purposes of the Bank Secrecy Act of 1970 and its implementing regulations (collectively, the “BSA”), which serves as the principal AML regulatory regime in the US.15

The BSA applies to “financial institutions”, which includes banks and other entities, such as money services businesses (“MSBs”).16 MSBs include multiple categories of entities, the most relevant to crypto-asset exchanges being a “money transmitter”.17 A money transmitter is “[a] person that provides money transmission services”,18 which, in turn, is defined as “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means”.19 Generally, any person falling within the definition of money transmitter must register with FinCEN and comply with the attendant requirements under the BSA. However, if an entity is functionally regulated by the SEC or the CFTC, it does not need to register as an MSB even if it otherwise meets the criteria.While the BSA does not expressly reference or contemplate crypto-assets or crypto-asset- related activities, in 2013 FinCEN published initial guidance, and subsequently issued a series of administrative rulings, regarding the application of the BSA to certain crypto-asset- related activities. In an effort to further clarify its previously articulated positions, FinCEN issued consolidated guidance on the topic in May 2019 (“2019 Guidance”), which included additional discussion regarding what constitutes “convertible virtual currency”20 (“CVC”),



which is the central focus of FinCEN’s regulatory efforts. The 2019 Guidance also included further discussion regarding the application of the BSA to the different types of participants in certain CVC arrangements, which FinCEN has defined as follows:• A “user” is “a person that obtains virtual currency to purchase goods or services”.• An “exchanger” is “a person engaged as a business in the exchange of virtual currency

for real currency, funds, or other virtual currency”.• An “administrator” is “a person engaged as a business in issuing (putting into circulation)

a virtual currency, and who has the authority to redeem (to withdraw from circulation) such virtual currency”.21

FinCEN has stated that a user of CVC is not an MSB, but that an administrator or exchanger of CVC22 that “(1) accepts and transmits CVC or (2) buys or sells CVC for any reason is a money transmitter under FinCEN’s regulations”.23

Finally, on December 23, 2020, FinCEN issued a proposed rule that would impose significant new obligations on market participants in the cryptocurrency and digital asset market (“Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets”). The proposal would require banks and MSBs to submit reports, keep records, and verify the identity of customers (and counterparties) in relation to transactions involving CVC or digital assets with legal tender status held in unhosted wallets, or held in wallets hosted in a jurisdiction identified by FinCEN, if the transaction is greater than US$10,000. The proposal, controversial in the crypto-asset for the significant compliance burdens it would impose, has not yet been finalised. Broadly speaking, based on FinCEN’s guidance, if a trading platform engages in the purchase or sale of crypto-assets as a customer business, provides services involving the receipt and transmission of crypto-assets, or provides customers with a hosted wallet (or similar custodial solution), then it is a money transmitter under the BSA and must register with FinCEN and comply with the applicable rules. On the other hand, if the trading platform simply provides information and the opportunity for customers to match and execute their own trades, like most decentralised trading platforms, then it likely is not a money transmitter. However, as reflected in FinCEN’s prior guidance and rulings, analysing whether certain activities are subject to the BSA is often very fact-specific, and given the rapidly evolving landscape drawing lasting bright lines of distinction is increasingly difficult. Therefore, any person involved in the space should stay abreast of all regulatory developments and continually evaluate the potential impact of any updated guidance or new rulings on their prior analysis.Finally, US states and territories regulate the provision of money transmission services to residents of their respective jurisdiction.24 Although the requirements and related definitions vary slightly from state to state, money transmission services typically include: (i) traditional money remittance; (ii) issuing or selling open-loop stored value or prepaid access; or (iii) issuing or selling payment instruments. Generally, if an entity is engaged in any one of those activities, it must be: (i) licensed as a money transmitter under the relevant state law; (ii) appointed and serve as the authorised agent of a money transmitter licensed in the relevant state; or (iii) an entity or activity that is exempt under the relevant money transmitter statute.The states have not taken a uniform approach with respect to regulating the transmission of crypto-assets. Some states have expressly amended their existing money transmission statutes to contemplate crypto-assets, some have issued guidance and/or interpretations that incorporate crypto-assets into their current money transmission statutes, and others have issued guidance finding that crypto-asset-related activities do not constitute money transmission under their statutes. The State of New York is unique in that its financial services regulator issued



a standalone regulation specific to crypto-asset-related activities.25 As a general rule, though, if a trading platform accepts money or crypto-assets from one person or place and stores it and/or sends it to another person or place, in most instances, that activity constitutes money transmission.26 Also unique among the 50 states is Wyoming. On July 1, 2021, a law came into effect making Wyoming the first state in the nation to allow decentralised autonomous organisations (“DAOs”) to obtain legal company status. A DAO is a form of DApp, and the legislation would allow DAO protocol creators to pursue development and growth post-token launch by registering in Wyoming as a limited liability company (“LLC”) (a popular business structure first established by Wyoming in 1977). DAOs would benefit immensely from the ability to incorporate, register, transact, hire employees, and scale like any other LLC can. The legislation would therefore provide legal structure, regulatory clarity, and operational legitimacy for many fledgling digital asset projects and decentralised trading platforms.

Hong Kong

‘Opt-in’ licensing regime for security virtual assets trading platformsIn November 2019, the Securities and Futures Commission (“SFC”) published a position paper (“Position Paper”)27 setting out its approach on the regulation of virtual asset trading platforms (“VATPs”),28 whereby VATPs can opt-in to be regulated by the SFC in a manner similar to licensed securities brokers and automated trading venues.VATPs that operate in Hong Kong and trade at least one virtual asset considered to be a “security” under the Securities and Futures Ordinance (“SFO”) must apply for a licence from the SFC for Type 1 (dealing in securities) and Type 7 (providing automated trading services) regulated activities. Upon becoming licensed, a VATP will operate in the SFC’s regulatory sandbox under close supervision (i.e., subject to frequent reporting, monitoring, and reviews).The SFC will impose certain conditions for licensure, along with terms and conditions on licensed VATP operators, including that the VATP must:• Only offer services to “professional investors”29 (meaning the general public/retail

investors will not be able to trade on SFC-licensed VATPs), and such clients must have sufficient knowledge of virtual assets.

• Adhere to stringent criteria for the inclusion of virtual assets to be traded on the VATP.• Submit to the SFC written legal advice in the form of a legal opinion or memorandum on the

legal and regulatory status of every virtual asset that will be made available in Hong Kong.• Not conduct any offering, trading, or dealing activities of virtual asset futures contracts

or related derivatives.• Not provide any financial accommodation (e.g., loans) for its clients to acquire virtual assets.• Adopt a reputable external market surveillance system to supplement its own market

surveillance polices and controls.• Ensure that an insurance policy covering the risks associated with custody of virtual

assets is in effect at all times.• In relation to virtual assets that are “securities”, only include virtual assets that:

(i) are asset-backed; (ii) are approved or qualified by, or registered with, regulators in comparable jurisdictions; and (iii) have a post-issuance track record of 12 months.

The SFC’s regulatory framework applies to VATPs on a holistic basis, even though the trading of non-security virtual assets technically is not a “regulated activity” under the SFO. In other words, licensed VATPs must comply with all the relevant regulatory requirements when conducting their virtual asset trading business, whether it involves security tokens or non-security tokens (e.g., Bitcoin) and whether it occurs on or off the trading platform.



The regulatory framework is only available for operators of centralised VATPs. In the Position Paper, the SFC states that it is focusing its efforts on the regulation of VATPs that provide trading, clearing, and settlement services for virtual assets and have control over investors’ assets (i.e., centralised VATPs), and will not be accepting licensing applications for VATPs that only provide a direct peer-to-peer marketplace for transactions by investors who typically retain control over their own assets (i.e., decentralised trading platforms).Mandatory licensing regime for non-security virtual assets exchanges Having licensed the first VATP in November 2020, the SFC and the Financial Services and the Treasury Bureau of the Hong Kong government (“FSTB”) immediately turned their attention towards regulating exchanges that only facilitate trading in non-security virtual assets (e.g., Bitcoin) by issuing a consultation paper outlining a new regulatory framework to bring operators of non-security virtual asset exchanges within a formal regulatory regime under the supervision of the SFC. The conclusions to the consultation were issued in May 2021 and the FSTB intends to introduce a Bill to Hong Kong’s law making body, the Legislative Council, to give effect to the new regime during the 2021–2022 legislative session. Upon commencement of the new regulatory regime, market participants are expected to have a transitional period of 180 days to comply with the new requirements.The new regulatory regime will mark a significant change to the way in which virtual assets are regulated in Hong Kong. It will also implement the latest requirements of the Financial Action Task Force in relation to virtual asset service providers (“VASPs”). Under the new regulatory regime, the operation of a non-security virtual assets exchange (“VA Exchange”) will be a regulated virtual asset activity under the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”), and persons operating a VA Exchange will need to apply for a VASP licence from the SFC. Licensed VA Exchange operators will be subject to AML and CFT requirements stipulated under the AMLO and other regulatory requirements. VATPs that are already regulated by the SFC under the opt-in regime described above will be exempt from the new regime. Decentralised VA Exchanges and other peer-to-peer trading platforms would also not be covered by the definition of a VA Exchange, provided that virtual asset transactions are conducted outside the platform and the platform is not involved in the underlying transaction by coming into possession of any money or any virtual asset at any point in time.Controversially, the new regime will initially only permit licensed VA Exchanges to deal with “professional investors”, thus excluding the general public/retail investors from dealing with regulated VA Exchanges. It appears that retail customers could continue to trade in virtual assets through: (i) peer-to-peer trading platforms, which are excluded from the new regulatory regime; (ii) overseas exchanges, if the retail customers have sought out these exchanges on their own initiative without any active marketing by the exchanges (i.e., on a reverse solicited basis); and/or (iii) over-the-counter virtual asset brokerage firms that do not meet the definition of an VA Exchange.

Singapore

In Singapore, the regulatory regime applicable to any crypto-asset exchange depends on what type of crypto-asset is being traded. A crypto-asset exchange that offers any “digital payment token service” is regulated under the Payment Services Act (“PSA”), which came into effect on January 28, 2020. Under the PSA, a crypto-asset exchange that deals (i.e., buys and sells)



digital payment tokens or facilitates the exchange of digital payment tokens on a regular, centralised basis will require a licence from the Monetary Authority of Singapore (“MAS”).A crypto-asset exchange that facilitates trading in security tokens must apply to the MAS to become an approved exchange or a recognised market operator (“RMO”), unless otherwise exempted. In May 2018, the MAS proposed expanding the existing RMO regime from a single tier to three tiers to accurately reflect the risks posed by different market operators (“MOs”).30 Under the current regime, RMOs are only permitted to deal with “accredited investors” and cannot deal with retail investors.31 Under the proposed multi-tiered RMO regime, the permissible activities and customer base would vary depending on the tier. For example:• Tier 1 would be the most heavily regulated. A Tier 1 RMO would have limited access to

Singapore-based retail investors and would thus be subject to more stringent regulatory requirements than other RMOs. A Tier 1 RMO would be required to comply with all the requirements imposed on Tier 2 RMOs, along with additional requirements designed to protect retail investors (e.g., prospectus requirements, continuing obligations, and change-of-control transactions).

• Tier 2 would capture those MOs that qualify under the existing RMO regime. MOs that are authorised under the existing RMO regime would be re-classified as Tier 2 RMOs.

• Tier 3 is aimed at smaller MOs that target the non-retail market segment (e.g., banks). Tier 3 RMO applicants would need to fulfil a reduced set of capital requirements under Singapore’s Securities and Futures Act and a simplified set of technology risk management and outsourcing compliance requirements. The application process for Tier 3 RMO applicants would also be simplified: such applicants would be able to self-certify their compliance with a checklist of requirements prepared by the MAS. However, Tier 3 RMO applicants would continue to be subject to the “fit and proper requirements” that are imposed on existing RMOs.32

In July 2020, the MAS published a consultation paper on a new Omnibus Act, setting out its approach on the regulation of VASPs which are incorporated in Singapore, but may not be captured under existing legislation as they offer such services outside of Singapore.33

Under the MAS’ proposal, the activities that would bring a Singapore-incorporated entity within scope of this regulatory regime include: (a) dealing in, or facilitating the exchange of, digital tokens (“DTs”); (b) inducing or attempting to induce persons to enter into agreements with a view to buying or selling DTs in exchange for money or other DTs; (c) accepting DTs for the purposes of transferring, or arranging for the transfer of, the DTs; (d) safeguarding or administration of a DT or DT instrument; and (e) advisory services relating to the offer or sale of DTs.If within scope, the MAS proposed requiring such entities to fulfil certain criteria in order to ensure that they have a meaningful presence in Singapore such that the MAS has sufficient supervisory oversight over them. These criteria include: (i) having at least one executive director who is resident in Singapore; (ii) having a permanent place of business in Singapore where books of all transactions in relation to DT services are kept; (iii) appointing at least one person to be available for the MAS to contact regarding AML/CFT queries or complaints; (iv) fulfilling the MAS’ financial requirements as may be prescribed by notice; and (v) fulfilling the MAS’ fit and proper requirements for directors and CEOs.

Thailand

Digital asset business operators are required to obtain a licence from the Minister of Finance upon the recommendation of the Thailand Securities and Exchange Commission (“Thai SEC”).34 To obtain a crypto-asset exchange licence, the company must, among other things:



(i) be established under Thai law; (ii) meet certain financial thresholds (as determined by the Thai SEC); and (iii) maintain policies, systems, and measures (including KYC and AML programmes, IT systems, and internal control measures) that comply with the Thai SEC’s standards.

Japan

On May 1, 2020, Japan implemented certain amendments to the Payment Services Act (“Japan PSA”) and the Financial Instruments and Exchange Act (“Japan FIEA”) to address crypto-assets. Under the Japan PSA, crypto-asset exchange service providers35 are required to be registered with the Financial Services Agency (“FSA”).36 Further, crypto-asset-related derivatives businesses are now subject to the Japan FIEA.37 Thus, if the FSA-registered crypto-asset exchange service provider trades crypto-assets that are securities that entitle investors to a distribution of profits or assets, both the crypto-asset exchange and the crypto- assets could be subject to regulations promulgated under the Japan FIEA.Japan has also established a self-regulatory body for crypto-asset exchanges, the Japanese Virtual Currency Exchange Association, which provides additional regulation and guidance, as well as the imposition of disciplinary sanctions for non-compliance, applicable to licensed crypto-asset exchange service providers.

Conclusion

As the various regulatory approaches outlined here indicate, most jurisdictions are still determining how to regulate crypto-assets without stifling innovation. In the EU, despite the existence of a centralised regulatory system, Member States have not been uniform in their interpretation of directives, leaving a crypto-asset exchange that hopes to operate EU- wide with the unenviable task of attempting to understand and comply with more than 20 regulatory regimes. In the US, the key takeaway is that all crypto-assets and crypto-asset exchanges are likely to be captured under some regulatory regime, but it can be difficult, at both the state and federal levels, to determine which one best applies. In Hong Kong, regulators created a licensing regime for certain crypto-asset exchanges. In Singapore, the MAS implemented a more tailored regulatory regime to address the disparate needs of crypto-asset exchanges. In Thailand and Japan, crypto-asset exchanges are required to be registered (or licensed) with their respective regulator and to meet ongoing compliance requirements.Although the vision of a global financial system where crypto-assets facilitate instantaneous execution and borderless trades may still be remote, the growing popularity of crypto-assets and the trading of these instruments is forcing countries to re-examine their existing legal and regulatory frameworks and their application to crypto-assets and the platforms that trade them. The coming years will be critical for the development of regulatory regimes that address crypto-assets and crypto-asset trading platforms. Striking the right balance between consumer protection and market integrity and resilience without stifling innovation is the challenge all regulators face.

* * *

Endnotes1. For ease of reading, we use the term “crypto-asset” as a catch-all for the variety of financial

instruments that a cryptocurrency, token, or coin can represent, including currency, securities, and commodities. Some jurisdictions’ regulatory regimes differentiate between the type of instrument that is being traded, while others simply address the trading of crypto-assets, generally. If a governmental agency has defined a different



term to capture the same concept, we have used that term in the discussion of that agency’s regulation of crypto-asset-related activities.

2. The same is true for electronic money, although the definition has been implemented with a greater degree of uniformity across EU Member States than the definition of financial instruments.

3. Examples of such additional regulation notably exist in France, Germany, Gibraltar, Italy, and Malta.

4. ESMA, Advice – Initial Coin Offerings and Crypto-Assets (Jan. 9, 2019) (https://www. esma.europa.eu/sites/default/files/library/esma50-157-1391_crypto_advice.pdf ).

5. EBA, Report with advice for the European Commission on crypto-assets (Jan. 9, 2019) (https://eba.europa.eu/documents/10180/2545547/EBA+Report+on+crypto+assets.pdf ).

6. Unless they otherwise fall within the definition of electronic money.7. A position with which both the Bank of England and the European Central Bank (as well

as other Member State central banks and monetary authorities) have publicly concurred on many occasions.

8. Commission, Consultation Document on an EU Framework for Markets in Crypto-assets (December 2019) (https://ec.europa.eu/info/sites/info/files/business_economy_euro/ banking_and_finance/documents/2019-crypto-assets-consultation-document_en.pdf ).

9. Whether the crypto-asset is a security is decided pursuant to regulation but also to the threshold test imposed by the Supreme Court in Securities and Exchange Commission v. W. J. Howey Co., 328 U.S. 293 (1946) (often referred to as the Howey test). Under the Securities Act of 1933, an instrument is an investment contract (or a security) if it is a “contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party”.

10. For example, SEC Regulation D and Regulation A both offer issuers potential exemptions.11. See, e.g., SEC Order Release No. 84553, Administrative Proceeding File No. 3-18888, In

the Matter of Zachary Coburn, Respondent (Nov. 8, 2018), where the SEC settled with the owner of a decentralised trading platform, EtherDelta, on charges that the platform operated as an unregistered national securities exchange (https://www.sec.gov/litigation/ admin/2018/34-84553.pdf).

12. See, e.g., CFTC v. Patrick McDonnell and CabbageTech Corp. d/b/a Coin Drop Markets, 18-CV-361, E.D.N.Y. (Mar. 6, 2018).

13. Retail Commodity Transactions Involving Certain Digital Assets, 85 Fed. Reg. 37,734 (June 24, 2020) ( https://www.govinfo.gov/content/pkg/FR-2020-06-24/pdf/2020-11827.pdf).

14. CFTC, A CFTC Primer on Virtual Currencies, Oct. 17, 2017 (https://www.cftc.gov/ sites/default/files/idc/groups/public/documents/file/labcftc_primercurrencies100417.pdf).

15. FinCEN is responsible for administering the BSA. 16. 16. 31 C.F.R. § 1010.100(ff).17. Id. § 1010.100(ff )(5).18. Id. § 1010.100(ff )(5)(i)(A).19. Id.20. FinCEN distinguishes “convertible virtual currency” from “virtual currency”, neither of

which are specifically referenced in the BSA. FinCEN defines “virtual currency” as “a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency”. “Convertible virtual currency” is more narrow and includes “virtual currency [that] either has an equivalent value in real currency, or acts as a substitute for real currency”. FinCEN’s rulings address CVC.



21. Id.22. Id.23. Id. (emphasis in original).24. Only the State of Montana does not regulate money transmission.25. The New York State Department of Financial Services adopted an entirely new regulatory

regime specific to crypto-assets acting as currency: the Virtual Currency Business Activity licence (“Bitlicense”) regime.

26. Some states have stated that their laws do not apply if there is no fiat currency involved in the transaction, see, e.g.: Pennsylvania Department of Banking and Securities, Money Transmitter Act Guidance for Virtual Currency Businesses (Jan. 23, 2019) and Texas Department of Banking, Supervisory Memo 1037, Regulatory Treatment of Virtual Currencies Under the Texas Money Services Act (Apr. 1, 2019). Others have revised their statutes or issued interpretations to capture the activity, see, e.g., Washington State, which defines “money transmission” in part as “receiving money or its equivalent value (equivalent value includes virtual currency) to transmit, deliver, or instruct to be delivered to another location … by any means”. Wash. Rev. Code § 19.230.010(18) (emphasis added).

27. See the SFC’s Position Paper: Regulation of Virtual Asset Trading Platforms (Nov. 6, 2019) (https://www.sfc.hk/web/EN/files/ER/PDF/20191106%20Position%20Paper%20 and%20Appendix%201%20to%20Position%20Paper%20(Eng).pdf ).

28. The SFC’s term for crypto-asset trading platforms.29. The term “professional investor” is defined in Part 1 of Schedule 1 to the SFO. The definition

includes institutional investors (e.g., licensed banks, broker-dealers, insurance companies), corporates that satisfy minimum assets tests, and high-net-worth individual investors.

30. While public comments are no longer being accepted, the MAS has not yet published its response, and no bill has been introduced in Parliament to implement this proposal.

31. Accredited investors (both individuals and corporations) are defined in section 4A of the Securities and Futures Act and section 2 of the Securities and Futures (Classes of Investors) Regulations 2018.

32. The “fit and proper requirements” are the criteria that the MAS expects all persons carrying out regulated activities to meet. These include, but are not limited to, the: (i) honesty, integrity, and reputation; (ii) competence and capability; and (iii) financial soundness of the applicant. See MAS Guidelines on Fit and Proper Criteria (http:// www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulations%20Guidance%20and%20Licensing/Securities%20Futures%20and%20Fund%20Management/Regulations%20Guidance%20and%20Licensing/Guidelines/Guidelines%20on%20Fit%20and%20Proper%20Criteria%20October%202018%20 Guideline%20No%20FSGG01.pdf ).

33. See MAS Consultation Paper on the New Omnibus Act for the Financial Sector (https://www.mas.gov.sg/publications/consultations/2020/consultation-paper-on-the-new-omnibus-act-for-the-financial-sector).

34. Digital asset business operators include digital asset exchanges, brokers, dealers, and a catch-all for “other businesses relating to digital assets as prescribed by the Minister under the recommendation of the [Thai SEC]”. Emergency Decree on Digital Asset Businesses B.E. 2561 (2018).

35. A crypto-asset exchange service provider is a person that engages in the sale, purchase, intermediation of a sale or purchase, or the custody of crypto-assets.

36. The Japan PSA only captures certain types of crypto-assets (those that satisfy all of the conditions in one of the two categories below), and only exchanges trading those types of crypto-assets need to be licensed.



Category No. 1: the token: (i) can be used as a means of payment for goods and/or services (to the extent that the merchants with whom the tokens can be used are not limited to certain persons designated by the issuer); (ii) is exchangeable for any fiat currency; and (iii) is electronically transferable. Category No. 2: the token is both: (i) exchangeable for Category No. 1 crypto-assets; and (ii) is electronically transferable.

37. The Japan FIEA has been amended to state that “crypto-assets” are included in the definition of “financial instruments”, and investment interests that are transferrable through a blockchain are to be treated as “securities”, both subject to the Japan FIEA. As such, fraudulent and deceptive acts with respect to regulated crypto-assets are now illegal and subject to criminal sanctions.

* * *

AcknowledgmentsStuart DavisTel: +44 20 7710 1821 / Email: [email protected] Davis is a partner in the London office of Latham & Watkins and a member of the Financial Institutions and Financial Regulatory Practices and the FinTech Industry Group. Mr. Davis has a wide range of experience advising broker-dealers; investment, retail, and private banks; technology companies; market infrastructure providers; investment managers; hedge funds; and private equity funds on complex regulatory challenges. Mr. Davis counsels clients on the domestic and cross-border regulatory aspects of cutting-edge FinTech initiatives, including technology innovations in legislation, market infrastructure, tokenisation, trading, clearing and settlement, lending (including crowdfunding), payments, and regulatory surveillance. He also advises financial institutions on the impact of regulatory change on their businesses, including MAR and MiFID II, CASS, CSDR, PSD2, AIFMD, and Brexit, as well as strategically advising on their FX remediation projects, market conduct issues, best execution compliance, systems and controls, and governance.

Simon HawkinsTel: +852 2912 2733 / Email: [email protected] Hawkins is a partner in the Hong Kong office of Latham & Watkins and a member of the Corporate Department and Financial Institutions Group. Mr. Hawkins serves a leading role in handling the firm’s non-contentious financial regulatory work in Asia and is Co-Chair of the firm’s Global Blockchain and Cryptocurrency Task Force. Mr. Hawkins advises clients on financial regulation, including licensing matters, prime brokerage arrangements, securities dealing, financial market regulations, intermediary and distribution arrangements, product development and structuring, and FinTech. Mr. Hawkins also advises on the regulatory aspects of capital markets and M&A deals involving financial institutions, and he has particular experience in structuring and negotiating bancassurance arrangements.

Sam MaxsonTel: +44 20 7710 1823 / Email: [email protected] Maxson is an associate in the London office of Latham & Watkins. Mr. Maxson regularly advises a wide range of clients (including banks, insurers, investment firms, financial markets infrastructure providers, and technology companies) on all aspects of financial regulation. Mr. Maxson has a particular focus on FinTech and InsurTech, advising both established and emerging businesses on the application of global financial regulation to new and novel



uses of technology in finance and insurance. His expertise also extends to the increasingly widespread interest in crypto-assets and “tokenisation” of financial markets.

Adam Bruce FoventTel: +1 212 906 1200 / Email: [email protected] Fovent is an associate in the New York office of Latham & Watkins and advises clients on regulatory, compliance, and transactional issues relating to commodities, securities, and derivatives products. Mr. Fovent also has experience advising clients on regulatory aspects of FinTech, cryptocurrency, and digital asset products and initiatives.

Gen Huong TanTel: +65 6437 5349 / Email: [email protected] Huong Tan is an associate in the Singapore office of Latham & Watkins and a member of the firm’s Technology Transactions Practice. He has experience advising clients on data privacy matters, mergers and acquisitions, technology and commercial transactions.

Loyal T. HorsleyTel: +1 202 637 2396 / Email: [email protected] Horsley is an associate in the Washington, D.C. office of Latham & Watkins and a member of the Payments & Emerging Financial Services Practice and Financial Institutions Industry Group. Ms. Horsley’s practice focuses on a broad range of regulatory, transactional, and enforcement matters related to electronic and mobile payments, money services businesses, and other emerging payment technologies, including those related to money transmission, virtual currencies, payment instruments, and stored value offerings.

Charles WeinsteinTel: +1 202 637 3343 / Email: [email protected] Weinstein is an associate in the Washington, D.C. office of Latham & Watkins and a member of the Financial Institutions Industry Group, FinTech Industry Group, and Payments & Emerging Financial Services Practice. Mr. Weinstein focuses primarily on regulatory, transactional, and enforcement matters related to electronic and mobile payments, money services businesses (“MSBsˮ), and other emerging payment technologies, including those related to money transmission, virtual currencies, payment instruments, and stored value offerings. Mr. Weinstein also has experience advising clients on consumer credit issues.

Deric BeharTel: +1 212 906 4534 / Email: [email protected] Behar is a knowledge management lawyer in the New York office of Latham & Watkins. He is a member of the Financial Regulatory Practice, and the Global Financial Institutions and Fintech Industry Groups. Mr. Behar brings experience in US and cross-border financial services regulation and regulatory enforcement affecting banking, securities, commodities, and derivatives markets. He focuses on the regulation of fintech, digital assets, and blockchain innovation, and is an active member of the firm’s Blockchain and Cryptocurrency Task Force. He also regularly handles environmental, social, and governance (“ESG”) issues and regulation as they relate to financial institutions and fintechs.

Todd W. BeauchampTel: +1 202 637 2294 / Email: [email protected] W. Beauchamp is a partner in the Washington, D.C. office of Latham & Watkins and a member of the firm’s Financial Institutions Industry Group. He serves as Global Co-Chair of the FinTech Industry Group and leads the Payments & Emerging Financial Services Practice. Mr. Beauchamp represents financial institutions, non-bank financial services companies, as well as technology companies, on a full spectrum of regulatory, transactional, and general corporate matters. He has comprehensive knowledge of emerging payment technologies, including those related to money transmission, virtual currencies, electronic payments, and stored value. Mr. Beauchamp counsels clients on a wide variety of federal, state, and international regulatory issues, as well as legislative developments. Additionally, he represents clients in matters before various state and federal bank regulatory agencies. Mr. Beauchamp advises clients in the structuring and negotiation of corporate transactions and commercial arrangements related to the offering of payments and credit products and services. In addition, he represents clients in the acquisition and sale of financial institutions and non-bank financial services companies, such as state-licensed money transmitters.Stephen P. WinkTel: +1 212 906 1229 / Email: [email protected] P. Wink is a partner in the New York office of Latham & Watkins, a member of the firm’s Financial Institutions and FinTech Industry Groups, and Co-Chair of the firm’s Blockchain & Cryptocurrency Task Force. Mr. Wink advises a diverse mix of clients, including broker-dealers, robo-advisors, crowdfunding platforms, cryptocurrency platforms, marketplace lenders, and payments providers on the financial regulatory considerations inherent in their proprietary FinTech transactions. He has in-depth knowledge and broad experience advising financial institutions on regulatory and related matters, gained in part from a decade as general counsel of a full-service investment bank.

Latham & Watkins LLP1271 Avenue of the Americas, New York, NY 10020, USA

Tel: +1 212 906 1200 / URL: www.lw.com



Yvette D. ValdezTel: +1 212 906 1797 / Email: [email protected] D. Valdez is a partner in the New York office of Latham & Watkins and a member of the Derivatives Practice and Financial Institutions and FinTech Industry Groups. Ms. Valdez advises emerging companies, financial institutions, and investment managers on complex regulatory challenges in the development of bespoke financial crypto-asset and cryptocurrency technologies, including token sales, market infrastructure, trading, clearing, and settlement solutions on distributed ledger technology. She also advises clients on domestic and cross-border FinTech initiatives in the derivatives markets. In addition, Ms. Valdez has significant experience representing dealers, intermediaries, and end-users in connection with derivatives (swaps and futures) legal and regulatory matters under the Dodd-Frank Act, the Commodity Exchange Act, as well as related CFTC, SEC, and prudential regulation.

When Beeple Met Howey – A Token by Any Other Name Could Still Be a Security:

The Regulation of Non-Fungible Tokens in the United States

Richard B. Levin & Kevin TranNelson Mullins


As noted by William Shakespeare, “[a] rose by any other name would smell as sweet”.1 The U.S. Securities and Exchange Commission (“SEC”) often views many digital assets as a rose – a security. The growth of a popular new form of digital asset, non-fungible tokens (“NFTs”), has already drawn the attention of the SEC. The authors of this chapter provide an introduction to NFTs and discuss when NFTs may be deemed a security in the United States. The authors also address when platforms that facilitate the offer, sale, and secondary trading of NFTs may be acting as a broker-dealer or an exchange that must register with the SEC.

Introduction

NFTs have taken the world by storm and are quickly gaining notoriety as a popular means of buying and selling digital collectibles representing tangible and intangible assets across multiple industries, including art, sports, music, fashion and gaming. Since November 2017, there has been approximately $200 million spent on NFTs, with perhaps the most famous sale occurring on March 11, 2021, when artist Mike Winkelmann, also known as Beeple, used an NFT to sell his digital art “Everydays – The First 5000 Days” for $69 million.2 The sale was the third-highest price paid for a piece of art by a living artist. Four days prior to Beeple’s sale, an NFT of a video clip of Lebron James dunking a basketball sold for $208,000 on NBA Top Shot.3 Meanwhile, Jack Dorsey, the creator of Twitter, auctioned his first-ever tweet as an NFT for $2.9 million. Though the eye-popping numbers related to these NFT auctions are attention-drawing, NFTs are not just limited to digital collectibles. One of the more exciting possibilities for NFTs lies in the creation of new markets and forms of investments whereby certain physical assets can be fractionalised and sold to multiple consumers. However, as NFTs proliferate across multiple mediums and technologists develop new ways to deploy NFTs, particularly in the financial services sector, these innovators will inevitably run headfirst into regulators tasked with the challenge of protecting investors and maintaining safe, sound and efficient markets.

Background

A. What is a digital asset?The past several years have seen a proliferation of digital assets, including NFTs. Broadly, digital assets are intangible assets that rely on distributed ledger technology, commonly known as blockchain, and exist in a variety of forms and provide industry actors with a variety of benefits.4 Cryptocurrencies and tokens are unique subsets of digital assets that utilise cryptography to assure the authenticity of digital assets by creating a secure, distributed network for transactions.5 From the perspective of regulators, the SEC has defined digital assets as “an asset that is issued and transferred using distributed ledger or blockchain technology”.6 Although a

Nelson Mullins The Regulation of Non-Fungible Tokens in the United States


“digital asset” is not explicitly defined in U.S. securities laws, a digital asset may in certain instances be deemed a security and, in such instances, the SEC often refers to these digital assets that are securities as a “digital asset security”.7 Similarly, the U.S. Treasury Department Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Commodities Futures Trading Commission have issued guidance on the regulatory treatment of digital assets.B. What is an NFT?NFTs are not like cryptocurrencies such as Bitcoin and Ethereum, which function as the native asset of a blockchain. NFTs are created as part of a platform built on an existing blockchain (like the Ethereum blockchain) and are not fungible like other cryptocurrencies, meaning NFTs cannot be traded or exchanged for one another without inherent diminution in value (i.e., one dollar is always worth one dollar and one Bitcoin is always equal to another Bitcoin).8 Instead, NFTs are individually unique and use blockchain technology to establish authenticity, ownership and transferability of a unique asset. An NFT is created from digital objects that represent both tangible and intangible property, including, but not limited to: (i) artwork; (ii) videos; (iii) collectibles and antiques; (iv) video game avatars; and (v) music. When an individual buys an NFT, the purchaser can receive exclusive ownership rights to the underlying asset as well as a digital token with unique data verifying the provenance of the underlying asset. Blockchain technology and NFTs can provide artists, athletes and celebrities a unique opportunity to leverage their fame and talent in the digital space and monetise themselves and their products.9 For example, artists can create and digitise their own content and sell it directly to consumers as an NFT and, in doing so, capture most of the revenue generated from such sale. The utility of NFTs, however, can go far beyond digitising popular culture content. NFTs also carry with it the potential to revolutionise financial services, particularly investment activities among retail investors. For example, NFTs can be used to fractionalise certain assets, such as real estate, making the underlying real estate asset easier to divide among multiple owners. These fractionalised NFTs can then be tradeable on an appropriate exchange platform, which introduces new investment opportunities for investors to diversify their portfolios.

NFTs as securities

A. GenerallyThe SEC evaluates digital assets in the same manner as traditional assets to determine whether they are securities. Unlike initial coin offerings, which are a type of digital asset that has drawn a considerable level of attention from SEC staff,10 NFTs have not been the subject of interpretative guidance or rulemaking by the SEC. The SEC has not initiated an enforcement action against the creator of an NFT or the operator of a platform that facilitates the offer and sale of NFTs. On May 12, 2021, a plaintiff sued Dapper Labs, Inc., the creator of popular NFT platform NBA Top Shot, alleging that Dapper Labs sold unregistered securities (in the form of NFTs that capture video highlights, or “Moments”) through its platform. The litigation remains pending in New York state courts.11 Absent guidance from regulators, and with the first challenge to the legality of NFTs and the platforms that facilitate secondary trading of NFTs still pending, the issue of when an NFT is considered a security remains unclear.B. What is a security?The definitions of “security” under the Securities Act of 1933 (the “Securities Act”) and the Securities Exchange Act of 1934 (the “Exchange Act”) are nearly identical and broad enough to cover some NFTs. Section 2(a)(1) of the Securities Act defines a “security” as:



“any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, ... or, in general, any interest or instrument commonly known as a “security.”12

It was the intent of Congress to define a “security” to include the many types of instruments that in the commercial world fall within the concept of a security,13 and courts have interpreted the definition of security broadly.14 The definition of security is sufficiently expansive to grant the SEC broad authority to regulate a variety of products as securities, including instruments like stocks, bonds, and notes, as well as the various collective investment pools and common enterprises devised by persons seeking to generate profits from the efforts and investments of others (i.e., investment contracts and instruments commonly known as securities).15 In determining whether an instrument is a security, courts will look at the economic reality and focus on the substance rather than form.16 In enforcement actions, the SEC has argued that offerings of digital assets are investment contracts.17 While the definition of security is very broad, it does not explicitly include digital assets or NFTs. However, in certain circumstances, an NFT could be deemed an investment contract.C. When Beeple met HoweyWhat constitutes an investment contract is determined based on the test articulated by the U.S. Supreme Court in Securities and Exchange Commission v. W. J. Howey Co. Under the Howey test, an investment contract is a contract, transaction, or scheme involving (i) an investment of money, (ii) in a common enterprise, (iii) with the expectation that profits will be derived from the efforts of the promoter or a third party. The Howey test brings many non-traditional offerings within the scope of the term security.1. Investment of money The SEC has taken the position that the investment does not have to be in the form of

“money”, but it can be any “specific consideration in return for a separable financial interest with the characteristics of a security”.18 The first prong of the Howey test is typically satisfied in an offer and sale of a digital asset because the digital asset is purchased or otherwise acquired in exchange for value, whether in the form of fiat currency or another digital asset as consideration.19

2. Common enterprise Courts have generally analysed “common enterprise” as a distinct element of an

investment contract. However, there is a split in authority among the federal circuit courts regarding what constitutes a “common enterprise”. The courts are divided regarding whether horizontal or vertical commonality is required (and, in the latter case, whether the broad or narrow variety is required) to satisfy the Howey common enterprise requirement.(a) Horizontal commonality A majority of the circuit courts require or recognise a showing of “horizontal

commonality”, which involves the pooling of assets from multiple investors in such a manner that all share in the profits and risks of the enterprise.20 In horizontal commonality, the fortunes of each investor depend upon the profitability of the enterprise as a whole.

(b) Vertical commonality Other circuit courts, including the Ninth Circuit that includes California, have

held that a “common enterprise” exists by virtue of “vertical commonality”, which



focuses on the relationship between the promoter and the body of investors.21 In this approach, an investor’s fortunes are tied to the promoter’s success rather than to the fortunes of his or her fellow investors. This approach focuses on the community of interest between the individual investor and the manager of the enterprise.22 In vertical commonality, the investors’ fortunes need not rise and fall together, and a pro rata sharing of profits and losses is not required.23 It is also not necessary that the funds of investors be pooled.24

3. Reasonable expectation of profits derived from the profits of others Under the Howey test, profits can be either capital appreciation resulting from the

development of the initial investment, or a participation in earnings resulting from the use of investors’ funds.25 Profits are income or return that investors seek on their investment, not the profits of the scheme in which they invest.26 Profits include, for example, dividends, other periodic payments, or the increased value of the investment. The determining factor under this prong of the Howey test is that the investor is “attracted solely by the prospects of a return” on his investment.27 The investor may not have been motivated by a desire to use or consume the item purchased.28 In determining whether an investor was “attracted or led” by the expectation of profits, courts look at whether the promoter has induced prospective investors with proposed or promised profits.

While the SEC has not provided guidance on when an NFT is a security, the SEC staff have noted:

“The main issue in analyzing a digital asset under the Howey test is whether a purchaser has a reasonable expectation of profits (or other financial returns) derived from the efforts of others. A purchaser may expect to realize a return through participating in distributions or through other methods of realizing appreciation on the asset, such as selling at a gain in a secondary market.”29

If an NFT relates to an existing asset and is marketed as a collectible with a public assurance of authenticity on the blockchain, it should not be deemed a security. If an NFT promises a return on investment from the efforts of others, the NFT will likely be deemed a security. However, as noted by the SEC staff in its 2019 Framework for “Investment Contract” Analysis of Digital Assets:

“Price appreciation resulting solely from external market forces (such as general inflationary trends or the economy) impacting the supply and demand for an underlying asset generally is not considered ‘profit’ under the Howey test.”30

D. Fractionalised NFTsAs NFTs proliferate, new regulatory questions will arise. Fractionalised NFTs could be considered a security. While NFTs are meant to be non-fungible, fractional NFTs that allow numerous purchasers to acquire a partial ownership interest in the NFT increases the likelihood the NFT should be deemed a security.

Regulation of NFT platforms

If an NFT is a security, the platform facilitating the sale and secondary trading of the NFT may have to register with the SEC as an exchange or a broker-dealer and alternative trading system (“ATS”). A. Securities exchangeSection 3(a)(1) of the Exchange Act defines an “exchange” as “any organization, association, or group of persons, whether incorporated or unincorporated, which constitutes, maintains,



or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange as that term is generally understood ….”31 Exchange Act Rule 3b-16(a) provides a functional test to assess whether a trading system meets the definition of exchange. Under Rule 3b-16(a), an organisation, association, or group of persons will be deemed to provide “a marketplace or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange”, if such organisation, association, or group of persons: (1) brings together the orders for securities of multiple buyers and sellers; and (2) uses established, non-discretionary methods (whether by providing a trading facility or by setting rules) under which such orders interact with each other, and the buyers and sellers entering such orders agree to the terms of the trade.As the SEC noted in the DAO Report, a system that meets the definition of an exchange and is not excluded under Rule 3b-16(b) must register as a national securities exchange or operate pursuant to an appropriate exemption.32 One frequently used exemption is for ATSs. Rule 3a1-1(a)(2) exempts from the definition of “exchange” under Section 3(a)(1) an ATS that complies with Regulation ATS. An ATS that operates pursuant to the Rule 3a1-1(a)(2) exemption and complies with Regulation ATS would not be subject to the registration requirement of Section 5 of the Exchange Act.If an NFT is a security, any platform that brings together multiple buyers and sellers of the NFT using non-discretionary methods, will likely be deemed an exchange.B. Alternative Trading SystemIn 1998, the SEC adopted Regulation ATS, which allows an ATS to choose whether to register as a national securities exchange or to register as a broker-dealer and comply with additional requirements of Regulation ATS. An “ATS” means any organisation, association, person, group of persons, or system: (i) that constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange within the meaning of Rule 3b-16 under the Exchange Act; and (ii) that does not set rules governing the conduct of subscribers other than the conduct of such subscribers’ trading on such organisation, association, person, group of persons, or system; or discipline subscribers other than by exclusion from trading.33

An NFT platform may be required by the SEC to register as an ATS if it maintains a marketplace or facilities for bringing together purchasers and sellers of digital assets that are deemed securities, and it does not set rules governing the conduct of subscribers other than the conduct of such subscribers’ trading on such platform. If the platform is not required to register as an ATS, the operator of the platform may be required to register as a broker-dealer.C. Broker-dealerSection 15 of the Exchange Act requires registration with the SEC of all broker-dealers using interstate commerce or the facilities of any national securities exchange to effect transactions in securities (other than exempted securities and certain short-term debt instruments). Section 3(a)(4)(A) of the Exchange Act defines a “broker” as “any person engaged in the business of effecting transactions in securities for the account of others”. The Exchange Act and the rules thereunder do not define these terms. The SEC and the courts have taken an expansive view of the scope of these terms.34 The SEC and the courts apply a “facts and circumstances” analysis in evaluating whether a person has acted as a broker, with no single element being dispositive.35



Depending on the circumstances, the operator of an NFT platform may be deemed a broker-dealer if the operator of the platform is deemed to be engaged in the business of effecting transactions in securities for the account of others.1. Engaged in the business Courts have read “engaged in the business” as connoting a certain regularity of

participation in purchasing and selling activities rather than a few isolated transactions.36 Two factors are important in determining whether there is “regularity of business”: the number of transactions and clients, and the dollar amount of securities sold, as well as the extent to which advertisement and investor solicitation were used.37 Besides “regularity of business”, courts and the SEC have identified several other factors which indicate that a person is “engaged in the business”.38 These factors include: (i) receiving transaction-related compensation; (ii) holding oneself out as a broker, as executing trades, or as assisting others in settling securities transactions; and (iii) soliciting securities transactions.

The operator of an NFT platform could be deemed to be engaged in the business of effecting transactions in securities because it will more than likely receive transaction-related compensation, execute trades for users of the platform, and solicit users to engage in such transactions.

2. “For the account of others” A “broker” is a person that effects transactions in securities for others, not itself. A firm

that effects transactions solely on its own behalf should not be considered to be acting as a “broker”.39 Unless the operator of an NFT platform is executing all transactions as a principal to the transaction, the platform operator could be deemed to be effecting transactions in securities for others.

3. Role of compensation in analysis SEC guidance and enforcement actions have noted the receipt of commissions or

other transaction-related compensation is an important factor in deciding whether a person is a “broker” subject to the registration requirements under the Exchange Act.40 Transaction-related compensation refers to compensation based, directly or indirectly, on the size, value or completion of any securities transactions. The SEC will look behind the terms of a compensation arrangement to determine its economic substance, that is, to determine whether it is transaction-related. The receipt of transaction-based compensation often indicates that a person is engaged in the business of effecting transactions in securities.41

If the operator of an NFT platform receives transaction-related compensation, in the sale of an NFT that is deemed a security, the platform could be deemed to be acting as a broker-dealer.

4. Effecting transactions in securities Courts and the SEC have determined that a person “effects transactions in securities” if

the person participates in such transactions “at key points in the chain of distribution”.42 Participation may include: (i) assisting an issuer to structure prospective securities transactions; (ii) helping an issuer to identify potential purchasers of securities; (iii) screening potential participants in a transaction for creditworthiness; (iv) soliciting securities transactions (including advertising); (v) negotiating between the issuer and the investor; (vi) making valuations as to the merits of an investment or giving advice; (vii) taking, routing or matching orders, or facilitating the execution of a securities transaction; (viii) handling customer funds or securities; and (ix) preparing and sending transaction confirmations (other than on behalf of a broker-dealer that executes the trades). Handling



customer funds may also include handling a customer’s digital currencies, such as Bitcoin, in connection with Bitcoin denominated securities transactions.43

The SEC could deem a platform that is facilitating transactions in digital assets to be effecting securities transactions if it is helping an issuer to identify potential purchasers of securities. An NFT platform that solicits securities transactions and facilitating negotiations between the issuer and the investor could be deemed to be effecting securities transactions. The operator of an NFT trading platform that takes, routes, or matches orders, or facilitates the execution of a securities transaction, could be viewed as effecting transactions in securities. Finally, the operator of an NFT trading platform that handles customer funds (even if the funds are a digital currency) or securities could be deemed to be effecting transactions.Even if an NFT is not deemed a security, NFTs could be considered a “commodity” under U.S. laws that are subject to regulation by the CFTC.

NFTs and money services business

A. Money transmissionSince 2011, (“FinCEN”) has regulated money services business (“MSB”) models involving money transmission in virtual currencies through a series of administrative rulings and guidance.44 In 2019, FinCEN issued guidance that consolidated its regulations and related administrative rulings and guidance applicable to MSBs utilising models that involve convertible virtual currencies.45 According to FinCEN, “money transmission” includes the “acceptance…of…other value that substitutes for currency”,46 where “other value that substitutes for currency” encompasses transmission activities that involves something that the parties to the transaction recognise has value that is equivalent to or can substitute for currency, which may include virtual currencies.47 FinCEN defines “virtual currency” as a “medium of exchange that can operate like a currency but does not have all the attributes of ‘real’ currency, including legal tender status”.48 The guidance further clarifies that convertible virtual currencies (“CVCs”) are a type of currency that either has an equivalent value as currency, or acts as a substitute for currency, and is therefore a type of “value that substitutes for currency”.49 Accordingly, the definition of money transmitter does not differentiate between real currencies and CVCs; accepting anything of value that substitutes for currency therefore makes that person a money transmitter.Whether an NFT may be deemed a CVC by FinCEN will depend on the facts, circumstances and features of the NFT. Although FinCEN has yet to provide guidance on NFTs, it is reasonable to consider that an NFT’s functionality will be determinative of its status as a CVC. For most NFTs that are digital representations of a unique, underlying asset, the NFT likely will be viewed more as a digital collectible and not a CVC. However, as an NFT includes increased functionality, such as the ability to redeem the NFT for fiat, other CVC or goods and services and the opportunity to purchase and sell the NFT in secondary transactions, the NFT appears more likely to be considered “value that substitutes for currency”.At the state level, 49 states regulate money transmitters with laws that vary from state to state.50 Most state money transmitter laws include a broad statutory definition, which is typically limited by a few narrowly drawn exceptions.51 Despite definitional differences between state laws, money transmission potentially encompasses almost any commercial activity in which money is taken from one person or place and delivered to another. While a business could be exempted or excluded from regulation as a money transmitter in one state, that same business could be required to obtain a licence in a different state. To date, a number of states have issued guidance or passed legislation related to virtual currencies.



Treatment of virtual currency ranges depending upon the state. The states of New York and Louisiana now have a statutory requirement that requires companies engaged in virtual currency business activities to obtain a licence separate from a state money transmitter licence. On 1 August 2020, Louisiana adopted similar legislation through its Virtual Currency Business Act, which, much like in New York, requires businesses operating in virtual currency to obtain a licence for conducting business in Louisiana or otherwise seek an exemption. California currently has proposed legislation pending in a committee in the California Assembly to exempt certain digital assets from being considered securities. The states of Washington and North Carolina passed legislation that formally clarifies the respective states’ jurisdiction over virtual currency under each state’s money transmission laws. Other states have taken a different approach. The state of New Hampshire passed a law that explicitly excludes businesses using transactions in virtual currency from the state’s money transmitter licence. In addition, states such as Kansas, Tennessee, and Illinois have issued guidance that virtual currency transactions that do not implicate fiat currency (e.g., an exchange) are not subject to licensure. Much like at the federal level, no state regulator with oversight of virtual currencies has issued guidance on the regulatory treatment of NFTs. Nonetheless, a state regulator may claim jurisdiction over NFTs depending on how the state applies its own regulations defining “stored value” and “money transmission” on NFTs and business activities related to NFTs. B. Bank secrecy act/anti-money laundering considerationsIf FinCEN considers an NFT to be “value that substitutes for currency” and entities engage in “money transmission” activities utilising NFTs, FinCEN may consider NFTs (and the actors engaging in certain business activities utilising NFTs) to be subject to Bank Secrecy Act (“BSA”) regulations. Compliance with BSA regulations would necessitate: (i) the preparation of a written anti-money laundering (“AML”) compliance programme that is designed to mitigate risks associated with a specific business and customer mix, and to ensure compliance with other BSA requirements; (ii) the filing of BSA reports, including suspicious activity and currency transaction reports; (iii) maintaining records for certain types of transactions at specific thresholds; and (iv) obtaining customer identification information sufficient to comply with the AML programme and recordkeeping requirements.52 Depending on the facts and circumstances, certain business activities related to the transfer, sale, and custody of NFTs may implicate BSA and FinCEN regulations.In addition, a virtual currency money transmitter that is a U.S. person must, like all U.S. persons, comply with all Office of Foreign Assets Control (“OFAC”) financial sanctions obligations. Similar to FinCEN, OFAC has not provided guidance specific to NFTs, but it has explicitly stated that U.S. entities that engage in online commerce or process transactions using digital currency are responsible for ensuring they do not engage in unauthorised transactions prohibited by OFAC.53 While the facts and circumstances will vary among NFTs with different structures and features, the potential lack of transparency and decentralisation associated with the use of blockchain technologies can raise concerns regarding preventing OFAC-sanctioned persons from engaging in U.S. activities using NFTs. Further, NFTs may present many of the same issues that OFAC recently identified as associated with high-value artwork, including a high degree of mobility, concealability, and subject valuation that can further exacerbate vulnerabilities to sanctions evasion,54 the use of intermediaries, concealability, and subjective valuation. As a result, persons engaging in NFT transactions should be mindful that such activities do not run afoul of OFAC sanctions.



Conclusion

While many in Silicon Valley, the arts, and the sports and entertainment industry believe in the potential of NFTs, regulators will likely view this new form of digital asset with a degree of concern. The most pro-crypto member of the SEC, Commissioner Hester Peirce, has warned the NFT community that fractionalised NFTs could be deemed a security.55 More cautions to SEC Commissioners, including Chairman Gensler, have indicated that other digital assets, including Ethereum, were illegally offered securities. It is unlikely that Chairman Gensler and other SEC Commissioners will take a less expansive approach to the regulation of NFTs. Based on the explosion of ICOs in 2017 followed by a raft of SEC enforcement actions against ICO issuers, promoters, and market operators, the authors anticipate a similar reaction to NFTs. If FinCEN does consider NFTs to be “value that substitutes for currency” and entities engage in “money transmission” activities utilising NFTs, FinCEN may consider NFTs (and the actors engaging in certain business activities utilising NFTs) to be subject to BSA regulations.While the technology is not fully mature, NFTs represent an attractive option for owners of distinct intellectual property to monetise their property. However, there are regulatory barriers to widespread adoption of the technology. Before NFTs can be widely adopted with a degree of confidence, it is imperative that regulators in the United States, Europe, and Asia provide meaningful guidance to the industry on the legal status of NFTs and whether platforms that host the sale and secondary trading of NFTs are required to register as broker-dealers, ATSs, or exchanges.

* * *

Endnotes1. Romeo and Juliet.2. Leech, Ollie. “What are NFTs and How do they Work?” (Coindesk, March 23, 2021),

available at: https://www.coindesk.com/what-are-nfts (Last visited June 28, 2021); see also Reyburn, Scott., “JPG File Sells for $69 Million, as ‘NFT Mania’ Gathers Place” (New York Times, March 11, 2021), available at: https://www.nytimes.com/2021/03/11/arts/design/nft-auction-christies-beeple.html. (Last visited June 28, 2021.)

3. NBA Top Shot is a blockchain-based platform that allows customers to buy, sell and trade numbered versions of specific, officially licensed video highlights of professional basketball players.

4. Levin, Richard, et al. “Real Regulation of Virtual Currencies”, (Handbook of Digital Currency, 328–31 (2015)).

5. See Id. at 331–32.6. Statement on Digital Asset Securities Issuance and Trading, Division of Corporation

Finance, Division of Investment Management, and Division of Trading and Markets, SEC (November 16, 2018), available at: https://www.sec.gov/news/public-statement/digital-asset-securites-issuuance-and-trading; see also https://www.gemini.com/cryptopedia/cryptocurrencies-vs-tokens-difference#section-what-is-a-digital-asset (last visited June 28, 2021) and Richard B. Levin, et al., “Untying the Gordian Knot: custody of digital assets”, 198 (2021).

7. Id.8. Conti R. and Schmidt, J. “What You Need to Know about Non-Fungible Tokens

(NFTs)” (Forbes, May 14, 2021), available at: https://www.forbes.com/advisor/investing/nft-non-fungible-token/. (Last visited June 28, 2021.)



9. Id.10. The explosion of ICOs in 2017 prompted several responses from the SEC, including

an investigation conducted by the SEC regarding whether the DAO, a decentralised autonomous organisation created by Slock.it UG (Slock.it), a German corporation, and Slock.it’s co-founders, violated US securities laws with their ICO. See SEC Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (July 25, 2017) (the “DAO Report”).

11. Complaint at 8, Jeeun Friel v. Dapper Labs, Inc. (N.Y. Sup. Ct. 2021), available at: https://iapps.courts.state.ny.us/fbem/DocumentDisplayServlet?documentId=0gfOgjsIUYbTc7Cxd2cGCw==&system=prod. (Last visited June 29, 2021.)

12. Securities Act of 1933 § 2(a)(1).13. H.R. REP. NO. 85, at 11 (1933).14. See Reves v. Ernst & Young, 494 U.S. 56 (1990); see also SEC v. Edwards, 540 U.S. 389

(2004).15. “Untying the Gordian Knot”; see also Levin, R., et. al. “Betting Blockchain Will Change

Everything – SEC and CFTC Regulation of Blockchain Technology” (Handbook of Blockchain, Digital Finance, and Inclusion, Volume II (2016)).

16. See Tcherepnin v. Knight, 389 U.S. 332 (1967); SEC v. W.J. Howey Co., 328 U.S. 293 (1946); Reves, 494 U.S. 56.

17. See e.g., SEC v. FLiK, et al. (September 10, 2020), available at: https://www.sec.gov/litigation/complaints/2020/comp-pr2020-207.pdf; In the Matter of Boon.Tech, et al. (August 13, 2020), available at: https://www.sec.gov/litigation/admin/2020/33-10817.pdf; SEC v. ICOBox, et al. (September 18, 2019), available at: https://www.sec.gov/litigation/complaints/2019/comp-pr2019-181.pdf; SEC v. Kik Interactive Inc. (June 4, 2019), available at: https://www.sec.gov/litigation/complaints/2019/comp-pr2019-87.pdf; In the Matter of Gladius Network LLC (February 20, 2019), available at: https://www.sec.gov/litigation/admin/2019/33-10608.pdf; In the Matter of Floyd Mayweather, Jr. (November 29, 2018), available at: https://www.sec.gov/litigation/admin/2018/33-10578.pdf; In the Matter of Khaled (“DJ Khaled”) (November 29, 2018), available at: https://www.sec.gov/litigation/admin/2018/33-10579.pdf; In the Matter of Paragon Coin, Inc. (November 16, 2018), available at: https://www.sec.gov/litigation/admin/2018/33-10574.pdf; In the Matter of CarrierEQ, Inc., d/b/a Airfox (November 16, 2019), available at: https://www.sec.gov/litigation/admin/2018/33-10575.pdf; In the Matter of Zachary Coburn (November 8, 2018), available at: https://www.sec.gov/litigation/admin/2018/34-84553.pdf; SEC v. Blockvest LLC, et al. (October 11, 2018), available at: https://www.sec.gov/litigation/complaints/2018/comp-pr2018-232.pdf; TokenLot LLC, Lenny Kugel, and Eli Lewitt (September 11, 2018), available at: https://www.sec.gov/litigation/admin/2018/33-10543.pdf; In the Matter of Tomahawk Exploration LLC and David T. Laurance (August 14, 2018), available at: https://www.sec.gov/litigation/admin/2018/33-10530.pdf; SEC v. Titanium Blockchain Infrastructure Services Inc., et al. (May 22, 2018), available at: https://www.sec.gov/litigation/complaints/2018/comp-pr2018-94.pdf; SEC v. Sharma, et al. (April 2, 2018), available at: https://www.sec.gov/litigation/complaints/2018/comp-pr2018-53.pdf; In the Matter of Munchee, Inc. (December 11, 2017), available at: https://www.sec.gov/litigation/admin/2017/33-10445.pdf; SEC v. REcoin Group Foundation, LLC, et al. (September 29, 2017), available at: https://www.sec.gov/litigation/complaints/2017/comp-pr2017-185.pdf.

18. Int’l Bhd. Teamsters v. Daniel, 439 U.S. 551, 559 (1979). An investment of money



need not be in traditional currency. See, e.g., SEC v. Shavers, 2013 U.S. Dist. LEXIS 110018 (E.D. Tex. August. 6, 2013) (finding that making investments denominated in Bitcoin, a form of digital virtual currency, constituted an investment of money subject to federal securities laws); see also SEC v. Shavers, No. 4:13-CV-416 (E.D. Tex. August 26, 2014) (upholding on rehearing).

19. Framework for “Investment Contract” Analysis of Digital Assets, Division of Corporation Finance, SEC (April 3, 2019), available at: https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets. (Last visited June 29, 2021.)

20. The First, Second, Third, Fourth, Sixth, Seventh and D.C. Circuits have recognised “horizontal commonality” as satisfying the requirement of “common enterprise”. See, e.g., SEC v. SG Ltd., 265 F.3d 42 (1st Cir. 2001); Revak v. SEC Realty Corp., 18 F.3d 81 (2d Cir. 1994); SEC v. Infinity Grp. Co., 212 F.3d 180, 188 (3d Cir. 2000), cert. denied, 532 U.S. 905 (2001); Teague v. Bakker, 35 F.3d 978 n.8 (4th Cir. 1994); cert. denied, 513 U.S. 1153 (1995); Newmyer v. Philatelic Leasing, Ltd., 888 F.2d 385 (6th Cir. 1989), cert. denied, Trager, Glass & Co. v. Newmyer, 495 U.S. 930 (1990); Union Planters Nat’l Bank of Memphis v. Commercial Credit Bus. Loans, Inc., 651 F.2d 1174 (6th Cir.), cert. denied, 454 U.S. 1124 (1981); Cooper v. King, 114 F.3d 1186 (6th Cir. 1997); SEC v. Lauer, 52 F.3d 667, 670 (7th Cir. 1995); Wals v. Fox Hills Dev. Corp., 24 F.3d 1016 (7th Cir. 1994); SEC v. Banner Fund Int’l, 211 F.3d 602 (D.C. Cir. 2000); SEC v. Life Partners, Inc., 87 F.3d 536, 543 (D.C. Cir. 1996), reh’g denied, 102 F.3d 587 (D.C. Cir. 1996).

21. SEC v. Koscot Interplanetary, Inc., 497 F.2d 473, 479 (5th Cir. 1974).22. See, e.g., Long v. Shultz Cattle Co., 881 F.2d 129 (5th Cir. 1989).23. Revak, 18 F.3d 81.24. SEC v. Goldfield Deep Mines Co., 758 F.2d 459 (9th Cir. 1985).25. United Hous. Found., Inc. v. Forman, 421 U.S. 837, 852, reh’g denied, 423 U.S. 884

(1975).26. SEC v. Edwards, 540 U.S. 389, 394 (2004).27. W.J. Howey Co., 328 U.S. at 300.28. Id. (Finding that the investors had no desire to occupy the land or to develop it

themselves, and they were attracted solely by the prospects of a return on their investment; if the purchasers wanted to occupy the land or to develop it themselves, the securities laws would not apply.)

29. Framework for “Investment Contract” Analysis of Digital Assets (2019), available at: https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets#_edn1.

30. Id.31. 15 U.S.C. § 78c(a)(1).32. Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of

1934: The DAO, Securities and Exchange Commission Release No. 81207 (July 25, 2017), available at: https://www.sec.gov/litigation/investreport/34-81207.pdf.

33. Regulation ATS, Rule 300(a).34. Levin, R., “Betting Blockchain”.35. Id.36. Id.37. Id.38. Id.39. Id.40. Securities and Exchange Commission Study on Investment Advisers and Broker-Dealers

(January 2011), available at: https://www.sec.gov/news/studies/2011/913studyfinal.pdf.



41. See Betting Blockchain.42. Mass. Fin. Servs., Inc. v. Sec. Investor Prot. Corp., (1977) 411 F. Supp. 411, 415 (D.

Mass.), aff’d, 545 F.2d 754.43. (1st Cir. 1976), cert. denied, 431 U.S. 904 (1977); see also Levin, R., “Betting

Blockchainˮ. In re BTC Trading, Corp., SEC Release No. 34-73783, 2014, available at: https://www.sec.gov/litigation/admin/2014/33-9685.pdf; see also Levin, R., “Betting Blockchainˮ.

44. See Dept. of the Treasury, FinCEN Guidance, FIN-2013-G001, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies (March 18, 2013); see also Dept. of the Treasury, Interpretive Ruling, FIN-2014-R011, Request for Administrative Ruling on the Application of FinCEN’s Regulations to a Virtual Currency Trading Platform (October 27, 2014); see also Dept. of the Treasury, Interpretive Ruling, FIN-2014-R012, Request for Administrative Ruling on the Application of FinCEN’s Regulations to a Virtual Currency Payment System (October 27, 2014).

45. See Dept. of the Treasury, FinCEN Guidance, FIN-2019-G001, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (May 9, 2019).

46. See supra Fn. 6.47. See Fin-2019-G001.48. Id.49. Id. See also Division F of the National Defense Authorization Act (the “Anti-Money

Laundering Act of 2020”), which explicitly expands the BSA to include businesses that engage in trade of “value that substitutes for currency”, such as CVCs.

50. Montana currently does not have a money transmitter statute.51. See, e.g., Ariz. Rev. Stat. Ann. §6-1201(17) (2007); MD. Code Ann., Fin. Inst. §12-

401(m)(1) (2011).52. See 31 C.F.R. §§ 1010 and 1022.53. See OFAC Frequently Asked Questions (FAQs) No. 560, available at: https://home.

treasury.gov/policy-issues/financial-sanctions/frequently-asked-questions/ofac-consolidated-frequently-asked-questions. (Last visited June 29, 2021.)

54. See Department of the Treasury, “Advisory and Guidance on Potential Sanctions Risks Arising from Dealings in High-Value Artwork”, (October 30, 2020), available at: https://home.treasury.gov/system/files/126/ofac_art_advisory_10302020.pdf. (Last visited June 29, 2021.)

55. Kiderlin, S., The SEC’s ‘Crypto Mom’ Hester Peirce says selling fractionalized NFTs could be illegal, Business Insider (May 26, 2021), available at: https://markets.businessinsider.com/currencies/news/sec-crypto-mom-hester-peirce-selling-nft-fragments-illegal-2021-3.

Richard B. LevinTel: +1 303 583 9929 / Email: [email protected] is chair of the FinTech and Regulation Practice and was one of the first lawyers to focus on the regulation of blockchain and digital assets. He is considered a thought leader in the FinTech space. Richard brings his experience as a senior legal and compliance officer on Wall Street and in London to bear in advising clients on corporate, FinTech, securities, and regulatory issues. A problem-solver by nature, he has been advising FinTech clients on legal and regulatory issues since the start of electronic trading in the late 1990s. His practice focuses on helping financial services and technology clients identify and address regulatory issues as they build their businesses.Richard has been identified by Chambers and Partners as one of the leading lawyers in the Blockchain and Cryptocurrencies category since the inception of the category. He has been recognised by Chambers for his knowledge on regulatory matters, great relationships with regulators, for helping clients push the boundaries of the FinTech sector, and for his advice on matters such as broker-dealer licensing and alternative trading systems.

Kevin TranTel: +1 615 664 5322 / Email: [email protected] assists clients in matters related to financial regulatory, FinTech, corporate and securities issues. He gained experience at the Federal Reserve Board in Washington, D.C., where he was a Financial Policy Analyst in the Capital and Regulatory Policy group in the Division of Supervision and Regulation. He also served the Board as the Policy Staff Adviser/Chief of Staff to the Deputy Director for Policy. In these roles, Kevin focused on developing regulations and guidance affecting banks and bank holding companies of all sizes, assisting the director with the day-to-day operations of the policy groups, and helping financial institutions and industry trade groups with regulatory interpretations.

Nelson Mullins1400 Wewatta Street, Suite 500, Denver, CO 80202, USA

Tel: +1 303 583 9900 / URL: www.nelsonmullins.com



Fintech SPAC Transactions in Europe and the United States

Jonathan CardenasFinancial Services Technology Joint Subcommittee


1. Introduction

Public listings through reverse mergers with special purpose acquisition companies (SPACs) have returned to the capital markets spotlight and are being utilised at record-breaking levels as an expedited alternative to traditional initial public offerings (IPOs).1 Often referred to as “blank check companies”, SPACs are publicly traded shell corporations that raise capital through an IPO of the SPAC (a SPAC IPO) in order to subsequently acquire and take public a privately-held target company in what is known as either a SPAC merger, a “De-SPAC” transaction or an initial business combination (a SPAC IBC).2 The volume of SPAC IPOs and related SPAC mergers (collectively, SPAC transactions) skyrocketed in 2020 as a result of COVID-19-related financial market uncertainty, as well as sponsor, investor and target company appetite for liquidity and exit opportunities.3 2021 is projected to be another potentially strong year for SPAC transactions with approximately $172 billion in SPAC merger value already recorded in the first quarter of the year.4 Technology is considered to be the dominant sector for SPAC investment,5 and an increasing number of SPACs are being formed worldwide to combine with target companies in the financial technology (Fintech) sector. This chapter provides a brief overview of the rise of Fintech SPAC transactions in the European and United States (U.S.) Fintech ecosystems.

2. Fintech SPAC IPOs2.1 The SPAC sponsor viewFintech-focused SPAC sponsors view the Fintech sector as ripe for SPAC business combinations as a result of the “deep supply”6 of privately-held Fintech targets that are well positioned to be taken public, as well as the increased demand for Fintech-related products and services that has resulted from the COVID-19 pandemic.7 Recognition of the Fintech sector’s potential from a public market standpoint resulted in the launch of over 30 Fintech SPAC IPOs in 2020, along with over 100 Fintech SPAC IPOs that have either formally launched or that have been announced in the first quarter of 2021 alone.8

Among the largest Fintech SPAC IPOs of 2020 were: Foley Trasimene Acquisition Corp. II’s $1.4 billion New York Stock Exchange (NYSE)-listed IPO;9 FTAC Olympus Acquisition Corp.’s $750 million NASDAQ-listed IPO;10 Dragoneer Growth Opportunities Corp.’s $690 million NYSE-listed IPO;11 Far Peak Acquisition Corp.’s $550 million NYSE-listed IPO;12 FinTech Acquisition Corp. V’s $250 million NASDAQ-listed IPO;13 and Dutch Star Companies Two B.V.’s €110 million Euronext Amsterdam-listed IPO.14 Among the largest Fintech SPAC IPOs of 2021 to date are: Austerlitz Acquisition Corporation II’s $1.2 billion NYSE-listed IPO;15 FTAC Hera Acquisition Corp.’s $800

Financial Services Technology Joint Subcommittee Fintech SPAC Transactions in Europe and the United States


million NASDAQ-listed IPO;16 Gores Guggenheim, Inc.’s $750 million NASDAQ-listed IPO;17 SVF Investment Corp.’s $525 million NASDAQ-listed IPO;18 Lazard Growth Acquisition Corp. I’s $500 million NASDAQ-listed IPO;19 Independence Holdings Corp.’s $435 million NASDAQ-listed IPO;20 European FinTech IPO Company 1 B.V.’s €415 million Euronext Amsterdam-listed IPO;21 ACQ Bure AB’s SEK 3.5 billion ($406 million) Nasdaq Stockholm-listed IPO;22 and Lakestar SPAC I SE’s €275 million Frankfurt Stock Exchange-listed IPO.23

2.2 The Fintech target company viewFrom the Fintech target company’s perspective, going public via a SPAC business combination offers a number of strategic advantages over a traditional IPO, including: a faster listing process thanks to the avoidance of lengthy roadshows with prospective investors; certainty over valuation thanks to the target company’s ability to predetermine its valuation in direct negotiation with the SPAC sponsor prior to listing; contractual flexibility thanks to the target company’s ability to negotiate SPAC merger agreement terms directly with the SPAC sponsor; and an opportunity to enter the public markets in partnership with a SPAC management team composed of reputable Fintech investors and financial services industry professionals who can enhance the target company’s value and overall prospects. Examples of prominent financial services industry professionals who form a part of the management teams of Fintech SPACs launched in 2020 include: Douglas L. Braunstein, former CFO of JPMorgan Chase, who currently serves as President and Chairman of the Board of Hudson Executive Investment Corp.;24 Betsy Z. Cohen, former CEO of The Bancorp, Inc., who currently serves as Chairman of the Board of Fintech Acquisition Corps. IV and V;25 Robert E. Diamond Jr., former CEO of Barclays, who currently serves as Chairman of the Board of Concord Acquisition Corp.;26 and, Xavier Rolet, former CEO of the London Stock Exchange, who currently serves as a Director of Golden Falcon Acquisition Corp.27 Management teams of high-profile Fintech SPACs formed in 2021 include: Marcelo Claure, Executive Vice President and COO of SoftBank Group Corp, who currently serves as Chairman and CEO of LDH Growth Corp I;28 Steven J. McLaughlin, Founder and CEO of Financial Technology Partners (FT Partners), who currently serves as Co-Chairman of the Board of Independence Holdings Corp.;29 and Martin Blessing, former CEO of Commerzbank, who currently serves as Executive Director of European FinTech IPO Company 1 B.V.30

For these reasons, entering the public equities markets through a reverse merger with a SPAC can be an appealing proposition to growth stage Fintech companies that are looking to expand quickly in a globally competitive market.

3. Distinguishing characteristics of Fintech SPACs

Fintech SPACs come in a variety of shapes and sizes, with some focused on acquiring targets in specific Fintech product or geographic markets, while others focus on targets whose enterprise value falls within a specified range. 3.1 Fintech product marketsFrom a product market standpoint, some Fintech SPACs are focused on Fintech in its most general sense, while others are focused on specific Fintech verticals. Motive Capital Corp., for example, is focused on Fintech targets active in “Banking & Payments, Capital Markets, Data & Analytics, Insurance and Investment Management”,31 while others, such as North Mountain Merger Corp., take a more wide-ranging approach that includes targets in the



“financial technology segment of the broader financial services industry”.32 Some Fintech SPACs, such as Far Peak Acquisition Corporation,33 Ribbit LEAP, Ltd.,34 Figure Acquisition Corp. I35 and FinServ Acquisition Corp. II,36 include blockchain technology, crypto-assets and cryptocurrency-related services within the scope of their Fintech target company search, while others do not. Moreover, certain Fintech SPACs, such as INSU Acquisition Corp. III,37 Delwinds Insurance Acquisition Corp.38 and Pine Technology Acquisition Corp.,39 focus on insurance technology (InsurTech), while PropTech Investment Corporation II40 and Tishman Speyer Innovation Corp. II41 focus on real estate technology (PropTech). 3.2 Fintech geographic marketsFrom a geographic standpoint, some Fintech SPACs consider targets located in multiple continents, while others focus more narrowly on a particular region or country. Golden Falcon Acquisition Corp., for example, is focused on Fintech and other technology targets headquartered in “Europe, Israel, the Middle East or North America”,42 while byNordic Acquisition Corporation is focused on Fintech targets in Northern Europe, specifically defined as including “the Nordic and Scandinavian countries, the Baltic states, UK and Ireland, Germany, France and the Benelux countries”.43 Although the recent Fintech SPAC phenomenon has taken off primarily in the U.S., an increasing number of Fintech SPACs are being launched in European stock exchanges, particularly in Amsterdam, Frankfurt and Stockholm, in order to take European Fintech companies public.44 Euronext Amsterdam-listed European FinTech IPO Company 1 B.V., for example, is focused on financial services and Fintech companies that are headquartered or operate in Europe, the UK or Israel,45 while Frankfurt Stock Exchange-listed Lakestar SPAC I is focused on Fintech and other technology companies with principal operations in the European Economic Area, the UK or Switzerland.46

3.3 Company valuationsFrom a valuation standpoint, some Fintech SPACs limit their search to targets within a specific valuation range, while others do not specify a particular range at all. VPC Impact Acquisition Holdings, for example, is focused on Fintech targets with an enterprise value of approximately $800 million to $2 billion,47 while Fusion Acquisition Corp. II is focused on Fintech targets with an enterprise value of approximately $1.5 billion to $5 billion.48

4. Fintech SPAC mergers

Fintech investment bank FT Partners has described 2020 as the “most active year ever” for SPAC mergers in the Fintech sector, with 15 Fintech SPAC mergers announced in 2020, 12 of which were valued at over $1 billion.49 The SPAC trend is projected to continue in 2021,50 which has already seen 17 Fintech SPAC mergers announced in Q1 2021 alone, 14 of which have been valued at over $1 billion.51 Among the largest Fintech SPAC mergers of 2020 were: United Wholesale Mortgage’s merger with Gores Holdings IV Inc. at a $16.1 billion valuation in September 2020;52 MultiPlan’s merger with Churchill Capital Corp III at an $11 billion valuation in July 2020;53 UK-based Paysafe’s merger with NYSE-listed Foley Trasimene Acquisition Corp. II at a $9 billion valuation in December 2020;54 and Paya Inc.’s merger with FinTech Acquisition Corp III at a $1.3 billion valuation in August 2020.55 Of the Fintech SPAC mergers that have been announced in Q1 2021, some of the largest include: eToro’s merger with Fintech Acquisition Corp. V at a $10 billion valuation in March 2021;56 SoFi’s merger with Social Capital Hedosophia Holdings V at an $8.6 billion



valuation in January 2021;57 CCC Information Services’ merger with Dragoneer Growth Opportunities Corp. at a $6.5 billion valuation in February 2021;58 and Payoneer’s merger with FTAC Olympus Acquisition Corp. at a $3.3 billion valuation in February 2021.59 Given the large number of Fintech SPACs that were launched in 2020 and Q1 2021 that are now actively searching for Fintech targets, additional Fintech SPAC mergers are expected in 2021 and 2022.60

Conclusion

Although some analysts view the recent surge in SPAC transactions as unsustainable,61 particularly in light of anticipated regulatory reform in the U.S.,62 others remain optimistic and predict that the SPAC boom will not only continue further into 2021,63 but will expand internationally,64 particularly in Europe.65 SPAC transactions in the Fintech sector are likely to persist at a steady pace in 2021 given the sector’s strong revenue and growth projections,66 as well as continued demand for Fintech products and services in response to ongoing COVID-19-related challenges.67 As a result, SPAC-focused capital markets and M&A attorneys on both sides of the Atlantic should continue paying close attention to developments in this space.

* * *

Disclaimer

This chapter represents the views and opinions of the author alone and should not be construed to reflect the views and opinions of either the Financial Services Technology Joint Subcommittee, the American Bar Association, the ABA Business Law Section or Paul Hastings LLP. Nothing contained herein is to be considered as the rendering of legal advice for specific cases or as investment advice. Readers are responsible for obtaining such advice from their own legal counsel or from their own investment advisors. These materials and any forms and agreements referenced herein are intended for educational and informational purposes only.

* * *

Endnotes1. “2020 Annual US PE Breakdownˮ, PitchBook, January 11, 2021. Available at: https://

pitchbook.com/news/reports/2020-annual-us-pe-breakdown. See also “2020 Annual European PE Breakdownˮ, PitchBook, January 19, 2021. Available at: https://pitchbook.com/news/reports/2020-annual-european-pe-breakdown. See also “Q3 2020 PitchBook Analyst Note: The 2020 SPAC Frenzyˮ, PitchBook, August 31, 2020. Available at: https://pitchbook.com/news/reports/q3-2020-pitchbook-analyst-note-the-2020-spac-frenzy. See also “Q2 2020 PitchBook Analyst Note: SPACs Resurface in a Volatile Marketˮ, PitchBook, May 4, 2020. Available at: https://pitchbook.com/news/reports/q2-2020-pitchbook-analyst-note-spacs-resurface-in-a-volatile-market. See also “The Resurgence of SPACs: Observations and Considerationsˮ, Harvard Law School Forum on Corporate Governance, August 22, 2020. Available at: https://corpgov.law.harvard.edu/2020/08/22/the-resurgence-of-spacs-observations-and-considerations/.

2. “Update on Special Purpose Acquisition Companiesˮ, Harvard Law School Forum on Corporate Governance, August 17, 2020. Available at: https://corpgov.law.harvard.edu/2020/08/17/update-on-special-purpose-acquisition-companies/.



3. “SIFMA Insights, Spotlight: 2020, the Year of the SPAC: Explaining SPACs and Analyzing Issuance Trendsˮ, SIFMA, August 2020. Available at: https://www.sifma.org/wp-content/uploads/2020/08/SIFMA-Insights-Spotlight-SPACs.pdf. See also “SPAC Transactions — Considerations for Target-Company CFOsˮ, Cooley & Deloitte, October 2, 2020. Available at: https://www.cooley.com/news/insight/2020/2020-10-02-spac-transactions-considerations-for-targetcompany-cfos.

4. “SPAC boom fuels strongest start for global mergers and acquisitions since 1980ˮ, Financial Times, March 31, 2021. Available at: https://www.ft.com/content/bacdf86f-e78 6-4439-966e-f5958adb1c59.

5. Source: Dealogic Insights, 2020.6. “VPC Impact Acquisition Holdingsˮ, Prospectus, September 22, 2020. Available at: https://

www.sec.gov/Archives/edgar/data/1820302/000119312520253319/d10733d424b4.htm.7. “Ex-UniCredit CEO Plans SPAC Amid ‘Transformation’ in Financeˮ, Bloomberg,

February 15, 2021. Available at: https://www.bloomberg.com/news/articles/2021-02-15/ex-unicredit-ceo-mustier-plans-spac-backed-by-bernard-arnault. See also “Q3 2020 Emerging Tech Research: Fintechˮ, PitchBook, November 3, 2020. Available at: https://pitchbook.com/news/reports/q3-2020-emerging-tech-research-fintech.

8. Sources: Nasdaq, Renaissance Capital, SPAC Alpha, SPACInsider and SPAC Research. 9. “Foley Trasimene Acquisition Corp. II Closes Partial Exercise of IPO Over-Allotment

Optionˮ, BusinessWire, August 26, 2020. Available at: https://www.businesswire.com/news/home/20200826005729/en/Foley-Trasimene-Acquisition-Corp.-II-Closes-Partial-Exercise-of-IPO-Over-Allotment-Option.

10. “Fintech-focused SPAC FTAC Olympus Acquisition closes IPOˮ, S&P Global Market Intelligence, August 31, 2020. Available at: https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/fintech-focused-spac-ftac-olympus-acquisition-closes-ipo-60136338.

11. “Dragoneer Growth Opportunities Corp. Announces Pricing of $600,000,000 Initial Public Offeringˮ, BusinessWire, August 13, 2020. Available at: https://www.businesswire.com/news/home/20200813005845/en/Dragoneer-Growth-Opportunities-Corp.-Announces-Pricing-of-600000000-Initial-Public-Offering.

12. “Former NYSE President’s second SPAC Far Peak Acquisition prices $550 million IPO at $10ˮ, Renaissance Capital, December 3, 2020. Available at: https://www.renaissancecapital.com/IPO-Center/News/73715/Former-NYSE-Presidents-second-SPAC-Far-Peak-Acquisition-prices-$550-million.

13. “FinTech Acquisition Corp. V Announces Completion of $250,000,000 Initial Public Offering, Including Exercise of Over-Allotment Optionˮ, Globenewswire, December 8, 2020. Available at: https://www.globenewswire.com/news-release/2020/12/09/2141839/0/en/FinTech-Acquisition-Corp-V-Announces-Completion-of-250-000-000-Initial-Public-Offering-Including-Exercise-of-Over-Allotment-Option.html.

14. “Dutch Star Companies TWO celebrates listing on Euronext Amsterdamˮ, Euronext, November 19, 2020. Available at: https://www.euronext.com/en/about/media/euronext-press-releases/dutch-star-companies-two-celebrates-listing-euronext-amsterdam.

15. “Bill Foley’s SPAC Austerlitz Acquisition II prices upsized $1.2 billion IPOˮ, NASDAQ, February 26, 2021. Available at: https://www.nasdaq.com/articles/bill-foleys-spac-austerlitz-acquisition-ii-prices-upsized-%241.2-billion-ipo-2021-02-26.

16. “Fintech-focused SPAC FTAC Hera Acquisition prices upsized $800 million IPO ,ˮ Renaissance Capital, March 4, 2021. Available at: https://www.renaissancecapital.com/IPO-Center/News/78773/Bancorp-led-SPAC-FTAC-Hera-Acquisition-prices-upsized-$800-million-IPO.



17. “SPAC Gores Guggenheim prices $750 million IPO, formed by The Gores Group and Guggenheim Partnersˮ, NASDAQ, March 23, 2021. Available at: https://www.nasdaq.com/articles/spac-gores-guggenheim-prices-%24750-million-ipo-formed-by-the-gores-group-and-guggenheim.

18. “SoftBank’s AI-focused SPAC SVF Investment Corp. prices $525 million IPO at $10ˮ, NASDAQ, January 8, 2021. Available at: https://www.nasdaq.com/articles/softbanks-ai-focused-spac-svf-investment-corp.-prices-%24525-million-ipo-at- %2410-2021-01-08.

19. “SPAC Lazard Growth Acquisition I prices $500 million IPOˮ, NASDAQ, February 10, 2021. Available at: https://www.nasdaq.com/articles/spac-lazard-growth-acquisition-i-prices-%24500-million-ipo-2021-02-10.

20. “Fintech banker McLaughlin hunts bigger deal after upsized SPAC IPOˮ, Reuters, March 9, 2021. Available at: https://www.reuters.com/article/independence-ipo-idCNL8N2L76PP.

21. “Fintech-focused SPAC EFIC1 to begin trading on Euronext Amsterdamˮ, NASDAQ, March 26, 2021. Available at: https://www.nasdaq.com/articles/fintech-focused-spac-efic1-to-begin-trading-on-euronext-amsterdam-2021-03-26.

22. “First SPAC in Scandinavia Has Institutional Funds Piling Inˮ, Bloomberg, March 25, 2021. Available at: https://www.bloomberg.com/news/articles/2021-03-25/first-spac-in- scandinavia-has-institutional-investors-piling-in.

23. “Lakestar SPAC I SE listed on the Regulated Market in Frankfurt since todayˮ, February 22, 2021, Deutsche Börse Cash Market. Available at: https://deutsche-boerse.com/dbg-en/media/press-releases/Lakestar-SPAC-I-SE-listed-on-the-Regulated-Market-in-Frankfurt-since-today-2451570. See also “S&C Advises Lakestar SPAC in Europe’s First Tech-Focused SPAC IPOˮ, February 19, 2021, Sullivan & Cromwell LLP. Available at: https://www.sullcrom.com/client-highlight-sandc-advises-lakestar-spac-in-europes-first-tech-focused-spac-ipo.

24. “Hudson Executive Investment Corp.ˮ, Prospectus, June 10, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1803901/000119312520165740/d846732d424b4.htm.

25. “FinTech Acquisition Corp. Vˮ, Prospectus, December 3, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1829328/000121390020041405/f424b41220_fintechacqv.htm. “FinTech Acquisition Corp. IVˮ, Prospectus, September 24, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1777835/000121390020028485/f424b4 _fintechacqcorp4.htm.

26. “Concord Acquisition Corpˮ, Prospectus, December 7, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1824301/000121390020041867/f424b4_con cordacquicorp.htm.

27. “Golden Falcon Acquisition Corp.ˮ, Prospectus, December 1, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1823896/000119312520307287/d167933ds1.htm.

28. “LDH Growth Corp Iˮ, Prospectus, March 18, 2021. Available at: https://www.sec.gov/Archives/edgar/data/0001842373/000114036121009493/nt10019203x8_424b4.htm.

29. “Independence Holdings Corp.ˮ, Prospectus, March 8, 2021. Available at: https://www.sec.gov/Archives/edgar/data/0001837393/000119312521076685/d134197d424b4.htm.

30. “European Fintech IPO Company 1 B.V.ˮ, Prospectus, March 22, 2021. Available at: https://live.euronext.com/sites/default/files/2021-03/EFIC1%20-%20Final%20Prospectus.pdf.

31. Motive Capital Corp, Amendment No. 1 to Form S-1, December 8, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1827821/000110465920133130/tm2032742-6_s1.htm.



32. “North Mountain Merger Corp.ˮ, Prospectus, September 18, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1819157/000114036120020889/nt10014112x7_424b4.htm.

33. “Far Peak Acquisition Corpˮ, Prospectus, December 3, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1829426/000119312520309439/d26326d424b4.htm.

34. “Ribbit LEAP, Ltd.ˮ, Prospectus, September 14, 2020. Available at: https://www.sec.gov/Archives/edgar/data/ 1818346/000104746920004858/a2242371z424b4.htm.

35. “Figure Acquisition Corp. Iˮ, Prospectus, February 18, 2021. Available at: https://www.sec.gov/Archives/edgar/data/0001839550/000095010321002699/dp146494_424b4.htm.

36. “FinServ Acquisition Corp. IIˮ, Prospectus, February 17, 2021. Available at: https://www.sec.gov/Archives/edgar/data/0001834336/000121390021010588/f424b40221_finserv2.htm.

37. “INSU Acquisition Corp. IIIˮ, Prospectus, December 17, 2020. Available at: https://www.sec.gov/Archives/edgar/data/0001829889/000121390020043838/f424b4_insu3.htm.

38. Delwinds Insurance Acquisition Corp., December 10, 2020. Available at: https://www.sec.gov/Archives/edgar/data/0001812360/000121390020042232/f424b41220_del winds.htm.

39. “Pine Technology Acquisition Corp.ˮ, Prospectus, March 10, 2021. Available at: https://www.sec.gov/Archives/edgar/data/0001838238/000121390021014815/f424b40321_pine techacq.htm.

40. “PropTech Investment Corporation IIˮ, Prospectus, December 3, 2020. Available at: https://www.sec.gov/Archives/edgar/data/0001821075/000121390020041192/f424b41220_proptechinvest2.htm.

41. “Tishman Speyer Innovation Corp. IIˮ, Prospectus, February 11, 2021. Available at: https://www.sec.gov/Archives/edgar/data/0001832737/000119312521041920/d25618d424b4.htm.

42. “Golden Falcon Acquisition Corp.ˮ, Prospectus, December 17, 2020. Available at: https://www.sec.gov/Archives/edgar/data/0001823896/000119312520323308/d82019d424b4.htm.

43. byNordic Acquisition Corporation, Form S-1, August 28, 2020. Available at: https://www.sec.gov/Archives/edgar/data/1801417/000121390020024311/fs12020_bynordicacq.htm.

44. “After U.S. SPAC frenzy, blank-check firms eye deals in Europe’s burgeoning tech sectorˮ, CNBC, February 12, 2021. Available at: https://www.cnbc.com/2021/02/12/spac-frenzy-blank-check-firms-eye-deals-in-europes-tech-sector.html. “US SPAC Boom Spreads to Europe with Recent Amsterdam and Frankfurt SPAC Listings and Potential Reform in Londonˮ, Freshfields Bruckhaus Deringer LLP, March 10, 2021. Available at: http://knowledge.freshfields.com/en/Global/r/4416/us_spac_boom_spreads_to_europe_with_recent_amsterdam_and. See also “US SPACs look beyond their backyard to Europeˮ, White & Case LLP, March 12, 2021. Available at: https://mergers.whitecase.com/highlights/us-spacs-look-beyond-their-backyard-to-europe. See also “SPACs Cross the Atlanticˮ, Baker McKenzie, December 21, 2020. Available at: https://www.bakermckenzie.com/en/insight/publications/2020/12/spacs-cross-the-atlantic.

45. “European Fintech IPO Company 1 B.V.ˮ, Prospectus, March 22, 2021.46. Lakestar SPAC I SE: Company Details, Deutsche Börse. Available at: https://www.

boerse-frankfurt.de/equity/lakestar-spac-i-se/company-details. 47. “VPC Impact Acquisition Holdingsˮ, Prospectus, September 24, 2020. Available at: https://

www.sec.gov/Archives/edgar/data/1820302/000119312520253319/d10733d424b4.htm.48. “Fusion Acquisition Corp. IIˮ, Prospectus, February 25, 2021. Available at: https://www.sec.

gov/Archives/edgar/data/0001840225/000121390021012620/f424b40221_fusionacq2.htm.49. “2020 Annual Fintech Almanac: Global Financing and M&A Statisticsˮ, FT Partners

Research, March 2021. Available at: https://www.ftpartners.com/fintech-research/almanac.



50. “An Avalanche of SPAC M&A Deals Predicted for Q1 of 2021: Lawsuits Certain to Followˮ, Woodruff Sawyer, January 3, 2021. Available at: https://woodruffsawyer.com/mergers-acquisitions/avalanche-spac-ma-deals-predicted-q1-2021/.

51. “Q1 2021 Quarterly Fintech Insights: Global Financing and M&A Statisticsˮ, FT Partners Research, April 2021. Available at: https://ftpartners.docsend.com/view/9pyykg8h9c3bi32y.

52. “United Wholesale Mortgage Goes Public in Biggest SPAC Deal Everˮ, Wall Street Journal, September 23, 2020. Available at: https://www.wsj.com/articles/united-wholesale-mortgage-to-go-public-via-merger-with-gores-spac-11600828200.

53. “MultiPlan to Go Public in Merger with Churchill Capital Entityˮ, Wall Street Journal, July 12, 2020. Available at: https://www.wsj.com/articles/multiplan-to-go-public-in-merger-with-churchill-capital-entity-11594593000.

54. “Foley Trasimene Acquisition Corp. II and Paysafe, A Leading Global Payments Provider Focused on Digital Commerce and iGaming, Announce Mergerˮ, Paysafe Group, December 7, 2020. Available at: https://www.paysafe.com/us-en/paysafegroup/news/detail/foley-trasimene-acquisition-corp-ii-and-paysafe-a-leading-global-payments-provider-focused-on-digital-commerce-and-igaming-announce-merger/.

55. “Paya and FinTech III Announce Merger Agreementˮ, Businesswire, August 3, 2020. Available at: https://www.businesswire.com/news/home/20200803005351/en.

56. “Israel’s eToro to go public through $10.4 billion SPAC deal backed by SoftBank, othersˮ, Reuters, March 16, 2021. Available at: https://www.reuters.com/article/etoro-m-a-fintech-acquisit-int/israels-etoro-to-go-public-through-10-4-billion-spac-deal-backed-by-softbank-others-idUSKBN2B81MQ.

57. “SoFi to go public via SPAC backed by billionaire investor Chamath Palihapitiyaˮ, Business Insider, January 7, 2021. Available at: https://markets.businessinsider.com/news/stocks/sofi-to-go-public-via-spac-backed-by-chamath-palihapitiya-2021-1-1029941577.

58. “CCC Information Services to Go Public in $6.5 Billion SPAC Mergerˮ, Wall Street Journal, February 3, 2021. Available at: https://www.wsj.com/articles/ccc-information-services-to-go-public-in-6-5-billion-spac-merger-11612353600.

59. “Why a Fintech Chose to Go Public With a SPAC. Hint: It’s the Money and the Partnerˮ, Barron’s, February 7, 2021. Available at: https://www.barrons.com/articles/why-a-fintech-chose-to-go-public-with-a-spac-hint-its-the-money-and-the-partner-51612568216.

60. “Goldman Sachs sees Spacs driving a $900bn M&A frenzyˮ, Financial News London, April 22, 2021. Available at: https://www.fnlondon.com/articles/goldman-sachs-sees-spacs-driving-a-900bn-ma-frenzy-20210422.

61. “Goldman chief executive says Spac boom is unsustainableˮ, Financial Times, January 19, 2021. Available at: https://www.ft.com/content/caa33f44-fd08-4049-a20e-3c3fde778b50. See also “The SPAC Bubble Is About to Burstˮ, Harvard Business Review, February 18, 2021. Available at: https://hbr.org/2021/02/the-spac-bubble-is-about-to-burst. See also “ANALYSIS: Investor Hunger for SPACs Is Hitting Limits . . . for Nowˮ, Bloomberg Law, November 16, 2020. Available at: https://news.bloomberglaw.com/securities-law/analysis-investor-hunger-for-spacs-is-hitting-limits-for-now. See also “Q4 2020 PitchBook Analyst Note: 2021 US Venture Capital Outlookˮ, PitchBook, December 11, 2020. Available at: https://pitchbook.com/news/reports/q4-2020-pitchbook-analyst-note-2021-us-venture-capital-outlook.

62. “SPACs, IPOs and Liability Risk under the Securities Lawsˮ, John Coates, U.S. Securities and Exchange Commission, April 8, 2021. Available at: https://www.sec.gov/news/public-statement/spacs-ipos-liability-risk-under-securities-laws. See also “SEC’s New Guidance on



Liability Risks Likens SPACs to IPOsˮ, Fenwick & West LLP, April 9, 2021. Available at: https://www.fenwick.com/insights/publications/secs-new-guidance-on-liability-risks-likens-spacs-to-ipos.

63. “PitchBook Analyst Note: 2021 European Private Capital Outlookˮ, PitchBook, January 14, 2021. Available at: https:// pitchbook.com/news/reports/q1-2021-pitchbook-analyst- note-2021-european-private-capital-outlook. See also “219 ‘blank-check’ companies raised $73 billion in 2020, outpacing traditional IPOs to make this the year of the SPAC, according to Goldman Sachsˮ, Business Insider, December 18, 2020. Available at: https://markets.businessinsider.com/news/stocks/spacs-raised-73-billion-more-than-traditional-ipos-blank-checks-2020-12-1029906693. See also “Dealbook Newsletter: The Year in Deals Can Be Summed Up in 4 Lettersˮ, New York Times, December 19, 2020. Available at: https://www.nytimes.com/2020/12/19/business/dealbook/deals-mergers-acquisitions-2020.html.

64. “Hong Kong Is Set to Target First SPAC Listing by End of Yearˮ, Bloomberg, March 29, 2021. Available at: https://www.bloomberg.com/news/articles/2021-03-28/hong-kong-is-said-to-target-first-spac-listing-by-end-of-year. See also “Singapore Exchange Considers Stricter SPAC Listing Rules Than U.S.ˮ, Bloomberg, March 31, 2021. Available at: https://www.bloomberg.com/news/articles/2021-03-31/singapore-mulls-tighter-rules-than-u-s-as-it-joins-spac-race.

65. “European stock exchanges expect SPAC surge in 2021, but not at US scaleˮ, S&P Global Market Intelligence, March 29, 2021. Available at: https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/european-stock-exchanges-expect-spac-surge-in-2021-but-not-at-us-scale-63179517. See also “Deutsche Bank bolsters European Spac roster ahead of expected boomˮ, Financial News London, April 9, 2021. Available at: https://www.fnlondon.com/articles/deutsche-bank-bolsters-european-spac-roster-ahead-of-expected-boom-20210409.

66. “Fitch Ratings 2021 Outlook: North America & Europe FinTechˮ, Fitch Ratings, December 3, 2020. Available at: https://www.fitchratings.com/research/corporate-finance/fitch-ratings-2021-outlook-north-america-europe-fintech-03-12-2020. See also The Fintech Industry in 2021, American Banker, December 17, 2020. Available at: https://www.americanbanker.com/leaders/the-fintech-industry-in-2021.

67. “PitchBook Analyst Note: 2021 Emerging Technology Outlookˮ, PitchBook, December 16, 2020. Available at: https://pitchbook.com/news/reports/q4-2020-pitchbook-analyst-note-2021-emerging-technology-outlook. See also “How US customers’ attitudes to fintech are shifting during the pandemicˮ, McKinsey & Company, December 17, 2020. Available at: https://www.mckinsey.com/industries/financial-services/our-insights/how-us-customers-attitudes-to-fintech-are-shifting-during-the-pandemic.

Jonathan CardenasTel: +1 212 318 6018 / Email: [email protected] serves as Chair of the Financial Services Technology Joint Subcommittee of the Commercial Finance Committee and Private Equity & Venture Capital Committee of the American Bar Association Business Law Section. Jonathan is a corporate associate in the New York office of Paul Hastings LLP, and was formerly a Fellow with the Transatlantic Technology Law Forum at Stanford Law School, as well as with the Information Society Project at Yale Law School.Jonathan received his J.D. from New York University School of Law, where he was a Jacobson Leadership Program in Law & Business Scholar, and where he served as a Managing Editor of the NYU Journal of Law & Business. He received an M.Phil. in International Relations from the University of Cambridge, and a B.A. in Political Science, summa cum laude, from the University of Pennsylvania.Jonathan is admitted as an attorney in the District of Columbia, the State of Florida, and the State of New York.

Financial Services Technology Joint SubcommitteePaul Hastings LLP, 200 Park Avenue, New York, NY 10166, USA

Tel: +1 212 318 6018 / Email: [email protected]



AustraliaPeter Reeves, Robert O’Grady & Emily Shen

Gilbert + Tobin


Approaches and developments

Australia has seen a continued proliferation of active fintech businesses, with payments, investment and data emerging as the key sectors for disruption. Despite significant uncertainty in (and in many cases, criticism of ) the financial services industry as a result of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission), the Australian approach to fintech has remained supportive of new and innovative financial services and products. This has been further demonstrated through increased technological capabilities developed in the wake of the COVID-19 pandemic.As discussed below under “Regulatory bodies”, Australian regulators have generally been receptive to the growth of the Australian fintech ecosystem and there has been considerable discussion around the opportunities, risks and challenges that have arisen for market participants, customers and regulators. Australian policy-makers and bodies continue to make regulatory and legislative developments to ensure the scope of emerging services is adequately captured within the existing financial services framework. This has included increased technology-neutral or fintech-specific regulatory guidance to assist businesses in understanding their obligations, amended legislation to bring fintech services providers within the remit of existing regimes, and the introduction of new legislation to provide greater consumer protection.The findings of the Royal Commission were a catalyst for turning regulatory focus to consumer protection and making this the utmost priority for incumbent financial institutions and industry-wide changes to the culture and governance of financial services providers are reflective of this. Regulators have taken a more stringent approach to enforcement. For example, in addition to its “why not litigate” regulatory stance, the Australian Securities and Investments Commission (ASIC) has commenced using its recently acquired product intervention powers to impose conditions and restrictions on the provision of financial products and services that have the potential to cause significant consumer detriment (discussed below). This presents an opportunity for fintechs, which are typically focused on delivering customer-centric outcomes and are often better placed to respond quickly to regulatory change. Various physical distancing restrictions imposed by State and Federal Governments during the COVID-19 pandemic witnessed an increase in the creation and implementation of technology solutions across a broad range of industries. In response to stressed economic conditions, regulators implemented a range of exemptions to facilitate utilising technology to fulfil corporate actions and processes (e.g., electronic signatures). While these measures

Gilbert + Tobin Australia


were not specifically targeted at fintechs (regulators have generally maintained their technology neutral stance), it has led to accelerated digital education and adoption across various financial service and product delivery channels.Use of digital wallets and contactless payment solutions has surged. Recognising that such solutions are growing beyond the scope of current regulation, there is consultation underway. The Council of Financial Regulators (comprised of Australia’s major financial regulators) has made recommendations for a new framework for stored value facilities (i.e., digital wallets that are widely used as a means of payment and store significant value for a reasonable amount of time) to be overseen by the Australian Prudential Regulatory Authority (APRA), Australia’s banking regulator. The Reserve Bank of Australia (RBA) is currently undertaking a holistic review of the regulatory framework for card payments (due late 2021) and the Australian Treasury is undertaking a simultaneous review of the overall regulatory architecture of the Australian payments systems. Businesses have continued to explore new automated service methods including the use of robo-advisors for distributing financial advice. There has been sustained attention on blockchain and distributed ledger technology (DLT) to the extent that fintechs have begun formalising use cases for DLT to manage supply chains, make cross-border payments, trade derivatives, and manage assets and digital currency exchanges. The Australian Securities Exchange (ASX), Australia’s primary securities exchange, is currently in the process of rolling out a DLT-based replacement for its clearing and settlement process. The ASX is currently analysing and testing the technology, and releasing technical documentation. 2020 saw the launch of the new national Consumer Data Right (CDR) framework, initially applied to the banking sector under the “Open Banking” regime. The CDR enables consumers to exercise greater access and control over their banking data and is anticipated to have a profound effect on the financial services industry by encouraging customers to switch service providers and open the market to new fintech businesses. There have been a number of relevant legislative changes in Australia (see “Fintech offering in Australia” below). The Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Bill 2019 introduced a design and distribution obligation (DDO) for financial services firms as well as a product intervention power (PIP) for ASIC. The new DDO regime will apply from 5 October 2021 and requires product issuers to ensure products are targeted and offered to the appropriate customers. ASIC has held its PIP since 2019; however, it has only recently commenced intervening in the distribution of products it considers as carrying a risk of significant consumer detriment. More than ever, it will be crucial for financial service providers, including fintechs, to consider the suitability of products and disclosure documents for their own customer base.

Fintech offering in Australia

Fintech businesses have been disrupting the Australian banking, investment and wealth management, payments, advisory, trading and fundraising sectors through offers of alternatives to the relatively concentrated traditional providers of these financial services. These alternative offers generally focus on providing financial services in a way that prioritises customer experience and outcomes, utilises technology solutions such as apps and smart devices in the delivery of financial services, or disintermediates the provision of financial services. Fintech businesses must comply with all existing laws and regulations for financial services and consumer credit activities in Australia. The Government has taken steps to alleviate the



regulatory burden on fintechs looking to test the Australian market prior to a full product or service launch. See “Key regulations and regulatory approaches” below for further discussion.Regulatory guidance has also been updated to address the fintech sector. For example, ASIC has released specific guidance clarifying the licensing, conduct and disclosure obligations that apply to the provision of digital financial product advice. This includes requiring nomination of a person within the business who understands and will be responsible for the ongoing monitoring of the algorithms used to produce advice. ASIC has clarified how Australian financial services laws may apply to a range of cryptocurrency offerings, whether through initial coin offerings or security token offerings as an alternative funding mechanism, non-fungible token offerings or fund offerings with cryptocurrency assets. In summary, the legal status of these offerings depends on the structure, operation and the rights attached to the tokens offered. Issuing tokens may trigger licensing, registration and disclosure requirements if the tokens are financial products (e.g., interests in managed investment schemes, securities, derivatives or non-cash payment facilities). Blockchain technology continues to capture the attention of established businesses, and there is now an awareness of decentralised finance and its potential implications. In the past couple of years, Australia has witnessed the application of DLT in solutions across a broad range of financial market operators, financial institutions, financial service providers and fintechs, which has prompted new regulation. Given the rapidly evolving blockchain sector (particularly as institutional businesses move from observational practices to implementation), regulators have generally maintained a technology neutral stance to the application of the law and regulation. In addition to current reviews being undertaken (see payments review “Approaches and developments”), over the past few years, there have been numerous framework developments to lower barriers to entry for fintech providers. In 2018, ASIC introduced a two-tiered market licensing regime for financial market operators and updated its corresponding regulatory guidance. Specifically, the guidance reflects a risk-based assessment that will be undertaken, which is consistent with the approach taken internationally to the administration of market licensing. Under the revised Australian Market Licence (AML) regime, market venues can be designated as being either Tier 1 or Tier 2, depending on their nature, size, complexity and the risk they pose to the financial system, investor confidence and trust. While Tier 1 market venues are, or are expected to become, significant to the efficiency and integrity of (and confidence in) the Australian financial system, Tier 2 licences will be able to facilitate a variety of market venues and will have reduced obligations to accommodate new and specialised market platforms. The tiered market regime is expected to impact, amongst others, market operators and operators of market-like venues, as well as platforms seeking to offer secondary trading.The Australian banking sector is highly regulated with stringent licensing, conduct (including reporting) and regulatory capital requirements which act as significant hurdles for new businesses entering the market. Any entity that conducts any “banking business”, such as taking deposits (other than as part-payment for identified goods or services) or making advances of money, must be licensed as an authorised deposit-taking institution (ADI). To lower barriers to entry, APRA introduced a Restricted ADI framework which permits new businesses entering the banking industry to conduct a limited range of banking activities for two years while they build their capabilities and resources. After such time, they must either transition to a full ADI licence or exit the industry. Since then, various “neobanks” (which are wholly digital quasi-banks that provide full banking services to



customers via a solely mobile platform) have progressed through the Restricted ADI route and granted full ADI licences. Neobanks have largely been met with a positive response from the market and significant uptake by consumers.Fintech businesses will generally have obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1) (AML/CTF Rules). The AML/CTF Act applies to entities that provide “designated services” with an Australian connection. To address the rise of cryptocurrency offerings, the AML/CTF Act also captures digital currency exchange providers, which must register and enrol with the Australian Transaction Reports and Analysis Centre (AUSTRAC). Registered exchanges are required to implement know-your-customer processes to adequately verify the identity of their customers, adopt and maintain an AML/CTF programme as well as meet ongoing obligations to monitor and report suspicious and large transactions. Buy now, pay later (BNPL) has continued to be a growth area, with some providers now dominating the Australian fintech landscape. Many BNPL providers operate outside the Australian credit licensing regime on the basis of exemptions. This has given rise to calls to action with respect to BNPL industry regulation and in 2020, ASIC undertook a review of the industry, reporting on the impact on consumers and upcoming regulatory developments. Importantly, these regulatory developments rely on existing and impending regulatory changes rather than proposing new industry specific policy and regulation, which ASIC stated “remain[s] a matter for Government and, ultimately, the Parliament”. However, in reaction to various consumer concerns, the Australian Finance Industry Association (which includes a range of BNPL providers in its membership) drafted a voluntary BNPL Code of Practice (BNPL Code), which came into effect on 1 March 2021. The BNPL Code sets out nine Key Commitments regarding how BNPL products are to be designed and distributed to consumers and has been adopted by an estimated 95% of the Australian BNPL market.

Regulatory and insurance technology

The rising cost of compliance has prompted many companies using artificial intelligence (AI), customer due-diligence (e.g., “know-your-customer”) and data breach monitoring (e.g., “know-your-data”) technologies to invest in regulatory technology, or regtech. ASIC has indicated the benefits of regtech to provide better outcomes for consumers and has hosted annual fora for collaboration between businesses and to promote stakeholder engagement. It has also been reported that ASIC has actively encouraged incumbent financial institutions to partner with fintechs to harness regtech to automate regulatory reporting, manage compliance and ensure clarity to how regulation is interpreted. During 2019–2020, ASIC undertook five regtech initiatives (another three were put on hold due to COVID-19), being:1. a machine-learning trial to help ASIC identify potential misconduct in financial services

promotions to vulnerable consumers (in response to COVID-19); 2. engaging a regtech consultancy firm to deliver an organisation-wide voice analytics

operational framework to incorporate into supervisory and investigative projects involving audio file reviews;

3. a proof-of-concept project that aimed to automate data flows and reporting matters of interest to improve licensing and misconduct and breach reporting processes;

4. a first-phase natural language processing application to extract core prospectus information for supervisory analysis; and



5. engaging regtech consultants to develop an enhanced evidence score capability in relation to ASIC’s evidence document system.

Investments in insurance technology in Australia have increased, with companies and fintechs focusing on forging cross-sector alliances in order to embed their offerings into alternative value propositions. Insurance technology has the potential to disrupt individual sections of the insurance value chain, augment the existing processes of underwriting risk and predicting loss, and improve the existing capabilities of insurers, reinsurers, intermediaries and service providers. The increase in partnerships and alliances between insurance fintechs and incumbents with established customer bases will be effective for insurance start-ups to fuel expansion. There have not been any specific changes to legislation or regulation due to regtech or insurance technology; however, this may change in the future as uptake increases and becomes more mainstream.

Regulatory bodies

Australia has a twin peaks model of regulation with respect to financial services:1. ASIC is Australia’s primary corporate, markets, financial services and consumer credit

regulator. It is responsible for regulating consumer protection and maintaining market integrity within the financial system. ASIC supervises the conduct and regulation of Australian companies, financial markets, and financial service and consumer credit providers.

2. APRA is concerned with maintaining the safety and soundness of financial institutions, promoting financial stability in Australia and is tasked with protecting the interests of depositors, policy-holders and superannuation fund members. APRA oversees ADIs (e.g., banks, building societies and credit unions), general and life insurers, friendly societies, reinsurers and superannuation funds.

AUSTRAC is responsible for administering Australia’s anti-money laundering and counter-terrorism financing regime under the AML/CTF Act and the AML/CTF Rules. AUSTRAC may pursue a wide range of enforcement sanctions under the AML/CTF Act which include imposing civil and criminal penalties (which can be significant in value), enforceable undertakings, infringement notices, remedial directions, and power to cancel or suspend registrations of providers of digital currency exchange and designated remittance services. AUSTRAC plays an active role in setting and implementing international standards and is a member of regional and global groups such as the Financial Action Task Force and the Asia/Pacific Group on Money Laundering. The Office of the Australian Information Commissioner (OAIC) administers the Privacy Act 1988 (Cth) (Privacy Act) which regulates the handling of personal information by Federal Government agencies and some private sector organisations. The Privacy Act includes 13 Australian Privacy Principles (APPs), which impose obligations on the collection, use, disclosure, retention and destruction of personal information. The APPs extend to an act done, or practice engaged in, outside Australia by an organisation that has an “Australian link” (including where it carries on business in Australia and has collected or held personal information in Australia, either before or at the time of the act or practice).Fintechs may also be subject to the prohibitions in the Australian Consumer Law, which is enforced by the Australian Competition and Consumer Commission (ACCC). Broadly, these include prohibitions on misleading and deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms. Whilst the Australian



Consumer Law does not apply to financial products or services, many of these protections are enforced by ASIC either through mirrored provisions in the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) or through delegated powers.The Reserve Bank of Australia is Australia’s central bank and provides a range of banking services to the Government and its agencies, overseas central banks and official institutions. It is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.The Fair Work Commission is Australia’s national workplace relations tribunal and is responsible for administering the provisions of the Fair Work Act 2009 (Cth) (Fair Work Act), which governs the regulation of employment in Australia. In relation to hiring, minimum terms and conditions of employment for most employees (including professionals) are governed by modern awards, which sit on top of the National Employment Standards. The Fair Work Commission’s powers and functions broadly include dealing with unfair dismissal claims, anti-bullying claims, unlawful termination claims, setting and reviewing minimum wages in modern awards and making orders to stop or suspend industrial action.

Key regulations and regulatory approaches

Regulatory framework for fintech businessesFintech businesses must comply with the applicable licensing, registration and disclosure obligations under Australia’s financial services regime.Fintech businesses carrying on a financial services business in Australia must hold an Australian financial services licence (AFSL) or be exempt from the requirement to be licensed. Financial services are broadly defined under the Corporations Act 2001 (Cth) (Corporations Act), which is administered by ASIC, to include the provision of financial product advice, dealing in financial products (as principal or agent), making a market for financial products, operating registered schemes and providing custodial or depository services. A financial product is a facility through which, or through the acquisition of which, a person makes a financial investment, manages a financial risk or makes a non-cash payment. The Australian credit licence (ACL) regime applies to entities who engage in consumer credit activities in Australia, such as providing credit under a credit contract or consumer lease. Fintech businesses that provide marketplace lending products and related services will constitute consumer credit activities and will generally trigger the requirement to hold an ACL. Consumer credit activity is regulated by ASIC and under the National Consumer Credit Protection Act 2009 (Cth) and associated regulations. Fintech businesses may also need to hold an AML where they operate a facility through which offers to buy and sell financial products are regularly made (e.g., an exchange). If an entity operates a clearing and settlement mechanism which enables parties transacting in financial products to meet obligations to each other, the entity must hold a clearing and settlement facility licence or be otherwise exempt. Generally, fintech businesses that operate as holders of stored value in relation to purchased payment facilities under the Payment Services (Regulation) Act 1998 (Cth) are required to be an ADI unless otherwise exempt (see the above “Fintech offering in Australiaˮ section). A purchased payment facility is a facility (other than cash) where the facility is purchased and can be used to make payments up to the amount available for use under the facility and the payments are made by the provider or a person acting under an arrangement with the provider, rather than the user of the facility.



As discussed above in “Regulatory bodies”, the Privacy Act regulates the handling of personal information by Federal Government agencies and some private sector organisations.

Fintech innovation and regulatory developments

Australian regulators and policy-makers in the financial services sector have sought to improve and engage with technology-focused businesses while continuing to reinforce consumer protection as a key regulatory priority. As noted, regulators have generally adopted and maintained a technology-neutral approach so that services are regulated consistently, irrespective of the delivery method. Regulators have supported the market entry of fintechs by streamlining access and offering informal guidance to enhance regulatory understanding. Both ASIC and AUSTRAC have established Innovation Hubs to assist fintech businesses more broadly in understanding their obligations under Australian law. ASIC’s Innovation Hub provides tailored information and access to informal assistance intended to streamline the AFSL process for fintech start-ups. AUSTRAC’s Fintel Alliance also has an Innovation Hub targeted at combatting money laundering and terrorism financing, improving the fintech sector’s relationship with the Government and regulators and assessing the impact of new technologies such as blockchain and cryptocurrency. Under the Corporations (FinTech Sandbox Australian Financial Services Licence Exemption) Regulations 2020 and National Consumer Credit Protection (FinTech Sandbox Australian Credit Licence Exemption) Regulations 2020, the Government and ASIC have established a sandbox for fintech businesses to test financial services, financial products and credit activities for up to 12 months without holding an AFSL or ACL. There are strict eligibility requirements for both the types of businesses that can enter the regulatory sandbox and the products and services that qualify for the licensing exemption.

Restrictions

At the time of writing, there have not been any explicit prohibitions or restrictions on fintech business types. Australian regulators and policy-makers have generally sought to encourage and support fintech businesses, provided such businesses comply with applicable laws (including financial services and consumer laws).As discussed above in “Regulatory developmentsˮ, the Government has introduced new obligations under the Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Act 2019 (Cth) (DDO & PIP Act) for financial products and credit products issued and distributed to retail clients. The DDO & PIP Act introduced DDOs requiring financial product issuers to make a “target market determination” for the product, conduct distribution in accordance with the determination, notify ASIC of significant dealings inconsistent with the determination and regularly review the determination. The DDO & PIP Act also empowered ASIC to intervene using its PIP when it considers a financial product has, will, or is likely to result in significant consumer detriment. The DDOs come into effect on 5 October 2021, while ASIC has already utilised its PIP in relation to short-term credit practices, the sale of add-on financial products by car yard intermediaries, over-the-counter binary options and contracts for difference.

Cross-border business

CollaborationAustralian regulators and policy-makers have sought to improve their understanding of, and engagement with, fintech businesses by regularly consulting with industry on proposed



regulatory changes and entering into international cooperation and information-sharing agreements. ASIC has entered into a number of cooperation agreements and information-sharing agreements with overseas regulators for the purpose of facilitating cross-border financial regulation and removing barriers to market entry. Under these arrangements, there is a sharing of information on fintech market trends, encouraging referrals of fintech companies and sharing insights from proofs of concept and innovation competitions. Through these agreements, regulators hope to further understand the approach to regulation of fintech businesses in other jurisdictions, in an attempt to better align the treatment of these businesses across jurisdictions. ASIC currently has either information-sharing or cooperation agreements with numerous jurisdictions, including the China Securities Regulatory Commission, Hong Kong’s Securities and Futures Commission, the Monetary Authority of Singapore, the Swiss Financial Market Supervisory Authority, the United States Commodity Future Trading Commission, the Capital Markets Authority of Kenya, Indonesia’s Otoritas Jasa Keuangan and Canada’s Ontario Securities Commission. ASIC has also committed to supporting financial innovation in the interests of consumers by joining the Global Financial Innovation Network (GFIN), which was formally launched in January 2019 by a group of financial regulators from around the globe. GFIN currently has over 60 organisations dedicated to facilitating regulatory collaboration in a cross-border context and provides more efficient means for innovative businesses to interact with regulators.Foreign financial services providersThe regulation of foreign financial service providers (FFSPs) in Australia is changing. Up until recently, FFSPs that carry on a financial services business in Australia have typically relied on either “sufficient equivalenceˮ relief (also known as passport relief) and the “limited connectionˮ relief. Passport relief was repealed effective from 31 March 2020, but is subject to a 36-month transitional period available to FFSPs that already relied on the relief as at the date of the repeal. It was available to certain FFSPs providing financial services to wholesale clients only, where such FFSPs are regulated by a foreign regime considered by ASIC to be “sufficiently equivalent” to the Australian regime. Limited connection relief is set to be repealed from 31 March 2023 and is available to an FFSP that is not carrying on a business in Australia under the ordinary tests but is deemed to be carrying on a financial services business in Australia only because it is inducing, or intending to induce, a person in Australia to use its financial services, and where such services are provided to wholesale clients only. Conduct that amounts to inducing includes attempts to persuade, influence or encourage a particular person to become a client. Passport relief and limited connection relief have been replaced by a new foreign Australian financial services licence (FAFSL) regime, which commenced on 1 April 2020). The FAFSL regime is designed to be more streamlined than the AFSL application process. FFSPs must be regulated overseas by specified sufficiently equivalent regulatory regimes to be eligible to apply for a FAFSL to provide certain financial services to wholesale clients in Australia. The FAFSL regime is currently available to entities regulated by certain regulators in Denmark, France, Germany, Hong Kong, Luxembourg, Ontario in Canada, Singapore, Sweden, United Kingdom and the United States. FFSPs from another jurisdiction are entitled to apply to extend the FAFSL regime to other regulatory regimes. ASIC has also unveiled the ASIC Corporations (Foreign Financial Services Providers – Funds Management Financial Services) Instrument 2020/199 (Funds Management Relief Instrument) under which eligible FFSPs will not be required to hold an AFSL if the FFSP is carrying on a financial services business by engaging in “inducing” conduct (as above)



while providing certain funds management financial services to certain Australian investors. FFSPs that are carrying on a financial services business other than because of inducing conduct will not be eligible to rely on the Funds Management Relief Instrument. Funds management licensing relief will commence on 6 April 2023.We note that at the time of writing the future of the FFSP regime as provided by FAFSLs and the Funds Management Relief Instrument is unclear as the 2021–2022 Australian Federal budget announcements indicate that these aspects of the regime are being considered further (and may be unwound). The Australian Commonwealth Treasury is currently undertaking a consultation process on options that could restore regulatory relief for FFSPs and create a fast-track licensing process for FFSP. The consultation period closed on 30 July 2021. Further details regarding timing and implementation of the outcomes of the consultation process are not yet known. New structuresIn June 2018, the Government passed the Corporations Amendment (Asia Region Funds Passport) Act 2018 (Cth), which incorporates the Asia Region Funds Passport (Passport) into the Corporations Act. The Passport is a region-wide initiative to facilitate the offer of interests in certain collective investment schemes established in Passport member economies to investors in other Passport member economies. It aims to provide Australian fund managers greater access to economies in the Asia-Pacific by reducing existing regulatory hurdles. Australia, Japan, the Republic of Korea, New Zealand and Thailand are all signatories to the Passport’s Memorandum of Cooperation. The Passport officially launched on 1 February 2019 and Australia has passed laws to enable the Passport to operate. Broadly, the Passport requires an eligible fund to apply to its home regulator for a passport and comply with home economy requirements in order to be registered (for Australian funds, this effectively requires registration as a managed investment scheme with ASIC). Once registered, the fund must notify the host regulator and meet host economy requirements relating to disclosure, distribution and complaints handling (for offshore funds wishing to be offered in Australia, this effectively requires compliance with the corresponding obligations for registered managed investment schemes).In addition to the Passport, the Australian Treasury has been consulting on the Corporate Collective Investment Vehicle (CCIV) scheme, which will be a new type of investment vehicle that aims to expand the range of collective investment schemes offered in Australia and will enhance the competitiveness of funds by improving access to overseas markets. The CCIV regime is intended to complement the Passport, which will allow Australian fund managers to pursue overseas investment opportunities through a company structure. Two draft Bills implementing the CCIV regime were released for public consultation in January 2019, but no submissions or reports have been issued to date.

Peter ReevesTel: +61 2 9263 4000 / Email: [email protected] is a partner in Gilbert + Tobin’s (G+T) Corporate Advisory group and leads the Fintech practice at G+T. He is an expert and market-leading practitioner in fintech and financial services regulation. Peter advises domestic and off-shore corporates, financial institutions, funds, managers and other market participants in relation to establishing, structuring and operating financial services sector businesses in Australia. He also advises across a range of issues relevant to the fintech and digital sectors, including platform structuring and establishment, payments, blockchain solutions and digital asset strategies. Chambers and Partners 2021 ranks Peter in Band 1 for Fintech and Peter is also ranked by Chambers and Partners 2021 for Financial Services Regulation.

Robert O’GradyTel: +61 2 9263 4241 / Email: [email protected] is a lawyer in G+T’s Corporate Advisory group with a focus on fintech, payments, digital platforms, financial services regulation, funds establishment and management, credit, anti-money laundering and counter-terrorism financing regulation and technology. Robert has specialist expertise and experience across a range of fintech and digital sectors, including digital platform and markets structuring, establishment and management, payments systems, infrastructure and ecosystems, bespoke digital asset and tokenisation implementation, blockchain applications, challenger lenders and neobanks.

Gilbert + TobinLevel 35, Tower Two, International Towers Sydney, 200 Barangaroo Avenue

Barangaroo, Sydney NSW 2000, AustraliaTel: +61 2 9263 4000 / Fax: +61 2 9263 4111 / URL: www.gtlaw.com.au



Emily ShenTel: +61 2 9263 4000 / Email: [email protected] Shen is a lawyer in G+T’s Corporate Advisory group with a focus on fintech, financial services regulation and funds management. She has been involved in advising a range of clients across the financial services, fintech and digital sectors on issues relating to financial services regulation, payments, digital platforms, crypto and other tokenisation deployments, credit and BNPL, funds establishment and structuring, AML/CTF and blockchain solutions.

BrazilVanêssa Fialdini & Tatiana Facchim Ribeiro

Fialdini Advogados



Despite the COVID-19 pandemic, there have been significant changes to the fintech market in Brazil recently.In November 2020, Brazil successfully managed to implement its instant payments system, named PIX, which is a Brazilian Central Bank-hosted system intended to speed up the availability of funds to the payee, lowering costs and increasing safety. The instant payments ecosystem is intended to reduce the number of intermediaries in the payment chain, favouring a lower acceptance cost and promoting financial inclusion. The enriched data processed along with the payment order will also enable the development of integrated technological solutions and the emergence of new business models, leveraging the market competitiveness and efficiency. PIX proved to be a huge success. Up until May 2020, more than 2 billion transactions had been made through PIX, representing more than BRL 1.4 trillion, and adhesion to the instant payment system increases by the day. Even though the vast majority of the transactions still represent peer-to-peer (P2P) transfers, PIX is becoming more popular as a payment method for commerce and even the government, through the use of QR codes and the recently implemented possibility of collection. Soon-to-be implemented functionalities, such as cashback, NFC and payment in instalments, are also likely to increase acceptance of PIX for business transactions.Another quite significant change to the fintech architecture was the beginning of the implementation of the open banking system, which is expected to bring a whole new range of possibilities for the payment and credit markets. The first phase, which started in February 2021, requires the participant financial institutions to make available to the public standardised information about its products and services, enabling more accurate comparisons and informed choices. The second phase, in which clients are able to request their register data, account transactions, credit card information and credit products purchased to be shared with other financial institutions, boosting competition, began in mid-July. The third phase, expected for late August, will enable the sharing of payment initiation services (PIS) and forwarding of credit offers. Finally, the last phase, expected for mid-December, will include sharing of any type of financial information, including foreign exchange, investments, insurance and other information, upon request from the client.In addition to that, a new receivables registration system entered into force in June 2021, allowing each sales transaction to be registered at a central system and offered as security independently. By keeping a ledger of each registered security, the receivables register system increases the safety and reliability of the guarantees, creating a more beneficial scenario for credit granting.

Fialdini Advogados Brazil


Furthermore, the Securities and Exchange Commission (CVM) continues to work on a bill to simplify the structure of Credit Rights Investment Funds, especially with regard to fund custody and administration. All these initiatives show alignment with market trends and proactivity from regulators in Brazil, favouring an innovation environment in the near future, where infrastructure, customer experience and data protection will probably be the biggest challenges.

Fintech offerings in Brazil

Payments market: The predominant players in the payments market are prepaid and postpaid card issuers on one side, and acquirers, sub-acquirers and independent sales organisations (ISOs) on the other side. Sub-acquirers have diversified in the recent past, but the current tendency is for them to concentrate on specific niches or to offer white-label solutions to retail and credit rights investment funds, on an acquirer-as-a-service model. Wallet service providers are becoming more and more popular and tend to flourish in light of the recent instant payments system.Financial market: In the financial market, digital banks are becoming more and more popular, especially amongst younger customers, along with platform-only credit institutions (known as Sociedade de Crédito Direto or SCD), most of which offer a bank-as-a-service model. However, the granting of loans through online platforms supported by “traditional” (non-fintech) banks is still a broadly used alternative. Crowdfunding loan brokers (Sociedade de Crédito entre Pessoas or SEP) are still less popular, with only a few Central Bank-authorised entities so far.Marketplaces: Marketplaces that intermediate payments and currency exchanges are subject to regulation from the Brazilian Central Bank. Currency exchanges must obtain approval from the Brazilian Central Bank prior to operating, but marketplaces are only subject to regulation after reaching specific volume thresholds. Securities exchanges such as stock exchanges, organised and unorganised over-the-counter exchanges and crowdfunding platforms are subject to regulation by CVM.P2P trading platforms: Only small companies (with an annual revenue of up to BRL 10 million) are entitled to use P2P trading platforms and are entitled to obtain up to BR L5 million. The platforms should be authorised to operate by CVM, but the issuing itself is not subject to prior authorisation.Robo-advisers: Robo-advisers are not specifically regulated in Brazil. CVM applies the same fiduciary duties to robo-advisers as it does to guide human advisers, but that approach brings fragilities, especially in the fulfilment of the duties of suitability, disclosure and loyalty. The soon-to-be-implemented sandbox may help address such issues to increase investors’ protection without threatening the development of these technologies.High-frequency and algorithmic trading: There is no specific rule regarding the creation and usage of high-frequency and algorithmic trading. The use of automated systems or algorithms by fund administrators is subject to the same rules as apply to human-based trading. All market makers must be duly registered at the Brazilian Stock Exchange (B3) and may be accredited to act with one or more assets. Market makers must comply with obligations related to the minimum amount of each offer, as defined by B3. Purchase and sales price offers must fall within a pre-defined spread, which varies according to each asset. Offers from market makers compete equally with other offers, but B3 may grant some benefits to incentivise the market maker activity, such as the exemption of fees. The volume of HFT in Brazil, although still low in comparison to other countries, has been growing rapidly in recent years, representing around 35% of the operations.



Financial research platforms: All individuals and entities that prepare analysis reports regarding securities to be disclosed to the public – even if for clients only – are subject to accreditation by an entity authorised by CVM. Participants are required to abide by a code of conduct and commit to use only trustworthy and legitimate information, subject to penalty.Blockchain: There is currently a significant movement for the adoption of blockchain technology by the financial market players, including for the internal use of regulators, which are evaluating the possibility of using blockchain technology for their internal affairs and for some financial products. There are also study groups in place analysing potential regulation for the use of blockchain to register securities. Blockchain assets are not yet regulated in Brazil. The great challenge is to have Congress pass a law acknowledging blockchain assets as valid and enforceable assets, after which regulators would be entitled to issue rulings for the use thereof.Cryptocurrency: Cryptocurrency exchanges are not regulated in Brazil. Both the Brazilian Central Bank and CVM have issued public statements that they are following up on the market and will intervene only if they believe there is significant risk to the market. Investment in crypto assets by investment funds is not forbidden, but raises additional concerns with regard to unlawful transactions, money laundering and fraud, as well as pricing issues. Initial coin offerings (ICOs) might be compared to the issuing of securities and, as such, are subject to prior approval from CVM. The Brazilian Federal Revenue Office considers cryptocurrency as a financial asset that must be declared on the income tax filing, and which is subject to taxation in case of capital gains.


The regtech market is still in development in Brazil and its providers are not subject to specific regulation. As it is strongly based on automation, machine learning and AI, the great challenge is to keep up to date with the laws and regulations which are constantly changing.Insurance companies, on the other hand, have been making increasing use of technological solutions for the collection, organisation and analysis of statistics and the creation of rules and guidelines upon which the insurance underwriting processes will be based, as well as for the execution of the underwriting process itself, assessing the risks involved and deciding whether to accept or refuse insurance proposals, as well as for the proper setting of premiums, conditions for contracting, coverage and limitation of liability for indemnity purposes.Legislation does not regulate the underwriting process, so insurance companies are free to establish the criteria to be observed, provided that they act in compliance with the general rules applicable to the insurance market. However, in case of refusal of an insurance proposal, the Superintendence of Private Insurance (SUSEP) requires the insurance company to notify the proponent of the results of the assessment and the reason for such refusal. The insurance market in Brazil adopts an extensive classification of types of insurance, all of which are subject to a set of rules that applies irrespective of the type, as well as to general rules of law such as consumer protection, data privacy and anti-money laundering rules. However, each type of insurance is subject to additional specific rulings and standard contractual terms defined by SUSEP shall apply in certain cases (such as guarantee insurance and general civil liability insurance).Every product offered in the insurance market is subject to registration with the regulator. The registration procedure is expedited for those products to which standard contractual terms apply. Occasional changes are permitted, as well as the inclusion of coverage and of specific conditions, but these are subject to prior approval by the regulator.



A Special Committee for Innovation and Insurtech was created in 2017 to promote debate amongst participants of the insurance market on relevant themes relating to technology and innovation, aiming to improve regulation. There has been no relevant change so far, but SUSEP is currently selecting projects under a regulatory sandbox that may boost innovation in the insurance market.

Regulatory bodies

The Brazilian Monetary Council (CMN) and the Brazilian Central Bank regulate participants in both the financial and payments markets. CVM regulates the stocks and securities markets, as well as investment funds. SUSEP regulates private insurance markets.The Administrative Council for Economic Defense (CADE) regulates competition issues. When such issues involve financial or payments entities, both the Brazilian Central Bank and CADE are expected to act jointly.


Key regulations• Payment institutions and payment methods schemes are mainly regulated by Resolução

CMN 4282, Circular BCB 3680, Circular BCB 3681, Circular BCB 3682, Resolução BCB 80 and Resolução BCB 81.

• Fintech credit institutions (SCD and SEP) are mainly regulated by Resolução CMN 4656.• P2P trading platforms are mainly regulated by Instrução CVM 588.• Insurtechs are not subject to specific regulation but must abide by Resolução CNSP 294.Regulatory approachFintech and insurtech regulators in Brazil have been showing alignment with market trends and a great deal of proactivity. All major regulators are conducting their first sandbox cycle to encourage innovation, and new cycles are likely to come if the first experiences prove successful.SUSEP has already selected some projects to be developed within its sandbox and is analysing several other projects, which are likely to boost the insurtech market.CVM and the Brazilian Central Bank regulatory sandboxes selection processes are in progress, with 34 and 52 projects presented, respectively.Furthermore, regulators are constantly updating legislation to modernise and adapt to market movements. Such updates are normally preceded by public hearings where stakeholders are given voice, and many of the manifestations end up reflected at the final version of the relevant piece of legislation. However, Brazil still lacks regulation on incipient issues such as regtechs, fi nancial research platforms, HFT, robo-advisers, cryptocurrency and the use of blockchain, as well as more specific regulation for insurtechs. Fintech activities flourished in Brazil once proper regulation was passed, so a clear position from the regulators on those subjects should have the same effect.

Restrictions

There are no specific restrictions on fintechs’ activities that are any different from the restrictions applicable to non-fintechs. On the contrary, there are some incentives: foreign



investors are required to obtain authorisation from the government to hold equity in “regular” financial institutions, while this requirement is waived for credit fintechs (SCD and SEP). And the regulation on SCD and SEP is lighter than that applicable to most financial institutions.P2P trading platforms are subject to many restrictions as to the size of the companies entitled to obtain funding and the amount that may be raised, but on the other hand public offers made through the platform are exempt from registering at the CVM.


Cross-border transactions must be carried out through currency exchange agreements with entities authorised by the Brazilian Central Bank to operate in the currency exchange market.In that regard, most foreign merchants that sell to Brazil or Brazilian merchants that hire services from abroad engage an international payment facilitator (payfac) to support their businesses by collecting and remitting amounts. It is important to point out that international payfacs are not subject to specific regulation in Brazil, but are subject to the regular foreign exchange rules.

Vanêssa FialdiniTel: +55 11 3097 9991 / Email: [email protected]êssa Fialdini is an expert on fintech, payment markets and technology, and has also been active on corporate finance and capital markets. During her career, she has worked with big companies, financial institutions, payment institutions, insurance companies and technology companies, including startups and scaleups. Vanêssa is currently focused on the legal and regulatory structuring of transactions involving payments, insurance, and technology products, creating solutions to meet clients’ needs. She is also a lecturer and a member of the Banking Law Commission of Instituto dos Advogados de São Paulo (IASP) and the Startups and Scaleups Commission of Instituto Brasileiro de Governança Corporativa (IBGC).

Tatiana Facchim RibeiroTel: +55 11 3097 9991 / Email: [email protected] Facchim Ribeiro is an expert on corporate law, contracts, IP and regulatory issues, with more than a decade of experience in the payments market, providing legal counsel and advice to financial institutions, investment funds, card scheme brands, issuers, acquirers, subacquirers, ISO, gateways, software developers and other fintechs of all sizes, from Brazil and abroad, on the structuring and developing of activities, and the drafting, negotiation and implementation of transactions.

Fialdini AdvogadosAv. Brigadeiro Faria Lima, 1478, cj. 1909 a 1916 – CEP 01451-001, São Paulo / SP, Brazil

Tel: +55 11 3097 9991 / URL: www.fialdiniadvogados.com.br



CanadaBrigitte Goulard, Konata Lake & Molly Reynolds

Torys LLP



Canada has a strong, globally competitive financial sector that has proven to be stable, resilient and well respected. However, compared to other developed countries, Canada has experienced delays in rolling out frameworks, including legislation, that enable the fintech ecosystem to evolve in a way that is reliable and safe for end users, while still allowing them to leverage the power of technology.Fortunately, several key government and regulatory efforts are now gaining momentum and will enable Canadians and fintechs to benefit from the following trends:Banking as a serviceBanking as a service describes a model where regulated financial institutions integrate their digital banking services offering directly into the products of other non-regulated entities. This allows retailers and merchants with a strong brand presence to offer their customers digital banking products (debit cards, loans, etc.) without having to incur the substantial costs of obtaining a banking licence. Although the banking as a service offering is currently not as widespread in Canada as in other jurisdictions, this may change as a result of Canada’s plan to give banks greater flexibility to engage with fintechs, to modernise its payment systems and to introduce an open banking framework.Fintech offerings to small- and medium-sized businesses (“SMBs”)The high number of SMBs in Canada have a significant impact on our economy; their vulnerabilities to downturns such as the pandemic highlight the importance of collaboration between financial institutions, businesses and government to develop fintech solutions to support this segment of the economy. As SMBs reopen following the pandemic, they will be very receptive to new digital platforms enabling them to better, and more profitably, serve their customers. Fintech lending sectorThe fintech lending sector – and, in particular, the Buy Now Pay Later offering, which already has a strong presence – in Canada is expected to continue growing. The non-bank lending platforms (sometimes offered in partnerships with regulated entities) offered by retailers provide consumers an alternative payment method to pay for goods and services, allowing them to pay in instalments, generally without fees or interest. Very attractive from a retailer and customer perspective, these products can be challenging from a regulatory perspective, and could result in more scrutiny from regulators as they continue to thrive in the marketplace.

Torys LLP Canada


Fintech offerings in Canada

The Canadian landscapeThe Canadian fintech ecosystem is internationally competitive. In a recent report, Toronto ranked in 8th place among global cities, while Vancouver, Montréal and Calgary placed 12th, 14th and 16th, respectively.1

From coast to coast, fintechs are relatively well distributed across Canada (based on population concentration). Four hundred and fifteen fintechs are based in Ontario, 103 are based in Québec, 165 are based in Western Canada (with the vast majority of those based in British Columbia) and 14 are based in the Atlantic provinces.2

Canadian jurisdictions are also seeing significant in-bound investment from fintechs. Montréal is one of Canada’s leading fintech hubs and houses a number of key investors. While the Atlantic provinces have relatively smaller hubs, there is significant activity such as a US$2.75 billion acquisition of a St. John’s-based fintech by Nasdaq in late 2019. What is captured in fintech

Fintech is a broad term that captures many different verticals. Each of these verticals are large markets in themselves, differentiated by the problems they aim to solve. The most common (and largest) Canadian fintechs categories in operation are Payments, Lending (personal and SMBs), and Back Office. However, fintechs in regtech (i.e., risk management), wealthtech and Personal Financial Management (“PFM”) are also seeing significant growth. Regtech startups continue to set funding records, wealthtech activity has seen a significant increase in retail and enterprise activity and PFM has responded strongly to the financial challenges of the COVID-19 pandemic, with some PFM fintechs responding particularly well to provide financial support to Canadians in economically uncertain times.The ecosystemAny healthy startup ecosystem needs accelerators to support the growth of established firms and incubators to nurture the earliest stages of a company. While competitive to get into, they provide important services for fintech firms such as expert advice, funding, mentorship, networking and training.3 The funding for such programmes typically comes from a variety of sources including financial institutions and technology companies. Well-known accelerators and incubators in Canada include Innovate Calgary, Ryerson’s Digital

Source: Accenture analysis of Crunchbase, Pitchbook, FinCadence, Maple FGS and CB Insights data.

Torys LLP Canada


Media Zone (“DMZ”), and MaRS Discovery District. DMZ has a specific fintech stream: DMZ-BMO Fintech Accelerator.4

The talentIn 2020, CBRE research assessing tech labour and the ability of markets to score tech talent concluded that tech talent is particularly resilient and has proven to be so during the COVID-19 pandemic. Canada has been benefiting from the fintech “brain gain” (the difference between the number of technology degrees granted versus the number of technology jobs created). Toronto ranked fourth just behind San Francisco Bay Area, Washington, D.C. and Seattle, among 50 of the largest markets which were analysed to create a scorecard ranking them comparatively, using metrics such as market depth, vitality, and attractiveness to companies seeking talent and talent seeking employment. Data from the Business Development Bank of Canada (2018) has also demonstrated that Canada’s skilled foreign workers as a percentage of its population has been on the rise and is six times more concentrated than that of the U.S. (attributable to a progressive labour migration policy). Though the pandemic did see a drop off in immigration, initiatives such as virtual work permits have been proposed as economic stability returns. Also contributing to domestic growth has been the strength of Canada’s university-backed incubator system.5

Regulatory bodies and approaches

The Canadian financial regulatory system is fragmented with oversight of various parts of the financial system divided among a variety of federal and provincial regulators. FederalThe three principal federal regulators of financial institutions are: the Office of the Superintendent of Financial Services (“OSFI”); the Canadian Deposit Insurance Corporation (“CDIC”); and the Financial Consumer Agency of Canada (“FCAC”).Policy surrounding federal financial services legislation is driven by the Department of Finance and, although they work independently from the Department, OSFI, CDIC, FCAC and the Bank of Canada (“BOC”) contribute to the development of Canada’s federal financial services legislative and regulatory framework.OSFIEstablished in 1987, OSFI is an independent agency of the federal government and reports to the Minister of Finance. As Canada’s prudential regulator, OSFI has both a regulatory and supervisory role for more than 400 federally regulated financial institutions and 1,200 pension plans. In its regulatory role, OSFI: develops rules and other guidance; helps to create accounting, auditing and actuarial standards; and provides approvals for certain types of transactions. In its supervisory role, OSFI assesses economic data and trends for issues that could have negative impacts on financial institutions, and, at the same time, assesses financial institutions for weaknesses that could raise solvency or similar critical risks. When such risks are identified, OSFI takes steps to work with an affected institution to address these risks. In September 2020, OSFI released its discussion paper, “Developing Financial Sector Resilience in a Digital World, selected themes in technology and related risks”, with the objective of engaging stakeholders in a discussion on how OSFI can best position its regulatory framework in a complex, rapidly changing digital world. The paper focuses on the following three main themes:• operational risk and resilience, and the need for a holistic assessment of the overarching

regulatory “architecture” for technology and other non-financial risks;

Torys LLP Canada


• understanding technology risk and the role of prudential regulators with respect to technology and data risk management; and

• core principles to guide future regulatory guidance development in relation to three priority areas: cybersecurity; advanced analytics; and the technology third-party eco system.

CDICA federal crown corporation established in 1967, CDIC’s objectives are to:• provide insurance against the loss of part or all of deposits;• promote and otherwise contribute to the stability of the financial system in Canada; and• act for the benefit of depositors while minimising loss.CDIC provides deposit insurance for eligible deposits up to a limit of C$100,000 per insured category at CDIC member institutions. Members include banks, federally regulated credit unions, as well as loan and trust companies and associations governed by the Cooperative Credit Associations Act that take deposits. In addition to savings and chequing accounts, CDIC coverage applies to guaranteed investment certificates with terms less than five years and term deposits. Notable exclusions from coverage include mutual funds, stocks, bonds, exchange traded funds and cryptocurrencies. While eligible deposits at banks and federally incorporated credit unions are covered, deposits at provincially incorporated credit unions are not; rather, they are covered by provincial insurance corporations aligned to the CDIC model. CDIC is funded by premiums paid by member institutions and does not receive any public funds to operate.Recognising that Canadian banks have been rapidly partnering with fintech firms, as well as adopting their own innovation, CDIC identifies on its website the Basel Committee on Banking Supervision’s key observations about the impact of fintech on the banking industry. Recognising that the emergence of fintechs presents a new challenge for CDIC, it reiterates its commitment of actively monitoring the increasing profile of fintechs and the risks they represent to Canadian financial institutions. FCACEstablished in 2001, FCAC is Canada’s federal financial consumer protection regulator and ensures that federally regulated financial institutions comply with their market conduct obligations under federal legislation, regulations, codes of conduct and public commitments. Although the Payment Card Networks Act (“PCNA”) also gives the FCAC the authority to supervise payment card network operators (“PCNOs”), its role is limited in this regard since the PCNA lacks implementing regulations. However, FCAC does supervise PCNOs for compliance with market conduct obligations found in voluntary codes of conduct and public commitments. FCAC also monitors and evaluates trends and issues that may affect financial consumers, educates Canadians about their rights and responsibilities in dealing with financial institutions, and collaborates with stakeholders to contribute to and support initiatives that strengthen the financial literacy of Canadians.FCAC’s role as overseer of market conduct obligations is becoming increasingly challenging as existing market conduct obligations which are designed for a “paper-based” world become impractical at best, and unworkable at worst, in a digital world. Unfortunately, the disclosure-heavy approach, which is not aligned with today’s digital world, was preserved in the recent modernisation efforts of the federal financial consumer protection legislative

Torys LLP Canada


framework. Still not yet in force, the new Framework6 consolidates existing consumer provisions and regulations and strengthens consumer protection provisions that apply to banks and authorised foreign banks under the Bank Act. Amendments introduced as part of the new Framework also enhanced FCAC’s powers, most notably by increasing the maximum penalty size available for violations and requiring the FCAC to name institutions following a finding of a violation. The BOCAlthough not considered a financial institutions regulator, the BOC plays an important role in fostering a stable and efficient financial system. The BOC accomplishes this objective by:• providing central banking services, including liquidity and lender-of-last-resort

facilities;• overseeing and acting as the resolution authority for critical financial market

infrastructures;• conducting and publishing analyses and research; and• helping to develop and implement policy.Under the Payment Clearing and Settlement Act, the BOC conducts regulatory oversight of and acts as the resolution authority for designated financial market infrastructures, such as Canada’s Large Value Transfer System (“LVTS”), the Automated Clearing Settlement System (“ACSS”) and other clearing and settlement systems, which are owned and managed by Payments Canada, a public-purpose, non-profit organisation funded by the members that participate in its systems. The Bank’s role in Canada’s payment systems is poised to further expand with the recent introduction of the new retail payment oversight framework which is examined in more detail below.The Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”)Canada’s financial intelligence unit, FINTRAC, focuses on detecting, preventing, and deterring money laundering and the financing of terrorist activities. FINTRAC fulfils this mandate by engaging in a range of activities including data gathering and analysis (most notably receiving financial transaction reports and voluntary information in accordance with the legislation and regulations) and ensuring compliance by reporting entities with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”).Under the PCMLTFA, a “money services business” (“MSB”) is required to fulfil certain obligations as a reporting entity. This includes registering the MSB’s business with FINTRAC (Canada’s regulator responsible for ensuring compliance with the PCMLTFA), fulfilling reporting and recordkeeping requirements, conducting know-your-client identi-fication, and having a compliance programme. As of June 1, 2021, amendments to the PCMLTFA have expanded the MSB category of reporting entities to include entities dealing in virtual currencies and foreign exchange dealing entities. These amendments bring within scope certain fintechs, both in and outside Canada, that were not previously subject to the PCMLTFA. FINTRAC considers “dealing in virtual currencies” to include both virtual currency exchange services and virtual currency transfer services. These legislative amendments, along with corresponding regulatory guidance from FINTRAC, have significant implications for the regulation of fintechs dealing in digital currencies. In particular, this amendment expands the application of anti-money laundering laws to entities that may not have previously been subject to the PCMTLFA; namely, fintechs (for example, cryptocurrency trading platforms and exchanges).

Torys LLP Canada


Under the new rules for foreign MSBs, businesses dealing in virtual currencies without a place of business in Canada who direct their services at persons or entities in Canada and provide these services to clients in Canada are now subject to the PCMLTFA. This change also has implications for virtual currency exchanges as many operate outside of Canada while servicing Canadian clients.One of the related amendments to the PCMLTFA is the new obligation for all reporting entities to keep “large virtual currency transaction records” for amounts received in virtual currency of C$10,000 or more in a single transaction, or across several virtual currency transactions that equal C$10,000 or more within a 24-hour period. Such records must include the identity of the person from whom the amount was received, as well as other prescribed information including the date, amount and type of currency and exchange rate. Reporting entities must also file large virtual currency transaction reports in certain circumstances, including where the reporting entity receives virtual currency that can be exchanged for C$10,000 or more in cash in the course of a single transaction, or across several virtual currency transactions that equal C$10,000 or more within a 24-hour period. These reports are not required for amounts received from another financial entity or public body, or a person acting on their behalf. As with the expansion of the MSB concept noted above, this amendment to reporting requirements is most likely to impact fintechs.Office of the Privacy Commissioner of Canada (“OPC”)The OPC administers the Personal Information Protection and Electronic Documents Act (“PIPEDA”). PIPEDA applies to federal and provincial businesses in respect of personal information collected, used or disclosed in the course of commercial activity, and to the personal information of employees of federal works, undertakings or businesses (such as banks). PIPEDA has extra-territorial jurisdiction to the extent that a foreign organisation is handling personal information of Canadians or within Canada. PIPEDA may not apply to certain organisations that process personal information entirely within British Columbia, Alberta and Québec that have substantially similar provincial privacy laws. PIPEDA incorporates the 10 fair information processing principles contained in the Canadian Standards Association’s Model Code for the Protection of Personal Information. Among these is the core principle that an individual’s knowledge and consent are required for the collection, use or disclosure of personal information, except where this knowledge and consent are inappropriate (such as in emergencies, or to comply with court orders). The OPC can audit organisations to ensure that they comply with the legislation’s requirements. Individuals can file complaints for investigation by the OPC and have the right to apply to court for a hearing and remedies, which may include an award of damages and an order for the business to change its practices. Obstructing the Privacy Commissioner’s audit or investigation is an offence punishable by a fine of up to C$100,000. Organisations subject to PIPEDA or the Alberta Personal Information Protection Act must notify the regulator and affected individuals of breaches of personal information that create a “real risk of significant harm” to an individual. Organisations must keep internal records of all privacy breaches (even those not reported) for two years to facilitate regulatory audits and the identification of systemic privacy flaws. Non-compliance with breach reporting obligations can result in fines of up to C$100,000.The federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020, into Parliament. Bill C-11 proposes to replace PIPEDA with the Consumer Privacy Protection Act (“CPPA”) and create a new administrative tribunal, the Personal Information and Data Protection Tribunal. Among other changes, CPPA proposes to: (a) impose

Torys LLP Canada


algorithmic transparency requirements; (b) introduce new data subject rights, including the right to data portability (this right aligns with the ongoing Canadian consumer-directed finance proposals); and (c) expand the OPC’s powers, including the ability to impose mandatory orders and to recommend that the Tribunal impose financial penalties of up to C$10 million or 3% of an organisation’s gross global annual revenue for contravention of processing provisions and certain security safeguard provisions.Additionally, at the time of writing, the federal government had recently announced in its 2021 budget that it intends to move forward with plans to create a new federal Data Commissioner role. The government noted that the Data Commissioner’s mandate is to “inform government and business approaches to data-driven issues to help protect people’s personal data and to encourage innovation in the digital marketplace”.Provincial regulatorsConsumer protection regulatorsProvincial agencies or administrative bodies responsible for consumer protection oversee the market conduct obligations of provincially incorporated businesses, including provincially regulated financial institutions/services such as mortgage brokering activities, credit unions, and payday lenders. In a 2014 decision, Canada’s Supreme Court held that banks must comply with disclosure requirements under both the federal Bank Act and applicable provincial consumer protection acts. This gives the provinces leeway to impose disclosure requirements on federally regulated institutions as long as such requirements neither conflict with the federal legislation nor the purpose of such (it was previously believed that federally regulated institutions were exempted from such requirements). Provincial regulators have similar investigative and enforcement tools with which to respond to consumer complaints. Depending on their activities, fintechs are subject to provincial consumer protection law requirements such as provisions in respect of payment card fees, expiry dates and disclosures for open-loop, closed-loop and gift cards, as well as rules with respect to contracts not made in person (e.g., internet contracts). Enforcement tends to aim at resolution of complaints but can include compliance orders, fines, and prosecution.SecuritiesProvincial securities commissions regulate the securities markets with a focus on investor protection and ensuring efficient markets. The securities commissions oversee securities trading, registration requirements for participants, continuous disclosure requirements, and enforcement of securities legislation and rules. Self-regulatory organisations also play a role in securities regulation. The Investment Industry Regulatory Organization of Canada (“IIROC”), overseeing investment dealers, and the Mutual Fund Dealers Association of Canada (“MFDA”), regulating mutual fund dealers, are two examples.Canadian securities regulators have identified as a priority the need to develop and maintain a responsive and aligned regulatory framework to address fintech and other market innovation, while recognising potential benefits and economic opportunities for Canadian businesses that may come from innovation and disruption in the financial services industry. To date, Canadian securities regulators have applied the existing securities regulatory framework to these innovative products and services rather than providing blanket exemptions or exclusions. For example, in 2021, the Canadian securities regulators have taken a number of steps to highlight the risks associated with crypto assets, asserting their oversight of crypto asset trading platforms to bring crypto firms engaging in dealer or marketplace

Torys LLP Canada


activities into compliance with securities laws. This recent work has included developing tailored regulatory approaches to domestic platforms and taking enforcement action against unregistered foreign entities. Fintech businesses have been encouraged to engage with staff of the Canadian securities regulators through a “regulatory sandbox” to discuss novel products and services, the anticipated treatment under applicable securities laws, and to obtain any required approvals and/or exemptive relief to operate in Canada. Areas where new business models have obtained securities regulatory clearances include peer-to-peer lending platforms, startup and venture introduction and capital raising platforms, and online advisory services. Notably, the Canadian securities regulators have also permitted the establishment of exchange-traded funds that invest in bitcoin and other cryptocurrencies, while adopting a restrictive approach to retail distribution of more speculative tokens or initial coin offerings (where compliance with prospectus and dealer/advisor registration requirements is mandated on the basis that these instruments are properly characterised as securities). The regulatory sandbox is also available for discussions with regtech services providers developing solutions that support regulated entities in the financial services industry (including regulatory monitoring, reporting and compliance services), although these services would not be subject to the oversight of Canadian securities regulators.

Regulatory technology

InsuranceAfter a slow start in Canada, insuretech is starting to advance in both the property and casualty and life and health insurance sectors. From underwriting and acquisition, to claims and administration, all aspects of the businesses of each sector are impacted. That said, in 2019, only 12.2% of property and casualty insurers sold insurance through digital channels and only 1.3% of all property and casualty insurance policies were sold online. Forty-six per cent of life and health insurers sold insurance online with only 1% of policy sales completed online.7

The regulation of insurance in Canada is a matter of shared jurisdiction between the provinces and territories and the federal government. Market conduct and regulatory matters most germane to InsureTech fall to provincial/territorial regulation. This has resulted in a lack of harmonisation across the country in the rules applicable to InsureTech. By way of example, something as simple as the electronic proof of automobile insurance is not uniformly accepted across the country, with some, but not all, provinces having adopted measures to allow drivers to provide electronic proof of insurance on devices such as their smartphones. Most notably, L’Autorité des marchés financiers, Québec’s financial market regulator, adopted the Regulation respecting Alternative Distribution Methods. The regulation, which came into effect in June 2019, is intended to clarify the rules applicable to insurers and intermediaries selling insurance through digital means. The regulation also requires online aggregators and comparison-shopping sites to become licensed as insurance intermediaries under most circumstances. The regulation is unlike any other presently in effect in Canada. While intended to support innovation and new distribution approaches, the regulation is prescriptive and rule-based, with significant implications for website and application architecture. The effect has been a retreat of some online and digital insurance offerings previously available in this province.The Province of British Columbia recently enacted amendments to its Financial Institutions Act. These amendments, among other things, allow the BC regulator to make rules regarding

Torys LLP Canada


insurance issued through “electronic agents”. Those rules have not yet been released for public consultation and it is unclear if they will align with the regulation that has been adopted in Québec.The principles for the “Fair Treatment of Customers”8 remain the primary stated concern of market conduct regulators across the country. The regulatory expectations are that both insurers and intermediaries must embed into their operations and cultures principles for the fair treatment of customers.9 These principles must be applied before a contract is entered into and through to the point at which all obligations under the contract have been satisfied. While these are the stated regulatory expectations, no specific laws or regulations have been adopted to explicitly incorporate the core principles into enforceable and clearly articulated requirements. The expectation applies to both InsureTech and traditional approaches and channels.Digital identityIn September, the Digital ID and Authentication Council of Canada (“DIACC”) launched the Pan-Canadian Trust Framework (“PCTF”), a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada. The alpha testing will inform the launch of DIACC’s PCTF Voila Verified Trustmark Assurance Program, set to launch sometime in 2021. The Ontario government has also announced plans to roll out an optional digital ID for business and individuals in late 2021.

Regulatory developments

Recognising the imperative for a modern payment system that is fast, flexible, secure and promotes innovation, the federal government and Payments Canada are currently leading four significant initiatives which will further accelerate the growth of the Canadian fintech ecosystem.Bank Act amendments to promote innovationAs part of the 2018 Federal Budget, the Bank Act (Canada), Insurance Companies Act (Canada) and Trust and Loan Companies Act (Canada) were amended to support innovation and competition in the Canadian financial sector. These amendments will provide Canadian federal financial institutions with broad new powers to: provide referrals of their customers to fintechs; engage in collecting, manipulating and transmitting information, as well as to engage in a broad range of technology-related activities without any regulatory approval (subject to potential restrictions in regulations); commercialise activities developed in-house and provide them to third parties (subject to potential restrictions in regulations); and invest in entities a “majority” of whose activities consist of financial services activities that a financial institution is permitted to carry on (subject to new regulations that will define the meaning of majority and may impose other restrictions). We would note that while these amendments have been passed, they will not come into force until accompanying regulations are published. As of the time of writing, drafts of those regulations have not yet been published and our expectation is that these provisions will not come into force until at least mid-2022. Open bankingWith an estimated 3.5 to 4 million Canadians already using data-driven services to manage their finances, most often sharing their data through screen-scraping, the federal government recognises that open banking is here to stay and is currently developing its open banking

Torys LLP Canada


framework. In 2018, the Minister of Finance appointed the Advisory Committee on Open Banking (“Committee”) to review the merits of open banking. In 2020, the Minister of Finance released the Committee’s first phase report, “Consumer-directed finance: the future of financial services” (report), which announced that the government will move forward to enable consumer-directed finance.10 The Committee recommended that Canada’s consumer-directed finance should:• focus on enabling consumer choice and meaningful control. Consumers, including

small businesses, should be able to securely direct and control the use of their data in ways that benefit them;

• be secure, respect and enhance privacy, and be an improvement over the status quo;• provide a clear and straightforward accountability mechanism for consumers and a

means to ensure that liability rests with the appropriate party; and• be guided by innovation which is founded on a safe, secure and standardised data-

sharing mechanism.At the end of 2020, the Committee held its phase two consultations with stakeholders that focused on: (a) identifying potential solutions and standards that enhance consumer privacy and security; and (b) the role of a regulator. In May 2021, the Committee presented its second consultation report to the Minister of Finance, who, as of the time of writing, has yet to release the report publicly. Payments modernisationEstablished by the Canadian Payments Act (the “CPA”) in 1980, Payments Canada is a non-profit organisation funded by banks and other deposit-taking institutions. Its legislated mandate includes the following objectives:• Establish and operate national systems for the clearing and settlement of payments and

other arrangements for the making or exchange of payments.• Facilitate the interaction of its clearing and settlement systems and related arrangements

with other systems or arrangements involved in the exchange, clearing or settlement of payments.

• Facilitate the development of new payment methods and technologies.The CPA also authorises Payments Canada to set rules for the daily operations of participants in its national clearing and settlement systems. The Minister of Finance is granted a range of powers, including to issue directives to make, amend or repeal a bylaw, rule, or standard.Payments Canada is in the midst of a multi-year modernisation programme to ensure that Canada’s payment infrastructure is equipped to support innovation, the economy and Canada’s global position. Payments Canada’s Modernization Plan focuses on three deliverables. Retail batch paymentsIn 2020, Payments Canada completed the upgrades to Canada’s existing retail batch system, the ACSS and the U.S. Bulk Exchange, which runs parallel to the ACSS. The work included refreshing existing functionalities and business processes and introducing new and efficient capabilities, such as:• data-rich payments to streamline reconciliation and enable straight-through processing;• the ability to exchange same-day batch payments, which introduces new business opportunities;• increased automation and improved risk management;• the ability to make last-minute, time-sensitive payments;• more frequent daily exchanges, meaning faster funds availability; and• the introduction of a third daily exchange window, increasing convenience for Western

Canada.

Torys LLP Canada


Introduction of a new High-Value Payments System (“LYNXˮ)The LVTS is expected to be replaced in 2021 by the new LYNX system. LYNX will be a real-time gross settlement system that enables the use of the data-rich ISO 20022 messaging standard and includes an enhanced risk model to comply with Canadian and international risk standards. Introduction of a new Real-Time Payments System (“RTRˮ)Operated by Payments Canada and to be regulated by the BOC, Canada’s new RTR to be launched in 2022 will allow Canadians to initiate payments and receive irrevocable funds in seconds at any time. The RTR will have two main components: the RTR Exchange; and the RTR Clearing and Settlement. The RTR Exchange will facilitate the real-time exchange of payment messages, while the RTR Clearing and Settlement will perform the real-time clearing and settlement of transactions. The RTR will provide for immediate benefits, including: • 24/7/365 availability; • real-time message exchange, where payment and transaction processing and settlement

will be fully completed within seconds; • immediate payment finality for payors and payees; and • support for the ISO 20022 messaging standard.The use of the ISO 20022 standard represents an opportunity for payment service providers (“PSPs”) to better understand user behaviour through data analytics, implement safeguards against potentially fraudulent behaviour (through more robust fraud detection algorithms), and develop new customer-facing services or products that are responsive to customer needs. For now, direct participation in the RTR will be available only to financial institutions and members of Payments Canada. The Department of Finance, however, has proposed to expand the scope of membership to include PSPs, but only after the implementation of the new regulatory regime for payments service providers which is examined below.Regulatory regime for PSPsIn April 2021, the federal government took the first step in creating a new regime for PSPs when it tabled the long-awaited Retail Payments Activities Act (“RPAA”). The BOC, who will take on the role of regulator, will oversee “any retail payment activity that is performed by a payment service provider” with a place of business in Canada or by a PSP outside of Canada but which directs retail payment activities for a Canadian end user (natural persons and businesses). A “retail payment activity” is defined as a “payment function” that is performed in relation to an electronic funds transfer made in Canadian currency or the currency of another country or using a unit that meets prescribed criteria. A “payment function” refers to:• the provision or maintenance of an account that, in relation to an “electronic funds

transfer, is made on behalf of end users;• the holding of funds on behalf of end users until they are withdrawn or transferred to

another individual or entity;• the initiation of an “electronic funds transfer” at the request of an end user;• the authorisation of an “electronic funds transfer” or the transmission, reception or

facilitation of an instruction in relation to an “electronic funds transfer”; or• the provision of clearing or settlement services. Equally as key as to whom the RPAA applies, is who is specifically excluded from its application: • regulated entities such as federally or provincial regulated entities, provincial governments

that accept deposits, the BOC and the Canadian Payments Association;

Torys LLP Canada


• certain classes of closed-loop, stored-value and prepaid cards; • cash withdrawals from ATMs;• agents and mandataries of PSPs; and• electronic funds transfers that are made for the purpose of giving effect to an eligible

financial contract such a derivatives and securities lending agreements.Where the RPAA applies, PSPs will have to register with the BOC before engaging in retail payments activities, and provide prescribed information including details on the scope of their business and the services they plan on providing, the number of end users, the safeguard mechanisms for any funds held on behalf of users, a declaration as to whether it is registered with FINTRAC, and details on their mandatory operational risk and incident response framework. PSP applications may be rejected for national security reasons if they are incomplete or contain false or misleading information or if a PSP is not registered as an MSB under the PCMLTFA. PSPs will be subject to three key requirements:1. Establish, implement and maintain a risk management and incident response framework to

identify and mitigate operational risks and to respond to incidents. If a material adverse operational incident occurs which results or is expected to result in the reduction, deterioration or breakdown of any retail payment activity, a PSP will have to notify the affected parties and the BOC.

2. Where the PSP holds end user funds, it will be required to hold such funds in a segregated trust account or an account that is solely used for that purpose and that is insured or guaranteed.

3. Provide various reports to the BOC, including prior notification where a change or a new service is expected to have a material impact on operational risk or how end-user funds are safeguarded.

The RPAA also provides the BOC with a range of enforcement tools to verify and encourage compliance, including administrative and monetary penalties up to a maximum of C$10 million. Since a PSP will be responsible for the acts committed by its employees and its third-party service providers, it will be crucial that the PSP establishes the appropriate oversight mechanisms to address these risks.

Canadian Central Bank Digital Currency

In response to the rising popularity of digital tokens or cryptocurrencies, like many central banks, the BOC has been working with industry and academia to design a Central Bank Digital Currency (“CBDC”) as a protective measure against decentralised technologies that challenge the traditional monetary policy transmission systems.11 The BOC has confirmed that it is well into the development process of a CBDC and is exploring the challenges and opportunities of CBDCs, but sees no rush in implementing one anytime soon.12 Some important policy considerations the BOC has expressed are safety, universal accessibility, privacy, resilience, competition and efficiency, and monetary sovereignty.13 It is also important to consider the legal safeguards for data protection when data is concentrated in the hands of a single entity. The BOC issued a policy note in 2020 discussing the spectrum of CBDC privacy concerns and some potential solutions; however, nothing has officially been decided on yet.14

In order to implement a CBDC, the BOC, as well as other central banks, must seek legislative amendments to current laws and regulation. Even if a digital banknote is a “banknote” that may be issued by a central bank under its note-issuing power,15 legislation and regulation as to distribution and transfers must be passed, defining the roles of commercial banks in the

Torys LLP Canada


process. Legal tender legislation must also be reviewed. The International Monetary Fund has affirmed the importance of properly legislating the necessary domestic legal reforms to issue CBDCs in order to establish strong legal foundations, ensuring the continued integrity of monetary law and policies.16

The Bank of International Settlement recommends17 that CBDCs would best function in a system where central banks and the private sector collaborate, which will encourage commercial banks, credit companies, and digital payment processors to work in partnership with central banks and governments in designing Canada’s digital economic future.18 Aligned with this recommendation, the BOC will work closely with stakeholders, including the private sector, to help inform the design of Canada’s CBDC.

* * *

Endnotes1. https://www.accenture.com/_acnmedia/PDF-149/Accenture-Fintech-report-2020.pdf.2. Page 8: https://www.accenture.com/_acnmedia/PDF-149/Accenture-Fintech-report-2020.

pdf.3. Page 4: “Overview of Fintech in Canada”.4. https://dmz.ryerson.ca/programs/fintech.5. https://www.cbre.us/research-and-reports/Scoring-Tech-Talent-in-North-America-2020.6. Amendments to the Financial Consumer Agency of Canada Act (“FCAC Act”) and to

the Bank Act included in Bill C-86, Budget Implementation Act, 2018, No. 2 (“C-86”).7. Canadian Council of Insurance Regulators, 2019 Annual Statement on Market Conduct,

(December 2020).8. Derived from the International Association of Insurance Supervisors Insurance Core

Principle 19. 9. This means, among other things, due regard paid to the interests and needs of customers,

with accurate and clear information provided to customers, advice given of a high quality and complaints dealt with in a fair and timely manner.

10. https://www.canada.ca/en/department-finance/programs/consultations/2019/open-banking/report.html. The Committee found during its consultation the term “open banking” is often misunderstood and that “consumer-directed finance” more accurately reflects what is intended, providing better control over and protection of their financial data.

11. Ana Pereira, “U of T researchers design Canada’s first digital currency” (4 April 2021), online: The Varsity, http://www.thevarsity.ca/2021/04/04/u-of-t-researchers-design-canadas-first-digital-currency/.

12. Julie Gordon, “Work on digital currency well underway, but no need to issue it just yet: Bank of Canada” (26 May 2021), online: Financial Post, http://www.financialpost.com/news/economy/bank-of-canada-does-not-see-currently-see-strong-case-for-issuing-digital-currency.

13. Bank of Canada, “Contingency Planning for a Central Bank Digital Currency” (25 February 2020), online: Bank of Canada, http://www.bankofcanada.ca/2020/02/contingency-planning-central-bank-digital-currency/.

14. Bank of Canada “Central banks and BIS publish first central bank digital currency (CBDC) report laying out key requirements” (9 October 2020), online: Bank of Canada, http://www.bankofcanada.ca/2020/10/central-banks-and-bis-publish-first-central-bank-digital-currency-cbdc-report/.

Torys LLP Canada


15. As argued by Benjamin Geva, Corinne Zellweger-Gutknecht, and Seraina Grünewald; “The E-banknote as a ‘Banknote’: A Monetary Law Interpreted”, forthcoming, in the Oxford Journal of Legal Studies (“OxJLS”).

16. Bossu et al., “Legal Aspects of Central Bank Digital Currency: Central Bank and Monetary Law Consideration” (2020), International Monetary Fund Working Paper WP/20/254.

17. Bank of International Settlement, CBDCs, an opportunity for the monetary system, Annual Economic Report 2021 Chapter III (June 2021), http://www.bis.org/publ/arpdf/ar2021e3.htm. BIS paper.

18. Supra note 8.

* * *

Acknowledgments

The authors would like to acknowledge the invaluable contribution of their colleagues Peter Aziz, Jill McCutcheon, Glen Johnson, Ronak Shah, Marissa Daniels, William Walters, Eli Monas, Marko Trivun and Robin Asgari in the preparation of this chapter.

Brigitte GoulardTel: +1 416 865 8129 / Email: [email protected] is senior counsel, co-head of the firm’s Consumer Protection Practice and co-head of the firm’s Fintech Practice. She has more than 25 years of experience working in the financial services sector, including the banking, insurance, and financial cooperative sector. Her practice focuses on consumer protection matters and regulatory issues relating to financial institutions and government-related matters.Brigitte’s role as the former Deputy Commissioner of the federal regulatory agency, the Financial Consumer Agency of Canada, and her extensive experience in public policy and advocacy with various associations gives her significant insight and knowledge in legislative and regulatory processes, and in the workings of government in general.

Konata LakeTel: +1 416 865 7677 / Email: [email protected] is a partner and head of the firm’s Emerging Companies and Venture Capital Group. Konata advises founders, investors and other strategic and financial parties in all aspects of investing and divestiture transactions, including shareholders arrangements, majority and minority equity investments and joint ventures. Konata spent over two years practising in New York City both in the firm’s New York office and at a large international law firm.

Torys LLP79 Wellington St. W., 30th Floor (deliveries) / 33rd Floor (reception), Box 270, TD South Tower, Toronto,

Ontario, M5K 1N2, CanadaTel: +1 416 865 0040 / Fax: +1 416 865 7380 / URL: www.torys.com


Torys LLP Canada

Molly ReynoldsTel: +1 416 865 8135 / Email: [email protected] Molly is counsel at the firm, and her practice focuses on digital innovation, cybersecurity, data protection and ethics, and privacy litigation. She regularly advises clients on privacy law compliance in their businesses and in the context of commercial transactions, as well as on data security best practices, breach response, regulatory investigations, and privacy class-action defence. She represents clients in administrative proceedings under access to information, anti-spam, and privacy legislation, as well as in the context of civil litigation. Her dual call allows her to provide advice on personal information handling and marketing regimes that reflect and comply with Canadian and American privacy legislation.

ChinaJun Wan, Xun Li & Ye Li

Han Kun Law Offices



From the Decision of the State Council on Reform of the Financial System (有关金融体制改革的决定) promulgated by the State Council of China in 1993, which states the requirement “to accelerate the construction of electronic finance and popularize the application and development of computers”, to Some Opinions on Promoting Combination of Science and Technology with Finance to Speed up Implementation of Independent Innovation Strategies (关于促进科技和金融结合加快实施自主创新战略的若干意见) issued jointly by the State Administration of Taxation, the Ministry of Finance, the Ministry of Science and Technology, the China Insurance Regulatory Commission (the “CIRC”), the China Banking Regulatory Commission (the “CBRC”), the China Securities Regulatory Commission (the “CSRC”), the State-owned Assets Supervision and Administration Commission of the State Council and the People’s Bank of China (the “PBOC”), which indicates the aim “to fully recognize the importance of the combination of science and technology with financial services”, China has always taken a positive, supportive and encouraging attitude towards FinTech. However, encouragement does not mean no restriction. In the course of its development in China, FinTech is usually restricted by the supervisory policies issued in succession, the promulgation of which means FinTech maintains a strong vitality. In 2019, the PBOC issued Notice by the People’s Bank of China of Issuing the FinTech Development Plan (2019–2021) (金融科技 (FinTech) 发展规划 (2019–2021年)) (the “FinTech Development Plan”), which not only specifies the guiding ideology, basic principles, development goals, key tasks and supportive measures from 2019–2021, but also indicates that “FinTech is technologically enabled innovation in financial services”.The development of FinTech has improved the accessibility of financial services, involved more micro- and small-sized entities in financial activities, reduced the concentration of risk and improved the risk pricing, as well as the risk management capabilities through the application of big data, artificial intelligence, etc. However, when providing cross-market, cross-institution, and cross-regional financial services, FinTech will also make the risks inherent in the financial services industry more contagious and spread to a wider area at a higher speed. Therefore, for the purposes of promoting the sound and sustainable development of FinTech, it is necessary to conduct effective supervision accordingly. China used to apply the institutional supervision model on the traditional financial services industry, which now faces challenges along with the integration of the financial services industry brought about by the development of FinTech. The continuous innovation of financial products gradually breaks the business barrier between financial institutions, leading to the formation of cross-market associations and cross-industry linkage characteristics in relation to the operation of the financial market. As FinTech grows rapidly, the importance

Han Kun Law Offices China


of supervision becomes more prominent. The intelligence and technological qualities of FinTech require corresponding governance and supporting mechanisms to ensure the better integration of technology, Internet and finance, which in turn improves the efficiency of financial services.The year of 2020 was considered a new era of strengthened supervision of FinTech by PRC regulatory authorities. The outbreak of COVID-19 accelerated the digital transformation of the financial services industry and boosted the development of FinTech. In the meantime, issues such as regulatory arbitrage, financial risks, data security and consumer protection have also been fully recognised by regulatory authorities with a number of regulations and rules issued or published for comments.

FinTech offering in China

Although FinTech did not originate in China, the country has seen several years of rapid development and is now one of the countries with the richest variety of FinTech products and the most advanced related technologies.According to the FinTech Development Plan of August 2019, the official definition of FinTech adopted by the Chinese government is: “Financial innovation driven by technology, which aims to use modern scientific and technological achievements to transform or innovate financial products, business models and business processes, and promote the quality and efficiency of the financial services industry.”By reference to the definitions of FinTech provided by the Financial Stability Board (“FSB”) and other leading international organisations, and according to the current market practices of the Chinese FinTech industry, the FinTech products currently offered in China mainly include the following categories:Payment, clearing and settlementThis mainly includes online payment services, offline QR code-based payment services, and the clearing system developed for innovative Internet-based payment services (i.e. NetsUnion Clearing Corporation (网联清算有限公司)). It is worth noting that the PBOC is currently working on the development of the central bank digital currency and is promoting the launch of pilot programmes in several cities. However, the Chinese government has an extremely conservative attitude towards unofficial digital currency, and explicitly prohibits the issuance, circulation and relating financing activities of unofficial digital currency. It does, however, encourage the utilisation of blockchain technology in the real economy.Deposits, lending and financingThis mainly includes Internet banking, peer-to-peer (“P2P”) lending information interm-ediaries, Internet loans (e.g. consumer financing, micro-credit lending, supply chain financing, etc.), loan facilitation services, crowdfunding, etc. In particular, due to uncontrollable risks and frequently occurring risk events in recent years, P2P and crowdfunding has gradually faded out of the Chinese FinTech market and are no longer the core products in the Chinese FinTech industry. According to the announcement of governmental authorities, all P2P intermediaries have been closed down as of the end of 2020. Investment managementThis mainly includes Internet wealth management, Internet securities, Internet insurance, Internet funds, intelligent investment advisors, etc.



With the rapid development of related technologies such as machine learning, cloud computing and big data, the services related to investment management have been vested with more technical attributes, and have become one of the most popular fields in the Chinese FinTech market.Underlying technical servicesThis mainly includes artificial intelligence (such as algorithm models, financing automation, etc.), data application (big data analysis, machine learning, forecasting modelling), distributed accounting technology (blockchain, intelligent contracts), security authentication (user identification, identity authentication), cloud computing, Internet of things, new algorithms (secure multi-party computation, federated learning), etc.


Development of RegTech in ChinaCompared to in the UK and USA, where RegTech originated, in China RegTech is still in the early stages of development. Many aspects of the application of RegTech have yet to be explored, and greater scope for development is expected in the future. In respect of regulatory authorities, on 15 May 2017, the PBOC set up the Financial Technology Committee to actively utilise technologies such as big data, artificial intelligence and cloud computing to improve financial regulatory methods, and to enhance the ability to identify, prevent and resolve cross-market risks and strengthen the application and practice of RegTech.In respect of practices, Chinese financial regulatory agencies are also exploring the application and development of RegTech. For example, the second-generation system of anti-money laundering monitoring and analysis that the PBOC has spent three years developing has been gradually launched in financial institutions since 2019 and the CSRC has gradually begun to use big data analysis technology to find out clues to cases and combat insider trading.Development of insurance technology in ChinaThe development of insurance technology in China is mainly reflected in the field of insurance sales. In China, the traditional insurance sales model is mainly offline sales, which is usually a one-on-one introduction to the customer by the insurance sales staff. However, with the rapid development of Internet technology, the digitalisation of insurance sales has led the development trend of the insurance industry in recent years. The whole process of insurance, including information consulting, insuring, fee repayment, underwriting, insurance acceptance, insurance information inquiry, preservation change, renewal, claims and payment, is networked through technical means, which not only greatly enhances the convenience of insurance sales and user experience, but also promotes the fast development of the insurance products closely related to e-commerce (such as delay insurance and freight insurance).In addition to insurance sales, another important application of insurance technology is insurance risk control. Technology companies provide risk scores to insurance companies based on big data analysis and modelling to help improve the risk control ability of insurance companies.At the end of 2020, the China Banking and Insurance Regulatory Commission (the “CBIRC”, consolidated by CBRC and CIRC) issued the Measures for the Supervision of Internet Insurance Business (互联网保险业务监管办法, the “Insurance Supervision Measures”) which replaced the outdated interim measures and has become the framework regulatory policy in the field of insurance technology. The new rules take requirements on Internet



insurance contemplated in several other sets of rules issued previously and aim to further regulate non-compliance activities due to the rapid development of insurance technology. In addition, laws and regulations in relation to personal data protection have a significant impact on the application of data in the field of insurance technology.

Regulatory bodies

Similar to the regulatory approaches adopted by most of the countries in the world, China has not set up or appointed an independent supervisory authority for the regulation of the FinTech industry.Rather, the relevant businesses of the FinTech industry, based on the specific attributes of the corresponding financial services, shall be subject to the supervision of the traditional financial regulatory authorities. In particular: the CBIRC shall be responsible for the supervision of FinTech businesses which rely on services (or similar services) provided by commercial banks (such as Internet banking, Internet lending, P2P lending, etc.) and insurance companies (such as Internet insurance); the CSRC shall be responsible for the supervision of FinTech businesses which are related to investments in the securities markets, such as Internet funds, Internet securities, intelligent investment advisors, etc.; and the PBOC shall be responsible for the supervision of FinTech businesses related to the issuance, circulation and clearing/settlement of currencies such as third-party payment services, digital currency, etc. In addition, local governments in China also play an important role in regulating the FinTech industry. For P2P platforms and other “quasi-financial businesses” such as financing leasing, financing guarantee and factoring, traditional financial regulatory authorities (i.e. the CBIRC, CSRC and PBOC) will usually not be directly involved in the regulation, but will delegate the relevant regulatory authority to the local financial regulatory bureaus of local governments.Following the principle of “separate supervision”, the PBOC plays a leading and coordinating role among the regulatory authorities in the supervision of the FinTech industry, and will control the development direction and supervisory approaches of the FinTech industry from a more macroscopic perspective. For instance, The Guiding Opinions on Promoting the Healthy Development of Internet Finance (关于促进互联网金融健康发展的指导意见) (the “Internet Finance Development Opinions”) issued in July 2015 by 10 ministries led by the PBOC, as well as the FinTech Development Plan as mentioned above, both provide macro guiding opinions on the regulation and development of the FinTech industry based on market practice at the moment.


In order to regulate the development and application of FinTech in the financial services industry, the Chinese government has issued a series of policies and regulations in recent years. The basic principle is that FinTech shall be used as a technical tool to promote the innovation and development of the financial services industry. The relevant policies and regulations mainly include the macro policies and the regulations for each subdivided field of the FinTech industry.Major macro policiesAs mentioned above, the PBOC is responsible for leading the formulation of FinTech’s macro policies in China, which are intended to provide guidelines and plans for the development of FinTech:



• The Internet Finance Development Opinions.• The 13th Five-Year Development Plan for Information Technology in the Chinese

Financial Industry (中国金融业信息技术 “十三五” 发展规划) issued by the PBOC in June 2017.

• The FinTech Development Plan.Major regulations in subdivided fieldsThe Chinese government has attached great importance to emerging technologies, especially for “Cloud Computing”, “Internet Plus”, “Big Data” and “Artificial Intelligence”. For each of the aforementioned technologies, the State Council has issued the corresponding policies of guidance, mainly including:• Opinions of the State Council on Promoting the Innovative Development of Cloud

Computing and Cultivating New Business Forms of the Information Industry (国务院关于促进云计算创新发展培育信息产业新业态的意见) issued by the State Council in January 2015.

• Guiding Opinions of the State Council on Vigorously Advancing the “Internet Plus” Action (国务院关于积极推进“互联网＋”行动的指导意见) issued by the State Council in July 2015.

• Notice of the State Council on Issuing the Action Outline for Promoting the Development of Big Data (国务院关于印发促进大数据发展行动纲要的通知) issued by the State Council in August 2015.

• Notice of the State Council on Issuing the Development Plan on the New Generation of Artificial Intelligence (国务院关于印发新一代人工智能发展规划的通知) issued by the State Council in July 2017.

With respect to the application of FinTech in the financial services industry, the Chinese financial regulatory authorities issued a series of rules which can be generally divided into three categories:• The regulations in relation to the new business model developed by traditional financial

institutions with FinTech For example: (1) for Internet insurance businesses based on “Internet Plus”, the

CBIRC issued the Insurance Supervision Measures in December 2020, which replaced the outdated interim measures; and (2) for Internet loans of commercial banks, the CBIRC issued the Interim Measures for the Administration of Internet Loans of Commercial Banks (商业银行互联网贷款管理暂行办法) in July 2020 and the Notice on Further Regulating Internet Loan Business of Commercial Banks (关于进一步规范商业银行互联网贷款业务的通知) in February 2021.

• The regulations in relation to the new types of institutions utilising FinTech For example: (1) for non-banking payment institutions, the PBOC promulgated the Administrative Measures for the Payment Services Provided by Non-financial Institutions (非金融机构支付服务管理办法) in June 2010 and a series of rules and regulations regarding the payment services provided by non-financial institutions were issued later. In January 2021, the PBOC further issued the Regulations on Non-banking Payment Institutions (Draft for Comment) (非银行支付机构条例（征求意见稿), which has fundamentally changed the regulatory approaches applicable to the third-party payment industry, and may exert huge influence on the market when it takes effect in the future; (2) for online lending information intermediary institutions, i.e. P2P platforms, four Chinese government departments led by the CBRC (replaced by the CBIRC in April 2018) promulgated the Interim Measures for the Administration of the Business Activities of Online Lending Information Intermediary Institutions



(网络借贷信息中介机构业务活动管理暂行办法) in August 2016 and a series of rules and regulations for rectifying such industry were issued later; and (3) for micro-credit companies conducting online micro-credit businesses, the CBIRC and the PBOC announced they were seeking comments on the Interim Administrative Measures for Online Micro-credit Business (Draft for Comment) (网络小额贷款业务管理暂行办法 (征求意见稿)) in November 2020.

• The regulations in relation to the common issues arising from the application of FinTech For example: (1) for the data management of commercial banks, the CBIRC issued the

Guidelines for the Data Management of Banking Financial Institutions (银行业金融机构数据治理指引) in May 2018; and (2) for the protection of personal information, the Standing Committee of the National People’s Congress promulgated the Cybersecurity Law of the People’s Republic of China (中华人民共和国网络安全法) in November 2016, the PBOC issued the Personal Financial Information Protection Technical Specification (个人金融信息保护技术规范) in February 2020, and the Standing Committee of the National People’s Congress also published the Personal Information Protection Law (Second Draft for Review) (个人信息保护法 (草案二次审议稿)) and the Data Security Law (Second Draft for Review) 数据安全法 (草案二次审议稿) in April 2021.

In addition to the laws and regulations listed above, the Chinese financial regulatory authorities have also promulgated a lot of rules on some aspects of financial services, including online fund sales businesses, loan facilitation services, Internet wealth manage-ment and digital currency.It is worth noting that the PBOC issued a notice in December 2019, announcing that the first pilot scheme of financial technology innovation supervision (i.e. the sandbox regulatory mechanism) will be launched in Beijing (北京). In April 2020, it was announced that the pilot scheme had been expanded to six regions including Shanghai (上海), Chongqing (重庆), Shenzhen (深圳), Hebei Xiong’an New District (河北雄安新区), Hangzhou (杭州) and Suzhou (苏州). Meanwhile, in April 2020, four Chinese government departments led by the PBOC issued Opinions on Financial Support for the Construction of the Guangdong-Hong Kong-Macao Greater Bay Area (关于金融支持粤港澳大湾区建设的意见) in which the mechanism “to study and establish a cross-border financial innovation regulatory ‘sandbox’” was proposed, and it is also the first time that the concept of “sandbox regulation” has been directly stated in the Chinese financial regulatory rules. Correspondingly, the Implementing Rules of the Cross-boundary Wealth Management Connect Pilot Program in Guangdong-Hong Kong-Macao Greater Bay Area (Draft for Comment) (粤港澳大湾区 “跨境理财通” 业务试点实施细则(征求意见稿)) was issued recently, allowing residents of Guangdong-Hong Kong-Macao Greater Bay Area to invest in eligible wealth management products through the connect programme.

Restrictions

Apart from prohibiting the issuance and trading of unofficial digital currencies and the establishment and operation of digital currency trading exchanges, the Chinese financial regulatory authorities have not set up any other strict prohibition regulations in the FinTech industry. For FinTech companies conducting financial services business, the regulatory authorities have set up a bottom line that such companies shall obtain the corresponding financial licences. For technology companies that do not conduct any financial business directly, the current regulatory requirements mainly come from the technical standards and data application specifications.



Another notable trend is that regulators will tighten supervision over large-scale internet platforms, putting forward specific requirements on financial business, corporate governance, fair competition and antitrust, consumer rights and data protection, risk prevention and control, etc. It is predicted that the regulator will further step up investigations into large-scale Internet platforms and require them to rectify their incompliance.


The Chinese financial regulatory authorities take the view that if the cross-border service is a pure technology service, there are no special financial regulatory restrictions; however, if the service has financial attributes, or the service provider provides financial services in one country to natural persons or enterprises in another country through the Internet, namely in the form of the “cross-border supply” model under the framework of the World Trade Organization (the “WTO”), it shall be limited to the following financial areas that China promised to open up to foreign countries in a positive list when joining the WTO in 2001:• Insurance services, including: reinsurance; international marine, aviation, and transport

insurance; and brokerage for large-scale commercial risks, international marine, aviation, and transport insurance, and reinsurance.

• Securities services, for instance: foreign securities institutions may engage directly (without a Chinese intermediary) in B-share business.

• Financial information data services, including: provision and transfer of financial information, and financial data processing and related software by suppliers of other financial services; and advisory, intermediation and other auxiliary financial services on all activities listed in The Schedule of Specific Commitments on Trade in Services (服务贸易具体承诺减让表), including credit reference and analysis, investment and portfolio research and advice, advice on acquisitions and on corporate restructuring and strategy.

Except for the abovementioned financial areas, as it is difficult for Chinese regulatory authorities to supervise overseas institutions, and adopting an overly open attitude may inevitably impact financial safety, Chinese regulatory authorities have adopted a very cautious regulatory attitude towards the provision of financial services in the manner of the “cross-border supply” model, and it is required that in principle any foreign institutions providing financial services to natural persons or enterprises within China through any technological means should obtain the corresponding financial licences issued by the Chinese financial regulatory authorities.

* * *

Acknowledgment

The authors would like to acknowledge the invaluable contribution of Wei Quan in the writing of this chapter.Tel: +86 139 1708 5715 / Email: [email protected]. Quan specialises in FinTech, banking and financing, securitisation, and asset management. In the area of FinTech, Mr. Quan advises FinTech companies on developing financial products, drafting legal documents, and applying for financial licences. He has participated in numerous equity and asset merger and acquisition deals and initial public offerings of FinTech companies. In the area of banking and financing, Mr. Quan advises commercial banks, trust companies, and other financial institutions on syndicated loans, project financing, securitisation, and applications for financial licences.

Jun WanTel: +86 139 1657 3412 / Email: [email protected]. Wan specialises in FinTech, blockchain and cryptocurrency, securitisation and asset management transactions, structured finance, real property finance, financial institution and quasi-financial institution set-up and investment. Mr. Wan assists FinTech enterprises in product design, compliance, due diligence, restructuring, investing in and setting up financial institutions and quasi-financial institutions, and in overseas IPOs. Mr. Wan also represents various international commercial banks, asset management companies, trust companies, and multinational companies in a variety of corporate financing transactions, including structured finance, acquisition finance, real property finance, and pre-IPO/privatisation financing. Mr. Wan’s main clients include FinTech enterprises, international commercial banks, multinational companies, securities and asset management companies, and PE/VC in financial sector investments. Mr. Wan has been honoured as a Tier 1 Leading Individual in FinTech by The Legal 500 from 2019 to 2021, and in 2019 ALB China Top 15 Rising Star Lawyers.

Xun LiTel: +86 139 1791 6676 / Email: [email protected]. Li specialises in FinTech, banking finance, real estate finance and financial institution set-up and investment. In the area of FinTech, Mr. Li provides legal services including designing product structures, drafting transaction documents, daily operation compliance and other legal services, and also advises several FinTech platforms on their investments and mergers. In the area of banking finance, real estate finance and financial institution set-up and investment, Mr. Li provides legal services to various banks, financial institutions and real estate companies for syndicated loans, project financing and financial licence applications.

Han Kun Law Offices33/F, HKRI Centre Two, HKRI Taikoo Hui, 288 Shimen Road (No.1), Shanghai, China

Tel: +86 21 6080 0909 / URL: www.hankunlaw.com



Ye LiTel: +86 188 1731 8751 / Email: [email protected]. Li specialises in corporate M&A, particularly financial institution, tech and FinTech M&A transactions, and the financial industry regulation. She advises international financial institutions and private equity firms on their investments and activities in China, including the investments in insurance companies and banks, the establishment and/or restructuring of securities joint ventures and the acquisition of equity interest in FinTech companies. In addition to transactional work, Ms. Li provides advice in relation to the Chinese financial market to multiple leading international financial institutions and FinTech companies, including advice on the PRC regulatory regime, market access, compliance and trading activities on various domestic markets.

DenmarkMorten Schultz, Kasper Laustsen & Christian Blicher Møller

Bruun & Hjejle Advokatpartnerselskab



Danish fintech at a glanceGenerally, Denmark has embraced the digitalisation wave and has become one of the most digital societies, especially when it comes to its financial sector. Online banking as well as mobile banking and payment apps have become widely accepted in Denmark. The early introduction of NemID (in English: “EasyID”), a digital signature solution to be used for public and private services, has made it easy for Danes to operate online, and as of 2021, almost every Dane uses NemID.1 NemID is being superseded by the upgraded version, MitID, which will be launched later in 2021.Thus, it is hardly surprising that Danes are welcoming fintech and that the fintech industry in Denmark is in constant development, which is evident not only in the increasing number of new startups in the last few years, but also in the increasing number of jobs and the amounts invested in fintech companies. Just between 2014 and 2020, the investment volume in Danish fintech companies increased at a compound annual growth rate of 104%.2 To develop the network and community of fintech, a fintech hub organisation called “Copenhagen Fintech” was established in 2016 by the Financial Services Union Denmark (Finansforbundet), the University of Copenhagen, the City of Copenhagen, and the Danish Bankers Association (Finans Danmark, in English: “Finance Denmark”). Today, Copenhagen Fintech is a well-known non-profit organisation with the aim of developing Denmark, and particularly Copenhagen, into one of the leading fintech ecosystems in the global financial services industry. Building on the Copenhagen Fintech organisation, the “Copenhagen Fintech Policy” was created in 2020, which is a collaboration initiative between the Confederation of Danish Industry, Finance Denmark, the Financial Services Union Denmark and Copenhagen Fintech with the aim of enhancing the fintech ecosystem and the fintech-hub position of the Nordics in Copenhagen as well as in Denmark.Currently, the focus area of many private and public companies is sustainability, not only in Denmark, but also globally, and the demand for sustainability from customers is likely to affect the future fintech scene, particularly in Denmark, where the focus on sustainability goes a long way back. Fintech in the face of COVID-19It is difficult to say anything positive about COVID-19; however, the COVID-19 situation accelerated the need for digitalisation, which meant that developments already taking place within the fintech scene accelerated during the COVID-19 pandemic, with the main

Bruun & Hjejle Advokatpartnerselskab Denmark


example being digital transformation, which has been reflected in automated onboarding processes, video-based services and other related areas. Although the COVID-19 pandemic has perhaps led to less investments from investors, the pandemic has also had a positive effect on Danish fintechs due to the increased demand and need for digitalisation.

Fintech offering in Denmark

Throughout the last decade, Denmark has sought to enhance its presence as a fintech-friendly environment for startups. The main categories of fintech services offered in Denmark are listed below:Payments: Fintech serves as an inherent part of payment transactions. Denmark has generally been a place of both state-sponsored schemes and private entrepreneurship and ingenuity exemplified by the low-fee debit card “Dankort” offered originally by a consortium of banks and later by Nets. In recent years, a variety of Danish banks have sought to boost mobile payments through solutions such as MobilePay and Swipp, the first being a must-have for Danish consumers today, whereas the latter has been withdrawn. Further, Danish fintech companies have benefitted from the European open banking rules implemented as part of PSD2, and innovative solutions are being developed benefitting from financial data previously only being available to market leaders or banks. Additionally, payment companies are continuously working on enhancing customer experience; recently enabling one-click checkout flows for merchants utilising both existing card schemes and account-to-account technology. Finally, the emergence of new crypto solutions has the potential to greatly affect the payment industry. Showcasing this, Danish-owned Concordium seeks to offer low and stable transaction fees without compromising on regulatory requirements and user accountability towards regulators. Danish fintech companies within the payment category include Nets, Cardlay, Coinify, Yourpay, Swiipe and Concordium.Small and medium business tools: Various public offices and administrative and regulatory bodies in Denmark offer a wide range of technology-friendly public records allowing fintech companies access to collect and submit data easily through dedicated application programming interfaces. This basis has allowed companies to provide semi-automated accounting services, greatly enhancing the efficiency of financial reporting and accounting. During recent years, the integration of AI and machine learning has led to great progress in automated invoice and document scanning and employee expense registration. In addition, multiple major online accounting services are now offering real-time creditworthiness assessments of counterparties to small and medium enterprise customers utilising automated data from public records. Danish fintech companies within this category include Tradeshift, Dinero, Economics, Pleo, Paperflow and Acubiz.Personal finance: Danish consumers have widely accepted application-based financial services, ranging from budget and cost management tools intended to incentivise cost-sharing, to pure digital banking and account services offering low-fee, transparent banking services without a physical presence. Fintech companies have also been targeting children with applications aimed to influence children and give them healthy spending habits and encourage savings. Moreover, fintechs with a 360-degree holistic approach to consumer personal finance (not only banking but also securities, insurance and pensions) are also emerging. Danish fintech companies in the personal finance category include LunarWay, Spiir, MyMonii, Dreamplan and Penly.Capital raising: Multiple Danish fintech companies aim to provide funding alternatives to businesses and investment opportunities to consumers. These companies facilitate



crowdlending or crowdfunding, often promising high interest and flexibility to retail investors, whilst providing liquidity to businesses or purchasing real estate. Danish fintech companies in this category include FlexFunding, Lendino and Brickshare. Digital assets: Blockchain and crypto currencies remain a hot topic, and several companies are currently working on solutions aiming at supporting or enabling transaction flows, decreasing transaction costs or ensuring transaction accountability whilst still offering immediate counterparty anonymity. One known player in this area is the Danish stablecoin issuer, e-Money. The credibility of digital assets has slowly been rising, and recently, multiple large banks opened for currency pairs towards Bitcoin, giving Danish consumers an unprecedented opportunity to speculate in Bitcoin. However, looking ahead, the European Commission’s regulation of markets in crypto assets (often referred to as the MiCA Regulation) seems to tighten the regulatory framework pertaining to fintechs dealing in crypto. It will be interesting to see the impact of MiCA on the Danish crypto industry as we get closer to the expected time of implementation in 2024. Fintech compliance tools (including anti-money laundering (AML)): The Danish market for digital compliance tools has seen a substantial growth following AMLD4, the introduction of the GDPR and, most recently, the implementation of the EBA Outsourcing Guidelines. Accordingly, multiple service providers offer tools intended to ease the burdens of such regulations by handling governance or process-related tasks relating to such rules. Certain service providers excel at specific regulatory regimes, whilst a few providers have entered into strategic partnerships with law firms or consultants offering fully-fledged compliance solutions supporting, inter alia, GDPR, AML, EBA Outsourcing and Risk Management. Service providers in this category include Clareply (acquired by Penneo in October 2020), New Banking Identity and Risma. Wealth management: Wealth management solutions offer AI-based portfolio analyses like optimisation of portfolios based on the performance of the underlying assets and the related investment costs. Further, fintech providers offer fractional trading allowing securities to be traded for small amounts, thereby allowing retail to participate in security trade to a larger degree than previously. Danish fintechs within this category include SoftCapital, Algostrata and Nord Investments.


So far, Denmark has not been a major hub for regtech; however, an ever-increasing focus on financial compliance has led to an increased demand for regtech solutions. Just recently, the Danish Central Bank (Danmarks Nationalbank) launched an innovation hub called BIS Innovation Hub Nordic Centre together with the Bank for International Settlements and three other Nordic Banks. Two of the focus areas of BIS Innovation Hub’s working program are: supervisory technology (suptech); and regtech. Further, the Financial Services Union Denmark has created an active network for regtech where colleagues from various financial companies meet to exchange their experience with regtech, which also shows a more political focus on developing regtech. The insurtech scene in Denmark is still experiencing development, and the increasing number of insurtechs has encouraged the Danish insurance companies to step outside their existing business and seek collaboration and invest in technological innovation. As an example, one of the largest insurance providers in the Danish market, Tryg, has invested in the insurtech Undo, which provides tailored insurance policies for its customers built on algorithms and customer data.



One of the biggest challenges remaining for insurtech is the significant regulatory requirements generally pertaining to insurtechs’ major customers, such as pension providers. Also, historically in Denmark, pension schemes are provided by employers and organisations, and this poses another challenge for insurtechs, as it makes it very difficult for new players to enter the market. Some development is taking place, and as regulatory provisions are expected to be transposed, this may facilitate unbundling on the pension market to take place to a greater extent.

Regulatory bodies

Danish fintech companies are subject to a variety of rules, the compliance of which is supervised by independent governmental bodies. The primary supervision being determined by the services offered by the company. The primary regulatory bodies are the Danish Financial Supervisory Authority (Finanstilsynet (DFSA)), the Danish Business Authority (Erhvervsstyrelsen (DBA)), the Data Protection Agency (Datatilsynet (DPA)), and the Danish Consumer Ombudsman (Forbrugerombudsmanden (DCO)). The DFSA supervises regulated financial entities, including banks, pension providers and insurance companies. Further, the DFSA supervises compliance with the AML/CTF rules applicable to companies which are not otherwise required to obtain a financial licence but are encompassed by the AML regime anyway. The DBA is the national authority for corporate matters, including registration of companies, registers of owners, etc. The DBA supervises and monitors data input from Danish businesses, including the control of digital registrations, ultimate beneficial ownership and annual financial statements. For certain companies, the DBA acts as the supervisory authority in relation to AML/CTF requirements. The DPA is the national independent authority responsible for the supervision of compliance with the rules on protection of personal data. The DPA remains very active, publishing guides and offering hotlines aiming to swiftly assist citizens and companies on data protection-related rights and obligations. The DCO is the national independent authority responsible for the supervision of compliance with the Danish Marketing Practices Act. The DCO has recently had a particular focus on consumer lending and online advertising, working together with the DFSA on guidance relevant for both entities.


General approachAll key Danish fintech regulation is generally based on the EU regulatory perimeter and, in particular, the directives. Each provision in the directives is subject to national interpretation, which may differ from that of other Member States, and derogations are applied if deemed appropriate (and allowed pursuant to the relevant directive). Certain areas remain regulated by national law, pursuant to special regulatory focus. Such areas include the consumer-lending industry, which has generally seen its business trailing following very extensive regulatory actions relating to creditworthiness, restrictions in interest rates and in advertising of such services. Consequently, fintech companies often offer services affected by multiple regulatory regimes, each entailing various obligations and requirements. The DFSA has a dedicated fintech team named the department of “Fintech, Payment Services and Governance”. The team consists of specialised employees tasked with supervising and



guiding companies operating inside the fintech and payment service sphere. To this effect, the DFSA has established a fintech hotline intended to provide immediate guidance and clarification on generic matters. In addition, the DFSA has two main initiatives: (i) the Fintech Lab; and (ii) the Fintech Forum. The Fintech Lab is operated by the DFSA and targets new and established businesses that want to test new business models subject to financial regulation. Through the Fintech Lab, the DFSA provides guidance to potential companies and entrepreneurs on what starting a business entails in terms of the financial regulatory perimeter. Further, the DFSA seeks to utilise the Fintech Lab as a tool to keep up to date with the industry and technology, ensuring that regulatory supervision is conducted in a manner consistent with the technological advances. The Fintech Forum consists of a variety of representatives from the industry, including banks, insurance companies, payment institutions, advisors and advocacy groups. The intention is that the Fintech Forum is to serve as an informal venue where the DFSA and industry stakeholders may discuss recent developments in the industry. This includes discussions of any potential regulatory inadequacy. The Fintech Forum meets annually.In general, there is a strong political wish to support startups in Denmark. Further, in an effort to avoid unnecessary burdensome or outdated regulation, any new regulation must be in accordance with five overall principles; it must be (i) applicable to new business models, (ii) simple and purpose-oriented, (iii) technology neutral, (iv) based on a holistic regulatory approach ensuring compatibility across regulatory areas, and, if relevant, (v) support user-friendly public digital solutions making it easier and more affordable to do business in Denmark. Further, many startups may be eligible for startup funding or low-interest loans, and startup incubators are generally becoming more and more available. AML tech, a selected area of interestOrganised financial crime is a genuine threat against our societies, and over the recent years, the topic has gained increasingly political attention with the unmasking of scandals such as the Panama Papers. In Denmark, the fight against the predominant way of organised financial crime, money laundering, has been given significant, political priority. With the political agreements entered between 2017–19, substantial resources have been added to combat money laundering. However, the fight against money laundering is not only a question of resources but also a question of applying resources in an efficient way. As it appears from the Danish FSA’s strategy for its work with new technologies released on 28 June 2021,3 AML is a key area of interest. It is acknowledged that technology can be an important tool in the detection of money laundering activities. Applying the right technology in the right way significantly enhances the efforts against money laundering. In April 2021, the Danish FSA published its report “Project AML/TEK”. The report examined different approaches on how to apply technology to achieve better detection and monitoring mechanisms for AML. The report also shares various regulatory concerns relating to the different approaches.4 In another context but with the same purpose, in January 2021, the Danish Central Bank published a report stating that a databased approach could improve the detection mechanisms of suspicious transactions.5 The report suggests that the detection of suspicious transactions may generally be substantially improved if banks are able to share certain relevant customer data with each other. Due to the constraints in data sharing, banks may not today share this sort of data as it may contravene banking secrecy as well as the conditions for data sharing under the GDPR. Looking forward and bearing in mind all these initiatives to make use of technology for the improvement of money laundering detection, it is the expectation that the AML space will



see more fintech players trying to provide solutions to the many “pains” in the current AML approach.

Restrictions

Generally, there are currently no fintech companies which are restricted in their provision of services in Denmark as such. Financial institutions, however, are subject to comprehensive regulation, and it can be hard to find the way through all the regulatory requirements, especially for minor fintech startups, which leaves them more restricted due to their size and lack of network. This does not only apply to fintech startups which provide a regulated activity,6 but also to fintech companies which intend to sell its services to financial institutions.To highlight one very important area, EBA has recently issued (i) Guidelines on Outsourcing Arrangements, which have been implemented in Danish legislation effective 1 July 2020, and (ii) Guidelines on ICT and Security Risk Management (ICT Guidelines), which – according to the DFSA – will apply to Danish legal entities as of 1 January 2022 (together the Guidelines). The Guidelines on Outsourcing Arrangements are implemented by Act no. 877 of 12 June 2020 regarding Outsourcing arrangements for credit banks etc. (the Outsourcing Act). The Guidelines provide a framework for how to manage and assess risks and introduce several procedures and processes to be implemented by the financial institutions in order to mitigate cybersecurity risks. Over time, the EBA guidelines have become more and more detailed – regulating not only the governance processes and procedures but also the content and specific activities to be conducted by the financial institutions. Fintech companies which constitute a financial institution will obviously be subject to the Guidelines and the Outsourcing Act. However, several of the requirements will also be relevant for fintech companies which intend to sell financial services (either as an outsourcing provider or as a “third-party supplier”) to financial institutions. To illustrate the complexity, we have below included a few examples of requirements relevant to fintech companies selling financial services to financial institutions. • Sufficient internal security protection and procedures. Financial institutions must

ensure that the third-party providers support the risk-mitigating measures defined by the financial institutions.7 This requires insight and transparency in terms of how the fintech company provides its services. Further, the financial institutions must ensure – e.g. through KPIs – that the third-party service provider complies with defined minimum security requirements. As such, third-party service providers must structure not only the services but also the underlying business in a way which is sufficient to comply with the growing security requirements applicable to financial institutions (“compliance by design”). Third-party service providers must also be able to provide transparency and documentation as to how its business and cybersecurity procedures are structured in order to mitigate cybersecurity risks. As such, the third-party service provider must have in place sufficient reporting procedures which provide the financial institution with documentation of its compliance with agreed security requirements (see, e.g., section 23(7) and section 23(8) of the Outsourcing Act). Fintech companies providing services to financial institutions must therefore focus on having the right level of security protection and procedures in place and be able to document this in a sufficient manner.

• Security testing (including penetration tests) and audits. According to the ICT Guidelines, financial institutions must ensure effective “identification of vulnerabilities in their ICT systems and ICT services” – for example through “gap analysis against information security standards, compliance reviews, internal and external audits” – and,



where necessary, through “source code reviews, vulnerability assessments, penetration tests and red team exercises”. These reviews and tests will also include third-party systems implemented into the infrastructure of the financial institution. Fintech companies offering IT solutions to financial institutions should therefore be able to comply with such requirements – including, for instance, the allowance of penetration tests.

• Sub-outsourcing. If the fintech company uses sub-contractors, it has to ensure that these sub-contractors comply with agreed security policies and to allow both the financial institution (as a customer) and the DFSA to conduct audits, etc.

• Security incident procedures and patch management processes. Financial institutions should ensure that adequate incident procedures and patch management procedures are included in the contracts with its third-party service providers, cf. section 3.2.3 of the ICT Guidelines. Fintech companies (providing services to financial institutions) must ensure that it is able to offer such procedures on a level sufficient for the financial institution.

Fintech companies – which are either a financial institution or provide services to financial institutions – must not only focus on developing their product and services but also on how to structure its business and services in order to comply with the above-mentioned terms. Many fintech companies are newly founded and do not have a large internal organisation in place which can handle all these requirements. Consequently, such fintechs are to a certain extent constrained by their inherent nature. In addition, this may also pose a restriction to future partnerships between fintechs and financial institutions.


Copenhagen Fintech has worked hard to become a significant fintech hub on the global scene. As part of its efforts, Copenhagen Fintech has partnered with the Danish Industry Foundation in a project called “Global Fintech Alliances for Growth” with the object of breaking down barriers for Danish fintechs by creating bridges between fintech ecosystems around the world and creating partnerships between Danish fintech companies and foreign partners as well as foreign fintech companies and Danish partners.With the help of the political system and the Danish Ministry of Foreign Affairs, Copenhagen Fintech has been able to enter into formal agreements with similar foreign hubs, enabling Danish fintech startups to gain and build international experience and networks, and similarly providing international startups easy access to Denmark. Agreements have, for example, been entered into with hubs as far away from Denmark as Singapore. In late 2020, four Nordic fintech startups were selected to join the UNDP and Copenhagen Fintech Impact Partnership Program based in Singapore. The Program aims to bring Nordic fintech startups to the ASEAN region to support cross-border collaboration and exchange of technology and innovation.

* * *

Endnotes1. 5.2 million out of 5.8 million Danes, cf. https://digst.dk/tal-og-statistik/ and https://www.dst.

dk/da/Statistik/emner/befolkning-og-valg/befolkning-og-befolkningsfremskrivning/folketal.2. Source: Copenhagen Fintech.3. https://www.finanstilsynet.dk/Nyheder-og-Presse/Pressemeddelelser/2021/Finanstilsynets_

arbejde_med_nye_teknologier_280621.



4. https://www.finanstilsynet.dk/Nyheder-og-Presse/Pressemeddelelser/2021/Syv_bud_bekempelse_hvidvask_290421.

5. https://www.nationalbanken.dk/da/publikationer/Documents/2021/01/ANALYSE%20nr.%201_Databasere t%20indsa t s%20s tyrker%20kampen%20mod%20%C3%B8konomisk%20kriminalitet.pdf.

6. As defined in: (i) section 1(1) of Act no. 877 of 12 June 2020 regarding Outsourcing arrangements for credit banks etc.; and (ii) preamble 9 of the Guidelines on ICT and Security Risk Management.

7. See, e.g., section 3.2.3 of the Guidelines on ICT and Security Risk Management and sections 19–20, 23 of Act no. 877 of 12 June 2020 regarding Outsourcing arrangements for credit banks etc.

* * *

Acknowledgment

The authors would like to acknowledge the invaluable contribution of their colleague Anna-Sophie Bager in the writing of this chapter.Anna-Sophie Bager is an assistant attorney and has assisted Danish and foreign companies within the financial sector on a wide range of regulatory matters, including payment services, consumer loans and AML. In addition, Anna-Sophie works with financing and represents banks and companies in connection with financing-related matters.Tel: +45 20 65 21 28 / Email: [email protected]

Morten SchultzTel: +45 51 99 97 01 / Email: [email protected] Schultz is an experienced business lawyer with 15+ years advising on financial regulation. Morten has in-depth industry experience from secondments with major Danish financial institutions, where he has handled strategically important projects and activities. Together with this former employment with the Danish FSA, Morten holds a distinctive understanding of the financial regulatory perimeter and the different considerations that come into play. Morten’s area of practice mainly relates to collective investment schemes (AIFM and UCITS), banking, securities trading, non-life insurance and pensions and also AML. Morten has strengthened his commercial skills by completing an international MBA from a top European business school.

Kasper LaustsenTel: +45 31 33 53 26 / Email: [email protected] Laustsen is a highly experienced IT lawyer, with 10+ years’ experience within negotiation of IT outsourcing agreements, implementation agreements, licence and cloud agreements, especially within the financial sector. Further, Kasper has assisted in various digital transformation projects with a strong focus on regulatory and compliance-related matters.

Bruun & Hjejle AdvokatpartnerselskabNørregade 21, 1165 Copenhagen K, Denmark

Tel: +45 33 34 50 00 / URL: www.bruunhjejle.dk



Christian Blicher MøllerTel: +45 22 27 08 85 / Email: [email protected] Blicher Møller is an assistant attorney specialised in guiding large payment service providers and banks on various regulatory issues. Recently, Christian has assisted a market leading payment service provider with the drafting and implementation of a cross-border outsourcing framework enabling compliance with the EBA guidelines on outsourcing within multiple European jurisdictions. Besides outsourcing, Christian provides guidance on AML-related matters and has experience acting in a second line of compliance function, helping redesign and recalibrate the AML setups for a pan-European organisation. Christian also assists banks, PE funds and large companies on financing-related matters.

FranceHubert de Vauplane & Victor CharpiatKramer Levin Naftalis & Frankel LLP



There have been significant developments in global approaches to the regulation of Fintech in recent years with new opportunities, risks and challenges for market participants, customers and regulators arising from Fintech. Such areas of Fintech could include electronic payments, “robo-advice”/algorithmic-based advice, trading and lending platforms, cryptocurrencies and related initial coin offerings/token-generating events and other blockchain technology-based applications.In the last few years, France has jumped into the race to become Europe’s top Fintech jurisdiction. Although France cannot boast any world-scale Fintech “unicorn”, the scene is very active and a lot of promising startups were born or reached a significant scale in the last few years. French Fintech startups are supported by a strong network of business angels, venture capital funds, and professional organisations and associations. In addition, established financial institutions have adopted an open stance regarding Fintech. Some of them have created Fintech or Insurtech incubators, and most of them regularly establish business partnerships with startups. Buyouts of Fintech startups by large banks or insurance companies are also common.France does not have per se an approach regarding Fintech regulation. Fintech, “the term used to describe the impact of new technologies on the financial services industry” (according to the European Commission), is not a legal notion. Fintech is firstly understood as an “umbrella term” covering various innovative business models related to the broader financial sector. Therefore, in France, the regulation to which a Fintech company may be subject depends on its activities. Whether a company self-identifies as a Fintech company has no legal impact. Still, both legislators and regulators (the Autorité des marchés financiers or “AMF” – the financial markets authority, and the Autorité de contrôle prudentiel et de régulation or “ACPR” – the banking and insurance regulatory authority) have adopted a welcoming attitude. There is a shared agenda towards improving France’s position on the global Fintech scene and establishing France as the leading European Fintech hub, in the wake of the United Kingdom’s exit from the European Union.During the last few years, the AMF and the ACPR have launched multiple Fintech initiatives, such as the Fintech Forum in July 2016 (a consultative body gathering representatives from Fintech startups and financial institutions), and the creation of internal Fintech teams acting as “innovation hubs” in 2016. On the legislative side, first of all, it is worth noting that most of French financial and banking law derives from EU directives and regulations. As the EU legislative process is rather slow, emerging Fintech-related trends often find themselves “unregulated”. Therefore,

Kramer Levin Naftalis & Frankel LLP France


France regularly makes the first move and initiates the regulation of these emerging trends at national level. For example, France passed a framework regulating crowdfunding and crowdlending in 2014, while the European Commission only issued the first proposal of its regulation on European crowdfunding service providers in March 2018. Similarly, during the first half of 2018, France decided to include a regulation of ICO issuers and crypto-assets service providers in the bill nicknamed “Loi Pacte” (which stands for “Action Plan for the Growth and Transformation of Companies” or “PACTE Act”), which was enacted on 22 May 2019. On the other hand, at the European level, the European Commission published on 24 September 2020 a digital finance proposal package, including a digital finance strategy and legislative proposals on crypto-assets (proposal for a regulation on markets in crypto-assets (“MiCA”) and proposal for a regulation on a pilot regime for market infrastructures based on blockchain (“Pilot Regime”)) and digital resilience. The MiCA proposal is inspired by the French ICO and PSAN regime of the PACTE Act and would feature a European passport for issuers and service providers.During 2020 and early 2021, fintech news focused on the issuance by the central bank of a Central Bank Digital Currency (“CBDC”). In October 2020, during the Paris Europlace International Financial Forum, the governor of the Banque de France (or the French Central Bank), François Villeroy de Galhau, reaffirmed his willingness to issue in the near future a CBDC. The Banque de France is now collaborating with private sector innovators (such as Accenture, Euroclear, HSBC…) to begin testing with eight types of trial runs on a wholesale CBDC. In May 2020, the Banque de France successfully tested the use of a blockchain developed by its teams to conduct a trial run of the use of a wholesale CBDC to settle an issue of digital financial securities by Société Générale Forge.Recent, impending or proposed changes to the Fintech-related regulatory architecture in FranceWhile, as stated above, most of the French legislation applicable to financial markets and banking and payment services derives from EU directives or regulations, three recent or impending Fintech-related reforms are worth mentioning.First, France created in 2014 a comprehensive legal framework for crowdfunding and crowdlending activities. Crowdfunding transactions up to €8 million are now exempted from the obligation to publish a prospectus while, before, issuers willing to raise over €100,000 in equity or bonds were subject to these requirements. In addition, the 2014 reform also introduced a new exemption from the banking monopoly (i.e. the rule prohibiting entities other than licensed banks from granting interest-bearing loans) allowing individuals to grant loans through crowdlending platforms. Crowdfunding and crowdlending platforms have to register with the ACPR and/or the AMF either as crowdfunding/crowdlending intermediaries (for donations and crowdlending platforms) or as crowdfunding investment advisors (for investment-based crowdfunding). Finally, the PACTE Act added an exemption allowing crowdlending platforms to act as intermediaries between employees (or managers, partners, clients or suppliers) of a single company. These persons will be able to borrow from their co-workers (or managers, partners, clients or suppliers of the company) up to €30,000 to fund a personal project.Then, with Ordinance No. 2017-1674 of 8 December 2017 and Decree No. 2018-1226 of 24 December 2018, the French government introduced innovative legislation allowing blockchain technology to be used to issue, register and transfer unlisted securities. The distributed ledger used to register securities must comply with four main technical conditions: (i) the integrity of the information recorded must be preserved; (ii) the distributed ledger must allow the identification of the owners of the securities, and the nature



and number of securities held; (iii) a continuity plan including an external data recording system must be set out; and (iv) the owners of the securities registered on the distributed ledger must be able to access their statements of transactions. This legislation does not specify which of the issuer or its service provider will be responsible for the compliance of the distributed ledger with these technical requirements. The distinction between private and public blockchains is not addressed either. Complying with some of these technical requirements could be more complicated when a public blockchain is used. Finally, the major recent Fintech-related legislation is the PACTE Act, which was enacted in May 2019 and recently supplemented by the order 2020-1544 of 9 December 2020 (strengthening the framework for the prevention of money laundering and terrorist financing applicable to digital assets) which extended the scope of services on crypto-assets requiring registration with the AMF. The PACTE Act contains a patchwork of measures aimed at facilitating the growth of small and medium-sized enterprises (“SMEs”) and giving employees and stakeholders more control over corporations. More importantly, the PACTE Act introduces a comprehensive regulatory framework for token issuances (“ICOs”) and digital assets service providers. (This new framework will not apply to tokens which share the same characteristics as financial instruments: the offerings of “security tokens” will have to comply with existing regulations.) With respect to ICOs and cryptocurrencies, the PACTE Act contains three key measures:• Optional AMF approval for ICOs. The AMF may grant an approval (“visa”) to

public offerings of tokens. This approval is optional and not mandatory: potential token issuers are free to require the AMF’s visa or proceed with their ICO without the AMF’s approval. The AMF expects that the most serious projects will require its approval as the global reputation of the AMF would help token issuers market their ICO in other jurisdictions, as well as allow them to freely sell their tokens to French investors. So far, only three visas have been granted by the AMF, to the companies French ICO in December 2019, WPO in May 2020, and iExec Blockchain Tech in October 2020.

The approval may be granted if the token issuer complies with the following requirements: (i) the issuer is a legal entity incorporated in France, or at least registered in France through a branch; (ii) the disclosure document (i.e. the white paper) and the marketing materials are accurate, written in plain language, non-misleading, and describe the risks associated with the offer; and (iii) the issuer plans to implement adequate procedures to track and safeguard the funds raised in the ICO.

• Digital assets service providers. The PACTE Act creates a new category of regulated entities: digital assets service providers (“DASPs”). The definition of digital assets covers ICO tokens as well as other types of crypto-assets. The services related to digital assets include various kinds of traditional investment services, as soon as they are performed in relation to digital assets: (i) custody of digital assets or cryptographic private keys for third parties; (ii) purchase or sale of digital assets against legal currency (i.e. fiat); (iii) purchase or sale of digital assets against other digital assets; (iv) operation of a digital assets trading platform; and (v) various other services related to digital assets: receipt and transmission of orders on behalf of third parties; asset management; investment advice related to digital assets; underwriting; and placing with or without a firm commitment.

This framework is also partially optional. Any entity may apply for a DASP licence to provide the above-mentioned services. Licensed DASPs are subject to a set of obligations which are quite similar to those of investment services providers. On the other hand, providing the following services requires registration with the AMF: custody services; the



purchase or sale of digital assets against legal currency; and, since the order 2020-1544 of 9 December 2020, the purchase or sale of digital assets against other digital assets and the operation of a digital assets trading platform. During 2020 and early 2021, the AMF approved the registration of 14 digital asset service providers such as COINHOUSE, BITPANDA or LGO.

• Right to open a bank account. Banks now have to set up objective, non-discriminatory and proportionate rules to determine if the following categories of entities should be allowed to open an account in their books: (i) token issuers which have been granted an optional approval by the AMF; (ii) registered digital assets service providers; and (iii) digital assets service providers which obtained an optional licence. Their access to basic banking services shall not be hindered by the bank once the account is open. These provisions create a strong incentive for crypto-assets issuers and intermediaries to obtain an optional visa or an optional licence from the AMF instead of remaining unregulated, as the right to access bank accounts will be tied to such approval or licence. In March 2021, the AMF and the ACPR published the report of a working group on the difficulties faced by DASPs regarding access to bank accounts. The report described the challenges and studied avenues for improvement.

Fintech offering in France

Overview of technologies and applications, and existing or new laws and regulationsVarious disruptive technologies are being applied to the finance and insurance industries by both startups and established institutions in France. Not all of these business models require a regulated status or trigger the application of specific legislation. French Fintech companies are supported by a strong network of business angels and venture capital funds. According to France Fintech, French Fintech startups raised an aggregate amount of EUR828 million in 2020, compared to EUR699 million in 2019. Therefore, and against all expectations, the COVID-19 pandemic had a positive impact on the Fintech sector due to digitalisation and contactless payment development. Recent high-profile deals include Qonto, a neobank for SMEs (EUR104 million), payment solution providers Lydia (EUR112 million) and Swile (EUR70 million), and health insurance policy provider, Alan (EUR50 million). The main Fintech-related business models and their associated legislation are presented below (please note that other regulatory regimes may apply depending on the particularities of each business model):• Mobile payment apps (e.g. Lydia, Pumpkin, Paylib): these apps allow individuals and

companies to send payments directly from their mobile, without having to use their banking app. Mobile payment apps generally integrate additional payment methods (e.g. Apple Pay, QR codes, etc.) and allow their users to monitor their expenses. These companies generally partner with regulated payment service providers to comply with the regulatory requirements which would normally apply to their activities.

• Crowdfunding and crowdlending platforms (e.g. October, Wiseed, Anaxago, Younited, Unilend, Lendopolis): these platforms allow individuals (and, increasingly, some investment funds) to fund projects initiated by SMEs. Crowdfunding platforms allow investors to invest in the companies themselves, through the issuance of shares or bonds, while crowdlending platforms allow their users to grant loans. French crowdfunding and crowdlending platforms have been struggling recently as traditional banks are increasingly willing to lend to SMEs at low rates. In October 2018, crowdlending pioneer Unilend filed for bankruptcy. Platforms are now focusing on promising markets such as real estate and renewable energy infrastructure financing. As described above, crowdfunding and



crowdlending platforms have been subject to an ad hoc regulatory regime since 2014. Crowdfunding and crowdlending platforms may only be operated by licensed entities, although the requirements to obtain this licence are less stringent than those generally applied to investment services providers.

• Group gifting/personal fundraising platforms (e.g. Leetchi, LePotCommun): these companies allow their users to collect money from friends and family to finance gifts or common projects, through the creation of an online money pot. These platforms are also increasingly used to support humanitarian causes (e.g. money pots may be organised to help a low-income family afford a costly surgical intervention, even though most contributors would not know directly the beneficiary of the money pot). Although their business models are similar, Leetchi and LePotCommun do not share the same regulatory status. Leetchi is registered as a crowdfunding intermediary (intermédiaire en financement participatif ), a status which allows the operation of a platform through which individuals may grant loans or donate directly to fund projects. On the other hand, LePotCommun is registered as an intermediary in banking transactions and payment services (intermédiaire en operations de banque et en services de paiement or “IOBSP”).

• Bank accounts aggregators and personal finance apps (e.g. Bankin’, Linxo, Budgea, Budget Insight): these apps allow their users to monitor their budget and their savings by aggregating all the accounts opened in their name (e.g. bank accounts, savings accounts, retirement accounts, securities accounts, etc.). These companies rely on the “open banking” trend which supports the right for third-party providers to access clients’ bank accounts. Most of these companies obtained a licence from the ACPR following the adoption of Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (“PSD 2”) which added the account information and payment initiation services to the list of regulated payment services.

• Neobanks (e.g. Shine, Qonto): these companies allow their users to open bank accounts and access basic banking services (such as using a debit card and transferring funds) through a mobile app. Shine and Qonto both focus on freelancers and small companies. Although these neobanks allow their clients to open bank accounts and use debit cards, they are not regulated as credit institutions, because their business model does not involve granting loans. Qonto was granted a payment institution licence by the ACPR, while Shine is registered with the ACPR as the agent of a regulated payment service provider. Finally, in a statement dated 6 April 2021, the ACPR decided to prohibit the use of the term “neobank” by fintechs that are not licensed as credit institutions. In this sense the ACPR recalls “that a ‘neobank’ must first be a ‘bank’ to be able to refer to this term” and that “using the word ‘bank’ or ‘credit institution’ to qualify a non-banking company, among which are payment and e-money institutions, as well as their agents and distributors, is prohibited by the legislation”.

• Robo-advisors (e.g. WeSave, Advize, Yomoni): robo-advisors are personalised online savings management services that allow individuals to invest their savings in a smart and automated way. Although their business models vary significantly, these companies generally rely on artificial intelligence to suggest an optimal asset allocation, which may vary over time based on the risk profile of the client and their personal savings goals. Most of these robo-advisors are primarily regulated by the AMF as financial investment advisors. Yomoni is also regulated by the ACPR as an insurance broker. Yomoni is the only robo-advisor regulated as an investment management company.

• Insurtechs apply innovative technologies to the insurance sector. Various business models have emerged (see below). Generally speaking, Insurtech companies are



subject to the same legislation as insurance undertakings, unless they merely provide technological services to regulated entities.

• Factoring and short-term financing providers (e.g. Finexkap): Finexkap provides financing to SMEs through factoring (i.e. buying invoices at a discount). Finexkap improves the traditional factoring process by using machine learning, big data, and integrated APIs. Finexkap is regulated by the AMF as an investment management company and manages the securitisation fund ( fonds commun de titrisation) which purchases the invoices.

• Cryptocurrency-related companies (e.g. Ledger, LGO, Coinhouse, Paymium, NapoleonX, etc.): although all these companies are part of the same subcategory, their business models are very different. Ledger sells hardware wallets, LGO and Paymium operate cryptocurrencies exchange platforms, Coinhouse directly sells crypto-assets to its clients, etc. Most of these companies will be required to register as DASPs pursuant to the regime created by the PACTE Act.

• Finally, since 2015 and 2016, most French financial institutions have started to work on implementations of blockchain technology. Several French banks have joined the R3 consortium which develops the private blockchain platform named Corda. Euronext, BNP Paribas, Société Générale, CACEIS, and Caisse des Dépôts have jointly created LiquidShare, a startup aimed at building a blockchain-based settlement system for non-listed securities. In addition, various major French non-financial companies are also experimenting with blockchain technology in their own field: for example, Carrefour is partnering with IBM to develop a blockchain-based food traceability platform. The French Central Bank itself developed a blockchain-based system to manage SEPA creditor identifiers. On 15 April 2021, Societe Generale issued the first structured product in the “Security Token” format directly registered on the Tezos public blockchain. These securities were fully subscribed by Societe Generale Assurances. This transaction follows a first bond issuance of EUR100 million of “Security Tokens” on the Ethereum blockchain which was settled in euros in April 2019, and a second bond issuance of EUR40 million of “Security Tokens”, this time settled in CBDCs issued by the Bank of France in May 2020. In the same line, the European Investment Bank is reportedly about to issue EUR100 million in bonds on the Ethereum blockchain network. The issue of these bonds, with a maturity of two years, will be supervised by Société Générale, among other banks. Other noteworthy projects include the launch by the Casino Group, in partnership with Société Générale, of a stablecoin backed by the euro in March 2021: the Lugh, which is intended as a means of developing a new innovative means of payment and loyalty in the longer term. In the luxury sector, LVMH has joined forces with Prada Group and Cartier to create a blockchain: Aura Blockchain Consortium, which will give the customer, thanks to a digital certificate, direct access to the product purchase history, from its conception to its distribution, as well as providing certificates of authenticity.


RegtechRegtech is a fast-expanding sector within the broader French Fintech industry. The AMF and the ACPR strongly support the Regtech ecosystem, as Regtech is seen as both a means of helping financial institutions comply with an ever-increasing amount of regulatory requirements, and a tool for helping regulatory agencies handle the vast amount of data collected pursuant to their supervision mission (nicknamed “Suptech” – supervision technology).



However, France does not appear to foster big Regtech startups. No significant fundraising related to Regtech startups has been recorded in the last few years. According to KPMG, which published, in December 2019, a study of the European Regtech sector, there are 45 Regtech startups in France. At the beginning of 2021; this number would be around 80 regtechs in France, with 102 million euros raised in 2020. Most of these companies offer products relating to the client identification process (also known as KYC) or electronic signatures.It is also worthwhile to note that LaBChain, a blockchain innovation lab launched by Caisse des Dépôts with various large financial institutions, started working in July 2016 on a business case dedicated to the use of blockchain to manage digital identity and KYC.InsurtechThe major French insurers have all launched internal projects aimed at better integrating technology in their activities. Most of these projects revolve around using technology to reach potential or current customers or using data analysis to better understand their needs. Their goal is to simplify and streamline the key steps of the insurance process: quotation; subscription; payment of premiums; and payment of claims.In addition to this gradual integration of technology, some French insurers have also started launching specific Insurtech-related projects. Axa, the leading French insurance company, launched in 2015 Kamet, an Insurtech incubator “dedicated to conceptualising, launching and accompanying disruptive Insurtech products and services”. In 2017, Axa launched Fizzy, a flight delay insurance product built upon the Ethereum blockchain. Fizzy leverages blockchain technology to provide automatic compensation if the flight is more than two hours late, without requiring the policyholder to formally request the payment of the claim. In March 2019, Axa partnered with Assurely, a U.S. startup, to launch “CrowdProtector”, an insurance product dedicated to equity crowdfunding and security tokens issuers and investors. According to Assurely’s website: “[i]ssuers get protection against investor complaints and lawsuits. Subject to the policy’s terms, investors can get their principal investment returned should the issuer misuse the funds, purposefully misrepresent information in their offering documents or steal the money.”Axa is not the only established financial institution dedicating resources to Insurtech. Société Générale, France’s third-biggest bank, launched Moonshot-Internet, an internal startup specialised in the emerging insurance needs of Internet retailers. Société Générale also supports Chainly, which dematerialises the car insurance claim process through a chatbot.Another noteworthy initiative is the trial of a blockchain-powered system to exchange secure data by 14 French insurers in November 2017, led by the French Insurance Federation.Independent Insurtech startups are also thriving in France. Alan, which sells user-friendly health insurance products to startups and freelancers, raised EUR40 million in February 2019, after a EUR23 million funding round in 2018. Alan obtained a licence from the ACPR in 2016. In March 2019, Shift Technology, which specialises in fraud detection and claims automation, raised EUR53 million. In 2020, Insurtech sector confirmed its growth, notably with Alan, capturing 12% of funds raised with EUR61 million, with the following deals in particular: Alan – 100% digital company mutual insurance, EUR50 million; Akur8 – real-time insurance pricing solution, EUR8 million; Easyblue – BtoB insurtech, EUR1.6 million; and Covered – online smartphone insurance, EUR1.2 million.

Regulatory bodies

French financial institutions are regulated by both the AMF and the ACPR (which is the regulatory arm of the French Central Bank). The AMF’s primary purpose is to protect



investors by ensuring the proper functioning of financial markets, while the ACPR is in charge of preserving the stability of the financial system and supervising the banking and insurance sectors.Whether a Fintech company is subject to the supervision of the AMF or the ACPR depends on the services provided by such company. Some actors only deal with one regulator (e.g. a bank or an insurance company would normally be under the sole supervision of the ACPR) but, in practice, most financial institutions deal with both regulators. For example, an insurance company would be regulated by the ACPR with respect to its insurance activities, but its asset management business would be subject to the AMF’s supervision.The AMF and the ACPR may also share their competences with respect to the authorisation process. For example, the ACPR is responsible for the authorisation of investment services providers, but their “programmes of activity” (i.e. the description of the activities carried out by the entity) must be approved beforehand by the AMF. Once investment services providers have obtained the licence, the ACPR monitors their activity and financial situation, while the AMF monitors their compliance with the applicable code of conduct.


France generally tries to gather all the laws related to the same industry within a single code – which may contain dozens of sections and hundreds of pages. Pursuant to this “codification” approach, most of the French financial and banking law is contained in the Monetary and Financial Code (Code monétaire et financier), rather than in individual bills. The Monetary and Financial Code contains a “legislative” and a “regulatory” section. The rules contained in the legislative section tend to be broad definitions, while the regulatory section generally contains detailed descriptions of the applicable regimes. At an increasingly detailed level, rules may be contained in specific regulations prepared by the regulatory authorities themselves, such as the General Regulation of the AMF or the Order of 3 November 2014 regarding the internal control of banks, payment service providers, and investment services providers subject to the supervision of the ACPR. Therefore, a Fintech startup wishing to identify the regulation to which it is subject should primarily check if an EU regulation covers its activities, and then browse the Monetary and Financial Code and identify the relevant subsections (if any).More specifically, below are the key Fintech-related legislations applicable in France:• Payment service providers are subject to PSD 2 and its transposal into French law.• Banks and financial institutions are mostly subject to the CRD IV package and PSD

2, and their transposal into French law. Part of the regulation applicable to French financial institutions may differ from EU law with respect to certain specific aspects, such as the banking monopoly.

• Insurance companies are mostly subject to the Solvency II and Insurance Distribution Directives, and their transposal into French law.

• Crowdfunding and crowdlending platforms are respectively subject to Articles L. 547-1 et seq. and L. 548-1 et seq. of the Monetary and Financial Code, unless they are managed by an investment services provider.

• Investment management companies and other investment services providers are subject to a wide set of provisions of the Monetary and Financial Code and the General Regulation of the AMF, which partly derive from MiFID II.

• Companies whose business models revolve around the use of crypto-assets are subject to Articles L. 54-10-1 et seq. of the Monetary and Financial Code.



Supra-national regulatory regimes or regulatory bodiesThe major part of French financial and banking law directly derives from the directives and regulations elaborated by the European Commission. The European supervisory agencies (“ESAs”) (ESMA for financial markets, EBA for banking activities, and EIOPA for insurance activities) then elaborate delegated regulations and directives which supplement the regulations and directives on specific aspects and are later adopted by the European Commission. The ESAs are also empowered by the directives or regulations to prepare draft regulatory technical standards (“RTS”) and draft implementing technical standards (“ITS”). Then, the ESAs generally issue guidelines and question and answers (“Q&As”) regarding certain aspects of the EU legislation. The goals of these guidelines and Q&As is to ensure consistency in the application of the legislation. The EU legislation is then implemented at national level by the national government and regulatory authorities.Other supra-national regulatory regimes may also shape EU banking and financial law (e.g. the measures adopted by the Basel Committee on Banking Supervision or the recommendations issued by the Financial Action Task Force), but they would not directly influence French banking and financial law. The recommendations or measures adopted by these supra-national bodies are first included in EU law by the European institutions, before starting to apply in France.Finally, as stated above, with its proposed regulation on Markets in Crypto-assets inspired by the PACTE Act regime and released on September 24, 2020 (MiCA), the European Commission aims to regulate ICOs and DASPs. The proposal for a regulation on a pilot regime for market infrastructures based on distributed ledger technology aims to create a new regime of exemptions to support the development of financial securities registered in blockchain (security tokens). The pilot regime aims to regulate: • market infrastructures: multilateral trading platforms and securities settlement systems

involved in the exchange of security tokens; and• operators: MiFID-accredited investment firms, market undertakings and central

securities depositories as defined in the CSDR. Regulatory authorities’ commitment to FintechAs described above, French lawmakers show an undeniable commitment to making France a leading Fintech hub. Major Fintech-related legislation include the regulation of crowdfunding and crowdlending in 2014 and the law allowing blockchain technology to be used to register and transfer unlisted securities, as well as the regulation of digital assets service providers by the PACTE Act.On the regulatory authorities’ side, the AMF and the ACPR launched in July 2016 the Fintech Forum, a consultative body gathering representatives from Fintech startups, financial institutions, lawyers and consultancy firms. The French cybersecurity agency (“ANSSI”), the French data protection authority (“CNIL”) and the French financial intelligence unit (“TRACFIN”) are also associated with the Fintech Forum. In addition, in June 2016, both the AMF and the ACPR set up internal Fintech teams (the division Fintech, Innovation et Compétitivité at the AMF and the Pôle FinTech Innovation at the ACPR). These teams act as “innovation hubs”, i.e. dedicated points of contact for startups and financial institutions to raise enquiries on Fintech-related issues and seek non-binding guidance on the conformity of their products with regulatory requirements. In October 2017, during the ICO boom, the AMF also created the dedicated taskforce UNICORN.French regulatory agencies do not plan to establish any national regulatory sandbox for the time being. They favour an approach based on proportionality: although a Fintech startup



would be subject to the same rules as an established financial institution, the enforcement of these rules would depend on the size of the entity and the level of risk associated with its activities. However, in a recent publication on security tokens, the AMF suggested that an exemption mechanism, named “digital lab”, be created at the European level, in order to allow national authorities to waive certain requirements related to securities law which currently restrain the development of security tokens.In an opinion issued on 29 April 2021, the French competition authority (l’Autorité de la concurrence) drew up a report on the changes brought about by fintech in various sectors. However, it is concerned about the strengthening of the market power of “BigTech” (i.e. GAFAM (for Google, Amazon, Facebook, Apple, Microsoft) and BATX (for Baidu, Alibaba, Tencent and Xiaomi)). Indeed, the data collected by BigTechs gives them an undeniable competitive advantage in that it allows them to reinforce the attractiveness of their platforms at a lower cost. General attitudes to FintechThe mainstream use of the concept of Fintech in France is rather recent. For example, the term “Fintech” was first used in the 2014 annual report of the ACPR.Technology-enabled financial innovation has never been hindered per se in France. Therefore, the attitude concerning Fintech has not shifted; rather, Fintech emerged as a buzzword in the last few years, and both the lawmakers and the regulatory authorities have launched initiatives to strengthen France’s position in the global and European Fintech ecosystem. Although France is certainly not as advanced as certain European jurisdictions, such as Malta, Liechtenstein, the United Kingdom and the Baltic countries, many efforts have been made and continue to be made in order to develop innovation-friendly Fintech regulation in France. The PACTE Act, in particular, is a notable effort to take the lead with respect to the regulation of ICOs and crypto-assets.Finally, in April 2019, France hosted the Paris Blockchain Week, a week-long event dedicated to blockchain technology and crypto-assets. The event was introduced by a conference organised by the Ministry for the Economy and Finance, during which members of the government reaffirmed their goal of turning France into a leading jurisdiction for blockchain technology.

Restrictions

To our knowledge, there are no specific restrictions regarding Fintech activities in France. The only restriction is that regulated activities must be carried out by regulated entities. However, the process of obtaining authorisation from the ACPR or the AMF is generally long and costly, which prevents many Fintech startups from developing certain business models as soon as part of their business model is subject to the regulator’s authorisation.The main incentive not to engage in certain activities relates to cryptocurrencies. Although the AMF or the ACPR have not issued specific recommendations on the matter, it is highly likely that they would discourage any large financial institution from trying to create an internal cryptocurrency-related business without first having it ring-fenced. Being exposed to the volatility risk of cryptocurrencies would probably not be well perceived by the ACPR or the AMF. Otherwise, the involvement in Fintech is generally well perceived by the French regulatory authorities.To our knowledge, the development of Fintech in France has not created any significant disruption. The development of cryptocurrencies, however, has prompted the AMF and the



ACPR to issue joint statements warning individual investors against the risks of investments in cryptocurrencies.


Most French Fintech startups only address the French market. However, as they grow and raise funds, some of these companies expand into other EU countries. EU law encourages this expansion with the European passport system: entities licensed in a European Economic Area (“EEA”) Member State may provide regulated services on the territory of another EEA Member State either through a branch or subsidiary (freedom of establishment) or directly, without permanent establishment (freedom to provide services).These passporting rules also allow foreign Fintech startups to offer regulated services in France after having obtained a licence from the regulatory authority of any EU country, including “small” ones. For example, in December 2018, neobank Revolut obtained in December 2018 a banking licence from the Bank of Lithuania. Some worry that the regulatory agencies of these small EU countries may engage in a form of regulatory dumping by offering Fintech startups a “fast-track” payment or banking licence. The licensing process of the Bank of Lithuania is reportedly as short as three months, while obtaining the same licence in France may take between six and 12 months.To our knowledge, no French startup has used this strategy to accelerate its growth. However, various Fintech startups (in particular those active in the blockchain industry) find themselves compelled to partner with entities regulated in small EEA countries (such as Liechtenstein), because French banks are reluctant to work with them.Cross-border collaboration with global regulatorsThe AMF and the ACPR are involved in supranational working groups regarding various Fintech-related issues. For example, the ACPR is a member of the Committee on Consumer Protection and Financial Innovation (organised by the EIOPA) and the Standing Committee on Consumer Protection and Financial Innovation (organised by the EBA), the latter of which notably focuses on the risks associated with crowdfunding and crypto-assets. Generally speaking, the AMF and the ACPR extensively participate in the Fintech-related working groups organised by the ESAs.In addition, the AMF and the ACPR have both established Fintech-related partnerships with various non-EU regulatory agencies. The ACPR partnered with Hong Kong, South Korea, Japan, Singapore, Taiwan, and the New York State Department of Financial Services, while the AMF has sealed Fintech-related agreements with the regulatory agencies of China, Israel, Singapore, the United Arab Emirates, and Mauritius.Regarding global financial regulation, the AMF is also involved in the Fintech-related working groups organised by the Financial Stability Board, the International Organization of Securities Commissions, and the Committee on Payments and Market Infrastructures.

Hubert de VauplaneTel: +33 1 44 09 46 80 / Email: [email protected] de Vauplane co-leads the Alternative Investment Management practice in the Paris office, offering a global and integrated vision on regulatory and transactional structuring and operations matters. Hubert advises on EU and French laws on banking and investment services regulatory matters, asset management and funds, insurance investment regulations, and financial/securities litigations, e-money and payment services, and financial institution mergers and acquisitions. He provides legal counsel on fintech, blockchain and cryptocurrency assets, and financial regulatory issues relating to investment advice, asset management, payment services and banking.Hubert also advises corporates, asset managers, corporate and investment banks and institutional investors in relation to the entire range of disintermediated financings, including the structuring and setting-up of debt funds (AIFM, ELTIF, FPE) under French or Luxembourg law, factoring programmes of trade receivables (French or pan-European), and the issuance of private bonds and hybrid debt instruments (EuroPP, USPP, bons de caisse).

Victor CharpiatTel: +33 1 44 09 46 75 / Email: [email protected] Charpiat’s practice focuses on financial market regulations, as well as the regulation of fintech, blockchain and cryptocurrencies. Victor also advises French and foreign financial institutions with respect to financial services (notably, the marketing of financial products, investment services and post-market regulation) and other financial market transactions (credit loans, bond issuances, EuroPP, ICOs).

Kramer Levin Naftalis & Frankel LLP47 avenue Hoche, 75008 Paris, France

Tel: +33 1 44 09 46 00 / URL: www.kramerlevin.com



HungaryDr. Márton Kovács, Dr. András Zsirai & Dr. Roland Osvald

HBK-Partners



Under the Hungarian regulation, FinTech does not have a legal definition, it is rather used – in accordance with the European Commission’s approach – as an umbrella term “describing technology-enabled innovation in financial services that could result in new business models, applications, processes or products and could have an associated material effect on financial markets and institutions and how financial services are provided”. In connection with FinTech, the other essential part of the Hungarian regulation relates to the licensing practice of the regulating body: FinTech companies shall only need to acquire an activity licence if they carry out a licensed financial or investment activity. In Hungary, the supervision and authorisation of such activities falls within the scope of the National Bank of Hungary (the “NHB”). Overall, the NHB has a welcoming attitude towards FinTech and digitalisation. As an important step, in order to facilitate the process of obtaining an activity licence and additionally to enable FinTech companies to test their products in a real-life environment, at the beginning of 2019, a regulatory sandbox had been established by the NHB – as one of the first regulators in the Central-European region. Although the NHB aims to expand the availability of the sandbox to unlicensed companies as well, currently only regulated companies are entitled to participate in and benefit from the sandbox. Moreover, the NHB has established an Innovation Hub which helps to identify legal or business obstacles and offers support regarding the implementation of innovative solutions. During 2020, the NHB paid special attention to strengthen the FinTech ecosystem and to enhance digitalisation by way of cooperating with universities, supporting research projects, and organising hackathons.Over the past few years, the FinTech landscape in Hungary has evolved significantly and the emergence of the COVID-19 pandemic (which resulted in radically transformed consumer behaviour) has further accelerated the digitalisation processes and therefore the expansion of FinTech companies. As a result, in 2019, there were already 130 companies engaged in FinTech activities and the number has continued to grow ever since according to the Fintech and Digitalization Report of the NHB. The greater part of FinTech companies (approximately 77% of the sector) are micro and small enterprises that are mainly financed by venture capital. To further describe the Hungarian market, it can be established that the majority of FinTech companies operate in a business-to-business model, which indicates that FinTech companies are primarily present as the partners (and not as the challengers) of the incumbents in the financial sector. Moreover, several financial institutions have initiated incubation programmes to fund promising projects. In terms of service scope, most of the domestic FinTech companies provide services in the area of financial software development, system integration, payment services and robo-advisory services. The current

HBK-Partners Hungary


rise of the FinTech phenomenon in Hungary is also well illustrated by the establishment of the Hungarian FinTech Association, which functions as an independent representative organisation of the Hungarian FinTech community and aims to strengthen the cooperation between FinTech companies thus increasing the international competitiveness of domestic FinTech players.

Fintech offering in your jurisdiction

Payment servicesThe PSD2 directive was implemented in Hungary back in 2018, and there is no essential difference between the Hungarian implementation and the PSD2 directive. FinTechs providing innovative payment services account for the largest share of the domestic FinTech sector and a high portion of these are offering electronic payment platforms to rival the traditional payment systems. Such activity is regulated by Act CCXXXV of 2013 which also contains rules relating to the issuance of e-money. Under the Hungarian law, e-money is defined as “electronically, including magnetically, stored monetary value as represented by a claim on the issuer of the e-money which is issued on receipt of funds for the purpose of making payment transactions, and which is accepted by a natural or legal person, unincorporated business association or private entrepreneur other than the e-money issuer”. In general, companies issuing e-money are subject to the authorisation of the NHB. Furthermore, the adoption of Decree No. 35/2017 (XII. 14.) of the NHB, which implemented the instant payment system and allowed secondary identification for payment services instead of bank accounts, has contributed to the more frequent use of such digital payment solutions. Regarding the recent changes in the Hungarian legislation, the adoption of Decree No. 26/2020 (VIII. 25) of the NHB is also considered to be a breakthrough because it has made unlimited real-time account opening with remote customer identification possible for financial institutions.CrowdfundingCrowdfunding platforms allow individuals and investors to directly fund projects without involving any third party. Currently, there is no special legislation in Hungary relating to crowdfunding, it is subject to the regulation applicable for financial and investments services and to the acts of the European Union, the European Banking Authority and the European Market and Securities Authority. The NHB published a recommendation in 2015, and a supplementary recommendation in 2016 relating to crowdfunding, although these are not legally binding documents. Based on these recommendations, the NHB differentiates between four main kinds of crowdfunding activities: (i) donation-based; (ii) lending-based; (iii) investment-based; and (iv) prize-based crowdfunding. Lending- and investment-based crowdfunding has been further examined from a licensing perspective and according to the NHB, licensing requirements are only applicable if the subject of the activity conducted on the crowdfunding platform qualifies as a financial instrument determined in Section 6 of Act CXXXVIII of 2007. For instance, under the Hungarian regulation, lending activities performed on a business basis are also subject to licensing, so the NHB has provided a detailed analysis on how it should be determined whether the business basis criteria is met or not. To boost the capital raising activity of SMEs in Hungary, an amendment to the Act CXX of 2001 has made it possible for stock exchanges to operate crowdfunding activities. In connection with the future of crowdfunding, it must be mentioned that, from November 10, 2021, crowdfunding service providers will be able to operate under harmonised rules at EU level. The regulation that will enter into force will provide scope for the cross-



border provision of online platform-based crowdfunding services and will aim to strengthen confidence in this form of financing through detailed investor protection rules. In addition to PSD2, a new EU-level initiative may help spread innovative FinTech ideas from an operational point of view as well as by creating a new funding channel to keep pace with other regions.Distributed Ledger Technologies (blockchain) and cryptocurrenciesSo far there is no actual national legislation in connection with blockchain and cryptoassets; however, the Hungarian Authority of Data Protection and Freedom of Information (“DPA”) and the NHB have published several important guidance relating to these topics. The DPA has determined blockchain as a decentralised network where transactions are completed solely by adding new blocks (data) to the system without the involvement of any central entity. In a lot of cases new blocks contain personal data, therefore in these cases, the DPA considers miners (the users who add new blocks to the system) as data controllers which lead to data protection issues. The guidance issued by the DPA reflects the key issues on the data protection obligation of FinTech companies, but to help blockchain solutions become more widespread in Hungary, a more detailed regulation is inevitable.Despite the welcoming attitude towards digitalisation and innovative solutions, the NHB has issued several warnings relating to cryptocurrencies. Due to the decentralised nature of cryptocurrencies, there is not a central entity supervising these transactions which make them risky. Although the NHB considers cryptocurrencies as risky assets, it has announced the development of a central bank digital currency and initiated two other projects based on DLT (an application which allows students to collect digital coins and a registry to track valuable items). From a tax perspective, until recently, cryptocurrencies were considered as “other income” therefore, the taxation of these assets was extremely disadvantageous. However, earlier this year a new legislation has been passed relating to the taxation of cryptoassets.Robo-advisory systems Robo-advisors are basically software tools driven by artificial intelligence (“AI”) that provide investments advice services like portfolio selection or personal finance planning. Robo-advisory can be interpreted as investment advice or investment and financial analysis. Under the current regulation, carrying on these activities in connection with financial instruments requires the authorisation of the NHB.


RegtechThe core promise of Regulatory Technology (“RegTech”) was and is to disrupt the regulatory landscape by providing technologically advanced solutions to the ever-increasing demands of compliance within the financial industry. As mentioned earlier, the outbreak of the COVID-19 pandemic and the radically changed consumer behaviour made companies and institutions to rapidly digitalise their processes and to look for cost- and time-effective solutions to manage the regulatory requirements in a completely transformed business environment. It has been established earlier that, in Hungary, FinTech companies are primarily present as the partners of the incumbents in the financial sector, therefore RegTech companies mainly provide technological support for these institutions. The number of RegTech companies have always been quite low in comparison to domestic FinTech companies. However, in line with global trends, the pandemic has resulted in a rapid



growth regarding the demand for RegTech. Most of the Hungarian RegTech companies offer products relating to compliance with the General Data Protection Regulation (“GDPR”), electronic signatures or client identification processes. InsurTechConducting insurance activity in Hungary is subject to the NHB’s authorisation according to Section 237 (1) of Act LXXXVIII of 2014, but the requirements set out in order to acquire such authorisation are basically unachievable for InsurTech companies. In the field of insurance, one of the biggest obstacles is considered to be the lack of regular communication between insurance companies and their clients and in a lot of cases this results in higher prices. Most of the innovative InsurTech solutions are concentrating on this phenomenon and by integrating data analysis solutions, based on AI, into the internal processes of insurers, they try to make insurance processes more automated, while they also try to establish more direct connections with clients. As a result, over the last few years, a continuously increasing number of insurers have built strong cooperation with InsurTech companies to develop and automatise internal processes, which has caused a rapid boom in the market. However, these developments are taking place only within the biggest insurance companies, therefore further growth of the InsurTech industry can be expected in the future. Finally, it is worth mentioning that smart contracts are expected to fundamentally change insurance processes in the coming years. Smart contracts are essentially pre-written computer codes which are stored and replicated on DLTs and enable the automatic execution of monetary transactions upon the completion of the pre-determined conditions. However, these innovative solutions have not yet spread in the Hungarian market, hence, currently, there is not any specific legislation relating to them.

Regulatory bodies

In connection with FinTech companies, the following Hungarian regulatory bodies must be mentioned:NHBRelating to the financial services market, the key regulatory body is the NHB, which is the conduct regulator for firms providing financial products and services in Hungary. As mentioned earlier, carrying on finance, investment or insurance activities by way of business is subject to authorisation and such authorisation can be acquired from the NHB. Therefore, if the product or service of a FinTech company qualifies as a financial or investment activity, an authorisation from the NHB must be acquired as a precondition of the provision of such product or service. All authorised entities are listed on the Registry of the NHB, which is public and can be accessed for free. In addition, the NHB has an important role in the interpretation of law by issuing guidelines and opinions on good market practices. DPAMost of the FinTech activities also involve the processing of personal data and Hungary has an extremely privacy-sensitive FinTech ecosystem, so addressing data protection issues also plays an important role relating to FinTech activities. In Hungary, the DPA functions as the main data protection authority that monitors and supervises the activities of FinTech companies in connection with the compliance with Act CXII of 2011 (which is the Date Protection Act of Hungary) and the GDPR. Among other things, the DPA is entitled to conduct investigations in case of data protection infringements and has the right to impose fines.



Consumer protectionFinTech companies must conduct their activities with regard to consumer protection regulations. In Hungary, two bodies need to be mentioned relating to the compliance with the consumer legislation. Since 2017, the Ministry of Innovation and Technology functions as the general consumer protection authority and the NHB acts as the consumer authority for entities engaged in activities supervised by the NHB.


Firstly, it is essential to note that as a member country of the EU, Hungary has implemented the EU legislation relating to financial services and capital markets; therefore, the majority of the Hungarian law regarding FinTech companies derives directly from the regulations and directives issued by the European Commission. It has been mentioned earlier that FinTech companies are not separately regulated in Hungary, therefore they are subject to the general legislation applicable to the activity they conduct. This shows, however, that the number of fintech-specific regulation is still limited in Hungary. The main purpose of this chapter is to provide a comprehensive picture of the key regulatory compliance issues regarding innovative FinTech companies.Licensing and capital requirementsIn order to provide finance, investment, insurance services by way of business, the service providers must comply with requirements set out by the law. Most of these requirements are specified in the following acts:(i) Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises;(ii) Act CXX of 2001 on the Capital Market;(iii) Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the

Regulations Governing their Activities; and(iv) Act LXXXVIII of 2014 on the Business of Insurance.It has been already established that, as one of the most essential requirements, FinTech companies must determine the type of services they provide and if it qualifies as a regulated activity, they must acquire the authorisation of the NHB. It is also important to note that under the Hungarian law, several regulated activities can only be carried out in certain corporate forms and are subject to capital requirements as well. For instance, financial enterprises must have a share capital of HUF 50 million while banks can be established with a share capital of at least HUF 2 billion.Anti-money laundering provisionsAct LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing authorises the NHB to supervise the anti-money laundering control of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment; therefore, FinTech companies must comply with such regulations as well. The Hungarian requirements in connection with anti-money laundering are basically the same as the requirements determined in the Fourth Anti-Money Laundering Directive.Data protection, cybersecurityAs mentioned earlier, FinTech companies must comply with the data protection rules in case they handle or process personal data. In Hungary, the GDPR and Act CXII of 2011 on the Right of Informational Self-Determination (Data Protection Act) and on Freedom of Information regulates data protection and processing of personal data. An infringement



of the GDPR may result in high administrative fines, therefore it is essential for FinTech companies to establish a data processing practice which complies with the requirements set out in the regulations above.The Hungarian law has implemented the Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union through the Act CVIII of 2001 on certain matters concerning electronic commercial services and information society services (“Electronic Commercial Services Actˮ). The Electronic Commercial Services Act contains rules in connection with online marketplaces, search engines, cloud computing services and data protection (for instance, the user’s right to prohibit data processing) as well; however, such rules are not applicable to SMEs, therefore most of the FinTech companies are exempt from such rules.OutsourcingIn Hungary, there are not any regulatory barriers relating to the cooperation between incumbents and FinTech companies. To cut expenses, incumbents often outsource some of their critical or non-critical functions to FinTech companies. Under the Hungarian regulation, despite the outsourcing of a certain function, incumbents will still be liable for such functions. In order to clarify issues in connection with outsourcing, the NHB has issued Recommendation No. 7/2020, which, amongst other topics, gives guidance on how to determine whether the given activity should be deemed as outsourcing and determines the requirements towards outsourcing agreements.

Restrictions

There is no specific regulation relating to FinTech companies, therefore they are not subject to any special restrictions. Regulations and restrictions applicable to a certain FinTech company should be assessed on a case-by-case basis depending on the exact type of activity carried out by the company.


Although by establishing the passport system the EU law encourages FinTech companies to enter foreign markets, the majority of the Hungarian FinTech companies still only address the domestic market. However there has been a growing number of foreign investments in Hungarian FinTech companies over the last few years. Furthermore, in 2019, Hungary joined the Global Financial Innovation Network (“GFiN”), an initiative which functions as a global regulatory sandbox and provides a cross-border environment for FinTech companies to test their products. In the future, this may encourage Hungarian companies to enter international markets and attract foreign investors to Hungary, which would increase the inflow of foreign capital to the domestic markets.

Dr. Márton KovácsTel: +36 1 610 4440 / Email: [email protected]. Márton Kovács worked in the real estate and litigation practice group of the Budapest office of Baker & McKenzie. In 2006, he founded his own firm and from January 2017, he became one of the founding partners of HBK-Partners. Although his professional experience covers mainly real estate and M&A, he is also proficient in capital markets transactions, having led HBK-Partners’ capital markets team in all three public takeovers at the Budapest Stock Exchange in 2017 and the listing of Hungary’s fourth-largest commercial bank in 2019. Further, he has gained unique experience in hotel law, representing various investors vis-à-vis global and local hotel operator companies. Márton is also a lecturer in M&A courses of the Budapest Institute of Banking (“BIB”) and holds workshops for various VC funds and start-up companies.

Dr. András ZsiraiTel: +36 1 610 4440 / Email: [email protected] Dr. András Zsirai is an associate in the Corporate M&A and Capital Market practice of HBK-Partners. He mainly focuses on M&A and capital investment transactions alongside providing legal advice in regulatory matters of financial institutions and investment funds. He has also gained valuable experiences in connection with banking & finance deals.

HBK-PartnersKálvin tér 12. Kálvin Square Offices, H-1085 Budapest, Hungary

Tel: +36 1 610 4440 / URL: www.hbk-partners.com



Dr. Roland OsvaldTel: +36 1 610 4440 / Email: [email protected]. Roland Osvald is an associate in the Corporate M&A and Capital Market practice of HBK-Partners. While mostly focusing on M&A transactions, he also gained experience in the areas of corporate law, banking law, litigation and legaltech.

IndiaShilpa Mankar Ahluwalia, Himanshu Malhotra & Vrinda Pareek

Shardul Amarchand Mangaldas & Co



FinTech has caused significant disruption in payments and lending in India. Rapid developments in mobile and telecommunications technology coupled with the Indian Government’s support for digital payments (as also seen in the 2021 Union Budget earmarking INR 15 billion for schemes towards incentivising digital payments) have led to tremendous innovation and growth of FinTech products. Transaction volume of digital payments on the Unified Payments Interface (“UPI”) network (also discussed in more detail subsequently) increased by 58% between February 2020 and October 2020, crossing 2 billion transactions in October 2020. COVID-19 and several phases of corresponding lockdowns likely caused this surge, which has also been facilitated by factors such as a strong policy shift towards digitisation and increasing banking and smartphone penetration. The digital payments market in India, in particular, is estimated to reach the USD 1 trillion mark by 2023. Changes in law (particularly around “know your customer” (“KYC”) and on-boarding of customer rules) had significantly increased the regulatory burden and costs of operation for non-bank FinTech players, causing several to re-think their business strategy. The regulator, recognising these operational challenges, had permitted FinTech players to utilise certain modes of digital and video KYC to on-board customers, allowing more cost-effective customer acquisition strategies. Video-based customer verification methods have since been innovated and adopted by several bank and non-bank FinTech players. Banks and non-bank players initially launched competing FinTech products and the FinTech landscape in India was, for a while, segmented into banks vs. non-bank players. The market has, however, shifted to a more collaborative model, with banks and non-bank entities partnering in several dimensions, each leveraging their respective strengths to provide customers easy-to-use financial products. Non-banks have the ability to leverage technology more effectively and are able to access markets that banks would find too expensive to tap into in the ordinary course. Banks have strong balance sheets and a good understanding of the regulatory and licensing regime governing financial products. In the payments space, banks have partnered with technology platforms to manage the customer and product interface for both pre-paid and UPI-enabled payment solutions. In digital lending, banks, at the origination stage, are beginning to rely on credit-scoring procedures of non-bank partners that use non-conventional data to perform a credit risk analysis. The market is also likely to see post-origination deals, such as securitisation of loan portfolios, risk-sharing and back-end bank participation structures.Further, to incentivise innovation in the retail payments space and in order to mitigate systemic risk on account of the National Payments Corporate of India (“NPCI”) managing

Shardul Amarchand Mangaldas & Co India


and operating a significant proportion of retail payments transaction value in the country, the RBI released a framework on August 18, 2020 for the authorisation of a new pan-India umbrella entity focusing on: retail payment systems, such as setting up automated teller machines and white labelled points of sale; developing clearance and settlement systems for participating FinTech players; undertaking systemic risk management; and ensuring competitive and efficient functioning of the payments space.On the digital lending side, meanwhile, the Reserve Bank of India (“RBI”), i.e. the central bank and the primary financial sector regulator, has indicated a recent policy move towards increased regulation. In India, digital lending is primarily undertaken by regulated entities such as banks and non-banking financial companies (“NBFCs”). However, the digital lending landscape involves other entities and platforms that may or may not be regulated and that provide value-added services such as data analytics, underwriting processes, credit modelling (on the basis of financial or behavioural data) and distribution of credit products. In January 2021, the RBI constituted a working group to review digital lending activities by regulated as well as unregulated entities with the objective of formulating a regulatory framework for digital lending. Following the submission of the working group’s recommendations to the RBI, it is likely that the digital lending sector will see greater regulation.Payment companies have been pushing for inter-operability and a level playing field between banks and non-banks. The RBI’s 2018 guidelines for inter-operability of all mobile wallets (enabling wallet-to-wallet transfers across multiple issuers) was recently supplemented in April 2021 with a policy statement recognising that voluntary migration towards interoperability has not been significant and proposing to make interoperability mandatory for full-KYC wallets and for all payment acceptance infrastructure (i.e. UPI/ card networks). As the digital payments sector has matured in India, the RBI seems to be getting more comfortable giving non-bank players access to the payments, financial and digital infrastructure that banks are able to access. For instance, as of April 2021, cash withdrawals were permitted only on full-KYC wallets/prepaid payment instruments issued by banks. However, to create a level playing field across bank and non-bank wallet issuers, the RBI has on May 19, 2021 also permitted cash withdrawals for full-KYC wallets/prepaid payment instruments issued by non-bank entities. The RBI has also introduced mandatory inter-operability for full-KYC prepaid payment instruments by March 31, 2022, to be implemented through authorised card networks in case of instruments issued in the form of cards and through the UPI in case of instruments in the form of mobile wallets.While FinTech has taken rapid strides in India in the digital payments and lending space, the same is not true for cryptocurrency, where there has been considerable regulatory resistance. In April 2018, the RBI issued a circular (“April 2018 Circular”) prohibiting any bank or other entity licensed by the RBI from dealing in, settling or enabling any buying or selling of cryptocurrency with the intent to ring-fence such regulated entities from the risks (including money-laundering risks) associated with trading in virtual currencies. While cryptocurrency was not legally prohibited by the April 2018 Circular, the RBI has on several occasions publicly stated that it does not view cryptocurrency as a valid payment system. In an important development, the Supreme Court of India, on March 4, 2020, quashed the April 2018 Circular, declaring the prohibition contained in the April 2018 Circular as disproportionate. While this decision allows for peer-to-peer (“P2P”) trading, the Government of India has been looking to prohibit the mining, holding, selling, trading, issuance, disposal or use of cryptocurrency in India, in the form of a draft “Banning of Cryptocurrency and Regulation of Digital Currency Bill, 2019”, yet to be formally introduced in the Indian Parliament.



While cryptocurrency is not recognised as valid legal tender in India, blockchain technology has not faced the same regulatory resistance. Indian regulators are open to blockchain technology-based innovations, with the RBI specifically including applications under blockchain technologies in the list of innovative products and services that could be tested under the framework for regulatory sandboxes notified by the RBI. Several start-ups and even some government departments in India are using blockchain-based technology for providing solutions to different industries ranging from healthcare, banking, trade finance, insurance, document management and others.Developments in robo-advisories, algorithmic trading and financial research platforms are at a nascent in India and fall within the jurisdiction of the financial markets regulator, Securities and Exchange Board of India (“SEBI”).

FinTech offering in India

The key FinTech players and products offered by such players (financial services companies and other entities operating in the FinTech space in India) broadly fall within the ambit of either digital payments or digital lending. These are:• PPIs: PPIs are instruments that facilitate the purchase of goods and services (including

financial services, remittance facilities, etc.) against a “stored value” on such instruments. In India, PPIs may be issued by banks and eligible non-bank entities as pre-paid cards (physical/ virtual) or virtual wallets. PPIs may be issued under one of three categories: (i) closed-system PPIs; (ii) semi-closed system PPIs; and (iii) open-system PPIs. Each of these categories permits a different scope of transactions.

• UPI payments: The UPI is a payments platform managed and operated by the NPCI. The UPI enables real-time, instantaneous, mobile-based bank-to-bank payments. It primarily relies on mobile technologies and telecommunications infrastructure to offer easily accessible, low-cost and universal remittance facilities to users. UPI-enabled payments constitute a significant percentage of the consumer-to-merchant and P2P digital payment transactions and were the most preferred mode of payment (in terms of volume) in 2020.

• Digital lending: With increasing advances in technology and telecommunications infrastructure, several NBFCs in India have moved to digital platforms for credit products, particularly to small and medium enterprises and retail clients. These NBFCs have developed interactive applications and websites to enable end-to-end digital customer journeys – starting with on-boarding and initial credit verification and checks; and then subsequently, execution of loan documents and disbursement.

• P2P lending platforms: P2P lending platforms are online platforms which offer loan facilitation services between lenders registered on the platform and prospective borrowers. Under RBI regulations, P2P lending platforms may be operated by eligible Indian companies registered with the RBI as an NBFC–P2P-lending platform. P2P lending platforms act as intermediaries providing an online marketplace for P2P lending in a regulated environment.

• Payment aggregators and payment gateways: Payment aggregators are entities which facilitate online sale and purchase transactions primarily on e-commerce platforms, without requiring e-commerce merchants to create a separate payment integration system. Payment aggregators receive payments from customers, and pool and transfer them to the merchants after a period of time. On the other hand, payment gateways are entities that provide technology infrastructure to route/facilitate processing of online payment transactions, without handling any funds.



• Payments banks: Payments banks are entities licensed by the RBI to offer basic banking services digitally to their customers and are permitted to accept small deposits (up to INR 100,000) from them. However, payments banks are not permitted to give loans, issue credit cards or offer any credit products. The regulatory intent behind payments bank licences was primarily to increase financial inclusion, especially in the low-income segments and to promote digital payments and digital banking services in the country.


Regulatory changes around e-KYC and AadhaarA key regulatory development that has had a significant impact on the FinTech ecosystem in India is the Indian Supreme Court’s judgment in Justice (Retd.) K. Puttaswamy & Ors. v. Union of India (“Aadhaar Judgment”) and consequent legislative changes. The Supreme Court’s decision in the Aadhaar Judgment restricted private bodies from undertaking Aadhaar e-KYC authentication (“e-KYC”) and from accessing the Central KYC Registry to verify the identity of their customers.In discussion with the Unique Identification Authority of India (“UIDAI”), FinTech players subsequently developed innovative and cost-efficient ways to leverage the existing Aadhaar ecosystem (without accessing the Central KYC Registry) to complete identity verification of their customers, including use of QR code-based technologies, XML files, and masked Aadhaar files, which evolved primarily as market practice to ensure compliance with KYC regulations in a commercially sound manner, and which have now been recognised as legally valid methods of undertaking identity verification. Further, recognising the challenges faced by FinTech players in undertaking their KYC processes, the RBI has permitted two additional modes of offline KYC for non-bank players: (i) digital KYC; and (ii) video-based KYC. These modes incorporate the methods/technology evolved by industry players to undertake KYC while ensuring an element of “liveness” and consequently requiring FinTech players to ensure identity verification while on-boarding customers in a non face-to-face format (in the case of video-based KYC).InsurTechWhile InsurTech in India is currently in the early stages of growth, it has disrupted the traditional supply chain of insurance products in the country. Several players in the insurance sector have partnered with technology partners and other FinTech players to offer a range of digital insurance products to their customers. For example, several payment wallets operating in the country have tied up with insurance companies to offer insurance products to existing customers through their digital platforms. In addition to partnering with FinTech players like payments wallets, insurance providers have also set up independent digital platforms for offering insurance products to existing and new customers.An important area of discussion in relation to the offering of insurance products in India is the bundling of insurance products with other goods and services (including financial products). The concerns around the packaging of insurance products with other products primarily include: inadequate disclosure to the customer of the characteristics of the bundled insurance products; restrictions on consumer choice or the freedom to make informed choices or comparisons with other products available in the market; and undue influence over the customers by the provider of the packaged bundled products. With advances in technology and fast-paced developments in the FinTech market, opportunities to bundle insurance products with other financial products have become easier and more convenient.



In 2012, with a view to regulate bundling of insurance products with other goods and services, the IRDAI released a discussion paper on “tying and bundling insurance policies with other services and goods” and invited comments from the public. However, the discussion paper did not culminate in codified guidelines or regulations to regulate the bundling of insurance products.

Regulatory bodies

RBIThe primary regulator for FinTech in India is the central bank – the RBI. The RBI initially followed a light-touch approach to FinTech regulation, but has been increasingly moving closer towards a full-regulation model. The RBI has also generally been quick to respond to market changes and technological advances, and there have been several changes and updates in the law over the last few years to appropriately accommodate such developments.NPCIThe NPCI is an umbrella, quasi-regulatory organisation for operating retail payments and settlement systems in India. It is a joint initiative of the RBI and the Indian Banks’ Association and was established with a view to create an innovative and robust payment & settlement infrastructure in India. The UPI payments in India are governed by periodic procedural guidelines issued by the NPCI. Ombudsman Scheme for Digital TransactionsThe RBI has mandated FinTech players to establish adequate mechanisms to address customer complaints in respect of products they offer. The RBI issued the Ombudsman Scheme for Digital Transactions on January 31, 2019, appointing RBI officers as ombudsmen to enable customers to report complaints against non-bank entities participating in a payment system on grounds including deficiency of service, unauthorised money transfers, and failure to initiate refunds. In addition, with a view to protect users of mobile wallets and other digital payment tools, the RBI has issued multiple directions limiting liability of customers to a prescribed maximum financial exposure in case of unauthorised electronic payment transactions. UIDAIThe UIDAI is the statutory body responsible for administering the Aadhaar programme – the largest identity project in India and one of the largest globally. The UIDAI has been central to the rules and framework governing use of Aadhaar by FinTech players as a means for customer on-boarding and verification.


Key regulations governing FinTech in IndiaThe regulatory landscape governing FinTech in India is largely fragmented, and there is no single set of regulations or guidelines which uniformly govern FinTech products in India. The absence of a consolidated set of regulations or guidelines governing FinTech products in India makes it challenging to navigate the regulatory landscape governing FinTech in India, which primarily consists of:• Payment and Settlement Systems Act, 2007: The Payment and Settlement Systems

Act, 2007 (“PSS Act”) is the principal legislation governing payments regulation in India. The PSS Act prohibits the commencement and operation of a “payment system”



without prior authorisation of the RBI. The PSS Act defines a “payment system” as “a system that enables payment to be effected between a payer and a beneficiary, involving clearing, payment or settlement service of all of them, but does not include a stock exchange”. Payment systems include the systems enabling credit card operations, debit card operations, smart card operations, money transfer operations, PPIs, etc.

• Master Direction on Issuance and Operation of Prepaid Payment Instruments: The Master Direction on Issuance and Operation of Prepaid Payment Instruments issued by the RBI on October 11, 2017 and amended from time to time (“PPI Master Direction”) prescribes the eligibility criteria for PPI issuers, permissible debits and credits from PPIs and other operational guidelines to be followed by PPI issuers while issuing PPIs to their customers in India. PPIs fall within the definition of a “payment system” under the PSS Act and are therefore required to comply with the PSS Act and the PPI Master Direction.

• NPCI Guidelines governing UPI Payments: UPI Payments in India are primarily governed by the UPI Procedural Guidelines issued by the NPCI. Under the current framework, only banks can directly integrate with the UPI platform to provide money transfer services to their customers. Banks are, however, permitted to engage technology providers for the design and operation of mobile applications for the purpose of UPI Payments, subject to compliance with certain eligibility and prudential norms prescribed by the NPCI.

• NBFCs: NBFCs are primarily governed by the Reserve Bank of India Act, 1934 and a series of master directions and circulars regulating the licensing and operation of NBFCs in India. The RBI has set out certain thresholds to determine whether an entity will be classified as a financial services company requiring licensing. Most digital lenders operating in India are licensed as NBFCs. The key regulations governing NBFCs in India include the Master Direction – NBFC – Systemically Important Non-Deposit taking Company and Deposit taking Company (Reserve Bank) Directions dated September 1, 2016, Master Direction – NBFC – Non-Systemically Important Non-Deposit taking Company (Reserve Bank) Directions dated September 1, 2016, and Master Direction – NBFC – Acceptance of Public Deposits (Reserve Bank) Directions dated August 25, 2016, each as amended from time to time.

• Guidelines regulating P2P lending platforms: P2P lending platforms are primarily governed by the Master Directions – NBFC – Peer to Peer Lending Platform Directions 2017, which prescribe lender exposure norms and aggregate borrowing limits in relation to the operation of P2P lending platforms in the country.

• Guidelines governing payment aggregators/gateways: The Circular on Guidelines on Regulation of Payment Aggregators and Payment Gateways dated March 17, 2020 (“Payment Intermediary Guidelines”), recently updated on March 31, 2021, sets out the legal framework applicable to payment intermediaries (such as payment aggregators and payment gateways) operating in India. While the RBI has sought to directly regulate payment aggregators, it has stipulated only baseline technology-related recommendations for payment gateways, given that payment gateways do not handle funds.

• Anti-money laundering The regulator primarily responsible for overseeing and enforcing anti-money laundering

regulations and measures is the RBI. Regulations governing entities offering financial products in India are the Prevention of Money Laundering Act, 2002, the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and the RBI’s Master Directions on KYC dated February 25, 2016 (as amended from time to time).



• Data privacy and protection: Access to customer data, data privacy and protection have each become an increasingly important issue with FinTech platforms collecting and storing various forms of customersʼ personal, financial, and behavioural data. India does not today have a comprehensive data privacy framework. The Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are the two key regulations governing protection of personal data. The Justice Srikrishna Committee constituted by the Government of India to develop a data protection regulatory framework issued a set of recommendations and submitted a draft bill in 2018, which was updated by the Government to the Personal Data Protection Bill, 2019, tabled in the Indian Parliament in December 2019 and examined by a Joint Parliamentary Committee. The bill is expected to come into law in 2021. In addition, with the objective of enhancing digital security to protect sensitive customer data, the RBI has recently introduced several measures and restrictions to mitigate data leaks. These measures include recommending technology measures for regulated entities to set up common minimum standards of security controls (via the Master Direction on Digital Payment Security Controls dated February 18, 2021), restricting payment aggregators and merchants from storing customer card credentials (save and except limited information for purposes of transaction tracking), etc.

Regulatory approaches

Data protection regulationWhile regulations governing FinTech in India have not substantially been influenced by international or supranational regulatory regimes (for example, the Indian Government’s continued resistance to recognise cryptocurrency), one area where Indian regulations have relied on global precedent is data protection laws. The draft Personal Data Protection Bill is modelled along the lines of the General Data Protection Regulation (“GDPR”) and adopts the key principles of the GDPR, including fair and reasonable processing, purpose limitation, collection limitation, and data storage limitation.Regulatory sandboxesThe RBI has typically dealt with new development in the FinTech space by inviting comments from the general public, market players and other stakeholders before issuing regulations governing new innovative products in the FinTech space. The RBI had, in 2018, released the “Draft Enabling Framework for Regulatory Sandbox”, inviting comments from the public and concerned stakeholders on proposed guidelines governing regulatory sandboxes proposed to be set up by the RBI to test new products in a controlled regulatory environment under close supervision, which translated into a final “Enabling Framework for Regulatory Sandbox” in August 2019. Under the regulatory sandbox framework, FinTech companies including start-ups, banks, financial institutions and any other company partnering with or providing support to financial services businesses and which satisfies the eligibility criteria will be selected for testing their products in the regulatory sandbox. The eligibility criteria include parameters such as: (i) net worth of at least INR 1 million; (ii) satisfactory credit score/history of promoters and directors; (iii) promoters and directors of the applicant entity meeting the prescribed “fit and proper” criteria; (iv) demonstrated ability to comply with personal data protection laws; and (v) adequate IT infrastructure and safeguards to protect against unauthorised access, destruction and disclosure. The sandbox is intended to allow for testing of products and technology that: (i) are not currently governed by regulations and face some form of regulatory barrier in implementation; (ii) require certain regulatory



relaxations for testing; and (iii) promise to improve delivery of financial services. The RBI has indicated that the solution proposed for sandboxing must highlight an existing gap in the financial ecosystem and specifically address how this can be solved. The RBI contemplates product testing by a few select entities in a single regulatory sandbox cohort (i.e. end-to-end sandbox process, typically lasting up to six months each), where products broadly fall within a shared theme. There is a requirement for the test scenarios and expected outcomes to be clearly defined upfront. The entity must report results to the RBI on an ongoing basis, as per a pre-agreed schedule. While certain regulatory requirements may be relaxed for the duration of the sandbox, the RBI has made it clear that applicants will have to continue to comply with data protection laws and KYC requirements. In addition, separately, applicants will continue to be liable to customers for financial products tested in the sandbox. The framework outlines various stages of the sandbox process for a single cohort, each of which shall be monitored by the FinTech Unit at the RBI under overall guidance of the Inter Departmental Group of the RBI and with participation of domain experts. The first cohort under the regulatory sandbox was opened up in November 2019, with “Retail Payments” as its theme, aimed particularly at evolving payments solutions for the unserved/underserved sections of the country; the second cohort on “Cross-border Payments” was announced in December 2020; and the third cohort will be focused on “SME Lendingˮ. Similar to the regulatory sandboxes implemented by the RBI for FinTech products, the IRDAI and the SEBI have proposed similar regulatory sandboxes products in the InsurTech space, and market-linked financial products offered by entities regulated by them, respectively.The shift from “light touch” regulation to more “fully-fledged” regulation has increased the costs of operation for FinTech players, particularly in the payments space. The next significant regulatory development will be the adoption of the Personal Data Protection Bill. There are several industry bodies that have commenced the groundwork to sensitise FinTech players to the key aspects of compliance with this data legislation.

Restrictions

Pre-paid wallet issuersUnder the PPI Master Directions, in order to be eligible to obtain a certificate of authorisation from the RBI for issuing PPIs in India, entities must have a minimum positive net worth of INR 50 million; and by the end of the third financial year from the date of receiving final authorisation from the RBI, such entities must achieve a minimum positive net worth of INR 150 million.NBFCsCompanies undertaking the business of a non-banking financial institution as their principal business are required to obtain a certificate of registration as an NBFC from the RBI. The RBI has further clarified that a company having financial assets which amount to more than 50% of its total assets (netted off by intangible assets), and income from financial assets amounting to more than 50% of the gross income, is considered to be engaged in the principal business of a non-banking financial institution (“Asset Income Test”). The Asset Income Test also requires a licensed NBFC to ensure that its principal business activities continue to be linked to provision of financial services. Most digital lending platforms in India operate as licensed NBFCs.Payment aggregatorsIn terms of the Payment Intermediary guidelines, new entities seeking authorisation as payment aggregators must have a minimum net-worth of INR 150 million at the time of



application for authorisation and must attain a net-worth of INR 250 million by the end of the third financial year of the grant of authorisation, which is required to be maintained at all times thereafter.Volume-based transaction cap on UPI transactionsIn order to mitigate the systemic risk linked to the concentration of retail payments in the hands of a few players, the NPCI had, on November 5, 2020, issued a circular requiring payment service provider banks and third-party app providers (“TPAPs”) operating in the UPI eco-system to ensure that the total volume of UPI transaction processed by TPAPs does not exceed 30% of the total transaction volume in the UPI network during the preceding three months on a rolling basis.


Developments in the FinTech space in India have also resulted in the emergence of several cross-border payment products in India. Under Indian law, foreign currency transactions are governed by the Foreign Exchange Management Act, 1999 and the rules and regulations made thereunder (“FEMA”). The directions issued by the RBI under the FEMA permit Authorised Dealer Category II Entities, i.e., money changers, to issue foreign currency pre-paid cards in India to Indian residents in accordance with the FEMA. Additionally, the PPI Master Directions permit eligible entities to issue PPIs for cross-border transactions. Authorised Dealer Category I Banks are permitted to issue semi-closed and open-system PPIs for use in permissible current account transactions (including purchase of goods and services), provided that such PPIs are fully KYC-compliant, the transactions are in accordance with the FEMA, and are subject to a transaction limit of INR 10,000 per transaction and INR 50,000 per month. Further, under the PPI Master Directions, permitted bank and non-bank PPI issuers (appointed as agents of an authorised overseas principal) may receive inward remittances under the money transfer service scheme, provided that such PPIs are fully KYC-compliant, reloadable, are issued in electronic form and the amounts of inward remittance do not exceed INR 50,000 per transaction.

Shilpa Mankar AhluwaliaTel: +91 98 7100 4853 / Email: [email protected] Mankar Ahluwalia leads the FinTech practice at Shardul Amarchand Mangaldas & Co (“the Firm”) and has worked in the banking & finance and financial services M&A practice groups. She was recognised by Chambers and Partners in 2019 as one of the leading lawyers in FinTech in India and as a Rank 1 FinTech lawyer in 2020. She has advised several leading FinTech platforms in connection with their products and solutions in India. She has led several policy initiatives in collaboration with the Digital Lenders Association of India (the leading industry body for digital lenders in India). Shilpa has also advised various companies, banks and financial institutions in connection with their financing activities (issue of bonds and non-convertible debentures, plain vanilla and structured financings, loan syndication and guarantee structures) as well as specialised financial products (including the first mortgage guarantee deal in India). Her clients include the International Finance Corporation, American Express, Nokia Corporation, Farallon Capital, Bank of America and Merrill Lynch. She was also on the Government drafting committee for the Factoring Act. She holds an LL.M. from the Columbia University School of Law, New York, and a BA LL.B. (Hons.) from the National Law School of India University, Bangalore. Prior to joining the Firm, Ms. Ahluwalia worked with Davis Polk & Wardwell, New York.

Himanshu MalhotraTel: +91 92 0598 4244 / Email: [email protected] Himanshu Malhotra is a member of the FinTech practice group at the Firm and has worked in the banking & finance practice group. He has advised several digital payment platforms, payment wallets and other FinTech players operating in the country in designing and structuring their financial products. He holds a BA LL.B. (Hons.) from NALSAR University of Law, Hyderabad.

Shardul Amarchand Mangaldas & CoAmarchand Towers, 216 Okhla Industrial Estate, Phase III, New Delhi – 110 020, India

Tel: +91 11 4159 0700 / +91 11 4060 / URL: www.amsshardul.com



Vrinda PareekTel: +91 97 1796 7771 / Email: [email protected] Vrinda Pareek is a member of the FinTech practice group at the Firm and has worked in the general corporate and banking & finance practice groups. She has advised several digital payments solutions platforms, payment wallets and other FinTech players in designing and structuring their financial products and obtaining licences from regulators for undertaking operations in India. She holds a BA LL.B. (Hons.) from Rajiv Gandhi National University of Law, Punjab.

IrelandJoe Beashel & Ian O’Mara

Matheson



Ireland is a leading European domicile for established and start-up Fintech businesses. This is unsurprising given Ireland’s traditional strengths in the internationally traded technology and financial services industries. According to the KPMG Pulse of Fintech H2 2020 report (the “KPMG Report”), the Irish Fintech industry secured USD 237.4 million in merger and acquisition, venture capital and private equity transactions in 2020. This represents a considerable jump from 2019 (USD 104.8 million) and 2018 (USD 97.9 million). 2020 saw a rise in the number of banks acquiring or partnering with Fintech firms and it is expected that this trend will accelerate in the next few years with banks eager to digitise their regulatory operations. This trend corresponds with the growing global interest in Regulatory Technology (“RegTech”) solutions, which has seen a growth in funding of USD 10.6 billion during 2020, up from the previous high of USD 6.5 billion seen in 2018.The Irish Government is strongly supportive of Fintech, recognising the significant benefits it can bring to consumers, economic growth, productivity and the competitiveness of the Irish economy. The Irish Government, in its commitment to building on the successes already achieved, has designed a strategy – “Ireland For Finance 2025” (“IFS 2025”) – to ensure that Ireland continues to be regarded as one of the world’s leading global financial centres. IFS 2025 is the Government’s strategy for the development of international financial services (“IFS”) in Ireland for the next five years. The IFS sector in Ireland is currently home to 14 of the top 15 global aircraft lessors and 20 of the world’s top 25 financial services companies. In addition, 17 of the top 20 global banks and 11 of the world’s top 15 insurance companies have a presence in Ireland. IFS 2025 is based on four pillars – the operating environment pillar, the technology and innovation pillar, the talent pillar and the communications and promotion pillar. The employment target for the Strategy is to reach 50,000 people in direct employment in the sector by 2025. In August 2019, a Fintech Foresight Group, chaired by Banking and Payments Federation Ireland (“BPFI”) was convened as a special cross-sector working group tasked with driving the development of Fintech in Ireland, scoping the annual action plans prepared, and informing policy under the IFS 2025. A specialised Fintech industry association, the Fintech and Payments Association of Ireland, has also been established. Key elements of the Irish Fintech ecosystem are: • State agencies: the Industrial Development Authority (“IDA”), Enterprise Ireland, and

Ireland Strategic Investment Fund (“ISIF”).• Successful international Fintech enterprises who have established presences in Ireland:

Revolut; Paysafe; Coinbase; Facebook Payments; among others.

Matheson Ireland


• Successful indigenous Fintech enterprises: Fenergo; CurrencyFair; Swrve; Transfer Mate; among others.

• Industry organisations: the Fintech and Payments Association of Ireland, the Banking and Payments Federation of Ireland, Fintech Ireland and Financial Services Ireland.

• Incubators and accelerators: start-lab/accelerators supported by organisations such as Bank of Ireland, Citi and Mastercard.

• Sophisticated professional advisors: lawyers; accountants; and technology consultancies.The COVID-19 pandemic underlined the importance of the technological transformation in financial services as consumers became increasingly dependent on Fintech solutions. This is supported by the Central Bank of Ireland’s (the “Central Bank”) credit and banking statistics, which showed a 35 per cent increase in online spending and a 45 per cent reduction in cash withdrawals from ATMs in November 2020, compared with November 2019. In September 2020, the European Commission adopted the Digital Finance Package (“DFP”), which included digital finance and retail payments strategies. Under the DFP, the Department of Finance has established a new Fintech Working Group (the “Working Group”) in order to gain a shared understanding of market developments in Fintech, technology and innovation. The Working Group will interact with external stakeholders from time to time in order to foster collaboration between policy-makers, Fintech business and technological innovators. Ireland’s stable 12.5 per cent rate of corporation tax on trading profits is an important element of its competitive offering to international business. Ireland also has tax legislation designed to make it attractive for holding companies and as regional headquarters, as well as other key tax benefits such as R&D credits. In addition to the potential for state funding/investment via the IDA, Enterprise Ireland and ISIF, the private funding sector is vibrant, though Ireland has seen relatively low levels of crowdfunding or ICO activity. Ireland’s talent pool is a key attraction for Fintech operations. Dublin is a dynamic and open city that provides a welcoming home to globally mobile professionals. Hosting major European operations for top-tier technology companies such as Google, Facebook and Microsoft, Ireland has a rich and deep tech worker base. It retains close ties to and attracts high levels of FDI from both the UK and the US, the world’s two leading Fintech start-up environments. With the fallout from Brexit still ongoing, Ireland continues to be well positioned to attract Fintech investment and financial service providers with many having already chosen Ireland as the base for their European operations.

Fintech offering in Ireland

Accelerator programmes are expanding their activities in Ireland, with Dublin being added as one of two accelerator locations by the NadiFin Fintech accelerator programme, and NDRC expanding its activities outside Dublin to Waterford and Galway. Dublin remains the hub for Fintech activities in Ireland, but other centres are seeing growth. Regional growth is a key element of national policy, and this is reflected in IFS 2025. Regionalisation is to be applied horizontally across all four pillars of the strategy.Ireland has won an outsized share of investment in corporate innovation labs, including Citi, Mastercard, Aon, Fidelity and First Data. In AI and RegTech, Enterprise Ireland and IDA have supported CeADAR, IC4 and GR3C, Ireland’s research centres for AI, cloud computing and commerce and governance risk/compliance.Many of the world’s leading payments and e-money firms that previously provided services across the EU on foot of a UK payments or e-money licence have sought to obtain Central Bank authorisations in Ireland so as to ensure continuity of operations. With Brexit finally

Matheson Ireland


occurring this year, there were 37 such firms formally authorised and operating in Ireland at the start of 2021. Even compared to five years ago, this is a sizeable increase in the number of Irish regulated Fintechs and it is notable that most of these are not focused exclusively on servicing the domestic market but have passported their authorisations across the other 31 Member States that make up the European Economic Area (“EEAˮ).Domestically, the digitialisation of financial services has developed dramatically in Ireland in recent times. One major trend in the payments industry in Ireland over the past year has been the huge jump in contactless payments by the Irish population. In the early days of the COVID-19 pandemic, the Irish Government increased the limits on the amounts that users could spend through contactless payments to the maximum of EUR 50 permitted by PSDII and this has prompted the rapid growth of these kinds of payments in recent times. Strong customer authentication has also been successfully rolled out for many of the large Irish retail banks and other payment service providers operating in the Irish market.At the same time, several of the main retail banks in Ireland have announced the permanent closure of dozens of bank branches and two retail banks have formally signalled that they intend to exit the Irish market altogether in the coming years. With just three major retail banks likely to be operating in the Irish market in the next few years, it is quite likely that Irish consumers are increasingly going to use a wider range of firms for niche financial services in future. Overall, Irish people have become very adept at using electronic payments during the pandemic and it is actually increasingly difficult to see consumers in Ireland and Europe reverting to cash as much as they did in the past. Overall, this makes Ireland an increasingly attractive place for a Fintech to launch, as the market here is maturing into one that is increasingly comfortable and reliant on financial services delivered through digital channels.


Like other advanced economies, Irish insurers are actively monitoring the “internet of things” and the development of AI and the resulting potential for more sophisticated underwriting approaches. As in other EU jurisdictions, GDPR compliance is the key legal concern here. The Central Bank updated its Consumer Protection Code, enhancing consumer protection measures, but has not addressed concerns that could arise from widespread adoption of InsurTech by insurers and intermediaries. The market potential for increased adoption of InsurTech is clear but the regulatory regime has yet to catch up. As regards RegTech, a survey published by a RegTech Analyst in March 2020 showed eight Irish firms in the top 100 globally, ranking Ireland above Hong Kong as a RegTech hub. Irish RegTech firms that have achieved international success include AQMetrics and Gecko Governance. The Irish financial services industry is well aware of the potential to better deploy technology to achieve more efficient and cheaper compliance solutions, but as of yet the Central Bank has not taken explicit measures within the regulatory framework to incentivise the deployment of RegTech by Irish regulated firms.

Regulatory bodies

There is only one financial services regulator in Ireland, the Central Bank, which is responsible for authorising and supervising providers of regulated financial services. The Central Bank is responsible for both prudential supervision and consumer protection of regulated entities which it has authorised. Where a regulated firm has been authorised by a supervisory authority in another jurisdiction, the home state regulator will be responsible for prudential supervision, but the Central Bank will be responsible for conduct of business

Matheson Ireland


supervision. The Single Supervisory Mechanism at the European Central Bank also directly supervises significant credit institutions and has exclusive competence for the authorisation of credit institutions (other than branches of third-country credit institutions).


Whether or not a Fintech business needs to hold a financial services authorisation will depend on the nature of the activities that the firm engages in. The majority of relevant regulated activities stem from EU directives, and each of the regimes below provide for a passporting regime which permits a provider authorised in one Member State to provide its services in other Member States, subject to notification requirements to the home and host state competent authorities. Directive (EU) 2015/2366 (“PSD II”) was transposed into Irish law by the European Union (Payment Services) Regulations 2018 and regulates the provision of payment services. Fintech businesses engaged in regulated payment services (such as money remittance or operating payment accounts) are required to be authorised under PSD II. PSD II also introduced two new “open banking” types of payment service: account information services; and payment initiation services. Directive 2009/110/EC (“EMD”) was transposed into Irish law by the European Communities (Electronic Money) Regulations 2011, which regulates the issue and redemption of “electronic money”. Directive 2014/65/EU (“MiFID II”) was transposed into Irish law by the European Union (Markets in Financial Instruments) Regulations 2017 (the “Irish MiFID II Regulations”) and aims to create a single market for investment services and activities and to ensure a high degree of harmonised protection for investors in “financial instruments” in the EU. In the case of digital assets (whether in the form of tokens, coins or otherwise), where the coin, token or other asset qualifies as a “transferable security” or other “financial instrument”, the process by which the digital asset is created, distributed or traded is likely to involve some MiFID II investment services such as placing, dealing in or advising on “financial instruments”, requiring authorisation from the Central Bank (or the supervisory authority of another Member State of the EU). The operation of a trading platform for “transferable securities” and other “financial instruments” is a regulated investment service that requires authorisation under the Irish MiFID II Regulations. Accordingly, if the digital assets to be traded comprise “transferable securities” or other “financial instruments”, a MiFID II authorisation will be required. If the digital assets to be traded are not “transferable securities” or other “financial instruments”, as is likely the case with pure utility tokens and payment tokens based on current law and practice, no MiFID II authorisation will be required. Prospectus regulation, deriving from EU law, may also be relevant where the digital asset constitutes a financial instrument and is either offered to the public in a Member State or is listed on a regulated market.The EU’s Fifth AML Directive has also been transposed into Irish law and a new registration obligation for all firms acting as virtual asset service providers in Ireland commenced in April 2021. Notably, because the legal framework is based on the EU’s AML directives (and not the PSD II), firms registered under this framework will not be able to passport their licences across the EEA.However, there are plans ahead at EU level for a Markets in Crypto-Asset Regulation (or “MiCA”, similar to MiFID II) and this legislative proposal will develop a more

Matheson Ireland


suitable regulatory framework for virtual asset service providers across Europe, including passporting rights for those firms. We expect many of the Irish firms already providing virtual asset services will undergo this new domestic Irish authorisation process so that their operating models and compliance frameworks are robust enough to be able to then obtain authorisation as a virtual asset service provider whenever the MiCA legislation is finalised.In addition to sector-specific requirements, Fintech businesses may need to comply with consumer protection legislation (depending on the nature of the customers), Central Bank conduct rules, anti-money laundering requirements and data protection legislation.In light of the lack of a common EU legislative framework in respect of crowdfunding, Regulation (EU) 2020/1503 (the “Crowdfunding Regulation”) and Directive (EU) 2020/1504 (the “MiFID II Amending Directive”) were published. The Crowdfunding Regulations will become directly effective from 10 November 2021 and Member States are required to implement the MiFID II Amending Directive into national law by 10 May 2021 and to apply those measures from 10 November 2021. European Crowdfunding Service Providers (“ECSPs”) are excluded from MiFID II by the MiFID II Amending Directive and ECSPs will instead be covered by the Crowdfunding Regulation. The Crowdfunding Regulation will apply to peer-to-peer crowdfunding platforms facilitating “business fundingˮ (lending to consumers is excluded) and investment-based crowdfunding platforms in relation to transferable securities up to a threshold of USD 5,000,000, whereas MiFID II will continue to apply to larger crowdfunding platforms. Prospective ECSPs must apply for authorisation under the Crowdfunding Regulation and may avail of the ability to passport its licence into each of the EEA Member States once approved. The Crowdfunding Regulation also places tailored operational and conduct of business requirements on ECSPs in their interactions with investors.

Restrictions

The main restriction on Fintech businesses seeking to operate in Ireland would be the requirement for authorisation if the proposed activities fall within the scope of one or more of the regulatory regimes listed above. The Central Bank has had Innovation Hub since 2018 for Fintechs operating in Ireland. This is a direct and dedicated point of contact for firms developing or implementing innovations in financial services based on new technologies. This intends to accommodate greater interaction by the Central Bank with the growing number of Fintech businesses looking to set up operations in Dublin, or expand their existing operations both in the regulated and unregulated space. A number of initiatives have been undertaken by different financial institutions applying distributed ledger technology, AI and robotics, and the Central Bank is keen to engage with innovators who are operating as regulated and unregulated entities in the financial services space. According to the Innovation Hub: 2020 Update, since its launch, the Innovation Hub has facilitated a total of 253 engagements, including 183 enquiries from firms innovating in financial services.


Ireland continues to develop as a Fintech hub and invest in attracting Fintech businesses to establish operations here. We have seen a number of cross-border firms enter the Irish

Matheson Ireland


market, particularly in the payments and e-money space. The trend is also driven by the fact that Ireland now has achieved a critical mass of Fintech firms operating in the country, it remains proximate to the UK and US markets, is an English-speaking EU Member State, and because the Central Bank of Ireland is considered a best-in-class regulator for firms that want to export their financial services across multiple European jurisdictions.

Joe BeashelTel: +353 1 232 2101 / Email: [email protected] Joe is a partner in the Financial Institutions Group and is head of the regulatory risk management and compliance team at Matheson. He is a solicitor with over 20 years’ experience, most of which were gained in the financial services sector. Before joining Matheson in 2004, he was the managing director of the Irish fund administration unit of a leading international investment manager. Joe assists clients with the authorisation of new entities by the Central Bank of Ireland including banks, e-money institutions, payment institutions, investment firms, fund services providers, retail credit firms and others. He also assists in expanding the regulatory authorisations of existing entities.

Ian O’MaraTel: +353 1 232 2874 / Email: [email protected] Ian is a Senior Associate in Matheson’s Financial Institutions Group with extensive prior career experience in government and public policy at the highest levels in Ireland. He specialises in financial services regulatory law, specifically in e-money, payments, investment services, and anti-money laundering rules. Since February 2021, he has been based out of Matheson’s office in London but advises clients on their Irish law requirements.

Matheson70 Sir John Rogerson’s Quay, Dublin 2, Ireland

Tel: +353 1 232 2000 / URL: www.matheson.com


Matheson Ireland

JapanKen Kawai, Shunsuke Aoki & Keisuke Hatano

Anderson Mōri & Tomotsune



There has been a series of significant Fintech-related changes to the regulations in Japan. We note that most of those changes are driven by the regulators’ intention to stimulate Fintech business and innovation in legacy financial institutions in Japan. Additionally, regulators have had to deal with various consumer protection issues that have arisen in Japanese Fintech industries, which resulted in their decision to strengthen the regulations governing emerging Fintech businesses in order to address new risks for consumers arising from the new services. We set forth below typical cases of this regulatory trend in Japan.Crypto assets and digital securitiesJapan introduced a regulatory framework for crypto assets in April 2017. Crypto asset exchange businesses became regulated under the Payment Services Act (the “PSA”). In 2019, the regulatory framework for crypto assets was significantly amended to (i) enhance customer protection by introducing stricter regulations applicable to crypto assets, and (ii) include specific regulations on crypto asset derivatives and digital securities. The new regulatory framework entered into force on May 1, 2020. A notable development was the increasing number of major financial institutions entering into the blockchain-based digital securities sector. Their main focus is on digital corporate notes and tokenised equity interests of real estate funds. Please refer to “Key regulations and regulatory approaches” below for details.Although not driven by the regulatory changes, from late 2020, non-fungible token (“NFT”)-related businesses became popular, especially in online gaming. In addition, a couple of platforms for issuing and trading tokenised digital art have recently emerged. One-stop financial services intermediaryThe rapid development of information and communication technologies in recent years has enabled entrepreneurs to create and offer innovative services to the financial industry. In particular, there has been a growing need for one-stop online platforms enabling access to financial services of various kinds. There has also been a rise in demand for convenient cashless payment services. Against this backdrop, the Financial Services Agency of Japan (the “FSA”) submitted a bill to the Diet in March 2020, which was passed by the Diet in June 2020. The bill is designed, amongst others, to introduce a new category of business termed “financial services intermediary business”. We understand that the introduction of a licence for a one-stop online platform for various kinds of financial services is a unique approach, even from a global perspective. The new regulatory framework is expected to enter into force in the second half of 2021. Please refer to “Key regulations and regulatory approaches” below for details.

Anderson Mōri & Tomotsune Japan


The COVID-19 pandemic’s impact on FintechWith more people avoiding physical cash amid the COVID-19 pandemic, mobile payment services have become more popular than ever before in Japan. According to a survey conducted by Dentsu Inc., the largest advertising agency in Japan, nearly half of the consumers increased use of cashless payments after the declaration of the COVID-19 state of emergency in March 2020.

Fintech offering in Japan

In Japan, crypto asset-based businesses, cashless payment or mobile payment services, financial account aggregation services, robo-advisors, and crowdfunding are relatively active Fintech offerings. Meanwhile, other innovations such as peer-to-peer lending and Insurtech have yet to penetrate the Japanese market. It is notable that an increasing number of companies have entered into or expanded their businesses in the mobile payment market in the past several years, and they are currently facing great competition. From a legal perspective, these mobile payment services (including QR code payment services) fall within three models: prepaid; direct debit payment; and deferred payment. The prepaid model requires a user to transfer funds from a bank account prior to a payment. The deferred payment model requires a user to link an existing credit card to the QR code application. Both models are relatively common in Japan, and the direct debit payment model is less popular but has been expanding recently. As different regulations apply to each model, entities seeking to undertake business related to QR code payments in Japan are recommended to consult a regulatory specialist for compliance purposes.From 2020, digital securities business has been steadily gaining ground. Because the new regulatory framework has clarified the regulations on digital securities (see “Key regulations and regulatory approaches”), quite a number of financial institutions are entering into this new market. In March 2020, Nomura Holdings revealed that it had issued digital securities using blockchain technology. In January 2021, SBI Holdings and Sumitomo Mitsui Financial Group revealed a plan to establish a joint venture provisionally named the “Osaka Digital Exchange”, which will handle, in addition to traditional stocks, digital securities. In April 2021, SBI Securities conducted a public offering of its own digital corporate note for the first time in Japan.It is also worth noting that the facilitation of Open APIs has resulted in embedded finance services becoming a new trend in Japan. In 2020, Japan Airlines and Culture Convenience Club, which is a major movie rental and bookshop chain, commenced the provision of banking services to its customers. From a legal perspective, they are bank agents of SBI Sumishin Net Bank registered under the Banking Act, but the user interface for their banking services are completely customised for each of them. Yamada Denki, which is one of the major electronic appliance chains in Japan, has also revealed its plan to provide banking services by using the embedded finance model.Moreover, “digital currency” has been a key focus over the past 12 months in the Fintech market in Japan. From June to November 2020, DeCurret, a Japanese crypto asset exchange service provider, hosted a study group with the goal of building a digital settlement infrastructure using fiat currency pegged to digital currencies. The study group included participants from three megabanks (Mizuho Bank, MUFG Bank and Sumitomo Mitsui Banking Corporation), as well as various major Japanese companies including telecom companies (NTT Group and KDDI). The FSA, the Ministry of Finance, the Ministry



of Internal Affairs and Communications, the Ministry of Economy, Trade and Industry (“METI”) and the Bank of Japan (“BOJ”) also participated in the study group as observers. In November 2020, the study group published its final report declaring that any digital currency issued by the private sector should ideally be a “two-layered digital currency” with a core function of a blockchain-based digital currency as its base layer and an additional layer implementing business logic and smart contracts. Meanwhile, in October 2020, the BOJ published a paper entitled “The Bank of Japan's Approach to Central Bank Digital Currency” and revealed that it aims to start Phase 1 of the Proof of Concept (“PoC”) programme in early 2021. The BOJ commenced this programme in April 2021.


Regtech (Regulatory Technology) has not yet come to Japan; however, the FSA officially announced in its Assessments and Strategic Priorities 2018 that it would enhance Regtech and Suptech (Supervisory Technology) in Japan. One of the recent legislative changes in this area is that, in 2018, the subordinate regulations of the Act on the Prevention of Transfer of Criminal Proceeds were amended in order to finally make several methods of e-Know-Your-Customers (e-KYCs) available in Japan. Insurtech (Insurance Technology) appears to still be behind other areas of Fintech, such as mobile payment and crypto assets businesses in Japan. While quite a few Japanese insurance companies appear to be interested in Insurtech and, therefore, either attempted to develop their own Insurtech tools or invest in overseas Insurtech enterprises, we have not seen many Insurtech startups in Japan as of yet.

Regulatory bodies

There are several relevant regulatory bodies for Fintech businesses in Japan.A firm (including an overseas firm) that wishes to undertake regulated activities in Japan is required to obtain the applicable licence from Japanese financial regulators, the FSA or one of the Local Financial Bureaus that the FSA has delegated a part of its authority to, except for services related to deferred payments, which require authorisation from the METI. Fintech-related laws such as the Banking Act, the PSA and the Installment Sales Act incorporate regulations addressing both prudential supervision and consumer protection. As a result, a regulator which governs each act will be a single regulator from the perspective of both prudential supervision and consumer protection.


Crypto asset-related servicesCrypto asset exchange servicesRegulations on crypto assets came into force on April 1, 2017. The PSA was amended to introduce registration requirements for “crypto asset exchange service providers”. In June 2019, the PSA was further amended to enhance customer protection by introducing stricter regulations applicable to crypto assets. The amended PSA came into force on May 1, 2020. For purposes of the PSA, “crypto asset” is defined as:i. proprietary value that may be used to pay an unspecified person the price of any goods

purchased or borrowed or any services provided, where such proprietary value may be



(a) sold to or purchased from an unspecified person, provided such sale and purchase is recorded on electronic or other devices through electronic means, and (b) transferred through an electronic data processing system; or

ii. proprietary value that may be exchanged reciprocally for such proprietary value specified in the preceding item with an unspecified person, where such proprietary value may be transferred through an electronic data processing system.

Most of the so-called payment tokens and utility tokens would fall within the definition of a crypto asset.Crypto asset exchange services (“CAES”) have been defined to include any of the following acts carried out as a business:i. the sale/purchase of crypto assets or exchanges for other crypto assets;ii. intermediary, agency or delegation services for the acts listed in i. above; iii. the management of users’ money in connection with the acts listed in i. and ii.; oriv. the management of crypto assets for the benefit of another person.As a consequence of this definition, not only typical crypto asset exchanges, but also so-called OTC (Over-the-Counter) brokers, are regulated as CAES providers under the PSA. Moreover, most Initial Coin Offerings (ICOs) or token sales fall within the definition of CAES. As a result, a token issuer must, as a general rule, be registered as a CAES provider if the token sale (i.e., the ICO) is targeted at residents in Japan. Notwithstanding the foregoing, a token issuer does not need to undergo registration as a CAES provider if the issuer has completely outsourced its token issuance to a reliable ICO platform provider that is registered as a CAES provider. It should be noted that, as a result of the 2019 amendment to the PSA, managing customers’ crypto assets and transferring such crypto assets to addresses designated by customers constitutes a CAES because “managing crypto assets for the benefit of another person” has been included in the definition. Accordingly, a custodial wallet service provider must undergo registration as a CAES provider if its wallet service is provided to residents in Japan.A CAES provider is required to manage its customers’ money separately from its own money, and to entrust its customers’ money to a trust company or any other similar entity. A CAES provider shall manage the crypto assets of customers (“Entrusted CA(s)”) separately from its own crypto assets. In addition, a CAES provider is required to manage 95% or more of the value of total Entrusted CAs with full-offline wallets or by other technical measures that have an equivalent level of safety as full-offline wallets.Crypto asset derivativesAs stated in “Approaches and developments” above, the amended FIEA which entered into force on May 1, 2020 includes specific regulations on crypto asset derivatives. As a consequence of the inclusion of “crypto assets” and standardised instruments of crypto assets created by financial instruments exchanges within the definition of financial instruments, and the inclusion of crypto asset prices, interest rates, etc. within the definition of financial indicators, respectively, crypto asset derivative transactions are now subject to the provisions of the FIEA, regardless of the type of derivative transactions involved. For instance, the provision of OTC crypto asset derivative transactions or acting as an intermediary or broker in relation thereto constitutes Type 1 Financial Instruments Business under the amended FIEA. Accordingly, a company engaging in these transactions needs to undergo registration as a Type 1 Financial Instruments Business Operator (“Type 1 FIBO”). In addition to various rules of conduct applicable to those Type 1 FIBOs providing crypto asset derivative



services under the FIEA, it is noteworthy that the amended FIEA introduced strict leverage ratio regulations. If a Type 1 FIBO engages in crypto asset derivative transactions, the amount of margins to be deposited by a customer must (i) if the customer is an individual, not fall below 50% of the amount of crypto asset derivative transactions (i.e., the leverage ratio is limited to two times), or (ii) if the customer is a corporation, not fall below the amount of crypto asset derivative transactions, multiplied by 50% or the crypto asset risk assumption ratio based on the historical crypto asset volatilities as specified in the public notice issued by the FSA entitled “Establishing the Calculation Method for Crypto Asset Risk Assumption Ratio in Crypto Asset Margin Trading”. Digital securitiesThe FIEA has conventionally classified securities into: i. traditional securities such as shares and bonds (“Paragraph 1 Securities”); and ii. contractual rights such as trust beneficiary interests and collective investment scheme interests (“Paragraph 2 Securities”). While Paragraph 1 Securities are subject to relatively stricter requirements in terms of disclosures and licensing/registration as they are highly liquid, Paragraph 2 Securities are subject to relatively looser requirements as they are less liquid. However, if securities are issued using an electronic data processing system such as blockchain, it is expected that such securities may have higher liquidity than securities issued using conventional methods, regardless of whether they are Paragraph 1 or Paragraph 2 Securities. For this reason, the amended FIEA introduces a new regulatory framework for securities which are transferable by using electronic data processing systems. Under the amended FIEA, securities which are transferable by electronic data processing systems are classified into the following three categories:i. Paragraph 1 Securities such as shares and bonds which are transferable by using

electronic data processing systems (Tokenised Paragraph 1 Securities).ii. Contractual rights such as trust beneficiary interests and collective investment scheme

interests, conventionally categorised as Paragraph 2 Securities, which are transferable by using electronic data processing systems (electronically recorded transferable rights (“ERTRs”)).

iii. Contractual rights such as trust beneficiary interests and interests in collective investment schemes, conventionally categorised as Paragraph 2 Securities, which are transferable by using electronic data processing systems but have their negotiability restricted to a certain extent (Non-ERTR Tokenised Paragraph 2 Securities).

An issuer of Tokenised Paragraph 1 Securities or ERTRs is in principle required, prior to making a public offering or secondary distribution, to file a securities registration statement as is the case for traditional Paragraph 1 Securities, unless the offering or distribution falls under any category of private placements. Any person who engages in the business of the sale, purchase or handling of the offering of Tokenised Paragraph 1 Securities or ERTRs is required to undergo registration as a Type I FIBO. In light of the higher degree of freedom in designing Tokenised Paragraph 1 Securities or ERTRs and the higher liquidity of these securities, a Type 1 FIBO that handles these digital securities is required to control risks associated with digital networks such as blockchain used for digital securities. Electronic payment intermediary servicesOn June 1, 2018, the amendment to the Banking Act came into force to regulate electronic payment intermediary service providers in order to facilitate open APIs. Electronic payment intermediary service providers are defined broadly enough to include intermediaries between financial institutions and customers, such as entities using IT to communicate



payment instructions to banks based on entrustment from customers, or entities using IT to provide customers with information about their financial accounts held by banks. Entities providing financial account aggregation services are also categorised as electronic payment intermediary service providers. They are required to register with the FSA in order to provide these services.Below are the key regulations applicable to registered electronic payment intermediary service providers:i. An electronic payment intermediary service provider that intends to conduct services

that constitute electronic payment intermediary services must, in principle, disclose certain matters in advance. Such matters include the trade name or address, authority, indemnity, and the contact details of the office dealing with complaints.

ii. With regard to electronic payment intermediary services, electronic payment intermediary service providers must (a) provide information to prevent misunderstandings, (b) ensure proper handling of user information, (c) maintain safety management measures, and (d) take measures to manage outsourcing contractors.

iii. Electronic payment intermediary service providers must conclude a contract regarding electronic payment intermediary services with a bank prior to performing acts that constitute electronic payment intermediary services.

iv. The contract must specify (a) the allocation of indemnity liability in cases where users suffer damage, (b) measures for proper handling of user information, and (c) measures for safety management. Both the bank and the electronic payment intermediary service providers must publish (a) to (c) above without delay when concluding the contract.

Financial services intermediary businessIn June 2020, the Act on Sales, etc. of Financial Instruments (ASFI) was amended in order to establish an industry suitable for financial services intermediaries that are seeking to provide a convenient one-stop service through which users can receive various financial services. This amendment is expected to enter into force in the second half of 2021.Under the current regulatory framework in Japan, financial intermediary services are divided by “functions”, such as bank agents and electronic payment service providers under the Banking Act, financial instruments intermediary service providers under the Financial Instruments and Exchange Act (FIEA), and insurance agents and insurance brokers under the Insurance Business Act. Therefore, a business operator handling products and services across multiple “functions” would be required to apply for multiple licences. In addition to that, if a business intends to act as the agent or the intermediary for multiple financial institutions (i.e. the principals) in handling the products and services provided by such financial institutions, it would have to bear the significant burden of responding to the instructions given by each relevant principal financial institution.Under the amended ASFI, by obtaining a new registration as a “financial services intermediary business operator” (“FSIBO”), a business operator will be permitted to act as an intermediary for cross-sectional financial services without being subject to the supervision of any principal financial institutions. Since an FSIBO is not subject to the supervision of principal financial institutions, the scope of its business will be restricted in a manner as described below:i. it may not offer financial services as an “agent” of any financial service provider; and ii. it may not handle financial instruments which are expected to be specified by the

relevant cabinet order as requiring highly specialised explanations to customers, such as derivative transactions or structured deposits.



In addition to the above, an FSIBO will be required to pay a security deposit to meet the needs of its own intermediary business and will be prohibited from holding customers’ funds regardless of whether or not it is only holding such funds temporarily. Other servicesApart from the regulations applicable to crypto asset-related services, services related to digital securities, electronic payment intermediary services and financial services intermediary business, there is no regulatory framework specifically designed to regulate Fintech businesses in Japan. However, if the services provided by the Fintech companies are subject to existing financial regulations, they are also required to comply with these existing regulations, which include obtaining any applicable licence or registration. A firm (including an overseas firm) that wishes to undertake regulated activities in Japan is required to obtain the applicable authorisation from Japanese financial regulators, the FSA or one of the Local Financial Bureaus to which the FSA has delegated a part of its authority or the METI. Please note that if an entity conducts solicitation activities in Japan for using its services, even if this is carried out from abroad, such an act may be considered to be an undertaking of regulated activities in Japan.Money transfer services are regulated under the Banking Act and other acts applicable to other depository institutions, which require firms that wish to enter into this business to obtain the relevant licence from the FSA; however, services involving money transfers of not more than JPY 1 million per transaction could be provided without the aforesaid licence if the firm obtains registration as a “funds transfer service provider” under the PSA. In this regard, the PSA was amended in June 2020 and came into effect on May 1, 2021 in order to facilitate the increased use of cashless payments. The amended PSA classifies fund transfer services (“FTS”) into the following three categories: 1. FTS involving remittances exceeding JPY 1 million per transaction (“Category 1 FTS”); 2. FTS that correspond to the FTS in the PSA prior to the amendment (the “Former PSA”), i.e. FTS involving remittances of amounts not exceeding JPY 1 million per transaction (“Category 2 FTS”); and 3. FTS involving remittances of amounts not exceeding JPY 50,000 per transaction (“Category 3 FTS”). Under the amended PSA, a Category 1 FTS provider must be authorised to operate by the FSA and comply with a stricter code of conduct than a Category 2 FTS provider. For instance, Category 1 FTS providers are not permitted to retain funds beyond the period necessary for processing administrative affairs relating to the transfer of funds. Namely, Category I FTS providers are prohibited from providing FTS in the form of wallet services, and funds deposited by users must be transferred immediately while funds received by users must be paid out immediately.The requirements applicable to a Category 2 FTS provider remain mostly the same as those applicable to an FTS provider under the Former PSA. A Category 3 FTS provider may operate if registered with the FSA and is subject to a more relaxed code of conduct than a Category 2 FTS provider. Regarding e-money, an issuer of e-money must comply with the applicable rules under the PSA. If e-money can be used only for payments to the issuer for its goods or services, the PSA does not require the issuer to obtain registration, provided that it complies with certain reporting obligations. On the other hand, if e-money can be used not only for payments to the issuer for its goods or services but also for payments to other entities designated by the issuer, the issuer is required to obtain registration as an “issuer of prepaid payment instruments” under the PSA.Please note that an online payment instrument can be considered either a “funds transfer” system, a “prepaid payment instrument”, a “crypto asset” or something else. As the scope



of each type of payment instrument is not easy to distinguish, it is recommended to consult specialists if an entity wishes to undertake business related to online payments in Japan. Influence of supra-national regulatory bodiesThe Financial Action Task Force has been influential in the development of Fintech-related regulations in Japan. For instance, the Guidance for a Risk-based Approach to Crypto Assets by the Financial Action Task Force (“FATF Guidance”) in June 2015 was the trigger for the introduction of regulations on crypto asset exchanges in Japan. The introduction of regulations on crypto asset custody services, which as described in “Key regulations and regulatory approaches” above, was pursuant to the recommendation of the FATF in October 2018. Additionally, the introduction of a risk-based approach to the AML guidelines of the FSA, published in February 2018, was also a reaction to the FATF recommendations.Financial regulators and policymakers in Japan are generally receptive to Fintech innovation and technology-driven new entrants in the regulated financial services markets, save that the FSA is taking a more conservative approach than before to crypto asset-based businesses following the hacking incident in January 2018, which involved one of the largest crypto asset exchanges in Japan losing approximately USD 530 million worth of cryptocurrencies. Sandbox and other initiativesIn June 2018, the Headquarters for Japan’s Economic Revitalization, under the Cabinet Secretariat, opened a cross-governmental one-stop desk for the regulatory sandbox (the “Regulatory Sandbox”) within the Japan Economic Revitalization Bureau. The Regulatory Sandbox can be used by Japanese and overseas companies, and it enables companies that apply and receive approval for projects not yet covered by present laws and regulations to carry out a demonstration under certain conditions without the need for amendment of existing laws or regulations. There is no limitation on the area of business regarding which companies can apply for the Regulatory Sandbox; however, AI, IoT, big data and blockchain projects are explicitly mentioned as the most prospective and suitable areas. Separately, in December 2015, the FSA established the “Fintech Support Desk”. It is a one-stop contact point for inquiries and exchange of information on Fintech. It accepts a wide-range of inquiries on various matters from those who currently operate Fintech businesses and others who intend to start Fintech startups.In addition, the FSA established a “Fintech Experiment Hub” in September 2017. The Hub gives support to Fintech companies and financial institutions when they conduct an unprecedented PoC. Please note that certain regulations are not suspended during the PoC, but the Hub aims to eliminate companies’ concerns of violating applicable regulations during the PoC by providing legal and other advice.In March 2017, the FSA announced the launch of the “Financial Market Entry Consultation Desk” to give advice on Japan’s financial regulations to foreign financial business operators that plan to establish a Fintech business based in Japan. In January 2021, the FSA reorganised the “Financial Market Entry Consultation Desk” into the “Financial Market Entry Office”, in order to enhance its English support service.

Restrictions

There are, at present, no prohibitions or restrictions that are specific to Fintech businesses in Japan. Certain types of Fintech business are regulated (see “Key regulations and regulatory approaches” above); however, these businesses can be carried out in compliance with applicable regulations.



As we noted above, a remarkable recent topic with respect to restrictions is the hacking of the crypto asset exchange, which triggered revisions of the regulations governing crypto assets and crypto asset exchanges.


It is worth noting that some Fintech players in Japan are collaborating with global payment businesses. For instance, Line Pay and PAYPAY, both emerging QR code payment service providers in Japan, are collaborating with Tencent and Alibaba, respectively, enabling merchants in Japan to receive payments by WeChat Pay and Alipay. Additionally, there are some international FTS providers licensed in Japan that provide overseas FTS using their own fund remittance infrastructure at a reasonable cost compared to traditional banks.In March 2017, the FSA and the UK’s Financial Conduct Authority jointly announced that they exchanged letters on a co-operation framework to support innovative Fintech companies in Japan and the UK to enter each other’s market by providing a regulatory referral system. The FSA has established similar frameworks with the Monetary Authority of Singapore (“MAS”), the Australian Securities & Investments Commission (“ASIC”), the Abu Dhabi Global Market Financial Services Regulatory Authority (“ADGM”), the Swiss Financial Market Supervisory Authority (“FINMA”), the Autorité des marchés financiers (“AMF”) and the Dubai Financial Services Agency (“DFSA”).The Tokyo Metropolitan Government (the “TMG”) released a paper titled “Global Financial City: Tokyo Vision – Toward the Tokyo Financial Big Bang” in 2017. While it outlines various measures to nurture domestic players and attract foreign players throughout the financial sector, the TMG gives particular importance to asset management and Fintech businesses and sets its aim to attract 40 foreign asset managers and Fintech companies by fiscal year 2020 (according to a press release by the TMG, this aim has almost been accomplished and the TMG is currently working on establishing a new strategy for the next few years).As a part of such measures, the TMG opened the “Business Development Center Tokyo”, which offers foreign entrepreneurs who are considering an expansion of their businesses in Tokyo a total support package covering all aspects from business through to lifestyle issues. For foreign companies planning expansion into the Special Zone for Asian Headquarters in particular, the Center provides both business exchange support and specialised consulting services. Furthermore, the “Tokyo One-Stop Business Establishment Center” facilitates the incorporation of its ancillary procedures, such as taxes, social security and immigration for foreign entrepreneurs considering establishing businesses in Tokyo.

Ken KawaiTel: +81 3 6775 1205 / Email: [email protected] Kawai has extensive experience advising financial institutions, Fintech startups, investors and corporate clients on complex finance and financial regulatory matters. Ken focuses primarily on the Fintech industry and regularly advises Fintech companies, financial institutions, international organisations and industry organisations on legal issues surrounding Fintech, including the complex legal framework governing cryptocurrencies and blockchain.Ken also specialises in derivatives and has counselled global banks, broker-dealers and investors on regulatory matters and best practices with respect to derivatives and related products. Ken’s deep and practical knowledge in this area is rooted in his 17-year career at MUFG Bank, Ltd. (formerly known as the Bank of Tokyo-Mitsubishi and, prior to that, the Bank of Tokyo Ltd.), where he was involved in derivatives trading and marketing.Ken received Band 1 evaluation in the Legal Department in Chambers FinTech 2021.

Shunsuke AokiTel: +81 3 6775 1173 / Email: [email protected] Aoki is a partner at Anderson Mōri & Tomotsune. Since joining the firm in 2008, Shunsuke has been primarily engaged in financial regulatory matters with a recent particular focus on Fintech matters, corporate finance transactions, including equity and debt offerings in both domestic and international capital markets, and project finance transactions. Shunsuke has external experience at one of Japan’s leading securities houses (2014–2016) where he was a member of the Capital Market Department in the Investment Banking Division, and at Sullivan & Cromwell LLP, New York (2013–2014) as a Visiting Lawyer. Shunsuke is admitted to practise in Japan and New York and earned a J.D. from University of Tokyo School of Law and an LL.M. from New York University School of Law.

Anderson Mōri & TomotsuneOtemachi Park Building, 1-1-1 Otemachi, Chiyoda-ku, Tokyo 100-8136, Japan

Tel: +81 3 6775 1000 / URL: www.amt-law.com



Keisuke HatanoTel: +81 3 6775 1250 / Email: [email protected] joining the firm in 2011, Keisuke Hatano has been involved in a number of significant finance transactions. He has extensive experience advising financial institutions and Fintech companies on regulatory matters.In addition to his professional experience at Anderson Mōri & Tomotsune, he worked for the Financial Services Agency, where he was mainly engaged in two separate processes of amending the Banking Act in 2016 and 2017 with the aim of creating a pro-Fintech environment for a second consecutive year.

KoreaWon H. Cho, Jeong Hwa Jang & Chi Eui Hong

D’LIGHT Law Group



The Financial Services Commission (“FSC”) announced five key policies for active administration in 2021, seeking to vitalise the post-COVID-19 Korean economy and finance. Amongst the five key policies are the acceleration of data and digital finance and the financial support of innovative companies to promote innovation. It is expected that these policies will generate continuous growth and development of the Korean FinTech industry, considering that there is a limit on how much a FinTech business can grow, regardless of the technological advances, if it is not supported by relevant financial regulations. Additionally, non-face-to-face transactions have become more common in Korea due to the COVID-19 pandemic, which has caused digital transformation throughout Korea, moving beyond digitalisation. The financial industry is of no exception. FinTech companies with new technologies and innovative ideas are providing innovative financial services despite the stringent financial regulations. Moreover, the amendment to various laws, such as the Credit Information Act, gave big-tech companies the opportunity to incorporate themselves into the financial industry. The current status and direction of the Korean FinTech industry and regulations are described below.

FinTech offering in Korea

Robo-advisorsIn August 2013, the Financial Investment Services and Capital Markets Act (the “FISCM Act”) allowed for the adoption of a Robo-advisor in discretionary investment businesses, which are businesses managing and operating, at their own discretion, an investor’s financial assets considering such investor’s purpose of investment or financial status. In April 2019, the FISCM Act extended the range of businesses covered by Robo-advisors to collective investments businesses, which manage assets pooled by inviting two or more persons. The Robo-advisor market is expected to grow rapidly in 2020, following the use of big data and the platform launched by the Financial Security Institute (“FSI”) where data such as financial, telecommunication and corporation data can be exchanged. Robo-advisors greatly increased the accessibility of general individual investors to investment advisory services which were only accessed by a few affluent people in the past.Internet banksInternet banks are among the most successful FinTech businesses in Korea. Since the FSC’s announcement in 2015 that internet banks which provide banking services through an electronic apparatus in a non-facing and automated manner will be permitted, K Bank and Kakao Bank launched their businesses in 2017. These banks had to meet all of the

D’LIGHT Law Group Korea


conditions and qualifications for conventional banks under the Banking Act, but the Special Act on Establishment and Operation of Internet-Only Banks (the “Internet-Only Bank Act”) was enacted in 2018 to lower the hurdles further. Toss Bank, an internet bank established by a top-tier FinTech company called Toss, has been authorised by the FSC to operate its banking business. It will begin operations as early as September after a preparation period, where actual transaction testings will be conducted. The launch of a third internet bank will accelerate competition and innovation in the financial industry. Moreover, the chairman of the FSC requested that Toss actively engages in inclusive financial activities, including supplying of loans to mid-to-low-credit borrowers, using FinTech technologies and data that have been accumulated through Toss’s platform.Internet banks were introduced to increase convenience for the financial consumer and promote competition and innovation in the financial industry through the convergence of Information and Communication Technology (“ICT”) and finance. According to the results of an evaluation in 2021, internet banks have contributed to the advancement of financial accessibility. However, they provided little contribution to the supply of credit to mid-to-low-credit borrowers. The proportion of credit loans to mid-to-low-credit borrowers is lower than that of commercial banks, and the plans to establish a Credit Scoring System (“CSS”) that distinguishes itself from the existing banks in an innovative manner has also been delayed. In response, the FSC and the Financial Supervisory Service (“FSS”) announced a plan to expand mid-to-low-credit loans from internet banks for innovative, inclusive financing in May 2021. They stated that they would 1) expand the number of credit loans to mid-to-low-credit borrowers, 2) promote the advancement of CSS, and 3) strengthen supervision and management of the implementation of the plans.Digital paymentsThe potential of the Korean digital or electronic payments market is expected to be very high, as credit cards are commonly used and the infrastructure for digital payments, such as the internet network, online market and smartphones, is well-established. According to a survey by the Bank of Korea, only 17.3% of transaction amounts were made in cash while 53.8% were made by credit cards in 2019. The mandatory use of the authorised certificate, together with the Active X security programme in online transactions exceeding approx. USD 300 for internet banking, and security accidents in online transactions, raised the desire for a simpler, faster and safer means of online payment. To meet such needs, the authorised certificate and Active X became non-mandatory, and Korea’s major corporations such as Samsung, Naver, Kakao, SK, Shinsegae and Lotte each – and separately – rushed to launch their own digital payments systems. Now, the Korean mobile payments application market is very competitive, with more than 50 applications.The majority of launched digital payments are mobile payments, which are payment systems enabling transactions using an ID and password on a PC or mobile devices. In traditional online payment systems, a credit card number, validation date, phone number and other such information had to be inserted for every single transaction. For mobile payments, this is no longer the case as such information is only required to be registered once.The second popular type of digital payments: App-to-App payments, which transfer money from a user’s account to another user’s account directly, is being named as a payment system to replace credit card payments. The App-to-App payments system has merits over traditional credit cards on various points: it has a lower fee rate – almost a quarter of that of credit cards; as PGs and VANs do not intervene in the payment process, the recipient does



not need to download the application or have payment terminals; and transactions can be made between private persons. Toss and Kakaopay are the leading App-to-App payments service providers, and the Korean government launched the beta version of the Zero Pay platform in December 2018. Zero Pay is a Quick Response (“QR”) code transaction platform introduced by the Seoul Metropolitan Government to lighten the financial burden on small businesses by avoiding credit card fees. The Korean government is encouraging the use of Zero Pay, offering tax benefits. If App-to-App payments successfully take over the market, then VAN, PG and credit card issuer businesses will be disrupted greatly. However, one should not be too optimistic about App-to-App payments, as it is a system fundamentally based on debit payments of which payments can be made up to the bank balance, making it much less attractive to people who are used to the credit card system.The new instance of a digital finance technology, FinTech, being applied to fiat currency is the “Central Bank Digital Currency” (“CBDC”). The Bank of Korea has been reviewing legal issues related to the CBDC and the legal requirements related to the enactment and amendment of the related laws since 2020. Moreover, in May 2021, the Bank of Korea released a request for proposals on the selection of service providers for the CBDC pilot programme. Through this pilot programme, the Bank of Korea intends to establish a simulation environment using distributed ledger technology in a virtual space and test the usability of the CBDC and the operation of general tasks. The first phase of the pilot programme will be completed in December 2021, when the tests on the primary functions of the CBDC (maintenance of the users’ crypto wallets, transfer of deposits, remittance and payments, and other primary functions related to the distribution of decentralised CBDC) and creation of a simulation environment will have been completed. The second phase will be implemented by June 2022 – testing the expansion function of the CBDC and the application of strengthening technology with regard to the protection of personal information.CryptocurrenciesApplication of the blockchain to the Korean market, one of the hottest and innovative FinTech ideas, is being discussed and sought in various ways. For example, a blockchain-based certification system is being developed to substitute the conventional authorised certificate and a blockchain-based local currency called No-Won Coin was launched and is currently in use. Further, a number of “altcoins”, which refers to cryptocurrencies other than Bitcoin, and cryptocurrency exchanges have newly appeared. On March 25, 2021, the Korean government ratified an amendment to the Act on Reporting and Using Specified Financial Transaction Information, which imposes anti-money laundering obligations on virtual asset service providers (“VASPs”). The amended Act describes “virtual assets” as “digital token[s] with economic value that can be digitally traded or transferred”, and a “VASP” as “a business entity that engages in the purchase and sales of virtual assets, exchanges between virtual assets, transfers of virtual assets (limited to the act of transferring virtual assets for sale, exchange, storage and management based on the request of a customer), safekeeping and administration of virtual assets, and intermediation or brokerages of such virtual asset transactions” (Article 2(1) and Article 3). The Act further requires the registration of all VASPs by September 25, 2021.Moreover, in the past, there were no provisions regarding the taxation of virtual assets. However, the Korean government has amended its tax laws, and from January 1, 2022, taxes will be levied upon all virtual asset transactions. Under the amended Income Tax Act, all “virtual asset income” that arises from the transfer of or lending of virtual assets by an



individual investor after January 1, 2022 will be taxed under “other income”. Moreover, under the amended Corporate Tax Act, virtual assets are to be added to the corporate assets subject to evaluation, and they are to be evaluated in accordance with the “first-in-first-out” method.


RegTechThe Korean government has consistently manifested its willingness to encourage financial companies to develop and adopt RegTech since 2017 and launched the RegTech Development Council in October 2018. The Council announced that RegTech is the breakwater which blocks risks from FinTech innovation waves, and it will construct infrastructure to enhance the development and use of RegTech. Also, it will run a pilot test for Machine Readable Regulation, which translates financial regulations to machine language, starting from the Electronic Financial Transactions Act (the “EFT Act”).The FSI launched a RegTech platform in January 2019. This platform provides an automated compliance management service, an automated financial security reporting service, a search and notice service on intelligence regulation, and financial security support. In April 2020, the FSS launched a task force for digitalisation of financial supervision, which is targeted to support and accelerate the development and adoption of RegTech. For this purpose, SubTech, such as analysis and supervision using artificial intelligence (“AI”), will be also developed.In accordance with the amendment to the Credit Information Use and Protection Act, “routine inspections of data protection” have been implemented since February 4, 2021. Under this system, the rights and performance of data protection on personal credit information processed by financial institutions are inspected and awarded a score or a grade based on their inspection results. This evaluation system systematically and routinely assesses the compliance and verification of data protection regulations throughout a data’s lifecycle, such as consent, collection, and provision of data. It further provides regular feedback on the performance of data protection in the financial sector through a self-regulatory organisation (FSI), and in the process, establishes a routine evaluation support system based on RegTech automating the evaluation process. It is expected that the introduction of routine inspections of data protection will help ensure consistency of data protection and improve credibility through accountability amid a rapidly changing environment surrounding the data industry, including the introduction of new technology such as AI and the introduction of pseudonymous data.InsurTechA few pieces of legislation are obstacles to InsurTech in Korea. The first relates to the separation of industrial and financial capital. Insurance companies cannot have FinTech subsidiaries, so they can develop InsurTech only by partnership with FinTech companies. The Medical Service Act strictly limits the medical service to be provided by doctors, nurses and other qualified medical persons. Some InsurTechs analyse health data, discount premiums based on such health information, and provide health information to the insured. Because such analysis and notification may be construed as diagnosis, which is a medical service, it is risky to operate such types of InsurTech in Korea. To encourage the development of InsurTech, the FCC lifted such restrictions for a few insurance items under the regulatory sandbox programme in 2019 and are being readied to be on market.



In addition, the FSC introduced the “Guideline on the Use of Artificial Intelligence in Financial Services” in July 2021 to bolster public trust in the development, commercialisation and utilisation of AI-based financial services. The “Guideline on the Use of Artificial Intelligence in Financial Services” prescribes the provision of internal control mechanisms and authorisation procedures, and the designation of a person in charge for any AI decisions, such as insurance screening, that have a significant impact on the conclusion and maintenance of an individual’s financial transaction contract. It further prescribes sufficient notice of a consumer’s right to require adequate notice and revision be given in the event a financial consumer decides to conclude a contract or a financial transaction, such as buying insurance, through AI.

Regulatory bodies

In general, the FSC and the FSS are the major regulatory authorities in the FinTech industry. The FSC is the government regulatory authority which assumes primary responsibility for rulemaking and licensing, while the FSS principally conducts supervision of the financial industry, including prudential supervision, capital market supervision, consumer protection, and other activities delegated by the FSC. Although the FSS is an organisation under the FSC, which is a governmental body, it is not itself a governmental body. The FSS is a specially legislated supervisory authority staffed by private sector employees who are not part of the government civil service system. This two-tier system is devised to reduce the risk of the government attempting to deprive the freedom and take control of financial companies.The FSC has the statutory authority to draft and amend financial laws and regulations and issue regulatory licences to financial institutions. For example, anyone who wishes to run an internet banking business should obtain permission from the FSC under the Banking Act following the detailed procedure and conditions decided and announced by the FSC. Similarly, the FSC has the authority to give a licence for a Robo-advisor business under the FISCM Act and a mobile payments business under the EFT Act. In addition, the FSC supervises foreign exchange transactions and leads the government’s anti-money laundering and counter-terrorism financing efforts.Prudential supervision is the main objective of the FSS. The FSS regularly carries out both targeted and full-scope examinations to evaluate financial firms’ financial health, risk management, internal controls, management competence, and compliance with rules and regulations. Consumer protection is another goal of the FSS. The FSS provides consumer complaint resolution services and consumer education programmes. Consumers can file complaints with the FSS against financial services firms through the consumer complaint resolution service and seek mediation and resolution. The FSI is a financial security-specialised organisation founded to create a safe and reliable financial environment and to contribute to the establishment of a convenient financial environment for financial consumers and financial institutions. Although the FSC led the foundation of the FSI and the FSI evaluates the security level of each financial company, it is a non-profit organisation and not a regulatory body.The Korea Financial Intelligence Unit (“KoFIU”) is a sub-organisation of the FSC established to prevent money laundering, terrorist financing, and illegal foreign currency outflows in order to establish a transparent financial transaction order. Pursuant to the Act on Reporting and Using Specified Financial Transaction Information, KoFIU analyses suspicious transactions reported by financial companies, and if deemed related to criminal funds or money laundering, reports such information to the relevant law enforcement



agencies, such as the prosecution, the National Tax Service (“NTS”), Korea Customs Service (“KCS”), the FSC, and the National Intelligence Service (“NIS”). Moreover, KoFIU oversees the reporting of VASPs.


Banking businessThe Banking Act deals with inherent banking business, which is defined as business with lending funds raised by bearing debts owed to many and unspecified persons, by the receipt of deposits or the issuance of securities and other bonds; while the Internet-Only Bank Act, introduced in September 2018, includes special regulations for internet-only banks that mainly conduct banking business via electronic financial transactions. The special rules included in the Internet-Only Bank Act are as follows: first, any person who intends to obtain authorisation for banking business shall have capital of at least KRW 100 billion (provided that a local bank’s required capital may be at least KRW 25 billion); while internet-only banks only require KRW 25 billion. Second, a non-financial business operator may hold up to 34% of the total number of outstanding voting stocks of a bank, instead of 4% (with some exceptions) as stipulated in the Banking Act, as the Internet-Only Bank Act eases the restrictions on stockholding by non-financial business operators. The restrictions on stockholding by non-financial business operators intend to prevent the non-financial sector from controlling the financial sector, but have hindered convergence and innovation between ICT and financial business. However, some regulations from the Internet-Only Bank Act are stricter than those of the Banking Act. For example, internet-only banks may only lend funds to a company that is a small or medium-sized enterprise, and to a person who is a large stockholder of such company.Payment and settlement serviceThe operation and management of the payment and settlement system is mainly based on the Bank of Korea Act and its sub-regulations, “Rules for the Operation and Management of Payment Systems”. A payment service provider may provide services by participating in the “Payment and Settlement System”, such as a large-scale payment system operated by the Bank of Korea, a small payment system operated by the Korean Financial Telecommunications & Clearings Institute (“KFTC”), etc. Payment service providers shall observe the Banking Act, FISCM Act, Specialized Credit Finance Business Act (the “SCFB Act”), EFT Act, etc. applicable to its own types of payment and settlement service. In relation to payment and settlement services with non-cash and paperless payment methods, the SCFB Act contains a regulation for credit card businesses, and the EFT Act deals with electronic financial transactions with electronic payment means. The EFT Act defines “electronic payment means” as an electronic funds transfer, electronic debit payment means, electronic prepayment means, electronic currency, a credit card, an electronic bond or other means of payment by electronic means. The EFT Act stipulates issuance and management of electronic payment means, permission and registration of electronic financial business, and measures ensuring the safety of electronic financial transactions and protection of users. Most FinTech payment services are treated as “electronic payment settlement agency services”, which are services that are rendered to transmit or receive payment settlement information in purchasing goods or using services by electronic means, or to execute as an agent or mediate the settlement of prices thereof. Also, most FinTech remittance services are treated as “issuance and management of electronic prepayment means business”, as prepayment means are used to remit funds between different bank accounts.



In December 2019, an open banking service was launched to promote innovation in the financial sector by opening up financial payment networks. This service was provided in the form of a joint platform whereby the KFTC acted as an operator that connected participating members to banking networks regardless of any partnership between the individual bank and the user institution. The domestic open banking service included Read API that allowed customers to check their balances and transfer from and out of their accounts. Moreover, the scope of the joint platform’s use, which was previously limited to FinTech businesses and banks, was expanded to included securities companies, mutual finance companies, savings banks, and credit card companies. From August 4, 2021, MyData businesses will collect and utilise personal credit information through standard Application Programming Interface (“API”) to provide their services to their consumers. Moreover, there are discussions related to the amendment of the EFT to allow MyPayment businesses to assist payers in transferring their electronic funds by delivering payment instructions on behalf of the payer to finance companies in which the payer has an account, even if the payer does not hold such funds.Money-lending businessThe SCFB Act and Act on Registration of Credit Business, etc. and Protection of Finance Users are applicable to credit loans or money-lending businesses without receipt of deposits, contrary to banks. Among the above, the SCFB Act deals with credit card business, facility-leasing business, instalment-financing business, and new technology venture capital business. Meanwhile, the Act on Registration of Credit Business, etc. and Protection of Finance Users is composed of regulations on credit business and loan brokerage business. Also, the credit business mentioned in the Act on Registration of Credit Business, etc. and Protection of Finance Users is primarily a business that lends small amounts of money to low-credit consumers. The bill to regulate peer-to-peer (“P2P”) lending business, a loan brokerage business which connects a lender and a borrower via online platform, was passed in November 2019 and in force from August 2020. With the enforcement of the Act on Online Investment-Linked Financing and User Protection, companies seeking to operate online investment-linked financial businesses must satisfy all registration requirements, such as equity capital requirements, and register with the FSC. Moreover, the Act further grants a one-year grace period (until August 26, 2021) to all existing P2P businesses. The Act is applicable only in the case that the broker borrows money from a lender and lends such amount to a borrower. In other words, it is not applicable if the broker only connects or introduces a lender and a borrower to each other and does not become involved in the money transaction.Financial investment service and asset managementThe FISCM Act includes regulations for financial investment instruments, such as securities and derivatives, and financial investment business that is classified as investment trading business, investment brokerage business, collective investment business, investment advisory business, discretionary investment business and trust business. Among the financial investment businesses, crowdfunding with issuance of securities is relevant to “investment brokerage business” under the FISCM Act, where a “crowdfunding broker” is defined as an investment broker engaging in the online brokerage of public offering or sale of debt securities, equity securities and investment contract securities issued by a person who is within the requirements of the Presidential Decree and the Support for Small and Medium Enterprise Establishment Act, etc., on another person’s account in whosever named by the method prescribed by Presidential Decree. Meanwhile, personalised asset management



and Robo-advisor services with AI are related to “investment advisory business” or “discretionary investment business” that use electronic investment advisory devices under the FISCM Act. The FSC plans to promote the relaxation of advertisement regulations, security issuance limitations, investment limitations, and the scope of companies that issue securities related to cloud funding to vitalise the supply of venture capital.InsuranceThe Insurance Business Act is applicable to InsurTech as well as traditional insurance business. Any person who intends to be an insurance agency shall apply for registration with the FSC. However, an electronic financial business entity is not allowed to run an insurance agency except for a “specific product non-life insurance agency”, which is a non-life insurance agency that solicits insurance products relevant to a person’s business where such person’s business mainly focuses on the sale of specific goods or the provision of specific services. In May 2021, the FSC made improvements on the rules on non-face-to-face digital solicitation to enhance the effectiveness of consumer protection and reduce the inefficiency of insurance operations. The improved system allows the insurance providers to fulfil their obligations of providing adequate explanation to customers via phone, given that they provide certain safety precautions, such as explaining and recording essential terms and conditions of the contract and verifying such recordings (Supervision Regulations on Financial Consumer Protection). Furthermore, it will allow insurance agents to use AI Voice Bots based on Text-to-Speech (“TTS”) technology rather than directly reading standard scripts when soliciting insurance over the phone. This would help insurance agents to focus on customer questions and additional explanation requests. A hybrid solicitation method is also planned to be approved, which would allow the processing of certain procedures, such as filling in of documents for insurance contracts and other subscription-related procedures, to be carried out online (mobile) while the important aspects of the insurance products will be explained over the phone.Foreign exchange transactionsIn order to engage in foreign exchange transactions such as payment, remittance, receipt and currency exchange between the Republic of Korea and a foreign country, a company should abide by the Foreign Exchange Transactions Act. The requirements for foreign exchange business are considerable, but the requirements for small-amount cross-border remittances business which being less than USD 5,000 per transaction and less than USD 50,000 per year were enlightened in 2017 to encourage cross-border FinTech business. In addition, companies that have been authorised or registered as businesses issuing and managing electronic currencies, electronic prepayment means or electronic payment settlement agency services under the EFT Act can also register with the Minister of Strategy and Finance for other specialised foreign exchange business and provide payment services overseas. Recently, the relevant regulations have been amended to allow electronic reporting of capital transactions. Financial data protectionIn January 2020, the three major pieces of legislation which promote and govern the use of data, the Personal Information Protection Act (“PIPA”), the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (“Network Act”), and the Credit Information Use and Protection Act (“Credit Act”), were amended as follows:• PIPA adopted the concept of anonymised data and pseudonymised data. The former is

partially replaced or deleted personal data so that an individual cannot be recognised



or identified without the use of additional data. The latter is not explicitly defined in PIPA, but it can be interpreted as data from which an individual cannot be recognised or identified even additional data is used or applied. PIPA allowed pseudonymised data to be processed for statistical, scientific research or public interest record-keeping purposes, and exempted major obligations applicable to typical personal data, such as the individual’s prior consent to collect data and release of data after a certain period of time.

• The main amendment to the Network Act was the deletion of provisions related to the protection of personal data, so that PIPA would be the main piece of legislation which governs matters related to the protection of personal data.

• The Credit Act was amended to provide the legal basis for analysing and using big data in the finance sector. Similar to PIPA, pseudonymised data can be processed for statistical, scientific research or public interest record-keeping purposes without the individual’s consent. In addition, the Act newly introduced an individual’s right to request for an explanation or object to the profiling of financial companies by automated data processing.

• Pursuant to the amendment of the Credit Act, “MyData Industry”, which provides an integrated inquiry service on personal credit information that has been dispersed in accordance with the customer’s right to request transmission of the information, is allowed. However, MyData businesses must comply with their obligations under the Credit Act, such as ceasing to scrap (a method of storing authentication information such as customer ID/PW and signatures on official certificates), and providing this information to information providers, such as banks, on behalf of the customer in order to acquire all of the customer’s information at once.

Financial consumer protectionTraditionally, financial consumers were protected under the Acts that regulate each financial product, such as the Depositor Protection Act, Banking Act, Insurance Act and more. In March 2020, the Financial Consumer Protection Act was enacted and entered into force on March, 25, 2021. The Act sets out the general restrictions and principles applicable to all financial products and strengthens the penalty for the violation of such restrictions.Recently, big-tech companies are actively entering the finance industry bolstered by their vast customer data and abundant capital. Since big-tech companies focus on “technology” more than “finance”, there is a possibility that they would be less observant of financial regulations, such as the regulations on financial consumption protection, when compared to financial companies. In order to prevent market monopoly of big-tech companies, such as financial product sales agents and brokers, the Enforcement Decree of the Financial Consumer Protection Act states that the registration of financial product sales agents and brokers will be disallowed or cancelled in the event that the agents or brokers are punished for violating the Fair-Trade Act. Furthermore, the Decree prohibits agents and brokers from entrusting sales only to themselves or a specific business entity.Financial innovation supportOn April 1, 2019, the Special Act on Financial Innovation Support was enacted with the purpose of promoting the development of innovative financial services. The Special Act on Financial Innovation Support is applicable in preference to other finance-related laws, such as the Banking Act, FISCM Act, SCFB Act, EFT Act, Credit Act, PIPA, Network Act and so forth. The Special Act on Financial Innovation Support provides the designation of innovative financial service by the FSC and support of innovative financial services, the responsibility of designated innovative financial services providers, and matters concerning



designated agents who can be entrusted with the work of a financial company. Designated innovative financial services providers must inform the customer in advance that the service is in test operation and that unexpected risks may arise and, furthermore, obtain consent from its users about providing innovative financial services. Also, designated innovative financial services providers shall not only indemnify a customer against damages caused by the provision of services, but shall also be insured against liability for damages. Initially, it was illegal to entrust essential operations of a financial company (such as contracting for investment brokers) to a company that did not have the relevant licence. However, the Special Act on Financial Innovation Support introduced the “designated agent system”, which allowed financial companies to entrust their essential operations to FinTech companies, leading to the provision of innovative financial services.To address the new developments in the area of FinTech, the following attempts are being made by the government and financial authorities:• Test-Bed system in connection with the statute: in March 2017, the FSC announced

measures to introduce a Test-Bed for financial regulation for an early settlement of innovative financial services. The Test-Bed system introduced by the FSC consists of the FSC’s issuance of non-action opinions, a test assignment programme through a financial company, and a designated agent to which a financial company’s business is entrusted.

• Establishment of the QR Code Payment Standard: in November 2018, the FSC published the QR Code Payment Standard to ensure availability, simplicity and security of payment while issuing, using, and destroying QR codes in electronic financial transactions. In particular, the QR Code Payment Standard ensures that the QR code has its own security functions to prevent any forgery or tampering, and also to prohibit the inclusion of sensitive personal or credit information.

• Convergence of the financial and non-financial sectors: the Internet-Only Banks Act amended the principles of segregation between bank capital and industrial capital. Also, the Banking Act and Act on the Structural Improvement of the Financial Industry and Financial Holding Companies Act prohibit financial companies from possessing stock ownership in general, and the only exception would be when the two companies’ businesses are related. Of course, the financial company should obtain the FSC’s approval or report to the FSC prior to the acquisition of the non-financial company’s stock, while the FSC clarified the types of FinTech company businesses in which financial companies may invest by issuing an official opinion on the interpretation of the statute in May 2015, in order to stimulate investment in FinTech companies. However, due to restrictions under the Insurance Business Act, an insurance company still cannot have a FinTech company as a subsidiary.

• Introducing the API for open banking: the open API, which allows a financial company to use all existing banking networks without obtaining a licence or permission of each bank, was launched in December 2019. In detail, the open API renders the following six services: balance search; transaction details search; account user verification; remitter search; and remittance and receipt of money transmission. To use the open API, a financial company needs to have the KFTC’s approval. It should be noted that the open API is a contract-based system, and the legislation to be applied has not yet been established.

• To promote FinTech investment by financial companies, the FSC plans to expand the scope of FinTech companies in which financial companies can invest in and promote the enactment of the “Fintech Support Act”, which includes a provision that exempts employees of a financial company from investment loss liabilities, should any arise.



Restrictions

Korean financial legislation strictly and specifically states the qualifications and requirements of financial business. And unlike in common law countries where a financial supervisory authority typically has the power to determine the applicability of specific regulations and licensing requirements at its discretion, in Korea, a civil law country, a financial supervisory authority has limited power. Accordingly, a financial company should strictly be in compliance with financial legislation. Also, a FinTech company that wishes to commence an innovative FinTech business where there is no financial legislation to follow should not consider such business legitimate because a financial supervisory authority gave an opinion in favour of another FinTech company. In principle, the amendment of financial legislation and their sub-regulations is required. However, as explained above, the Special Act on Financial Innovation Support introduced strong incentives for FinTech companies. Businesses designated as innovative financial services enjoy exemptions from various legal restrictions for a certain duration. Furthermore, if a FinTech company, designated as an innovative financial service, acquires a licence with the conditions required by the relevant financial law, an exclusive right is guaranteed to such company by prohibiting other companies from providing the same service to the market for two years after entering the market in earnest.With regard to virtual asset businesses, the regulations have been strengthened with the implementation of the amended Act on Reporting and Using Specified Financial Transaction Information on March 25, 2021. According to the wording of the amended Act, the scope of “virtual assets” and “VASPs” that are subject to the regulations is very wide. Moreover, legal uncertainties exist when conducting businesses using virtual assets since few regulatory practice cases have been accumulated by the financial regulators. In this regard, there is a controversy over whether Non-Fungible Tokens (“NFTs”) are “virtual assets” subject to the Act on Reporting and Using Specified Financial Transaction Information, and it has been suggested that NFTs used to transact digital files, such as game items, digital music, and digital art, do not amount to “virtual assets”.


As briefly explained above, the Foreign Exchange Transactions Act is applicable to cross-border transactions. In May 2019, the Act was amended to allow pre-paid electronic currency to be used abroad. The small-amount cross-border remittances market grew very rapidly and now its size is more than USD 14 billion. Nowadays, the settling of virtual assets is being sought as the way to replace SWIFT for overseas remittances. However, it is not clear whether such use of virtual assets for small-amount cross-border remittance is legal or not, as the Foreign Exchange Transactions Act does not have any provision in relation to virtual assets and the Korean government has not made its position clear.Regarding cross-border FinTech businesses, the FSC announced in September 2019 that it will fully support the domestic FinTech companies’ challenge to the overseas market, and many financial authorities have entered into memoranda of understanding (“MoUs”) for collaboration in FinTech development. It is expected that collaboration in cross-border FinTech businesses will increase, especially with South-East Asian countries.

Won H. ChoTel: +82 2 2051 1870 / Email: [email protected] an experienced corporate lawyer with extensive commercial transactional experience in various specialty industries including entertainment, ICT and healthcare, Won H. Cho is uniquely positioned to advise clients on a wide range of complex IP, corporate and regulatory matters. He started his career as an associate at Bae, Kim & Lee LLC (“BKL”) and went on to serve as a partner of the firm, leading BKL’s prominent IP and technology transaction practices, spanning a total of 16 years. Mr. Cho also worked on secondment at Ropes & Gray (New York) in 2014 in the firm’s IP division. Recently, he has been actively advising clients in the blockchain and fintech industry. Mr. Cho is now an adjunct professor at KAIST-MIP (Master of Intellectual Property) and serves in leadership roles at various local and state organisations, including the Korea Fair Trade Commission Advisory Committee, Korean Intellectual Property Office, US Korea Law Foundation, Korea Licensing Executive Society, and the Korea Association of Entertainment Law, among others. Mr. Cho holds a B.A. from Seoul National University and received an LL.M. from the University of Texas.

Jeong Hwa JangTel: +82 2 2051 1876 / Email: [email protected] Hwa Jang is a senior associate at D’LIGHT, where she focuses on advising and assisting in litigation and legal issues in the ICT and FinTech industries and financial investment regulations. Ms. Jang studied economics and business at Yonsei University before accumulating practical experience in financial institutes and completed her legal training at Yonsei University Law School. Based on her understanding of the financial sector, Ms. Jang counsels clients on financial regulation, FinTech, Foreign Investment and PEF.

D’LIGHT Law Group5th Floor, 311, Gangnam-daero, Seocho-gu 06628, Seoul, Korea

Tel: +82 2 2051 1870 / URL: www.dlightlaw.com



Chi Eui HongTel: +82 2 2051 1870 / Email: [email protected] Eui Hong is an associate at D’LIGHT, where she focuses on advising and assisting in litigation and legal issues in the FinTech industries and financial regulations. Ms. Hong studied law at Seoul National University. Upon graduation from law school, Ms. Hong engaged in private practice at a law firm and then moved in-house at a securities company. Based on her understanding of the financial sector and as a certified Investment Manager, Ms. Hong counsels clients on financial regulation, FinTech, corporate finance and PEF.

LuxembourgProf. Jean-Louis Schiltz & Nadia Manzari

Schiltz & Schiltz S.A.



Luxembourg has always considered innovation as an essential driver for the development of financial services and the financial sector in general. In 2014, the Luxembourg Government launched its Digital Luxembourg initiative of which financial technology (“Fintech”) is a key component, the aim being to bring finance to the 21st century. The Luxembourg mindset which consists of embracing and fostering change has contributed to the creation of a very successful and dynamic Fintech sector in Luxembourg. A growing number of companies from around the world are opening offices in Luxembourg to develop and market their product range in Europe and worldwide. Fintech has been around for a long time in Luxembourg, even before the concept became known as such. The fund industry has indeed been using Fintech solutions for many years (Multifonds is one of the historic examples). Luxembourg has generally been very active in digital innovation and was amongst the first countries in Europe to implement the European payment services directive1 in 2009. This “first mover” advantage in particular enabled the country to develop a strong track record in payments services, and this led in turn to the creation of an ecosystem of highly innovative products.Luxembourg’s financial centre provides an attractive environment for Fintech companies. The presence of 126 banks,2 the world’s leading fund industry, a well-developed insurance and reinsurance sector and financial infrastructures like central securities depositories provide for a large potential client base. Also, mainly due to Luxembourg’s attractive and efficient research ecosystem, the 2020 edition of the innovation scoreboard, published by the European commission, ranked Luxembourg as one of the top five “innovation leaders”,3 and in the 2021 edition of the innovation scoreboard Luxembourg was again qualified as being a strong innovator with performance above the EU average.4 Excellence in the field of IT in particular gives Luxembourg a competitive advantage over other countries thanks to the presence of the largest number of Tier IV data centres in the world, guaranteeing data availability and security at the highest standards. Furthermore, Luxembourg is a founding member of EuroHPC (“European High-Performance Computing”) and was selected in June 2019 as one of the eight sites that will host supercomputers.5 Thus, Luxembourg acquired a supercomputer called Meluxina, which is hosted, operated and marketed at the LuxConnect data centre and powered exclusively by green energy produced in part by Kiowatt, a cogeneration plant fuelled by scrap wood.6

Luxembourg is also active in the field of quantum computing. For instance, the Luxembourg Government decided to use part of the resilience funds it received in the context of the EU’s recovery and resilience facility to subsidise SES’s quantum communication infrastructure.

Schiltz & Schiltz S.A. Luxembourg


By establishing a highly secure communication infrastructure based on quantum technology, Luxembourg aims to facilitate the exchange of confidential information within the public and private sectors.7 The country is also intensely working on blockchain technology. The creation of the Infrachain initiative, which combines the transparency of public chains with the flexibility of private chains, is one of the flagship examples in this context. It aims at enabling companies to customise blockchains for specific needs. Another example is the launch of the Luxembourg Blockchain & DLT Association (“Letzblock”), which aims to be Luxembourg’s community hub for blockchain initiatives. Through its working groups and educational programmes, it encourages, supports and shares the adoption and the development of blockchain and distributed ledger technology ecosystems, but furthermore, also creates an entry point to these technologies for stakeholders across all sectors.8 In the same vein, the Luxembourg University, through its Center for Security Reliability and Trust, is at the forefront of the research activities based on or related to distributed ledger technologies. In 2019, it has, for instance, announced a partnership with US-based Ripple.9 Those three actors, together with the Luxembourg Institute of Science and Technology (“LIST”) and the Luxembourg House of Financial Technology (“LHoFT”), launched a cross-industry collaboration with the mission to set up a landmark EU hub for blockchain education, research and industry projects, as well as develop industry capabilities to aid the deployment of the latest blockchain and distributed ledger technologies.10

Most importantly, the country has adopted two laws setting out in “black and white”, (i) that securities can be legally held and transferred through distributed ledger technologies,11 and (ii) that blockchain and other DLT can be used to record the issuance of dematerialised securities,12 thus adding one more layer to its long tradition of “innovation through law”, of which legal certainty is one of the essential pillars. Luxembourg is not only promoting digital technology on a national basis but also fully commits to engage with digital technology at the European level and has signed the “Declaration of European Blockchain Partnership”.13

Fintech offering in Luxembourg

Luxembourg has a diversified Fintech ecosystem composed of Fintech firms, finance-related software vendors as well as IT solution providers. More than 40 of them are, for instance, active in the payments sector, offering innovative digitised payment solutions to consumers as well as to merchants.14

To name just a few examples, PayPal (Europe) S.à r.l. et Cie, S.C.A. was granted a banking licence in Luxembourg in 2007. Amazon Payments Europe S.C.A. has an e-money licence in the Grand-Duchy since 2010 and in 2016, Rakuten Europe Bank S.A., after having initially obtained a payment institution licence, obtained a banking licence. PingPong Europe S.A. was one of the first Chinese Fintechs to obtain a European payment licence in Luxembourg back in 2017, and received an EMI licence in 2020. Bitstamp was the first crypto-exchange to become licensed as a payment institution in Luxembourg in 2016, the Luxembourg regulator thus obliging for the first time in Europe crypto-clients to abide by AML/CTF and KYC requirements (Europe has followed the same path in the meantime). eBay S.à.r.l. is also operating its payment services in Europe under a payment institution licence granted by the Luxembourg Ministry of Finance in 2014, and Payconiq International S.A. has acquired Digicash – a booming Luxembourg mobile payments company – in order to establish a Benelux-wide presence of its mobile payments initiative. Alipay (Europe) Limited S.A. obtained an e-money licence in 2018. Airbnb Payments Luxembourg S.A. obtained its payment institution licence in autumn of 2019 and the Danish fintech Banking Circle S.A. also obtained its banking licence from the Minister of Finance in 2019. In 2020, both the London-based fintech PPRO Payment Services S.A. and Monex Europe S.A. became licensed as payment institutions in Luxembourg.



A large number of Fintech companies in Luxembourg are active in the fund – and the investment industry at large – as well as in the banking and insurance sectors. Fintech companies in Luxembourg are also omnipresent in the fields of big data, artificial intelligence (“AI”), cybersecurity, authentication (KYC), cryptocurrencies and blockchain.15 Over the last seven years, local and international banks, professionals of the financial sector and insurance companies have deployed impressive energy and expertise in Fintech, regulatory technology (“Regtech”) and insurance technology (“Insurtech”). Across the different industries, we are seeing more and more M&A activity and collaboration at large between Fintechs and traditional actors, with the result that these traditional actors rapidly achieve innovative new offerings.In line with the concept of “innovation through law”, Luxembourg in the first place always aims to apply existing laws and regulations to new models. A striking example is the application of the payment legislation to crypto-exchanges (whereas, in contrast, other countries decided not to regulate this type of activity, leaving the actors established in their territory in a grey area, to say the least). Only where existing legislation is not clear enough, or where existing legislation is totally silent about a certain type of activity, does Luxembourg enact new legislation. The most striking examples here are the Law of 1 March 201916 on transfers of securities via distributed ledger technologies, and the Law of 22 January 2021 amending the Law of 5 April 1993 on the financial sector and the Law of 6 April 2013 on dematerialised securities.17


As part of the booming Fintech sector, an impressive number of Regtech providers have grown out of Luxembourg over the last years. Among the most well-known actors, Governance.com, Seqvoia, KYC TECH, FINOLOGEE or LUXHUB, each in their own field, for instance, assist financial institutions to face ever-increasing regulatory requirements. Regtech companies in Luxembourg mainly provide services based on automated processes in the areas of AML/CTF and KYC, reporting and risk management, thus enabling better and more efficient risk identification and regulatory compliance. The adoption of Insurtech solutions is going smoothly in Luxembourg. Tools are becoming increasingly sophisticated and innovative. Claims handling and actuarial calculations are just two examples of areas of predilection for their implementation. Looking at Insurtech from a wide angle, it can be observed that Luxembourg’s insurers are at the forefront of innovation when it comes to driverless or so-called autonomous cars. In 2018, the Association of Luxembourg Insurance Companies, together with the University of Luxembourg and Schiltz & Schiltz S.A., organised a mock trial about a fictitious car accident that “took place” in 2030, and in which a driverless car hit a pedestrian. The case was pleaded in front of real judges in the Court house of Luxembourg City, and the judges handed down a real fictitious judgment. In this judgment, the Court held that the ancient theory distinguishing between the structural custody and behavioural custody of an object (here: the vehicle) was as a matter of principle relevant for assessing liability claims in the context of driverless cars. It also held that for the car maker, the law on civil liability for defective products needed to be analysed. In the end (and in short), the driver was held liable because it was established that he did not follow the voice instructions of the car.

Regulatory bodies

Fintech entities established in Luxembourg and that are subject to regulatory supervision (many are not) are supervised by the Luxembourg supervisory authorities. Depending on



their licence, they may fall under the supervision of the Commission de Surveillance du Secteur Financier (“CSSF”) or the Commissariat aux assurances (“CAA”). The Central Bank of Luxembourg (“BCL”) has competences, amongst others, with regard to the security of payment systems and payment instruments and the Commission Nationale pour la Protection des Données (“CNPD”) is the authority in charge of data protection. The CSSF is a public institution which supervises the professionals and products of the Luxembourg financial sector. The CSSF performs its duties of prudential supervision and market supervision for the purposes of ensuring the safety and soundness of the financial sector, solely in the public interest. Within the limits of its remit, it ensures that the authorised entities and the issuers are complying with the regulations applicable to them, including those aiming to ensure the protection of the financial consumers and the prevention of the use of the financial sector for the purposes of money laundering or terrorist financing. The CSSF represents Luxembourg in the area of European and international supervision.18

In pursuing its objectives, the CSSF applies a prudential approach in line with the international standards, in accordance with the principle of proportionality. This approach is implemented in a professional manner, thereby ensuring an independent, forward-looking and risk-based supervision.The CSSF is transparent and fosters effective communication with the stakeholders of the financial sector while fully complying with the professional secrecy requirements. It considers integrity and accountability to be of utmost importance and delivers on its commitment and adapts to reach its objectives. The CSSF is committed to good governance and to performing its tasks with efficiency, in a spirit of internal cooperation as well as at national, European and international level.19

The Central Bank of Luxembourg has within its tasks to ensure the efficiency and safety of payment systems as well as the safety of payment instruments. The means of coordination and cooperation employed for the performance of these tasks are subject to agreements between the BCL and the CSSF, complying with the legal competences of the parties.20 For the purpose of performing its tasks related to the safety of payment instruments, the BCL may ask issuers of payment instruments to provide any information relating to those payment instruments which is necessary in order to assess their safety. Additionally, the BCL is authorised to undertake on-site visits in order to collect the information and coordinates with the CSSF to this end.21

The CAA is the competent supervisory authority for the insurance sector in Luxembourg, which includes the insurance companies, reinsurance companies, certain pension funds, the professionals of the insurance sector (“PSA”) and insurance and reinsurance intermediaries (agents and brokers).22

The main objective assigned by the legislator to the CAA is to ensure the protection of the insurance takers and the beneficiaries. This objective includes the following tasks:• examination of the applications for approval of natural and legal persons under the

supervision of the CAA;• prudential supervision of the same natural and legal persons and supervision of the

market in insurance products;• monitoring compliance with professional obligations in the fight against money

laundering and terrorist financing in the insurance sector; • attending international and European meetings in order to develop common standards;

and



• preparation of draft laws and prudential regulations relating to the insurance sector and the coordination of the Governmentʼs efforts to ensure the orderly expansion of insurance sector activities in the Grand Duchy of Luxembourg as well as the out-of-court settlement of disputes.23

The CNPD is an independent public institution with legal personality. It is financially and administratively autonomous. It verifies the legality of the processing of personal data and ensures the respect of personal freedoms and fundamental rights with regard to data protection and privacy.24


Key regulationsIn line with the principle consisting of “applying existing laws and regulations to new models”, the Luxembourg legislator (Parliament) has not so far enacted numerous Fintech laws. There are indeed only two examples of specific Fintech laws that have been enacted by Parliament up to now, i.e. the above mentioned Law of 1 March 2019 amending the Law of 1 August 2001 concerning the circulation of securities, which aims to promote the use of distributed ledger technologies for the circulation of securities by setting out in “black and white” terms that securities can be legally transferred through distributed ledger technologies, including blockchain and the also above mentioned Law of 22 January 2021 modifying the Law of 5 April 1993 on the financial sector and the Law of 6 April 2013 on dematerialised securities, which expressly recognises the possibility to issue dematerialised securities through distributed ledger technology such as blockchains. Whilst it can, with some certainty, be argued that securities could be held on the blockchain even before the enactment of the said laws, both laws now provide the financial sector with crystal-clear legal certainty, thus enabling the various actors to fully take advantage of the opportunities offered by distributed ledger technologies in the field of securities. For the rest, and in addition to these Fintech laws, Fintech actors and activities fall under the scope of existing laws and regulations, with the CSSF issuing specific secondary legislation through circulars or general guidance in a number of areas.Whilst historically, Fintech activities developed first in the payments industry, it nowadays impacts the entire financial industry, from banks to start-ups as well as investment services and the fund industry. Clearing and settlement infrastructures as well as the Luxembourg Stock Exchange are equally running Fintech projects today. For example, HQLAᵡ is a Luxembourg-based innovative Fintech firm whose vision is to accelerate the financial ecosystem’s transition towards frictionless ownership transfers of assets, and whose core clients are financial institutions active in securities lending and collateral management.Fintech companies, whilst building the services they offer on innovative technologies, often provide financial services and in that case they do fall – just like traditional companies providing financial services – into the scope of the CSSF’s supervisory competences (and whether or not a certain law or regulation then applies to such services depends on the Fintech product or service offering). For example, Fintech payment products – such as the use of digital payment methods which are intended to be used as a means of payment for acquiring goods or services or as a means of money or value transfer – will be subject to the modified Law of 10 November 2009 on payment services, on the activity of electronic money institution and settlement finality in payment and securities settlement systems (“Law of 10 November 2009 on payment services”).



An example of regulatory guidance issued by the CSSF is the area of robo-advisory. According to the CSSF, investment services based on robo-advisory tools do fall under the remit of the Law of 5 April 1993 on the financial sector, as amended (“Law of 5 April 1993 on the financial sector”). In a position paper on robo-advice published on 27 March 2018,25 the CSSF outlined that the type of licensing required by a robo-advisor to perform its activities depends on the operating model chosen, including the services provided, the contractual arrangements and the structure of the platform. Therefore, robo-advisors need to register as investment advisers26 – just like traditional, non-automated financial advisors – when they merely provide advisory services without intervening in the implementation of the advice they have provided. The CSSF paper also considers that whenever robo-advisors use robo-technology to manage portfolios as per clients’ mandates on a discretionary client-by-client basis, they need to register as private portfolio managers.27 Furthermore, the CSSF considers that robo-advisors need to register as brokers in financial instruments28 when their servicing consists of that of an intermediary by either encouraging parties to be brought together with a view to conclude a transaction, or by passing on their clients’ purchase or sale orders without holding the investments of the latter. Finally, in cases where a robo-advisor executes orders on behalf of clients in relation to one or more financial instruments, the robo-advisor needs to apply for an authorisation as a commission agent.29 The paper specifies that in any of the above-mentioned cases, robo-advisors have to comply with the MiFID/MiFIR framework.For tokens – which continue to be a hot topic in Luxembourg – the general position in Luxembourg is that asset tokens, which represent a debt or equity claim on the issuer, entitling, for example, the holder of a share in future company earnings or future capital flows (which could, in terms of their economic function, be compared to equities, bonds or derivatives), or tokens which enable physical assets to be traded on the blockchain, would fall under the remit of different regulatory frameworks, depending on the exact qualification of the token and on the financial service provided. As a consequence, in particular, the following laws may apply:30

• Law of 10 July 2005 on prospectuses for securities, as amended;• Law of 5 April 1993 on the financial sector, as amended;• Law of 30 May 2018 on markets in financial instruments, as amended;• Law of 17 December 2010 relating to undertakings for collective investment, as

amended; and• Law of 12 July 2013 on alternative investment fund managers, as amended.31

This is also confirmed by the European Commission’s draft proposal for a directive amending in particular MiFID II which was adopted on 24 September 2020, and which proposes to explicitly include in the definition of financial instruments, financial instruments issued by means of distributed ledger technology.32 Regtech companies providing services and solutions in order to assist financial actors to comply with regulatory requirements can also be subject to regulatory supervision. Depending on their setup and the services they provide, a licence as a support professional of the financial sector (“support PFS”) as per the Law of 5 April 1993 on the financial sector may be required for a number of these companies, whereas for others, i.e. those merely providing technological solutions (software in the wider sense), no specific licence would be required. The support PFS licence is a Luxembourg-specific licence aiming at including in the supervision of the financial sector a certain number of activities that are connected to or closely interlinked with a financial activity. Licensing as a client communication agent,33 administrative agent of the financial sector,34 primary IT system operator,35 secondary IT systems and communication networks operators36 may therefore have to be considered by Regtech firms.



In this context, two Regtech entities have been granted a licence in the first quarter of 2019: FINOLOGEE, which has been authorised as a client communication agent and a secondary IT systems and communication networks operator; and LUXHUB, which has been granted a licence as a secondary IT systems and communication networks operator. In the insurance sector, no new Insurtech-specific regulations have been issued by the CAA so far. It has to be noted that every regulated Fintech or Insurtech product or service also falls under the remit of the Law of 12 November 2004 on the fight against money laundering and terrorist financing. Finally, it goes without saying that Luxembourg Fintech/Regtech/Insurtech companies have to comply with the European Union General Data Protection Regulation (“GDPR”), which imposes rigorous requirements on the controlling and processing of personal data. In this context, it must, inter alia, be ensured that only relevant and accurate personal data are processed and that the reinforced and partially new rights of data subjects are being complied with.Regulatory approachesThe CSSF is on record for establishing a constructive and open dialogue with the Fintech industry by making itself available for all entities wishing to present an innovative project. In this context, the CSSF created the “Innovation Hub”, which is a division dedicated to Financial Innovation and which constitutes the single point of contact of the CSSF for any person seeking to present an innovative solution, initiate an open dialogue or raise any question related to Financial Innovation. Thanks to this Innovation Hub, the CSSF can provide entities with advice and guidelines on the applicable regulatory framework in order to ensure that the project is developed in compliance with the regulations in force and the CSSF is in permanent contact with market players, which enables the CSSF to gain the best possible understanding of FinTech developments and expectations and to address the forthcoming challenges.37 Regarding cloud computing, the Luxembourg financial supervisor has issued a pro-cloud position on 17 May 2017 by publishing Circular CSSF 17/654, which is supported by technical guidelines related to the use of some specific cloud products. It has also published on its website frequently asked questions on cloud computing.38 Circular CSSF 19/717 was published on 27 March 2019, updating Circular CSSF 17/654, with the objective to apply more proportionality to the treatment of the notification process for non-material outsourcing to cloud computing infrastructures, as the initial circular revealed itself to be too burdensome in certain instances both for supervised entities and for the CSSF.39

On 8 March 2018, the CSSF also published updated frequently asked questions on AML/CTF and IT requirements for specific customer on-boarding/KYC methods for identification/verification through video chat.40

With regard to robo-advice and as detailed above, the CSSF published on 27 March 2018 a position paper outlining the licence requirements for robo-advisors.In the context of AI, the CSSF has carried out a research study in order to better understand AI. The result of the research, which has been made public, aims at spreading basic knowledge about AI, describing the different types of AI together with practical use cases for and in the financial sector. Furthermore, the study covers the analysis of the main risks associated with AI technology and provides some key recommendations to take into account when implementing AI into a business process.41



Following the publication of the European Regulation (EU) 2020/1503 of 7 October 2020 on European Crowdfunding Service Providers for business,42 the CSSF clarified that as of 10 November 2021 (date on which the regulation will be directly applicable in all Member States), the provision of crowdfunding services from Luxembourg will be subject to the obtention of a licence as European Crowdfunding Service Providers (“ECSP”) as well as the prudential supervision of the CSSF. Should an ECSP intend to provide payment services in addition to the crowdfunding services, a separate licence under the Law of 10 November 2009 on payment services may be required.43

As for Insurtech, even though – as indicated above – no new specific Insurtech regulations have been issued so far, it is by no means anticipated that the CAA will want to put barriers in place for Insurtech solutions – in fact, the opposite is true. Influence of supra-national regulatory bodiesThe CSSF does closely cooperate with supra-national regulatory bodies such as the European Banking Authority (“EBA”), the European Securities and Markets Supervisor (“ESMA”), the International Organization of Securities Commissions (“IOSCO”), the Single Supervisory Mechanism (“SSM”), the European Insurance and Occupational Pensions Authority (“EIOPA”), the Committee of European Auditing Oversight Bodies (“CEAOB”), the Basel Committee on Banking Supervision (“BCBS”) and the International Monetary Fund (“IMF”). The CSSF is also closely involved with several international working groups dealing with AML/CFT issues, notably the Financial Action Task Force (“FATF”), the Joint Committee’s Sub-Committee on Anti-Money Laundering (“AMLC”) under the Joint Committee of the European Supervisory Authorities, the Expert Group on Money Laundering and Terrorist Financing (“EGMLTF”) of the European Commission and the Anti-Money Laundering Expert Group (“AMLEG”) of the BCBS.44 The CAA is a member of the EIOPA, the International Association of Insurance Supervisors (“IAIS”). The CAA is involved in the Expert Group on Banking, Payments and Insurance (“EGBPI”) as well as in the European Commission’s working groups, the FATF and the OECD.The BCL is an integral part of the European System of Central Banks (“ESCB”). The CNPD is a member of the European Data Protection Board (“EDPB”), the International Working Group on Data Protection in Telecommunications, the VIS Supervision Coordination Group (“VIS SCG”), the Europol Joint Supervisory Authority (“JSA”), the SIS II Supervision Coordination Group (“SIS II SCG”) and the Joint Supervisory Authority (“JSA”) for customs. In addition, the CNPD represents the Grand Duchy of Luxembourg in various Council of Europe committees.Fintech platform and working groupsOne of the main Fintech regulatory working groups today is the Tech law group which is working under the auspices of the Haut Comité de la Place Financière (“HCPF”).In 2008, the Luxembourg Financial Industry Federation (“PROFIL”) and the Luxembourg Government founded Luxembourg for Finance (“LFF”), an agency for the development of the Financial Centre. The objective of this public-private partnership is to develop Luxembourg’s financial services industry and identify new business opportunities. LFF, among others, monitors global trends in finance and provides informational material on products and services available in Luxembourg. It does so in particular in the Fintech area.Luxembourg has furthermore created in 2016 a dedicated national Fintech platform, the LHoFT.45 The LHoFT is a platform in charge of building and developing the growing



national Fintech ecosystem. It should enable financial institutions, Fintech innovators, research, academia and public authorities to interact and develop solutions and products in order to cover specific industry needs.46 The LHoFT also interacts with other Fintech hubs around the world encouraging domestic and international collaborations, working groups and initiatives.47 The Luxembourg Bankers’ Association (“ABBL”) as well as the Association of the Luxembourg Fund Industry (“ALFI”) have also set up dedicated working groups in order to allow their members to engage with the Fintech community.48

The ABBL’s Digital Banking and Fintech Innovation Cluster (“DBFI”) facilitates cooperation between banks and Fintech firms in Luxembourg and strives to support its members in embracing disruptive technologies to satisfy expectations of more and more demanding customers.49

The University of Luxembourg is also heavily involved in many Fintech initiatives.50

It should also be noted, that at an international level the CSSF is an active member of international working groups, such as the European Forum for Innovation Facilitators (“EFIF”)51 and Global Financial Innovation Network (“GFIN”).52

Restrictions

There are as such in Luxembourg no patent restrictions to the development of Fintech, Regtech or Insurtech activities. It accordingly will suffice to outline below a few aspects to be taken into account or to be borne in mind for Fintech activities: No one shall be authorised to carry out a financial activity without a licence in Luxembourg or out of Luxembourg. This does not mean that every Fintech needs a licence, but every Fintech carrying out a regulated activity – in general, providing financial services – does. A Fintech company which would like to establish itself in Luxembourg shall accordingly define its business purpose and its activity in a sufficiently concrete and precise manner, so as to allow the CSSF to determine whether a licence and, if so, which licence is required; mere technology providers will, for instance, not be required to apply for and obtain a licence.On virtual currencies, the CSSF has stated that: “there is currently no legal framework in Luxembourg or at European level that specifically applies to virtual currencies. However, the CSSF reminds that it should be borne in mind that any provision of financial sector services by a natural or legal person requires an authorisation by the Minister of Finance. The CSSF furthermore clarifies that legal qualification of virtual currencies and services provided relating to these virtual currencies is complex, notably given the technical specificities inherent in the different types of virtual currencies. Therefore, the CSSF invites the persons that envisage exercising an activity associated with virtual currencies (such as the issuing of means of payment in the form of virtual or other currencies, the offer of payment services using virtual currencies or other, or the provision of virtual currency exchange services) to submit their draft documentation to the CSSF beforehand. The CSSF will then determine whether or not the activity is a regulated activity.”53 This statement is also to be viewed against the background of the payment licence issued to Bitstamp as a crypto-exchange.On initial coin offerings (“ICO”) and tokens, the CSSF has informed service providers and initiators of ICOs that: “– despite the lack of specific regulations that applies to ICOs – the activities related thereto or implied through the creation of tokens as for example the collection and raising of funds may – depending on their characteristics – be subject to certain legal provisions in Luxembourg and thus to certain supervisory requirements. The CSSF therefore



explains that it will not hesitate to assess such fundraising activities by extending its analysis to the objectives pursued in order to assess whether it could be a scheme to circumvent or avoid financial sector regulations, notably the provisions of the amended Law of 10 July 2005 on prospectuses for securities and the Law of 5 April 1993 on the financial sector. In this context, the CSSF considers that for any fundraising, the initiators of such ICOs are required to establish anti-money laundering and terrorist financing procedures.”54

The common denominator here is that while being open to innovation, the CSSF is likely to regulate Fintech activities in a large number of instances and will not tolerate financial activities being undertaken out of Luxembourg without a licence. It has to be mentioned here that a recent amendment of the AML/CTF Law has brought Virtual Assets Service Providers (“VASPs”) that do not meet the conditions to be qualified as electronic money within the meaning of the Law on payment services or the conditions to be qualified as financial instruments under the Law of 5 April 1993 on the financial sector, as amended into the scope of the AML/CTF Law.55 The said law now provides legal definitions related to VASPs, virtual assets, virtual currencies, safekeeping or administration service providers and custodian wallet providers and designates the CSSF as the competent supervisory authority for virtual assets and VASPs. According to the AML/CTF Law, VASPs that carry on activities other than the provision of payment services must be registered within the register of VASPs established by the CSSF. This new requirement applies to VASPs which are either established in Luxembourg or provide their services in Luxembourg.In 2021, the first VASPs were registered within a primary register of VASPs established by the CSSF. The first VASP to be registered in Luxembourg was Bitflyer, the latter was shortly followed by Swissquote Bank Europe S.A.The CSSF specifies that the aforementioned registration requirement is without prejudice to any other licence/registration or other status required either in Luxembourg or by another European or third country for any other activities performed by the applicant56 and that the CSSF’s role in this context is limited to registration, supervision and enforcement for AML/CFT purposes only.57

In the insurance sector, legal issues, if any, generally do not arise under insurance sector regulations themselves, but more likely in a data protection environment. It will suffice to mention two examples here:Processing health data can be a challenge against the background of the GDPR, which does not provide for a carve out or specific rules regarding the insurance sector, in particular life insurance.New car insurance models include the tracking of the behaviour of the driver of a car through a dedicated app. Data protection can be a challenge here as well, in particular when it comes to the processing of personal data, the amalgamation of which may for instance show that a criminal offence has been committed (no matter whether such offence is a major one or not). There is at least one known example where this type of application has been debated in Luxembourg with the data protection authority.


Luxembourg is the European centre from where Fintech companies can – in a regulated way – provide their services and develop their activities all over the European Union and in third countries. Since the European regulatory framework applies to most of the authorised



Fintech activities, the providers that have obtained a licence can easily passport their services throughout the European Union. Fintech has – more than ever – a very strong international and global dimension58 which requires a common and harmonised response from the regulators of the financial sector and the insurance sector. In this context and as previously mentioned, the CSSF, the CAA, the BCL and the CNPD actively participate in all major supra-national regulatory bodies and working groups, thus continuing, together with others, to be at the forefront of innovation and contributing to shape the international regulatory landscape of Fintech, Regtech and Insurtech.

* * *

Endnotes1. Directive 2007/64/EC of the European Parliament and of the Council of 13 November

2007 on payment services.2. Situation as per 30 May 2020.3. https://ec.europa.eu/digital-single-market/en/scoreboard/luxembourg.4. https://ec.europa.eu/growth/industry/policy/innovation/scoreboards_en.5. https://ec.europa.eu/growth/industry/policy/innovation/scoreboards_en.6. https://luxembourg.public.lu/en/invest/innovation/meluxina-superordinateur.html.7. https://gouvernement.lu/fr/dossiers.gouv_mfin%2Bfr%2Bdossiers%2B2021%2Bplan

derelance.html.8. https://www.letzblock.com. 9. https://coinreport.net/university-of-luxembourg-ripple-initiative.10. https://digital-luxembourg.public.lu/news/luxembourg-targets-setup-blockchain-hub-

excellence.11. Law of 1 March 2019 amending the Law of 1 August 2001 concerning the circulation

of securities.12. Law of 22 January 2021 amending the Law of 5 April 1993 on the financial sector and

the law of 6 April 2013 on dematerialised securities.13. https://ec.europa.eu/digital-single-market/en/news/european-countries-join-blockchain-

partnership.14. https://www.Fintechmap.lu.15. https://www.lhoft.com/en/insights/the-luxembourg-Fintech-map.16. See endnote 11.17. See endnote 12.18. http://www.cssf.lu/en/about-the-cssf/about-the-cssf.19. http://www.cssf.lu/en/about-the-cssf/mission-and-competences.20. Article 2(5) of the Law of 23 December 1998 concerning the monetary status and the

Central Bank of Luxembourg, as amended.21. Article 27-3 of the Law of 23 December 1998 concerning the monetary status and the

Central Bank of Luxembourg, as amended.22. http://www.caa.lu/fr/le-caa (non-official translation).23. Ibidem.24. https://cnpd.public.lu/en/commission-nationale.html.25. http://www.cssf.lu/fileadmin/files/PSF/Robo_advice_270318.pdf.26. Article 24 of the Law of 5 April 1993 on the financial sector.27. Article 24-3 of the Law of 5 April 1993 on the financial sector.28. Article 24-1 of the Law of 5 April 1993 on the financial sector.



29. Article 24-2 of the Law of 5 April 1993 on the financial sector.30. The Virtual Currency Regulation Review Luxembourg Chapter by Jean-Louis Schiltz

and Nadia Manzari.31. Ibidem.32. Article 6, (1) of the EU’s proposal for a Directive of the European Parliament and

of the Council of 24 September 2020 amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341.

33. Article 29-1 of the Law of 5 April 1993 on the financial sector.34. Article 29-2 of the Law of 5 April 1993 on the financial sector.35. Article 29-3 of the Law of 5 April 1993 on the financial sector.36. Article 29-3 of the Law of 5 April 1993 on the financial sector.37. https://www.cssf.lu/wp-content/uploads/C_Financial-innovation_February-2021.pdf.38. https://www.cssf.lu/wp-content/uploads/FAQ_Cloud_Computing_Circular.pdf.39. http://www.cssf.lu/fileadmin/files/Lois_reglements/Circulaires/Hors_blanchiment_

terrorisme/cssf19_714eng.pdf.40. http://www.cssf.lu/fileadmin/files/LBC_FT/FAQ_LBCFT_VIDEO_IDENTIFICATION

_080318.pdf.41. http://www.cssf.lu/fileadmin/files/Publications/Rapports_ponctuels/CSSF_White_

Paper Artificial_Intelligence_201218.pdf.42. Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7

October 2020 on European Crowdfunding Service Providers for business and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937.

43. https://www.cssf.lu/en/crowdfunding-service-providers.44. http://www.cssf.lu/fileadmin/files/Publications/Rapports_annuels/Rapport_2017/RA_

2017_eng.pdf.45. https://www.luxembourgforfinance.com/en/financial-centre/fin-tech.46. Ibidem.47. Ibidem.48. Ibidem.49. https://www.abbl.lu/abbl-clusters/dbfi.50. For a recent example, see: https://coinreport.net/university-of-luxembourg-ripple-initiative.51. https://euagenda.eu/upload/publications/annual-report-2019.pdf.52. https://www.thegfin.com/members.53. http://www.cssf.lu/fileadmin/files/Protection_consommateurs/Avertissements/W_virtual_

currencies_140318eng.pdf, 14 March 2018.54. http://www.cssf.lu/fileadmin/files/Protection_consommateurs/Avertissements/W_

ICOS_140318_eng.pdf, 14 March 2018.55. Article 2(1) point 16 of the AML/CTF Law.56. https://www.cssf.lu/registration-vasp. 57. CSSF Communication of 9 April 2020 on virtual assets, virtual asset service providers

and the related registration process.58. On 4 October 2018, the CSSF has for instance signed a Cooperation Agreement with the

Australian Securities & Investments Commission (“ASIC”), providing a framework for cooperation to understand financial innovation in each jurisdiction and for information sharing between the two regulators on Fintech and Regtech (http://www.cssf.lu/fileadmin/files/Publications/Communiques/Communiques_2018/PR1832_ASIC_CSSF_Cooperation_Agreement.pdf ).

Prof. Jean-Louis SchiltzTel: +352 45 64 80 / Email: [email protected] is the Senior partner at Schiltz & Schiltz and Professor (hon.) at the University of Luxembourg. Jean-Louis Schiltz is a regular speaker at tech law and innovation conferences and has authored and co-authored a number of articles and reports in the field over the last years. He serves as a member for a number of companies and non-profit organisations. From 2004 to 2009, Jean-Louis served as Cabinet Minister in Luxembourg. His portfolio included media, telecommunications, technology, international development and defence. Jean-Louis joined the firm in 1989 and was admitted to the Luxembourg Bar the same year. He holds a postgraduate degree (DEA) in business law from the University of Paris I, Panthéon-Sorbonne. He taught at his alma mater in the early 1990s.

Nadia ManzariTel: +352 45 64 80 / Email: [email protected] Manzari is a Partner at Schiltz & Schiltz. Before joining the firm in 2018, Nadia was the Head of the Innovation, Payments, Markets Infrastructures and Governance Department at the Commission de Surveillance du Secteur Financier (“CSSF”), where she started her career in 2001.She is a regular speaker at national and international conferences covering payment services, financial technologies, remuneration policies and corporate governance.Nadia graduated in law from the University Robert Schuman in Strasbourg and holds a Master’s degree in private law (maîtrise en droit privé, mention “droit des affaires”) as well as a postgraduate DJCE diploma (Diplôme de Juriste Conseil d’Entreprise) degree with a focus on German-French business law. She holds the Certificate in Corporate Governance of INSEAD and is an ILA certified director.

Schiltz & Schiltz S.A.24–26, avenue de la Gare L-1610 Luxembourg

Tel: +352 45 64 80 / URL: www.schiltz.lu



MalaysiaMohamed Ridza Abdullah & Mohamad Nazran Basirun

Mohamed Ridza & Co.



According to the Fintech Malaysia Report 2021, there are 233 fintech companies in Malaysia. Payments and e-wallets make up the majority at 21.5% and 16.3% of the fintech players, respectively, followed by lending (15.9%) and insurtech companies (9.9%).1 With a population of 32.7 million and internet penetration at 83.8%, debit card and credit card ownership have now reached 143% and 30%, respectively, while online banking penetration is at 112.5% and mobile banking penetration at 61.8%.2

“Based on the statistics from Bank Negara Malaysia, the central bank of Malaysia [(“BNM”)], it is clear that online banking is still the dominant channel for Malaysians to perform transaction[s].”3 Both mobile banking and e-money show a considerably larger volume of transactions. “The data tells a narrative that mobile payments whether through digital wallets or mobile banking is the preferred channel to perform micropayments”4 rather than the traditional way. Both payments and wallets continue to have the largest representation within the fintech scene in Malaysia. The International Monetary Fund (“IMF”) is of the opinion that: “With its growing middle class, high mobile phone penetration rates, and strong government support for the digital economy, Malaysia is well situated to take advantage of fintech innovation. From mobile wallets and electronic payments, to crowdfunding and “insurtech” (the combination of insurance and technology), Malaysian businesses and consumers appear ready to embrace the technology.”5

The IMF further reports that: “Internet banking in Malaysia has quadrupled in the last decade, topping a 90% usage rate in 2018. Mobile banking is also booming, supported by near-universal 4G network coverage, affordable data, and 5G is in the works. It’s no coincidence the World Economic Forum’s 2019 Network Readiness Index ranked Malaysia high among the 139 countries surveyed, ahead of Italy, China, and Chile and first among countries in emerging and developing Asia.”6

According to FintechNews’ Fintech Malaysia Report 2019: “Data from Bank Negara Malaysia shows that mobile banking transaction value has grown seven times in the past five years whereas e-money’s transaction value has grown more than double in the same period. This indicates that Malaysian[s] are increasingly becoming more comfortable with using mobile financial services.”7 In 2020, e-money accounted for the largest transaction volume, contributing 29% of the total payment transaction volume, ahead of mobile and internet banking. Whereas, internet banking remains the biggest channel in terms of transaction value, in which corporate transactions made up 88% of the transaction value. 8

Mobile banking transactions surged more than double to RM 460 billion in 2020 from RM 200 billion in 2019. The surge in transactions was supported by a 3 million increase in mobile banking service subscribers in 2020 to 20.2 million, from 2019’s 17.2 million.9

Mohamed Ridza & Co. Malaysia


While there was a rise in mobile financial services before the COVID-19 pandemic, Malaysia’s “Movement Control Order”, in effect due to the pandemic, was the catalyst that spurred Malaysians to adopt a digital/mobile-first mindset for their banking needs.10

“It is likely that the digital wallet growth is caused by a combination of players being cognizant of the growing demand for mobile payments and others jumping into the bandwagon.” AliPay, Boost, Touch ‘N Go, VCash, iPay88 and MOLPay are examples of fintech companies’ applications currently available in Malaysia. “Nonetheless the space is becoming increasingly crowded, it’s difficult for a month to pass in Malaysia without an announcement of a new wallet player in town.”11

Based on FintechNews’ website, it was reported that there had been an announcement on the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019 (“CMS Order”), which states that “anyone caught operating a cryptocurrency exchange or raising ICOs [initial coin offerings (“ICOs”)] without proper authorisation could face up to 10 years of jail and a RM 10 million fine. While the prescription order made headlines across the news, a draft framework [had] not yet [been] made ready for the industry which caused quite a fair bit of confusion and speculation. The Securities Commission of Malaysia [(“SC”)] team moved quickly to issue a draft within the same month in order to provide some much-needed clarity to the market”.12 FintechNews also reported that: “In early 2019, there were over 50 crypto exchanges operating in Malaysia, in efforts to bring more order [to] the market, the Securities Commission [of] Malaysia issued a framework for crypto exchanges in Malaysia.”13 Further, BNM “released Anti-Money Laundering and Counter Financing of Terrorism guidelines in respect of: money services businesses which requires approved remittance business which offer online and/or mobile remittance services to implement electronic know-your-customer (“e-KYCˮ) system for their on-boarding process; and any person who offer services to exchange digital currencies either from or to fiat money, or from or to another digital currency shall be subjected to obligations as a “reporting institution” under the First Schedule of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001”.14

As mentioned above, in January 2019, the Ministry of Finance and the SC issued the CMS Order which came into force on 15 January 2019. Digital currencies and digital tokens are defined in the CMS Order as securities, and for the purpose of securities laws would be regulated by the SC.On 15 January 2020, the SC issued the Guidelines on Digital Assets to enable companies to raise funds via the issuance of digital tokens in Malaysia through Initial Exchange Offering (“IEO”) platforms registered by the SC, mandating digital token offerings in the country only via IEOs. Under these Guidelines on Digital Assets, IEO platform operators will be required to assess and conduct the necessary due diligence on the issuer, review the issuer’s proposal and the disclosures in the whitepaper, and assess the issuer’s ability to comply with the requirements of the Guidelines and the SC’s Guidelines on Prevention of Money Laundering and Terrorism Financing.15

The Guidelines on Digital Assets also include rules and regulations on Digital Asset Custodians (“DACs”) to facilitate interested parties who wish to provide custody services for digital assets. DACs play an important role within the digital asset ecosystem of the Malaysian capital market to safeguard digital assets of investors.16

In October 2020, the SC revised its Guidelines on Digital Assets, which regulate IEOs and DACs. The SC takes into consideration factors such as the applicant’s value proposition,



technology competencies, and compliance and risk management frameworks before issuing an approval in principle for successful applicants.17

Currently, the SC has licensed three firms to run what are called Digital Exchange Platforms (“DAX”); namely, Luno Malaysia Sdn Bhd, Sinegy Technologies (M) Sdn Bhd and Tokenize Technology (M) Sdn Bhd. These platforms act as online trade centres for cryptocurrencies such as Bitcoin and Ethereum.

Fintech offering in Malaysia

Malaysia has offered technologies in the financial services market and market intermediary functions for quite some time. Electronic money (“e-money”), payment processing services, and robo-advisors are amongst the fintech offering available in Malaysia.E-moneyThe rise of e-commerce and the increased popularity of mobile devices such as tablets and smartphones have revolutionised the retail payments landscape and enabled new ways of making payments, one of which is by way of using e-money. BNM has shown strong support for moving towards a cashless society by issuing the Guidelines on E-money. The Guidelines legally recognise e-money as a valid and enforceable legal tender in Malaysia. E-money can be issued in different forms, such as by card, including by prepaid card, and by a network which can be accessed via the internet, mobile phones or any other device. An e-wallet, as one of the e-money instruments, has become widely accepted as a payment option for parking, groceries, tolls and bills, along with movie tickets and food deliveries.Up to May 2021, there were 54 e-money issuers in Malaysia, of which only six were banks, while the other 48 were non-banks. Malaysia’s mobile payment landscape used to be dominated by banks, but non-banks have started to gain traction. This may be due to the attractive business models and myriad of other services offered by non-bank e-money issuers. For instance, as detailed by Eastspring Investments: “Grab Pay was launched following the success of Grab’s e-hailing service which secured a captive user base within its ecosystem. Using Grab Pay, users were introduced to various other services, such as fund transfer and paying for other Grab services which include bills, food delivery and rides. Most E-Money operators in Malaysia today are competing for user acquisitions by offering multiple incentives such as shopping cash backs or discounted services (transportation, bill payment, e-Commerce) using their respective electronic wallets.”18

“In addition, e-money has no “shelf life”, unlike bank-issued credit cards. Shoppers these days prefer hassle-free mobile payments via e-wallet for online and offline retail purchases which offer rewards with cashback for buying from a variety of great deals, discounted products, vouchers and services.”19 From the e-money issuers perspective, they can add value in the area of utilising customers’ data by offering personalised products and services “such as automatic bill payments, goods ordering, delivery services and various services customisation”. They can also “incorporate loyalty rewards and help customers track their spending patterns”, “offer a one-stop digital ecosystem platform which provides financial services, insurance, healthcare or travel services” and “create new jobs and enable the monetisation of payments services at reduced cost compared to the traditional banks”.20

“Nonetheless, the rise of non-bank e-money issuers does not spell gloom and doom for banks. Many banks have responded with their own e-money offerings. For instance, Malaysia’s largest bank by asset size, Maybank Berhad has launched its own e-money wallet MAE while also offering its mobile payment solution Maybank QR Pay for its customers. Another major bank, CIMB Bank is vying its spot in the e-money space via its subsidiary



Touch ‘n Go’s joint venture with Alibaba Group’s Ant Financial to tap the market, which currently dominates as the sole electronic payment system for expressways and highways in Malaysia.”21

Payment processing servicesPayment processing services in Malaysia are regulated under the Payment Systems Act 2003 (“Payment Systems Act”). The Payment Systems Act provides the legal framework to ensure the efficient functioning and stability of the payments system in Malaysia and that the confidence in the payments system is preserved. Payment systems in Malaysia can be broadly categorised into four groups; namely, the Real-Time Electronic Transfer of Funds and Securities (“RENTAS”), the National Image-based Check Settlement System (“SPICK”), the Automated Teller Machine (“ATM”) and other retail payment networks. Based on the Payment and Settlement Systems report published by BNM, it has been observed that the use of cheques in Malaysia has fallen by more than half of the volume from the previous years. Meanwhile the adoption of credit transfer services continues to gain traction with an increase of 35.5%. The monthly instant transfer transaction volume has significantly increased by 100.8%, which can largely be attributed to the waiver of transaction fees by banks. The usage of debit cards for transactions has also increased by 28.3% with at least one transaction per month. Financial transactions conducted via the mobile banking channel has more than doubled from the previous year. This was supported by a continued increase in subscribers to mobile banking services to 6.6 million back in 2018. Based on the above statistics, we can state that mobile payments are increasingly displacing cash payments in day-to-day purchase transactions.Robo-advisorsRobo-advisors are still relatively new in Malaysia. In 2017, the SC issued the Digital Investment Management (“DIM”) Framework (“Handbook”) to set out licensing and conduct requirements for the offering of automated portfolio management services to investors. The Handbook does not use the term “robo-advisory”. It uses the term DIM to define robo-advisor activities. Currently, there are three robo-advisors/DIM services in Malaysia that are licensed by the SC to provide their services. They are namely MYTHEO, StashAway and Wahed Invest. StashAway was the first robo-advisor in Malaysia to be awarded the Capital Markets Licence by the SC under the Digital Investment Licence in October 2018. It has been predicted that robo-advisory will best serve the needs of retail investors with the ease of the investing approach of robo-advisors and low barrier to entry for retail investors.


Regulatory technologyDisruptive technology will continue to challenge our regulatory landscape; regulators must be well-equipped to respond to the growing needs of emerging industries. The way we do business is continuously evolving at a rapid pace, where regulatory frameworks are constantly playing catch up to what is being shaped and re-shaped as the “new norm”. The Government must then consider the best way to ensure that innovation and disruptive technology are not stifled by archaic legislation. In the Malaysian market, the regulatory bodies are providing strong support and accelerating fintech growth. BNM seeks to provide a regulatory environment that is conducive for the deployment of fintech. This includes reviewing and adapting regulatory requirements or



procedures that may unintentionally inhibit innovation or render them non-viable. BNM has established the Financial Technology Enabler Group (“FTEG”) in June 2016, with the goal to facilitate technological innovation and testing within the financial services sector. FTEG’s sandbox provides an opportunity for both financial institutions and fintech companies to operate and experiment in a live environment while containing risks. The sandbox was established on 18 October 2016. Post-sandbox, the fintech companies “have either obtained the necessary regulatory approvals to commercialize, ceased operations or are exploring new technology partners to achieve more value from their solutions”. “To encourage more targeted and efficient testing for high-impact innovation, FTEG enhanced its sandbox framework in 2018 by introducing the ‘Specialized Sandbox’, adding specialized thematic tracks to the sandbox.”22 BNM has demonstrated its desire to grow and encourage the industry by approving several firms to operate within FTEG’s sandbox framework.The above is applicable to both financial institutions regulated by BNM as well as fintech companies intending to carry on an authorised or registered business as defined in the Financial Services Act 2013 (“FSA”) and Islamic Financial Services Act 2013 (“IFSA”) or a money services business as defined in the Money Services Business Act 2011.An all-inclusive regulatory sandbox model will not only bring benefits to innovators, investors, consumers and regulators, but will also have a distributive effect to the country as a whole from an economic perspective. The notion of providing a “safe space” for innovations while placating regulatory constraints is necessary at a time where economies are slowly emerging from the impact of the COVID-19 pandemic. It is hoped that the growing acceptance of regulators in adopting a regulatory sandbox approach is evidence of recognition of the importance of digitalisation and technology not for the future, but for the present day.23

Insurance technologyApart from the above, as detailed by the Malaysian InsurTech Landscape, 2019 study, “the Malaysian insurance industry has been showing good growth since its inception”. BNM has “timely introduced new regulations wrapped in strong governance principles, which has ensured smooth sailing for the industry so far. BNM has taken initiatives to support insurtech, as it looks to achieve the target insurance penetration rate of 75%”.24

Formerly, insurers appeared to be unconvinced and uncertain about insurtech. They were in doubt on the customer readiness to accept fintech; specifically, insurtech. As insurtech in Malaysia is still emerging, there is much value it can add to Malaysian society. The insurers have begun to realise that, somehow, insurtech matters for Malaysians. The regulations are aimed towards cutting down on agency use. Insurance companies have over the past couple of years branched out into online platforms and mobile applications, making insurtech more accessible to customers.The Malaysian insurance industry is regulated by BNM, under the Ministry of Finance. Further, as outlined by BNM, the “FSA and IFSA amalgamate several separate laws to govern the financial sector under a single legislative framework for the conventional and Islamic financial sectors respectively, namely, the Banking and Financial Institutions Act 1989 (“BAFIAˮ), Islamic Banking Act 1983, Insurance Act 1996 (IA), Takaful Act 1984, Payment Systems Act 2003 and Exchange Control Act 1953 which are repealed on the same date”. “The new laws will place Malaysia’s financial sector, encompassing the banking system, the insurance/takaful sector, the financial markets and payment systems and other financial



intermediaries, on a platform for advancing forward as a sound, responsible and progressive financial system. This is especially important to enable the financial system to meet the new demands for financing associated with Malaysia’s economic transformation programme both during and beyond the next decade, the changing demographics of our population, and the increasing integration of the Malaysian economy with the region and the world.”25

Below are examples of insurtech in Malaysia:• RHB Insurance Berhad’s “RHB Insurance Mobile App”, which “enables its customers

to purchase motor insurance policy and road tax with just a single end-to-end mobile enabled application”. This App “allows users to complete the purchase of their motor insurance policy in three […] minutes, among the fastest in the financial industry”. Customers are “able to obtain a quotation for their motor insurance policy, opt to renew road tax, comprehensive insurance coverage for their vehicles and as well as access round-the-clock auto assistance at the touch of their smartphone screens”.26

• Allianz Malaysia Berhad (“Allianz”)’s partnership with PolicyStreet intends to “provide Malaysians with better online access to insurance products. PolicyStreet is an insurance technology company which offers an online curated platform with an aim to provide simple and affordable insurance solutions that cater for all customer needs. Through the new partnership, PolicyStreet is offering four of Allianz digital products”.27

• AXA Affin’s insurtech product, AXA eMedic, which “focuses on offering low barrier to entry e-medical cards targeted at young professionals and families”.28 AXA Affin has partnered with various companies ranging from insurtech start-ups, telecommunication companies and digital health companies. AXA Affin claims that the entire process of signing up for the product takes less than five minutes and requires no medical check-up. Following the success of AXA eMedic in April 2018, AXA Affin unveiled their AXA eMedic Family Plan in October 2019. “Similar to their earlier digital product, the AXA eMedic family plan can be purchased digitally within 10 minutes and is priced affordably with prices as low as RM 150 per month for a family of four with coverage up to RM 100,000.”29

Regulatory bodies

There is no specific regulatory body that is solely responsible for regulating fintech businesses in Malaysia. However, there are existing key regulatory bodies in Malaysia such as the SC, BNM and Labuan Financial Services Authority (“Labuan FSA”). Their roles and supervisory functions are broad in the financial services sector.The SC is a statutory body which is established under the Securities Commission Act 1993. The SC is a self-funding statutory body with investigative and enforcement powers. The SC also reports to the Minister of Finance. The mission of the SC is “to promote and maintain fair, efficient, secure and transparent securities and derivatives markets; and facilitate the orderly development of an innovative and competitive capital market”.30 The primary functions of the SC are to: (a) “advise the Finance Minister on all matters relating to the capital market”; (b) “regulate all matters relating to the capital market”; (c) “ensure that the provisions of the securities laws are complied with”; (d) “regulate the take-overs and mergers of companies”; (e) “promote and regulate all matters relating to fund management, including unit trust and private retirement schemes”; (f) “consider and make recommendations for the reform of the securities laws”; (g) “encourage and promote the development of the capital market in Malaysia including research and training”; (h) “encourage and promote self-regulation by professional associations or market institutions in the capital market”; (i) “license, register, authorise, approve and supervise all persons engaging in regulated activities or providing



capital market services as may be provided for under any securities law”; (j) “promote and maintain the integrity of all licensed persons, registered persons, approved persons and participants in the capital market”; (k) “register or recognise all auditors of public interest entities or schedule funds, and to exercise oversight over any person who prepares a report in relation to financial information of public interest entities or schedule funds, in relation to capital market activities”; (l) “promote confidence in the quality and reliability of audited financial statements in Malaysia, and to promote and develop an effective and robust audit oversight framework in Malaysia”; (m) “take all reasonable measures to monitor, mitigate and manage systemic risks arising from the capital market”; and (n) “promote and regulate corporate governance and approved accounting standards of listed corporations; and to set and approve standards for professional qualification for the capital market”.31

BNM is a statutory body which is governed by the Central Bank of Malaysia Act 2009. The principal objectives of BNM are to promote monetary stability and financial stability conducive to the sustainable growth of the Malaysian economy. The primary functions of BNM are: “(a) to formulate and conduct monetary policy in Malaysia; (b) to issue currency in Malaysia; (c) to regulate and supervise financial institutions which are subject to the laws enforced by the Bank; (d) to provide oversight over money and foreign exchange markets; (e) to exercise oversight over payment systems; (f) to promote a sound, progressive and inclusive financial system; (g) to hold and manage the foreign reserves of Malaysia; (h) to promote an exchange rate regime consistent with the fundamentals of the economy; and (i) to act as financial adviser, banker and financial agent of the Government”.32

Labuan FSA is a statutory body established under the Labuan Financial Services Authority Act 1996. Labuan FSA is responsible for the development and administration of the Labuan International Business and Financial Centre (“Labuan IBFC”). Labuan IBFC is an international offshore financial centre which provides for the development of activities in the areas of banking and insurance, trust and fund management, investment holding and other activities carried on by multinational companies in Labuan. Labuan was declared a Federal Territory of Malaysia on 16 April 1984 and is under the administration of the Federal Government in Kuala Lumpur. The objectives of Labuan FSA are: (a) “to promote and develop Labuan as an international centre for business and financial services”; (b) “to develop national objectives, policies and priorities for the orderly development and administration of international business and financial services in Labuan”; and (c) “to act as the central regulatory, supervisory and enforcement authority of the international business and financial services industry in Labuan”.33 “Labuan FSA’s key role is to license and regulate licensed entities operating within Labuan IBFC and to ensure all such entities remain in compliance with the internal and international best standards adopted by the jurisdiction.”34


The SC issued the Guidelines on Digital Assets on 15 January 2020, which set out the requirements for an issuer seeking to raise funds through digital token offerings and the registration of a platform operator to operate an ICO platform.The SC also issued the Guidelines on Recognised Markets on 11 December 2015 (“Guidelines on Recognised Markets”). The Guidelines on Recognised Markets have been revised several times on 31 January 2019, 16 April 2020 and 5 May 2020 to introduce new chapters on the additional requirements to be complied with by a person who wishes to operate a DAX, on the additional requirements to be complied with by a person who wishes to operate a Property Crowdfunding (“PCF”) Platform, and new paragraphs inserted



to clarify that any person who wishes to operate invoice financing on a platform must apply for registration as a peer-to-peer (“P2P”) financing operator under the Guidelines on Recognised Markets.On 9 May 2017, the SC introduced a Handbook for digital investment managers. This Handbook sets out licensing and conduct requirements for the offering of automated discretionary portfolio management services to investors. DIM is a fund management business which incorporates innovative technologies into discretionary portfolio management services.BNM issued the Anti-Money Laundering and Counter Financing of Terrorism (“AML”/“CFT”) – Digital Currencies (Sector 6) policy document on 27 February 2018, which is applicable to reporting institutions carrying out activities or providing any or any combination of the following services: (i) exchanging digital currency for money; (ii) exchanging money for digital currency; and/or (iii) exchanging one digital currency for another digital currency, whether in the course of carrying on a digital currency exchange business or otherwise.BNM and the SC have been receptive to fintech innovation and technology-driven new entrants. In June 2016, BNM established FTEG, which “is responsible for formulating and enhancing regulatory policies to facilitate the adoption of technological innovations in the Malaysian financial services industry”.35 On 18 October 2016, BNM issued details of the Financial Technology Regulatory Sandbox Framework (“BNM Framework”). The BNM Framework will enable the experimentation of fintech solutions in a live environment, subject to appropriate safeguards and regulatory requirements. BNM has approved the first batch of participants to its BNM Framework which include GoBear Ltd, GetCover Sdn Bhd, MoneyMatch Sdn Bhd and World Remit. MoneyMatch Sdn Bhd is the first to graduate within the BNM Framework, and this followed the approval in principle for a class-b remittance licence in April 2019. Concurrent with the graduation, MoneyMatch also received full approval from BNM to conduct their digital remittance services for businesses and individuals.With respect to e-money, BNM has issued Guidelines on E-money and permitted non-banking institutions to issue e-money.On 26 June 2018, Labuan FSA issued a circular (“Circular”) on their support to welcome the use of innovative financial services which include digital currency activities, robo-advisory services, blockchains and distributed ledgers, insurtech and any other innovative financial service (“Innovative Financial Services”) by Labuan entities as part of their business activities. The Circular further requires Labuan entities that wish to undertake Innovative Financial Services-related activities that fall within the ambit of the Labuan Financial Services and Securities Act 2010 or the Labuan Islamic Financial Services and Securities Act 2010 to obtain Labuan FSA’s prior approval.

Restrictions

Except for those specifically approved by the SC, DAXs are prohibited from operating in Malaysia. The SC has issued the new Guidelines on Digital Assets, which provide that an issuer must only carry out an offering of digital tokens through an IEO platform and not through any other means. Further, an issuer must submit its application to an IEO operator for an approval in a form and manner as may be specified by the IEO operator, including a “fit and proper” declaration of its board members and senior management and the issuer’s whitepaper, which must contain the relevant information required under the Guidelines issued by the SC.Apart from what has been explained above, please see a summary of the fintech services and their respective regulations which businesses must adopt to ensure compliance below:



E-money“A payment instrument that stores funds electronically in exchange of funds paid to the issuer and is able to be used as a means of making payment to any person other than the issuer; it can be issued in different forms such as a digital wallet (e-wallet), which is a type of prepaid account in which a user can store their money for any future online transaction.”36

“E-money issuers must obtain approval from the BNM pursuant to Section 11 of the Financial Services Act 2013 (the “FSA 2013ˮ). According to Division 1, Part 1, Schedule 1 of the FSA 2013, businesses that require approval include those that issue designated payment instruments.”37

Merchant acquiring service“A business of an operator of a payment system that enters into a contract with a merchant for the purpose of accepting payment instruments for payment of goods and services.”38 “Merchant acquiring services [are] registered businesses under Schedule 1, Part 2 of the FSA 2013. As such, a person must register with the BNM and comply with the requirements in Section 17 to carry on a merchant acquiring service.”39

Equity crowdfunding (“ECF”)“ECF – enables individuals to invest in a start-up in exchange for shares in that particular company.”40 “Under the Guidelines on Recognised Markets issued on 17 May 2019 pursuant to the Capital Markets and Services Act 2007 (the “CMSA 2007ˮ) (the “RM Guidelinesˮ), an ECF operator must register as a recognised market operator (“RMOˮ) with the SC.”41

PCFPCF is a “form of fundraising that envisages a homebuyer obtaining funds to pay for the property’s purchase price through investments from multiple investors, through an online platform facilitating such transactions”.42 “Under the RM Guidelines, a PCF operator must register as an RMO with the SC.”43

Digital currencies or tokens offered through IEO or ICO“An issuer, typically an early-stage venture, that seeks to raise funds through offering of digital currencies or tokens.”44 “The Capital Markets and Services (“Prescription of Securitiesˮ) (“Digital Currency and Digital Tokenˮ) Order 2019 (“Order 2019ˮ) which recognises digital currencies and digital tokens as securities came into force on 15 January 2019. With that, any person who intends to make available, offer for purchase, or issue an invitation to purchase digital currencies or tokens needs to seek authorisation of the SC to do so. Further, an issuer must obtain approval from an IEO operator to offer digital tokens as per the Guidelines on Digital Assets issued on 15 January 2020 pursuant to the CMSA 2007.”45

P2P lendingP2P lending enables individuals via a P2P platform to “lend money without the use of a bank or a financial institution as an intermediary”.46 Under the Guidelines on Recognised Markets, “a P2P operator must register as an RMO with the SC”.47

DAXDAX is “an electronic platform which facilitates the trading of digital currencies and digital tokens”.48 Under the Guidelines on Recognised Markets, “a DAX operator must register as an RMO with the SC. Additionally, the trading of any digital asset is subject to the approval of the SC.”49

DIMDIM refers to “[A] company carrying on the business of fund management incorporating technologies into its automated discretionary portfolio management services.”50 “DIM is



a regulated activity pursuant to Part 1, Schedule 2 of the CMSA 2007, and as such must obtain a capital markets services licence from the SC pursuant to Section 58 of the CMSA 2007.”51

Digital bankingDigital banking is: “A banking business or Islamic banking business carried on primarily or wholly through digital or electronic means.”52 “Digital banks and Islamic digital banks must apply for a licence with the BNM pursuant to Section 10 of the FSA 2013 or Section 10 of Islamic Financial Services Act 2013 (the “IFSA 2013ˮ) (whichever applicable). This is subject to the Exposure Draft for Licensing Framework for Digital Banks issued by the BNM on 27 December 2019 being finalised as a policy document and coming into effect.”53

Insurance and takaful aggregation businessInsurance and takaful aggregation business refers to: “[a] business of providing services through any electronic means that: (a) sources, aggregates and compares insurance or takaful products of more than one licensed person; and (b) makes referrals to any such licensed person in respect of the procurement of such insurance or takaful products; or (c) arranges the procurement of such insurance or takaful products through such electronic means.”54 “Based on the Exposure Draft for Insurance and Takaful Aggregation Business Registration Procedure and Requirements issued by the BNM on 18 June 2019 (the ITAB Exposure Draft), any persons intending to become a registered insurance and takaful aggregator will be required to be registered under the FSA 2013 to carry on insurance and takaful aggregation business. An amendment to the FSA 2013 is expected to be effected to set out the scope of insurance and takaful aggregation business.”55

There is no one specific example of major disruption through fintech in Malaysia. However, disruption is visible mostly in payments and digital wallets, followed by lending, wealth management, marketplaces, crowdfunding, and KYC. Digital wallets from established players such as Alipay, WeChat Pay and others will continue to disrupt the payments market and impact the revenue of banks. It must be highlighted that fintech start-ups that engage in activities under the purview of the central bank must comply with existing laws. Regulated businesses include banking, insurance or takaful, money changing, remittance, operating a payment system or issuing payment instruments.Furthermore, those that continue to rely on physical documents and wet signatures will likely be the first to fall. KYC is a tedious task for customers. For the KYC to be carried out, customers must be physically present to meet face to face with bank representatives for many types of banking products. BNM has recently published the e-KYC guidelines for remittance companies and is currently mooting an industry-wide adoption. Should the e-KYC be approved, a wave of change will be seen on how customers apply and sign up for products digitally in the future. This would be a great innovation for the financial sector in Malaysia.


As stated on its website, the SC, as one of the regulators in Malaysia, works “with a global network of securities regulators to facilitate cross-border cooperation on regulatory and enforcement matters”.56 Below are examples of such cooperation taken from the SC’s website:IOSCO Multilateral Memorandum of Understanding (“IOSCO MMoU”)“The SC has been a signatory to the IOSCO Multilateral Memorandum of Understanding (IOSCO MMoU) since 2007. Strong coordination with international regulators through this global information sharing network has strengthened the SC’s enforcement capabilities



in dealing with cross-border market misconduct. The list of IOSCO MMoU signatories is available here [https://www.iosco.org/about/?subSection=mmou&subSection1=signatories].”57

IOSCO Administrative Arrangement Privacy Notice“This privacy notice explains how the SC handles personal data received through international transfers from the European Economic Area (“EEAˮ) securities regulators. The SC is a signatory to the IOSCO Administrative Arrangement that sets out the safeguards for the transfer of personal data between EEA and non-EEA securities regulators.”58

European Union’s Alternative Investment Fund Managers Directive (“AIFMD”) on Supervision of cross-border offering of alternative investment funds“The SC has signed a series of Memoranda of Understanding with securities regulators from the European Union to cooperate on the supervision of cross border offering of alternative investment funds.”59

Memoranda of Understanding“The SC has entered into Memoranda of Understanding with our regulatory counterparts on mutual assistance, cross-border co-operation and the exchange of information for the purpose of enforcing/supervising and securing compliance with respective laws and regulations.”60 The list of countries as at November 2018 can be viewed at https://www.sc.com.my/development/international/furthering-regulatory-cooperation.Innovation Cooperation Agreements“The SC has signed Innovation Cooperation Agreements with our regulatory counterparts. These FinTech bridges provide a framework for information sharing on emerging trends and regulatory issues in digital finance, and facilitate referrals of innovative businesses as well as explore potential joint innovation projects relating to the application of new technologies”.61 The list of countries as at November 2018 can be viewed at https://www.sc.com.my/development/international/furthering-regulatory-cooperation.Apart from the above, as reported in OpenGov Asia, “a Malaysian universal bank has signed a Memorandum of Understanding [(“MOU”)] with the National Bank of Cambodia to promote collaboration in the area of cross border payment and remittance between Cambodia and Malaysia”. Based on the MOU between the Malaysian and Cambodia, “branches of the banks and the National Bank of Cambodia will work together to explore the possibility of enabling real-time transfers, payments, and cross border remittance of funds between Cambodia and Malaysia through the National Bank of Cambodia’s Bakong payment system and Maybank’s Maybank2u digital platform. The Bakong system is a payment system using blockchain-based technology, established by the National Bank of Cambodia for real-time transfer, payment, and settlement across different banking and financial institutions in Cambodia”.62

Additionally, as reported in IBS Intelligence, a “Singapore-based digital payment and digital banking solution provider – FOMO Pay, has partnered with OCBC Bank (Malaysia) to develop OCBC OneCollect as its first merchant cross-border QRcode collection service project. This project follows the opening of FOMO Pay’s new office in Malaysia, Kuala Lumpur. This move opens up opportunities to provide customer support in a larger territory, and signals continued rapid growth for the company in the region. The fintech company collaborated with the bank in February to develop the application for Malaysia’s cross-border QR Code collection service, OCBC OneCollect. The service allows account holders of Singapore’s PayNow participating banks to make Singapore Dollar payments to eligible



merchants in Malaysia through OCBC OneCollect. Priorly, QR code payments in Malaysia are said to have been done for only for local Ringgit currency transactions.”63

It was also reported in e27 that “Malaysia’s cross-border payments industry is going through a renaissance”.64 Customers are now switching to fintech players for sending money to their relatives abroad rather than relying on banks. This is very good news for online cross-border payments companies such as MoneyMatch, MyCash Online, InstaRem (now Nium), Valyou, Tranglo, and BigPay.

* * *

Endnotes1. https://e27.co/wp-content/uploads/2019/11/The-malaysia-fintech-report-2019-latest.

pdf.2. Ibid.3. https://fintechnews.my/17922/uncategorized/fintech-malaysia-report-2018/.4. Ibid.5. https://www.imf.org/en/News/Articles/2020/02/27/na022820-malaysia-a-flourishing-

fintech-ecosystem.6. Ibid.7. https://fintechnews.my/22107/editors-pick/fintech-malaysia-report-2019/.8. Supra note 1.9. Supra note 1.10. https://www.theedgemarkets.com/article/finance-no-looking-back-pace-digital-

banking-accelerates.11. Supra note 3.12. https://fintechnews.my/22514/malaysia/top-fintech-stories-malaysia-2019/.13. Supra note 7.14. http://zico.group/wp-content/uploads/2019/09/Malaysia%E2%80%99s-potential-as-

the-fintech-hub-for-the-ASEAN-region.pdf.15. https://iclg.com/practice-areas/fintech-laws-and-regulations/malaysia.16. https://www.sc.com.my/resources/media/media-release/guidelines-on-digital-assets-

come-into-force-today.17. https://www.sc.com.my/regulation/guidelines/digital-assets.18. https://www.eastspring.com/insights/the-e-money-revolution.19. Ibid.20. Ibid.21. Ibid.22. https://www.imf.org/~/media/Files/Publications/CR/2020/English/1MYSEA2020002.

ashx.23. https://www.zicolaw.com/wp-content/uploads/2020/12/Cultivating-Innovation-

Through-Regulatory-Sandboxes.pdf.24. https://store.frost.com/the-malaysian-insurtech-landscape-2019.html.25. https://www.bnm.gov.my/index.php?ch=en_press&pg=en_press&ac=607&lang=en.26. https://fintechnews.my/17622/insurtech-malaysia/rhb-insurance-mobile-app/.27. https://fintechnews.my/16951/insurtech-malaysia/allianz-malaysia-partners-with-

policystreet-for-digital-distribution/.28. https://fintechnews.my/16930/insurtech-malaysia/axa-affin-insurtech-emedic/.29. https://fintechnews.my/21641/insurtech-malaysia/axa-emedic-family-plan/.



30. https://www.sc.com.my/about/about-the-sc.31. Ibid.32. https://www.bnm.gov.my/index.php?ch=en_legislation&pg=en_legislation_act&ac=486.33. https://www.labuanibfc.com/about-labuan-ibfc/the-regulator.34. Ibid.35. https://www.bnm.gov.my/index.php?ch=idx_b&pg=idx_hghts&ac=46.36. https://thelawreviews.co.uk/edition/the-financial-technology-law-review-edition-3/1226674/

malaysia.37. Ibid.38. Ibid.39. Ibid.40. Ibid.41. Ibid.42. Ibid.43. Ibid.44. Ibid.45. Ibid.46. Ibid.47. Ibid.48. Ibid.49. Ibid.50. Ibid.51. Ibid.52. Ibid.53. Ibid.54. Ibid.55. Ibid.56. https://www.sc.com.my/development/international/furthering-regulatory-cooperation.57. Ibid.58. Ibid.59. Ibid.60. Ibid.61. Ibid.62. https://www.opengovasia.com/malaysian-bank-working-to-promote-cross-border-

payment.63. https://ibsintelligence.com/ibs-journal/ibs-news/fomo-pay-makes-first-2020-overseas-

foray-into-malaysia/.64. https://e27.co/malaysias-cross-border-remittance-is-going-through-a-renaissance-say-

fintech-experts-20191107/.

Mohamed Ridza AbdullahTel: +60 3 2092 4822 / Email: [email protected] Ridza graduated from the International Islamic University Malaysia with a Bachelor of Laws (First Class Honours) degree in 1992. He is also a graduate of the Institute of Chartered Secretaries and Administrators, an Associate Member of the Chartered Institute of Arbitrators (London), a Fellow of the Institute of Chartered Secretaries and Administrators, and an Associate Member of the Chartered Institute of Arbitrators. Ridza also sits as an independent director on the board of several public companies and also their respective audit committees. Additionally, Ridza is the author of several publications such as The Law and Practice of Islamic Banking & Finance (now in its 3rd edition) and The Life and Law of Fintech (published by Sweet & Maxwell). Ridza was named one of the world’s leading Islamic finance lawyers as voted by his peers in the industry, in Asialaw Leading Lawyers in the area of Banking, Capital Markets, Corporate Finance and Islamic Finance, and nominated as one of the outstanding practitioners in World’s Leading Islamic Finance Practitioners, published by Legal Media Group. He was also named by Asia Business Law Journal as one of the top 100 lawyers in Malaysia.

Mohamad Nazran BasirunTel: +60 3 2092 4822 / Email: [email protected] Nazran advises foreign and local companies in respect of various corporate and commercial matters of listed and non-listed entities, including mergers and acquisitions, listings of public companies, joint ventures and project-related matters, with a specialisation in oil and gas contracts. He also advises foreign and local companies in matters relating to offshore business activities, especially through Labuan, which include advising clients on the setting up of public or private funds, advising on offshore leasing, offshore trusts, etc. Prior to joining the firm, Nazran was a senior associate in the corporate and commercial division at Messrs Zaid Ibrahim & Co (“ZICO”). He was seconded to ZI Labuan Trust Company Ltd, a sister company of ZICO, from 2003 to 2004. Before joining ZICO, he was a legal officer at SAMP Sdn Bhd., where he assisted in the drafting of various legal documentation, advised the management and the board of the company on legal and company secretarial matters, liaised with external lawyers, etc. He is now a partner at Mohamed Ridza & Co.

Mohamed Ridza & Co.50-10-9, Level 10, Wisma UOA Damansara, No. 50, Jalan Dungun, Damansara Heights,

50490, Kuala Lumpur, MalaysiaTel: +60 3 2092 4822 / URL: www.ridzalaw.com.my



NetherlandsLous Vervuurt

BUREN



Amsterdam, the Dutch capital, has a long history of being a leader in finance. The first stock exchange was established in Amsterdam in the beginning of the 17th century; also, the first “options market” was opened in Amsterdam in 1978 (European Options Exchange) and more recently, Dutch banks have been the absolute front runners in introducing online and mobile banking, resulting therein that, nowadays, the concept of “banking with paper” has almost been eradictated in the Netherlands. As of today, the Dutch financial sector provides over 200,000 jobs, of which an increasing number of jobs are within the Fintech sector. The large majority of these positions are established within the business area of Amsterdam.Over the last couple of years, Amsterdam’s financial industry has been boosted by Fintech. Due to Amsterdam’s popularity, certain factors are of importance, for example: having a (historically) strong financial sector; a good tech and innovative “ecosystem”; an encouraging environment for start-up companies; good entrepreneurial spirit; and no fear for the adoption of technical novelties.In 2016, Amsterdam was crowned the European Capital of Innovation in the annual iCapital competition, organised by the European Commission. A panel of independent experts judged the nine finalist cities based on four key areas of urban living impacted by innovation: governance; economics; social inclusion; and quality of life. Facing a tough competition, Amsterdam came out on top and was praised for its healthy start-up climate and sharing economy resulting from a bottom-up approach based on smart growth, start-ups, liveability and digital social innovation. Amsterdam is home to hundreds of companies that make living up to that name their order of business. Top Fintech events take place in Amsterdam every year, including Money20/20 Europe (held in 2016 and to be held in September 2021), which covers 12 industry-spanning themes and brings together influential speakers. This confirms the prominence of Amsterdam as a major Fintech city. Payment services provider Adyen (set up by a group of Dutch entrepreneurs) was Amsterdam’s first unicorn from the Fintech sector. Nowadays, its value on the stock exchange exceeds the aggregate of stock exchange values of both ABNAMRO and ING, and it is even likely that Adyen is worth more than all four major Dutch banks together (Rabobank and Volksbank do not have a stock exchange listing). Furthermore, a number of Dutch start-ups, such as Ohpen, Buckaroo and EclecticIQ, are following and make important developments in the fields of payments, banking software and cyber security.The Dutch Fintech ecosystem is bolstered by a modern, productive, flexible and internationally oriented workforce. Education levels in the Netherlands are high – more than

BUREN Netherlands


half of Amsterdam’s residents between 25 and 64 have a degree, and most of Amsterdam’s residents speak English well and are often fluent in one or two additional languages. The Netherlands and Amsterdam regularly score highly in the EF English Proficiency for Companies surveys, which evaluate English skills among the global workforce, and came first for language skills in the IMD World Talent ranking 2018.The largest data transport hub in the world, the Amsterdam Internet Exchange (AMS-IX), is located in the city, which has flawless digital credentials and which is one of the largest hubs for internet traffic in the world. As for physical connectivity, the Amsterdam Area offers full access to the European market: Amsterdam Airport Schiphol is centrally located and flies to more than 300 destinations; and high-speed rail services make it easy to work while travelling from Amsterdam to London, Paris, Brussels and Berlin.

Fintech offering in the Netherlands

As set forth above, the Netherlands has an active Fintech ecosystem. There are quite a number of companies that are striving to create revolutionary technology that will change the way people conduct their banking and investing. In the Netherlands, there has been a significant advancement in the Fintech sector. This small country boasts a number of established and successful Fintech start-ups that are drawing the attention of investors and partners all across the world. To name just a few examples: Adyen – offering a platform that integrates gateway, risk management, processing, acquiring, and settlement of payments; bunq, being “the Bank of the Free”, is totally internet-based and an independent bank that claims to make life easy; Mollie payments – a payments platform that offers an easy-to-implement process for integrating payments into a site or app (Mollie as Adyen, frequently used by webshops to settle their payments); Ohpen – a cloud-based core-banking engine; and payconiq – offering easy and fast payments via a smartphone.Furthermore, there is an active M&A industry in respect of Fintech companies in the Netherlands, which, in 2020 led to the acquisition of 13 Netherlands-based start-ups, among which are Sustainalytics (provider of social, environmental and governance ratings/research), Blockchain Consulting (Amsterdam) offering blockchain software development, crypto market analysis and strategic consulting services and TerraPay, a company that makes sending and receiving money from and to emerging countries cheaper and easier.


InsurTechTraditionally, the Netherlands is a country with a high insurance level. The Dutch like to be insured against various risks, not only limited to traditional risks (e.g. fire and health insurances) but also to specific risks (e.g. against bad weather on holiday or the loss of income from a couple of days’ hospitalisation). The technological developments in insurance (InsurTech) are often seen as disruptive innovation in the insurance sector, as it is driven by technological developments. New technologies and fast scalability are allowing disruptive companies to have a major impact in the insurance market at a relatively low cost and InsurTech effectively means that start-ups as well as large tech companies pose a real threat to traditional Dutch financial institutions. However, InsurTech can also offer the same challenging opportunities to existing insurers, e.g., through the development of new business models, micro product insurance or blockchain and telematics.

BUREN Netherlands


Current technology trends in InsurTech in the Netherlands comprise of, inter alia:(i) Microservices, breaking down large insurance schemes to simple core functions.

Insurers in the Netherlands concur that getting into microservices architecture early can bring a bigger competitive advantage to them. Microservices in travel and vehicle insurance promises to be a great prospect in the Netherlands.

(ii) Blockchain, corresponding to smart contracts in a distributed environment. The Dutch insurance industry is already using distributed ledgers for insuring flight delays, lost baggage claims, and is expanding to shipping, health insurance, and consumer durables domains. Blockchain technology is said that it might transform the wholesale insurance having a favourable impact on business problems.

(iii) Edge computing, improving response time, bringing computation and data storage closer to the consumer’s location. It improves response time and at times can take real-time actions.

RegTechRegulatory technology (RegTech) has multiple, varying definitions that all deal with technology being used to meet regulatory challenges. RegTech may be characterised as technology that helps solve regulatory challenges by providing governance, risk management, compliance and regulatory reporting solutions. RegTech solutions can be of help for parties providing financial services in a number of ways. Financial institutions can improve their understanding of how regulation impacts their business, support implementation and compliance, meet business demand through supplying digital-first products and services, decrease compliance and risk costs, increase organisational agility, and create better insight and oversight of compliance and risk management for customers and employees. 2018 was an important year for RegTech as certain major European Union regulations came into effect, the most important being the Revised Payments Services Directive (PSD2), the General Data Protection Regulation (GDPR), and the second Markets in Financial Instruments Directive (MiFID II), with PSD2 having an extended implementation schedule in the Netherlands and other EU countries.As is the case in many industries, technology drives advances in how institutions do business, both in terms of internal and external practice. RegTech shows that artificial intelligence and machine learning are important technology solutions that change the way institutions tackle compliance and risk and analyse data, even though they are currently being developed to find the best and most efficient uses in a RegTech environment. Although artificial intelligence has been around for an extended period of time, it has primarily been used for non-governance risk and compliance applications. However, its current use is being expanded to cover those processes, making them more sophisticated. Specifically, it is used in the analysis of regulations, pattern recognition, communications monitoring, and capturing information.While improved use of analytic tools will make use of available big data, there is much potential for the use of machine learning to enhance the use of artificial intelligence in RegTech. Though these systems are being developed, large-scale deployment and integration is still to come in the Netherlands. In the Netherlands though, the number of start-ups in RegTech is growing steadily.

Regulatory bodies

As set forth below, the Dutch Act on the financial supervision (Wet op het financieel toezicht, the AFS) has been designed for functional supervision, to be distinguished in prudential

BUREN Netherlands


supervision and market conduct supervision. Two regulatory authorities are engaged in supervision: the Dutch Central Bank (De Nederlandsche Bank N.V., the DCB); and the Netherlands Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM). The DCB conducts, in cooperation with the European Central Bank (ECB) prudential supervision and the AFM is engaged in conduct supervision. The mutual cooperation of both regulators is laid down in the AFS, in bilateral agreements among DCB and AFM and in the Dutch General Administrative Law Act (Algemene Wet bestuursrecht). DCBThe DCB is responsible for prudential supervision of financial undertakings, integrity supervision and supervision on compliance with the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft). The DCB grants (in cooperation with the AFM) licences to payment institutions (which Fintech companies mostly are), insurance companies, and pension funds. Furthermore, the DCB carries out supervision on the banking system in the Netherlands in general, on the Dutch payment system, the balance of payments, and carries out monetary tasks. The DCB’s attitude when exercising supervision is more pragmatic than formalistic, and the DCB is, in comparison with other supervisory authorities in Europe, approachable to market parties.ECBThe ECB is, since the introduction of the EU Banking Union in 2014, the relevant authority exercising prudential supervision on banks with their seat within the Eurozone (the countries that have adopted the euro as their legal tender) whereas that task, in respect of supervision and licensing of Dutch banks, was formerly designated for the DCB. The ECB directly supervises seven “significant entities” in the Netherlands, working together with the DCB, and the DCB exercises supervision on the less significant financial institutions in the Netherlands. The ECB is the licensing authority for all banks (irrespective of whether they are a significant entity or not) and on granting declarations of no objection in respect of, inter alia, major holdings in banks (certain Fintech companies may qualify as “banks”). Furthermore, the ECB is an influential supervisor as it is engaged in adopting regulations and issuing guidelines and binding regulations. The ECB’s supervision is less pragmatic than the DCB’s supervision; the ECB operates at a greater distance from market parties and, consequently, is not as approachable as the DCB.AFMThe AFM is the competent authority for conduct supervision in the Netherlands, on all financial institutions active in the Netherlands. Conduct supervision is designed to safeguard orderly and transparent procedures in the Dutch financial markets, sound trading procedures and further focuses on trustworthiness and expertise of the persons in relevant functions as financial institutions (including Fintech companies that may qualify either as banks or as payment institutions). Although the AFM is approachable for market parties, it is fairly formalistic and does not hesitate to publish violations of the AFS by market parties (which it is obliged to do pursuant to the AFS) and to impose penalties. The AFM is also engaged in supervision on compliance with the Financial Reporting (Supervision) Act (Wet toezicht financiële verslaggeving).


Dutch regulatory framework – generalThe Dutch regulatory framework for financial services comprises of the AFS, the decrees promulgated thereunder and EU regulations that directly apply to Dutch law. The AFS is,

BUREN Netherlands


for the majority of its provisions, based on EU directives, including but not limited to the MiFID II and the PSD 2, both of which are important for the Fintech business, next to the European Regulation “MiFIR” (Regulation 600/2014 of the European Parliament and of the Council).The AFS has been drafted as a “principle-based” law rather than a “rule-based” law which means that it provides a framework and market parties have the relative freedom to determine how to interpret compliance. A (limited) level of self-regulation is permitted. The AFS has been designed for functional supervision rather than sectoral supervision. Its chapters are: 1. general provisions, scope, sanctions and provisions re. cooperation of the supervisory authorities; 2. market access for financial enterprises (inter alios: banks; payment institutions; investment firms; managers of alternative investment funds; insurance firms; credit providers; advisors; and financial intermediaries); 3. prudential supervision on financial institutions and rationalisation measures; 4. conduct supervision on financial institutions; 5. market conduct supervision; 6. specific measures in respect of the stability of the financial system; and 7. concluding provisions.Fintech Action Plan in the NetherlandsIn respect of Fintech, in line with the principles of the AFS, the Dutch legislator has, until now, not implemented special regulations in respect of Fintech businesses. Following a survey, carried out in the second half of 2019, on the Dutch Fintech sector and its growth potential, the Dutch government presented a “Fintech Action Plan”. The survey showed that the Netherlands are in a strong position when it comes to development of Fintech, which is highlighted, inter alia, by the healthy growth in the number of Fintech companies established in the Netherlands and their envisaged growth potential. According to the survey, the Netherlands is ideally suited to the development of Fintech companies and the Dutch government considers it important that this situation remains in the future. The Fintech Action Plan has various lines of action, as set forth below:1. Put the Dutch Fintech climate and sector on the map, nationally and internationally,

whereby the goal is that the Netherlands will be a global leader in the area of Fintech and Dutch Fintech companies can grow both in domestic territories and abroad. The way to that goal is described as, inter alia, pursuing an international agenda in partnership with the Fintech sector; international publications describing the Netherlands as an attractive country for the Fintech business; exploring ways of stimulating Fintech activity through the SME guarantee scheme; and informing consumers about opportunities and risks of financial innovation.

2. Ensure Fintech companies have good access to knowledge and talent. The way to that goal is described as, inter alia, organising periodic Fintech round tables to discuss opportunities and obstacles; strengthen the Dutch Innovation Hub and the Regulatory Sandbox and launch the DNB Innovation Forum; several measures ensuring that Fintech companies can find the right talent (i.e. development of a residence provision for essential staff for start-ups, working with various regions and national partners, develop a branding strategy and information page aimed at attracting and retaining salaried international talent, inform Fintech companies of the possibility of obtaining SME funding to resolve training problems (the budget for 2020 has been raised to €10 million) and, to make it more attractive in tax terms, to issue share options as salary.

3. Ensure that legislation is future-proof and allows room for innovation. The way to that goal is described as, inter alia, that Dutch Fintech companies do not have to meet requirements that are necessary and proportionate, i.e., ensuring that legislation

BUREN Netherlands


is proportionate for start-ups and small businesses, ensure that supervisory costs are proportionate and, e.g., the press for European legislation on crypto currencies.

Restrictions

In the Netherlands, there are no specific restrictions to develop and maintain a Fintech company, be engaged in RegTech or InsurTech. This does not mean, however, that all activities can be performed free of registrations or licences. The below will give a brief overview.In terms of financial services, as soon as a Fintech company performs a financial service (which will most likely be the services of a bank, a payment services provider or an investment firm), appropriate licensing must be sought with the regulatory authorities. If the activities are commenced in the Netherlands, the AFM and the DNB will be the competent regulatory authorities and all regulatory requirements must be met. Once licensed by the AFM or DNB, a European Passport to expand services throughout the European Economic Area can easily be obtained.In terms of crypto currency, it must be noted that, although crypto currencies under Dutch legislation do not qualify as “securities” or “investment objects”, the offering or trading of which would require either a licence or at least a prospectus, certain regulatory requirements apply. DNB distinguished two types of crypto services. One type is crypto service providers exchanging money, such as euros or dollars, for virtual (crypto) currencies, such as Bitcoin, Ethereum or Libra. The other type of crypto service is the offering to customers of a custodial wallet for storing crypto currencies. Currently, the DNB checks whether crypto service providers comply with the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, the WWFT) and the Sanctions Act 1977 (Sanctiewet, the SW). The DNB, nor any other regulatory authority in the Netherlands, is engaged in supervising financial business risks, consumer risks or other risks. The AFM currently has no part in supervising crypto service providers. In general, the Netherlands does not have any specific consumer protection regulations for crypto services. There is, however, general consumer protection coming from less specific laws such as the Dutch Civil Code, that sanctions, e.g., unfair business practices and incorrect commercial expressions.Crypto service providers operating or wishing to operate in or from the Netherlands must apply for a registration with the DNB and must be in the position to show their compliance with the WWFT and the SW. The register is publicly available on the website of the DNB (https://www.dnb.nl/en/public-register/register-of-crypto-service-providers/).


The Netherlands definitely offers a financial and tech centre where Fintech companies can, with the help of the flexible regulatory environment, provide services and expand their business all over the world. The harmonised EU legislation (on which most parts of the AFS have been based) is helpful for a flexible journey throughout the European Economic Area (as set forth above) as it enables a concurrent authorisation in all applicable countries through the passporting of licences that directly give access to the foreign market without any further regulatory requirements having to be met.

BUREN Netherlands


Fintech is not a national topic; Fintech is designed to be enrolled globally and, therefore, the need for common and harmonised responses from financial and insurance regulators is of the utmost importance. The Dutch regulatory bodies, the AFM and the DNB, both regularly take part in supra-national bodies and working groups to be at the forefront of innovation and to contribute to design and internationally flexible landscape for Fintech companies, working in the financial sector, the regulatory sector or insurance.

Lous VervuurtTel: +31 70 318 4200 / Email: [email protected] Vervuurt, lawyer at BUREN, specialises in business law and financial law (banking and securities). She advises multinationals, listed companies, investment companies and investment institutions on the laws and regulations governing securities, corporate governance and compliance. She oversees the legal aspects of financings, stock exchange listings (of shares and bonds, in the Netherlands and abroad) and banking licences, and advises finance companies.Lous is a member of the Board of Representatives of the Dutch Bar Association. She received a degree in Dutch law (business law) from Leiden University in 1991 and completed the Grotius specialisation course on Financing and Securities in 1998.

BURENWTC – Toren C level 14, Strawinskylaan 1441, 1077 XX – Amsterdam, Netherlands

Tel: +31 20 333 8390 / URL: www.burenlegal.com


BUREN Netherlands

NigeriaProf. Gbolahan Elias, Ebimobowei Jikenghan & Novo Edojariogba

G. Elias & Co.


Approaches and developments in Nigeria

The Nigerian Financial technology (“Fintech”) landscape experienced significant growth in 2020, both in terms of adoption and regulations. However, despite the growth experienced, the Fintech Association of Nigeria in its 2020 Census Report1 (the “Census Report”) described the Fintech sector in Nigeria as nascent compared to other Fintech ecosystems globally. Over recent years, the exponential development of Fintech companies in Nigeria has been evidenced by a significant increase in foreign investments in Fintech companies and listings of homegrown Fintech companies on global exchanges. Kuda Technologies, which currently offers mobile-first banking services in Nigeria raised funding of USD 25 million in a Series A funding led by Valar Ventures, a US-based venture capital fund.2 This was Valar Ventures’ first financing of an African start-up. In October 2020, Paystack, a Lagos-based payments platform facilitating payments to merchants by their customers, was acquired by the US payment giant Stripe for a reported USD 200 million.3 This is one of the biggest acquisitions in Nigeria’s Fintech history. In March 2021, Flutterwave, a Nigerian payments company announced that it had secured USD 170 million in its Series C funding round.4 With this funding the company’s valuation rose to USD 1 billion, securing the company’s place as a unicorn. Also, in March 2021, Flutterwave announced a collaboration with PayPal5 that will enable PayPal customers globally to pay African merchants, further reducing the gap to the African market. The COVID-19 pandemic, while taking a toll on various sectors of the economy, has been a key driver in the accelerated use of Fintech offerings and the growth potential and investments in the Fintech sector in Nigeria. With the burgeoning growth in the Fintech sector, regulators are becoming increasingly focused on keeping up with advancements in the sector and adopting a risk-based approach towards balancing the imperatives of consumer protection and cybersecurity with innovation.

Fintech offerings in NigeriaNearly a decade ago, the Fintech industry received its first official endorsement (albeit a limited one) from the apex banking regulator, the Central Bank of Nigeria (“CBN”) through its 2012 cashless policy. In the years following the decision to introduce the cashless policy, the CBN, other key regulators and successive Governments have introduced policies aimed at improving financial inclusion, thereby providing a foundation for the penetration of Fintech offerings in the Nigerian market.In the second edition of this chapter published in 2020, seven broad classes of offerings were listed, namely: (i) Banking; (ii) Alternative Lending and Digital Credit; (iii) Electronic Payments; (iv) Public Revenue Collection; (v) Investment and Financial Management; (vi)

G. Elias & Co. Nigeria


Foreign Exchange and Remittance Transactions; and (vii) Blockchain, Digital Currencies, Crowdfunding and Alternative Financing. On a closer observation of recent regulatory and market developments, the list has been revised to five broad categories, with some sub-offerings. The revised offerings are discussed below:(i) Digital Banking:

Fintech has caused a major disruption in the way banks provide their services to customers, especially retail banking services. The COVID-19 pandemic also bolstered the adoption of mobile and online banking platforms by virtually all banks. In addition to the increase in the Payment Service Bank licences granted, the year 2020 also saw many Fintech companies offering virtual bank accounts. For this category of financial service providers, the existing laws and guidelines applicable to traditional banks also apply, especially regarding consumer protection, data privacy and protection, cybersecurity, anti-money laundering, and minimum capital requirements. Future regulation in this area is promising as the CBN in February 2021 issued the Regulatory Framework for Open Banking in Nigeria (“the Open Banking Framework”). It is expected that this regulation will increase data accessibility and collaboration between traditional banks and new Fintech entrants.

(ii) Alternative Lending and Digital Credit: Several tech-driven alternative lending and direct credit platforms have emerged in Nigeria. These platforms enable customers to swiftly access unsecured credit facilities online and are more convenient for borrowers when compared to borrowing from traditional commercial banks due to the reduced documentation requirements and absence of a requirement for collateral. Operators in this space use machine learning algorithms to perform real-time assessments of the creditworthiness of a user and carry out risk evaluations of the ability of users to repay the loans. The algorithms usually rely on non-traditional digital data mined from the mobile phone of the user in the first instance, and credit report/history obtained from facilitators such as the credit bureau (where available) for subsequent disbursements. Notable operators in this space include Renmoney, Paylater, Menacred, Quickcheck and Kiakia.co. Several banks within the past year have launched various lending products (such as Click Credit by UBA, Quick Credit by GTBank) similar to the product offerings by the alternative lenders and also highlighting that loan products can be obtained without cumbersome documentation processes. A notable development is the introduction of the Global Standing Instruction (“GSI”) agenda introduced by the CBN in July 2020 to improve credit repayment.6 Participating financial institutions are now able to recover past-due debts from borrowers by accessing all accounts held by such borrowers (in addition to the repayment account) with participating financial institutions across Nigeria. This is a relatively new concept in Nigeria, but it is expected to improve information sharing within the financial sector. However, there are concerns relating to data privacy and confidentiality.

(iii) Electronic Payments: In the past several years, payment and bill collection mechanisms in Nigeria have significantly evolved following the development of electronic payments and payment processing platforms such as Quickteller, Paga, Flutterwave, Remita, PayU and Paystack. These Payment System Providers are mainly non-banking institutions that integrate the payment side of commercial activities. The regulatory framework in this area is relatively stable.



A sub-category of electronic payments is public sector revenue collection. All payments to the Federal Government of Nigeria and its agencies are made to its Treasury Single Account via the Remita online payment platform. In addition, the Federal Inland Revenue Service introduced several electronic tax services including the e-Tax Payment product for the payment of all Federal Government taxes and levies through payment platforms, such as NIBSS, Remita and Interswitch.Another sub-category of electronic payments is foreign exchange and remittance transactions. Fintech has impacted cross-border businesses particularly with respect to foreign exchange and remittance transactions. A recent example is Chipper Cash, which recently expanded its operations to Nigeria in partnership with Paystack, to facilitate cross-border mobile money transfers in Africa. The CBN regulates this space principally through the Guidelines on International Mobile Money Remittance Service, 2014 and the Guidelines on International Mobile Money Remittance Service in Nigeria, 2015, which authorise licensed operators to provide inbound and outbound international money remittance services in Nigeria through mobile phones and other hand-held devices.

(iv) Investment and Financial Management/Crowdfunding: This is another area that has been impacted by Fintech solutions. At present, trustee and asset management companies have introduced online investment platforms that enable customers to invest in money market instruments, mutual funds and treasury bills. These include online investment platforms such as I-invest, InvestNow, and the online securities trading platform, MeritTrade. Also, the Nigerian Stock Exchange has adopted Fintech solutions in the form of an automated trading system (“ATS”) for securities trading on its floor. Further, non-banking institutions have also developed online platforms that provide financial management services such as savings, expense management and invoicing to customers. Notable examples include Carbon, PiggyVest and CowryWise (online savings platforms), Kliqr (an online expenses management platform) and Invoice NG (an invoicing platform).In Nigeria, investment management platforms often offer crowdfunding as an investment product. The two biggest beneficiaries of crowdfunding in Nigeria are Agriculture and Real Estate. Beyond the typical equity and debt financing options open to a business seeking funding, crowdfunding relies on the use of online platforms to raise funds to finance a project, business, or venture. The Securities and Exchange Commission (“SEC”) in January 2021 issued its Rules on Crowdfunding (the “Rules”), which provides a regulatory framework permitting private companies with the required structure and mechanism in place to raise capital from the public through crowdfunding. The principal feature of the Rules is the introduction of a crowdfunding portal, which would serve as a touchpoint between the fundraising entity and the investing public.On May 5, 2021, the SEC issued its proposed new rules on Robo-Advisory (“Robo-Advisory Rules”).7 Robo-Advisors provide automated financial management services utilising information on the financial state and goals of investors. The Robo-Advisory Rules seek to regulate Robo-Advisors who operate digital investment platforms that offer finance management services by proposing, amongst others, that: (i) Robo-Advisors comply with extant laws and regulations applicable to financial advisors regulated by the SEC; (ii) the principal officers of Robo-Advisors have the required experience and skill in financial management and technology; (iii) mechanics be put in place to mitigate investor risks where Robo-Advisors are advising on trading in foreign securities; and (iv) material information be disclosed



to investors, etc. Although Fintech companies in Nigeria like Carbon, Piggvest and Cowrywise actively provide wealth management services, they do not as yet provide the whole gamut of Robo-Advisory services.

(v) Blockchain and Digital Currencies: There is no legal framework relating to blockchain technology adoption in Nigeria. However, in recognition of the potential of blockchain in the development of the Nigerian digital economy in areas including national identity management, internal revenue monitoring and secure financial services, the National Information Technology Development Agency (“NITDA”) issued a draft framework on the National Blockchain Adoption Strategy in October 2020 (the “Framework”) for stakeholders’ input. The Framework referenced a 2019 survey conducted by the Blockchain Nigeria User Group on over 70 blockchain start-ups in Nigeria, which revealed that blockchain is mainly used in the areas of finance, trading exchanges and wallet services. This trend was further confirmed in the 2020 Global Crypto Adoption Index published by Chainalysis, which ranked Nigeria eighth out of 154 countries in terms of cryptocurrency adoption.8 However, despite the increase in interest and demand for digital currencies in Nigeria, the regulatory response has been largely cautious. It dates as far back as January 12, 2017, when the SEC issued a public notice on Investments in Cryptocurrencies and other Virtual or Digital Currencies. The notice warned the public to desist from investing in cryptocurrencies, as these virtual currencies and their operators have not been approved by the SEC, and regulations have not been made to regulate them and protect investors. Also, the CBN on February 28, 2018 issued a press release, which reiterated its earlier January 12, 2017 Circular to Banks and Other Financial Institutions on Virtual Currency Operations in Nigeria, by which it stated that virtual currencies are not recognised as legal tender in Nigeria and are used at the peril of the user. The CBN in its February 7, 2021 circular maintained its position in its circular of January 12, 2017. By the circular, the CBN further mandated all banks to close accounts which dealt with cryptocurrency with immediate effect. The key concerns for the regulators as set out in the Framework include the need: (i) to defend the value of the Naira (the official currency of Nigeria) in the global market through adequate regulatory oversight and control of virtual currencies and exchanges; (ii) for visibility into all financial activities for regulatory oversight; (iii) to fight money laundering and corruption; (iv) to promote transparency and accountability in governance; (v) for consumer protection from risks associated with unregulated markets; and (vi) to reduce capital flight through emerging markets. It is expected that the outcome of the stakeholder engagement would provide a framework document that would guide Nigeria’s blockchain regulation and provide regulatory certainty to stakeholders in space.


Given the speed of innovation and the evolving regulatory space for Fintech companies in Nigeria, financial institutions have resorted to regulatory technology (“Regtech”) solutions to aid in regulatory compliance. Requirements for more rigorous data protection and privacy have led Fintech companies to, as part of their Regtech offerings, provide blockchain, cybersecurity and other technology-enabled services to enable banks and other financial institutions to comply with data protection, risk monitoring, reporting and Know Your Customer (“KYCˮ) requirements.



The insurance space in Nigeria is dominated by traditional insurance companies offering their services without the use of Insurance Technology (“Insurtech”). The Census Report shows that only about 3% of Fintech companies provide Insurtech products and services. However, in recent times, some start-ups, such as AutoGenius, CompareIN and Cassava, have emerged with technologies that integrate the creation, distribution and administration of the insurance business using mobile applications, thereby promoting ease of accessing insurance products and services at competitive prices. This has compelled key players in the insurance industry to rethink their mode of operation. One of such ways is partnerships. In April 2020, Carbon, a Fintech company, announced its partnership with Axa Mansard (an insurance company) to launch a range of healthcare benefits for its customers in the wake of the COVID-19 pandemic in Nigeria.9 Also, Aella Credit, another Fintech company providing lending services, recently launched its health insurance product AellaCare to provide health insurance for financially excluded persons in Nigeria.10 It is expected that more of such partnerships will emerge in the coming years as Fintech companies look to diversify from other “crowded” areas of Fintech in Nigeria.

Regulatory bodies

The main regulators of the Fintech sector in Nigeria are the CBN, the Nigerian Deposit Insurance Corporation (“NDIC”), the SEC, the Nigerian Communications Commission (“NCC”), the NITDA, the National Insurance Commission (“NAICOM”) and the Federal Competition and Consumer Protection Commission (“FCCPC”).(i) The CBN: The CBN has primary responsibility for regulating financial services in Nigeria.

The CBN is the principal regulator mandated to issue licences to banks and other financial institutions by virtue of the Banks and Other Financial Institutions Act, 2020 (“BOFIA”). Fintech companies offering financial services to Nigerian consumers must obtain the necessary licences and comply with CBN’s applicable guidelines.

(ii) The NDIC: The NDIC is responsible for insuring all deposit liabilities of licensed banks and

other deposit-receiving financial institutions in Nigeria. Fintech companies that are in the business of obtaining and saving money deposited by Nigerian consumers, such as Payment Service Banks, must be registered with the NDIC, pursuant to section 15 of the NDIC Act, 2006.

(iii) The SEC: The SEC is the securities and capital market regulator in Nigeria pursuant to the

Investments and Securities Act, 2007 (“ISA”). Fintech companies desirous of raising capital from the capital market must register their securities with the SEC and comply with the ISA and the rules made thereunder.

(iv) The Corporate Affairs Commission (“CAC”): The CAC does the incorporation of and official record-keeping for all companies

in Nigeria. See section 8 of the Companies and Allied Matters Act, 2020. Fintech companies (including banks) must be incorporated at the CAC to carry on business in (as distinct from doing business with) Nigeria except otherwise exempted from this requirement (see sections 78 and 80 of CAMA 2020).

(v) The NCC: The NCC is empowered by the Nigerian Communications Act, 2003 to regulate

the telecommunication industry in Nigeria. Thus, Fintech companies offering services that involve the use of mobile networks or mobile phones are subject to



NCC’s regulatory purview and must obtain operating licences from the NCC. For instance, companies that operate mobile payments must be licensed by the NCC pursuant to the Licence Framework for Value Added Service (“VAS”). The NCC VAS regulation defines a VAS provider as a person or organisation engaged in the provision of value-added mobile/fixed services.

(vi) The NITDA: The NITDA is responsible for creating and enforcing data protection regulations

in Nigeria pursuant to the NITDA Act, 2007. NITDA issued the Nigerian Data Protection Regulations 2019 (the “Regulations”) and subsequently issued its Implementation Framework in 2020. The Regulations and its Implementation Framework aim to safeguard the rights of natural persons to data privacy and foster the safe conduct of transactions involving the exchange of personal data.

(vii) The NAICOM: The NAICOM was established by the NAICOM Act, 1997 with the responsibility

for ensuring the administration, regulation, and control of insurance business in Nigeria. Thus, where an Insurtech company carries on insurance business, it will require a licence from the NAICOM.

(viii) The FCCPC: The FCCPC was established by the Federal Competition and Consumer Protection

Act (“FCCPA”). The FCCPA provisions extend to Fintech companies that do not qualify as banks or other financial institutions as defined by BOFIA and to this extent prohibits anti-competitive practices in the Fintech space.


Key regulationsWhile there is no single primary statue specifically targeted towards Fintech players in Nigeria, there are several statutes and regulations that regulate the conduct of business in the Fintech space. They include: (i) the Open Banking Framework;(ii) CBN Framework for Regulatory Sandbox Operations, 2020 (“Sandbox Operations

Framework”);(iii) CBN Guidelines on Mobile Money Services in Nigeria, 2015;(iv) CBN Guidelines for Licensing and Regulation of Payment Service Banks in Nigeria,

2018;(v) CBN Regulatory Framework for the Use of Unstructured Supplementary Service

Data (USSD) Financial Services in Nigeria, 2018;(vi) CBN Regulation for Bill Payments in Nigeria, 2018;(vii) CBN Risk-Based Cyber-Security Framework and Guidelines for Deposit Money

Banks and Payment Service Providers, 2018;(viii) CBN Microfinance Policy, Regulatory and Supervisory Framework, 2011;(ix) CBN Revised Guidelines for Finance Companies in Nigeria, 2014;(x) CBN Guidelines on Operations of Electronic Payment Channels in Nigeria, 2016;(xi) NCC Value Added Services and Aggregator Framework, 2018;(xii) CBN Guidelines on International Mobile Money Remittance Service in Nigeria,

2015;(xiii) CBN Guidelines on International Money Transfer Services in Nigeria, 2014; (xiv) CBN Regulation on Electronic Payments and Collections for Public and Private

Sectors in Nigeria, 2019;



(xv) CBN Regulation for Direct Debit Scheme in Nigeria, 2018;(xvi) SEC Crowdfunding Rules, 2021; and (xvii) Moneylenders Laws of the respective states in Nigeria.Other generally applicable laws and regulations include the: (i) Companies and Allied Matters Act, 2020;(ii) Investment and Securities Act, 2007;(iii) FCCPA; (iv) NAICOM Act;(v) Money Laundering (Prohibition) Act, 2011 (as Amended);(vi) BOFIA;(vii) Corrupt Practices and other Related Offences Act, 2000;(viii) Economic and Financial Crimes Commission (Establishment, Etc.) Act, 2004;(ix) Terrorism (Prevention) Act, 2011 (as Amended);(x) Advance Fee Fraud and other Fraud Related Offences Act, 2006;(xi) Cybercrimes (Prohibition, Prevention, Etc.) Act, 2015;(xii) Nigeria Data Protection Regulations, 2019; and(xiii) NDPR Implementation Framework, 2020.

Regulatory approaches to Fintech

As part of the initiatives and interventions through which Nigerian regulators attempt to foster financial inclusion, stability, integrity, and consumer protection, the CBN issued the Open Banking Framework in February 2021. The Open Banking Framework promotes the integration of banks and financial institutions with Fintech companies and innovators to create a customer-centric approach to the provision of financial services. This integration comes with all the attendant benefits of data and innovation sharing among Fintech companies, innovators, banks, financial institutions, and other participants in the financial services sector within the boundaries set by the Open Banking Framework. The CBN and the Nigeria Inter-Bank Settlement System (“NIBSS”) backed the introduction of the first Fintech industry innovative sandbox launched by Financial Services Innovators (“FSI”) with the aim of lowering entry barriers into the Fintech space, especially as it relates to regulation and licensing. In July 2020, the CBN also issued the approved Sandbox Operations Framework. The Sandbox Operations Framework gives eligible Fintech innovators an opportunity to test their products, services, or solutions without the need to acquire a CBN licence. It is targeted at products, services and solutions that improve access to financial services and enhance the efficiency and effectiveness of Nigerian financial institutions’ risk management policies and practices.

RestrictionsTwo major key regulators have continued to maintain a cautionary stance in relation to cryptocurrencies and blockchain trading. On September 14, 2020, the SEC issued a statement on Digital Assets and their Classification and Treatment wherein the regulator stated that it would regulate “crypto-token or crypto-coin investments when the character of the investments qualifies as securities transactions”. Taking the view that such transactions fall within its mandate to protect investors, the SEC stated that unless the issuer or sponsor of such crypto assets proves otherwise, such assets must be registered with the SEC. The requirement for registration applies to “all Digital Assets Token Offering (“DATOs”), Initial Coin Offerings (“ICOs”), Security Token ICOs and other Blockchain-based offers of digital assets within Nigeria or by Nigerian issuers or sponsors or foreign issuers targeting Nigerian investors…”.



Insisting on fulfilling its mandate to ensure the financial system’s stability, the CBN on February 5, 2021, issued a notice to Deposit Money Banks to desist from dealing with entities engaged in cryptocurrency trading. This announcement caused a major disruption in the market and caused buyers and sellers of cryptocurrency to panic because the announcement effectively prevented them from operating bank accounts in Nigeria. According to the CBN, its stance is based on the significant risks associated with transacting in cryptocurrencies, among them, the risks of loss of investments, money laundering, terrorism financing, illicit fund flows and other criminal activities. The CBN maintains that cryptocurrencies are issued by unregulated and unlicensed entities and their use constitutes a contravention of existing law. As is evident from the approaches adopted by the SEC and the CBN, there seem to be a uniform position from a regulatory standpoint on crypto-based products in Nigeria. This regulatory uncertainty has prompted Fintech players and stakeholders to rethink their strategy and accelerate engagements with the regulators. On April 8, 2021, the SEC also issued a circular, warning capital market operators to desist from assisting and facilitating online investment and trading platforms to have direct access to the securities of foreign companies listed on securities exchanges registered in other jurisdictions. By law, only foreign securities listed on any exchange licensed by the SEC may be issued, sold, or offered for sale or subscription to the Nigerian public. Apart from the restrictions on cryptocurrency and access to foreign securities, the Federal Government of Nigeria announced that all citizens must have their National Identity Number (“NIN”) linked to their Subscriber Identification Module (“SIM”) cards (National NIN-SIM Registration Policy), while cautioning that failure to have the NIN would cause persons to be disconnected from their SIM cards. The announcement had a significant impact for two reasons: (i) at the time of the announcement, many Nigerians did not have the NIN; and (ii) sections 27 and 29 of the NIMC Act 2007 provide for the mandatory use of the NIN for transactions, including applications for and issuance of a passport, opening of personal bank accounts, purchase of insurance policies, voter registration, and obtaining credit. On the heels of the announcement, having a NIN became a requirement for operating bank accounts and using some Fintech applications. Almost all regulators in Nigeria now require a NIN from their customers/clients. The CBN has also issued a directive directing Fintech companies and third-party partners to request Bank Verification Number (“BVN”) validation from their customers. Whilst the goal of the initiative is understood, the lack of the required resources to ensure a speedy and all-inclusive process is a major impediment to the operations of Fintech companies in Nigeria, especially as it relates to KYC requirements.

Cross-border businessThe meteoric rise of the Fintech sector in Nigeria has, quite naturally, led to continued collaborative relationships between local players and their global counterparts. On the local scene, the impact of the Fintech sector has been remarkably pronounced in the areas of banking, payments solutions, lending, and financial management. For instance, the likes of Flutterwave and Paystack are redrawing the lines in the spheres of payments, whilst PiggyVest and Cowrywise continue to lead the financial management silo of the Fintech market.The growth of the Fintech sector in Nigeria has led to a spade of inroads by local players into non-Nigerian markets. For instance, earlier this year, Paystack – which made headlines in 2020 for its USD 200 million acquisition by the Irish American Fintech company Stripe – announced its entry into the South African market. Flutterwave and PayPal also recently collaborated for the purpose of allowing PayPal customers globally to pay



African merchants through its “Pay with PayPal” feature – in a move heralded as injecting more than 300 million PayPal users to African businesses. Flutterwave has recently also announced a partnership with Worldpay for the purpose of improving payments processing for businesses in South Africa and Nigeria as well as businesses seeking inroads into these markets.11 Interswitch’s recent partnership with American Express was billed to enable card-carrying customers of American Express to transact, using a wide range of merchants who process payments through the Interswitch platform.12

Nigerian Fintech companies, drawing from the foregoing examples, are entrenching themselves in and outside the local market, through the strategic development of meaningful relationships with global players.As Nigeria continues to nurture its Fintech local regulatory landscape, collaborations with global regulators have remained in the works. The UK-Africa Fintech summit which was held in the first quarter of 202113 saw the UK Department of International Trade take steps to explore opportunities for growth in the African market and investigate ways of building strategic relationships with African Fintech companies. Flutterwave famously raised USD 170 million from investors and has openly mulled the possibility of listing on the New York Stock Exchange, which would trigger further interactions with US regulators. At present, San Francisco-headquartered Flutterwave is already regulated by the US Securities and Exchange Commission. Overall, global regulators are not averse to collaborating with Nigerian Fintech companies, as the regulators continue to monitor the rampant rise of local players in the wider, international Fintech space. It is expected that there will be significant growth in the number, breadth, and depth of such collaborative relationships across the globe in the near future.

* * *

Endnotes1. Executive Summary, Fintech NGR and EY Nigeria Fintech Census 2020, p. 6.2. https://techcrunch.com/2021/03/18/kuda-raises-25m-more-led-by-valar-to-become-

the-neobank-for-every-african-on-the-planet.3. https://techcrunch.com/2020/10/15/stripe-acquires-nigerias-paystack-for-200m-to-

expand-into-the-african-continent.4. https://techcrunch.com/2021/03/09/african-payments-company-flutterwave-raises-

170m-now-valued-at-over-1b.5. https://techcrunch.com/2021/03/15/flutterwave-and-paypal-partner-to-allow-african-

merchants-to-accept-and-make-payments.6. https://www.nibss-plc.com.ng/news/4vartgw6074y02r3rn0hxqte4b.7. https://sec.gov.ng/proposed-new-rules-and-sundry-amendments-to-the-rules-and-

regulations-of-the-commission.8. https://blog.chainalysis.com/reports/2020-global-cryptocurrency-adoption-index-2020.9. https://venturesafrica.com/carbon-launches-healthcare-benefits-program-in-

partnership-with-axa-mansard.10. https://businessday.ng/companies/article/aella-inaugurates-health-insurance-with-free-

30-day-coverage.11. https://flutterwave.com/ng/blog/flutterwave-and-worldpay.12. https://www.interswitchgroup.com/interswitch-partners-with-american-express-to-

broaden-acceptance-of-amex-cards-in-nigeria.13. https://brevityanderson.com/uk-africa-fintech-summit-2021.



AcknowledgmentsThe authors would like to thank Oluwaseun Oyekan, Oluwadara Sontan, Fidelis Oguche, Iyinoluwa Ajayi and Doyinsola Kazeem for their diligence, outstanding research, and contribution to this chapter.

Prof. Gbolahan EliasTel: +234 1 460 7890 / Email: [email protected] Elias is a Senior Advocate of Nigeria and the Presiding Partner at G. Elias & Co. He has been advising leading private equity and venture capital fund managers and investees in the financial services, telecommunications, and technology sectors on investment transactions as well as on the regulatory regime of Fintech businesses in Nigeria.Gbolahan Elias was called to the Nigerian Bar and the New York Bar in 1981 and 1990, respectively, and has been a Senior Advocate of Nigeria (the equivalent of Queen’s Counsel) since 2005. He was an Associate at Cravath Swaine & Moore, a pre-eminent New York law firm, in late 1989 to early 1993. Prior to that, he read law at Oxford University, England, and obtained all of his four degrees – BA (First Class Honours), MA BCL (also first Class Honours), D. Phil. – from Oxford University.

Ebimobowei JikenghanTel: +234 805 748 7178 / Email: [email protected] Jikenghan is a Senior Associate and a key member of G. Elias & Co.’s New Economy team, comprising of Fintech, technology, media and entertainment and telecommunications, with experience in advising local and foreign clients on sundry regulatory issues, including on the regulatory framework for setting up Fintech platforms in Nigeria, the local data protection regime and anti-money laundering aspects of technology tools deployed for payment solutions. He is currently part of the Fintech Association of Nigeria committee tasked with driving the process of developing an operators-led standard for lending in Nigeria.

G. Elias & Co.Lagos: 6 Broad Street, Lagos, Nigeria /

Abuja: Abia House, Central Business District, Wuse II, Abuja, NigeriaTel: +234 1 460 7890 / URL: www.gelias.com



Novo EdojariogbaTel: +234 706 066 0272 / Email: [email protected] Edojariogba is an Associate at G. Elias & Co. and she is currently a member of the New Economy team, comprising of Fintech, technology, media and entertainment and telecommunications. She routinely advises local and international clients on regulatory issues concerning the formation, licensing and operational requirements for Fintech companies in Nigeria.

NorwayOle Andenæs, Snorre Nordmo & Stina Tveiten

Wikborg Rein Advokatfirma AS



Norwegian consumers are at the forefront when it comes to using digital solutions from public and private companies. This has been a great advantage during the COVID-19 pandemic. In Norway, 1.3 million customers use online banking or mobile banking every day, according to Consumer and Financial Trends 2020 (provided by Finance Norway).1 This is an increase of seven percentage points from 2019. From our experience, even though society is shut down and people are encouraged to be more at home, customers still want to conduct their daily banking errands, and do so by increasing the use of online banking and mobile banking solutions. Due to the pandemic, we have even seen an increase in the use of online banking or mobile banking among customers over the age of 66.One of the main reasons for the widespread use of digital solutions is that Norway has a highly developed infrastructure and several consumer-friendly payment services, and as a result the use of cash has fallen to less than ten per cent of all payment transactions, while new digital payment solutions such as Swish, MobilePay and Vipps have grown considerably. Several services have been automated, and customers have become increasingly self-serviced. Similar to other countries in the Nordics, the Norwegian fintech industry is highly developed and constantly evolving. Technological innovations stimulate competition, as well as cooperation, between the fintech companies, and between the fintech companies and the traditional banks. We have seen a shift towards more co-creation, co-investments and cooperation between the banks and fintech companies. In Norway, Directive 2015/2366/EU (PSD2), together with new technological solutions, has contributed to the emergence of entrepreneurial fintech clusters and fintech environments, such as Finance Innovation2 and Oslo Fintech Hub. Even though Norway has come a long way, the Norwegian financial services industry is set to undergo major changes in the future. As a consequence of globalisation and digitalisation, the Norwegian fintech sector is constantly working on establishing a foundation for creating new solutions in the banking and finance sector to meet new demands in terms of supply, efficiency, advanced technology and new complex business models. We have also seen a trend of increased focus on selling Norwegian fintech to the international market. It was initially DNB (largest bank in Norway) that established the payment service Vipps, a platform which has eventually been incorporated into a larger banking collaboration and is today owned by more than 100 Norwegian banks. Vipps has seen a tremendous growth in just a few years, and today a total of 90 per cent of banking customers use this service. This amounts to approximately 3.8 million customers in Norway.It was announced in June 2021 that Vipps will merge with MobilePay in Denmark and Pivo in Finland to become one of Europe’s biggest mobile payment providers with a combined

Wikborg Rein Advokatfirma AS Norway


user base of 11 million consumers. The new technology platform will provide innovative solutions available at an even faster pace. One of the most important parts of the project is that the service will allow cross-border payments.3

We have seen a shift where payment services are now driven by technological and regulatory development, rather than banks producing and distributing financial products and services in the traditional way. As part of the improved cooperation between the fintech sector and banks, we observe that major banks such as DNB,4 Sparebank 1 SR-bank5 and Nordea6 have announced allocation of significant funds to venture investment in fintech companies. Innovation Norway7 provides support to start-ups and growth companies in the form of funding, advisory services, networking opportunities and other resources. We have also seen an increase in venture capital funds and fintech hubs where fintech entrepreneurs are given access to software and consulting on legal issues and technology in addition to funding. As mentioned, people’s payment habits have changed during the COVID-19 pandemic, both due to the restrictions on travel and socialising and consumers’ payment solutions – for example, in stores and restaurants – according to Norges Bank’s Retail Payment Services 2020 report.8 Online banking is the most used transfer service for retail customers and the number of instant payments has grown quickly, and are now the second most used transfer service. The industry has adapted quickly to meet consumer demands – for example, we have also seen a substantial use of QR codes in physical stores and restaurants during the pandemic. The Norwegian authorities play a key role in the development, implementation and supervision of the Norwegian fintech sector. Norwegian legislation, regulation and regulatory requirements within the fintech sector are either based on or highly affected by EU law. Norway is not a member of the European Union; however, Norway is part of the European Economic Area (EEA), which was established through the EEA Agreement. The EEA Agreement links Norway to the EU’s internal market and forms the foundation of Norway’s European policy. EU legislation does not automatically transform to Norwegian law, and EU legislation, such as PSD2, must be incorporated into the EEA Agreement and subsequently be transposed into Norwegian law by the Norwegian parliament (lawmaker).COVID-19 has affected the fintech industry, and most companies either gained or suffered loss due to the pandemic. In Norway, the Norwegian Government introduced the COVID-19 financial assistance package to Norwegian start-ups and growth companies. In April, NOK 1 billion9 in additional funding was allocated to investors as part of the assistance package. Also, Innovation Norway has given crisis financial support during the pandemic.10

Fintech offering in Norway

Below is a list of the various fintech offerings in Norway, please note that the list is not exhaustive. • Hubs, incubators and accelerators – where innovators, change makers and entrepreneurs

can join a fintech community and create an environment where start-ups can cooperate with financial institutions such as insurance companies, banks, tech companies and other corporates; and which provides specialised programmes, funding and help to launch start-ups (Oslo Fintech Hub, StartupLab, TheFactory and Finance Innovation).

• Crowdfunding – crowdfunding platforms for project owners, in order to get in contact with financial supporters, donors or investors, for their projects. The platforms in Norway can be divided into: donation and reward (Speis, Bidra and Startskudd); equity (Dealflow); lending; (Fundingpartner, Monner, Perx, Kredd, Kameo); and software (SparkUp, Folkeinvest, Crowdworks, Investio).



• Personal financial management – enables consumers to get access to aggregated information about their financial situation (Neonomics).

• Online banking – proprietary innovative systems and integrated platforms provided, e.g., by banks to streamline their services.

• Lending services – for example, apps where users exist within commonly shared pools of money, within which they can freely borrow and lend (Lendonomy).

• Investment services – providers of investment services on the basis of adaptive data-driven models and strategies (Abelee).

• Exchange services for cryptocurrencies and wallet providers (Kaupang Krypto, MiraiX).• Artificial Intelligence (AI) – a fully automatic monitoring platform for investment

professionals (Exabel).• On-the-spot financing solutions for small and medium-sized enterprises (Aprila).• Payment solutions – these provide fully digitised payment services for online sales of

goods (Nets, ZTL). • Mobile payment solutions – these enable peer-to-peer transactions in Norway. In Norway,

the largest provider is Vipps. • Digital identity service provider (DISP) – Signicat is the leading provider of e-ID and

e-signatures in Europe, delivering services in line with international standards and requirements of anti-money laundering (AML) and KYC.

• Robo-advisors – companies that use customer information and algorithms to develop automated services for investment proposals and portfolio allocation tailored to each individual customer. In June, the Norwegian bank Sbanken became the first in the world to achieve authorisation for its robo-advisor. In March 2019, a coordinated Norwegian financial industry (Finance Norway and the Norwegian Fund and Asset Management Association) decided to establish an authorisation scheme for robo-advisors. Sbanken was one of six pilot companies that tested the application process through 2020 and requirements for the authorisation. The authorisation scheme was officially opened in January 2021.11

• Savings apps for consumers (Spiff, Spare, Kron).• Mobile payment apps – examples include Settle Group, which launched the first mobile

payment service in Norway, and Zwipe, which provide biometric payment cards and wearables that enable consumers to authorise transactions with their fingerprints without compromising their privacy.

• Trading platforms – platforms where customers can trade equities, cryptocurrencies, commodities, currency crosses, ETFs and indices.

• Accounting services (Fiken).


RegtechSo far, we have not seen many platforms for regtech service providers in Norway other than some providers of KYC processes (Mangopay, Beaufort Solutions). However, complex regulatory requirements put pressure on companies and individuals, and it is likely that we will see a growth in regtech companies that can provide cost-efficient solutions for KYC process, transaction monitoring, risk management, compliance and regulatory reporting. InsuretechIn Norway, we have seen new technology within the insurance industry to automate



processes for insurance companies in order to increase efficiency and customer satisfaction. One of the service providers, Digital Workforce, has announced that their next step involves the use of Robotic Process Automation (RPA) with AI to expand the capacity of process automation.12

In addition, several new and existing insurance companies have increased the use of electronic data to better calculate risks and insurance premiums, resulting in potential greater return for insurance companies and better premiums for customers with lower risk profiles.

Regulatory bodies

Listed below are the main regulatory bodies for fintech in Norway:• The Financial Supervisory Authority in Norway (FSAN) – FSAN’s main tasks include:

licensing; providing information to the public; regulatory development; supervision; and monitoring.

• The Data Protection Authority – responsible for supervision, providing information and regulatory developments within data privacy and handling of personal data. The Data Protection Authority has also established a regulatory sandbox for AI. The goal of the sandbox is to stimulate innovation of ethical and responsible AI from a data privacy perspective.

• The Consumer Agency – which provides information about consumer rights and assistance with regard to the complaints procedure.

• The Norwegian Financial Services Complaints Board (FinKN) – FinKN deals with disputes that arise between finance companies and their customers in service areas such as insurance, securities funds, banking, financing, and debt collection.

• Organisations – for example, Finance Norway, which is the industry organisation that represents the financial industry and employers’ interests in Norway.


There is no general regulation specific for the fintech sector in Norway, and the area is regulated by a number of different laws. The legal landscape is fragmented, and this is one of the reasons for the emergence of accelerators, hubs and incubators that assist fintech start-ups with navigating the regulatory requirements and legislation.The regulations may be divided into the following main areas: (i) banking and financial institutions; (ii) laws regarding insurance; and (iii) trade of securities. Regulated companiesThere is strict and comprehensive legislation in terms of licensing requirements for institutions/entities engaging in “financial activities” – below is a list of some activities that require a licence:• Financing activities.• Insurance business.• Deposit-taking.• Payment services and e-money.• FX, foreign exchange business (spot trading in foreign exchange).• Investment services and activities.• Asset management.• Real estate agency.• Debt information businesses.



• Credit and debt collection agencies.• Accounting and auditor services. • Virtual currency services.Payment servicesThe Payment Services Directive (PSD1) was fully implemented into Norwegian law in 2010. Most of the provisions implementing the EU’s revised PSD2 into Norwegian law entered into force on 1 April 2019 (full implementation of PSD2 is expected to take place when the new Financial Agreements Act enters into force). The implementation entailed changes in several laws and regulations that apply to banks, mortgage companies, payment companies, e-money companies, information agents and payment service companies.13 For the banking industry, the new regulations represent both threats, in terms of competition, and new opportunities, in terms of cooperation and growth.As of today, five Norwegian companies have a PSD2 licence (Vipps, Lendo, Horde, ZTL and Neonomics).14

Strong Customer Authentication (SCA)In September 2019, the EU Directive on SCA was implemented into Norwegian law. The requirement for strong customer authentication entail (among other things) that a two-factor authentication must be used for card payments/payments online, with some exceptions. AML regulationsThe new AML Act, implementing EU’s fourth AML Directive, entered into force in Norway on 15 October 2018. Most fintech entities with a licence from FSAN are subject to the AML Act. BanksIn order to establish a bank in Norway you are required to apply for a banking licence in accordance with the Act on financial institutions and financial groups (LOV-2015-04-10-17) to operate either as a savings bank or a commercial bank. There are certain ownership restrictions under Norwegian law – for example, not allowing non-financial institutions to own more than 20–25 per cent of banks. The requirements to obtain and hold a banking licence are extensive, and are based on the CRD IV and CRR framework, as implemented in Norway. Guarantee for bank deposits – the purpose of the banks’ guarantee fund is to secure deposits in the member banks of up to NOK 2 million, in the event a bank is taken under public administration or dissolved. GDPR and processing of personal dataThe General Data Protection Regulation (GDPR) was adopted in the EEA through a Joint Committee Decision on 6 July 2018. The Personal Data Act, including the GDPR, entered into force in Norway on 20 July 2018. The Norwegian Data Protection Authority is the supervisory authority in Norway. Companies within the fintech industry may need to carry out a Data Protection Impact Assessment (DPIA) and actions to mitigate risks. A DPIA is a process to help companies identify and minimise the data protection risks of a project. A DPIA is required under the GDPR any time a company begins a new project that is likely to involve “a high risk” to other people’s personal information.Rules on the processing of personal data by credit information services – applicable to fintech GDPR processing of personal data. The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EEA.Crypto-assetsThe regulatory approach to crypto-assets is different in the various EEA countries, and there is



no specific Norwegian legislation regulating crypto-assets. However, in Norway, the Securities Trading Act, the AML Act and the Financial Undertakings Act may regulate crypto-assets and related activities based on the characteristics of the crypto-assets and activity related to such assets (whether it is payment tokens, investment tokens or utility tokens). The AML Act regulates the exchange of fiat money to virtual currencies (and vice versa), as well as safekeeping of private keys/wallet functions. Such providers are subject to “fit and proper” testing of management and owners, and must register with FSAN, and comply with AML legislation. FSAN has stated that they are looking to perform on-site visits during 2021 to supervise compliance with AML legislation. There are currently 10 entities registered with FSAN to provide exchange and storage of virtual currencies in Norway.Some crypto-assets fall under the definition of electronic money (e-money) in the Financial Undertakings Act § 2-4 and can only be issued by banks, mortgage companies and e-money companies and by finance companies that are licensed to conduct such activities in Norway. Norges Bank is of the view that stable coins intended for the general public where the issuer guarantees a nominal value will, in principle, fall within the definition of e-money.Consumer-related legislationThe Financial Agreements Act of 1999 regulates agreements and assignments of financial services where one contract party is a financial institution or similar institution. On 1 December 2020, a new Financial Agreements Act was passed, implementing the private law aspects of several EU Directives, including the Payment Account Directive, PSD2, the Mortgage Credit Directive, as well as the Consumer Credit Directive and the Consumer Rights Directive.15 The date for when the law will enter into force has not yet been determined, but it is expected that this will take place in 2022. The law further strengthens consumer protection and introduces new measures to prevent consumers from taking on excessive debt, and new rules that will provide consumers with protection against fraud with electronic signatures (BankID).Intellectual property rightsSafeguarding the intellectual property rights of a fintech company is essential (i.e., to protect copyrights, company names, brands, innovations, domains, trademarks, know-how, designs, trade secrets and authorship, including software code, website content, and marketing materials). Protection of intellectual property can also give a competitive edge in the market, as this gives investors, stakeholders, consumers, and others a profound sense of trust in the start-up. Trademarks, patents and design rights shall be registered in NIPO’s database (the Norwegian Industrial Property Office).Regulatory sandboxFSAN has the established a “regulatory sandbox”16 for the purpose of increasing innovation within the financial industry and to facilitate the entrance of new actors and increased competition. The companies that participate in the “regulatory sandbox” are given the opportunity to launch new, innovative products, technologies and services subject to guidance from, and supervision by, FSAN. Taxation of start-upsFor start-up companies, granting stock options or warrants is a flexible and useful remuneration method that caters for the needs of such companies (reducing overheads and allowing employees a profit share). Until recently, stock options were not treated favourably from a tax perspective.



The Norwegian Ministry of Finance has, by a consultation note on 7 June 2021, proposed a new tax scheme for start-up companies, providing a more favourable and predictable tax treatment. The proposal implies that the stock option tax is deferred until the shares are realised, and they are then taxed fully as share income (the capital tax rate is currently at 22 per cent) – in contrast to the current payroll tax on options which is significantly higher than capital tax. Further, the scheme, once in force, will extend to companies with up to 50 employees (currently set at 25 employees under the current tax scheme), NOK 80 million in turnover (currently set at NOK 25 million under the current tax scheme), and 10-year-old companies (the current tax scheme only extends to six-year-old companies).17

The consultation deadline is 6 August 2021, and the Ministry of Finance has stated that the new tax scheme will enter into force on 1 January 2022.18

Restrictions

There are no general restrictions that apply to fintech activities in Norway. However, specific restrictions may apply, depending on the relevant activity being conducted.


Five years back, there were relatively few Norwegian start-ups, and Norwegian start-ups rarely expanded their business abroad. The situation today is different, and Norway has become a suitable spot for fintech start-ups. The general focus on the transition to a greener economy has caused a shift where Norwegian businesses and universities are now excelling at developing engineers for tech and start-ups (previously they had focused at developing engineers for the oil and gas industry). We see a trend of further expansion and cooperation between Norwegian businesses and international or Nordic entities. For example, the largest Norwegian IT company, Evry, merged with the Finnish company Tieto in 2019 and started the business TietoEVRY in 2020, delivering consultancy, IT and science services. TietoEVRY entered into a collaboration on the Swedish “e-krona” (pilot project for the national bank in Sweden). As a result of digitalisation and technology development that will change supply, demand, and business models rapidly, we will likely witness further cooperation between Norwegian and global players in the years to come.An advantage in this context is that companies licensed in Norway may use the passporting system under the EU regulatory framework when conducting services within the EEA, and other EEA companies when conducting services in Norway.

* * *

Endnotes1. https://www.finansnorge.no/aktuelt/nyheter/forbruker-og-finanstrender/forbruker--og-

finanstrender-2020/digitale-forbrukere-er-en-styrke-under-koronakrisen.2. https://financeinnovation.no.3. https://finansavisen.no/nyheter/bank/2021/06/30/7697795/danske-bank-merger-vipps.4. https://shifter.no/dnb-kjerstin-braathen-sbanken/dnb-venture-skal-investere-250-

millioner-i-startups-dette-er-selskapene-de-er-pa-utkikk-etter/107148.5. https://sprint.no/artikler/intervju-med-sr-bank-storsatsing-pa-venture-og-innovasjon.6. https://shifter.no/nyheter/nordea-sto-for-230-millioner-kroner-i-tibber-avtalen-na-

girer-storbanken-opp-jakten-pa-vekstselskaper/197755.



7. https://www.innovasjonnorge.no.8. https://www.norges-bank.no/contentassets/b29d4d26c2f34625917b06392f44021d/

papers_2_21-retail-payment-services.pdf?v=05/19/2021220248&ft=.pdf.9. https://www.altinn.no/starte-og-drive/stotteordninger.10. https://www.innovasjonnorge.no/no/tjenester/finansiering2/krisetiltak.11. https://www.finaut.no/finaut-english/worlds-first-authorization-achieved-robo-advisor.12. https://digitalworkforce.com/no/intelligente-automatiseringslosninger/forsikring.13. https://www.finanstilsynet.no/tema/psd-2---eus-reviderte-betalingstjenestedirektiv.14. https://shifter.no/nyheter/tre-av-fem-norske-selskaper-med-psd2-lisens-kritiserer-

bankenes-handtering/195411.15. (EU) 2015/2366, 2014/92, 2014/17, 2008/48, 2009/924, 2012/260, 2011/83.16. https://www.finanstilsynet.no/tema/fintech/finanstilsynets-regulatoriske-sandkasse.17. https://www.regjeringen.no/no/aktuelt/horing-av-ny-opsjonsskatteordning-for-

selskap-i-oppstarts-og-vekstfasen/id2848503.18. https://www.regjeringen.no/no/aktuelt/horing-ny-opsjonsskatteordning-for-selskap-i-

oppstarts-og-vekstfasen/id2857270.

Snorre NordmoTel: +47 22 82 76 09 / Email: [email protected] Nordmo is Specialist Counsel at Wikborg Rein’s Oslo office, and leads the firm’s Asset Management practice.Snorre is specialised in asset management and financial regulatory matters and has broad experience within the industry from both a service provider and client perspective. He advises both regulated and unregulated asset managers, including investment firms, alternative investment fund managers (within private equity, hedge funds, real estate, private debt, infrastructure, etc.), securities fund managers, investment banks and financial institutions, pension funds, insurance companies, family offices, consultants, advisers and service providers within the asset management industry. Snorre previously worked as an attorney at Norges Bank Investment Management (which manage Norway’s sovereign wealth fund) and as general counsel at Sector Asset Management (Norway’s largest hedge fund manager).

Wikborg Rein Advokatfirma ASDronning Mauds gate 11, Pb. 1513 Vika, 0117 Oslo, Norway

Tel: +47 22 82 75 00 / URL: www.wr.no



Ole AndenæsTel: +47 22 82 76 61 / Email: [email protected] Andenæs is a Partner at Wikborg Rein’s Oslo office, and heads the firm’s Financial Regulations practice.Andenæs previously worked as Head of Legal of investment bank Carnegie AS, and he has in-depth and practical knowledge about the regulatory framework surrounding investment firms, asset managers, investor behaviour and adjacent regulations. Prior to this, Andenæs worked as a Senior Lawyer at the law firm Thommessen, where he mainly worked with financial regulations, advising a wide range of regulated entities, as well as company law and disputes within these areas. He is also a specialist in company law, and is the co-author of Aksjeselskaper og allmennaksjeselskaper (third edition 2016) (Public and Private Limited Company Law).

Stina TveitenTel: +47 22 82 75 33 / Email: [email protected] Tveiten is an Associate at Wikborg Rein’s Oslo office and is part of the firm’s Capital Markets and Asset Management practice. Stina previously worked as an Associate at DLA Piper.

RomaniaSimona Petrişor, Diana E. Ispas & Alexandru Achim

Bondoc și Asociații SCA



General trendsIn line with the strong expansion trend at global level, the Romanian Fintech ecosystem has been on continuous growth over the past years. Recent Fintech mapping initiatives1

report over 60 projects, from both native and international companies with local presence, which operate in several niches such as personal finance, payments & wallets, financial infrastructure, investments & wealth management, Insurtech, crowdfunding and blockchain & cryptocurrencies. Although the Romanian Fintech ecosystem is relatively small by reference to nearby benchmark countries, such as Poland, Romania has managed to reach a spot in the top 20 European countries ranked by the number of Fintech funding rounds.2 Recent views of local venture capitalists3 report the Fintech sector as well-positioned to thrive in the future and showcase their investment appetite in this field. The recent successful listing on the NYSE of the USD 35bn Romanian software technology unicorn, UiPath,4 a leader in Robotic Process Automation (“RPA”), has also set an unprecedented landmark in Romania’s tech innovation history, boosting the local tech innovation. In addition, the 2020 promotion of Romania to the emerging market status by FTSE Russell came with a set of international investment advantages, also triggering new financing opportunities for local Fintechs. The significant growth over the last years and the encouraging perspectives prompted some of the most important local Fintech companies to join forces and set up the first Fintech professional association early in 2020 – the Romanian Fintech Association, supporting Fintech companies to access markets, capital and financing resources, as well as human resources to contribute to the development of the industry. Several accelerators (e.g. Techcelerator, Innovation Labs, Spherik Accelerator, Risky Business) and business angels (e.g. TechAngels) are also active in the Fintech landscape. More generally, Romania has built a strong reputation over the years in holding impressive IT capabilities, both in terms of human resources and in terms of being a top-ranking country as regards broadband internet speed.5 These capabilities enabled Romania to win the race to host the European Cybersecurity Competence Centre and contribute to a stimulating environment for the growth of Fintech companies. Approach of the Romanian supervisory authoritiesRomanian regulators in the banking and non-banking financial sector, the National Bank of Romania (“NBR”) and the Financial Supervisory Authority (“FSA”), respectively, recognise the importance of Fintech and seek to leverage on the benefits thereof to support innovation in their fields of supervision. To this end, both the NBR and the FSA developed

Bondoc și Asociații SCA Romania


dedicated Fintech hubs to encourage dialogue with interested parties and create a favourable environment for the development of innovative products and services, namely FinTech Innovation Hub – NBR and Fintech Hub and InsurTech Hub – FSA. At the end of 2020, the NBR engaged in discussions with experts from the Development Facility for the European Fund for Southeast Europe to explore the implementation of a Fintech regulatory sandbox. The FSA appears to also be considering the opportunity of developing a regulatory sandbox as part of its 2021–2023 strategy.6 In terms of the regulatory framework, the Romanian banking and financial laws as well as Fintech-related legal developments stem primarily from the EU directives and regulations. Very few legal proposals addressing the Fintech emerging trends have been initiated at domestic level and, so far, none have entered into force – for example, a draft law on crowdfunding services entered the legislative process in 2015 and was finally rejected by the Romanian Parliament in May 2021. In the environment above, traditional banks still dominate the local regulated banking and payments sector. While Fintechs aim to take full benefit of the opportunities brought by the open banking era under the PSD 2,7 only one local fintech (Smart Fintech) has recently managed to obtain a licence as a payment institution also covering payment initiation services. Many local Fintechs operate in an unregulated environment and some of them provide the relevant infrastructure and services (outsourcing Fintechs) to traditional players in the market. The latter, in their turn, contribute to the growth of the Fintech phenomenon by developing dedicated acceleration programmes (e.g. Elevator Lab Partnership Program by Raiffeisen Bank International or InnovX-BCR by Banca Comerciala Romana), offering opportunities to test new ideas, building partnerships and offering financing opportunities to Fintech companies. The lack of a dedicated legal framework translates into limited Fintech offerings in certain niches, where the EU legislation is yet to be implemented (such as crowdfunding – the EU Crowdfunding Regulation) or is in the process of being created (such as blockchain and cryptocurrencies – the draft EU laws on cryptoassets and distributed ledger technology (“DLT”)8). As a result, the Romanian Fintech landscape is fragmented and seems to be dominated by companies active in the payment & wallets sector, financial infrastructure and personal finance. Additionally, there are some limited but important developments in crowdfunding services where the current operating platforms structure their business model outside the capital markets regulations perimeter, as well as growth in the blockchain and crypto niche.

Fintech offering in Romania

Payments-related solutionsPayments-related solutions represent the largest segment of the fintech offerings in Romania and tackle a wide spectrum of customers’ needs. These include mobile apps-based solutions allowing in-app (bulk) payments for utility bills, insurance, public services, etc. to various service providers and merchants integrated in the product (Pago, mobilePay Wallet), decentralised payment solutions for closed-loop environments (Oveit) or fast and customer friendly peer-to-peer (“P2P”) money transfers (Moneymailme, Volt), some also showcasing digital wallet features allowing for NFC/QR-based payments, as well as software solutions (licensed via API or white label). Such innovative payments-related solutions are usually developed and/or provided by the Fintech companies in partnership with regulated entities that ultimately carry out the credit/debit card payments and credit transfers facilitated by



means of the Fintech products. Only one local Fintech company (Smart Fintech) entered the open banking ecosystem as a PISP with its plug-and-play payment initiation service for e-commerce merchants – Smart Pay. API-based shopping platforms offering customers cash-backs on purchase and “buy now, pay later” features have become a popular online shopping alternative (Beez).Personal financeSeveral personal finance products have worked their way up in the Romanian Fintech market (e.g. ThinkOut, Cash Control, Finboard ). Both B2B- and B2C-oriented, web or mobile-based, Fintech products in this niche provide cashflow analysis and forecasting, income and expenses monitoring and other similar functions. Generally, the source of data used is either the accounting data imported and processed by the app, figures inserted by the user or actual money movements from the users’ accounts. The latter feature involves regulated account information services under PSD 2 and may be provided by the Fintech companies as registered/licensed account information service provider (“AISPs”) or in partnership with AISPs. Lending and crowdfunding Loans as well as factoring and invoice discounting are currently products that may be accessed online from regulated entities, based on fast and customer-friendly processes and approvals. Certain Fintech companies target the instant lending market and some short-term lending products also integrate “buy now, pay later” technology solutions for online and offline purchases (Revo Technology). Non-regulated entities target the B2B lending landscape via online platforms for invoice trading and factoring (iFactor). Despite the absent dedicated legal framework, equity-based crowdfunding has an important exponent in Romania – SeedBlink, which is the largest equity crowdfunding platform in Southeast Europe.The current regulatory regime leaves little or no room for lending-based crowdfunding platforms – the lending activity is subject to the monopoly of the regulated financial institutions. As such, lending-based crowdfunding platforms are not yet active in Romania. However, the upcoming application of the EU Crowdfunding Regulation is expected to change the regulatory environment and bring more (local and EU-based) players in this niche. Wealth managementLocal tech solutions on wealth management contemplate the use of AI algorithms for building investment strategies and tools for sharing and accessing practical knowledge built by trading experts (Vestinda) as well as the use of robo-advice as an automatic wealth management solution for retail investors (Optimus). When the Fintech services cover the investment advice, MiFID 2 rules will need to be considered. While Optimus obtained its MiFID 2 relevant licence, none of the local examples mentioned above appear to be operational yet.DLT and cryptoassetsIn line with the global trend, the interest in cryptoassets and DLT-based technologies is also widespread in Romania. Cryptoassets enthusiasts have access to several global cryptoexchanges and trading platforms as well as to locally developed exchange facilities (such as Tokero (formerly LDV)). In terms of raising funds, ICOs/IEOs were used for accessing finance either by locally-founded (Restart Energy) or Romanian-based (Elrond) companies, the latter being the developer of the public blockchain ecosystem for various financial-related utilisations (including the Mayar wallet, for their eGold native cryptoasset).



Blockchain-based solutions are developed for utilisations in several other fields (Sablier as real-time payment in crypto); local authorities (the FSA) appear to be exploring the use of this technology in the exercise of their supervisory powers (as a Regtech solution), according to the FSA Strategy for 2021–2023.Financial infrastructure and enablersFinancial infrastructure providers and Fintech enablers (developers of tech solutions for financial services) are well represented (e.g. FintechOS, Typing DNA, Druid ) and are expected to maintain traction within the Romanian Fintech ecosystem (some of them actually managing to also export their solutions to other EU countries recently). Solutions in this niche vary from open banking API-related (such as API aggregators/hubs, testing tools for PSD 2 APIs), authentication (including biometric) tools (such as typing biometrics authentication), full-process onboarding platforms and chatbots, to platforms that enable banks and insurers (as Insurtech solutions) to create end-to-end digital customer journeys (e.g. in the case of banks, from onboarding to accessing banking products). While the business of the companies active in this niche is not itself regulated, their end-services and products are usually dedicated to regulated activities and may need to ensure compliance with several requirements, such as the strong customer authentication rules under PSD, anti-money laundering (“AML”), KYC onboarding standards, eIDAS Regulation and/or GDPR. Also, all applicable outsourcing rules need to be complied with by the relevant regulated entities in their relationships with these entities.


Insurance technologyThe tech innovation in the insurance market has recently become more visible as an increasing number of insurers have integrated Fintech solutions in their activities to close the digital gap and hold on and increase their customer base. Implemented Insurtech solutions are aimed at providing tailored insurance offerings and streamlining the insurance process. These include telematics/usage-based insurance options, chatbots that facilitate interaction with customers and offer 24/7 assistance, online underwriting processes, digital-first notices of loss and also end-to-end digital customer journeys (that cover quote and underwriting, policy issuance, payment and policy management processes). Insurance-dedicated solutions by Fintech enablers include, in general, digital claims notice and processing, appointments of repair shops/selection of treatment facilities as well as features to facilitate the settlement invoices/claim completion. The InsurTech Hub set up by the FSA is aimed to facilitate the interaction between traditional players in the insurance markets (insurers, brokers) and tech innovators to explore further developments in this niche.Regulatory technologyWhile the visible focus in the use of Fintech solutions by the regulated entities has been towards meeting customers’ needs and improving interaction with customers, ensuring compliance with regulatory requirements is also covered by various Fintech solutions. Fintech solutions in the open banking era also have a Regtech component, as the technology should enable compliance with several requirements, e.g. under PSD 2 and/or the AML legal framework. Certain Regtech solutions cover client identification processes (via electronic means) and secured client authentication protocols. Despite the relatively limited local offerings in this field (e.g., Reporting Centre offering regulatory reporting solutions), the use-cases of Regtech are expected to continuously extend to the mid- and back-office internal processes of the regulated entities to serve, amongst others, compliance and risk



management (e.g., automatic evaluations of the regulatory environment, data aggregation), fraud detection and regulatory reporting. Both the NBR and the FSA support the development of the Regtech ecosystem and the FSA itself undertook in its 2021–2023 strategy to explore the use of innovative technologies (such as DLT and blockchain, AI and machine learning) to strengthen its supervisory capabilities.

Regulatory bodies

Under the Romanian law, there is no single regulatory and supervisory authority for Fintech companies. Depending on their business models and whether part of such amount to regulated activities, the activities of Fintech companies may be authorised and supervised by the NBR (payments, e-money and banking business) or the FSA (financial services firms or crowdfunding services providers). Also, from an AML and international sanctions legislation perspective, relevant authorities include the National Office for Prevention and Control of Money Laundering and the National Agency for Fiscal Administration. Additionally, the National Consumer Protection Authority may also supervise the relevant activity of Fintech companies offering B2C products and services.In connection with the providers of services related to cryptoassets, relevant authorities also include the Authority for the Digitalization of Romania, as well as the Ministry of Public Finance.The competent authority in Romania for data privacy matters is the National Supervisory Authority for Personal Data Processing, which is a public authority, having the legal power to launch investigations and apply sanctions.As regards cybersecurity matters, companies are supervised by CERT-RO, which is responsible for preventing, analysing, identifying, and reacting to cyber incidents, having the legal power to apply sanctions under the Romanian Cybersecurity Law.9


Under the Romanian law, there is no dedicated piece of legislation aimed at regulating Fintech companies. Unlike other European lawmakers, which have adopted certain special regulations aimed at covering the quick market developments in this sector, the Romanian legislator has not taken such a stance until now, the limited legislative initiatives to regulate this area, such as the draft law regarding crowdfunding, having been aborted during the legislative process. The regulations applicable to Fintech companies very much depend on the type of business carried out by such companies. Depending on such business models (e.g., B2B, B2C), Fintech companies may need to comply with multiple layers of rules and regulations in order to provide their services and products in Romania. As regards the financial services legislation, including payment services, insurance, e-money, and financial investment services, the Romanian legislation has substantially implemented the relevant EU directives, namely PSD 2, Solvency II, the E-Money Directive and MiFID 2. To the extent that Fintech companies’ activities fall under the scope of licensed activities, namely payment services or e-money business, banking business or financial services, the Fintech companies should obtain the relevant licences prior to actually carrying out their business. Also, such companies are deemed as reporting entities under the relevant AML legislation and should accordingly comply with international sanctions regulations in force in Romania.



Additionally, we note that EU directives relevant for a B2C business, such as the Distance Marketing of Financial Services Directive, the Unfair Contract Terms Directive, as well as the Consumer Credit Directive are also implemented under Romanian law, and Fintech companies carrying on a B2C activity must comply with the relevant provisions thereof. Apart from the special legislation above, the activity of a Fintech company is subject to the general legislation applicable to companies including the Civil Code, Company Law no. 31/1990, data protection laws (including GDPR) and the legislation on e-commerce and prohibiting unfair practices.Payment servicesIn terms of payment services, since 13 December 2019 they have been regulated by Law 209/2019 on payment services and for the amendment of certain regulatory acts, transposing PSD 2 in the Romanian law. The law regulates the main principles of PSD 2 regarding the regulation, the authorisation of payment institutions, the registration of AISPs and their supervision, while the technical conditions regarding the authorisation of payment institutions or the registration of account information services providers and other similar matters, including from the relevant EBA guidelines, are mainly regulated by NBR Regulation 4/2019 on payment institutions and dedicated providers of account information services in force since December 2019. Also, e-money and e-money institutions are regulated by Law 210/2019 on e-money issuance activity in force since November 2019 and implementing regulation of the NBR 5/2019 in force since December 2019. Of interest in the area of payments is also NBR Regulation 2/2020 regulating the security measures related to the operational and security risks and the reporting requirements for payment services. These main regulations are further supplemented by the relevant EBA guidelines adopted in furtherance of PSD 2.Payment services can be performed in Romania by credit institutions, payment institutions (including third-party providers carrying out payment initiation services), e-money institutions, all these players being subject to prior authorisation by the NBR, capital requirements and prudential supervision. Also, under Law 209/2019, the AISPs exercising only such payment services may provide these services in Romania subject to a prior registration with the NBR registers (following consultation by such authority with the National Authority for Consumer Protection and other competent authorities) and compliance with certain conditions. Unfortunately, the Romanian legal framework does not regulate a lighter authorisation procedure for PISPs and the first such authorisation was obtained by a Romanian fintech company (Smart Fintech) only in April 2021, after a nine month-authorisation procedure. It is, however, expected that the following authorisation procedures of third-party providers will go smoother, with two other authorisation procedures pending with the NBR. Also, as of the end of May 2021, no AISP has been registered in the corresponding section of the register kept by the NBR, no public information being available in connection with the ongoing procedures carried out by third parties for such registration.When assessing the need for an authorisation as a payment institution, Fintech companies must carefully consider whether the services contemplated to be provided actually amount to regulated payment services (including payment initiation services) or whether they could be assimilated only to technical services providers which are exempted from the obligation of an authorisation in accordance with Art. 4 (j) of Law 209/2019 (transposing Art. 3 (j) of PSD 2). According to available public information, open banking imposed by PSD 2 was required to be finalised in Romania by 31 March 2021 – the final deadline assumed by the NBR to EBA being 30 April 2021. Currently, a few Romanian banks have adopted API systems created



by a Romanian Fintech company, allowing access to the account information of other main Romanian credit institutions, taking thus advantage of the opportunity of open banking offered by PSD 2. According to recent comparative data regarding the implementation of open banking in the European States,10 as of June 2021, Romania achieved one of the weakest rankings, open banking being deemed “a very low priority for regulators”.AML and international sanctions legislationPayment services, e-money and, more generally, banking and financial services businesses are also subject to Romanian AML legislation, consisting mainly of Law 129/2019, as subsequently amended, including by GEO 111/2021, transposing under the Romanian law the 4th AML Directive, as well as the 5th AML Directive. The related secondary legislation includes the dedicated regulation applicable to credit institutions, payment institutions, e-money institutions and non-banking financial institutions also qualifying as payment institutions, namely NBR Regulation 2/2019, as well as the one applicable to the regulated entities under the FSA supervision including insurers, investment funds, alternative investment funds managers, investment firms and others, namely FSA Regulation 13/2019. The implementation norms to Law 129/2019 adopted by the National Office for Prevention and Control of Money Laundering apply, inter alia, to providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers. Essentially, all such reporting entities should have KYC procedures in place and apply KYC measures in relation to their clients.Relevant for the development of Fintech activities in Romania is the recent amendment of Law 129/2019 under GEO 111/2021, transposing the 6th AML Directive with effect from July 2020, allowing now for the identification and verification of a client’s identity based on documents, data and information obtained from secure and independent sources, including, if available, means of electronic identification and relevant trust services regulated under eIDAS Regulation no. 910/2014 or via any other secure identification process at a distance or electronically, regulated, recognised, approved or accepted at a national level by the Authority for the Digitalization of Romania. Theoretically, this amendment regulates the digital identification of the reporting entities’ clients as part of the KYC process, encouraging the development of online businesses such as those developed by Fintech companies. In furtherance of this amendment, in February 2021 the Authority for the Digitalization of Romania submitted to public consultation a draft emergency ordinance regarding the identification of a person at a distance by video means. It is likely that the draft undergoing public consultation will be subject to significant amendments before its enactment by the Government, numerous comments including from the representatives of the Fintech sector criticising its scope (aimed to apply only to payment services providers, public institutions and trust services providers), requesting that such services should be provided by a broader range of service providers submitted to public consultation and requesting a longer implementation deadline. Finally, the reporting entities subject to AML legislation should also comply with the international sanctions legislation consisting in Romania of both the relevant European regulations and Government Emergency Ordinance 202/2008 as subsequently amended and its application norms enacted under Government Decision 603/2011, as amended under Government Decision 292/2021.Cryptoassets and financial instrumentsSimilar to the status of the EU legislation, there is no specific financial regulatory regime dedicated to cryptoassets under the Romanian law. In line with the 5th AML Directive,



the relevant Romanian legal framework defines the concept of cryptocurrency and digital wallet providers related to virtual currencies, and the fiscal legislation regulates the rules applicable to income tax generated by transfers of virtual currency. Also, for the purpose of implementing the Non-Cash Directive,11 a draft law is currently undergoing the legislative process for the purposes of amending the Criminal Code to cover specific sanctions related to the fraudulent use of cryptocurrency and e-money.As such, digital wallet providers and cryptocurrency exchanges qualify as reporting entities under the Romanian AML legislation and are also subject to authorisation/registration requirements with the Commission for the authorisation of the foreign exchange activity within the Ministry of Public Finance, as well as to the requirement to obtain a technical endorsement from the Authority for the Digitalization of Romania, but are not regulated as such (e.g., no specific conduct of business rules, organisational requirements being applicable). Currently, the application norms regulating the procedure for obtaining the authorisation/registration with the Ministry of Public Finance and the endorsement of the Authority for the Digitalization of Romania have not been adopted and, consequently, there is no entity authorised/registered as a digital wallet provider or cryptocurrency exchange in Romania. Providing such services without authorisation/registration may trigger criminal liability. The key piece of legislation transposing MiFID 2 in Romania is Law no. 126/2018 on markets in financial instruments (“Romanian MiFID 2 Law”), on the basis of which the FSA issued Regulation no. 5/2019 regarding the regulation of the provision of financial services and activities.To the extent that Fintech companies issue or trade in cryptoassets that may qualify as transferable securities or financial instruments, as defined under the Romanian law implementing MiFID 2, the legal regime governing the provision of financial investment services would apply, including the Prospectus Regulation, the Romanian MiFID 2 Law and the Market Abuse Regulation. The definition of financial instruments under the Romanian MiFID 2 Law is substantially similar to the one included in Section C of Annex I of MiFID 2, no additional type of instrument linked to cryptoassets being expressly included in such list under the Romanian MiFID 2 Law. Absent any specific guidelines to date from the FSA on the qualification of cryptoassets as financial instruments, it is to be expected that the relevant advice and guidelines provided by ESMA12 will play an essential role in the case-by-case analysis to be performed by the Romanian authority.Considering the lack of a dedicated legal framework on cryptoassets, the FSA has issued another warning in 2021 re-stating that cryptoassets are extremely risky and speculative, and that the majority of such assets do not qualify as financial instruments, leaving investors without the corresponding legal protection. The NBR issued similar warnings over the years in connection with the risks of financial losses posed by investments in certain cryptoassets (i.e., virtual currencies). However, the latest warning issued in April 2021 indicates that the NBR is ready to view more favourably certain types of activities connected with cryptoassets. Specifically, as compared to its initial warnings which expressly discouraged credit institutions to provide any banking services to entities involved in the cryptocurrency business, the latest warning expressly confirms that there is no legal provision prohibiting banks from offering account services to cryptocurrency exchanges or custodian wallet providers, if the AML legislation is complied with. In the absence of any local initiatives to address the risks and clarify the legal regime of cryptoassets, the use of cryptocurrencies as actual payment means as well as the financing



opportunities for fintech start-ups through ICOs and blockchain-based capital markets infrastructure is expected to reach their full potential once the future EU regulations on cryptoassets are enacted. CrowdfundingThere is no bespoke legal regime in Romania governing crowdfunding. To date, certain limited steps have been taken in view of enabling the application of the EU Crowdfunding Regulation (applicable as of November 2021), namely a draft law was submitted for public consultation aiming to amend the Romanian MiFID 2 Law in consideration of the EU Crowdfunding Regulation. However, we expect that a broader set of amendments to various pieces of legislation is required in order to allow for a proper conduct of business in Romania of the equity-based and of the lending-based crowdfunding platforms.The crowdfunding landscape in Romania is fragmented and seems to be dominated by certain equity-based crowdfunding platforms (such as Seedblink dedicated to tech start-ups), as well as by some donation and reward-based crowdfunding platforms (e.g., Startarium and Consolid8), the latter not being generally subject to licensing requirements in Romania.In the current legal environment, investment-based crowdfunding is permitted on a non-regulated basis only to the extent that the used business model does not trigger the applicability of the legislation governing financial instruments and financial services, including the Romanian MiFID 2 Law and the Prospectus Regulation, as well as the legislation implementing PSD 2, AIFMD and the Romanian legislation governing alternative investment funds. To the best of our knowledge, there are no Romanian entities holding a MiFID 2 licence operating investment-based crowdfunding platforms in Romania. On the other hand, lending-based crowdfunding platforms are not operational in Romania due to some major regulatory hurdles that seem impossible to overcome in the current regulatory framework without the involvement of a licensed entity. Essentially, the lending of money within the crowdlending platform carries the risk of being qualified as a professional lending activity, which is subject to a banking licence in Romania pursuant to GEO no. 99/2006 on credit institutions and capital adequacy. Providing lending activities for interest by a non-authorised person (the law does not distinguish between legal entities and individuals) is considered as usury and is criminally sanctioned under the Criminal Code.Data protectionAll Fintech companies that process personal data must comply with the GDPR;13 in addition, there are certain national requirements that must be observed; for example, conducting a data protection impact assessment when large-scale processing of personal data is conducted by using innovative/new technological solutions, particularly where such operations limit the ability of data subjects to exercise their rights – which may be the case for a vast number of Fintech companies. Also, Law no. 190/2018 on the measures for the application of GDPR defines the concept of national identification number as a sensitive category of personal data encompassing the personal identification number, number of the identity document, passport number, driving licence number, social health insurance number, etc. The processing thereof is subject to particular requirements if it is based on the controller’s legitimate interest. CybersecurityAccording to the Romanian Cybersecurity Law, all essential service operators (including a wide array of essential services, such as digital infrastructure, banking and financial market infrastructures) are required to comply with specific obligations, including the obligation



to (i) notify CERT-RO in order to be registered within the Registry of essential service operators, and (ii) comply with the technical norms on the minimum requirements for ensuring the security of computer networks and systems.

Restrictions

The Romanian law does not contemplate specific restrictions, nor does it create a privileged regime for Fintech companies. As such, the main restrictions from a regulatory perspective derive from the authorisation/licensing requirements if the business model targeted by the Fintech companies falls under the scope of the regulatory regimes set out above or from the lack of a dedicated legal framework or of any authority guidance (e.g., P2P/P2B lending-based crowdfunding platforms and cryptoassets, which puts Romania at a competitive disadvantage as compared to other EU jurisdictions). Additionally, even when there is legal framework in place, the lengthy authorisation process and the high costs involved have proven to be significant hurdles for Fintech start-ups so far.


EEA-licensed Fintech companies that carry out EU regulated activities (as mentioned above) may enter the Romanian Fintech market based on the well-known EU passporting regime. Non-EEA-based companies with the same (regulated) business models targeting the local market will need to pass the relevant licensing test before the NBR or the FSA. Foreign Fintech companies that carry out non-licensed businesses which may cross/overlap with the EU regulated activities (e.g. crowdfunding platforms) based on specific endorsements from local foreign authorities face risks triggered by the scarce regulatory framework in Romania. Business models will be ultimately assessed by NBR and/or FSA, as applicable, for activities carried out in Romania. There are no particular rules to access the Romanian market by foreign Fintechs that do not carry out regulated activities (such as infrastructure provider/enabler Fintechs) – general business rules apply. On the opposite stream, several local Fintechs have already crossed borders with their solutions (e.g. FintechOS) targeting the EU market.

* * *

Endnotes1. Future Banking Fintech Edition, Romania’s Fintech Map V.2.1 2021.2. Tech.eu, The State of Fintech in Europe, January 2021.3. TechCrunch.com, 8 investors tell us the story behind the Romanian startup boom, see:

https://techcrunch.com/2021/01/23/8-investors-tell-us-the-story-behind-the-romanian-startup-boom/.

4. On the listing of UiPath, considered one of largest US software IPOs in history, see: https://www.siliconrepublic.com/companies/uipath-ipo-software-stock-market; https://www.ft.com/content/05fb8ebd-26b1-48ca-be29-1ede7381da3b.

5. https://scoopempire.com/here-are-the-top-15-countries-with-the-fastest-internet-speed-in-2021.

6. The FSA 2021–2023 strategy (in Romanian only).



7. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.

8. Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets and amending Directive (EU) 2019/1937; Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology.

9. Law no. 362/2018 on measures to secure a high common level of security of networks and information systems, which transposes at national level the NIS Directive.

10. https://www.yapily.com/blog/european-open-banking-league-table.11. Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April

2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA.

12. ESMA Advice on ICO and Crypto-Assets, 9 January 2019 | ESMA50-157-1391. 13. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April

2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Simona PetrisorTel: +40 31 224 8413 / Email: [email protected] Petrişor is the Head of the Banking & Finance practice of Bondoc și Asociații SCA. With over 16 years of experience, Simona focuses her practice primarily in the areas of banking & finance, capital markets, financial services regulations and restructuring & insolvency. Simona has gained significant experience on regulatory matters in financial services, having advised banking, payment institutions, e-money issuers, insurance, asset management companies, alternative investment funds and fintech companies, as well as their senior officers and investors, on transactional, enforcement and regulatory matters. Simona’s transactional practice focuses on capital raising, debt finance, restructuring and activism matters. She has an integrated transactional and regulatory approach, particularly helpful in the structuring phases of complex transactions or innovative products.

Diana E. IspasTel: +40 31 224 8418 / Email: [email protected] E. Ispas is a Partner with over 15 years of experience focusing on banking, finance and capital markets, financial services and corporate governance. Diana’s regulatory experience covers the full spectrum of financial services (e.g., payment services, insurance, pensions, e-money), being well versed in dealing with complex financial regulatory projects and having obtained precedent-setting interpretations from regulatory authorities. In addition to the extensive experience covering virtually all types of traditional financing (from syndicated loans to corporate and municipal bond issues and IPOs), Diana provides regular advice to various players, including Fintech companies and banks in connection with alternative financing means, such as crowdfunding and DLT-based products, as well as advice on financial service digitalisation.Diana is an active contributor to the improvement of financial services legislation and a co-author of key industry guidelines.

Bondoc și Asociații SCALondra Street 34, Bucharest 011764, Romania

Tel: +40 31 224 8400 / URL: www.bondoc-asociatii.ro



Alexandru AchimTel: +40 31 224 8472 / Email: [email protected] Alexandru Achim is an Associate Attorney with Bondoc și Asociații SCA with over five years of professional experience in the areas of banking and finance, regulatory and compliance in financial services and capital markets. Alexandru has advised local and foreign banks as well as international finance institutions on a wide range of domestic and cross-border finance transactions and has developed knowledge on the payment and electronic money services regulatory framework, as well as sanctions and anti-money laundering legislation along with crowdfunding and cryptoassets legal challenges, by providing legal assistance in connection with certain innovative products targeting the Romanian market.

SingaporeLim Chong Kin & Benjamin Gaw

Drew & Napier LLC



The Singapore government and its statutory boards, including and most notably, the Monetary Authority of Singapore (“MAS”), have identified FinTech as a potential growth area. They have launched numerous initiatives to support FinTech investment and innovation in Singapore.Institutional developmentsIn 2015, the MAS formed the FinTech & Innovation Group (“FTIG”) dedicated to formulating regulatory policies and developing strategies to facilitate the use of technology and innovation, to better manage risks, enhance efficiency, and strengthen competitiveness in the financial sector.1

At a nationwide institutional level, the MAS and the National Research Foundation in the Prime Minister’s Office of Singapore jointly established a FinTech Office in May 2016. This is intended to serve as a one-stop office for all FinTech matters and to promote Singapore as a FinTech hub.2 FinTech businesses may seek advice on government grants and schemes through the FinTech Office. Broadly, the grants and schemes include: (1) the Financial Sector Technology and Innovation (“FSTI”) scheme, under the purview of the MAS; (2) Enterprise Development Grants approved by Enterprise Singapore (a statutory board under the Singapore Ministry of Trade and Industry); and (3) Startup SG programmes, also under Enterprise Singapore. In response to the COVID-19 pandemic, the MAS announced on 8 April 2020 a S$125 million package for the financial and FinTech sectors.3

For instance, the FSTI Proof of Concept scheme aims to promote experimentation within the financial services sector in Singapore, and to accelerate the development and dissemination of early-stage innovative technologies in financial services. Depending on the project, the MAS may provide funding support of up to 50% to 70% of qualifying costs, up to S$400,000, for up to 18 months to Singapore-based financial institutions and technology or solution providers working with Singapore-based financial institutions for early-stage development of innovative solutions.4

Regulation – MAS’s principles of FinTech regulationApart from being the central bank, the MAS is the key regulator overseeing the financial industry in Singapore, and has oversight over financial institutions such as banks, insurers and insurance intermediaries, capital market intermediaries, financial advisers and the stock exchange. In supporting the development of the FinTech industry, the MAS indicated that its role is two-fold: to provide regulation conducive to innovation while fostering safety and security; and to facilitate the infrastructure for an innovative ecosystem and the adoption of new technologies.5

Drew & Napier LLC Singapore


The MAS also laid down general principles underlying its approach to FinTech regulation. First, the MAS indicated that regulation should not “front-run” innovation. Instead, it would monitor new innovative offerings, and continually evaluate whether there is a need to regulate them. In addition, any regulation should be introduced when risks arising from the new technology are material or cross a certain threshold, and regulation should be proportionate to the risk posed.6 Lastly, the MAS would seek to incentivise risk mitigation aspects resulting from the new technologies while restraining any new risks created.Regulation – MAS’s FinTech regulatory initiativesIn line with its regulatory principles, the MAS introduced a FinTech Regulatory Sandbox for financial institutions and new FinTech players to test innovative FinTech products or services in the production environment, but within a well-defined space and duration. Under the FinTech Regulatory Sandbox, the MAS may relax specific legal and regulatory requirements which the entity would be otherwise subject to.7

In addition, the MAS has issued “softer” regulatory instruments, such as guidelines providing interpretative guidance on the application of existing legislation to innovative FinTech solutions. These include the Guidelines on Provision of Digital Advisory Services (“Robo-advisory Guidelines”) and A Guide to Digital Token Offerings. The MAS also issued several guidelines outlining its expectations of financial institutions to address the risks from new technology solutions. For instance, the E-Payments User Protection Guidelines set out duties and responsibilities of certain financial institutions and consumers in respect of payment transactions, thereby mitigating risks from unauthorised and erroneous transactions. In addition, the MAS issued notices on technology risk management and risk management practices on outsourcing, e.g., to third-party cloud computing services.In view of FinTech payment solutions, the MAS was also integral in introducing the new Payment Services Act 2019 (No. 2 of 2019) (“PSA”), which came into force on 28 January 2020. The PSA is a single, activity-based and risk-specific legislation for payment-related services, consolidating existing payments regulatory frameworks and introducing new types of licensable payment services. There are now seven types of payment services regulated under the PSA.8

Infrastructure – strengthening FinTech infrastructureThe MAS has introduced several major initiatives to improve the national payments infrastructure, in furtherance of its objective of creating a Smart Financial Centre. In particular, the MAS worked with industry players such as banks to develop the Fast and Secure Transfers (“FAST”) system, a 24/7 real-time inter-bank funds transfer system. The MAS was also involved in implementing PayNow, which operates on FAST. PayNow enables individuals or businesses to instantly transfer money using unique identifiers such as their personal identification number or mobile phone number.9 From February 2021, non-bank financial institutions (“NFIs”) can connect to FAST and PayNow, allowing such NFIs to provide e-wallets that can transfer funds in real-time to and from bank accounts and other e-wallets.10

To streamline multiple payment channels, the MAS introduced the Unified Point-of-Sale Terminal (“UPOS”) which accepts all major credit card brands regardless of the technologies used (for example, whether using a smart chip, Near Field Communication (“NFC”) technology or Quick Response (“QR”) code). Moreover, the MAS facilitated the creation of a QR code known as the Singapore Quick Response Code (“SGQR”), which would be adopted by payment applications as a single unified QR code for payment. This dispenses with the need for multiple QR codes from various payment service providers to be displayed at the payment terminal.



To facilitate financial planning, the Singapore Financial Data Exchange (“SGFinDex”) was launched. SGFinDex allows Singaporeans to retrieve personal financial information (such as deposits, credit cards, loans, and investments) from financial institutions and government agencies on a single secure and centralised gateway. To facilitate collaboration between traditional players and new FinTech players in the financial services industry, the MAS introduced a Financial Industry Application Programming Interface (“API”) Register, containing 1,686 APIs (as of 2020) in various functional categories such as transactions, sales and marketing. The Register is updated on an ongoing basis and provides FinTech startups with a consolidated Register to utilise APIs contributed by financial institutions. The MAS has also undertaken a collaborative project named “Project Ubin” with various local and international players, including the Bank of England and the Bank of Canada, which explores the use of distributed ledger technology (“DLT”) for clearing and settlement of payments and securities, both within and across borders.11 On 13 July 2020, the MAS and Temasek jointly released a report, marking the successful conclusion of the project which saw the successful development of “a blockchain-based multi-currency payments network”.12

FinTech offering in Singapore

FinTech offerings – an overviewFinTech offerings in Singapore include operating cryptocurrency exchanges and the offering of digital tokens (such as initial coin offerings (“ICOs”) and security token offerings), the development of electronic payments or fund transfer solutions, digital advisory services (“robo-advisers”), and digital banking services.Existing FinTech payments solutionsOne key example of disruption is the introduction of FinTech solutions that offer mobile or contactless payments and/or fund transfers. As mentioned, a number of these FinTech solutions involve government-initiated schemes, including PayNow, SGQR and UPOS. PayNow enables customers of any of the seven participating banks (namely, Citibank Singapore, DBS Bank/POSB, HSBC, Maybank, OCBC Bank, Standard Chartered Bank and UOB) to transfer funds directly to one another using their mobile phone number or personal identification number (i.e., NRIC/FIN), almost instantly and on a 24/7 basis, without the receiver needing to download the app. There is no need to input the recipient’s bank and account number when transferring money via PayNow. The PayNow service has been expanded (under PayNow Corporate) to include businesses which are customers of the nine participating banks (including Bank of China and Industrial and Commercial Bank of China in addition to the initial seven banks).13 PayNow Corporate allows businesses and the Singapore government to instantly pay and receive money using the organisation’s Unique Entity Number.14 On 29 April 2021, the MAS and the Bank of Thailand launched the linkage of PayNow with Thailand’s PromptPay, offering the transfer of funds of up to S$1,000 or THB25,000 daily using just a mobile number, the first of its kind globally.Contactless and cashless payment services (for example, through the use of NFC, QR codes, etc.) offered by established international players such as Apple Pay, Android Pay and Samsung Pay are also prevalent, allowing users to tap and pay for goods and services at any Visa payWave and Mastercard PayPass contactless payment terminals.15 Other cashless mobile payment options include GrabPay, Singtel Dash and Alipay. For GrabPay and Singtel Dash, deductions may be made from users’ e-wallets when users tap their smart



phones on local merchants’ contactless payment terminals. Meanwhile, Alipay is a China-based cashless payment service provider that allows payments to be made by scanning the QR code at the payment terminal, much like PayNow.16

Depending on the scope of the FinTech activities, electronic payment and fund transfer solutions may have to comply with regulatory requirements relating to payment systems and stored value facilities under the PSA. In addition, licensing requirements relating to the carrying on of a remittance business may apply if the payments services provider facilitates fund transfers out of Singapore.ICOs and cryptocurrency exchangesSingapore is also one of the largest markets for ICOs. Notable ICOs include the ICO by blockchain startup TenX and PolicyPal.The MAS stated that it may regulate digital token offerings if the digital tokens constitute capital markets products regulated under the Securities and Futures Act (Cap. 289) (“SFA”), which includes shares, debentures, units in a collective investment scheme and derivative contracts. This would depend on the characteristics and the rights attached to the digital token. Where the digital tokens constitute products regulated under the SFA, the offeror may have to comply with prospectus registration requirements for the offering of the digital tokens. Licensing requirements may apply to the dealers, advisers and other parties. Operators of platforms and markets facilitating the secondary trading of such digital tokens may have to be approved or recognised by the MAS as an approved exchange or a recognised market operator, unless so exempted. iSTOX, which uses blockchain technology, was approved by the MAS as a recognised market operator and capital markets services (“CMS”) licensee in February 2020.Regardless of the applicability of the SFA, the offeror would be subject to ongoing anti-money laundering and countering the financing of terrorism (“AML/CFT”) laws, such as the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (Cap. 65A), and the Terrorism (Suppression of Financing) Act (Cap. 325). This would include a mandatory suspicious transaction reporting requirement for any person who reasonably suspects that any property or part thereof is linked to the prescribed drug dealing or serious crimes, which must be reported to the Suspicious Transaction Reporting Office (“STRO”) of Singapore. Further guidance may be obtained from the Guidelines on Prevention of Money Laundering and Countering the Financing of Terrorism.Licensing requirements are applicable to “account issuance services” under the PSA. Under the First Schedule, this refers to the service of issuing a payment account to any person in Singapore, or any service enabling money to be placed or withdrawn from a payment account, such as an e-wallet. Licensing requirements also apply to “digital payment token services”, defined as any service of dealing in or facilitating the exchange of digital payment tokens. Depending on the scope of payment services, offerors conducting ICOs or operating cryptocurrency exchanges may potentially be required to obtain a licence under the PSA. On 4 January 2021, the Singapore Parliament passed certain amendments to the PSA, which will widen the definition of “digital payment token services” to regulate activities of virtual asset service providers under new standards adopted by the Financial Action Task Force on AML/CFT laws.Digital advisory services (robo-advisers)The financial advisory space in Singapore has seen several new FinTech players offering digital advisory services (i.e., robo-advisers), which are advisory services on investment



products based on automated, algorithm-based tools involving limited or no human interaction. Notable robo-advisers include StashAway, AutoWealth, MoneyOwl and Endowus.With the increasing prevalence of digital advisory services, the MAS issued the Robo-advisory Guidelines in October 2018, where the MAS stated that while there is no separate authorisation regime for robo-advisers, the licensing framework under the SFA and the Financial Advisers Act (Cap. 110) (“FAA”) is technology-agnostic. Therefore, robo-advisers need to be licensed if they carry out regulated activities under the relevant legislation, unless exempted, particularly if they provide financial advisory services within the ambit of the FAA. In addition, if the robo-adviser offers a platform for the execution of certain investment products, it may be required to hold a CMS licence under the SFA for dealing in capital markets products. Where the robo-adviser retains some discretion over management of the clients’ investment portfolio, a CMS licence under the SFA in fund management may be required.17

Digital banksOn 4 December 2020, the MAS announced four successful digital bank applicants. The MAS awarded Digital Full Bank licences to: (i) a consortium comprising Grab Holding Inc. and Singapore Telecommunications Ltd.; and (ii) an entity wholly-owned by Sea Ltd, which will allow them to provide banking services to retail and corporate customers without physical branches or ATMs. The MAS also awarded Digital Wholesale Bank licences to: (i) an entity wholly-owned by Ant Group Co. Ltd.; and (ii) a consortium comprising Greenland Financial Holdings Group Co. Ltd, Linklogis Hong Kong Ltd, and Beijing Co-operative Equity Investment Fund Management Co. Ltd.18


RegTechLocal banks have been utilising RegTech solutions to comply with their ongoing regulatory obligations, such as AML/CFT obligations. For instance, OCBC collaborated with the Singapore Police Force for Project Poet (Production Orders: Electronic Transmission) in 2019 to allow banking information to be conveyed more promptly between the bank and the police, which enhances Singapore’s AML risk management regime. The MAS also sought to enhance supervision and surveillance of unlicensed ICOs by making use of data such as transactional information on public blockchains, and assessing their ML/TF risks.While the use of RegTech solutions may facilitate FinTech service providers’ compliance with ongoing regulatory obligations, in the event of any regulatory breach, the FinTech service provider would likely be held responsible for the breach. In this regard, the FinTech service provider should undertake prudent risk-management practices and when engaging a third-party RegTech service provider, should retain overall supervision and oversight. Further guidance may be obtained from the MAS’s Guidelines on Outsourcing and Guidelines on Technology Risk Management.On 30 April 2021, the MAS announced a grant scheme for Singapore-based financial institutions to promote technology adoption in risk management and compliance.19

InsurTechSingapore is one of the largest InsurTech hubs in the Asia region.20 Singapore InsurTech companies include Singlife, which provides digital life insurance services and Bandboo, a



peer-to-peer online platform for people to co-insure one another21 and PolicyPal Network, a direct insurance broker that employs machine learning and artificial intelligence to offer digital insurance policies and allows users to select and manage existing policies. Users can upload their existing policies to understand their insurance coverage and research on available policies with global insurance companies, including big names like Allianz, HSBC Insurance and AXA.22

Besides InsurTech companies, there are also notable InsurTech innovation labs in Singapore. One example is the Metlife Lumenlab, which focuses on building new products and services grounded in technology and data to help people achieve richer and more fulfilling lives. Solaria Labs was also launched in Singapore to build and test experimental new products based on customer-centric research around emerging trends such as next-generation vehicles, connected life and the sharing economy.23 The Singapore government has recognised the potential of InsurTech. Minister Ong Ye Kung, an MAS board member, noted the MAS’s desire to continue to encourage and foster Insurance-InsurTech collaborations.24 While there is currently no legislation specifically regulating InsurTech under Singapore law, InsurTech companies may be regulated under legislation such as the FAA or the Insurance Act (Cap. 142). Meanwhile, the MAS has stated that it is technology-neutral and will not favour one technology over another, and will monitor technological developments of the industry closely.25

Regulatory bodies

The specific regulatory bodies involved depends on the nature of the entity’s FinTech services or products, and its business activities. The MAS is the key regulator of the financial services industry in Singapore, and administers various legislation governing financial institutions such as banks, insurers and insurance intermediaries, capital market intermediaries, financial advisers and stock exchanges. Notably, moneylenders are not regulated by the MAS but under the Moneylenders Act (Cap. 188), under the purview of the Registry of Moneylenders (part of the Singapore Ministry of Law).The Accounting and Corporate Regulatory Authority (“ACRA”), a statutory board instituted under the Singapore Ministry of Finance, is the regulator of business entities, public accountants and corporate service providers in Singapore. ACRA monitors registered companies’ compliance with the Companies Act (Cap. 50), including prescribed regulatory filings and lodgments.The Competition and Consumer Commission of Singapore (“CCCS”), a statutory board under the Ministry of Trade and Industry, administers and enforces the Competition Act (Cap. 50B), which governs competition law matters in Singapore. The CCCS also administers the Consumer Protection (Fair Trading) Act (Cap. 52A) (“CPFTA”), the principal consumer protection legislation in Singapore. FinTech business dealing with consumers should be aware that most MAS-regulated financial products and services come within the ambit of the CPFTA, and consumers can seek redress and civil remedies for unfair practices in respect of these financial products and services. In terms of matters relating to personal data protection, the Singapore Personal Data Protection Commission is the regulatory authority administering and enforcing the Personal Data Protection Act 2012 (No. 26 of 2012), which governs the collection, use and disclosure of personal data.Different regulatory bodies may also administer FinTech-related government grants or incentive schemes. For instance, this may include the MAS and Enterprise Singapore.




An overview of the MAS’s approach to regulatory approach and policies relating to FinTech is discussed in the section “Approaches and developments”.FinTech-related regulationPresently, there is no single omnibus legislation regulating FinTech offerings per se. Existing financial services legislation is technology-agnostic and apply to FinTech services and products if they fall within the scope of regulated financial activities. Depending on the nature of services and products, some of the following FinTech-related legislation may be applicable:• the SFA;• the Companies Act (Cap. 50); • the FAA;• the Insurance Act (Cap. 142);• the Banking Act (Cap. 19);• the Trust Companies Act (Cap. 336);• the Moneylenders Act (Cap. 188);• the Currency Act (Cap. 69); and• the Commodity Trading Act (Cap. 48A).Depending on the precise scope of FinTech activities, regulatory issues may include (among others):• prospectus registration requirements for offering capital market products to persons in

Singapore under the SFA;• licensing requirements for carrying on business in regulated activities (e.g., dealing in

capital markets products or fund management) under the SFA;• regulatory requirements for operating a secondary trading facility for certain financial

products under the SFA; • licensing requirements for providing financial advisory services within the meaning of

the FAA; and• licensing requirements for carrying on a moneylending business under the Moneylenders

Act (Cap. 188).PSAAs stated, the PSA came into force in January 2020. It streamlines the previous legislative regime for payment services, by combining and repealing the Payment Systems (Oversight) Act and the Money-changing and Remittance Businesses Act (“MCRBA”). In addition, the PSA expands the scope of regulated payment services to seven types of payment services.The PSA consists of two parallel regulatory frameworks: (a) the licensing regime for payment service providers; and (b) the designation framework for significant payment systems. With respect to the licensing regime, the PSA regulates seven types of payment services, namely: (a) account issuance services;(b) domestic money transfer services; (c) cross-border money transfer services; (d) merchant acquisition services; (e) electronic money (“e-money”) issuance services;(f) digital payment token services; and (g) money-changing services.



Providers of such payment services are required to hold a licence under the PSA, unless otherwise exempted.The payment services provider needs to hold the class of licence which corresponds to the risk posed by the scale of services provided. There are three classes of licence under the PSA, namely:(a) a money-changing licence for carrying on a business of providing money-changing

services, but not any other regulated payment services;(b) a standard payment institution licence for carrying on a business of providing any

regulated payment service (other than money-changing) which does not meet the thresholds set out under limb (c); and

(c) a major payment institution licence for carrying on a business of providing any payment services (other than money-changing) which exceeds certain prescribed thresholds, including, for services other than e-money issuance and e-money account issuance, where the monthly average of the total value of all payment transactions that were accepted, processed, or executed exceeds: (i) S$3 million for any one of the regulated payment services; or (ii) S$6 million for two or more of the regulated payment services.

Furthermore, the PSA stipulates that where any type of payment service is provided while the person carries on any primary business, that person is presumed to carry on a secondary business of providing that type of payment service, regardless of whether provision of the service is related or incidental to the primary business. Accordingly, the appropriate licence for that payment service has to be obtained. This expressly displaces the Singapore High Court case of Chinpo Shipping co v PP (2017), which suggested that remittances purely incidental to a primary business of ship agency and chandelling did not constitute a remittance business that requires licensing under the now-repealed MCRBA.26

Where a FinTech business operates e-wallets or deals in digital payment tokens, it may be subject to the licensing requirements under the PSA. However, there are carve-outs from regulation under the PSA for payment services that do not pose sufficient risk to warrant regulation, particularly for services related to limited purpose e-money, and the dealing in or exchange of limited purpose digital payment tokens.27 Other carve-outs include payment transactions performed by authorised commercial agents for the sale or purchase of goods or services.Regulatory SandboxThe MAS introduced the FinTech Regulatory Sandbox in 2016 to allow financial institutions and startups with a nascent FinTech service or product to experiment in a controlled environment to mitigate any financial risks. The parameters of each Regulatory Sandbox are tailored to address the risks posed by the FinTech service or product, and the MAS will decide on the specific regulatory requirements that may be relaxed during the sandbox period.In 2019, the MAS launched Sandbox Express, a sandbox with fast-track approvals available within 21 days as a complement to the present FinTech Regulatory Sandbox. By doing so, the MAS seeks to encourage innovation by allowing for experiments to be embarked upon more quickly by introducing pre-defined sandboxes without a need for the MAS to create sandboxes specific to the applicant. Sandbox Express was originally available for insurance brokers, recognised market operators and remittance businesses but from January 2020, Sandbox Express is no longer available for remittance businesses as the MCRBA was repealed with the commencement of the PSA, and they are subject to regulatory requirements under the PSA, under Activity C.



Restrictions

As stated above, the MAS’s regulatory approach is to be facilitative towards innovation in the financial sector, while managing risks appropriately. Thus, the MAS has not imposed outright bans or blanket prohibitions with respect to particular FinTech activities, even where such activities have been prohibited by other jurisdictions, e.g. cryptocurrency exchanges or ICOs. Generally, with respect to FinTech, the MAS takes a technology-neutral approach in administering and enforcing legislation. Therefore, emerging FinTech activities within the scope of existing regulated activities would need to comply with such regulatory regimes. The MAS monitors Singapore’s FinTech landscape and takes enforcement action to ensure compliance.For instance, the MAS has taken a more restrictive approach towards FinTech services which stray into shadow banking. The MAS stated that carrying on the business of taking deposits and lending to the public crosses into the territory of banking business, and upon crossing that line, a banking licence, which imposes higher regulatory standards, including capital and liquidity requirements and more stringent risk management practices, would be required. Thus, under the PSA, larger e-wallet operators with an average daily e-money float of more than S$5 million will have to ring-fence the e-money float in a prescribed manner, and are not permitted to provide loans out of the e-money float without holding the requisite licences.28

In line with the MAS’s stated objective to help ensure that consumers are well-informed and empowered,29 in 2017, the MAS issued an advisory to the public on the significant risks in investments. The MAS notes that these risks include highly speculative valuation, heightened risk of fraud and lack of a proven track record. In addition, the MAS noted that cryptocurrencies are not regulated, and members of the public who lose money in cryptocurrency investments are unable to rely on any protection afforded under legislation administered by the MAS.Where FinTech activities come within the ambit of existing legislation, the MAS has shown that it is willing to take action against errant FinTech players, to address any financial risks. In March 2020, the MAS penalised a firm for failure to comply with the MAS’s AML/CFT requirements. Compliance with securities laws also extends to digital token exchanges. In May 2018, the MAS issued warnings to eight digital token exchanges in Singapore not to facilitate trading in digital tokens that are deemed to be securities or futures contracts without being authorised by the MAS. The MAS also recognised the risk that FinTech activities relating to digital tokens are prone to being misused for illegal activities due to the anonymity of the transactions, and the ease with which large sums of monies may be raised in a short period of time. Thus, the MAS and the Commercial Affairs Department (a department of the Singapore Police Force) jointly issued a public advisory warning of the risks of digital token-related investment schemes.


Despite the COVID-19 pandemic, FinTech investments in Singapore have remained strong. Investments rebounded in the second quarter of 2020 to US$278 million, four times that of the first quarter and Singapore ranked as Asia-Pacific’s top destination, with more than 40% of FinTech firms in South-East Asia based in Singapore.30



To facilitate cross-border business, Singapore has entered into Digital Economy Agreements with Australia, Chile and New Zealand.31

In recognition of the potential risks and benefits arising from FinTech applications, which are virtual and may have cross-border implications, Singapore regulators pro-actively entered into co-operation agreements and arrangements with their foreign counterparts. For instance, in the context of cross-border payments, the MAS and the Bank of Canada collaborated in the use of DLT and central bank digital currencies to make the cross-border payment process cheaper, faster and safer.The MAS is a signatory to numerous FinTech Co-operation Agreements (approximately 35 to date) with their international counterparts which strengthen the MAS’s ability to co-operate and exchange information with foreign regulators on FinTech, as well as to promote innovation in financial services in the respective markets. For instance, in November 2019, the MAS concluded a FinTech Co-operation Agreement with eight members of the Canadian Securities Administrators to facilitate access by FinTech firms to each other’s markets.32 To effectively monitor cross-border capital markets activities, the MAS can rely on a broad surveillance network with foreign securities regulators under the International Organisation of Securities Commissions Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information. Such frameworks facilitate cross-border co-operation in the area of enforcement, by establishing a channel for the sharing of information among regulators.33 In this regard, while FinTech services are virtual and may be borderless in nature, it should be noted that some legislation, such as the FAA and the SFA, contain provisions which give them extraterritorial effect. Accordingly, an act done entirely outside of Singapore but which has a “substantial and reasonably foreseeable effect” in Singapore may still contravene the FAA or the SFA. Therefore, the offering of FinTech products and services from entities based in foreign jurisdictions to persons in Singapore may have potential regulatory implications in Singapore on the part of the offeror.With respect to money-laundering risks posed by FinTech activities, Singapore’s main AML legislation, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (Cap. 65A), expressly allows for the assertion of criminal extraterritorial jurisdiction, and empowers regulators and other government authorities such as the STRO to exchange information and jointly co-operate in enforcement. The STRO is a member of the Egmont Group of Financial Intelligence Units (“FIU”), which is a forum for FIUs worldwide to enhance support to respective governments against money laundering and other serious financial crimes.34

Furthermore, FinTech may result in increased cybercrime and cybersecurity risks, which may originate outside of Singapore, and are addressed in international co-operation arrangements. The Cybersecurity Act 2018 (No. 9 of 2018) and the Computer Misuse Act (Cap. 50A) set out the framework for cross-border enforcement of cybercrime, and the Cyber Security Agency of Singapore works closely with its foreign counterparts, through information-sharing arrangements, to facilitate cybersecurity investigations.35 Furthermore, the MAS has, in collaboration with the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), established an Asia Pacific Regional Intelligence and Analysis Centre to encourage regional sharing and analysis of cybersecurity information within the financial services sector,36 and in 2017, the FS-ISAC and the MAS launched the FS-ISAC Asia Pacific Regional Analysis Centre’s office and operations in Singapore.



Endnotes1. https://www.mas.gov.sg/news/media-releases/2015/mas-sets-up-new-fintech-and-

innovation-group.2. https://www.mas.gov.sg/news/media-releases/2016/new-fintech-office.3. https://www.mas.gov.sg/development/fintech/covid-19-support-package-for-fintechs.4. https://www.mas.gov.sg/development/fintech/mas-fsti-proof-of-concept-grant.5. https://www.mas.gov.sg/news/speeches/2016/singapore-fintech-journey.6. https://www.mas.gov.sg/news/speeches/2016/singapore-fintech-journey.7. https://www.mas.gov.sg/development/fintech/regulatory-sandbox. See also: https://

www.mas.gov.sg/-/media/MAS/Smart-Financial-Centre/Sandbox/FinTech-Regulatory-Sandbox-Guidelines-19Feb2018.pdf.

8. https://www.mas.gov.sg/-/media/MAS/FAQ/PS-Act-Infographic.pdf.9. https://www.mas.gov.sg/news/speeches/2018/epayments-for-everyone.10. https://www.mas.gov.sg/news/media-releases/2020/non-bank-financial-institutions-to-

have-access-to-fast-and-paynow.11. http://www.mas.gov.sg/Singapore-Financial-Centre/Smart-Financial-Centre/Project-

Ubin.aspx.12. https://www.mas.gov.sg/-/media/MAS/ProjectUbin/Project-Ubin-Phase-5-Enabling-

Broad-Ecosystem-Opportunities.pdf.13. https://www.straitstimes.com/business/banking/bank-of-china-icbc-join-7-other-

banks-offering-paynow-in-singapore.14. https://www.businesstimes.com.sg/banking-finance/paynow-corporate-seen-as-game-

changer-in-singapores-cashless-drive.15. https://www.straitstimes.com/tech/cashless-payment-systems-in-singapore.16. https://www.straitstimes.com/tech/cashless-payment-systems-in-singapore.17. https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/

Regulations-Guidance-and-Licensing/Securities-Futures-and-Fund-Management/Guidelines-on-Provision-of-Digital-Advisory-Services--CMGG02.pdf.

18. https://www.mas.gov.sg/news/media-releases/2020/mas-announces-successful-applicants-of-licences-to-operate-new-digital-banks-in-singapore.

19. https://www.mas.gov.sg/news/media-releases/2021/mas-commits-42m-to-spur-adoption-of-technology-solutions.

20. http://fintechnews.sg/23449/insurtech/asia-100-insurtech-companies.21. http://fintechnews.sg/23449/insurtech/asia-100-insurtech-companies.22. https://www.todayonline.com/business/policypal-be-first-digitised-direct-insurance-broker.23. http://fintechnews.sg/26093/fintech/top-28-fintech-and-insurtech-innovation-labs-in-

singapore.24. https://www.mas.gov.sg/news/speeches/2019/opening-address-by-minister-ong-ye-

kung-at-manulife-tower-opening-ceremony.25. https://www.mas.gov.sg/news/speeches/2018/life-insurance-industry.26. https://www.parliament.gov.sg/docs/default-source/default-document-library/

payment-services-bill-48-2018.pdf.27. https://www.mas.gov.sg/-/media/MAS/FAQ/Payment-Services-Act-FAQ-4-

October-2019.pdf.28. https://www.straitstimes.com/business/rules-to-bar-fintechs-from-moving-into-

banking-ops.29. http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20

and%20Information%20Papers/Objectives%20and%20Principles%20of%20Financial%20Supervision%20in%20Singapore.pdf – see page 11, paragraph 17.



30. https://www.straitstimes.com/business/banking/singapore-fintech-investments-rebounded-to-371-million-in-q2-report.

31. https://www.mas.gov.sg/news/speeches/2020/speech-by-mr-heng-swee-keat-at-sff-x-switch-2020.

32. https://www.mas.gov.sg/news/media-releases/2019/canadian-securities-regulators-and-mas-strengthen-cooperation-in-fintech.aspx.

33. http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20and%20Information%20Papers/MAS%20Capital%20Markets%20Enforcement.pdf.

34. http://www.mas.gov.sg/~/media/MAS/News%20and%20Publications/Monographs%20and%20Information%20Papers/MAS%20Capital%20Markets%20Enforcement.pdf.

35. https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/cybersecurity_act_faq.pdf.36. https://www.mas.gov.sg/news/media-releases/2017/fs-isac-and-mas-to-strengthen-

cyber-information-sharing-across-nine-countries.

Lim Chong KinTel: +65 6531 4110 / Email: [email protected] Kin is Managing Director of Drew & Napier’s Corporate & Finance Department. He also heads the TMT, Competition and Data Protection & Cybersecurity Practice Groups. Under Chong Kin’s leadership, Drew & Napier LLC’s TMT Practice Group has consistently been ranked the leading information technology practice in Singapore.In the area of FinTech, Chong Kin often assists his technology-based clients to deploy payment platforms solution and enter into the finance-related sector, arising from the convergence of technology and financial regulation. With his strong background in competition, data-protection and technology laws, he is also depended upon by finance-related companies to deploy technology solutions.Chong Kin is cited as a leading lawyer by Asia Pacific Legal 500, Chambers Asia-Pacific, PLC Which Lawyer?, International Who’s Who of Regulatory Communications Lawyers, Competition Lawyers & Economists, Best Lawyers and Asialaw Leading Lawyers.

Benjamin GawTel: +65 6531 2393 / Email: [email protected] is a Director in the Corporate & Finance Department, as well as Head of Healthcare & Life Sciences – Corporate & Regulatory. He is also a member of the TMT Practice Group and the Employment Practice Group.Benjamin has advised founders and investors in early-stage investments for FinTech startups. He has advised on issues pertinent to early-stage funding rounds, including issues relating to preference shares, board representation, liquidation preference, reserved matters, anti-dilution protection, founders’ rights, buy-out clauses and minority protection.Benjamin’s FinTech expertise includes advising on emerging and established payments solutions, payment gateways, blockchain-based digital investment platforms, cryptocurrencies and ICOs, e-wallets, contactless and mobile payments solutions, and digital gift vouchers.Benjamin regularly advises on FinTech-related licensing and regulatory issues, including requirements relating to securities offering, dealing in capital markets products, securities markets, payment systems, stored value facilities, remittance services and money-changing services.Amongst other awards, recognitions and citations, he is cited as a market-leading lawyer by Asialaw for Corporate/M&A, and a recommended lawyer by The Legal 500 Asia Pacific. He is endorsed by Best Lawyers 2020 for Information Technology, and recognised by Who’s Who Legal 2016 as a leading lawyer for Telecommunications Media and Technology. He is also listed by the Singapore Business Review as one of Singapore’s 70 most influential lawyers aged under 40.

Drew & Napier LLC10 Collyer Quay, #10-01 Ocean Financial Centre, 049315 Singapore

Tel: +65 6535 0733 / URL: www.drewnapier.com



SpainAlfonso López-Ibor Aliño, Olivia López-Ibor Jaume & Alejandro Sosa Röhl

López-Ibor Abogados



Spain’s startup scene has been in constant revolution for the past few years. According to the latest fintech report by El Referente, the number of Spanish fintechs increased to over 400 operative startups in 2020. Traditionally, the fintech companies that have been predominant in the Spanish ecosystem are those in the payments and e-payments and loans sectors, 30% of the total number of fintech companies. However, while growth is seen in almost all fintech sectors, the incorporation of digital payments has decreased despite being one of the sectors with the most fintech companies. Currently, the most popular fintechs are neobanks, wealth management fintechs, insurtechs and biotechs. In early 2021, Spain’s government published its entrepreneurial strategy (“Spain Entrepreneurial Nation Strategy”) to make Spain a more entrepreneurial country by 2030 and strengthen the role of entrepreneurs in Spain and revitalise the economy after the COVID-19 pandemic, which includes a new “startup law” to bring more favourable conditions to companies that are in the first stages of operations. In this sense, this new law will offer tax incentives and reduce the administrative burdens of these young entities. One of the first stumbling blocks is the recognition of what a startup is – there must be a consensus on the definition of this concept among parties for the new startup law to have a future. But Spain is not only pushing towards being a more entrepreneurial country, it is also reacting to the fact that in the year 2020, even though Spain has shown a lot of progress, it still occupies position number 13 in the European ranking of digitally integrated startups. In fact, the Digital Economy and Society Index (“DESI”) published a report last year stating that Spanish startups still have a long road ahead in order to exploit the full potential of e-commerce, since the country is below the European average in the use of cloud services and in the penetration of big data analytics. In this sense, Spain still has low participation of technologically integrated companies within the productive tissue of the country, which represents an obstacle to long-term growth and internationalisation, and, therefore, to the increase in the productivity of the economy as a whole. So, these conditions have led legislators to push towards fintech development in Spain. On the one hand, companies are undergoing digital transformations forced by the current COVID-19 pandemic, investing heavily in new technologies which provide cost-efficient solutions. On the other hand, the effort legislators are putting into the development of a better-adapted regulatory framework for this new reality is significant. In this context, it is especially relevant that the Senate Commission for economic affairs and digital transformation unanimously passed on November 4, 2020 the Law for the Digital Transformation of the Financial Sector. This Law will undoubtedly make Spain an international reference point

López-Ibor Abogados Spain


for legislative innovation within the fintech sector. A big concern for Spanish authorities, as to the use of this new technology, is regarding the possible gateway fintech may present for possible money laundering and the financing of terrorism. But, mainly, the Law for the Digital Transformation of the Financial Sector has two objectives:(a) to guarantee suitable tools for the financial authorities to continue with their current

roles within the new digital era; and (b) to facilitate the innovation process to promote more equitable development by allowing

access to the best financing for different productive sectors and by attracting talent to a highly competitive international technological environment.

Nonetheless, the main highlight of this Law is the establishment of a “sandbox” or test space. This sandbox consists of controlled safe spaces that allow experimentation for new business proposals. It is designed as the ideal environment to identify the best projects for the betterment of financial service provisions through digital innovation. Supervision protocols, proportionality criteria and the principle of equality will govern sandbox proposals. Additionally, the Law also reinforces the necessary instruments aimed to guarantee the objectives set by the current financial policies. But here is where the most interesting aspect of this Law comes into place: pilot projects and proposed tests that are allowed into the sandbox will not be subject to the current applicable legislation for financial services: they will only have to comply with the new Law’s regulations and protocols. There is no doubt that digital transformation represents a new paradigm for the financial sector. In accordance with the Resolution of May 14, 2021, the Secretariat General of the Treasury and International Finance published a list of projects submitted to the controlled testing space (sandbox) that have received a favourable evaluation. Only 18 out of 67 projects have been admitted into the sandbox. Finally, it is worth noting that the European Union (“EU”) is the driving force encouraging EU Member States to adapt to the new developments. Also, the EU has started a Digital Finance Package to try to harmonise the legal requirements so that fintech companies can operate in any Member State.For instance, on October 24, 2020, the European Parliament and the Counsel published for the first time a Proposal for a Regulation on Markets in Crypto-Assets (“MiCA”), which will amend Directive (EU) 2019/1937 and will have the aim of harmonising a set of rules for providers of crypto-assets services and issuers of crypto-assets all across Europe.

Fintech offering in Spain

New fintech regulations in the coming years will also open the doors for more financial activities through existing online platforms. Today, Spain is among the most energetic fintech environments in all of Europe, which translates to one of the most active in the world. However, there are still many obstacles ahead that need to be surmounted in order to secure this position and ensure the sector’s continued development. Among the main obstacles we have today for the fintech sector’s growth is that investors’ interest in Spanish fintech firms is relatively lower than in other countries. Also, most Spanish fintechs are oriented towards B2B, obtain revenues via fees/commissions and are at a seed stage, according to a report from the Bank of Spain. Moreover, most of these firms were founded by entrepreneurs and are in large cities such as Madrid and Barcelona. Madrid and Barcelona are the two main hubs, but Valencia is also increasing its popularity among entrepreneurs.Fintechs are currently present in the following sectors, among others:



Payment servicesThe second Payment Services Directive (“PSD2”) was fully transposed in Spain in 2019. PSD2: (i) regulates Payment Initiation Servicers Providers (“PISP”) and Account Information Services Providers (“AISP”), recognising for the first time the right for these companies to have access to information from banks; (ii) simplifies the process to obtain authorisation for small entities and for entities which conduct business within Spanish territory; and (iii) increases the obligations regarding payments security and strengthens the online identification requirements for clients.Personal financeIt is a common practice for companies to incorporate entities that can provide financial advice (“EAFIs”) as a first step to analyse the Spanish market and search for clients. EAFIs are a type of company which are licensed only to provide investment advice. Therefore, to incorporate an EAFI is easier than to incorporate other companies such as companies and securities agencies (“Sociedad de Valores and Agencia de Valores”), portfolio management companies (“Sociedad Gestora de Carteras”), and asset management companies (“Sociedad Gestora de Instituciones de Inversion Colectiva”).Social trading platforms The Spanish Securities Market Commission (“CNMV”) stipulates that this type of company must offer their services to investors under a discretionary portfolio management contract (article 140 d) of the Securities Market Law’s consolidated text). In addition, before signing the contract, the company must be ensured of the investor’s suitability and comply with all the rules of conduct according to the Securities Market Law.Therefore, for a fintech company to perform “social trading” services, it would need to be incorporated as one of the following: a companies and securities agency (“Sociedad de Valores and Agencia de Valores”); a portfolio management company (“Sociedad Gestora de Carteras”); or an asset management company (“Sociedad Gestora de Instituciones de Inversion Colectiva”). Among these types of entities, the portfolio management company is the simplest and the one that needs fewer requirements to be met for its incorporation.Crowdfunding Law 5/2015, of April 27, on the Promotion of Business Financing (“LFFE”) regulates financial crowdfunding platforms involved in the intermediation of financing through loans, bonds or equity participations. These platforms are under the authorisation, supervision, inspection and sanction of the CNMV, with the participation of the Bank of Spain, in case of lending-based crowdfunding. Moreover, the LFFE restricts the range of services that these platforms may provide. In particular, they are not allowed to offer investment advice or process payments (unless they apply for a licence as hybrid payment institutions). Cryptocurrency The current position of the CNMV and the Bank of Spain is that a specific regulation of cryptocurrency and initial coin offerings (“ICOs”) is necessary. Nonetheless, such regulation can only be made at EU level and after consultation with certain third countries, such as the U.S., which play a major role in the world’s financial markets. Since there is no specific regulation on cryptocurrencies in Spain, they cannot be treated as legal tender, which is exclusively reserved for the Euro as the national currency. The CNMV also points out that there have been no issuances of cryptocurrency or ICOs which have been approved or verified by any regulatory authority, such as the Bank of Spain or the CNMV. In Spanish law, cryptocurrency cannot be considered either as a financial instrument (promissory note,



derivative, etc.) or a currency (domestic or foreign), but, when traded individually, in the case of public offerings or chattels or commodities, they could be assimilated to securities.To the extent that they can be considered securities, ICOs may fall within the prospectus filing requirements of the Spanish stock market law (“LMV”), as the definition of financial instruments and negotiable securities is very wide (article 2 of LMV), and the Spanish government can add new types of securities by its own fiat without an amendment of the law being necessary, provided this has been agreed under EU regulations. Regarding the registration of virtual currency procedures with the Bank of Spain for anti-money laundering reasons, please see the section titled “Key regulations and regulatory approaches” below. Loan services, loan broking, factoringAs for fintech companies that provide loan services, Spanish law, in general, does not impose any formal or material requirements in order to grant loans. To put it simply, loans are governed by the general commercial law. An exception to this is in the case of consumer loans: the agreement has to be drawn up on paper and the denomination of financial credit establishments (“Establecimientos Financieros de Credito”), specialised in the granting of credits and loans in a specific field such as consumer credit, mortgage credit, credit cards, guarantees, leasing (leasing with purchase option), or factoring (assignment of a credit portfolio), is used. As for fintech companies that provide brokerage, fine trading and ancillary services, so long as they are not conducted with funds collected from the general public (i.e. banking activity), there would be no need for the fintech to obtain a banking licence.Online banking services and neobanks/Spanish banking licences and challenger banks Regarding PSD2, traditional banks are under pressure to become more dynamic, especially since the latest generation of fintech is adapting a lot faster to the international competition. In Spain, there is no specific regulatory framework governing online banking or neobanks, which are those fintechs that offer a 100% mobile banking experience by partnering with a traditional bank to manage operations; such bank is really the one in charge of issues such as regulatory compliance, Know Your Customer (“KYC”) policies and all the processes, controls and restrictions to which the fintech is subject. Unlike neobanks, challenger banks are those which intend to get a banking licence. Online banking services that aim to take deposits from the public, which are used for on-lending, must be provided only by entities that have a licence. Banks within Spain need an authorisation from the Bank of Spain and an authorisation from the European Central Bank (“ECB”). With respect to the Bank of Spain authorisation, fintech entities will have to meet certain requirements, more or less strict, depending on the type of licence that the new company wants to acquire. In general terms, the main requirements to obtain a licence are the same as those required by the ECB: the solvency of the fintech company; the experience of its shareholders and members of the management committee must be at the required level; a good administrative and accounting organisation; and adequate internal control procedures.In Spain, the types of licences available are as follows:Licence for credit institutions (i.e. banks, savings banks and credit unions). Credit instiutions are the only entities that can collect reimbursable funds from customers; that is, receive a user’s balance with the commitment to return it under the agreed conditions (offer deposits or bank accounts), among many other products. The credit institution licence is the most complete and complicated licence to obtain.



Licence for other entities. To perform other types of financial activities, such as lending money by means of loans and credits, it is not necessary to have a credit institution licence. There are other non-bank credit companies that can perform certain financial roles without becoming a bank. Each one has a special licence according to its function. The main ones are:i) Financial credit establishments (“Establecimientos Financieros de Credito”) specialised

in the granting of credits and loans in a specific field; for example, consumers. An example of a Spanish company is Cofidis.

ii) Payment entities (“Entidades de Pago”) that intend to provide payment services. They allow the opening of an account, entering and withdrawing of money and balance movements. One example is American Express Spain.

iii) Electronic money entities (“Entidades de dinero electrónico”) are companies dedicated to the issuance of electronic money. They are able to issue, distribute and reimburse customers’ money, as well as offer linked means of payment. Examples include PayPal and some neobanks such as B-Next.

iv) Mutual guarantee societies (“Sociedad de Garantía Recríproca”) are non-profit entities specialised in offering guarantees to facilitate access to financing for small and medium-sized companies. They are usually linked to a specific sector and their activity is supported by their public protective partners (regional or local administrations), savings banks, etc.

v) Appraisal entities are dedicated to real estate appraisals and certify the value of these for different purposes, such as the granting of financing with a mortgage guarantee.

Finally, fintech entities that have obtained a licence in another EU country can operate through the passporting regime or free provision of services. This means that supervision will be exercised in the country in which the fintech company obtained the licence and, to a lesser extent and for specific aspects, in Spain. Fortunately, the requirements to be met by fintech companies to proceed with the freedom to provide services as a credit institution on Spanish territory are quite simple. But, to establish a branch or, where appropriate, a representative office, additional requirements have to be met.


Developing and selling insurance products in Spain falls under Spanish regulation. Currently, the most important legal text regarding this matter is Law 20/2015, which transposes Directive 2009/138/EC (“Solvency II”). In addition, this Law has been developed by detailed enabling legislation provided by the Royal Decree 1060/2015. A new complementary law, Royal Decree Law 3/2020, has come into force for the regulation of the insurance distribution, transposing Directive 2016/97. This piece of legislation regulates the distribution of insurance products within Spain through brokers, agents, underwriters, and banks. On the other hand, Law 20/2015 governs certain aspects related to the insurance market and subjects this activity to an administrative authorisation. Consequently, in order to provide coverage, the insurance company must satisfy the following requirements: i) Keep a solvency capital requirement and eligible basic own funds to cover the absolute

floor of the minimum capital requirements (approximately €5,500,000).ii) Keep eligible basic own funds to cover at all times the minimum capital requirements

and the solvency capital requirement.iii) Requirements related to honourability, qualifications and professional experience. iv) Requirements related to corporate governance and internal control systems.



In addition to all of the above, all insurtechs performing in the insurance sector, although not directly as an insurance company but rolling an intermediary profile (e.g. mediators, insurance brokers, insurance agents, etc.), must meet specific requirements in their special area provided in Royal Decree Law 3/2020. The Association of Fintech and Insurtech (“AEFI”), which promotes fintech initiatives, has published a white paper on insurtech regulation in Spain to boost legislative initiatives. However, the licensing authority for all insurance business is the Directorate General for Insurance and Pension Funds (“DGSFP”) operating under the jurisdiction of the Spanish Ministry of Economy.As for regtech companies, there are currently no special legal licences applicable to such companies. Regtech companies provide technological support for developing and implementing compliance policies and procedures; hence, this technology does not perform direct investment services. However, the CNMV has stated these companies should cooperate with public agencies to afford a better supervision of the market.

Regulatory bodies

The regulator in charge of supervision of fintech businesses is the CNMV, together with the Bank of Spain (supervisory authority of the banking system), and the DGSFP, depending on the type of entity intending to provide services in Spain and the exact nature of those services. The Executive Service of the Commission for the Prevention of Money Laundering and Monetary Infringements (“SEPBLAC”) is another supervisory body.Although not a regulatory body, the AEFI promotes the development of fintech and insurtech companies in Spain and has played a key role in the approval of the sandbox in Spain.


There are business models, such as crowdfunding platforms (equity crowdfunding and crowdlending), which have their own regulatory regime that is established in the LFFE. However, the vast majority of fintechs are not regulated by a specific law. The legal provisions are intended for traditional banking activities and most fintech activities, since they are not restricted, are allowed. However, it is also true that fintech companies cover a myriad of activities, some of which would trigger licensing requirements. Contrary to popular belief, not all activity performed by a fintech company falls outside the regulatory spectrum that characterises the traditional financial system. Conventional bodies, such as the National Stock Market Commission, the Bank of Spain and the DGSFP, oversee these new technologies, using existing legislation not adjusted to technological innovation. In this respect, the CNMV has created a forum (https://www.cnmv.es/portal/Fintech/Innovacion.aspx?lang=en) to assist fintechs where regulation is not clear. This forum helps promoters of businesses to ascertain whether their activities fall under the securities market rules and creates an informal space for exchanging information with promoters on their initiatives, which are strictly confidential.Whether a fintech company falls within the scope of this regulatory regime will depend on the exact nature of its business and the type of activities being carried out. As for regulation of financial instruments, such securities may fall under the definition of financial instruments and negotiable securities, which is very wide (article 2 of LMV). To carry out any of these activities in relation to financial instruments on a professional basis in Spain, the relevant fintech must obtain a licence or an authorisation or operate via the EU passport regime or under the free provision of services regime. In addition to this approval, registration is a requirement to operate in Spain. Marketing of investment services or offering of financial



instruments on a professional basis as well as prior or preliminary activities also require an authorisation. Separately, the provision of loans does not trigger licensing requirements, even though it is a typical activity of credit entities. However, while the activity of extending credit is not a reserved activity, it is usually connected to other regulated activities that trigger licensing requirements.Regarding payment services, it is prohibited for entities or natural persons who are not payment service providers (apart from certain exceptions derived from PSD2) to provide payment services in Spain on a professional basis.As for exchange platforms of cryptocurrencies, the CNMV currently considers that exchange platforms of cryptocurrency are subject to at least the rules of custody/registration, conflicts of interest management and transparency (of inducements), and anti-money laundering provisions. The CNMV recommends that platforms apply voluntarily the principles of the securities market regulation to ensure their business operates in compliance with the relevant regulations.On a separate note, on April 28, 2021, the Spanish National Gazette published Royal Decree 7/2021, of April 27, for the transposition of the EU Directives on the areas of competition, prevention of money laundering (“AMLD5”), credit institutions, telecommunications, tax measures, prevention and remediation of environmental damage, posting of workers in the provision of transactional services and consumer protection. This Royal Decree will modify Law 10/2010, of April 28, for the Prevention of Money Laundering and Financing of Terrorism (“AML/CFT”) in the following ways: Definitions: incorporated within article 1 of Law 10/2010: a) Virtual Currency: means “any digital representation of value not issued by a central bank

or public authority, which is not necessarily associated to an established legal tender and does not possess the legal status of currency or money, but is accepted as medium of exchange and can be transferred, stored or electronically negotiated”.

b) Virtual Currency Exchange for Fiat Currency: means “the purchase and sale of virtual currency by delivery or receipt of euros or any other foreign legal tender or electronic money accepted as a means of payment in the issuing country”.

c) Services for the Custody of Electronic Wallets: means “those individuals or entities that provide services pertaining to the safeguard or custody of private cryptographic keys on behalf of their customers, for the holding, storage and transfer of virtual currency”.

New Regulated EntitiesNew Regulated Entities were included within article 2 of Law 10/2010. Among these entities, the “providers of services regarding the exchange between virtual and fiat currency, and the custody of virtual wallets” can be found in section z) of article 2 (hereinafter, “Virtual Currency Service Providers”). RegistrationVirtual Currency Service Providers will now have to comply with the following provisions: 1) Regardless of their nationality, if the services pointed out in definitions “b)” and “c)”

mentioned above are offered or provided in Spanish territory, these individuals or entities will have to be registered within the Registry of the Spanish Central Bank (“SCB”) created for these purposes.

2) Likewise, the following must also register within the SCB Registry: a) Regardless of their nationality, those individuals or entities that provide the



aforementioned services, when the address, administration or management of these activities reside in Spain, regardless of the location of the service recipients.

b) The entities located in Spain that provide these services, regardless of the location of the service recipients.

3) The registration within the SCB Registry will be conditioned to the existence of:a) Adequate AML procedures, provided by Law 10/2010 (identification of clients,

communications to SEPBLAC, internal control measures, etc.). b) Compliance with the requirements of commercial and professional honourability,

according to the terms established in article 30 of Royal Decree 84/2015, of February 13, for the development of Law 10/2014, of June 26, on the regulation, supervision and solvency of credit institutions. In summary, these requirements consist of displaying personal, business and professional conduct that do not cast doubt on the ability to perform a sound and prudent management of the entity.

c) The SCB will have authority to supervise compliance with the abovementioned requirements.

It is important to highlight that if Virtual Currency Service Providers do not comply with the required registration requirement mentioned above, such conduct could be considered a very serious infringement of Spanish law, and the entity or individual will be subject to sanctions imposed by the SCB. The infringement will be considered “serious” and not “very serious” only if the provided services were occasional or isolated. Registration deadlineThe SCB has a period of six months before the Registry for Virtual Currency Service Providers starts functioning, counting from the date of entry into force of Royal Decree 7/2021. If the services mentioned in definitions “b)” and “c)” are provided to residents in Spain, then the Virtual Currency Service Provider will have a period of nine months, counting from the date of entry into force of Royal Decree 7/2021, to register. Royal Decree 7/2001 entered into force on April 29, 2021, therefore the deadline dates for the abovementioned are as follows: a) Six months for the registry to start functioning: October 29, 2021.b) Nine months for Virtual Currency Service Providers to register: January 29, 2022. In relation to this new Royal Decree, it is interesting to highlight that, for the first time, an official definition of virtual assets is offered by the Spanish legislation. Previously, consideration given to these assets in Spain was limited to the jurisprudential scope of the Supreme Court’s Decision 326/2019 of June 20, 2019, through which the criminal chamber defined them as “intangible assets of exchange…”, that, in no way, have the legal consideration of fiat money. Through this new Royal Decree, the legislator solidifies the Supreme Court’s insight, strengthening its approach and consolidating a definition for virtual assets as a source of Spanish law.In general terms, it is important to note that fintech companies established in Spain are subject to data protection regulations. In the EU context, Directive 95/46/EC (“General Data Protection Regulation”) has been directly applicable to all Member States, including Spain, since 25 May 2018. In Spain, local data protection laws were passed in December 2018 (“Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales”).Finally, on July 10, 2021, the Spanish National Gazette published the Law 11/2021 on preventive measures to combat tax avoidance – a long-awaited transposition of the EU



Council Directive 2016/1164 laying down rules against tax avoidance practices that directly affect the functioning of the internal market. This new law has added certain modifications to the Additional Provision number 13 of the Spanish Personal Income Tax Law (“Ley de Impuesto Sobre la Renta”), referring to new declaratory obligations for Cryptocurrency Service Providers operating in Spain as well as individuals or entities holding cryptocurrency abroad.

Restrictions

There are no legal restrictions as there is no specific regulation for fintech companies. Whether a fintech company falls within the scope of the regulatory regime will depend on the exact nature of its business and the type of activities being carried out. Therefore, applicable regulation (and restrictions), for each fintech company should be assessed carefully on a case-by-case basis. One general barrier that fintech companies face is that they cannot access market infrastructures and this constitutes a disadvantage with respect to banks and big companies that have close relationships with Spanish regulators and the government, which aids their digitalisation process.


Within the EU, there is no particularity in cross-border provision of financial products and services as Spanish and foreign fintechs must comply with the general cross-border rules established in each area of the law which transposed the relevant EU Directives (MiFID II, CRD IV, PSD2, etc). For instance, if activities are regulated, Spanish and foreign entities need to obtain suitable passports or licences, depending on each case. There is no other way for foreign fintechs to operate in Spain than the one provided in the relevant EU Directives, but if a fintech company obtains authorisation within an EU Member State, it can benefit from passporting options or from the freedom of service provision regime.

Alfonso López-Ibor AliñoTel: +34 915 21 78 18 / Email: [email protected] López-Ibor Aliño is the managing partner of the Madrid office. Previously, he was managing partner of Allen & Overy, Madrid, for 10 years.He specialises in commercial, financial and banking law. Alfonso is also recognised for his experience in litigation, arbitration and air transport law.In commercial law, he regularly advises clients on the acquisition and sale of Spanish or foreign companies, in venture capital/private equity transactions, MBOs and corporate restructuring. He also advises multinationals that wish to settle in Spain, either through branches or through the acquisition of already established companies.In banking and financial law, he has experience in syndicated loans, guarantees and financing of assets, as well as with working with the CNMV.Alfonso heads up the department specialised in providing legal advice to companies in the airline sector, including national and international contracting, handling contracts, financial structures, including operating lease transactions, guarantees, financing of acquisitions, permits, authorisations and registrations. He is one of the best-known Spanish lawyers in the aviation sector.Alfonso provides advice on litigation and international arbitrations in matters of great complexity.

Olivia López-Ibor JaumeTel: +34 915 21 78 18 / Email: [email protected] López-Ibor Jaume is a lawyer in the Banking & Finance Department in Madrid. She began her professional career in the Financial Law Department at Allen & Overy.Olivia specialises in the air transport financing sector and advises aircraft operators and lessors in sale, lease, financing, and mortgage transactions. She also works with airlines and their airport agents in connection with ground attendance administrative procedures.She advises foreign companies in various securities market operations, including negotiations of guarantee and financing of acquisitions packages and CNMV authorisations. Olivia also advises companies engaged in technology in the e-banking sector, payment services, cryptocurrencies, and on the Fintech sector regulation in general.

López-Ibor AbogadosLópez de Hoyos 35, 3 piso, 28002, Madrid, Spain

Tel: +34 915 21 78 18 / URL: www.lopez-iborabogados.com



Alejandro Sosa RöhlTel: +34 915 21 78 18 / Email: [email protected] Sosa Röhl is a Venezuelan lawyer working in the Banking & Finance Department of López-Ibor Abogados. After graduating from Universidad Católica Andrés Bello (Caracas, Venezuela), he decided to study for a Masterʼs degree in Corporate Legal Counselling at Universidad Carlos III and develop his professional career in Spain. In view of becoming a member of the Bar, he is currently studying for a Master’s degree in Access to the Legal Profession at the Universidad Antonio Nebrija.

SwedenDavid Frydlinger & Caroline Olstedt Carlström

Cirio Law Firm



Sweden is one of the most advanced fintech countries in the European Union, and possibly the world. Sweden is in general a highly digitalised country, not least in the traditional banking sector. The European Commission has, for instance, been monitoring Member States’ digital competitiveness with the Digital Economy and Society Index (DESI) reports since 2015. The DESI 2020 report, published in June 2021, shows, for instance, that Sweden holds a steady second place in Europe with regard to digitalisation, and it is considered to be among the global leaders in digitalisation. The OECD has also in reports declared Sweden to be one of the leading countries in digital innovation.Almost all Swedes are regular or frequent internet users, with only a few per cent having never been online. Swedish businesses embrace new technologies, such as cloud services, artificial intelligence applications etc., and every third SME sells online. Sweden is the 18th largest market for e-commerce and with an increase of online sales of 21 per cent in 2020, revenues amounted to US$12 billion in 2020. With a government that has helped cultivate a society of early adopters from the 1990s, the Swedish market provides an excellent hotbed for innovative startups and emerging technologies.Sweden is moving towards being a cashless society, where most transactions are carried out using credit or debit cards or other digital payment solutions. Today, just one per cent of Sweden’s GDP circulates as cash and this number is steadily decreasing. Furthermore, both businesses and consumers have for many years had steadily increasing access to digital banking services, regarding bank accounts, payments, trading, lending, financing and other services. All of the major Swedish banks offer not only internet banking via web interfaces, but also rather advanced apps, making it possible to handle a large number of bank-related matters via a smartphone. Also, attempts are being made to use robo-advisors. The number of physical bank offices are, consequently, steadily decreasing, and Sweden is currently one of the countries where digital payments are increasing the fastest.In February 2020, Sweden’s central bank, Riksbanken, announced a year-long pilot experiment with its own digital currency, the e-krona. This is a pilot project with the aim of developing a proposal for a technical solution for an e-krona. In July 2021, no decision about the e-krona has been taken yet, but analysis is still ongoing where Riksbanken is investigating the needs and testing various different technical solutions. The objective is to create, in an isolated test environment, a digital krona that is simple and user-friendly. The technical solution will be based on blockchain technology (Distributed Ledger Technology, DLT) and the main aim of the pilot is for the Riksbank to increase its knowledge of central bank-issued digital krona.

Cirio Law Firm Sweden


This strong digitalisation of the financial sector has been partly driven by challenges from fintech challengers and successful disruptors, but also to a large extent by the dominant players themselves, the incumbents. Major Swedish banks, like Nordea, have invested heavily in local fintech companies. There is here an interesting interaction between the traditional large Swedish banks and challenging fintech players, with a combination of head-on competition and collaboration. Even the financial regulators are taking an interest in the sector. Swedish banks are now top global leaders in fintech, ahead of, for instance, their major US counterparts. One reason for this is, of course, that Sweden very early saw several disruptors in this industry, and fintech has since then become a mature market in Sweden. Most banks have used a mixed strategy of in-house development of digital offerings and licensing of solutions from fintech companies, often combined with direct investments in these companies. Another important factor enabling strong digitalisation is the general access in Sweden to solutions for electronic identification.Electronic identification is something that early on was considered as solved in the Swedish market, thanks, of course, to technical innovations, but also based on the fact that all Swedes are easily identified via their Swedish personal identity number. The personal identity number consists of the date of birth with four additional digits attached to it (YYMMDD-XXXX). It is obtained when a person is entered in the Swedish population register by the Swedish Tax Agency. It is widely used for everyday purposes in Swedish society, such as setting up memberships and subscriptions and to establish, for instance, a banking relationship with a Swedish bank, enabling online payments, etc. Furthermore, Sweden is an open society with a generally very high degree of consumer trust in service providers. The financial services and the incumbent banks especially enjoy a high degree of trust by customers (consumers as well as businesses). The typical Swedish customer does not mind disclosing his or her personal identity number to businesses, banks or Swedish authorities, including in an online environment. A combination of easy access to efficient online identification mechanisms and the Swedish trust in digital services in general led early on to easy access to trustworthy data sources in Sweden, enabling efficient online identification methods and forming a good basis for efficient and timely know-your-customer (KYC) assessments, credit assessments and fraud prevention methods and services.As a result of the above, Swedish customers have broad access from both traditional banks and fintech companies to digital solutions, such as account information services, payment initiation services (where, for example, apps can be used to initiate payments from the customers’ bank accounts), trading platforms, lending platforms, crowdsourcing and peer-to-peer platforms, and so on. In the past two years we have also seen a steady increase in Sweden in open-banking activities and solutions.Interestingly, the strong development described above has largely taken place without regard or support of a regulatory framework. The EU Directive 2015/2366 on payment services – commonly referred to as PSD2 – was, however, implemented into Swedish law in May 2018, forcing the traditional banks to open up their databases via standardised interfaces. The European Banking Authority (EBA) was also mandated to issue a set of Regulatory Technical Standards (RTS), and in September 2019, the RTS on strong customer authentication and secure communication came into force, with the objective of further stimulating and enabling additional open-banking solutions. This happened, however, at a time when many Swedish customers already had access to the solutions which the PSD2 is supposed to enable. During the last year we have now also seen a number of Swedish



initiatives and new or changed services that further build on these developments, employing the simplified access and open-banking solutions. Naturally, the EU General Data Protection Regulation (GDPR) has also had important consequences for the fintech sector, but since the level of compliance is generally high in the financial services sector, the GDPR has in practice not restricted the growth of the Swedish fintech market, but rather enabled further innovation by elucidating the requirements and providing, directly or indirectly, further guidance. The legal requirements have furthermore sparked some innovations in this area, providing regtech solutions in a primarily B2B sector.Sweden still waits, however, to see a strong uptake in blockchain-based solutions, such as cryptocurrencies. There are a number of reasons behind this, not least the large transaction costs of implementing such solutions involving many players, but one of them has been a still existing regulatory uncertainty as to the permissibility of the use of cryptocurrencies. We do however see a growing impact of blockchain in industries beyond the financial sector, which is also likely to in a year or two have an impact also on fintech innovation. Blockchain technology is, for instance, used in retail and we start to see supply chain management enabled by blockchain in order to cope with a number of issues, such as counterfeiting and a lack of transparency.Furthermore, when addressing key developments in the fintech space in Sweden, it is of course highly relevant to also mention the huge interest of and booming development of artificial intelligence (AI). AI is a crucial aspect for many fintech start-ups and organisations in many different ways. In a way, AI is intelligence demonstrated by machines. This can take place in a variety of different ways, and it will have wide implications in the financial services industries, among many others. As mentioned above, the Swedish technology scene is an excellent hotbed for innovation and a combination of easy access to efficient online identification mechanisms and data sources together with the Swedish trust in digital services in general provides for excellent opportunities also in this area.

Fintech offering in Sweden

As described in the previous section, Swedish customers – both consumers and business customers – have access to a wide variety of fintech offerings. The most important categories of such services are described below.Personal financial management, where consumers can get access to aggregated account information about their financial situation from all their banks and similar institutions. These services may also include payment initiation, authentication, fraud detection, lending services and similar services.Payments, where paying customers as well as merchants are provided with alternative solutions for payments both on the internet and in retail stores. There is now also a large number of platforms that offer not just their own payment methods, but enable a whole range of different national and international payment methods (not seldom also operated by competitors).Payment initiation services, whereby a customer may mandate a payment initiation service provider to access the customer’s online banking account to initiate a desired transaction.Lending, where customers can borrow, and investors also invest money for lending, via platforms not connected to the traditional banks. Trading platforms, providing customers with portfolio management services for stocks and funds.



Banking services, providing customers with a full set of services traditionally provided by the large Swedish or Nordic banks, including account management, lending and payments.There is now also a number of operators in the Swedish market that combine the different services into more advanced operations on larger platforms, or platforms combining several operators into one single service for the customers. Not seldom are these services also now connected to, integrated in or partly including social media features of various kinds for a more complete experience for especially the consumers. The overall goal is usually to simplify the user experience while at the same time adding additional features to the customer journey. This entails additional challenges for both commercial customers (such as retailers for instance) but also consumers, as these services quickly now develop and integrate and the landscape overall gets much more complex. Not least from a data privacy and data protection perspective, but also from a commercial perspective, it is important to correctly consider and properly protect the data flows, as also the net value of many businesses and their respective business models now are based on the data available in the business and the intelligence that derives from it. Overall, Swedish fintech companies have found new ways of innovating, to improve their customer experience, and increase their revenue.As already stated above, these and other services have evolved within the existing legal and regulatory framework, without specific support from, for example, the national implementation of the PSD2. This development has thus been driven by technology and access to funding from investors.


During recent years, Sweden has seen the establishment and growth of a number of regtech companies, market development is still in an early stage but quickly growing. There are a number of companies providing solutions for compliance with the GDPR, including personal data records, data privacy impact assessments, incident management, compliance process task management, etc. In addition, there are a growing number of companies offering solutions for anti-money laundering management – not least KYC checks – and insider information management. There are also a number of GRC platforms now available (Governance, Risk management and Compliance), in order to address the full spectra of various risks. During the last year, there has also been a lot of development in relation to cyber security risks, within these platforms and as standalone offerings.There is also an ongoing clear uptake of progressive technologies in the insurance industry, including machine learning, artificial intelligence, and robot process automation to increase efficiency in claims processes. This development is mainly taking place within large insurance companies and, as of yet, Sweden has yet to see the growth of an insurtech industry.

Regulatory bodies

The following are the most important regulatory bodies for Fintech in Sweden:• The Financial Supervisory Authority, which authorises, supervises and monitors

all companies operating in Swedish financial markets, including banks and other credit institutions, securities management companies, stock exchanges, and insurance companies.

• The Swedish Authority for Privacy Protection, which supervises and monitors compliance with the GDPR.

• The Consumer Agency, which safeguards consumer interests, not least by monitoring compliance with consumer legislation.




The Swedish financial sector is highly regulated. Being a Member State of the European Union, the key regulations in Sweden are largely based on European Union regulations and directives. While this is the case, it is also important to note that the growth of the Swedish fintech sector has played out largely independent of laws and regulations, or rather within a legal framework not necessarily adapted to the new market environment for financial services. There is no general regulatory approach to the regulation of fintech activities in Sweden. Also, there is not only one or a few laws, but instead a multitude of laws, which become applicable depending on the activities carried out. As regards regulations specific to the financial sector, there are three broad categories of laws and regulations: (i) laws regarding banks and credit institutions; (ii) laws regarding insurance and related activities; and (iii) laws regarding trade of securities. Depending on the activities of the specific fintech company, laws from one or all three of these categories can become applicable. Banks and credit institutions are subject to various rules, of which the Banking and Financing Business Act (2004:297) is the most important. A typical fintech company would, however, not apply for a licence to carry out banking activities, so this law would rarely be applicable. In the current state of the Swedish fintech market, a law of particular importance is the Act (2010:751) on Payment Services, which also includes the main body of the implemented PSD2. The Act applies to payment services being provided in Sweden, and also to account information services and payment initiation services. Providing such services requires a licence from the Swedish Financial Supervisory Authority; however, certain exceptions exist for account information services. To obtain a licence, the company must show that the company management, as well as persons with significant influence in the company through shared ownership or otherwise, have the necessary qualifications, knowledge and insight to run the business, and that necessary insurance coverage exists. For companies holding a licence, there are also additional requirements for minimum funding. Furthermore, the Act on Payment Services includes rules regarding what is commonly referred to as “open banking”. Under these rules, banks and other financial institutions are obliged to provide third parties with access to payment systems and payment account services, enabling such third parties to, for example, establish personal finance management services. As of September 2019, banks and other institutions also have to comply with the RTS issued by the EBA regarding the technical requirements for the interfaces giving third parties access to data.For certain fintech offerings, the Act (2003:862) on Financial Advice to Consumers will be applicable. The Act sets out rules for companies providing advice to consumers about placements of their financial assets. In addition to sector-specific laws, there are a number of laws which have general applicability in the Swedish market, but which are highly relevant for the fintech sector. The most important of those laws is the European GDPR, which sets out the rules for the processing of personal data. Given the nature of the fintech business, the GDPR is a key regulation that every fintech player must take into consideration. The regulation requires, inter alia, data controllers – entities deciding the purpose and means of the processing of personal data – to: only process personal data lawfully, fairly and in a transparent manner,



for specified, explicit and legitimate purposes; not process more data than what is necessary for the stated purposes; ensure the accuracy of the personal data; not store personal data longer than what is necessary for the stated purpose; and ensure the confidentiality and integrity of the personal data. During the last couple of years, we have also seen a number of supervisory activities and court cases stipulating clear accountability standards and introducing a high degree of administrative sanctions for companies not fully complying or not being in control of their data processing activities and the technical and organisational measures required in order to document and protect these activities and the personal data involved.For fintech companies providing lending services to consumers, the Act (2010:1846) on Consumer Credits will typically become applicable. The Act sets out mandatory rules regarding the offering of consumer credits. The Act contains rules about information requirements to consumers, restrictions on marketing, credit assessments, restrictions on changes of interest rates and other related rules.A law of great practical importance for consumer-oriented fintech activities is the Act (1994:1512) on Unfair Contract Terms in Consumer Contracts, implementing the European Union Council Directive 93/13/EEC on unfair terms in consumer contracts. The Act includes rules under which the Swedish Market Court may prohibit companies from applying unfair terms and conditions in their consumer contracts. Examples of unfair clauses are all clauses giving the company the discretionary right to alter prices, fees and other terms, limitations of liability, and formal requirements for terminating the contract.The Financial Supervisory Authority works closely with the EBA in several matters, not least regarding regulation of the fintech sector. The Financial Supervisory Authority has also initiated an innovation forum for the Swedish fintech sector. It is not a regulatory sandbox, but instead a meeting forum for the FSA and the various players in the market with the main purpose of sharing experience and views. The FSA’s intention is to stay close to the development of the Swedish fintech market, with the dual purpose of monitoring compliance and enabling growth.Furthermore, in the last year we have also seen several initiatives where the various regulators initiate seminars, hearings, open forums and roundtables together and also together with industry representatives in order to initiate knowledge sharing, and for further understanding of cross-sector important initiatives.Also, it is well worth mentioning that on December 11, 2020, a special investigator was assigned by the Swedish government to investigate the state’s role in the payment market and take a position on what the role should look like in the future. This will be done against the backdrop of a thorough and broad analysis of what the role has looked like historically and what it looks like today, changes in the financial and payment markets as a result of technology development and digitisation, new payment methods and reduced use of traditional means of payment in the form of banknotes and coins (cash), and the future payment market. This is due to the fantastic digital development we have seen in Sweden, how new payment methods have been established and the fact that the use of cash has decreased. The investigator shall, inter alia, map the payment market today, map the division of roles between private actors and the state, take a position on the need for Sweden’s Central Bank, Riksbanken, to issue digital central bank money, and e-krona etc. For the Swedish fintech sector, important input values here are innovation and competitive neutrality in the payment market, but also access to the financial infrastructure. This can, inter alia, apply to access to a company account, which is today considered a problem for



many fintech companies. The Payment Inquiry will present the results of its investigation at the end of 2022. During the first half of 2021, the work was started up, inter alia, by meeting with various industry representatives, mapping the payment market and building the foundation for the investigation work. During the autumn of 2021, research and investigations will be performed in relation to certain special areas with the help of experts. Finally, we have also seen some development in the AI area in the EU. On April 21, 2021, the European Commission presented its Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on AI. The proposal defines AI broadly as a suite of software development frameworks that encompass machine learning, expert and logic systems, and so-called Bayesian or statistical approaches. A software product featuring these approaches whose outputs “influence the environments they interact with” will be covered. The proposal distinguishes between three categories of AI uses: prohibited AI uses; high-risk AI uses; and systems with limited risk. As important as this legislation will become for the fintech sector, as relevant is it of course to understand the various buckets here, and to analyse and follow up on the development of this legislative file. The proposal has of course been highly debated already, and, for instance, the EU watchdog European Data Protection Supervisor (EDPS) and the EDPB on June 23, 2021, issued a joint statement where they strongly welcome the aim of addressing the use of AI systems within the European Union, including the use of AI systems by EU institutions, bodies or agencies. At the same time, the EDPB and EDPS are concerned, for instance, by the exclusion of international law enforcement cooperation from the scope of the proposal. The EDPB and EDPS also stress the need to explicitly clarify that existing EU data protection legislation applies to any processing of personal data falling under the scope of the draft AI regulation. The EDPB and the EDPS, however, welcome the risk-based approach underpinning the proposal. However, this approach should be clarified and the concept of “risk to fundamental rights” aligned with the EU data protection legislation, since aspects related to the protection of personal data come into play.

Restrictions

Apart from the general requirements to comply with applicable laws and regulation, there are no restrictions on fintech activities in Sweden.It may be worth mentioning, however, that there are some regulatory obstacles that generally are perceived to sometimes prevent the proper scale-up that fintechs normally strive to achieve, of which could be mentioned:Cloud matters: In March 2018, the US adopted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) to enable US government authorities to acquire data stored by communication and cloud services both within and outside of the US. The primary effect of the CLOUD Act is that it extends the geographical scope of existing US legislation, thereby letting US authorities require service providers to grant access to data regardless of where the data is stored and whether it is stored by a US company or a foreign affiliate. However, the CLOUD Act also establishes a framework under which the US can conclude executive agreements with “qualifying foreign governments” to facilitate access to data stored with service providers. There is a potential conflict between the CLOUD Act, the GDPR and potentially also other national legislation. Swedish policy is not yet clear on the consequences of this conflict, and the requirements have not yet been assessed in the Swedish court. The Swedish government has, however, appointed a committee that has already proposed some adjusted legislation



as regards potential conflicts between the CLOUD Act and the Swedish Public Access to Information and Secrecy Act (SFS 2009:400) and possibly also the GDPR. Their final proposal is expected to be presented to the Swedish government in September 2021.The Swedish Financial Supervisory Authority has struggled to embrace cloud services in outsourced financial operations in general (considering any use of cloud service infrastructure as outsourcing), but has in recent years, as mentioned, initiated an innovation forum for the Swedish fintech sector. This entails a great development for the fintech sector and forms a basis for good progress in this area.When considering cloud services in general, and especially if potentially impacted by the CLOUD Act, it is therefore important for a Swedish fintech to properly identify and assess the risks, also considering the US implications of the Act.Challenges escalated also when the European Court of Justice (ECJ) on July 16, 2020, announced the verdict in the Schrems II case (case C-311/18). The court’s decision invalidated the European Commission’s adequacy decision for the EU–U.S. Privacy Shield Framework, with reference to US surveillance programmes. In concrete terms, this meant that the Privacy Shield is not sufficient as protection for personal data, which prevents the transfer of EU citizens’ personal data to US companies under the Privacy Shield, but allows continued transfer with the support of so-called standard contractual clauses. The ruling has far-reaching consequences for Swedish companies and authorities that needed to start taking action, and in practice it entailed that many of the ongoing international data transfers were no longer carried out based on applicable and lawful transfer mechanisms. As a next step, the EDPB on June 18, 2021, adopted Recommendations on supplementary measures following the draft recommendations which were published in the aftermath of the Schrems II judgment last autumn. The recommendations aim at facilitating the tasks of data controllers to ensure an essentially equivalent level of data protection when transferring personal data to third countries, outside the EU/EEA area. The final version of the recommendations were furthermore published two weeks after the new Standard Contractual Clauses (SCCs) for international transfers were published by the EU Commission.Fraud prevention: Under the previous European Data Protection Directive and its national implementation in Swedish law (Swedish Personal Data Act), the prohibition on processing personal data concerning criminal offences was interpreted both by the Data Protection Authority as well as Swedish courts to have a very wide scope, including also a prohibition on data controllers other than the public authorities to process even their suspicion of any such criminal offences. This led, for instance, to fraud assessments and fighting criminal activities in general by digital means being a challenge for Swedish data controllers.The prohibition on processing personal data relating to criminal convictions and offences according to article 10 has been considered by the Swedish Data Protection Authority as still also embracing the processing of personal data relating to suspicion of such criminal activities.It remains to be seen if the scope of the prohibition under the GDPR would be considered as wide by the courts today post-GDPR. For now, the Swedish authorities are still requiring Swedish data controllers to submit applications for exemption from the prohibition in order to be able to, for instance, screen prospective and current customers and their representatives against the US’s so-called OFAC lists (the lists of economic sanctions against individuals and entities published by the US Treasury Department, Office of Foreign Asset Control). Such screening is an important part of international business today, and if such an application is dismissed, or not submitted, it would place a fintech company in a



difficult position, with their business affected negatively since fulfilling legal requirements under US sanctions law would be made impossible; and thus, the company would be put in a less favourable position than competitors in other countries. That could in turn lead to discontinued business relationships, partnerships that cannot be realised, the risk of penalties from US authorities and difficulties to compete.


Business and consumer fintech customers are still mostly being provided with services from Swedish fintech companies. During recent years, however, there has been a growth in foreign investments in Swedish companies, such as Ingenico’s acquisition of Bambora, PayPal’s acquisition of iZettle, several transactions with additional investments in Klarna Bank and now the recent Visa acquisition of the open banking platform, Tink. A growing number of Swedish fintech companies have also started to expand their business abroad, notably Klarna Bank. This growth of cross-border business calls for harmonised rules, which are also largely provided by the regulations and directives of the European Union.

David FrydlingerTel: +46 766 17 09 85 / Email: [email protected] is a managing partner of Cirio and also head of Cirio’s digital offering. He has much experience in advising small, medium and large Swedish and international companies on digital matters, not least in the fintech sector. His advice includes regulatory advice on data privacy, financial regulation, consumer laws and contract drafting and negotiations.

Caroline Olstedt CarlströmTel: +46 703 53 90 30 / Email: [email protected] has over 20 years of experience in international data privacy, and has served as legal/strategic advisor to companies within IT, media, telecommunications, and finance sectors. She served for five years as Vice President of Privacy at Klarna Bank with global responsibility for Klarna Group’s data protection strategy and compliance and managing its Global Privacy Office. Today she is a partner at Cirio, responsible for Cirio’s Data Privacy & Information Security Practice, Caroline has also been appointed as external Data Protection Officer (DPO) for Nasdaq’s regulated businesses in the Nordics and Baltics, for the Enento Group and for the Dustin Group. Caroline is chairman of the Swedish Data Protection Forum and involved in several industry data privacy taskforces, such as, for instance, the Swedish ICC’s Policy Commission for Digital Economy.

Cirio Law FirmMäster Samuelsgatan 20, PO Box 3294, 103 65 Stockholm, Sweden

Tel: +46 852 79 16 00 / URL: www.cirio.se



SwitzerlandDr. Lukas Morscher, Fedor Poskriakov & Isy Isaac Sakkal

Lenz & Staehelin



The market conditions in Switzerland for Fintech offerings are generally considered favourable, in particular, based on broad access to credit and venture capital, the available human know-how (number of graduates in science and technology), as well as the access to, and use of, information and communication technology. In recent years, the Fintech market growth (value chain share) and expansion (range of products and services) have accelerated in Switzerland based on an already relatively high level. However, the coronavirus pandemic has affected investments in technology-driven young companies, in particular, in the Fintech sector, where the total invested capital registered a drastic decrease of 40% in 2020, dragging down the total amount of money invested in the Fintech industry to 220.1 million Swiss francs, mainly due to the lack of large financing rounds (rounds of more than 200 million Swiss francs). By contrast, the number of financing rounds continued to rise, adding up to 38 in 2020.1 For the Fintech industry, the decisive considerations remain in financing and fundraising. The Swiss Fintech landscape has evolved significantly over the past few years. Switzerland remains an attractive base for innovators in the financial sector. There are currently more than 200 active players (both emerging and incumbent) in Switzerland’s Fintech ecosystem, whilst the total number of Fintech-related businesses is much higher. Most of their business models focus on the financial market sector (notably payment services, investment management, banking infrastructure, deposit and lending, distributed ledger technology (DLT) and analytics). A considerable number of these businesses offer their products and services to incumbent financial institutions and/or offer cooperation opportunities with respect to digitalisation projects. Overall, the Fintech market in Switzerland is dominated by start-ups that are mainly financed through venture capital. A cooperation strategy between established providers of financial services and emerging players is common in Switzerland. While no general displacement trends can be identified at present, it is apparent that the value chain of established providers of financial services is under scrutiny and subject to (internal and/or external) challenges, including based on technology-driven new products and services developed by emerging companies that have the potential to disrupt the value chain of many established players. Established financial service providers generally have the financial and organisational resources required to adapt their business processes gradually to avoid such displacement and get high market visibility. Conversely, only a relatively small number of emerging companies can rely on a trust-emanating brand or a financial market licence (e.g., as a bank or a securities firm).Various associations and interest groups have been set up to coordinate the interests of Fintech-oriented organisations and individuals. They organise networking events, facilitate

Lenz & Staehelin Switzerland


the exchange of experience and know-how and raise the voice of the Fintech sector in politics. In addition, the federally funded Commission for Technology and Innovation provides financial and administrative support (subject to certain eligibility criteria). Furthermore, a considerable number of private initiative incubators and accelerators are active or have been recently launched to support emerging Fintech companies in the development of their business ideas and models. A number of Fintech-specific awards and challenges (e.g., Swiss Fintech Awards) are also intended to encourage innovation in the Fintech sector.

Fintech offering in Switzerland

The most represented areas of Fintech include the following:Robo-Advisors and high-frequency algorithmic tradingIn Switzerland, financial advisors providing financial advice or investment management services online via automated or semi-automated systems, so-called “Robo-Advisors”, are growing in popularity. Several companies offer Robo-Advisor services that allocate, manage and optimise clients’ assets based on mathematical rules or algorithms, which automatically determine the triggering and the individual parameters of an order (such as time, price or quantity). High-frequency trading is a subcase of algorithmic trading with very short delays in order generation and transmission, which usually pursues a very short-term trading strategy. Its distinctive feature is a high number of order entries, changes or deletions within microseconds.CrowdlendingCrowdlending refers to alternative ways of raising capital from many participants using online platforms with or without professional intermediaries. Crowdlending is also known as peer-to-peer (P2P) or social lending because funding is provided by individuals or companies that are not financial institutions or intermediaries. Participants (funding providers) typically receive a payment in return for their funding made available to the project developer (borrower) in the form of interest, although participating loans or bonds/notes issuances are also possible. The amount of the interest or return payment varies depending on the risk of the project and borrower, but generally represents a lower cost of funding for the borrower than traditional bank lending. There are a number of crowdlending-based platforms in Switzerland which offer loans for both private persons and companies. Currently, the Swiss regulatory framework for financial activities does not contain any specific rules regarding crowdlending activities (see below under “Key regulations and regulatory approaches”).Payment processorsIn Switzerland, the payment services market has evolved during the last few years. Since the first market entry of a mobile payment app, the Swiss market has seen several new companies and a rapid consolidation process. Many electronic payment systems are at least partially based on classic credit or debit card payment schemes, using technology to facilitate payments at the point of sale, in the context of e-commerce, or in some cases between individuals (P2P). In addition to credit and debit card-based payments, some payment apps may be linked to traditional bank accounts with partnering banks. While the user experience is similar, the payment is in this case executed as a bank transfer. These systems are often bank-operated or bank-sponsored, and may therefore be less constrained in regulatory matters.DLTDLT, such as various blockchain implementations, have been the focus of many public and private initiatives. Whilst the Swiss legislature is aware that the possibilities offered by DLT/



blockchain go far beyond the application to such alternative financings, there is currently a legislative focus on the financial sector. The Swiss Federal Council published in December 2018 a report on the legal framework for blockchain and DLT in the financial sector. The report noted that the Swiss legal framework is well suited to deal with new technologies, although a few selective adjustments are expected to be implemented in the coming years. As a result, on 25 September 2020, the Swiss Parliament adopted the Federal Act on the Adaptation of Federal Law to Developments in Distributed Ledger Technology (DLT Act). The aim of the DLT Act is to increase market access to Fintech companies in the field of DLT/blockchain technologies by improving legal certainty and removing certain regulatory barriers. In a nutshell, the legislative amendments include: (i) a civil law change aimed at increasing the legal certainty in the transfer of DLT-based assets; (ii) the possibility of segregation of crypto-based assets in the event of bankruptcy; and (iii) a new authorisation category for DLT Trading Facilities which provide services in the areas of trading, clearing, settlement and custody with DLT-based assets. Some provisions of the DLT Act entered into force on 1 February 2021, while the remaining provisions are expected to enter into force on 1 August 2021.Furthermore, traditional fundraising techniques and processes have been challenged in the last couple of years by the emergence of a new form of capital raising by start-ups in the form of initial coin offerings (ICOs) or token-generating events based on DLT technology. In this context, FINMA published the “ICO Guidelines for enquiries regarding the regulatory framework for initial coin offerings” on 16 February 2018. Generally, FINMA focuses on the economic function and purpose of the tokens, as well as whether they are tradeable or transferable, in order to classify the tokens broadly into three “archetypes”, which are payment tokens (which include cryptocurrencies), utility tokens and asset tokens. The classification of the tokens has an impact on the applicable legal and regulatory framework (see below under “Key regulations and regulatory approaches”). In August 2019, FINMA granted banking licences to two Fintech players (Seba and Sygnum) operating in the field of DLT-based assets.


The InsurTech market in Switzerland is growing rapidly, due to, for example, organisations pursuing business models which are based on the general challenges faced by incumbent insurance institutions (e.g., new regulatory frameworks, the inflow of alternative capital and the ongoing low interest rate environment). In general, incumbent insurance institutions have lower barriers when entering the InsurTech market, as they already have the corresponding licences and are able to focus on the development of the technology. To date, no legislation specifically refers to InsurTech business models. In this context, regulatory implications for specific InsurTech business models must be assessed under the ordinary principles governing the provision of insurance services, in particular, as regards maintaining the protection objectives of insurance supervision by FINMA.RegTech is a subset of Fintech focusing on technologies that may facilitate the delivery of regulatory requirements in a cost-effective and comprehensive way. RegTech refers to technology and software created to address regulatory requirements and help companies stay compliant, including by leveraging software and automation to close compliance gaps and to monitor and detect risks on a permanent basis. Outsourced functions by financial institutions (e.g., operational risk management and compliance tasks) is an important segment for RegTech companies. Again, to date, there is no legislation specifically referring to RegTech. FINMA has generally been welcoming technology applications supporting supervised entities in complying with regulatory requirements. Conversely, however, there



are no material efforts led by the Swiss regulator to promote the development, use and reliance of technology for regulatory compliance, despite the fact that FINMA has adopted a number of initiatives to digitalise its own processes (e.g., electronic data reporting, only secure document filing and transmission platform, etc.).

Regulatory bodies

In Switzerland, the legal framework governing the activities of Fintech operators consists of a number of federal acts and implementing ordinances issued by the Federal Council. The Swiss legal and regulatory framework does not foresee a single authority responsible for the overall supervision of Fintech companies. In this context, the following regulatory bodies and authorities may be involved depending upon the type of legislation concerned.FINMAFINMA is Switzerland’s regulator supervising the financial markets and its participants. The applicable licensing requirements or special approval processes, if any, depend on the business model of any given Fintech company. FINMA’s regulatory powers derive from the Federal Act on the Swiss Financial Market Supervisory Authority (FINMASA). Generally speaking, FINMA is responsible for the authorisation, supervision, enforcement and documentation of all activities that require an approval. The supervision is risk-based depending upon the respective financial market participant. Financial market laws are enforced by FINMA, making use of administrative measures where necessary. FINMA is also competent to issue implementing ordinances as well as circulars and other guidance. As regards Fintech in particular, FINMA intends to strengthen Switzerland’s position as one of the leaders in this sector. FINMA has a specific Fintech desk to address this sector’s issues more efficiently. In 2020, FINMA conducted around 100 preliminary investigations in connection with Fintech-based business models while 140 market players were placed on FINMA’s warning list, in particular in relation to ICOs conducted in Switzerland.2 FINMA’s warning list includes companies and individuals suspected of conducting unauthorised activities in the financial markets. The persons placed on the warning list are informed by FINMA and the treatment of their data is governed by the FINMA Data Processing Ordinance.Self-regulatory organisations (SROs)Swiss Fintech companies that are financial intermediaries operating on a commercial basis are subject to the Swiss anti-money laundering framework, namely the Anti-Money Laundering Act (AMLA) (see below under “Key regulations and regulatory approaches”). Companies subject to AMLA that are not otherwise supervised by FINMA (e.g., as a bank or securities firm) must become a member of an SRO recognised by FINMA. While having limited enforcement powers, SROs are responsible for supervising compliance with the due diligence obligations of the financial intermediaries. In turn, FINMA actively supervises the SROs.Supervisory organisation (SO)Swiss Fintech companies that operate as asset managers (or as trustees) are, under the new Swiss Financial Institutions Act (FinIA), required to be licensed by FINMA as such and become affiliated with an independent, privately organised SO. While FINMA retains the competence to issue licences to asset managers and trustees, as well as to conduct any respective enforcement proceedings, the ongoing supervision of those firms is delegated to the SOs, which, in turn, must obtain authorisation from FINMA and are themselves supervised by FINMA.



OmbudsmanSwiss Fintech companies that provide financial services under the new Financial Services Act (FinSA) are also, in principle, required to become affiliated to an ombudsman’s office. In this context, disputes regarding legal claims between clients and financial services providers are to be settled in mediation proceedings. Following the entry into force of the DLT Act on 1 February 2021, financial service providers serving exclusively institutional or professional clients are exempted from the obligation to affiliate with an ombudsman.Data Protection CommissionerThe Federal Data Protection and Information Commissioner (FDPIC) is the federal data protection authority in Switzerland. In addition, cantons are competent to establish their own data protection authorities for the supervision of data processing by cantonal and communal bodies. The FDPIC has no direct enforcement or sanctioning powers against private bodies processing personal data. Nevertheless, the FDPIC can carry out investigations on its own initiative or at the request of a third party (i) if methods of processing are capable of violating the privacy of a large number of persons (system errors), (ii) if a specific data collection must be registered, or (iii) if there is a duty to provide information in connection with a cross-border data transfer. To this effect, the FDPIC may request documents, make inquiries and attend data-processing demonstrations. On the basis of these investigations, the FDPIC may recommend that a certain method of data processing be changed or abandoned. Whilst these recommendations are not binding, if a recommendation made by the FDPIC is not complied with or is rejected, the FDPIC may refer the matter to the Federal Administrative Court for a decision. The revised Data Protection Act (DPA) recently adopted by the Swiss Parliament foresees that the FDPIC will be able to issue binding administrative decisions (instead of recommendations under the current DPA); for example, to modify or terminate unlawful processing.Criminal authoritiesIn addition to FINMA, which is competent to issue administrative sanctions, criminal prosecution authorities are also involved in enforcing financial market laws. Where irregularities fall under criminal law, FINMA may file a complaint with the competent authorities (Federal Department of Finance, Office of the Attorney General and cantonal prosecutors). As an example, the exercise of an activity that requires a licence under the financial markets legislation without having obtained said licence is a criminal offence.


Swiss law is generally technology-neutral and principle-based. Accordingly, Fintech companies based in Switzerland generally have considerable regulatory latitude compared to other jurisdictions. That being said, since 2015, the legislator’s focus has been on adapting the applicable legal and regulatory framework to the needs of the Fintech sector. In this context, the Swiss legislator introduced three measures within Swiss banking legislation with the aim of promoting innovation in the financial sector, i.e.:• the introduction of a maximum period of 60 days (as opposed to seven days, in

accordance with FINMA’s prior practice) for the holding of monies on settlement accounts (e.g., for crowdfunding projects), without any limitation in terms of amounts;

• the creation of an innovation area called a “sandbox”, where companies are permitted to accept public deposits up to a total amount of 1 million Swiss francs without the need to apply for a banking or fintech licence, subject to certain conditions such as disclosures and a prohibition to invest deposits; and



• the introduction of a new Fintech licence suitable for businesses whose activity involves some form of deposit-taking, but without any lending activities involving maturity transformation.

Under the Fintech licence, financial services providers are permitted to accept public deposits provided that (i) the aggregate amount of deposits does not exceed 100 million Swiss francs, (ii) the deposits do not bear interest (or are not otherwise remunerated), and (iii) the deposits are not re-invested by the company (i.e., they are not used for on-lending purposes). This new Fintech licence involves less stringent regulatory requirements than a banking licence. Strict banking equity ratio requirements as well as the liquidity requirements do not apply. In addition, leaner minimal capital requirements apply. In this context, the minimum equity capital of companies benefitting from such a licence must amount to 3% of the public funds (deposits) and must, in any case, reach a minimum of 300,000 Swiss francs. On 3 December 2018, FINMA issued guidelines for the Fintech licence, highlighting the information and documentation that an applicant must submit when applying for such licence. This namely includes a list of all participants holding a direct or indirect interest of 5% in the applicant, information on the governing bodies, as well as various explanations on the activities of the company with a business plan for three financial years. To be clear, the Fintech licence is not a banking licence, and companies operating under such a licence do not qualify as a banking institution and may not use such designation. In this context, the client deposits are not covered by the Swiss deposit protection regime and the clients must be comprehensively informed in advance of this fact, as well as of the risks resulting from the business model. To date, FINMA has granted Fintech licences to three companies offering payment services.Alongside these specific Fintech-dedicated measures, the general applicable legal and regulatory framework applies to Fintech companies and may be summarised as follows:Banking and securities-dealing legislationThe solicitation and acceptance of deposits from the public on a professional basis is, as a matter of principle, an activity restricted to Swiss banks and triggers the obligation to obtain a fully-fledged banking licence from FINMA. Under the Banking Act, the term “deposit” broadly encompasses any liability owed to a client. Deposits are deemed to be “public” as soon as (i) funds are solicited from the “public” (as opposed to being solicited from banks or professional financial intermediaries, institutional investors/shareholders, employees or other related persons), or as soon as (ii) funds from more than 20 depositors are accepted. As a result of this approach, most business models relied upon by payment systems, payment services providers, crowdfunding or crowdlending platforms, for instance, are considered to involve the solicitation and acceptance of deposits and may fall within the scope of the Banking Act and, therefore, trigger licensing requirements.That being said, in the event that deposits of not more than 1 million Swiss francs (see above “sandbox” exception with applicable conditions) are held by a Fintech company, no banking licence will be needed. Similarly, if the deposits are held for less than 60 days on a settlement account (without any limitation in terms of amounts), no banking licence will be needed. All other deposit-taking activities require either a Fintech licence for a deposit-taking activity not exceeding 100 million Swiss francs, or a fully-fledged banking licence. It is also worth noting that funds linked to means of payment or to a payment system are exempted from the qualification as deposits, provided that (i) the funds serve the purpose of purchasing goods or services, (ii) no interest is paid on them, and (iii) the funds remain below a threshold of 3,000 Swiss francs per customer and per issuer of a payment instrument or operator. Although this



exemption may provide some relief to card payment services and online or mobile payment services, it requires a model strictly tailored in a way that any funds stored on user accounts be limited to the purchase of goods and services (as opposed to allowing P2P transfers, withdrawals, transfers to the user’s bank account, etc.) and never exceed 3,000 Swiss francs per customer.In addition, the new Swiss Financial Services Act (FinSA) and FinIA entered into force on 1 January 2020. Whilst the purpose of FinIA is to provide a new legal framework governing most financial institutions (i.e., asset managers, trustees, managers of collective assets, fund management companies and securities firms), the objective of FinSA is to regulate financial services in Switzerland, whether provided by a Swiss-based business or on a cross-border basis to clients in Switzerland (see also under “Cross-border business” below as regards cross-border regulation). The rules are largely based on the EU directives (MiFID II, Prospectus Directive, PRIIPs), with adjustments made to reflect specific Swiss circumstances. In a nutshell, as regards Fintech, the new legal framework may involve additional regulatory requirements to the extent that Fintech companies provide financial services in Switzerland, or to clients in Switzerland (application of FinSA), or provide asset management services or other regulated services in Switzerland (application of FinIA and new licensing requirements). For example, Fintech companies buying or selling securities in a professional capacity on the secondary market, either for their own account with the intent of reselling them within a short time period, for the account of third parties, for making public offers of securities on the primary market, or offering derivatives to the public, fall within the ambit of FinIA. In such case, a FINMA licence as a securities firm will be required.AML legislationAny Swiss-based natural or legal person accepting or holding deposit assets belonging to others, or assisting in the investment or transfer of such assets, qualifies as an intermediary according to AMLA. Namely, this includes persons carrying out credit transactions (in particular, in relation to consumer loans or mortgages, factoring, commercial financing or financial leasing) or providing services related to payment transactions. This applies to many upcoming business models, such as those involving mobile payments, blockchain and related applications, cryptocurrencies, automated investment advice, crowdfunding or P2P lending. Based on this broad scope, many, if not most, Fintech companies qualify as financial intermediaries and are generally subject to AML obligations, including compliance with know-your-customer (KYC) rules. As mentioned, Fintech companies subject to AMLA that are not otherwise supervised by FINMA (e.g., as a bank or securities firm) are required to join an SRO (see above under “Regulatory bodies”). Compliance with Swiss AML regulations is relatively straightforward and usually does not represent a significant entry barrier. However, dealing with the associated costs (which can be substantial and, hence, a key aspect with respect to certain business models) requires careful planning and possibly adaptation of envisioned business models. This applies, in particular, to Fintech companies providing alternative finance (e.g., crowdlending) platforms and payment services. Similarly, compliance with AML/CFT requirements may be challenging for virtual currency payment products and services that rely on a set of decentralised cross-border virtual protocols and infrastructure elements. In this context, FINMA confirmed in its ICO Guidelines (see above under “Fintech offering in Switzerland”) that AML requirements may be fulfilled by having the funds accepted via a financial intermediary which is already



subject to AMLA in Switzerland, and which performs the corresponding due diligence requirements on behalf of the ICO organiser. In such circumstances, the ICO organiser does not itself have to be affiliated to an SRO. Separately, FINMA also issued a circular on video and online identification (FINMA Circular 2016/7, currently being revised by FINMA). Aimed at levelling the playing field and fostering technological developments, this circular provides for the possibility of financial intermediaries to comply with their KYC requirements by means of video transmission and other forms of online identification.Data protectionThe processing of personal data by private persons and federal bodies is regulated, in particular, by the DPA and the Data Protection Ordinance (DPO), which apply, with some exceptions, to the processing of data relating to natural persons as well as (contrary to most other jurisdictions) legal entities. Personal data must be protected against unauthorised processing by appropriate technical and organisational measures. Such protection has been specified with respect to the storing, processing and transferring of client data in the banking sector (Annex 3 to FINMA Circular 2008/21 on capital adequacy requirements for operational risks within the banking sector). Of note, Swiss data protection law is currently being amended with the aim of aligning Swiss legislation with international data protection standards (including the EU General Data Protection Regulation, GDPR). The total revision of the DPA was adopted by the Swiss Parliament in September 2020. The updated DPA will generally increase transparency and strengthen the rights of data subjects. In addition, it will namely introduce notification obligations in case of data breaches as well as increased fines in case for data protection violations. As a next step, the implementing ordinance to the DPA will be revised and submitted for public consultation. The new legislation is expected to enter into force in the course of 2022.As regards cybersecurity, non-binding guidelines, with respect to minimum security requirements for telecommunications services, have been issued by the competent regulator, the Federal Office of Communications (OFCOM). Also, in 2020, FINMA issued new rules related to the reporting by FINMA-supervised financial institutions of cyber-attacks. However, there is no cross-sector cybersecurity legislation in Switzerland that would generally be applicable to Fintech companies.As regards blockchain, although the data stored on a public blockchain is usually encrypted, personal data can still be generated by linking further information enabling it to be assigned to a natural person. If this is the case, the transparency and immutability of the information documented on the blockchain are not compatible with the basic principles of data protection. Participation in a blockchain platform would, to some extent, be tantamount to giving up informational self-determination (consent) as the data has been entered voluntarily into the system. While encryption technology and digital signatures fundamentally increase data security, effective protection against loss or theft also depends, to a large extent, on the management of private keys. For example, several of the major thefts of tokens can be traced back to the improper management of private keys. For this reason, great importance must be attached to the safekeeping of private keys.Other relevant legislationOther legislation may apply to Fintech companies. As an example, under the Swiss Consumer Credit Act (CCA), only authorised lenders are entitled to provide consumer credits. Registration must be obtained from the lender’s Swiss Canton of establishment or, if the activity is conducted on a cross-border basis by a foreign lender, with the Swiss Canton in which the lender intends to perform its services. In the course of the amendment



of the Banking Act to introduce the new Fintech licence category (see above), the CCA has been amended. In this context, consumer loans that are obtained through a crowdlending platform will need to comply with the same consumer protection afforded by the law as if they were extended by a professional lender.In addition, further licensing and supervisory requirements from the Swiss National Bank may be required for payment systems with payment settlement levels in excess of 25 billion Swiss francs (gross) per financial year, as well as for Swiss and foreign payment systems that are classified as “systemically relevant”.

Restrictions

Based on its technology neutrality and principles-based approach, the Swiss regulatory framework allows for considerable regulatory latitude and room for development for Fintech companies. Two key principles of Swiss financial market regulation are system stability and consumer protection. Accordingly, a number of cross-sector regulations aim at strengthening the robustness of financial institutions while ensuring transparency. The specific Swiss Fintech regulation (see above under “Key regulations and regulatory approaches”) maintains these principles while addressing the most critical barriers to innovative business models – i.e., the regulatory threshold for accepting client money and holding more than 20 deposits – and is tailored to allow fair and equal treatment of all market players while providing a risk-based framework to encourage innovation.Traditional financial institutions encounter lower barriers when entering the Fintech market because such institutions are typically fully licensed and are, hence, in a position to develop and deploy technology-driven business models without the additional burden of ensuring that such development and deployment is in line with applicable general regulatory requirements. Several regulatory circulars and guidance papers, such as the FINMA Video and Online Identification Circular, FINMA ICO Guidelines and Swiss Federal Council’s report on the legal framework for blockchain/DLT in the financial sector, are also aimed at lowering entry barriers for emerging companies by clarifying the regulatory framework applicable to Fintech companies. In this context, the current legal and regulatory framework generally allows new business opportunities for Fintech companies irrespective of the technology used, including by way of collaboration, outsourcing and otherwise.In addition, it is worth noting that in the absence of international standards, FINMA, as well as other regulators across the world, generally adopt a cautious approach in relation to new technologies (e.g., capital adequacy requirements for cryptocurrencies). Such approach creates uncertainties for emerging Fintech companies as well as for existing financial institutions which are exposed to significant reputational risk.


New legislation came into force on 1 January 2020 that provides, inter alia, that a non-Swiss financial services provider acting on a cross-border basis will be subject to Swiss rules of conduct, as well as, under certain circumstances, registration requirements in Switzerland for its client advisors. Client advisors of foreign-based financial services providers are required to register in a Client Advisors Register in Switzerland prior to being able to offer financial services in Switzerland. In this context, the registration requirement does not apply at the level of the financial services provider, but at the level of the individuals qualifying as “client advisors” of such financial services provider. An exemption to the registration applies for client advisors of foreign financial services providers subject to



prudential supervision and providing financial services exclusively to professional and institutional clients.As regards AML obligations, the Swiss regime (AMLA) only applies to financial intermediaries that have a “physical presence” in Switzerland and, as a rule, does not extend to foreign institutions active on a pure cross-border basis. As an example, payment service providers conducting their activity exclusively via electronic channels or the internet, for instance, are typically not subject to AMLA. That being said, irrespective of the application of AMLA, the general prohibition of money laundering under criminal law remains applicable.Finally, it is worth noting that FINMA engages with a number of international bodies to establish a framework aimed at promoting innovation, as well as the protection of customers and investors in this area. In this context, FINMA has entered into several memoranda of understanding with various foreign regulators and regularly cooperates with foreign regulators or organisations. As an example, FINMA entered into a cooperation agreement with the Monetary Authority of Singapore in September 2016 with the aim of encouraging and enabling innovation in their respective financial services industries. Overall, both FINMA and the Swiss legislator endeavour to support financial innovation and to establish a Fintech-friendly environment.

* * *

Endnotes1. Swiss Venture Capital Report 2021, available at: https://www.startupticker.ch/en/home.2. FINMA Annual Report 2020, available at: https://www.finma.ch/en/documentation/finma-

publications/annual-reports--and-financial-statements/.

Dr. Lukas MorscherTel: +41 58 450 80 00 / Email: [email protected]. Lukas Morscher is a partner and head of the Technology and Outsourcing practice, co-head of the Fintech practice in the Zurich office of Lenz & Staehelin and an expert on the digitisation of the financial services industry. He practises in transactional and regulatory matters in technology, outsourcing (IT and business process transactions), Fintech and digitisation, distributed ledger technology (DLT) and blockchain, crypto finance, digitised capital markets, tokenisation of securities (ICOs, STOs), digital assets (custody solutions, trading platforms), data privacy, internet and e-commerce, banking and finance, corporate and M&A, private equity, stock exchange law, corporate governance. A member of SwissICT and the International Technology Law Association (ITechLaw), Lukas Morscher is a frequent speaker on topics related to Fintech and digitisation.

Fedor PoskriakovTel: +41 58 450 70 00 / Email: [email protected] Poskriakov is a partner at Lenz & Staehelin in the Banking and Finance practice in Geneva and specialises in banking, securities and finance law with a focus on Fintech. He regularly advises on various regulatory, contractual and corporate matters. His practice covers banking, investment management and alternative investments, including private equity and hedge funds. He also advises on complex asset structuring and protection for business and private assets. Fedor Poskriakov heads the Geneva Fintech practice and is the secretary general of the Capital Markets and Technology Association (CMTA). He has developed expertise in advising on new technologies, including DLT (and blockchain), as well as novel Fintech business models.

Lenz & StaehelinRoute de Chêne 30, 1211 Geneva 6, Switzerland

Brandschenkestrasse 24, 8027 Zurich, SwitzerlandTel: +41 58 450 70 00 / +41 58 450 80 00 / URL: www.lenzstaehelin.com



Isy Isaac SakkalTel: +41 58 450 70 00 / Email: [email protected] Isaac Sakkal is a senior associate in the Geneva office and is a member of the Banking and Finance group. His practice covers banking and finance, investment funds, regulatory, Fintech, corporate, M&A and contracts. Isy Isaac Sakkal is admitted to the Bar in Geneva and New York. He has a Master’s in Business Law from the University of Geneva (Switzerland), as well as an LL.M. from the University of California, Berkeley (USA).

TaiwanRobin Chang & Eddie HsiungLee and Li, Attorneys-at-Law



In recent years, Taiwan has adopted various initiatives to facilitate financial innovation with the development of technology. In particular, the Financial Supervisory Commission (FSC), Taiwan’s financial regulator, published the “Fintech Development Strategy Whitepaper” in May 2016 to demonstrate its commitment to fintech. In addition, an action plan designed by the FSC to develop Taiwan’s financial sector was later unveiled in June 2018. The plan aims to spur financial innovation and implement a range of financial policies to respond to financial service demands. Also, to promote fintech services and companies, the Taiwan government promulgated a law for the fintech regulatory sandbox, the FinTech Development and Innovation and Experiment Act (the Sandbox Act), on 31 January 2018, which took effect on 30 April 2018. The Sandbox Act was promulgated to enable fintech businesses to test their financial technologies in a controlled regulatory environment. At the time of writing, nine applications have been approved by the FSC to enter into the sandbox under the Sandbox Act as summarised below:1. to facilitate digital banking business, e.g. online credit (credit card, credit facility), by

means of a mobile phone ID verification system;2. outbound remittance by foreign workers through local convenience stores (two cases);3. to use blockchain technology for the transmission of fund transfer information between

financial institutions;4. to enable customers to purchase travel insurance through the website of a travel agency

by means of API connections;5. to provide the “fund exchange” service by means of blockchain technology; 6. to shorten the fund transmission gap by means of a “T+0 contract mechanism”; 7. to provide a group buying platform for investing in bonds with blockchain as the

underlying technology; and8. to allow investors to buy U.S. ETFs using dollar-cost averaging strategy based on the

advice provided by robo-advisors.According to relevant local news articles, three of the experiments which entered the regulatory sandbox may be implemented legally in the real world soon. It is generally expected that relevant existing laws and regulations involved in the experiments will be amended by the FSC and/or the Legislative Yuan, so the applicants of those experiments may apply for the new licence or approval for their business after the laws and regulations to be amended become effective officially.In addition to the sandbox mechanism described above, in 2018, the Taiwan government also supported fintech developments by, for example, establishing a “FinTech Space”, which is a

Lee and Li, Attorneys-at-Law Taiwan


physical location situated in the city of Taipei with an aim to provide relevant assistance to fintech startups, such as acting as an intermediary between fintech startups and financial services entities (with respect to potential cooperation between the parties), a “regulatory clinic” (i.e., free preliminary advice provided by government officials regarding regulations), etc.

Fintech offering in Taiwan

The following activities/services are certain important examples of the application of relevant new technologies to the financial industry in Taiwan: Robo-advisorsIn June 2017, the Securities Investment Trust and Consulting Association of Taiwan (SITCA), the self-disciplinary organisation of the asset management industry, issued “Operating Rules for Securities Investment Consulting Enterprises Using Automated Tools to Provide Consulting Service (Robo-Advisor)” (the Robo-Advisor Rules), which were approved by the FSC. Pursuant to the Robo-Advisor Rules, Securities Investment Consulting Enterprises (SICEs) may provide online securities investment consulting services by using automated tools through an algorithm (Robo-Advisor Services), and must comply with certain rules, which include, among others, the following: • periodical review of the algorithm; • relevant know-your-customer (KYC) procedures should be conducted before provision

of advice; • a special committee should be established to supervise the adequacy of the Robo-

Advisor Services; and • customers should be informed of precautions before using Robo-Advisor Services.Electronic paymentsThe Electronic Payment Institutions Act (E-payment Act), which governs the online payment sector in Taiwan, was enacted in 2015. In December 2020, Taiwan’s parliament, the Legislative Yuan, made an amendment to the E-payment Act, which took effect on 1 July 2021. Under the amended E-payment Act, the scope of business of a new e-payment institution includes (1) core businesses, and (2) ancillary and derivative businesses.For the core businesses, in addition to the existing businesses of (i) collecting and making payments for real transactions as an agent, and (ii) accepting deposits of funds as stored-value funds, small amount domestic and cross-border remittance services and foreign exchange services relating to the core businesses have been opened to e-payment institutions from the effective date of the amendment. The ancillary and derivative businesses are all new under the E-payment Act, which include (a) assisting the contracted merchants with integration and transmission of acquiring and payment information, (b) sharing terminal equipment at the contracted merchants, (c) assisting the information exchange between the users and between the users and the contracted merchants, (d) providing an electronic Uniform Invoice system and its value-added services, (e) taking custody of paid price of vouchers/tickets of goods/services, and assisting in the issuance, sales, validation and related services for vouchers/tickets, (f) providing services for integration of bonus points and offsetting/settling payments for real transactions with bonus points, (g) providing value storing blocks in electronic stored-value cards or application programs for use by others, and (h) providing any planning, instalment, maintenance or consultancy services for the information system and facilities in relation to the above seven ancillary and derivative businesses of e-payment institutions.



“Small amount remittances by foreign workers” allowed for non-payment institutions The amended E-payment Act also permits qualified non-e-payment institutions to apply to become a cross-border remittance service provider exclusively for foreign workers in Taiwan. Detailed enforcement rules and regulations promulgated by the FSC were made effective on 1 July 2021.Digital-only banksIn 2018, the FSC promulgated relevant regulations governing the application for establishment of digital-only banks (i.e., banks without physical branches). Three applications were filed with the FSC by 15 February 2019 and all of them were approved by 30 July 2019. According to relevant local news articles, two of them have officially started operating as of the time of writing. The establishment of digital-only banks is anticipated to encourage cross-industry combinations and fintech applications for everyday life by building a fintech ecosphere.Security token offeringsOn 3 July 2019, the FSC, by issuing a ruling, officially designated cryptocurrencies with the nature of securities, i.e. security tokens, as “securities” under the Securities and Exchange Act (SEA) (2019 Ruling). According to the 2019 Ruling, security tokens refer to those which: • utilise cryptography, distributed ledger technology or other similar technologies to

represent their value that can be stored, exchanged or transferred through a digital mechanism;

• are transferable; and • encompass all of the following attributes of an investment:

• funding provided by investors; • providing funding for a common enterprise or project;• investors expecting to receive profits; and• profits generated primarily from the efforts of the issuer or third parties.

Since mid-2019, the FSC and the Taipei Exchange (TPEx) have been outlining the set of regulations governing Security Token Offering (STO), and such rules (STO Rules) were finalised in January 2020. The FSC differentiates the regulation of STOs with the threshold of NT$30 million. For an STO of NT$30 million or less, the STO may be conducted in compliance with the STO Rules; an STO above NT$30 million must first apply to be tested in the “financial regulatory sandbox” pursuant to the Sandbox Act and, in case the experiment has a positive outcome, should be conducted pursuant to the SEA. Please see below summary of certain key provisions of the STO Rules (i.e., for STOs of NT$30 million or less): Qualifications of the issuer – the issuer must be a company limited by shares incorporated under the laws of Taiwan and not a company listed on the Taiwan Stock Exchange or TPEx or traded on the Emerging Stock Market.Types of security tokens that can be issued – the issuer can only issue profit-sharing or debt tokens without shareholders’ rights.Eligible investors and amount limits – only “professional investors” are eligible to participate in STOs; where the professional investor is a natural person, the maximum subscription amount is NT$300,000 per STO.Pursuant to the STO Rules, there are also some other requirements and restrictions including those regarding trading (secondary market), the STO platform operator (licensing



requirements – securities dealer licence, with minimum paid-in capital of NT$100 million, etc.), real-name basis, NT$ only, etc. Cloud computingWhen the use of cloud computing involves outsourcing the operations of a financial institution, relevant laws and regulations governing outsourcing activities should be complied with. In general, an outsourcing activity should follow the internal rules and procedures of the financial institutions, and in certain circumstances, prior approval from the FSC would be required. According to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation as last amended on 30 September 2019, a prior approval from the FSC shall be required if an outsourcing of operations by a financial institution involves cloud-based services and the outsourcing of operations is considered “material” or the operations are outsourced to an overseas service provider. Further, when the outsourcing involves cloud-based services, the financial institution shall, among others: (i) ensure appropriate diversification of cloud service providers; (ii) retain full ownership of the data outsourced to cloud service providers; and (iii) ensure the location for processing and storage is within Taiwan (with certain exceptions).


RegtechWith the rise of regtech globally, it was reported that the FSC has promoted regtech from two aspects of financial inspection: enabling financial institutions to use APIs; and enhancing the efficiency of the mobile office of the Financial Examination Bureau of the FSC (EB). In addition, it was also reported that the FSC is designing policies to supervise and build digital-only banks and will keep financial supervision costs down through API technology. The FSC will have the regulatory framework in force on the same day the digital-only banks are launched. InsurtechThe development of insurtech in Taiwan is mainly reflected in the increasing types of insurance policies that may be purchased purely online. It was also reported that the FSC has been encouraging insurance companies to adopt insurtech that may improve the efficiency of their operations by, among others, cooperating with tech companies on areas or topics such as identity verification, approval of insurance, insurance claim and settlement process, use of blockchain technology, electronic insurance policies, and so on.For example, the Life Insurance Association and several insurers in Taiwan built up a blockchain platform to improve the claims settlement process in 2020. Through the platform, insureds can file claims with multiple insurers in a single submission, instead of submitting to each insurer respectively. Insurers may also integrate and exchange the relevant data via the platform and review the proposed claims in a more efficient way aiming to provide a faster claim settlement service. It was also reported that four hospitals joined this platform as of April 2021, thus now clients can file claims in these four hospitals.Also, due to the current severe COVID-19 situation in Taiwan, on 25 May 2021, the FSC announced a temporary measure that enables insurance agents to meet the insureds via video and obtain documents by means of email or uploading through the internet, rather than meeting in person and submitting paper documents.

Regulatory bodies

In Taiwan, the FSC is the government body regulating all financial products and services.



There are four bureaux established under the FSC, which are the Banking Bureau (BB), the Securities and Futures Bureau (SFB), the Insurance Bureau (IB) and the EB. Each of the BB, SFB and IB is separately responsible for regulating the banking, securities and insurance industries. The EB is in charge of financial inspection and audits of financial institutions regulated by the FSC. Currently, none of the four bureaux has been specifically designated to regulate fintech products and services. Therefore, it should depend on the nature of such products and services to determine which bureau would be the body regulating the relevant fintech products or services. As to the mechanism of the regulatory sandbox described in “Approaches and developments”, the FSC is the competent authority; nonetheless, if the tested fintech product and service relates to the regulatory regime of other competent authorities (such as the Central Bank of the Republic of China (Taiwan) (the Central Bank)), the opinion of such relevant authority will also be consulted by the FSC.


In Taiwan, conducting finance-related activities generally requires a licence from the FSC. However, there is no special licence specifically targeted at fintech companies. Such activities include, without limitation: 1. Securities-related activities: securities underwriting; securities brokerage; securities

dealing (i.e., proprietary trading); securities investment trust (i.e., asset management); and securities investment consulting.

2. General consulting business, such as acting as financial advisers or agents to arrange investments or bring about merger or acquisition deals, does not require any licence. In addition, acting as principal in an investment deal does not require any licence as well (save for foreign investors, who will need a foreign investment approval, and investment in regulated industries, which will need special approvals).

3. Bank-related activities: (1) lending: lending activities do not fall within the businesses to be exclusively

conducted by a local licensed bank. However, as no financing company may be registered in Taiwan, it is currently not possible for an entity to register as a financing company to carry on lending activities in Taiwan;

(2) factoring and invoicing, discounting and secondary market loan trading; (3) deposit taking;(4) foreign exchange trading; (5) remittance; and (6) electronic payments, credit cards and electronic stored-value cards.

With respect to the regulatory sandbox under the Sandbox Act (see “Approaches and developments”), the sandbox offers a platform to test new applications of fintech technologies. According to the Sandbox Act, an applicant (who can be an entity or individual) needs to obtain an approval from the FSC before entering the sandbox and beginning the experiment. During the experiment period, the experimental activities may enjoy exemptions from certain laws and regulations (such as FSC licensing requirements and certain legal liability exemptions). After completion of the approved experiments, the FSC will analyse the results of the experiments. If the result is positive, the FSC may review the existing financial laws and regulations and explore the possibility of amending such existing rules that pose obstacles to the experimented financial innovation if put in the real world. Note, however, that, depending on the review result of the FSC, the sandbox



entity or individual might still be required to apply for a relevant licence or approval from the FSC in order to formally conduct the activities as previously tested in the sandbox. As to the influence of any supra-national regulatory regimes or regulatory bodies, please be advised that there was an amendment to Taiwan’s anti-money laundering (AML) law, the Money Laundering Control Act (MLCA); it is generally considered that such amendment has moved Taiwan’s regulatory standards for anti-money laundering closer to the those recognised internationally. With respect to digital currency platform operators or transactions, the latest amended MLCA has brought the “virtual currency platforms and trading business” into Taiwan's AML regulatory regime, under which the enterprises falling within the designated scope will be subject to the relevant rules applicable to financial institutions under the MLCA. On 7 April 2021, Taiwan’s Executive Yuan issued a ruling (AML Ruling), interpreting the scope of enterprises of “virtual currency platforms and trading business” under the MLCA, which is generally expected to take effect on 1 July 2021. The scope described under the AML Ruling covers those who engage in the following activities for others:1. exchange between virtual currency and NT$, foreign currencies or currencies issued by

Mainland China, Hong Kong or Macao;2. exchange between virtual currencies;3. transfer of virtual currencies;4. custody and/or administration of virtual currency or providing instruments enabling

control over virtual currencies; and5. participation in and provision of financial services related to issuance or sale of virtual

currencies.After the AML Ruling was issued, the FSC promulgated the draft Regulations Governing Anti-Money Laundering and Countering the Financing of Terrorism for Enterprises of Virtual Currency Platforms and Trading Business. According to the draft regulations, the designated operators of crypto-assets and exchanges would be required to establish, among others, an internal control and audit mechanism, a reporting procedure of suspicious transactions and the KYC procedure, etc. The regulations took effect on 1 July 2021, save for the provision requiring the “transfer-out” of the cryptocurrency to be carried out on a no-name basis both for the transferor and transferee – the effective date of such provision will be further determined by the FSC.

Restrictions

To engage in regulated financial activities, a company needs to apply for the relevant licences to the FSC. Depending on the types of regulated activities, the applicant must meet certain qualifications as required under relevant laws and FSC regulations. A fintech company cannot carry on regulated activities without a licence from the FSC. Also, a fintech company may be subject to relevant restrictions under financial laws and regulations if the fintech activities are considered financial services. For example, the Financial Consumer Protection Act (FCPA) and its related regulations provide for the general marketing rules applicable to the marketing materials for financial services. In general, under the FCPA, when carrying out advertising, promotional or marketing activities, financial services providers should not falsify, conceal, hide or take any action that would mislead financial consumers and should ensure the truthfulness of the advertisements. In addition to the general marketing rules under the FCPA, the financial service providers may also be subject to additional marketing rules as specified in the laws and regulations governing the specific types of financial services or products.




There is no concept of a “passporting right” in Taiwan. To engage in regulated financial activities, a company needs to apply for the relevant licences to the FSC. Depending on the types of regulated activities, the applicant must meet certain qualifications as required under relevant laws and FSC regulations. Foreign companies cannot carry on regulated businesses (which include financial services) without a licence and the FSC licences required for providing financial services are not issued to foreign companies without establishing a subsidiary or a branch in Taiwan.Cross-border activities might involve the need for foreign exchange, i.e., conversion from local currency (i.e., NT$) into foreign currency or the other way around. As for foreign exchange-related restrictions, for each calendar year, a Taiwanese company may, upon filing a report with the Central Bank, purchase foreign currency with NT$ and remit the foreign currency out of Taiwan for purposes other than trade or service-related payments, in an amount up to US$50 million or its equivalent without special approval from the Central Bank. Foreign exchange purchases for purposes other than trade or service-related payments exceeding the applicable ceiling would require special approval from the Central Bank. Such approval is discretionary and is decided by the Central Bank on a case-by-case basis. In June 2021, in response to rapid changes in the economic conditions and financial markets as well as the new E-payment Act, which was made effective in July 2021, the Central Bank proposed an amendment to the current foreign exchange regulations. If such amendment comes into effect, the Central Bank will have the authority to adjust the abovementioned foreign exchange quota from time to time. As far as we understand, no Taiwan laws or regulations have been specifically promulgated or amended as a result of any cross-border collaboration with global regulators to address any of the emerging fintech-related issues, except for the amendment to the MLCA (anti-money laundering law) discussed under “Key regulations and regulatory approaches” above.

Robin ChangTel: +886 2 2763 8000 Ext.2208 / Email: [email protected] Chang is a partner at Lee and Li, Attorneys-at-Law and the head of the firm’s banking practice group. His practice focuses on fintech services and regulatory issues, banking, IPO, capital markets, M&As, project financing, financial consumer protection law, personal data protection law, securitisation and antitrust law.Mr. Chang advises major international commercial banks and investment banks on their operations in Taiwan. He successfully assisted the listing of some foreign companies in Taiwan. He is also involved in many M&A transactions of financial institutions in the Taiwan market.

Eddie HsiungTel: +886 2 2763 8000 Ext.2162 / Email: [email protected] Hsiung is licensed to practise law in Taiwan and New York. His practice focuses on M&A, securities, financial services, general corporate and commercial, startups, etc. He regularly advises leading banks, securities firms, payment and credit cards and other financial services companies on transactional, licensing and regulatory and compliance matters, as well as internal investigations. In addition to the abovementioned traditional practice areas, he is familiar with legal issues regarding the digital economy and the application of new technologies, such as fintech (e-payment, digital financial services, and regulatory sandboxes), blockchain, virtual assets, AI, data protection, and is often invited to participate in public hearings, seminars, and panel discussions to provide advice to the government, regulators, legislators and university/research institutions in these areas on regulatory policies.

Lee and Li, Attorneys-at-Law8F No. 555, Section 4, Zhongxiao East Road, Xinyi District, Taipei City, 11072, Taiwan

Tel: + 886 2 2763 8000 / URL: www.leeandli.com



ThailandSappawit Jansuparerg & Thaya Uthayophas

Weerawong, Chinnavat & Partners Ltd.



With high levels of digital and mobile penetration and regulatory transparency and advancement, Thailand is fast becoming a FinTech hub in the ASEAN region.1 The COVID-19 pandemic has been a key driving force in spurring the adoption of FinTech throughout the country, with Thailand’s internet penetration rate and the number of mobile connections now standing at 69.5% and 129.7% of the total population, respectively, as of January 2021.2 Additionally, Thailand’s key FinTech regulators – the Bank of Thailand (BOT), the Securities and Exchange Commission (SEC), and the Office of Insurance Commission (OIC) – have been receptive to technological innovation in the financial sector.3

Indeed, there has been a big push since the mid-2010s to promote the adoption of FinTech by the relevant parties in Thailand. The Thai FinTech Association was established in July 2016 with the aim of facilitating ecosystem collaboration to drive the growth of the FinTech industry in Thailand.4 The Government of Thailand established the Digital Economy Promotion Agency (DEPA) in January 2017 to support the development of the digital industry, and a cabinet resolution providing guidelines for the promotion of FinTech in Thailand was issued on 17 April 2018.5 The National Innovation Agency (NIA, established in 2003) meanwhile continues to provide training, including in FinTech, and the Electronic Transactions Development Agency (ETDA, established in 2011) has continued to push strongly for the adoption of electronic transaction facilities. The E-Commerce Association of Thailand (THECA, established in 2005) provides important connections and support to players in the e-marketplace, e-travel and e-payment sectors.Regulations governing digital transactions have been in place in Thailand since the 2000s, with the Electronic Transaction Act of 2001 recognising the effectiveness of electronic transactions and the Electronic Payment Services Business Act of 2008 regulating electronic payment formats and procedures, which was replaced by the Payment Systems Act of 2017. The Electronic Transaction Act of 2001 may soon be amended to include greater protections for online consumers. The launch of a National E-Payment Plan in 2015 and the successful implementation of the national PromptPay electronic fund transfer system in 2017 with links to ASEAN networks have contributed to the elimination of most bank transfer fees in Thailand and encouraged a less cash-based economy.6

With Board of Investment privileges for FinTech digital services companies, including exemption from corporate income tax and other non-tax incentives,7 and Smart City investment programmes in digital technology innovations,8 Thailand is now home to at least 96 FinTech start-ups and is one of the fastest-growing digital asset markets in the world.9

Weerawong, Chinnavat & Partners Ltd. Thailand


FinTech offerings in Thailand

FinTech offerings in Thailand include:• Digital payments, including mobile wallets and remittance.• Retail investment platforms.• Digital assets, including cryptocurrencies and digital tokens.• Personal finance solutions.• Peer-to-peer lending and alternative credit.• Crowdfunding.• Financial education.• InsurTech.• Financial and insurance comparison tools.• Robo-advisors.• Business tools (B2B).• Financial infrastructure, including electronic know your customer (e-KYC) and the

Scripless Bond Project.10

Thailand’s top digital sectors include E-Commerce, TravelTech, InsurTech, HealthTech, FoodTech, and Telecommunications.


Regulatory Technology (RegTech)Key examples of RegTech in Thailand include e-KYC, digital banking and mobile banking with biometrics, alternative credit, and peer-to-peer lending:• The e-KYC process and the use of biometrics for digital and mobile banking are

possible under Notification of the Bank of Thailand No. FPG. 19/2562 Re: Regulations on Know Your Customer (KYC) for deposit account opening at financial institutions, which was announced on 23 August 2019.11 A KYC process is required for the opening of savings accounts in person or though internet or mobile banking. Financial institutions are responsible for obtaining identification data and documents that verify the customer’s identity, but such data and documents may also be in electronic form for the e-KYC process. They may also adopt biometric comparison technology to enhance the efficiency of customer verification. For non-face-to-face verification, financial institutions must take a photo of the customer and use liveness detection and biometric comparison technology to verify the identity of the customer.

• On 15 September 2020, the BOT issued a circular permitting the use of alternative data for credit analysis in loan approval processes.12 Under the Circular Re: Rules, Procedures and Conditions for the Undertaking of Digital Personal Loan Business, lenders may apply for a digital personal loan business licence, which requires the lenders to digitise the lending process and use alternative data, including utility and mobile phone bill payment behaviours or earning and spending behaviours on e-commerce platforms, in assessing the borrower’s ability or willingness to repay the loan. Lenders may grant a digital personal loan with the maximum credit amount of 20,000 baht, and a maximum repayment period of six months. Effective rates of interest charged with the fees must not exceed 25% per annum.

• On 30 July 2020, the BOT issued Notification of the Bank of Thailand No. FPG. 14/2563 Re: Prescription of Rules, Procedures and Conditions for Operating an Electronic System or Network Business for Peer-to-Peer Lending (Peer-to-Peer Lending Platform).13 The rules prescribed allow platform providers to operate a peer-



to-peer lending platform using their business as a channel or intermediary for credit financing through an electronic system or network. As of 28 September 2020, three peer-to-peer lending platform providers have been accepted into the BOT regulatory sandbox as test projects.14

Insurance Technology (InsurTech)Products in the InsurTech sector in Thailand are highly diversified, ranging from distribution channels and sales support to claim handling.15 Three key recent developments in InsurTech in Thailand include: the sale and issuance of insurance policies, including claim management through electronic channels; personalisation of insurance products with Big Data and AI; and regulatory and tools-based support from the OIC. • The sale, issuance, and claim management of insurance policies can be made through

electronic channels according to OIC Notification Re: Rules and Procedures For Insurance Policy Issuance, Insurance Policy Offering and Reimbursement of Money under Life Insurance Contracts using Electronic Methods B.E. 2560 (2017)16 and OIC Notification Re: Rules and Procedures For Insurance Policy Issuance, Insurance Policy Offering and Reimbursement or Indemnity Under an Insurance Contract using Electronic Methods B.E. 2560 (2017),17 both announced on 22 February 2017. Under these notifications, the sale and offering of both life and non-life insurance, the procedures accompanying such sales, the issuance of insurance policies, and reimbursement or indemnity thereunder can be made through online platforms in accordance with the Electronic Transaction Act of 2001. Note that insurance companies, brokers, and financial institutions must still comply with the OIC’s various announcements on operating an insurance business.

• Big Data and AI have been used by some InsurTech companies in Thailand to offer personalised insurance packages. For instance, Sunday, a Bangkok-based InsurTech start-up that uses AI to offer personalised insurance packages and develop risk prediction engines that help companies recommend and price health and motor coverage, has recently raised USD 9 million in a pre-series B bridge round as it is preparing for expansion to Indonesia. There are no specific regulations concerning the use of Big Data and AI in InsurTech in Thailand.

• The OIC offers regulatory and tools-based support for InsurTech companies in Thailand. With the OIC’s announcement on the Procedures to Participate in Insurance Regulatory Sandbox on 27 December 2019 to enforce its Guidelines for participating in an innovative testing project that brings technology to support services for insurance businesses (Insurance Regulatory Sandbox), previously announced on 24 May 2017, the OIC has opened the door for InsurTech companies to participate in an insurance regulatory sandbox with the OIC to test new insurance products, new ways of offering insurance products, new methodologies for claims management, smart contracts, and any other transactions approved by the OIC. The OIC itself has been developing digital tools for data analysis to track down fraudulent activities in the insurance system in an attempt to protect both the insured and insurer and has approved cybersecurity insurance policies to serve as risk management tools for FinTech companies.

Regulatory bodies

BOTAs the central bank of Thailand, the BOT has a variety of roles and responsibilities as determined by the Financial Institution Business Act of 2008 (FIBA). Those most relevant



to FinTech include establishing or supporting the establishment of payment systems and electronic clearing systems, and administering such systems for safety and efficiency, including the activities of non-banking institutions, and extend to areas such as e-payments, personal loans, and nano finance businesses, as well as the supervision, examination, and analysis of the financial status and performance and risk management systems of financial institutions in order to promote stability, including the typical services such as loans and deposits as well as regulations for e-banking and FinTech used by banks and non-banking institutions.18

SECThe SEC was established by the Securities and Exchange Act of 1992 as an independent state agency with the power and duty to promote and develop, as well as to supervise, matters concerning securities, securities businesses, the securities markets, the issuance or offering of securities for sale to the public, the acquisition of securities for business takeovers, and prevention of unfair securities trading practices.19 Of particular relevance to FinTech is that the SEC also regulates crowdfunding, digital asset business, and initial coin offerings (ICOs).OICThe OIC was established by the Insurance Commission Act of 2007 as an independent state agency with the power to lay down the policies for, and regulate, promote, and develop the undertaking of, insurance businesses.20 The OIC regulates the electronic means for issuing insurance, thereby facilitating the growth in the use of electronic platforms for digital insurers.


There is currently no FinTech-specific legislation in Thailand. Instead, the regulatory approach to FinTech is divided amongst the relevant regulators.BOTMobile and internet bankingThe BOT’s SorNorSor 3/2561 Re: Rules Regarding Service Channels of Commercial Banks governs the offering of products and services of banks through digital channels.21 In addition to compliance with general governance standards, banks offering products and services through digital channels and mobile banking applications must follow the governance standards for digital channels, which include risk management and consumer protection measures.Payment systemsThe Payment Systems Act of 2017 regulates electronic payment systems and services in Thailand.22 Electronic payment systems and services are divided into three areas:23

• Highly Important Payment Systems, which deal with the principal payment infrastructure of the country, such as the inter-bank large value funds transfer system (BAHTNET) and Imaged Cheque Clearing and Archive System (ICAS);

• Designated Payment Systems, which deal with payment systems that form the hub or network linking system users for the transfer, clearance or settlement of funds, such as retail funds transfer systems, payment card networks, and settlement systems; and

• Designated Payment Services, which deal with designated payment services for which business providers are required to either obtain a licence from the Ministry of Finance (MOF) (with advice from the BOT) or obtain registration directly from the BOT.24



These services include the provision of credit cards, debit cards, or ATM card services, provision of electronic money services, provision of services for receiving electronic payments for and on behalf of third parties, provision of services for transferring money by electronic means, and other provisions of payment services which may affect the financial system or public interest. According to the Notification of the Ministry of Finance Re: Stipulation on Designated Payment Services, business providers whose six-month average monthly balance of money received in advance is equal to 50 million baht or more and those who have passed the BOT regulatory sandbox and intend to provide services within the scope specified during the sandbox testing may obtain registration directly from the BOT instead of proceeding with the licensing requirements of the MOF.25

Regulatory sandbox for RegTechAccording to the Notification on Guidelines for Participation in Testing and Developing Innovations that Bring New Technology to Support Financial Services (Regulatory Sandbox) dated 15 March 2019,26 the BOT permits financial institutions, financial business group companies, and non-banking institutions under the supervision of the BOT as well as interested FinTech and technology firms to offer trial financial services within the scope of the BOT’s regulatory sandbox for a period not exceeding one year. The trial financial services to be offered in the regulatory sandbox must be (1) under the supervision of the BOT, (2) innovative, and (3) of the kind that can support the development of the infrastructure or overall standard of Thailand’s financial sector and on which the service provider needed to conduct joint testing, or when relevant laws require the testing of the services in the regulatory sandbox prior to usage by the public.Financial services providers who are not required by the above criteria to conduct or submit to testing may consult directly with the BOT to enter the regulatory sandbox or may arrange for a test in their own sandbox, subject to the financial services provider’s own supervision and risk management under the relevant laws. Examples of projects that have been trialed in the BOT’s regulatory sandbox include standardised QR codes for payments, biometrics – facial recognition for KYC and iris recognition, blockchain – letter of guarantee and cross-border transfer, machine learning – alternative credit-based lending, and standardised API to exchange information.27

QR code payments are now covered under the Policy Guidelines: Standardized Thai QR Code for Payment Transactions dated 17 April 2019.28 Usage of alternative data for credit analysis in the loan approval process is permitted under the Circular Re: Rules, Procedures and Conditions for the Undertaking of Digital Personal Loan Business dated 15 September 2020.29 Under the Guidelines for the Use of Biometric Technology for Financial Services dated 22 July 2020, financial services providers whose biometrics technology have passed the BOT’s regulatory sandbox test may use the biometric technology for the opening of personal deposit accounts, electronic financial services, and other similar transactions.30 However, the financial services providers must consult with the BOT prior to using other types of biometric technology. Peer-to-Peer lending platformsAccording to SorNorSor 4/2562 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer (P2P) Lending Platform Business, financial services providers looking to provide a peer-to-peer lending platform service must first be part of the BOT’s regulatory sandbox before applying for a licence from the BOT.31 Peer-to-peer lending is defined as lending



between lenders and borrowers through electronic systems or networks. The notification does not apply to financial institutions, including banks, although subsidiaries of banks that otherwise qualify under the notification can participate in the regulatory sandbox and apply for licensing. According to the notification, a peer-to-peer platform service provider must be a private or public company incorporated in Thailand, have paid-up capital of at least 5 million baht, have at least 75% of its total shares held by Thai citizens, and have qualified directors in terms of reputation, ability, and financial soundness. The notification also provides various qualifications for borrowers, who must be natural persons, and lenders participating in the peer-to-peer lending platform.SECThe Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) (Digital Asset Decree) and relevant notifications govern digital asset businesses and the public offering of digital tokens in Thailand.Digital Asset DecreeThe Digital Asset Decree covers two types of digital assets: cryptocurrencies; and digital tokens. A digital asset business refers to any of the following businesses: (1) digital asset exchange; (2) digital asset broker; (3) digital asset dealer; and (4) other businesses relating to digital assets as prescribed by the MOF on the recommendation of the SEC (including digital asset fund manager and digital asset advisor pursuant to the announcement on 19 October 2020).32 The decree also covers regulations concerning digital token portal services. Both digital asset business operators and digital token portal service providers are regarded as financial institutions and regulated under anti-money laundering laws. The Digital Asset Decree includes various provisions preventing unfair digital asset trading practices, with criminal and civil penalties. Digital business operators and digital token portal service (ICO Portal)Digital business operators, digital asset exchanges, digital asset brokers and digital asset dealers are subject to the licensing requirements of the MOF on the recommendation of the SEC.33 According to the Notification of the Ministry of Finance Re: Licensing of Digital Asset Businesses B.E 2561, a licence holder must be a company registered under Thai law and have paid-up registered capital in the amount designated by the SEC, which depends on the type of digital asset business, amongst other qualifications. Similarly, a digital token portal service provider (ICO Portal) is subject to the licensing requirements of the SEC.34 According to the Notification of the Securities and Exchange Commission No. KorJor. 16/2561 Re: Rules, Conditions and Approval Methods Digital Token Offering System Provider (Codified Edition) dated 3 July 2018, an ICO Portal licenCe holder must be a company registered under Thai law and have paid-up registered capital in the amount of 5 million baht, amongst other requirements.Digital business operators and ICO Portals are required to follow the rules, conditions, and procedures as notified by the SEC.35

As of 6 June 2021, the following cryptocurrencies are approved for business transactions conducted by digital business operators and ICO Portals: Bitcoin; Ethereum; Ripple; and Stellar.36

A current list of companies operating digital asset exchanges, digital asset brokers, digital asset dealers, and ICO Portals can be found on the SEC website.



Public offering of digital tokens (ICO issuers)According to the Digital Asset Decree, an issuer of digital tokens which intends to offer digital tokens to the public must be a limited company or a public limited company. The issuer must obtain the approval of the SEC Office and file a registration statement for the offering of digital tokens and a draft prospectus with the SEC.37

Offering of digital tokens may only be made through the SEC-approved ICO Portal,38 and offerors of digital tokens are required to submit reports concerning their business operations and financial condition, as well as any other information that may affect the rights of digital token holders or their investment decisions, to the SEC.39

Public fundraising and ESOPThere are many public fundraising options available for FinTech businesses in Thailand, including equity and debenture crowdfunding, ICOs, PP-SME offerings, public offerings through the Market for Alternative Investment (MAI), and public offerings through the Stock Exchange of Thailand (SET) – all of which are governed by the SEC. Equity and debenture crowdfunding are available for FinTech companies through crowdfunding portals.40 A FinTech company interested in offering securities through crowdfunding must be registered in Thailand, have clear business objectives and intend to use the money received from the offering to operate its business or pay off debts the company has incurred in order to conduct its business, and have no shares listed as securities on the SET. A FinTech company can raise funds through this crowdfunding channel from institutional investors with no limitation. However, a FinTech company can raise a maximum of 20 million baht from retail investors through this crowdfunding channel in a 12-month period after the initial offering and another 20 million baht (taking the total to 40 million baht) from investments thereafter. The SEC notes that 69 SMEs and start-ups are likely to access the crowdfunding platform in 2021, after the successful trial of three pilot projects.41

The SEC also permits the offering of Employee Stock Option Plans (ESOP) without the need to apply for an offer for sale of newly issued shares from the SEC. However, companies wishing to issue ESOPs must comply with the SEC’s ESPO Criteria, seek approval from their shareholders’ meetings for the transaction (the sale of securities must be completed within one year after the approval is granted), and submit an ESOP Checklist with the results of the sale to the SEC within 15 days from the transaction date.42

SEC regulatory sandboxThe SEC issued an announcement that came into effect on 16 August 2020, adding business types that can be included in its regulatory sandbox programme: • Intermediary group: securities business in the category of investment advisory and

private fund management, mutual fund management and Securities Borrowing and Lending (SBL), and derivatives business in the category of brokerage, trading, advisory and derivatives fund management (brokerage, stock trading, underwriting).

• KYC process group.• After-sales service group, i.e., securities clearing house, securities depository, securities

registrar and derivatives clearing house.• Product trading system service group, i.e., electronic trading platform (ETP) services

and securities trading centre and derivatives trading centre.43

OICElectronic offering of insurance policiesThe OIC issued two notifications in 2017 to recognise and regulate the electronic means of



issuing insurance policies, offering insurance policies, and reimbursement of money under life and non-life insurance contracts.44 The offering of insurance policies by electronic means can only be conducted by licensed insurance companies, insurance brokers, or banks which must continue to also follow applicable laws on insurance offerings, including the format for forms and insurance policies offered for sale by electronic means.45

In addition to following specific criteria under the legislation on electronic means for issuing insurance policies, offering insurance policies, reimbursement of money under a life and non-life insurance contract, and maintaining information security, the electronic means for issuing insurance policies, offering insurance policies and reimbursement of money under life and non-life insurance contracts must follow the Electronic Transaction Act (2001) and must not contravene anti-money laundering laws and other similar laws. Regulatory sandbox for InsurTechThe OIC issued a notification on the criteria, methods, and conditions for participating in its regulatory sandbox programme on 17 May 2021,46 which replaces notifications issued in 2019 and 2017.Examples of projects in the regulatory sandbox programme include: Prakan Kubdee, a vehicle insurance company in Thailand launched by MSIG and AIG Insurance Services that calculates premiums from information on real driving behaviour;47 and Fairdee, a digital insurance platform launched by Singapore-based Vouch Insurtech in partnership with six Thai insurers which seeks to promote safer driving and reduce insurance fraud.48

Data protection requirements

The Personal Data Protection Act of Thailand 2019 (PDPA) was promulgated to protect natural persons from the unauthorised or unlawful collection, use or disclosure of their personal data. The COVID-19 pandemic led the Thai Government to postpone the enforcement of most of the PDPA’s provisions to 1 June 2022, but the minimum security standards under the PDPA already apply, whereby data controllers must inform their staff and relevant parties of the importance of personal data protection, and certain data access safeguards must be implemented.Chief amongst the requirements of the PDPA is that any collection, usage, or disclosure of personal data must be conducted with either the data subject’s consent or on a lawful basis, and the Personal Data Protection Committee of Thailand must be notified of any data breach within 72 hours of the data controller having become aware of it. The PDPA applies to the collection, usage, or disclosure of personal data by any company that is either based in Thailand and/or based outside Thailand but is offering goods and services to data subjects who are in Thailand and/or monitoring data subjects’ behaviour that occurs in Thailand. A company that is based outside Thailand but falls within the jurisdiction of the PDPA is also required to appoint a representative in Thailand who is authorised to act on its behalf in respect of the collection, usage, or disclosure of personal data. Cross-border transfer of personal data requires a data controller to either obtain the consent of the data subject or ensure that the destination country or international organisation that receives the data has adequate data protection standards as determined by the committee (currently unspecified).Penalties for non-compliance with the PDPA include criminal and civil penalties. FinTech companies are also required to comply with the personal data protection rules issued by their respective regulatory authorities.



Patents

The Patent Act (1979) authorises the Department of Intellectual Property to issue a patent for an invention that is new, involves the use of inventive technology, and is capable of industrial application. An invention patent has a term of 20 years from the date of filing of the application, and grants the patentee(s) the exclusive right to produce, use, sell or have in their possession for sale the patented products or import the patented product(s) produced by the patented process into the country.49 Additionally, patentees are allowed to grant licences for their inventions to third parties and receive royalties therefrom.

Restrictions

Restrictions on the various types of FinTech businesses will depend on the licence or registration requirements involved, as discussed in the “Key regulations and regulatory approaches” section above. However, no types of FinTech products are prohibited outright in Thailand. There are strict controls on business operations by foreign entities in Thailand. Under the Foreign Business Act (1999), foreigners looking to start a FinTech business in Thailand must generally apply for a Foreign Business Licence from the Department of Business Development. Depending on the type of FinTech business involved, there may also be specific restrictions on the foreign shareholding of the licensees. For example, one of the BOT’s requirements for peer-to-peer lending platform providers is that at least 75% of the platform provider’s total shares must be held by Thai nationals.50 Foreign companies interested in participating in the BOT’s regulatory sandbox programme typically do so in partnership with local counterparts. Additionally, participation in the digital asset business by financial institutions is strictly monitored by the BOT under Guidelines on the Undertaking of Digital Asset Business by Financial Institutions and Companies Within the Financial Business Group of Financial Institutions (2018). While companies within financial business groups may engage in digital asset businesses, they are not allowed to be an ICO issuer or ICO Portal, undertake digital asset businesses (exchange, broker, or dealer), and cannot act as an advisor or solicit investment in digital assets from clients who are not institutional investors, ultra-high-net-worth investors or high-net-worth investors.51 Investment in and issuance of digital assets by commercial banks are only permitted by participating in the BOT’s regulatory sandbox programme with the objective of developing financial innovations to enhance the efficiency or quality of financial services for their customers.Finally, FinTech companies must also comply with anti-money laundering52 laws as well as laws countering the financing of terrorism,53 which may impose restrictions on the transfer of money and the handling of some financial accounts.


Cross-border paymentsVarious cross-border payment mechanisms were launched in the ASEAN region in 2020 and 2021.54

• The Monetary Authority of Singapore (MAS) and the BOT launched the linkage of Singapore’s PayNow and Thailand’s PromptPay real-time retail payment systems on 29 April 2021.

• Bank Negara Malaysia (BNM) has extended the cross-border link between Singapore’s PayNow and Thailand’s PromptPay to Malaysia’s DuitNow.55



• The State Bank of Vietnam (SBV) and the BOT jointly launched the first cross-border interoperable QR code payment linkage in early 202156 with at least one local Thai bank now offering cross-border QR payments between Thailand and Vietnam.57

• The National Bank of Cambodia and the BOT jointly launched the first cross-border interoperable QR code payment linkage between the two nations on 18 February 2020.58

• Additionally, the BOT has signed separate MOUs with the Bank of Lao PDR59 and the Central Bank of Myanmar60 with similar goals of enhancing the collaboration on financial innovation and payment services to promote more efficient and secure domestic and cross-border payments. The BOT and Bank of Lao PDR are working together to develop interoperable QR codes for payments and innovative real-time remittance to facilitate cross-border retail payment services between Lao PDR and Thailand.61

Various commercial banks in Thailand already accept payments by Alipay and WeChatPay,62 a popular initiative amongst Chinese shoppers in Thailand, and the first cross-border QR payment system with Japan was launched in 2019.63

E-Money services in foreign currenciesNon-bank operators of FinTech and digital money services have been able to apply for an FX e-Money licence from the BOT, permitting them to issue e-money in foreign currencies for customers to pay for cross-border goods and services, since 26 June 2020.64 Any non-bank operator wishing to apply for an FX e-Money licence must be a Thai entity with a minimum registered paid-up capital of 100 million baht and have an Electronic Money Service Business licence under the Payment Systems Act.

* * *

Endnotes1. https://www.researchgate.net/publication/337971279_Thailand_FinTech_Landscape_

Report_Sanitized_by_Global_Markets_EY_Knowledge.2. https://datareportal.com/reports/digital-2021-thailand#:~:text=The%20number%20

of%20internet%20users,at%2069.5%25%20in%20January%202021.3. World Bank’s Global Covid-19 FinTech Market Rapid Assessment Study.4. https://thaifintech.org/about.5. https://www.depa.or.th/en/about-depa/background.6. https://www.bangkokpost.com/thailand/general/1011321/e-payment-will-eliminate-

most-bank-transfer-fees; https://www.globaldata.com/thailands-national-e-payment-master-plan-has-opened-door-to-less-cash-economy-says-globaldata.

7. https://www.boi.go.th/index.php?page=incentive. https://www.boi.go.th/upload/content/BOI-A%20Guide_EN.pdf.

8. https://www.depa.or.th/en/smart-city-plan; https://opengovasia.com/thailand-to-collaborate-internationally-for-smart-city-tech.

9. https://www.crowdfundinsider.com/2020/11/169654-thailand-is-now-home-to-96-fintech-startups-including-crowdfunding-insurtech-remittance-payments-services-report; https://www.crowdfundinsider.com/2020/08/165542-digital-banking-competition-in-southeast-asia-should-intensify-as-theres-been-a-boom-in-fintech-investments-report; https://www.crowdfundinsider.com/2020/09/166880-asian-countries-like-india-indonesia-vietnam-thailand-have-one-of-the-fastest-growing-digital-asset-markets-report.

10. https://www.bot.or.th/Thai/DebtSecurities/Documents/DLT%20Scripless%20Bond.pdf; https://www.bot.or.th/English/PressandSpeeches/Press/2020/Pages/n5963.aspx.



11. https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2562/EngPDF/25620191.pdf.12. https://www.bot.or.th/English/PressandSpeeches/Press/2020/Pages/n6463.aspx.13. https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2563/EngPDF/25630186.pdf.14. https://www.bot.or.th/English/PaymentSystems/FinTech/Pages/P2PLendingSandbox.

aspx.15. https://www.oic.or.th/sites/default/files/content/87698/3-thailand-insurance.pdf.16. http://oiceservice.oic.or.th/document/Law/file/05079/05079_a4896511fce69a40b015c

81dd7eb02b7.pdf.17. http://oiceservice.oic.or.th/document/Law/file/05090/05090_914ba349ca43c3969d516

49e52e82c52.pdf.18. https://www.bot.or.th/English/AboutBOT/RolesAndHistory/pages/rolesandresponsibility.

aspx.19. Section 14 of the Securities and Exchange Act of 1992.20. Section 12 of the Insurance Commission Act of 2007.21. https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610086.pdf.22. https://www.bot.or.th/English/PaymentSystems/PSA_Oversight/Pages/default.aspx.23. https://www.bot.or.th/English/PaymentSystems/PSA_Oversight/Pages/RelatedLaws.

aspx.24. Notification of the Ministry of Finance Re: Stipulation on Designated Payment Services,

https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610194.pdf.25. https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2561/EngPDF/25610194.pdf.26. https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2562/ThaiPDF/25620036.pdf.27. https://www.bot.or.th/Thai/AboutBOT/Activities/Documents/MediaBriefing/

RegulatorySandbox.pdf.28. https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2562/ThaiPDF/25620084.pdf.29. https://www.bot.or.th/English/PressandSpeeches/Press/2020/Pages/n6463.aspx.30. https://www.bot.or.th/Thai/FIPCS/Documents/FOG/2563/ThaiPDF/25630177.pdf.31. http://www.ratchakitcha.soc.go.th/DATA/PDF/2562/E/106/T_0016.PDF.32. Notification of the Ministry of Finance Re: Prescribing Other Businesses Related to

Digital Assets to become an additional digital asset business. 19 October 2020. 33. Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) Section 27. The

Notification of the Ministry of Finance regarding licensing of digital asset businesses B.E 2561.

34. https://www.sec.or.th/th/pages/lawandregulations/icoportal.aspx.35. The Notification of the Securities and Exchange Commission No. GorThor. 19/2561

Re: Rules, Conditions and Procedures for Undertaking Digital Asset Businesses.36. Announcement of the SEC Office No. SorJor. 12/2562 regarding the list of cryptocurrencies

announced by the SEC Office (No. 2), https://publish.sec.or.th/nrs/7998s.pdf.37. Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) Section 17.38. Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) Section 19.39. Emergency Decree on Digital Asset Businesses B.E. 2561 (2018) Section 19.40. Crowdfunding Notification TorJor. 21/2562 12 April 2019 Capital Market Supervisory

Board (CMSB), amended by TorJor. 14/2563 (No.2) in March 2020.41. https://www.bangkokpost.com/business/2036615/sec-gauges-69-smes-for-crowdfunding.42. https://www.sec.or.th/TH/pages/lawandregulations/employeestockoptionprogram.

aspx.43. https://www.sec.or.th/TH/Pages/News_Detail.aspx?SECID=8343.44. OIC Notification Re: Rules and Procedures for Insurance Policy Issuance, Insurance



Policy Offering and Reimbursement of Money under the Life Insurance contract Using Electronic Methods (2017). OIC Notification Re: Rules and Procedures for Insurance Policy Issuance, Insurance Policy Offering and Reimbursement of Money under a Non-Life Insurance Contract Using Electronic Methods (2017).

45. Registrar’s Order No. 56/2560 Re: Rules for Approval, Forms, and Insurance Policy Messages and the Premium Rates Offered for Sale Via Electronic for Non-Life Insurance Companies. Registrar’s Order No. 53/2560 Re: Criteria for Approval, Form and Insurance Policy Message of Life Insurance Policy Offering for Sale or Issue of Insurance Policy Using Electronic Means of Ordinary Type with Installment Premium Payment or A Standard One-Time Premium Payment for Life Insurance Companies.

46. OIC Notification: Criteria, Methods and Conditions for Participating in Innovation Testing Projects that Bring Technology to Support Services for Insurance Business (Insurance Regulatory Sandbox) (2021), http://oiceservice.oic.or.th/document/Law/file/12499/12499_27c05a5508bb7d9beb39685f61078222.pdf.

47. https://investor.ais.co.th/news.html/id/822982/group/newsroom_press.48. https://www.insurancebusinessmag.com/asia/news/breaking-news/singaporebased-

insurtech-launches-in-thailand-106372.aspx.49. Section 36 of the Patent Act (1979).50. SorNorSor 4/2562 Re: Rules, Procedures and Conditions for Undertaking Peer to Peer

(P2P) Lending Platform Business.51. No. BOT.RPD(23)C. 1759/2561 Re: Guidelines on the Undertaking of Digital Asset

Business by Financial Institutions and Companies Within the Financial Business Group of Financial Institutions.

52. Anti-Money Laundering Act 1999.53. Counter-Financing of Terrorism and Dissemination of Weapons of Mass Destruction

B.E. 2559. 54. https://internationalfinance.com/thailand-introduce-qr-code-cross-border-payments-

asean.55. https://www.bangkokpost.com/business/2134811/promptpay-now-linked-to-duitnow.56. https://internationalfinance.com/thailand-vietnam-launch-qr-code-facilitate-cross-

border-transactions.57. https://www.bangkokpost.com/business/2090595/bbl-to-offer-cross-border-qr-

payment-with-vietnam.58. https://www.bot.or.th/English/PressandSpeeches/Press/2020/Pages/n0963.aspx.59. https://www.bot.or.th/English/PressandSpeeches/Press/2019/Pages/n2262.aspx.60. https://www.bot.or.th/English/PressandSpeeches/Press/2019/Pages/n6062.aspx.61. https://www.bot.or.th/English/PressandSpeeches/Press/2019/Pages/n2262.aspx.62. https://www.bangkokbank.com/en/Business-Banking/Manage-My-Business/Merchant-

Services/AliPay-WeChatPay; https://www.kasikornbank.com/th/business/sme/digital-banking/kplusshop/functions/manage/Pages/apply-alipay.html; https://www.scb.co.th/th/personal-banking/payment/for-merchant/mae-manee-app/alipay-wechat-onboarding.html.

63. nationthailand.com/business/30395933; https://www.krungsri.com/bank/en/Newsand Activities/Krungsri-Banking-News/thai-qr-code-payment-in-japan.html.

64. https://www.bot.or.th/English/PressandSpeeches/Press/2020/Pages/n3563.aspx.

Sappawit JansuparergTel: +66 2 264 8000 / Email: [email protected] Jansuparerg is a senior associate in the regulatory practice group at Weerawong C&P. His practice crosses a broad range of industries and disciplines, including representing issuers and investment banks in public offerings and private placements of equity and debt securities. Sappawit also advises public and private companies in a wide array of strategic transactions, including mergers, acquisitions, joint ventures and corporate restructurings as well corporate and commercial matters. In addition to his substantial experience in the telecommunications industry, Sappawit has also represented companies across a broad range of industries, including technology, private equity, venture capital, manufacturing, medical and transportation.

Thaya UthayophasTel: +66 2 264 8000 / Email:[email protected] Uthayophas is an associate in the banking and finance practice group at Weerawong C&P. He also has experience in corporate-commercial matters and projects. Thaya is the Secretariat of Clear & Create, a registered pro bono legal aid foundation founded by Weerawong C&P. Clear & Create advises and assists start-ups and next-generation social enterprises to clear legal hurdles and create solutions for their establishment, legal compliance, data protection, third-party agreements, partnership and investor agreements, tax, intellectual property, and general liability matters.

Weerawong, Chinnavat & Partners Ltd.22nd Floor, Mercury Tower, 540 Ploenchit Road, Lumpini, Pathumwan, Bangkok 10110, Thailand

Tel: +66 2 264 8000 / Fax: +66 2 657 2222 / URL: www.weerawongcp.com



United KingdomIan Mason, Sushil Kuner & Samantha Holland

Gowling WLG (UK) LLP



“FinTech” is the use of technology to facilitate financial services. The UK FinTech industry is reaching higher levels of investment than ever before, with the UK accounting for the majority of European FinTech transactions in 2020. Such investment is changing conventional standards regarding investment, particularly as the majority of recent investments were driven by the investees rather than the investors. Investors for many years have been making equity investments in technology companies with high potential in the future, but now the market is witnessing more businesses with sought-after products that are actively going to the market. FinTech is also now drawing more innovative methods of investment. Particularly in the past few years, crowdfunding has been becoming a more established type of financing whereby individuals can invest in companies not listed on stock exchanges. This trend is likely to continue in the foreseeable future and we expect to see more companies that have gone through fundraising in this way making profitable returns to investors on exits, such as initial public offerings (“IPOs”), share sales and asset sales.One of the most interesting developments as a result of FinTech, however, will be the “Uber-isation” of the UK financial services industry from its traditional UK home in the City of London, and the development of other major regional digital hubs. The UK Government has recognised the importance of FinTech as a key industry, announcing a new Financial Conduct Authority (“FCA”) “scale box” and Centre for Finance, Innovation and Technology to boost growth, a central bank digital currency taskforce, support for new technologies and infrastructures and additional plans for capital markets reform to enhance an open and dynamic FinTech market in the UK. There are currently over 2,100 FinTech companies in the UK, a figure which is expected to at least double within the next 10 years.In February 2021, the Kalifa Review of UK FinTech made a number of recommendations to promote the UK as a FinTech centre, which the Government is considering.1

The UK FinTech offering

There are many key ways in which the technologies, applications and methods of financial services companies are disrupting traditional financial services markets. The use of blockchain and cryptocurrencies may speed up transactions. Permissioned blockchain, in which access is granted or prevented by those who administer it, has great potential. Several organisations are experimenting with such technology, particularly relating to digital currency payments. Smart contracts, which are also known as “programmable money”, have the ability to dramatically change transaction and insurance processes, by creating blocks based on conditions where transactions are executed, provided that specified conditions are met.

Gowling WLG (UK) LLP United Kingdom



RegTechRegTech involves the use of technology to meet regulatory requirements in a more rapid and effective way than current systems. The use of automation and artificial intelligence (“AI”) can minimise the risk of human error and simplify standard processes, reducing cost and time involved. There are already a number of established use cases for RegTech. European and UK anti-money laundering (“AML”) provisions require financial institutions (and others, such as law firms) to carry out identity verification, AML and counter-terrorism financing (see below), anti-fraud and Know Your Customer (“KYC”) checks as part of customer due diligence (“CDD”) when taking on new clients. RegTech solutions can automate the verification to reduce the manual input required. The use of biometrics is also increasing in this area.Regulatory reporting such as standardised returns is another good use case for RegTech. RegTech has also been used in customer-facing applications, such as “robo-advice” services, where customers answer standardised questions on their investment objectives and risk profile (among others), which inform the recommendation of an investment portfolio. The FCA has raised some regulatory concerns on pure auto-advice services, and has emphasised that automated investment services must meet the same regulatory standards as traditional discretionary or advisory services. However, one of the major uses of RegTech has been in the launch of Open Banking. This allows banks to provide access to customers’ data through third-party providers (“TPP”), using a secure application programme interface (“API”). Regulatory changes such as the implementation of the Payment Services Directive (“PSD 2”) have made this possible. The UK regulators have been keen to encourage innovation and the use of technology in financial services with the FCA Innovation Hub and Regulatory Sandbox (see below). The FCA is also one of the regulators involved in creating a global sandbox under the Global Financial Innovation Network (“GFIN”) (see below).The FCA is considering how it can itself use RegTech and it has recently replaced its previous Gabriel system with a new platform for collecting firms’ data. In the FCA’s Business Plan for 2020/21, it emphasised the increased use of data, investing in technology and AI. InsurTechA rise in InsurTechs and the increased use of technology by incumbent insurers has had a transformative effect on the UK insurance industry, impacting every aspect of the insurance value chain. Smart devices and the Internet of Things (“IoT”) have led to a rise in usage-based insurance, often on a peer-to-peer platform. Chat bots and machine learning are transforming sales and distribution channels. Big Data, telematics and AI allow for granular analysis of risk with more accurate pricing models, tailored products and a better customer experience. Distributed ledger technology (“DLT”) allows for greater efficiency in data-sharing, improved fraud detection and better regulatory compliance. Smart contracts are transforming claims handling automatic pay-outs on the occurrence of an event without the policyholder ever having to make a claim. The COVID-19 global pandemic has only accelerated the pace of change with an increased focus on digitalisation and improving online customer online experience as more people work and shop at home through mobile apps and online. There has been particular focus on the online purchase of insurance through digital platforms and paperless claims processing



with greater opportunities for B2B insurtechs who are able to partner with incumbents to improve aspects of the insurance value chain. In the UK, the insurance sector is regulated by the FCA and the Prudential Regulation Authority (the “PRA”), whilst regulatory disputes between consumers and insurers or insurance intermediaries are determined by the Financial Ombudsman Service (“FOS”). The law on insurance contracts in England and Wales is principally governed by the Insurance Act 2015 (the “Insurance Act”), which is interpreted and applied by the English courts. New insurance technology presents some legal and regulatory challenges:• In the UK, an insurance contract is a contract of good faith and the Insurance Act sets

out certain requirements around pre-contractual disclosure. An insured must give fair presentation of the risk but is not required to disclose information known to the insurer. The use of Big Data and telematics to underwrite risk has the potential to blur the lines around insurer knowledge, whilst the increased robotisation of distribution channels allows the insured to take a passive role in the disclosure process. This could undermine an insurer’s ability to defend claims for breach of the duty of fair presentation.

• The use of AI and machine learning to analyse risk gives rise to concerns on data privacy, cybersecurity, fairness and discrimination. In September 2016, the FCA raised concerns that the micro-analysis of risk through the use of technology could lead to a new group of “uninsurables”. The FCA also warned that insurers could leverage the data to charge higher premiums unreflective of the risk. The FCA committed to intervene if either scenario became a reality.

• There are a number of features of blockchain and smart contracts which are at odds with insurance law and regulation. In particular, the immutable nature of DLT gives rise to obvious data protection issues and conflicts directly with the “right to be forgotten” in the UK General Data Protection Regulation (“UK GDPR”). The automation of claims through a smart contract may also make it difficult for an insurer to demonstrate to the FOS or the courts that its refusal to pay a claim was appropriate.

These legal and regulatory considerations have led to increased scrutiny by the FCA into the use of technology in the insurance value chain. Whilst this could give rise to the potential for increased regulatory intervention, the FCA has instead adopted an open-house approach providing advice and support to InsurTechs through its Innovation Hub and Advice Unit; and its sandbox has provided a safe space for a number of InsurTechs to test out their products in a supportive regulatory setting. Nevertheless, we can expect the FCA to continue to keep a close eye on technological developments in the insurance sector as well as further guidance from industry bodies, such as the Association of British Insurers (“ABI”) and the British Insurance Brokers Association (“BIBA”), and from the English courts as they struggle to apply the existing statutory framework to non-traditional insurance products.

Regulatory bodies

In the UK, there is no single regulatory framework which governs FinTech. FinTech firms which carry on certain regulated activities2 (including, for example, consumer credit-related activities, banking, advising on investments, insurance distribution, etc.) will fall within the regulatory perimeter, unless an exemption applies, and will need to be authorised and regulated by one or more of the following bodies:• the FCA – the FCA’s key focus is on the risks posed by the conduct of financial services

firms, and the individuals which work for them, to its three statutory objectives: protecting consumers; ensuring market integrity; and promoting effective competition.



Any firm which carries on regulated activities by way of business in the UK will need to be authorised and regulated by the FCA; and

• the Bank of England (“BoE”) – the BoE, through the PRA, aims to ensure the financial soundness of firms and seeks to remove or reduce systemic risks that may threaten market stability. While the FCA focuses on conduct risk, the PRA focuses on the prudential soundness of firms.

In the UK, it is a criminal offence to carry on regulated activities by way of business (unless an exemption applies) without first obtaining authorisation from the FCA and, if applicable, the PRA.


The Financial Services and Markets Act 2000 (“FSMA”) establishes the FCA and the PRA as the statutory regulators of UK financial services businesses. The FCA and PRA rulebooks are extensive. FinTech firms will need to consider whether their activities require authorisation, and comply with the relevant provisions and rules. A failure to comply could result in enforcement action being taken by the FCA and/or the PRA and penalties include significant fines and, in cases involving individuals, potential prohibitions from working in the industry. While, generally, the FCA’s and PRA’s rules are technology neutral, the rise in the number of FinTech firms in recent years has led to two important regulatory developments: the first has been in the form of greater clarity on the regulatory approach to cryptoassets; and the second is in the form of recent changes in the UK’s AML regime.In general terms though, the UK financial regulators and policy makers are very receptive to FinTech.

Restrictions

While the FCA, the PRA and HM Treasury (“HMT”) are embracing FinTech to further competition in the interest of UK consumers and the UK economy as a whole, they are also taking certain precautionary steps as outlined below. Regulatory approach to cryptoassetsIn March 2018, the Government launched the Cryptoassets Taskforce (“the Taskforce”) in response to the significant attention being given to DLT and the growth of cryptoassets. The Taskforce concluded that DLT has the potential to deliver significant benefits in financial services and other sectors. However, they warned that the regulators would take action to mitigate the risks that cryptoassets can pose to consumers and market integrity: to prevent the use of cryptoassets being used for illicit activity; to guard against the threats to financial stability that could emerge in the future; and to encourage responsible development of legitimate DLT and cryptoasset-related activity in the UK. Clarity on the regulatory perimeterIn July 2019, the FCA published its Final Guidance on Cryptoassets3 to help firms understand whether, and the extent to which, their cryptoasset activities fall under FCA regulation (“the Guidance”). The Guidance clarifies where different categories of cryptoasset tokens fall within the FCA’s regulatory perimeter. Activities that fall within the regulatory perimeter are regulated and require authorisation from the FCA – and in limited circumstances the PRA – before they can be carried out. Carrying out regulated activities without the relevant authorisations may constitute a criminal offence.



The FCA has categorised cryptoassets into three types of tokens. Whether a cryptoasset falls within the regulatory perimeter should always be considered on a case-by-case basis, with regard to a number of different factors.Regulated tokensThese are tokens that are regulated by the FCA and generally comprise “security tokens” and “e-money tokens”. Security tokensSecurity tokens include specific characteristics that bring them within the definition of a “specified investment”,4 such as a share or a debt instrument, falling within the regulatory perimeter. They include tokens that grant holders some, or all, of the rights conferred on shareholders or debt-holders, as well as those tokens that give rights to other tokens that are themselves specified investments. The FCA considers a security to refer broadly to an instrument that indicates an ownership position in an entity, a creditor relationship with an entity, or other rights to ownership or profit. Security tokens are securities because they grant certain rights associated with traditional securities.FinTech firms which carry on a regulated activity involving security tokens will need to ensure that they are appropriately authorised or exempt. Issuers of such tokens may themselves not need to be authorised; however, certain requirements related to the issuance of the tokens may still apply – for example, prospectus and transparency requirements. Market participants should also be aware of the FCA’s financial promotions regime (see below).Factors to consider when determining if a token is a security tokenGiven the complexity of many tokens, the FCA has recognised that it is not always easy to determine whether a token is a specified investment. The FCA has, therefore, set out a non-exhaustive list of factors that it considers are indicative of a security to assist firms in determining whether or not they are undertaking regulated activities:• the contractual rights and obligations the token-holder has by virtue of holding or

owning that cryptoasset;• any contractual entitlement to profit-share (e.g. dividends), revenues, or other payment

or benefit of any kind;• any contractual entitlement to ownership in, or control of, the token issuer or other

relevant person (e.g. voting rights);• the language used in relevant documentation (e.g. white papers). However, the FCA

has made clear that if a white paper declares a token to be a utility token, but the characteristics of the token indicate it is a specified investment, the FCA would treat it as a security token;

• whether the token is transferable and tradeable on cryptoasset exchanges or any other type of exchange or market;

• whether there is a flow of payment from the issuer or other relevant party to token-holders; and

• whether any flow of payment is a contractual entitlement – the FCA has made clear that it would consider this to be a strong indication that a token is a security.

E-money tokensThese are a form of regulated token, but have been given their own categorisation. They are tokens that meet the definition of electronic money in the E-Money Regulations 2011 (“EMRs”). They are subject to the EMRs and firms must ensure that they have the correct permissions and follow the relevant rules and regulations. E-money is defined in the EMRs as:



a) electronically stored monetary value that represents a claim on the issuer;b) issued on receipt of funds for the purpose of making payment transactions;c) accepted by a person other than the issuer; andd) not excluded from the definition of e-money in the EMRs.E-money must enable users to make payment transactions with third parties, so must be accepted by more parties than just the issuer. Due to the fact that they are not usually centrally issued on the receipt of funds, nor do they represent a claim against an issuer, exchange tokens like Bitcoin and Ether are unlikely to represent e-money. Unregulated tokensUnregulated tokens are those that do not provide rights of obligations akin to specified investments like shares, debt securities and e-money. These tokens include exchange tokens and utility tokens, which can be centrally issued, decentralised, primarily used as a means of exchange, or grant access to a current or prospective product or service. They may be used in one or many networks or ecosystems and can be fully transferable or have restricted transferability. The key point is that any token that is not a security token or an e-money token is likely to be an unregulated token. Exchange tokensExchange tokens are not issued or backed by any central authority and are intended to be designed to be used as a means of exchange. These tokens can enable the buying as well as selling of goods and services without the need for traditional intermediaries, such as central or commercial banks (e.g. on a peer-to-peer basis).Exchange tokens are used in a way similar to traditional fiat currency. However, while exchange tokens can be used as a means of exchange, they are not currently recognised as legal tender in the United Kingdom, and are therefore not considered to be “currency” or “money” within the UK regulatory framework. Due to the fact that they tend to be decentralised, with no central issuer obliged to honour contractual rights, the FCA’s view is that they do not typically grant the holder any of the rights associated with “specified investments”.As such, the FCA has confirmed that exchange tokens generally fall outside of the regulatory perimeter. Therefore, transferring, buying and selling these types of token, including the commercial operation of cryptoasset exchanges for exchange tokens, are activities not currently regulated by the FCA. However, they may be caught by the UK’s AML regime.Utility tokensUtility tokens provide holders with access to a current or prospective product or service but do not grant holders rights that are the same as those granted by specified investments. They may have similarities with rewards-based crowdfunding where participants contribute funds to a project in exchange for a reward; for example, access to products or services at a discount.The FCA has stated that, much like exchange tokens, utility tokens can usually be traded on the secondary markets and can be used for speculative investment purposes. However, this does not mean these tokens constitute specified investments.Although utility tokens do not typically exhibit features of specified investments, they could still require FCA authorisation if they constitute “e-money”.Key considerations for FinTech firmsIrrespective of the type of token being issued, firms should consider whether their tokens



are being used to facilitate payment services. If they are, then this will likely need the appropriate authorisation under the Payment Services Regulations 2017 (“PSRs”), unless an exemption under the PSRs applies.Firms which engage in any activity by way of business in the UK that relates to a security token or an e-money token should consider whether those activities require authorisation.If a token is a transferable security and will either be offered to the public in the UK or admitted to trading on a regulated market, an issuer will need to publish a prospectus in accordance with the UK’s Prospectus Regime unless an exemption applies.If activities fall within the FCA’s regulatory perimeter, FinTech firms should consider, in particular:• the application of financial promotion rules, including ensuring communications are

marketed in a way that is clear, fair and not misleading;• the application of the Prospectus Regime;• the application of relevant financial crime controls; and• operational resilience and cybersecurity issues – cryptoassets are now regarded as

high-value targets for theft, and service providers (e.g. custodians/wallet providers) are increasingly being targeted by cybercriminals to obtain the private keys that enable consumers to access and transfer their cryptoassets.

The UK’s AML regimeThe UK’s AML regime relating to financial services is largely embodied within the Proceeds of Crime Act 2002 (“POCA”) and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (“the MLRs”). The various offences are found in POCA and criminalise both the process of overt money laundering as well as the failure of otherwise legitimate businesses to report suspicions of money laundering.The MLRs generally support the money laundering provisions in POCA. They place a general obligation on certain firms, including financial services firms, to establish and maintain appropriate and proportionate risk-based policies and procedures to prevent and detect situations where their systems may be at risk of being used in connection with money laundering. A failure to comply with the MLRs may constitute a criminal offence.The EU’s Fourth Money Laundering Directive ((EU) 2015/849) (“4MLD”) and the Fifth Anti-Money Laundering Directive of the European Parliament and of the Council (Directive (EU) 2018/843)5 (“5MLD”) introduced further European AML regulation. 5MLD extended European AML regimes to virtual currencies. Member States were obliged to implement these new requirements through national legislation by 10 January 2020, which the UK has done through amendment to the MLRs.5MLD marks a key development in cryptoasset regulation, and has widened the scope of 4MLD to include cryptoasset exchange providers and custodian wallet providers. The MLRs, like 5MLD, introduce new AML obligations for cryptoasset exchange providers and custodian wallet providers. However, the amended MLRs define each of these terms and attempt to clarify that a broader definition applies to each.Cryptoasset exchange providersThese are firms or sole practitioners who by way of business provide one or more of the following services, including where the firm or sole practitioner does so as creator or issuer or any of the cryptoassets involved, when providing such services:• exchanging, or arranging or making arrangements with a view to the exchange of,

cryptoassets for money or money for cryptoassets;



• exchanging, or arranging or making arrangements with a view to the exchange of one cryptoasset for another; or

• operating a machine that utilises automated processes to exchange cryptoassets for money or money for cryptoassets.

Custodian wallet providersThese are firms or sole practitioners who by way of business provide services to safeguard, or to safeguard and administer:• cryptoassets on behalf of their customers; or• private cryptographic keys on behalf of their customers in order to hold, store and

transfer cryptoassets, when providing such services.For the purpose of the MLRs, “cryptoasset” is defined as “a cryptographically secured digital representation of value or contractual rights that was a form of distributed ledger technology and can be transferred, stored or traded electronically”.Therefore, the following types of cryptoasset activities would likely fall within scope of the MLRs:• cryptoasset exchange providers that exchange fiat currency for a cryptoasset (or vice

versa) or exchange one cryptoasset for another cryptoasset;• cryptoasset automated teller machines (“ATMs”) – these are physical kiosks that allow

users to exchange cryptoassets and fiat currencies;• custodian wallet providers – these look after customers’ tokens in their information

technology systems or servers and may administer or transfer tokens on behalf of customers;

• peer-to-peer providers – these provide an online marketplace that facilitates the exchange of fiat currencies and cryptoassets between prospective buyers and sellers; and

• issuers or new cryptoassets (e.g. in an Initial Coin Offering or Initial Exchange Offering) – these are businesses that sell a cryptoasset, which is either promoted or sold as a new type of cryptoasset or one that will become useable in the future, in exchange for fiat currency.

From 10 January 2020, cryptoasset exchange and cryptoasset wallet providers were obliged to comply with the MLRs’ requirements in respect of CDD measures, risk assessments and reporting suspicious activity. They would also be expected to have regard to the Joint Money Laundering Steering Group (“JMSLG”) Guidance in ensuring compliance with the MLRs. Both types of cryptoasset business now need to be registered with the FCA for AML purposes, as the FCA is the supervisor for relevant cryptoasset businesses under the MLRs. New cryptoasset businesses that intend to carry on a cryptoasset activity must register with the FCA before they can carry out that activity, while existing businesses, which were already carrying on cryptoasset activity before 10 January 2020, may continue their business if they registered with the FCA under its Temporary Registration Regime and provided they act in compliance with the MLRs, but must be registered with the FCA by 31 March 2022 or stop all cryptoasset activity altogether. Once registered, these businesses will be subject to ongoing reporting regulatory requirements.

Planned enhancements to the UK cryptoasset regulatory regime

Since the formation of the Taskforce in 2018, the cryptoasset landscape has changed significantly. There has been a meteoric rise in the number of “stablecoins”, which are essentially tokens whose value the issuers have attempted to stabilise using a variety of mechanisms.



In January 2021, HMT published a consultation paper outlining the UK's proposed regulatory approach to cryptoassets and stablecoins.6 It recognised that stablecoins could pave the way for faster, cheaper payments, and that DLT could have significant benefits for capital markets, potentially fundamentally changing the way they operate. However, it also recognised that in a rapidly evolving landscape, these developments could pose a range of risks to consumers and, depending on their uptake, to the stability of the financial system. Accordingly, HMT proposed incremental regulatory adjustments to the current framework, bringing within the scope of regulation some currently unregulated cryptoassets. HMT has indicated that initially the use of unregulated tokens and associated activities primarily used for speculative investment purposes, such as Bitcoin, could remain outside of the regulatory perimeter for conduct and prudential purposes. However, they could potentially be subject to more stringent regulation in relation to the UK’s financial promotions regime, pending any longer-term policy changes which may make them subject to regulation in future. HMT proposes to introduce a regulatory regime for stablecoins used as a means of payment. This would cover firms issuing stablecoins and firms providing services in relation to them, either directly or indirectly to consumers. In particular, the Government is proposing to ensure that cryptoassets which could be reliably used for retail or wholesale transactions are subject to minimum requirements and protections as part of a UK authorisation regime. In July 2020, HMT also proposed expanding the perimeter of the FCA’s financial promotions regime in order to enhance consumer protection.7 The financial promotions regime is set out in the FSMA. It is an offence under section 21 FSMA for a person to, in the course of business, communicate an invitation or inducement to engage in investment activity unless that person is authorised, the communication has been approved by an authorised person, or the financial promotion is exempt (“the Financial Promotion Restriction”). HMT has proposed expanding the definition of “controlled activity” and “controlled investment” within the definition of investment activity.Investment activity is defined as:• entering, or offering to enter into, an agreement, the making or performance of which

by either party is a “controlled activity”; or• exercising any rights conferred by a “controlled investment” to acquire, dispose of,

underwrite or convert a controlled investment.Controlled investments and controlled activities are set out in the FSMA (Financial Promotions) Order 2005 (“the FPO”). HMT has proposed adding qualifying cryptoassets to the list of controlled investments in the FPO, meaning that the Financial Promotion Restriction would apply to any inducement or invitation to exercise any rights conferred by qualifying cryptoassets to acquire, dispose of, underwrite or convert the same. Under HMT’s proposals, a “qualifying cryptoasset” would be defined as “any cryptographically secured digital representation of value or contractual rights that uses a form of DLT and which – a) is fungible;b) is transferable or confers transferable rights, or is promoted as being transferable or

as conferring transferable rights;c) is not any other controlled investment as described in this Part;d) is not electronic money within the meaning given in the EMRs; ande) is not currency issued by a central bank or other public authority.”This definition would therefore exclude cryptoassets that are security tokens which are already “controlled investments” under the FPO and so are carved out from the above



definition. Limb (d) also excludes e-money tokens which are already regulated under the EMRs. The majority of stablecoins would either already be in scope of the FPO, as security tokens or e-money tokens, or would be caught under this new category of controlled investment.HMT has also proposed amending the following controlled activities, for the purposes of the Financial Promotion Restriction, so that they incorporate activities in relation to the buying, selling, subscribing for or underwriting of qualifying cryptoassets (as defined above):• dealing in securities and contractually based investments;• arranging deals in investments;• managing investments;• advising on investments; and• agreeing to carry on specified kinds of activity.


Cross-border FinTech investment in 2020 reduced by 9% from 2019 levels (mainly due to the pandemic), but there are signs of a sharp upturn in the market because of large amounts of available capital and a willingness to invest. There has been an increasing focus on M&A, which is reaching high levels. In 2021, we have seen the following trends: • The UK remained the leading investment destination in Europe (accounting for the

majority of all European FinTech funding), but moderate growth continued throughout the continent.

• The USA continued to drive investment in North and South America, although Canada and Brazil also saw transactions reach high levels.

• The most significant growth was seen in Asia, especially in India, China and Singapore, which have been leading destinations for innovation, with skilled personnel driven by greater governmental investment in research & development and global expansion.

• Cross-border transactions remained very high, with the first quarter of 2021 being the largest funding quarter on record.

Co-operation between regulators – the GFINGiven the increasing number of FinTech firms which were seeking to offer cross-border solutions to customers, in early 2018, the FCA proposed the creation of a global version of its Regulatory Sandbox. After a period of consultation with industry, the GFIN was formally launched in January 2019 by an international group of 35 financial regulators and related organisations, including the FCA, all of which are committed to supporting financial innovation in the interests of consumers. The GFIN has since expanded to be a network of 50 organisations. The GFIN aims to provide a more efficient way for innovative firms to interact with regulators, helping them to navigate between countries as they look to scale their businesses.

* * *

Endnotes1. The Kalifa Review of UK FinTech (https://www.gov.uk/government/publications/the-

kalifa-review-of-uk-fintech).2. Regulated activities are specified by the Financial Services and Markets Act 2000

(Regulated Activities) Order 2001.3. FCA Final Guidance on Cryptoassets (PS 19/22) dated July 2019.4. Any of the investments specified in Part III of the Financial Services and Markets Act

2000 (Regulated Activities) Order 2001 (SI 2001/544).



5. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018L0843.6. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_

data/file/950206/HM_Treasury_Cryptoasset_and_Stablecoin_consultation.pdf.7. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_

data/file/902891/Cryptoasset_promotions_consultation.pdf.

* * *

Acknowledgment

The authors would like to thank David Brennan for his contribution to this chapter.David is a Partner in the Corporate Team and Co-Chair of the firm’s Global Tech Group. His practice focuses on both equity capital markets and public and private mergers and acquisitions. He has advised both issuers and sponsors on numerous IPOs and secondary fundraisings (including placings, open offers and rights issues), particularly of AIM and dual-listed companies. He has considerable experience advising on public takeovers, private acquisitions and disposals and international joint ventures in various sectors, but with a particular emphasis on tech.

Ian MasonTel: +44 20 7759 6685 / Email: [email protected] is a Partner, Head of UK Financial Services Regulatory Team, and Joint Head of UK Financial Services Sector at Gowling WLG.Ian has more than 20 years’ experience advising clients on financial services regulation, and is a former Head of Department in the Enforcement Division at the UK financial services regulator, as well as having worked in-house, and advising firms and individuals in private practice. Ian has been involved in advising a number of FinTech clients on regulatory issues, including regulatory perimeter advice, AML provisions, payment services and e-money. His clients include banks, asset managers, payments services firms, brokers and listed companies. Ian has significant experience in advising clients on regulatory investigations, both in enforcement and on the defence side, representing firms and individuals.

Sushil KunerTel: +44 20 7759 6542 / Email: [email protected] is a Principal Associate in the Financial Services Regulatory Team at Gowling WLG.Sushil joined Gowling WLG in July 2018, having spent eight years working within the Supervision and Enforcement Divisions of the FCA. She has a wealth of regulatory experience across a broad range of contentious and non-contentious issues, offering clients a holistic approach to regulatory compliance and the ability to spot risks before they arise. She advises on all aspects of financial services regulatory law and has a particular interest in FinTech, advising a number of clients on regulatory considerations for ICOs, blockchain and cryptoassets since joining. Sushil has been recognised as a key lawyer for Financial Services Regulation and FinTech in the 2021 The Legal 500 UK rankings and has appeared as a commentator in the mainstream media, including in The Telegraph and The Guardian. She also regularly represents the firm as a panel speaker at a various FinTech conferences and has authored numerous articles on key regulatory issues impacting FinTech companies.

Gowling WLG (UK) LLP4 More London Riverside, London SE1 2AU, United Kingdom

Tel: +44 37 0903 1000 / Fax: +44 37 0904 1099 / URL: www.gowlingwlg.com



Samantha HollandTel: +44 37 0733 0590 / Email: [email protected] is a Partner in the Insurance Team and leads the Gowling WLG InsurTech Group, which combines an understanding of technologies such as blockchain, AI and IoT with in-depth knowledge of the insurance value-chain and the regulatory framework in which InsurTechs operate. These leading technology and insurance professionals provide full-service legal support across the InsurTech landscape. Samantha innovates wherever possible working with entrepreneurial clients to bring products to market, most recently in the sports insurance, transactional insurance and real estate markets. Her 20+ years as a litigator mean that she is ideally placed to analyse risk and stress-test the application of new technologies.

USAAndrew Lorentz & Thomas Kost

Davis Wright Tremaine LLP



Overview of U.S. approach to regulating financial servicesFintech, like all financial services in the U.S., is regulated at both the state and federal level. Each of the 50 states and the federal government have passed their own body of laws that may apply to financial services and providers of financial services. This is also true of the subset of financial services providers who operate in the banking industry, which is subject to the dual banking system in the U.S., under which banks are chartered and supervised by either a U.S. state or the federal government.The vast network of laws that apply to Fintech are implemented and enforced by a similarly vast network of U.S. state and federal agencies, each with a differing (but often overlapping) scope of authority. Some agencies are focused on specific types of entities; other agencies are focused on specific types of financial services; yet others have a general mandate to protect consumers from harm across a range of entities and services. Federal law and the authority of federal agencies generally preempt (or displace) state laws and agencies where there is direct conflict. However, for some Fintech-related issues, there is no specific federal law, subjecting the industry to both levels of authority.Regulation of financial services in the U.S. can take many forms. State and federal agencies may be empowered to write new rules and regulations with the force of law; interpret existing rules and regulations; grant licences to entities to engage in specialised activities like banking or lending; examine entities’ records or practices; investigate entities’ compliance with the law; and, ultimately, enforce the law through administrative or court proceedings in the event of alleged violations. The regulatory landscape for Fintech is continually evolving as each regulator takes its own approach to establishing a regulatory framework that is consistent with its mandate while also promoting beneficial innovation. The specific mix of compliance obligations and regulators to whom a Fintech entity must answer will depend on how the entity is structured, the types of products or services it offers, and the particular jurisdictions in which it operates. Major opportunities and challenges for FintechThe trends driving the disruption of financial services in the U.S. continue to accelerate – including changes in customer preferences, the speed and capacity of data networks and processing, and a fragmented regulatory framework – leaving incumbent providers labouring under legacy compliance and technology infrastructures that are slow and costly to adapt (and hence create openings for new players).

Davis Wright Tremaine LLP USA


The division of the U.S. into over 50 jurisdictions, each with its own regulatory authority, creates constant tension with the preferred Fintech “software-as-a-service” model that depends on the ability to scale products for a national market. The industry has trended towards increasing sophistication and beneficial collaboration between Fintech entities and chartered and licensed financial institutions in launching products. This trend has led U.S. federal and state regulators to engage in sincere efforts to likewise innovate in their oversight of financial services. In addition to the major contributions of U.S. Fintech entities in offering innovative products, Fintech entities from other countries are injecting energy and dynamism into the U.S. market for financial services. Nevertheless, Fintech in the U.S. continues to be challenged by inconsistent regulatory expectations – even from the same regulators depending on the political climate – and by the struggle of U.S. regulators to adapt their dated regulatory frameworks to keep pace with new Fintech models.

Fintech offerings in your jurisdiction

Fintech has had varying degrees of impact on virtually every aspect of the U.S. market for financial services. Below, we highlight a few of the most prominent Fintech offerings, as well as efforts by regulators to ensure that these offerings conform to appropriate guardrails.Money transmissionHistorically, money transmission in the U.S. was carried out by licensed money transmitters who relied on authorised delegates in multiple locations to act as their agents for collecting and disbursing cash and monetary instruments. Money transmitters generally had a transactional rather than an account relationship with their customers, did not store funds on behalf of customers, and often lacked the capability to provide other services ancillary to money movement to their clients. The internet and mobile technology have fundamentally changed the business operations and relationship of U.S. money transmitters to their customers in several important ways. First, although cash payments are still common, money is now primarily represented and stored in digital format. Second, electronic payment orders, instructions, and responses with respect to digital money can be transmitted and processed in real time, thereby enabling real-time clearing and settlement. Third, customers possess the means to initiate payment orders from their own electronic devices. These three factors have obviated the need for physical locations for the collection and disbursement of funds and payment instructions, and instead created a need for digital and mobile wallets where money can be stored and accessed through a customer device, and for digital and mobile interfaces and applications where payments orders can be created. For corporate entities, it has also created the opportunity to digitalise the invoicing, remittance, and reconciliation process, which has typically been a heavily manual process prone to error and delay. Technology companies have capitalised on the shift to digital and mobile payments by offering free or low-cost bank account substitutes with payment capabilities to unbanked or underbanked consumers. They also have developed applications that allow users to send and receive electronic payments instantly from their computer or phone, often in conjunction with other financial and non-financial services. In comparison, banks have been slow to develop an online presence and often charge for the same services that are made available by technology companies for free. In contrast to the local regulation and provision of financial services contemplated under U.S. money transmission laws, digital and mobile services can be enabled in all 50 states as



easily as they can in a single state. The requirement to obtain money transmission licences in 49 states1 for digital wallet or payment service providers is a significant bottleneck in bringing such solutions to market. An increasing number of Fintech entities are seeking a bank charter (or special purpose Fintech charter, as discussed below) to avoid state-by-state licensure. In response, some state regulators are participating in initiatives to improve the efficiency of the money transmitter licensing and examination process.2

Alternatives to traditional lendingFintech has democratised consumer and small business lending in the U.S. Working independently or in partnership with banks, Fintech entities have streamlined the loan application process through mobile apps and online interfaces that are accessible, intuitive and easy to use. Fintech firms have also pioneered the use of new technologies like big-data mining and artificial intelligence to increase the speed and accuracy of the underwriting process. These innovations have benefitted consumers through new offerings in the marketplace, better pricing, and expanded access to credit. Some of the most notable gains have been made in the market for small business financing, reflecting the streamlined availability of loans from Fintech platforms and the introduction of alternative financing products such as factoring arrangements and merchant cash advances. The increasing importance of alternative data – including personal data or additional data about income, expenses, or cash flow – and artificial intelligence in underwriting has presented unique regulatory challenges. On the one hand, Fintech lenders have used these innovations to make more refined assessments of the credit risk presented by individual applicants, with especially significant benefits for consumers with limited or poor credit histories. On the other hand, regulators have expressed concern about the potential for discriminatory outcomes of algorithmic decision-making processes where those processes rely on variables or factors that produce biases against racial or ethnic minorities or members of other protected classes.3 The Fintech-led emergence of alternative lending has accelerated during the global pandemic. Fintech entities have played a critical role in delivering financial assistance in connection with the federal government’s COVID-19 relief efforts, including by originating loans through the Paycheck Protection Program. For example, several prominent Fintech entities worked with Cross River Bank – a state-chartered bank with a single branch – to lend nearly $5 billion to PPP recipients.4 Buy now, pay laterFirst popularised in other countries, “buy now, pay later” products (or “BNPLs”) have quickly gained a foothold in the U.S. in recent years. BNPLs offered by Fintech entities have given U.S. consumers yet another option to finance their online (and increasingly in-store) purchases beyond credit and debit cards and traditional purchase financing plans. BNPLs are zero-interest payment plans repaid in four instalments every two weeks, with the first payment often due at the time of purchase. They have proven beneficial to both merchants and consumers. For merchants, BNPLs offer an alternative to high-cost credit cards without the need to adhere to onerous private credit card network rules. Consumers view BNPLs as a more efficient way to access credit, as most BNPL providers do not rely on credit scores or other prerequisites that traditionally create barriers to credit. Other consumers look at BNPLs as a way to avoid carrying a credit card balance that may be subject to high interest rates and costly penalty fees. Early BNPL providers in the U.S. were non-bank Fintech entities that, in general, operated outside of federal and state lending regimes, which gave them an initial advantage of offering



their products unencumbered by the rules applicable to banks and licensed lenders. However, enforcement actions in 2020 against Fintech BNPL providers by California’s Department of Financial Protection and Innovation signalled an important regulatory shift.5 The enforcement actions focused on the risks created by the BNPL model, such as accumulated late fees, increased collection efforts, and potential harm to consumer credit profiles. As a result, Fintech BNPL providers are now required to obtain state lender licences, not only in California but in a number of other states as well. Moreover, with Europe and Australia considering whether to apply traditional consumer protections to BNPLs,6 and with U.S. banks contemplating their own BNPL offerings, the BNPL market is likely to experience increased regulatory scrutiny from U.S. regulators at both the federal and state levels.CryptocurrencyCryptocurrency refers to digital units of value that can be transferred or exchanged without a central intermediary through the use of blockchain technology. Developers have created hundreds of tokens and coins (the distinction between these has become less important) that vary widely in use-case and popularity.Cryptocurrency transactions and businesses engaged in facilitating such transactions are subject to money transmission laws to varying degrees. FinCEN regulates what it has dubbed “convertible virtual currency” under the Bank Secrecy Act.7 Some states were early adopters of laws specifically targeting cryptocurrency activities, such as the New York BitLicense.8 Meanwhile, other states are considering versions of the Uniform Regulation of Virtual-Currency Business Act, which would create a tailored cryptocurrency licensing framework.9 A number of states have chosen to treat cryptocurrency activities as money transmission.10 Still, others have chosen not to regulate cryptocurrency under their money transmitter laws or virtual currency-specific laws.11

The expanding state licensing requirements for non-bank Fintech entities, combined with recent moves by bank regulators, have prompted banks to compete in the cryptocurrency market. In July 2020, the Office of the Comptroller of the Currency clarified that national banks and federal savings associations may provide cryptocurrency custody services and hold cryptographic keys on behalf of customers.12 In September 2020, the state of Wyoming issued its first special purpose depository institution charter to Kraken, the cryptocurrency exchange, allowing it to take deposits and provide custody for digital assets.13 More recently, the Federal Deposit Insurance Corporation has sought information related to insured depository institutions engaging in digital asset activities.14 In addition, the Federal Reserve is exploring the implications of a central bank digital currency.15

Regulatory bodies

As discussed above, a broad constellation of state and federal agencies have been charged with regulating Fintech entities and products. Many of these agencies have created innovation offices specifically to address Fintech-related developments. Federal banking regulatorsFour federal prudential regulators are principally responsible for regulating the banking industry, including Fintech entities that engage in the business of banking. Each agency focuses on different elements of the industry, but all have taken actions to embrace Fintech.• The Federal Deposit Insurance Corporation (“FDIC”) is the primary federal regulator

of state-chartered banks that are not members of the Federal Reserve System. The FDIC is in the midst of a significant update to modernise the bank call report based on Fintech and artificial intelligence solutions.



• The Office of the Comptroller of the Currency (“OCC”) regulates and charters national banks and federal savings associations. The OCC has established an Office of Innovation to develop a regulatory framework that supports responsible innovation.

• The Board of Governors of the Federal Reserve System (“FRB”) is the primary regulator of all state-chartered banks that are members of the Federal Reserve System and oversees the operations of all depository institution holding companies. The FRB continues to support responsible innovation, with a focus on facilitating real-time payments, studying the risks and opportunities with digital currencies, and supporting the use of artificial intelligence in financial services.

• The National Credit Union Administration (“NCUA”) charters national credit unions and regulates all national and state-chartered credit unions. The NCUA has taken a more measured approach to Fintech-related developments.

Other federal regulatorsIn addition to the federal banking agencies, other federal regulators play an important role in regulating the impact and influence of Fintech.• The Consumer Financial Protection Bureau (“CFPB”) supervises and enforces

compliance with many federal consumer financial protection laws that impact Fintech. The CFPB’s supervisory authority covers large banks and some non-bank financial services companies, including mortgage lenders, debut collectors, and student loan servicers; its authority to write regulations and enforce consumer protection laws is much broader. The CFPB created an Office of Innovation to work with Fintech entities and other stakeholders to promote financial services innovation that benefits consumers.

• The Federal Trade Commission (“FTC”) promotes competition and protects consumers from unfair or deceptive acts and practices in the marketplace. The FTC’s authority extends to non-bank Fintech entities that provide a variety of financial services, including lending, payments, and cryptocurrency offerings.

• The Financial Crimes Enforcement Network (“FinCEN”) collects and analyses information about financial transactions in order to prevent money laundering, terrorist financing and other financial crimes, and prescribes rules for financial institutions’ AML compliance programmes. FinCEN’s Innovation Initiative promotes innovation in AML compliance through the adoption of new technologies.

• The Securities and Exchange Commission (“SEC”), Commodity Futures Trading Commission (“CFTC”) and Financial Industry Regulatory Authority (“FINRA”) protect investors from Fintech-related scams, regulate the activities and operations of cryptocurrency exchanges, and enforce federal securities and commodities trading laws implicated in Fintech offerings. The agencies also promote Fintech through initiatives such as the SEC’s Strategic Hub for Innovation and Financial Technology, the CFTC’s LabCFTC, and FINRA’s Office of Financial Innovation.

State regulatorsOver the past several years, most state banking and financial services regulators have expanded the scope and reach of their oversight and regulation of Fintech, particularly with respect to the Fintech offerings from state-chartered banks and non-bank financial services providers (which traditionally have been regulated at the state level). A state banking regulator organisation, the Conference of State Banking Supervisors (“CSBS”), helps to coordinate and promote uniformity and consistency among state regulators with respect to these issues.16



At the same time, some state regulators have pursued an aggressive agenda both to regulate Fintech and promote innovation. For example, while the New York Department of Financial Services (“NYDFS”) has been a major antagonist in the efforts of the OCC to establish a Fintech national bank charter, NYDFS also has been at the forefront of efforts to license cryptocurrency businesses, including transmitting and buying/selling virtual currency and providing exchange services. In 2020, NYDFS also established its “FastForward” programme to support Fintech innovation.17 Like New York, California has moved aggressively to regulate Fintech with an eye towards consumer protection while simultaneously trying to promote innovation. Reflecting its focus on Fintech-related developments, California even changed the name of the agency responsible for financial services regulation from the “Department of Business Oversight” to the “Department of Financial Protection and Innovation”, with part of its mission to support Fintech.18

In addition, several states have established so-called “sandboxes”, which are intended to enable entities to test new Fintech products and services in the marketplace without the need to obtain otherwise-required licences. States that have established Fintech sandboxes include Arizona, Florida, Nevada, Utah, West Virginia, and Wyoming.


Fintech offerings are subject to extensive product-level regulation by the federal government and individual states. The relevant laws and regulations, which collectively form the bedrock of the U.S. system for regulating the financial services industry, are too numerous to mention here.19 Fintech entities also are subject to licensing and chartering regimes at the federal level and on a state-by-state basis, which collectively determine whether and how firms are supervised by regulatory authorities.Within this broader regulatory architecture, U.S. regulators have responded in various ways to Fintech-related innovations. Fintech chartersTo provide a uniform regulatory structure, the OCC has proposed issuing special purpose national bank charters (Fintech charters) to qualifying Fintech entities.20 These so-called Fintech banks would be authorised to lend money and transmit funds, but not accept deposits.21 Because the Fintech charter would be issued under the National Bank Act, Fintech banks would benefit from federal preemption of state lending and money transmission licensing requirements. Although first proposed in 2016, the OCC has not granted any Fintech charters. The lack of interest is likely due to uncertainty caused by state challenges to the OCC’s legal authority to issue such charters.22 Open bankingUnlike some other jurisdictions, U.S. regulators have not yet mandated the sharing of financial data between banks and consumers – commonly known as “open banking” – however, informal, market-driven developments have increased opportunities for consumers to direct banks to share their data with Fintech entities in order to provide beneficial new products and services.A change in the regulatory approach to open banking may be on the horizon. On November 6, 2020, the CFPB published an Advance Notice of Proposed Rulemaking (“ANPR”) announcing its intention to explore regulation of open banking.23 The ANPR seeks to implement Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which requires consumer financial services providers to make information in



possession of the provider available to the consumer24 and follows on the nine financial data sharing and aggregation principles published by the CFPB in 2017.25 The CFPB notes that, although market participants have helped open banking become more secure, effective and subject to consumer control, certain emerging market practices may not reflect the access rights described in Section 1033. The ANPR does not propose any regulations. Instead, it requests public input on a broad array of concerns regarding the “data access ecosystem”, including consumer control over access to data, the effects of regulatory uncertainty, data minimisation, consumer protection incentives of the different parties within the data access ecosystem, and the standardisation of data access methods and formats. While noting the many benefits of open banking in driving competition and innovation, the ANPR highlights concerns around the practices of Fintech entities authorised by consumers to access their data and whether those practices are fair, transparent and secure. The path to regulation is likely to accelerate quickly. The Biden administration has issued an Executive Order encouraging the CFPB to consider a rule governing the portability of consumer financial transaction data to allow consumers to more easily switch banks or take advantage of Fintech-enabled services.26 In addition, recent private litigation challenging data aggregator practices underscores the evolving risks associated with the disclosure of data through authorised third parties and Fintech entities, or collection of data as an authorised third party.27

Anti-money laundering reformOn January 1, 2021, the U.S. Congress enacted the Anti-Money Laundering Act of 2020 (“AMLA”), which contains a number of substantive and administrative reforms to the Bank Secrecy Act (“BSA”) and other federal anti-money laundering (“AML”) and counter-terror financing laws.28 Of primary importance may be the Corporate Transparency Act, which is part of the broader AMLA architecture and requires reporting companies, including Fintech entities, to submit documentation about beneficial account owners to a database maintained by FinCEN. Database information will be non-public and for use by federal, state, and local authorities, but may also be used by FinCEN to facilitate financial institution compliance with BSA requirements.Other parts of the AMLA may not have an immediate impact on the Fintech landscape, but instead direct relevant regulatory authorities to initiate future rulemaking and information exchange efforts to modernise federal AML laws. For example, AMLA requires FinCEN to periodically review currency transaction report and suspicious activity report requirements in order to develop new rulesets streamlining the submission process.The AMLA also includes a number of provisions enhancing federal enforcement authorities and providing for additional administrative mechanisms to ensure compliance. Most notably for new entrants to the U.S. financial services market, the AMLA also permits FinCEN and the U.S. Department of Justice to subpoena non-U.S. banks that maintain correspondent accounts in the U.S. in order to request both U.S. and international AML records.State credit and money transmitter lawsFintech entities seeking to offer credit (particularly consumer credit), or payments, products and services, confront particular challenges under the U.S. system of parallel regulation by federal and state authorities. Consumer credit is subject to a thicket of product regulation at both levels. As a result, applicable disclosure and substantive requirements are inconsistent across states and often not well suited to modern financing products. In order to charge a rate of interest that allows for a profitable product, Fintech lenders that choose to lend directly (i.e., without a bank or credit union partner) must confront state



small loan licensing laws that often impose an antiquated licensing regime under which Fintech lenders are subject to state licensing requirements and regular examination.29 Even out-of-state banks may face claims by state regulators that they should obtain a state lending licence to lend to borrowers in other states, and Fintech entities working with bank lender partners also may be obliged to obtain state loan broker licences.30 Similarly, Fintech entities offering payment products to both consumers and businesses must comply with state money transmission laws that require licensure for anyone in the business of “receiving money for transmission” or “transmitting money”. While there are some similarities in language and requirements among the states under both credit and money transmission regulation, there are also many state-by-state nuances, calling for a very robust compliance programme for a national offering.31

Prospects for harmonising state-licensed lending laws seem unlikely, emphasising the need for Fintech financing providers to be able to rely on bank partnerships for the foreseeable future. Efforts to harmonise state money transmission regimes and streamline their effects are brighter, with the efforts by the CSBS in this regard of special note.32

Regulatory framework for cryptocurrencyThe growing regulatory framework around cryptocurrencies still lacks a definitive means to determine the legal character of any given token or coin. This uncertainty comes from a combination of the overlapping jurisdictions of the SEC, CFTC, and FinCEN and the piecemeal opinions and rulemakings from the regulators trying to catch up with the industry.Since 2013, FinCEN has defined convertible virtual currency (“CVC”) as a medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency.33 Further, FinCEN clarified that the label given to any particular CVC – e.g., digital currency, cryptocurrency, or cryptoasset – is not dispositive of its regulatory treatment.34

Meanwhile, the SEC has determined that some cryptocurrencies are securities. Under the Howey Test, if the SEC finds the purchase of cryptocurrency involved: (1) the investment of money in a common enterprise with; (2) a reasonable expectation of profits; (3) to be derived from the entrepreneurial or managerial efforts of others, then the cryptocurrency is a security.35

The Howey Test generally applies at the creation or issuance of a cryptocurrency, and some coins already in wide circulation, such as bitcoin, are not likely securities.36 The CFTC, however, has stated that such cryptocurrencies are commodities, subject to its jurisdiction if used in a derivatives contract, or if there is fraud or manipulation involving a cryptocurrency traded in interstate commerce.37

Restrictions

In general, substantive product and licensing restrictions applicable to Fintech entities are set forth in the federal and state laws discussed above. However, certain aspects of these laws have proved especially fluid and continue to evolve to meet perceived regulatory challenges created by new innovations. A few such developments are highlighted below.Engaging in the “business of banking”Banks are among the most highly regulated entities in the U.S. Banks are empowered by their state or federal chartering authority to engage in the “business of banking”, a group of activities that are generally restricted to banking organisations and other specialised licensees. Specific activities include taking deposits, making loans, and payments. As a result of the special status afforded to banks, including federal deposit insurance, many states



carefully restrict the use of the term “bank” and related terms by non-banks,38 including non-bank Fintech entities that engage in related activities. As the number of innovative banking services and products increases, federal and state regulators have voiced concerns that consumers cannot sufficiently distinguish banks from non-bank Fintech entities providing similar services. Regulators have thus taken aim at potential misuse of the terms “bank” or “banking” by unlicensed entities through enforcement and rulemaking efforts. In March 2021, California’s DFPI entered into a settlement agreement with a Fintech entity regarding its use of the terms “bank” and “banking” in its business.39 The DFPI alleged that the Fintech entity, which worked with banking partners to provide consumer banking products, had violated California law by using a URL address including the word “bank” prior to February 2020 and by using the words “bank” and “banking” in other aspects of its business. The Fintech entity agreed to stop using the term “bank” in its business unless it becomes a bank or obtains the requisite authorisation to engage in the business of banking. The Fintech entity also agreed to perform a review of its webpage and advertising to clarify that it is not a bank and that banking services are provided by bank partners. In April 2021, the FDIC announced a rulemaking proceeding in which it requested information on potential modernisation of the FDIC’s official sign and advertising requirements to align with how Fintech has advanced the traditional business of banking.40

“True lender” doctrineIn the U.S., interest rates are generally regulated through state-by-state usury laws, creating a patchwork of permissible rates across the country. Under Section 27 of the Federal Deposit Insurance Act,41 FDIC-insured banks are permitted to charge the interest rates permitted in the state where the bank is located regardless of where the borrower resides, enabling banks to offer uniform rates nationally. As a result, Fintech lenders often establish partnerships with banks to take advantage of their special status and avoid the complications of state-by-state rate regulation. Plaintiffs and regulators have challenged the legitimacy of these partnerships in a number of high-profile cases in recent years, arguing that the Fintech entity is the “true lender” and the bank partnership was created for the sole purpose of avoiding state interest rate regulation. In resolving these cases, courts have considered either the structure of the partnership relationship – including how the credit is originated, serviced, or sold, and which party controlled the underwriting and servicing – or the economic benefits and risk of the partnership for the parties, or applied a combination of these approaches. When courts and regulators have concluded that the bank is not the “true lender,” state-by-state rate limits are held to apply to the loans offered by the Fintech entity. In October 2020, the OCC issued a final rule relating to “National Banks and Federal Savings Associations as Lenders” seeking to clarify these issues as to national banks and federal thrifts (the “true lender” rule).42 On June 30, 2021, however, the Biden administration nullified the rule,43 and the OCC may not reissue the same or a substantially similar rule absent congressional authorisation.44 Separately, the FDIC issued a related rule reinforcing the provisions of Section 27 of the FDI Act, even if a loan is later sold by a bank, but expressly refusing to address the “true lender” doctrine.45 As a result, Fintech-bank lending partnerships remain subject to the risk that a court or regulator will apply a “true lender” theory to undermine the partnership’s approach to interest rate limitations, calling into question the enforceability of the partner bank’s loan agreement.



Effect of evolving UDAAP standards on data privacy and security requirements Unfair or deceptive acts or practices in trade or commerce are widely prohibited by both state and federal laws. At the federal level, the Consumer Financial Protection Act further prohibits “abusive” acts or practices.46 Together, these laws are often referred to as “UDAAPs”, and they generally apply to any entity that offers financial services to consumers. Fintech entities must navigate a regulatory environment in which UDAAP standards are deliberately broad and continually evolving. Indeed, regulators use the flexible nature of these laws to fill perceived gaps left by other, more prescriptive regulatory schemes. In the absence of detailed laws or regulations clarifying what is and is not a UDAAP, Fintech entities often need to rely on agency precedent in the form of enforcement actions, including litigation and negotiated consent orders, to better understand regulators’ expectations. For instance, the FTC has brought several recent enforcement actions against Fintech entities alleging “unfair or deceptive” practices relating to online lending, crowdfunding, payment processing, peer-to-peer payments, and cryptocurrency that establish the guardrails within which Fintech entities are expected to operate.47

In particular, regulators have used evolving UDAAP standards to fill regulatory gaps in the area of financial privacy and data security. Financial institutions are generally subject to federal (and some state) privacy and security requirements, including the Gramm-Leach-Bliley Act (“GLBA”), its implementing Regulation P, and the FTC’s Safeguards Rule.48 For Fintech entities that partner with financial institutions (such as when offering banking as a service), the determination as to which privacy regime applies – and how to manage data under those regimes – can be difficult. For example, as servicer to a financial institution, a Fintech entity would normally operate under the GLBA – directly as a recipient of the financial institution’s data but also contractually under its agreement with the financial institution. In providing its own services, a Fintech entity would have its own privacy compliance obligations, whether under GLBA (if its services are financial in nature) or another non-financial privacy regime (such as the California Consumer Privacy Act). Regardless of which privacy regime applies, however, Fintech entities should be aware that UDAAP standards are always operating in the background. As such, regulators have often cited to UDAAP as a basis to initiate an enforcement action against a Fintech entity for problematic privacy practices, even if the Fintech entity has not clearly violated other privacy-focused laws that may apply. In other words, a Fintech entity’s efforts to come into technical compliance with a particular privacy regime, while necessary as a legal matter, may be less relevant to a regulator if the Fintech entity’s privacy practices are deemed to be unfair or deceptive.Managing third-party relationshipsRegulators require that banks practice effective risk management when selecting, contracting with, and monitoring third parties with which the banks have business arrangements. The OCC has the most developed framework, elaborated in its guidance on third-party risk management49 and recently updated supplementary FAQs explicitly addressing banks’ business arrangements with Fintech entities.50 Relationships between Fintech entities and banks make delivery of banking of a service (“BaaS”) more efficient in some areas (e.g., simplifying regulatory requirements for lending and payments services) and are essential for enabling the BaaS elements that must be backed by a bank charter (e.g., access to bankcard, RTP, wire, and ACH networks).The OCC has acknowledged that Fintech-bank relationships do not automatically require that banks exercise (and Fintech entities submit to) the heightened oversight requirements



that the OCC expects in situations like high-risk outsourcing of a bank’s critical activities. Rather than applying a strict, one-size-fits-all rule to Fintech relationships that would unnecessarily hamper innovation, the OCC expects that banks will make careful risk assessments to determine the diligence, contractual requirements and monitoring appropriate for each third-party relationship. The OCC’s FAQs illustrate how to assess risk factors in certain Fintech-bank business arrangements, including use of data aggregators; performing diligence on and contracting with start-ups; backing marketplace lending arrangements; and providing consumer mobile wallets.In its own effort to reduce the burden on banks and Fintech entities relating to third-party oversight requirements, the FDIC has proposed the creation of a public/private standard-setting and voluntary certification programme for nonbank entities.51 A trusted certification could cut the costs of engagement on both sides, increasing efficiency and encouraging innovation.Antitrust and competitionFintech entities will face an evolving antitrust and competition regulatory climate in the coming years. The federal regulators responsible for enforcing competition and consumer protection laws have signaled an interest in acquiring more expertise and taking more aggressive action in technology markets, including in the financial services and banking sectors. A reorganisation of the U.S. Department of Justice (“DOJ”) in 2020 led to the consolidation of antitrust oversight over banking, financial services, and credit/debit cards under a new Financial Services, Fintech, and Banking Section. After signaling more active enforcement of the antitrust laws governing mergers and acquisitions,52 the DOJ in December 2020 brought a lawsuit challenging Visa’s acquisition of a Fintech entity, a transaction the parties subsequently abandoned. The DOJ’s case centred on portraying the Fintech entity as a “nascent competitive threat” to the credit card network incumbent in the market for online debit services.53 The case is a signal to the financial services industry that regulators are willing to bring such “potential competition” cases against deals where there is little or even no existing competition between the merging parties, including where one party is an emerging Fintech entity.


Regulators in the U.S. have participated in international initiatives to address the impact of new technologies in financial services. Two of the most notable cross-border collaborations are:• The Financial Action Task Force (“FATF”) is an intergovernmental body that aims to

help fill gaps in the amount and quality of AML information that authorities can obtain regarding international transactions. The FATF establishes international standards and policies for combatting money laundering and terrorism financing. FinCEN and other U.S. regulators may turn to the FATF’s Recommendations guide as they continue to seek ways to modernise and improve U.S. AML regulations.54

• The CFPB is a member of the Global Financial Innovation Network (“GFIN”), which is an alliance of regulatory agencies from across the globe who seek to encourage responsible financial innovation.55 The GFIN works with international regulators to facilitate innovation in financial services and promote regulatory best practices. The CFPB works with GFIN through its Office of Innovation.



Endnotes1. Every U.S. state but Montana has adopted laws regulating money transmission activities.2. See, e.g., Conference of State Bank Supervisors, Reengineering Nonbank Supervision,

Chapter Two: Overview of Nonbank Supervision at 23–26 (Aug. 2019), available at https://www.csbs.org/sites/default/files/chapter_two_-_overview_of_state_nonbank_supervision_2.pdf.

3. See “Interagency Statement on the Use of Alternative Data in Credit Underwriting,” available at (Dec. 2019), https://files.consumerfinance.gov/f/documents/cfpb_interagency-statement_alternative-data.pdf; see also Elisa Jillson, Federal Trade Commission – Business Blog, Aiming for truth, fairness, and equity in your company’s use of AI (Apr. 19, 2021), available at https://www.ftc.gov/news-events/blogs/business-blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai.

4. Stacey Cowley, N.Y. Times, “The Tiny Bank That Got Pandemic Aid to 100,000 Small Businesses” (June 30, 2020), available at https://www.nytimes.com/2020/06/23/business/paycheck-protection-program-cross-river-bank.html.

5. See California Department of Financial Protection and Innovation, “Point-of-Sale Lender Sezzle Agrees to Cease Illegal Loans, Pay Refunds in Settlement with the California Department of Business Oversight” (Jan. 16, 2020), available at https://dfpi.ca.gov/2020/01/16/point-of-sale-lender-sezzle-agrees-to-cease-illegal-loans-pay-refunds-in-settlement-with-the-california-department-of-business-oversight/; and California Department of Financial Protection and Innovation, “Point-of-Sale Lender Afterpay Agrees to Cease Illegal Loans, Pay Refunds in Settlement with the California Department of Business Oversight” (Mar. 16, 2020), available at https://dfpi.ca.gov/2020/03/16/point-of-sale-lender-afterpay-agrees-to-cease-illegal-loans-pay-refunds-in-settlement-with-the-department-of-business-oversight/.

6. See HM Treasury, “Buy-now-pay-later products to be regulated” (Feb. 2, 2021), available at https://www.gov.uk/government/news/buy-now-pay-later-products-to-be-regulated; and Australian Securities & Investments Commision, 20-280MR ASIC releases latest data on buy now pay later industry (Nov. 16, 2020), available at https://asic.gov.au/about-asic/news-centre/find-a-media-release/2020-releases/20-280mr-asic-releases-latest-data-on-buy-now-pay-later-industry/.

7. Financial Crimes Enforcement Network, FinCEN Guidance FIN-2019-G0001 (May 9, 2019), available at https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf.

8. New York Department of Financial Services, NY DFS Releases Proposed BitLicense Regulatory Framework For Virtual Currency Firms (July 17, 2014), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr 1407171.

9. Uniform Law Commission, Regulation of Virtual-Currency Businesses Act (2017), available at https://www.uniformlaws.org/committees/community-home? communitykey=e104aaa8-c10f-45a7-a34a-0423c2106778.

10. See, e.g., Washington Department of Financial Institutions, Virtual Currency and Money Transmission Laws (undated), available at https://dfi.wa.gov/sites/default/files/virtual-currency-money-transmission-laws.pdf.

11. See, e.g., Texas Department of Banking, Supervisory Memorandum – 1037 (April 1, 2019), available at https://www.dob.texas.gov/public/uploads/files/consumer-information/sm1037.pdf. But note that stablecoins and other cryptocurrencies pegged



to and redeemable for sovereign currency are considered “money or monetary value” subject to Texas’ money transmitter law.

12. Office of the Comptroller of the Currency, Interpretive Letter #1170 (July 22, 2020), available at https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1170.pdf.

13. Kraken Corporate Blog, “Kraken Wins Bank Charter Approval”, (Sept. 16, 2020), available at https://blog.kraken.com/post/6241/kraken-wyoming-first-digital-asset-bank.

14. Federal Deposit Insurance Corporation, Request for Information and Comment on Digital Assets, 86 Fed. Reg. 27602 (May 21, 2021), available at https://www.federalregister.gov/documents/2021/05/21/2021-10772/request-for-information-and-comment-on-digital-assets.

15. Board of Governors of the Federal Reserve System, “What is a Central Bank Digital Currency? Is the Federal Reserve Moving Toward Adopting a Digital Dollar?” (May 20, 2021), available at https://www.federalreserve.gov/faqs/what-is-a-central-bank-digital-currency.htm.

16. See Conference of State Banking Supervisors, About CSBS, https://www.csbs.org/about (last visited July 13, 2021).

17. See New York State Department of Financial Services, FastForward, https://www.dfs.ny.gov/industry_guidance/dfs_next/dfs_fastforward (last visited July 13, 2021).

18. See California Assembly Bill 1864 (passed Aug. 31, 2020), available at https://leginfo.legislature.ca.gov/faces/billPdf.xhtml?bill_id=201920200AB1864&version=20190AB186497AMD.

19. Some prominent examples at the federal level include the Truth in Lending Act for consumer credit, the Electronic Fund Transfer Act for transfers of consumer funds, and the Gramm-Leach Bliley Act and Fair Credit Reporting Act for information collection and sharing.

20. Office of the Comptroller of the Currency, Exploring Special Purpose National Bank Charters for Fintech Companies (Dec. 2016), available at https://www.occ.gov/publications-and-resources/publications/banker-education/files/pub-special-purpose-nat-bank-charters-fintech.pdf.

21. Office of the Comptroller of the Currency, Considering Charter Applications From Financial Technology Companies (July 2018), available at https://www.occ.gov/publications-and-resources/publications/comptrollers-licensing-manual/files/pub-considering-charter-apps-from-fin-tech-co.pdf.

22. See Lacewell v. Office of the Comptroller of the Currency, No. 19-4271 (2d Cir. 2021). NYDFS sued the OCC and won in federal district court, but the case was reversed and dismissed on appeal as “unripe” because the OCC had not yet issued any Fintech charters. NYDFS is expected to refile its challenge whenever the OCC issues its first Fintech charter.

23. Consumer Financial Protection Bureau, Consumer Access to Financial Records, 85 Fed. Reg. 71003 (Nov. 6, 2020), available at https://www.federalregister.gov/documents/2020/11/06/2020-23723/consumer-access-to-financial-records.

24. 12 U.S.C. § 5533.25. Consumer Financial Protection Bureau, “Consumer Protection Principles: Consumer-

Authorized Financial Data Sharing and Aggregation” (Oct. 18, 2017), available at https://files.consumerfinance.gov/f/documents/cfpb_consumer-protection-principles_data-aggregation.pdf.

26. Executive Order on Promoting Competition in the American Economy (July 9, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-



actions/2021/07/09/executive-order-on-promoting-competition-in-the-american-economy/.

27. See, e.g., Cottle v. Plaid Inc., No. 4:20-cv-03056 (N.D. Cal. filed May 4, 2020).28. William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021,

H.R. 6395, 116th Cong. § 6001, et. seq. (2021), available at https://www.congress.gov/bill/116th-congress/house-bill/6395.

29. See, e.g., Oklahoma Stat. Ann. tit. 14A §§ 1-101, et seq.30. See Charge Letter, Maryland Commissioner of Financial Regulation v. Fortiva

Financial, et al., Case No. CFR-FY2017-0033 (Jan. 21, 2021), available at https://www.consumerfinancemonitor.com/wp-content/uploads/sites/14/2021/05/Maryland.pdf.

31. As of the date of publication, the Uniform Consumer Credit Code (“UCCC”) has only been enacted in 11 states. See Uniform Law Commission, Consumer Credit Code, available at https://www.uniformlaws.org/committees/community-home?CommunityKey=0f8dc75f-b418-4378-9641-486bb12813ff. The Uniform Money Services Act (“UMSA”) has only been enacted in 10 states plus Puerto Rico and the U.S. Virgin Islands. See Uniform Law Commission, Money Services Act, available at https://www.uniformlaws.org/committees/community-home?CommunityKey=cf8b649a-114c-4bc9-8937-c4ee17148a1b.

Federal consumer credit regulation is also very demanding and supplements the state regimes with product disclosure and substantive requirements; the whole lifecycle of consumer credit is regulated from application, underwriting, and servicing up to and including debt collection. For payments, states also regulate “stored value” under their money transmission laws, and the federal FinCEN regulates the analogous “prepaid access” to implement the Bank Secrecy Act’s anti-money laundering requirements.

32. See, e.g., Conference of State Banking Supervisors, “Networked Supervision: The Evolution of State Regulation” (Apr. 22, 2021), available at https://www.csbs.org/newsroom/networked-supervision-evolution-state-regulation.

33. Financial Crimes Enforcement Network, FinCen Guidance FIN-2013-G001 (Mar. 18, 2013), available at https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf.

34. Financial Crimes Enforcement Network, FinCen Guidance FIN-2019-G001 (May 9, 2019), available at https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf.

35. Securities and Exchange Commission, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Release No. 81207 (July 25, 2017), available at https://www.sec.gov/litigation/investreport/34-81207.pdf.

36. William H. Hinman, Director of Division of Corporation Finance, Securities and Exchange Commission, Remarks at the Yahoo Finance All Markets Summit: Crypto, “Digital Asset Transactions: When Howey Met Gary (Plastic)” (June 14, 2018), available at https://www.sec.gov/news/speech/speech-hinman-061418.

37. Commodity Futures Trading Commission, LabCFTC at the CFTC, A CFTC Primer on Virtual Currencies (Oct. 17, 2017), available at https://www.cftc.gov/sites/default/files/idc/groups/public/%40customerprotection/documents/file/labcftc_primercurrencies100417.pdf.

38. See e.g., N.Y. Banking Law § 131 (“No person, except a national bank, a federal reserve bank, or a corporation duly authorised by the superintendent to transact business in this state, shall make use of any office sign at the place where such business is transacted having thereon any artificial or corporate name, or other words indicating that such place or office is the place of business or office of a bank or trust company…”).



39. Department of Financial Protection and Innovation, Settlement Agreement, In the Matter of The Commissioner of Financial Protection and Innovation v. Chime Financial, Inc. (Mar. 29, 2021), available at https://dfpi.ca.gov/wp-content/uploads/sites/337/2021/04/Admin.-Action-Chime-Financial-Inc.-Settlement-Agreement.pdf.

40. Federal Deposit Insurance Corporation, Request for Information on FDIC Official Sign and Advertising Requirements and Potential Technological Solutions, 86 Fed. Reg. 18528 (April 9, 2021), available at https://www.federalregister.gov/documents/2021/04/09/2021-07356/request-for-information-on-fdic-official-sign-and-advertising-requirements-and-potential.

41. 12 U.S.C. § 1831d. 42. Office of the Comptroller of the Currency, Final Rule: National Banks and Federal

Savings Associations as Lenders, 85 Fed. Reg. 68742 (Oct. 30, 2020), available at https://www.federalregister.gov/documents/2020/10/30/2020-24134/national-banks-and-federal-savings-associations-as-lenders.

43. 5 U.S.C. §§ 801-808.44. S.J. Res. 15, 117th Congress (passed May 11, 2021), available at https://www.congress.

gov/bill/117th-congress/senate-joint-resolution/15?r=1&s=8.45. Federal Deposit Insurance Corporation, Final Rule: Federal Interest Rate Authority,

85 Fed. Reg. 44146 (July 22, 2022), available at https://www.fdic.gov/news/board/2020/2020-06-25-notice-dis-c-fr.pdf.

46. 12 U.S.C. § 5531(d). 47. See, e.g., Complaint, FTC v. Beam Financial Inc., No. 3:20-cv-08119-AGT

(N.D. Cal. Nov. 18, 2020), available at https://www.ftc.gov/enforcement/cases-proceedings/182-3177/beam-financial-inc; Complaint, FTC v. AlliedWallet, Inc. et al, No. 2:19-cv-4355 (C. D. Cal. May 20, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/05/operators-payment-processing-firm-settle-charges-assisting; Federal Trade Commission, FTC Data Shows Huge Spike in Cryptocurrency Investment Scams (May 17, 2021), available at https://www.ftc.gov/news-events/press-releases/2021/05/ftc-data-shows-huge-spike-cryptocurrency-investment-scams.

48. See, e.g., 16 C.F.R. part 314 (Safeguards Rule).49. Office of the Comptroller of the Currency, OCC Bulletin 2013-29, (Oct. 30, 2013),

available at https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html. The banking agencies recently released a proposal to combine the banking agency guidance on third-party relationships into a single set of interagency guidelines: https://www.occ.treas.gov/news-issuances/news-releases/2021/nr-occ-2021-74a.pdf.

50. Office of the Comptroller of the Currency, OCC Bulletin 2020-10, (Mar. 5, 2020) (the “FAQs”), available at https://www.occ.gov/news-issuances/bulletins/2020/bulletin-2020-10.html.

51. Federal Deposit Insurance Corporation, Request for Information on Standard Setting and Voluntary Certification for Models and Third-Party Providers of Technology and Other Services, 85 Fed. Reg. 44890 (July 24, 2020), available at https://www.federalregister.gov/documents/2020/07/24/2020-16058/request-for-information-on-standard-setting-and-voluntary-certification-for-models-and-third-party.

52. Michael Murray, Deputy Assistant Attorney General, U.S. Department of Justice, The Muscular Role for Antitrust in Fintech, Financial Markets, and Banking: The Antitrust Division’s Decision to Lean In (Oct. 14, 2020), available at https://www.justice.gov/opa/speech/file/1327491/download.

53. United States vs. Visa Inc., No. 3:20-cv-07810 (N.D. Cal. filed Nov. 5, 2020), available at https://www.justice.gov/opa/press-release/file/1334726/download.



54. See Financial Action Task Force, The FATF Recommendations 2012 (as amended Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html.

55. Consumer Financial Protection Bureau, The Consumer Financial Protection Bureau and the Global Financial Innovation Network (GFIN), https://www.consumerfinance.gov/rules-policy/innovation/global-financial-innovation-network/ (last visited July 13, 2021).

Acknowledgments

The authors would like to thank the following individuals for their invaluable contributions to this chapter: Amit Aulakh; Rachel Block; Matthew Bornfreund; Jonathan Engel; Bradford Hardin; Brian Hurh; Silki Patel; Kevin Petrasic; Kaj Rozga; Bill Schuerman; Dsu-Wei Yuen; and Rich Zukowsky.

Andrew Lorentz Tel: +1 202 973 4232 / Email: [email protected] Lorentz helps clients find the shortest path through the maze of regulations between their vision and the launch of a commercial product. The co-chair of DWT’s FinTech practice, he advises on complex regulatory issues and transactions and helps resolve disputes. Andy is committed to driving change within the delivery of legal services, drawing on lessons learned from the industry’s most innovative and disruptive companies. Andy has represented major banks and non-depository financial institutions, global technology companies, e-commerce and payment companies, and retailers. He advises on issues related to the Electronic Fund Transfer Act, Regulation E, Truth-in-Lending, Regulation Z, the Fair Debt Collection Practices Act, the Federal Trade Commission Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, federal and state banking regulation, state money transmission and licensed lending laws, payment network rules, unclaimed property laws, the Bank Secrecy Act, FDIC insurance, and E-SIGN.

Thomas Kost Tel: +1 206 757 8357 / Email: [email protected] Kost draws on his experience as a regulator to guide financial services companies through high-stakes enforcement and supervisory matters, litigation, and compliance challenges. A former staff attorney with the FTC’s Bureau of Consumer Protection, Thomas has handled all aspects of complex governmental investigations and litigation involving a wide variety of consumer financial laws. Thomas’s experience spans a range of traditional and emerging financial products and services. While with the FTC, Thomas helped develop the agency’s enforcement strategy relating to small business financing. He has also represented banks, card issuers, and non-bank financial services providers in matters involving retail deposit products, overdraft services, mortgage lending and servicing, unsecured lending, credit cards, and prepaid cards.

Davis Wright Tremaine LLP920 Fifth Avenue, Suite 3300, Seattle, WA 98104, USA

Tel: +1 206 622 3150 / URL: www.dwt.com



VietnamPhilip Ziter, Chu Bao Khanh & Nguyen Huu Minh Nhut

Russin & Vecchi



Vietnam’s Fintech landscape has evolved dramatically over the last decade, with homegrown market leaders like MoMo, Mocha, and VNPay leading the way. Foreign-invested players also occupy significant market share. The legal framework governing Fintech in Vietnam continues to develop and evolve. Financial inclusion is weak. Vietnam lags behind other countries in Southeast Asia. Approximately 70% of its population remains unbanked.1 Fintech is playing a significant role in filling the gap. Non-bank institutions continue to exploit the opportunities unmet by traditional financial services providers.Vietnam has yet to develop clear and robust legislation regulating Fintech activities. Non-cash payments companies are an exception. They are regulated as Intermediate Payment Services providers. Businesses involved in peer-to-peer lending (“P2P lending”), blockchain, or other unregulated business models typically function by registering under a combination of available operating licences. See “Key regulations and regulatory approaches” below for a complete discussion on existing and anticipated laws.The rapid development of Fintech has enhanced and accelerated the government’s efforts regarding anti-money laundering/combatting the financing of terrorism (“AML/CFT”). This rapid development has put a spotlight on risks related to data privacy and cybersecurity, resulting in impending updates to the law via new Draft Decrees on Data Protection and Cybersecurity (discussed below). The government recognises the importance of establishing a Fintech regulatory sandbox. “Sandbox” is understood in Vietnam as it is elsewhere. It would provide regulatory exemptions for certain businesses and for a fixed period of time, allowing businesses to develop and test new products, services, and models. It perfectly fits Vietnam’s current needs. The Prime Minister has put plans in motion to establish a Fintech regulatory sandbox. While the timing remains unclear, we are optimistic that a Fintech sandbox will be established in the coming months.

Fintech offering in Vietnam

Vietnam’s Fintech industry has experienced substantial growth, due to a massive rise in adoption of digital transactions, largely by way of the booming e-commerce industry, and deliberate government efforts to boost digital payments generally. The government’s stated target is to reduce cash transactions to below 10% by boosting e-payments and developing digital means of payments in rural and remote areas. We discuss specific regulatory developments below.

Russin & Vecchi Vietnam


Among several existing product segments (i.e., digital payments, P2P lending, wealth management/personal finance, SME finance, blockchain, Insurtech, etc.), digital payments account for the lion’s share of the market at approximately 90%. According to a joint report by United Overseas Bank, PricewaterhouseCoopers and the Singapore FinTech Association, 98% of total funding in recent years has been allocated to the payments sector.Digital payment refers to transactions, conducted by electronic means (i.e., online or via a mobile network), between a payor and a payee. Personal finance relates to the facilitation of users’ financial activities and decisions (i.e., investing, saving, spending, etc.) performed via electronic means. Digital financial services for business customers (i.e., corporate finance) presents a relatively unexploited model, which is expected to see major growth in the coming years. Additionally, the following segments represent growing trends in the market:2

• Mobile payments (as described in detail below).• Payment platforms/aggregators that enable and/or facilitate transactions between

payment platforms and front-end processors/merchants.• Non-bank financial institutions disrupting traditional financial products (i.e., insurance,

group savings, crowdfunding/investing).• Robo-Advisors, digital personal investments, financial management products using

artificial intelligence.


In general, Regtech is not yet intensively regulated under Vietnamese law. To date, the Vietnamese Government has only shown early signs of adoption of Regtech. According to Decision 149/2020/QD-TTg dated January 22, 2020 of the Prime Minister, development of a legal framework for the adoption of e-KYC is an objective for the State Bank of Vietnam (“SBVN”) to achieve by 2022. On December 4, 2020, the SBVN issued Circular No. 16/2020/TTNHNN amending Circular No. 23/2014/TT-NHNN on opening and using payment accounts with payment service providers (“Circular 16”) as one way to achieve its objective. Specifically, Circular 16 allows licensed banks and foreign bank branches (“Licensed Banks”) to implement e-KYC for Vietnamese citizens and enterprises to open payment accounts. Licensed Banks have the right to decide the method, form, and technology it will use for e-KYC, assuming minimum requirements are satisfied. For example, Licensed Banks must have solutions and technologies to collect, examine, collate and ensure consistency between e-KYC information and information on customers’ identity documents or identity information certified by competent agencies/organisations (e.g., credit institutions, and organisations providing electronic identification and verification services). Licensed Banks are also required to introduce and implement a process of control and risk assessment for these operations. Licensed Banks are also entitled to decide on the transaction limit of customer’s payment accounts opened via e-method, but they must ensure that the total value transaction limit (debit) does not exceed VND100 million (approximately USD4,300) per month, per customer. A value transaction limit greater than VND100 million per month, per customer can be applied to payment accounts which have been verified by e-KYC, e.g., via a video call or using technology to examine and collate biometric characteristics of customers through the citizen identification database.In line with the issuance of Circular 16, the Vietnamese Government is working to set up the national population database in July 2021, which can play an important role in enabling



e-KYC by allowing the collection and use of basic information on all Vietnamese citizens, which is standardised, digitalised, stored, and managed by state-run information technology infrastructure.In addition, a decree on electronic identity identification and verification services (“Draft ID Decree”) is also being drafted by the Vietnamese Government. The Draft ID Decree sets out, among other things, the levels of security and reliability of electronic identity, and licensing requirements for companies providing an electronic identity identification and verification service. The Draft ID Decree also introduces the concept of a platform whereby companies can obtain and exchange information regarding electronic identification and verification. It is not yet clear who will establish the platform, whether it will be a single platform run by the government, or if private platforms can be established. Of note, the Draft ID Decree currently proposes that an electronic identification and verification service provider must maintain an escrow account with a minimum amount of VND20 billion (approximately USD870,000) in order to be permitted to provide this service. Insurtech is still in its early development in Vietnam. Most insurance companies have built online applications or websites for their business activities. However, revenues from insurance services through online channels is estimated to contribute only 5–7% of total revenues in 2020. Along with the penetration of foreign Insurtech companies (e.g., 9Lives), a number of Insurtech startups in Vietnam have also been established, such as INSO, SaveMoney, MIIN, Papaya, etc. These companies are relatively small in scale, most act as intermediaries (i.e., as brokers or insurance agents), and provide technology services to primary insurance companies (e.g., online platforms, mobile apps, etc.).To date, Vietnam’s legal framework for Insurtech has not yet been developed. However, according to Government Decree 03/2021/ND-CP dated January 15, 2021, and for the first time, insurance companies are permitted to grant electronic certificates of compulsory insurance for civil liability to motor vehicle owners.

Regulatory bodies

As Fintech involves elements of both finance and technology, the industry is subject to multiple regulations issued by a number of key regulators. The SBVN, as the central bank, regulates finance-related matters, while the Ministry of Public Security (“MPS”) oversees data privacy and cybersecurity-related matters. The Steering Committee on Financial Technology under the SBVN, which was established under Decision 328/QD-NHNN dated March 16, 2017 of the SBVN, is the designated centralised state authority to implement state management of Fintech. The Department of Payments under the SBVN is the standing unit responsible for implementing tasks assigned by the Steering Committee. The Steering Committee is positioned to, among other functions, develop and complete the Fintech ecosystem (including a regulatory framework), and create opportunities for Fintech companies following the policy and strategy of the government.


To date, there is neither a specific definition of Fintech nor a consolidated legal document regulating Fintech. Current regulations have, for the most part, evolved around the payment industry. That said, the government has been developing projects and draft regulations to regulate thus far unregulated Fintech forms.



Intermediary payment services (“IPS”)IPS are governed by Government Decree 101/2012/ND-CP dated November 22, 2012 on non-cash payments (“Decree 101”), and SBVN’s guiding Circular No. 39/2014/TT-NHNN dated December 11, 2014, as amended by Circular No. 23/2019/TT-NHNN dated November 22, 2019 (“Circular 39”). IPS include financial switching services, electronic clearing services, payment gateway services, support services for money collection and payments, support services for electronic money transfer, and e-wallet services. Under Circular 39, IPS providers must be locally established enterprises that have obtained a licence to provide IPS (“IPS Licence”) from the SBVN. In order to obtain an IPS Licence, the applicant must satisfy conditions such as: (a) have a minimum charter capital (i.e., VND50 billion, equivalent to around USD2,200,000); (b) demonstrate certain human resource requirements; and (c) fulfil facilities and technical conditions. Vietnam did not commit to open IPS to foreign investment in its commitments under the WTO – nor did it do so under its recent trade agreements. Therefore, the licensing of foreign investors is considered on a case-by-case basis. The Vietnamese Government is working on a draft decree on non-cash payment to replace Decree 101, which is expected to provide more details on IPS, allow outsourcing of certain functions to agents, and release or to remove certain licensing requirements to facilitate market access to Fintech investors. Of note, the current version of the draft decree proposes a foreign ownership cap of 49% for an IPS provider. However, upon considering public opinion, the SBVN has recently reconsidered and may remove the cap. Still, a new version of the draft decree reflecting this reconsideration has yet to be publicised by the SBVN. Mobile money serviceUnder Decision 316/QD-TTg of the Prime Minister dated March 9, 2021, a pilot programme for mobile money service has been approved. It allows the use of mobile phone credit to pay for goods and services of small value (i.e., a total transaction value limit of VND10 million per month, equivalent to around USD430). The pilot programme will operate for two years from approval of the first enterprise to pilot the mobile money service. The result of the pilot programme will be used by regulators to design specific regulations. The most significant difference compared to e-wallets is that the mobile money service does not require a bank account to use and to pay like e-wallets. In addition, mobile money will only be applicable for domestic transactions and will not be available for cross-border services. In order to apply for the pilot programme, an enterprise must (i) obtain a licence to provide e-wallet IPS, and (ii) obtain a licence to establish a public mobile terrestrial telecommunications network using radio frequencies, or be a subsidiary of a company which has such a telecoms licence and is authorised to use the telecommunications infrastructure of the parent company. There are three carriers that have announced participation in the pilot in Vietnam, namely: Viettel; VNPT; and Mobifone. P2P lending serviceThe activities of P2P lending are currently not governed by specific legislation in Vietnam. This view is supported by the SBVN’s Official Letter 5228/NHNN/CSTT dated July 8, 2019. That said, in practice, Fintech companies operating P2P lending are still obliged to comply with the general regulations provided by the Civil Code, the Law on Investment and the Law on Enterprise. Particularly, Fintech companies must obtain enterprise registration



certificates with similar business lines to P2P lending (e.g., financial consultancy, financial brokerage, or activities auxiliary to financial service activities not elsewhere classified). In addition, under Vietnamese law, P2P lending is considered to be a civil transaction rather than a business activity, and thus is subject to the requirements on civil lending. Among other things, the lending interest rate in civil transactions may not exceed the maximum rate of 20% per annum provided under the Civil Code.The SBV is currently working on a pilot programme for P2P lending as part of the Plan on Promoting a Sharing Economy, under Decision 999/QD-TTg dated August 12, 2019 of the Prime Minister (“Decision 999”). According to Decision 999, the SBVN is expected to create the P2P lending pilot programme by the end of 2021. e-KYCPlease see the section entitled “Regulatory and insurance technology” above. BlockchainCurrently, there is no specific legal framework on blockchain, including for blockchain-based currencies such as bitcoin. According to the SBVN’s Directive 02/CT-NHNN dated April 13, 2018, provision of services in relation to cryptocurrencies are specifically prohibited. Under the Prime Minister’s Decision 942/QD-TTg dated June 15, 2021, the SBVN is authorised to establish a legal framework on blockchain-based currencies. The expectation is that such a framework will be completed by 2023.Personal data protectionFintech services involved in data-related activities may be subject to the regulations which apply to personal data protection. Vietnam does not have a single comprehensive law that addresses individual and organisational privacy rights. Instead, the various provisions which apply are contained in various legal instruments, such as the Civil Code, the Law on Information Technology, the Law on Protection of Consumers’ Rights, the Penal Code, and the Law on Network Information Security, etc. In general, both personal information (i.e., information that identifies a person, including: name; age; address; ID; phone number; and email address) and private information (i.e., information that a person or an organisation does not publicise or only publicises to an entity or a group of entities whose identity and address are known) are protected. Collecting personal and private information of a person and providing it to a third party is subject to the consent of the person concerned, unless: (a) collection and provision of such information is permitted by law; or (b) it is so requested by a competent state agency. According to Article 17 of the Law on Network Information Security, in order to collect, use, transfer, store and process personal data, an organisation needs to meet the following requirements:• it must have obtained consent of the owner of the personal data; • it must have a policy published regarding its handling and protection of personal

information; and• it must provide an adequate level of protection for the personal data. An “adequate level of protection” is not defined by the Law on Network Information Security. It is suggested that a fairly standard level of protection for personal data should be implemented.In addition, according to Article 18 of the Law on Network Information Security, a data subject is entitled to request the entity that collects, processes, and uses his/her personal



information to update, amend, delete such information, or cease to transfer the information to third parties. The data processor must carry out the update, amendment, or deletion themselves or must enable the data subject to do it. In case such update, amendment, or deletion is not possible, the data processor must apply measures to protect the relevant information, as well as to notify the data subject of the situation.A recent development by the government in terms of data privacy/data protection is the draft decree on personal data protection (“Draft PDP Decree”), which was made available for public comment in February 2021. Under the Draft PDP Decree, outward transfer of personal data is subject to approval by the Personal Data Protection Commission (which is a new regulator under the MPS set up for the purpose of personal data protection) (“PDPC”). In order to obtain necessary approval for the transfer, the transferor must provide written evidence that the transferee is located in a country or region with a level of protection of personal data that is equal to or higher than that of Vietnam. In addition, processing of sensitive personal data (including among others: health data; financial details; location, etc. of data subjects) is also subject to advance registration with the PDPC. The Draft PDP Decree is expected to be issued and to take effect by the end of 2021. Data control and localisationFintech services involved in data-related activities may be subject to regulations on control of local users’ data and data localisation under the Cybersecurity Law. In general, if an entity, either onshore or offshore, provides services via a telecom network or on the Internet, or provides other online value-added services in Vietnam, it is subject to requirements on user data control, including:• authenticate users;• provide information upon registration;• cooperate with Vietnamese authorities to provide information on their users when such

users are investigated or deemed to have breached laws on cybersecurity; and• prevent and delete content which is “anti-government”, “offensive” or which “incites”

from its platform within 24 hours after receiving a request from the competent authorities.

Additionally, if such service provider (i.e., the data processor) collects, utilises, and processes user data, it must also: • store (a) personal data, (b) data on relationships of the service users, and (c) any data

that is created by Vietnamese users inside Vietnam during a time limit (which has not yet been set by the Cybersecurity Law, and will be decided by the government in a subsequent implementing decree); and

• establish a branch or a representative office in Vietnam.We note that, the Vietnamese Government is working on a draft decree to guide implementation of the Cybersecurity Law (“Draft Cybersecurity Decree”). Under the Draft Cybersecurity Decree, a service provider’s burden to comply with the two localisation requirements above is relieved to some extent. Specifically, localisation requirements will not be triggered, unless the service provider: • allows its users to conduct prohibited acts in cyberspace (e.g., allowing publication of

anti-state or immoral messages, etc.); or• disobeys the authorities or fails to comply with their requests (such as request to

disclose information or take down certain content within 24 hours of request, etc.). Having said that, the Draft Cybersecurity Decree is still in draft form, and it may be revised by the authorities in the next rounds and until enactment.



Market access limitations under international commitmentsVietnam did not commit to open Fintech services to foreign investment in its commitments under the WTO – nor did it do so under most of its trade agreements, except for the European Union-Vietnam Free Trade Agreement (“EVFTA”). Therefore, licensing of foreign investors outside of the European Union (“EU”) is considered on a case-by-case basis. For foreign investors from the EU, Vietnam’s commitments to the EVFTA will apply. Under the EVFTA, Fintech services (excluding IPS) are likely to be viewed as “new financial services”.3 In such case, Article 8.44 of the EVFTA provides that Vietnam must permit a financial service supplier from an EU country, say France, to provide any new financial service (which is not yet provided in Vietnam), if such financial service is already permitted by French domestic laws and regulations, without requirement of a new law or modification of an existing law. Furthermore, Vietnam may determine the institutional and legal form through which the service may be provided and may require authorisation for the provision of the service. In such case, however, a decision must be made within a reasonable time, and the authorisation may only be refused for prudential reasons. In addition, Vietnam may also impose a pilot testing programme for a new financial service, and in doing so may impose either a cap on the number of financial service suppliers that may participate in pilot testing or may restrict the scope of pilot testing programmes. These measures, however, may not be more burdensome than necessary to achieve their aim. As discussed above, Vietnam has not yet entered into any international treaty/convention that makes commitments in connection with Fintech services, except for the EVFTA together with its Investment Protection Agreement (“EVIPA”). Under EVIPA, in the case of any disputes on investment between an investor and a state (e.g., expropriation without compensation or investment discrimination), the investor is allowed to bring the dispute to the Investment Tribunal for settlement (which will comprise nine members, including three nationals of an EU Member State, three nationals of Vietnam and three nationals of third countries). In case either of the disputing parties disagrees with the decision of the Tribunal, it can appeal to the Appeal Tribunal. In the first five years from the date when the EVIPA enters into force, the recognition and enforcement of the final award, where Vietnam is the respondent, shall be conducted pursuant to the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards of 1958. A final award is deemed to have the same effect as an effective judgment of a Vietnamese court. We note, however, that for the time being, the EVIPA has not yet come into effect. The EVIPA will only enter into force after all EU members have ratified the EVIPA (which may take years). Apart from issuing regulations on specific areas of Fintech (as we mentioned above), the Vietnamese Government is developing a regulatory sandbox as a catch-all instrument for new and upcoming forms of Fintech. In June 2020, the Vietnamese Government issued a draft decree providing for a Fintech regulatory sandbox (“Draft Sandbox Decree”) in the banking sector. In general, the Draft Sandbox Decree facilitates the sandbox’s purpose, conditions and application procedures, test-run requirements, extension/exit schemes, and the obligations of related parties. Specifically, under the Draft Sandbox Decree, a Fintech regulatory sandbox in the banking sector is defined as a legal mechanism established by the government that allows credit



institutions, Fintech solution providers, and other innovative organisations to directly test Fintech products and services in a closely controlled environment supervised by the appropriate state bodies. Fintech areas that can be test run include payment, credit, P2P lending, KYC support, Open API, solutions applying innovative technologies (e.g., blockchain), and other services supporting banking activities (e.g., credit scoring, savings, fundraising).Under the Draft Sandbox Decree, Fintech companies must obtain a certificate of registration to participate in the sandbox (“Sandbox Certificate”) by submitting a dossier to the Department of Payments of the SBVN. Generally, in order to apply for a Sandbox Certificate, a Fintech company must ensure that its Fintech solutions/technology: • are not yet regulated wholly or partly by law; • will first be applied in Vietnam or will be used in new and innovative services which are

beneficial to Vietnamese users, especially with respect to Fintech solutions/technology that support and promote national financial inclusion;

• are sufficiently designed in terms of risk management; will not or are not likely to cause any adverse impact on financial institutions and the financial system as a whole; and are equipped with a rectification plan in case incidents occur during a test run;

• are audited by Fintech companies or credit institutions in terms of its functionality, utilities and usefulness;

• are highly feasible and commercially viable, with a specific market entry plan after the test run; and

• do not pose any potential risk to the financial/banking market and the economy. The SBVN will issue a Sandbox Certificate upon approval by the Prime Minister. Upon receipt of a Sandbox Certificate, a Fintech company may start its test run, which may last from one to two years (as decided by the Prime Minister on a case-by-case basis). After the test run (and if the result of the test run is considered to be qualified by the authorities), the Fintech company may receive approval from the Prime Minister officially to launch its service in Vietnam.Although the current Draft Sandbox Decree focuses on developing a regulatory sandbox for Fintech in the banking sector, it is likely that the government will introduce similar regulatory sandboxes for each specific sector, in case there is any new development in different areas of Fintech (e.g., Regtech and Insurtech). As mentioned, in 2017, the SBVN established a Steering Committee on Financial Technology as the centralised state authority for Fintech management. Since then, the Committee has shown constant efforts to encourage Fintech services and Fintech companies in Vietnam by working on enhancement of the legal framework and on a pilot regulatory sandbox for Fintech, as well as establishing direct dialogue channels with Fintech firms to facilitate active problem-solving during their operation.

Restrictions

As mentioned above, Vietnam did not commit to open Fintech services to foreign investment in its commitments under the WTO – nor did it do so under most of its trade agreements, except for the EVFTA. Therefore, licensing for foreign investors outside of the EU is considered on a case-by-case basis. Vietnam did not commit to open IPS to foreign investment in its commitments under the WTO. Nor did it do so under its recent trade agreements. Therefore, licensing for foreign investors is considered on a case-by-case basis. A current version of the draft decree



proposes a foreign ownership cap of 49% for an IPS provider. However, based on public opinion, the SBVN has recently reconsidered removing the cap.P2P lending is controversial and has been a focal point of the government in recent years. The operation of a number of P2P lending platforms in Vietnam have highlighted potential risks to users, including poor information security, lack of transparency, unreasonably high loan rates often disguised as “service fees”, and questionable methods employed to coerce collection of such fees. Such risks will likely ensure that the new P2P sandbox will impose strict requirements on P2P lending platforms. Undoubtedly, the SBVN will maintain close supervision of P2P companies operating in Vietnam.


Cross-border transactions are highly regulated in Vietnam. Currency and foreign exchange controls are tightly controlled and monitored by the SBVN. Specifically, outward transactions are strictly controlled, while inward transactions are generally not regulated. That is, when a transaction involves funds flowing out of Vietnam, the restrictions are a burden.With the development of online cross-border transactions in general, and Fintech in particular, the government is paying more attention to tax collection on e-commerce and digital business activities. A foreign entity or an individual (collectively called “foreign contractor”) that does business in or receives income from Vietnam on the basis of an agreement between the foreign contractor and a Vietnamese counterparty is generally subject to a foreign contractor tax (“FCT”) under the Ministry of Finance’s Circular No. 103/2014/TT-BTC dated August 6, 2014. The Vietnamese counterparties may include individuals (e.g., in case of B2C), or a state, domestic or foreign-owned entity that is incorporated or registered to do business in Vietnam (e.g., in case of B2B).The FCT is a type of withholding tax that is comprised of two taxes: Value Added Tax (“VAT”) and income tax. For an entity, the FCT comprises Corporate Income Tax (“CIT”) and VAT. VAT and Personal Income Tax (“PIT”) apply to an individual foreign contractor. Depending on the nature of a transaction, VAT may be exempted, while CIT rate may vary. For example: (i) postal and telecommunications services from abroad (inbound services); (ii) newspapers, magazines, specialist newsletters, political books, textbooks, teaching materials, law books, scientific books; (iii) education and training services; (iv) technology transfer (including transfer of trademarks); and (v) exported goods/services, are exempted from VAT pursuant to Circular No. 2192.The FCT does not apply to a foreign contractor that provides its services (or if they are consumed) outside of Vietnam. Income derived from services that are provided and consumed outside of Vietnam are not taxed in Vietnam. Many basic cross-border e-commerce transactions for goods and/or services (i.e., paying for an offshore streaming service) can be regarded as supplied, rendered and consumed in Vietnam. In such cases, FCT liability is triggered.The government has recently enacted Decree 126/2020/ND-CP to expand the reach of taxation on e-commerce and digital business activities, including Fintech, by introducing a number of new significant measures to boost the tax administration framework, aiming specifically at various tax withholding sources being parties involved in e-commerce and digital business surrounding overseas Fintech providers, such as local commercial banks, local payment intermediaries and other local partners to overseas platforms. Among other measures, local banks and payment intermediaries now have the statutory responsibility to



disclose information regarding digital transactions of foreign players at the request of the tax authorities. The Ministry of Finance is drafting a Circular to detail the approach laid out by Decree 126/2020/ND-CP.

* * *

Endnotes1. https://www.statista.com/statistics/1246963/unbanked-population-in-selected-countries.2. YCP Solidiance, Unlocking Vietnam’s Fintech Growth Potential, 2020.3. According to Article 8.41.2(c) of the EVFTA, “new financial service” means services

of a financial nature including services relating to existing and new products or the manner in which a product is delivered, which is not supplied by any financial service supplier in the territory of a party but which is supplied in the territory of the other party.

Philip ZiterTel: +84 28 3824 3026 / Email: [email protected] to joining Russin & Vecchi, Philip worked in Vietnam as an attorney at a top-tier regional law firm and later with a commercial firm involved in blockchain.Philip advises on corporate and transactional matters, and on financing arrangements.Philip has been legal advisor to a handful of startup companies. He is knowledgeable in the Fintech, blockchain, and e-commerce industries in Vietnam, Hong Kong, Singapore, and the US.Philip has also worked with manufacturers, pharmaceutical companies, and many entities in cross-border transactions. He advises on inbound investments involving corporate finance, manufacturing, intellectual property, and mergers and acquisitions.

Chu Bao KhanhTel: +84 28 3824 3026 / Email: [email protected] joined Russin & Vecchi in 2013 after working for a Japanese manufacturing company as in-house counsel. Khanh practises in areas involving corporate, M&A, commercial, banking, and foreign investment.

Russin & VecchiVietcombank Tower, 5 Me Linh Square, 14/F, Ho Chi Minh City, Vietnam

Tel: +84 28 3824 3026 / URL: www.russinvecchi.com.vn



Nguyen Huu Minh NhutTel: +84 28 3824 3026 / Email: [email protected] has experience in international business and multi-jurisdictional transactions. His practice focuses principally on M&A, private equity, international finance, and inbound foreign investment in general. He has particular experience in structuring complex M&A deals that require creative structures of share acquisition in light of existing legal restrictions and ambiguities. Nhut has practised law in Vietnam for more than 20 years.

NOTES


AI, Machine Learning & Big DataBanking RegulationBlockchain & Cryptocurrency Bribery & CorruptionCartelsCorporate TaxEmployment & Labour LawEnergy

Fund FinanceInitial Public OfferingsInternational ArbitrationLitigation & Dispute ResolutionMerger ControlMergers & AcquisitionsPricing & Reimbursement

www.globallegalinsights.com

Other titles in the Global Legal Insights series include: