The fintech sector in the Netherlands is rapidly growing. In 2017 over 430 companies were active in the Dutch fintech market. The climate for fintech initiatives is generally good. Factors that play a role are the availability of skilled IT personnel, the penetration of broadband and mobile data connectivity and the willingness of consumers in the Netherlands to adapt to new technologies. Online and mobile banking has quickly become the de facto standard and users in the Netherlands have proven willing to adopt the use of new instruments such as debit cards, chip-cards and wireless payments.
i Legal and regulatory climate
While market developments move at a very fast pace, few fintech-specific laws and regulations have been introduced in the Netherlands. The majority of the new rules introduced in this decade are implementations of European directives (MiFID, PSD2) and of regulations issued by the European Supervisory Authorities (inter alia, the Regulatory Technical Standards and Implementing Technical Standards of the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA)).
Banking laws in the Netherlands are relatively limited in scope and provide some blanket exemptions. This means that many fintech services can operate without being subject to sector-specific regulations and supervision. On the other hand, once a fintech service provider becomes subject to banking regulations, it will face a heavy compliance burden.
The two main regulators in the financial services market, the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM), are trying to respond to this and have started a joint ‘Innovation Hub’ project. The Innovation Hub is a kind of ‘regulatory sandbox’ intended to help fintech start-ups understand their regulatory position and to enable them to obtain answers from both regulators on relevant questions. The AFM reports that as many as 216 questions from market players have been submitted to the Innovation Hub.
In 2016, the Dutch government appointed former minister Mr Willem Vermeend as ‘special envoy’ for fintech, and he actively supports the development of the fintech ecosystem in the Netherlands.
Another factor that plays a role in the relative success of fintech in the Netherlands is the structure of the regulations and the way these regulations are enforced. There are numerous ‘open norms’ that define the scope and applicability and often there is room for debate as to whether a service falls within that scope or not. Particularly in that ‘grey area’ the Dutch regulators are not inclined to enforce aggressively. It has, for instance, taken many years for the regulatory status of crowdfunding to be clarified – but in that time a growing number of crowdfunding platforms opened their services in the Netherlands. Even fintech services that were quite clearly subject to regulations, such as the short-term consumer loan website voorschotje.nl, could operate for approximately six years before being fined by the AFM in December 2013.
Not all activities that are within the scope of the most commonly used fintech definitions are equally represented in the Netherlands. The dominant niches in the Netherlands ecosystem are payment services, crowdfunding, insurance technology, and blockchain and cryptocurrencies.
ii Tax incentives
Although tax laws do not directly regulate services of fintech companies, the qualification of the services under tax laws may have a significant impact on the feasibility of the business models of companies operating within the fintech sector.
Dutch corporate income tax
The Dutch Corporate Income Tax Act distinguishes between resident and non-resident taxpayers. Dutch subsidiaries of foreign companies are regarded as resident taxpayers, while Dutch branches of foreign companies are regarded as non-resident taxpayers.
In general, Dutch companies are subject to Dutch corporate income tax (CIT) on their worldwide income. Up to and including 2017, profits up to €200,000 are taxed at a CIT rate of 20 per cent and profits exceeding €200,000 are taxed at a rate of 25 per cent. The first bracket to which the 20 per cent rate applies will be increased over a period of four years.
Dutch participation exemption
The Dutch participation exemption provides for a full exemption of all benefits (e.g., dividends, capital gains and liquidation proceeds) derived from a qualifying shareholding (5 per cent or more) in a subsidiary. Historically, the participation exemption regime resulted in the establishment of thousands of holding companies in the Netherlands.
Innovation box: reduced CIT rate
The Dutch innovation box regime aims to stimulate technical innovation in the Netherlands. We have been able to successfully make arrangements with the Dutch tax authorities in the past, regarding the use of the innovation box by several fintech companies.
Under the Dutch innovation box, qualifying income that results from endeavours in the field of R&D is taxed at an effective tax rate of only 7 per cent (the normal tax rate is 25 per cent). A taxpayer can only apply the innovation box for intangibles that originate from activities for which an R&D declaration has been granted by the Ministry of Economic Affairs.
Companies with: (1) more than €50 million global group-wide turnover and (2) at least €7.5 million per year in gross revenues from all IP assets will only have access to the regime when their intangibles originate from activities for which an R&D declaration has been granted and when additional requirements in relation to the qualifying intangibles are met. In that case, the qualifying intangible needs to qualify as any of the following:
- a software program;
- a (pending) patent;
- an authorisation for the marketing of a medicine/drug;
- a supplementary protection certificate;
- a utility model; or
- an exclusive licence to use the above-listed intangible assets.
The costs of R&D are immediately and fully deductible from the taxable profit, and must be recovered first. The qualifying income is taxed at the effective 7 per cent rate only to the extent that it exceeds the previously deducted costs. Qualifying income can be limited if, and to the extent that, a taxpayer has outsourced part of its R&D activities to a company within its group.
Wage withholdings facility
The Dutch government provides incentives for R&D projects in, for example, information, biotechnologies and environmental technologies. However, for fintech companies it is also possible to benefit from general R&D grants.
The WBSO (R&D tax credit) was enacted to encourage investment in R&D activities in the Netherlands. The facility provides for a reduction in wage withholdings (i.e., wage tax and certain social security contributions) withheld from the salaries of experts engaged in R&D in the Netherlands.
This results in a decrease in R&D labour costs, which benefits the employer. The reduction for a given year is 32 per cent of the wage withholdings on R&D wages up to €350,000. For companies that qualify as a start-up, the percentage is 40 per cent. The reduction for R&D wages in excess of €350,000 is 16 per cent of the wage withholdings. Qualifying R&D activities are awarded an R&D declaration by the Ministry of Economic Affairs, Agriculture and Innovation. Intangible assets resulting from such activities may also benefit from the innovation box facility described above.
A separate programme was set up by the Ministry of Economic Affairs, Agriculture and Innovation to offer support to innovative companies in the SME sector. It entails an interest-bearing loan for up to 45 per cent of the technical development costs of a new product, with a maximum of €10 million. If the project fails or is aborted for commercial reasons, the loan may be released. If the project succeeds, the loan, plus interest, must be repaid within six years.
Besides CIT considerations, the VAT qualification of fintech services may have a significant impact on the feasibility of the business models of fintech companies.
A characteristic feature of fintech services is that they have financial features as well as technical features. Under the EU VAT rules, certain financial services are exempt from VAT, whereas technical services are generally subject to VAT (21 per cent in the Netherlands).
If a service qualifies as VAT exempt, the service supplier does not need to charge VAT to its customer. However, the disadvantage of being a VAT-exempt business is that such businesses generally cannot recover VAT on costs that they incur (e.g., IT or marketing costs). Such VAT will, in principle, constitute a cost. On the other hand, if a business makes VAT taxable supplies, such a business can generally recover VAT on costs that it incurs.
It is therefore important to carefully analyse the nature of a specific fintech service in order to assess whether that service qualifies as a VAT-exempt financial service or a VAT-taxable technical service. Although VAT rules are in principle harmonised within the EU, tax authorities and courts in various Member States interpret these rules in their own way. In practice, we see that the Netherlands has a relatively narrow interpretation of the scope of financial VAT exemptions when compared to other EU Member States. In that light, fintech companies may benefit from VAT recovery in the Netherlands, whereas such VAT may constitute a cost in other EU Member States.
i Licensing and marketing
Financial supervision in the Netherlands is based on a ‘twin peaks’ model. The first peak is prudential supervision, which consists of supervising the liquidity and solvency of financial undertakings. This supervision is exercised by DNB, which carries out its supervision of banks alongside, and in support of, the European Central Bank (ECB). The second peak is conduct of business and market conduct supervision, which is exercised by the AFM. DNB and the AFM are also responsible for issuing licences to all financial undertakings, with the exception of banking licences, which are issued by the ECB.
In the absence of a harmonised legal framework in the European Union, the biggest challenge currently is fitting fintech ventures into the existing regulatory framework designed for more traditional financial services. Dutch regulatory law does not provide for a specific fintech licence. The dominant fintech niches in the Dutch ecosystem are payment services, crowdfunding, insurance technology, and blockchain and cryptocurrencies. Fintech ventures active in these niches may be confronted with a variety of licensing requirements and other regulatory obligations. Digital advisory companies that do not provide advice on regulated financial instruments, services or products are outside the scope of financial regulation.
There are a number of European directives and regulations to which fintech ventures are or could be subject:
- the Prospectus Regulation ((EU) 2017/1129) impacts how companies raise funds;
- the UCITS Directives (2014/91/EU) and Alternative Investment Fund Managers Directive (AIFMD) (2011/61/EU) impact how asset managers are regulated;
- the Capital Requirements Regulation (CRR) ((EU) 575/2013) and the Capital Requirements Directive IV (CRD IV) (2013/36/EU) impact the manner in which funds are held and how banking services are provided;
- the Electronic Money Directive (2009/110/EC) impacts companies that issue electronic money (e-money);
- the Payment Services Directive 2 (PSD 2) ((EU) 2015/2366) impacts how payment services are provided;
- the Insurance Distribution Directive (IDD) ((EU) 2016/97) impacts the position of insurance intermediaries; and
- the Markets in Financial Instruments Regulation (MiFIR) ((EU) 600/2014) and the Markets in Financial Instruments Directive II (MiFID II) (2014/65/EU) impact companies that offer investment services or perform investment activities.
In addition to the above-mentioned European directives and regulations, fintech companies are subject to financial regulation that is national in origin, such as financial regulations in respect of consumer credit.
ii Marketing of fintech services and products
Marketing of fintech services and products is possible. However, fintech ventures offering regulated services or products on a cross-border basis should assess whether they are offering such services or products on a reverse solicitation basis in order to avoid triggering licensing requirements (see Section II.iv). Furthermore, if the relevant fintech services and products involve regulated financial services and products, requirements on marketing of those services and products may apply.
For example, fintech ventures that offer investment services or perform investment activities fall under the MiFIR or MiFID II framework for investment firms, which includes specific requirements for marketing communications. The general requirement imposed by MiFID II is that all communication with clients must be ‘fair, clear and not misleading’. This general requirement is further specified to require investment firms, inter alia, to include specific information, such as risk warnings and forward-looking statements, in financial promotions, marketing material and product collateral, and to draw up marketing materials in language and formatting that ensure the information is likely to be understood by the average member of the group to whom the material is directed.
iii Credit information services
When the provision of credit to consumers is involved, fintech ventures that offer credit information services may be subject to licensing requirements in the Netherlands as a financial service provider for ‘acting as intermediary’ with respect to consumer credit. The definition of ‘acting as intermediary’ is very broad and covers two activities: activities aimed at the conclusion of a consumer credit contract as intermediary between the offeror and the consumer, and activities relating to the servicing of a consumer credit contract. The first leg of the definition is interpreted very broadly by the AFM, which has published guidelines on when companies are considered to be acting as intermediaries in that manner. The AFM holds the view that when a party ‘merely’ receives or passes on to the offeror information relating to the consumer beyond the consumer’s name, address, telephone number and email address, that party is acting as an intermediary and is thereby performing a regulated financial service, and must be licensed as a financial service provider.
iv Cross-border issues
Dutch licensing requirements generally apply to all firms that offer regulated services or perform regulated acts ‘in or from the Netherlands’. Offering services ‘in’ the Netherlands also includes offering online services in a different EU Member State through a Dutch company or through a Dutch branch of a company that has its registered seat in a non-EU Member State. Most licensed EU firms can offer their services in the Netherlands, either cross-border or by establishing a branch without triggering additional licence requirements on the basis of a ‘European passport’. However, firms are required to notify the regulator in their home Member State of their intention to open a branch or to offer their service cross-border in a different Member State.
Third-country firms seeking to offer regulated services or products in the Netherlands will generally be subject to licensing requirements. However, some specific exemptions may apply, such as the exemption for licensing requirements for investment firms from Switzerland, Australia and the United States that are already regulated in their home country.
Where services are provided to Dutch clients on a cross-border basis it can be difficult to assess whether these services are being provided ‘in the Netherlands’. As a rule of thumb, where Dutch clients are actively solicited by the foreign institution, that foreign institution will be subject to Dutch financial regulations. However, if an undertaking enters into a business relationship with a Dutch client as a result of reverse solicitation, this generally will not trigger any Dutch licensing or authorisation requirements. Reverse solicitation refers to the situation where a client decides to approach a foreign undertaking of its own volition, without having been approached by that particular undertaking.
The Dutch regulators have issued little guidance with regard to the exact scope of the reverse solicitation exemption. It is nevertheless generally clear that the scope of the exemption must be interpreted quite narrowly. Based on case law and the limited guidance available, a number of factors help to determine whether a foreign financial undertaking has actively marketed its services to Dutch clients. These include:
- not using disclaimers or selling restrictions (if applicable), or poorly enforcing them;
- making use of media for promotional purposes that include the Netherlands in their coverage area;
- using the Dutch language on a website or in promotional or informational materials;
- having Dutch customers referred to by a dedicated intermediary;
- providing information on Dutch tax regimes;
- directly addressing potential customers based in the Netherlands (for example, via email); and
- referencing or providing information on Dutch law.
v Exchange control regulations
Under Dutch law there are no formal exchange control regulations. Please note, however, that DNB may require any Netherlands-resident company to comply with certain notification and registration requirements in connection with payments made to or received from non-residents of the Netherlands, in accordance with the Reporting Instructions Balance of Payments Reports 2003 issued by DNB pursuant to the External Financial Relations Act 1994. Any Dutch-resident company that falls within the scope of the External Financial Relations Act 1994 must notify DNB. Such notification may result in a request from DNB that the company provide DNB with financial data on a regular basis, which DNB uses to compile the national balance of payments.
III DIGITAL IDENTITY AND ONBOARDING
A digital identity infrastructure for private parties is not yet available in the Netherlands, but one is being worked on. The Dutch government has created an electronic ID infrastructure for electronic communications between the government and citizens, the DigiD service. This service is being replaced by the eID system, which will also become available for use by private parties. The roll-out of eID is planned for 2019. The tender for the technical authentication means to be used by private parties is planned for 2018.
i Digitised onboarding of clients
From a financial regulatory perspective, regulated financial undertakings should take the digitisation of the onboarding process into account when assessing money laundering and terrorist financing risks. Pursuant to the Dutch implementation of the EU’s Anti-Money Laundering Directive ((EU) 2015/849), regulated financial service providers are required to carry out risk-based client due diligence and to monitor and report suspicious transactions to the Dutch Financial Intelligence Unit. In practice, clients are often identified through digital means (e.g., a video call over Skype). It must be noted, however, that DNB and the AFM consider it a principle of proper client due diligence to identify customers in person. In fact, not being able to identify a customer in person is considered a potential ‘red flag’ that should trigger enhanced client due diligence procedures. On the other hand, one of the key principles of the Dutch anti-money laundering framework is that the institutions subject to it have a great deal of freedom in determining their client due diligence policies. It therefore remains to be seen whether the Dutch regulators will reject customer identification through digital means where that process forms part of an adequate and appropriate risk-based client due diligence policy.
IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES
There are two types of regulated collective investment schemes under Dutch law: (1) undertakings for the collective investment in transferable securities (UCITS), and (2) alternative investment funds (AIFs). UCITS are regulated pursuant to the EU’s UCITS Directives, whereas AIFs are regulated pursuant to the AIFMD. The main feature of the regulatory framework for UCITS and AIFs is that the party that manages the assets of, or offers rights of participation in, the UCITS or AIF to investors is subject to licensing requirements. Note that managing the assets of funds that do not qualify as a UCITS or AIF may still trigger licence requirements, since asset management is a regulated investment service under MiFID II.
Crowdfunding typically involves online crowdfunding platforms that attract or obtain the disposal of funds from investors and act as an intermediary between the investors and the company seeking funding. These platforms are usually managed by an operator. Crowdfunding can take a number of forms depending on the purpose of the investments. With reward-based crowdfunding the company sets a target amount of capital to raise and, in return for the funds, offers a non-financial incentive to participate: the reward. Loan-based crowdfunding involves lending money to companies that in return pay the investors interest. Equity crowdfunding offers investors securities in private companies.
Faced by a lack of uniform rules – or a uniform consensus on the applicability of the aforementioned directives – Member States themselves regulate equity crowdfunding in different ways.
DNB and the AFM have published extensive interpretations on crowdfunding, including the applicability of certain regulatory provisions. For example, when – as might be the case with equity crowdfunding – investments are made in transferable securities, the platform must apply for a licence as an investment firm since this is considered ‘order referral’. However, other countries have set different requirements. In the United Kingdom equity crowdfunding platforms must be registered. In France the platform managers must obtain a crowdfunding investment adviser licence, subject to stringent tests.
Another dilemma is posed by the AIFMD. ESMA has stated that the AIFMD could be applicable to an equity crowdfunding platform when it manages a non-UCITS collective investment undertaking that raises capital from a number of investors with a view to investing it in accordance with a defined investment policy. Such asset management companies require an AIFMD licence from the AFM.
The AIFMD itself provides that holding companies established by platforms for the purpose of grouping together investors’ holdings are excluded from its scope. These requirements are complex, even for traditional investment funds, let alone for equity crowdfunders. Once it has been established that the platform is subject to the AIFMD, the question remains whether those parts of the platform that meet the criteria for an AIF are subject to the same capital requirements as traditional AIFs. Additionally, it is not clear whether crowdfunding platform managers are also subject to suitability requirements, like AIFMs.
The legal uncertainty as to the applicability of these requirements, and the substantial compliance costs if they are, leads to structures outside the EU regulatory framework.
Even in areas where the applicability of regulatory rules is currently more or less clear, fintech companies will have to consider certain business choices that are not faced by traditional financial companies.
ii Payment services
Providing payment services is a regulated activity in the Netherlands pursuant to PSD II. Interestingly, for fintech companies involved in the payment services industry, regulation has become more crystallised as a result of PSD II. PSD II allows third parties to have ‘access to accounts’ (XS2A), making it possible for account aggregation service providers, as third parties, to gather financial information from their clients’ bank accounts and present it to them in a single overview. PSD II introduces such services as a new regulated payment service. Furthermore, with respect to XS2A services, PSD II now obliges the institutions where the accounts are held to grant account aggregation service providers such access. This was not possible under PSD I, which did not require that such access be granted. However, because account aggregation service providers provide regulated payment services under PSD II, they have to be authorised as payment institutions. This is something to be considered by fintech ventures engaged in account aggregation services.
Commercial lending activities are not regulated activities in the Netherlands (except for consumer lending and residential mortgage lending). If an entity lends money to consumers, licensing requirements will be triggered. Therefore, if a lender’s activities are limited to commercial finance (and not consumer lending or residential mortgage lending), there are no local authorisation requirements. However, if the lender were to accept deposits, offer investment services or perform investment activities in the Netherlands, specific authorisation from the AFM or DNB may be required.
In addition to the prohibition to be active as a bank without a licence, Dutch law provides a general prohibition to anyone that attracts, obtains or has the disposal of repayable funds beyond a restricted circle in the Netherlands in the pursuit of a business from parties other than professional market parties. On application, DNB may, whether or not for a fixed period, grant a dispensation from the prohibition if the applicant demonstrates that the interests that prudential rules seek to protect are sufficiently protected in other ways.
iv Trading loans on secondary markets
Loans and financings are actively traded on secondary markets in the Netherlands. The assignment of a claim under Dutch civil law requires a valid title, an act of transfer, and the power of the transferor to dispose of the claim. The act of transfer can take the form of a deed of transfer followed by notification of the transfer to the borrower. A claim can also be transferred without notification to the borrower, in which case the act of transfer takes the form of a notarial deed or a private deed registered with the Dutch tax authorities (the most common way of assigning claims on the secondary market in the Netherlands).
Please note that a number of regulatory aspects should be considered, such as possible licence requirements, the prohibition on attracting repayable funds, prospectus requirements, and investor information requirements. For example, Dutch law provides that any entity that merely obtains the disposal of a consumer loan granted by another entity (for example, through purchase on the secondary market) will be considered an offeror of that consumer loan and is accordingly required to have a licence as a financial service provider. However, Dutch law provides an exemption for such entities if they have concluded a servicing agreement with a licensed entity that will service the consumer loan.
V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS (ICO)
Cryptocurrencies are not regulated in the Netherlands and fall outside the supervision of the AFM and DNB. The primary reason for this is that the AFM and DNB do not consider cryptocurrencies a form of money or currency. The qualification of tokens is less clear under Dutch law. The AFM has noted that most types of tokens are structured in such a way as to fall outside the scope of Dutch regulatory law, because they are mostly structured as a right to receive a service from the offeror in the future against payment of a price now. The AFM has indicated that whether a token qualifies as a security should be determined on a case-by-case basis by establishing whether the characteristics of the token are the same as, or similar to, those of ordinary transferable securities. In this respect, attention should be given to whether the token should be seen as a transferable value instrument, a debt instrument or a share. Furthermore, if the token can be converted into a transferable value instrument, debt instrument or share, or if the token may be settled in cash with the cash payout depending on an index, the token may be considered a security.
i Money laundering rules
The Dutch anti-money laundering framework only applies to entities engaged in certain specified regulated activities. In principle, therefore, entities involved in cryptocurrencies and tokens are not subject to anti-money laundering provisions. Please note, however, that where tokens qualify as transferable securities as set out above, and by virtue of that trigger licensing requirements, the entities concerned will be required to comply with anti-money laundering provisions. We note that, the above notwithstanding, the criminal law provisions against money laundering apply to anyone.
VI OTHER NEW BUSINESS MODELS
i Third-party websites comparing products
The AFM has published guidance on the regulatory qualification of comparison sites, and in particular on whether such websites are acting as intermediaries (see Section II.iii). It should be noted that this only applies to comparison websites that compare regulated financial services or products. A comparison website that compares consumer goods (such as cars, electronic devices, etc.) is not acting as intermediary.
Pursuant to the AFM’s guidance, a third-party comparison site is acting as intermediary when (1) it asks the customer for information other than name, address, phone number and email, and uses that information to make the comparison, and (2) it has concluded an agreement with the offeror of the regulated product or service the purpose of which is to bring the customer into contact with the offeror. Where there is no written agreement between the offeror and the comparison site, the payment of fees by the offeror to the comparison site could be seen as evidence of such an agreement.
VII INTELLECTUAL PROPERTY AND DATA PROTECTION
i Intellectual property protection
Computer software may be protected under the Dutch Copyright Act, provided it satisfies the originality requirement. The courts in the Netherlands directly apply the doctrine of the European Court of Justice on copyright to software products. No formalities are required to obtain copyright protection for computer software or its graphical user interface; the former is protected under the Software Directive (2009/24/EC), while the latter is protected under general copyright law. The rights in a software product vest in the programmer, or in the programmer’s employer if the product was created in the course of regular employment.
The proprietor of a fintech software product may hold, and be able to enforce, copyright if (parts of) the source code or the particular behaviour of the software qualify as the author’s ‘own intellectual creation’, as set forth in the Infopaq decision of the European Court of Justice of 16 July 2009.
The possibility of protecting software by means of a patent is still under discussion, even at the European level. There is little case law in the Netherlands on patent protection for computer software. Although software ‘as such’ is not eligible for patenting, patents have been granted for inventions that comprise software implemented in hardware. Fintech innovations, especially when consisting of a combination of hardware and software, may hence be eligible for patent protection.
ii Data protection
One of the most common elements of fintech products and services is that they are based on the processing and exchange of users’ data. Generally, transaction data, bank account details and other financial data qualify as ‘personal data’ within the meaning of the Dutch Personal Data Protection Act (PDPA) and the General Data Protection Regulation (GDPR), which supersedes the PDPA as of 25 May 2018.
iii Scope and key principles
The GDPR applies to any processing of personal data by automated means, and to manual processing that forms part of a filing system. ‘Processing’ is a broad concept and includes the collection, use, storage and deletion of personal data.
Personal data is defined as any information that relates to a directly or indirectly identifiable natural person. This also includes, for example, information relating to an individual in his or her capacity as representative or owner of a company. Data regarding a legal entity, or regarding a deceased person, does not fall within the definition of personal data.
The obligations under the GDPR mainly concern the legitimacy of data processing and transparency. As an illustration, any data processing operation must be based on a statutory processing ground and must be proportionate to its aim. In addition, data subjects (meaning the individuals to whom personal data relates) must be informed of the data processing activities carried out.
iv Data transfer outside the EEA
In addition, specific requirements apply to the transfer of personal data outside the EEA. Such transfer (data export) includes situations where the data is made accessible to recipients or viewers from outside the EEA. Data export is only permitted on limited grounds, which include explicit consent of the data subject, the use of EC-approved standard contractual clauses and approved binding corporate rules. This is a particular challenge for fintech providers, as they often make use of cloud technology and are inclined to roll out their services internationally.
v Consent and other processing grounds
Under the GDPR, the requirements for obtaining consent have become stricter than under the old regime. The fintech provider has to ensure that it informs the data subject of all relevant aspects of the data processing and that the consent can be withdrawn at any time. It must also be able to demonstrate that (and how) the data subject freely expressed its consent to the data processing. The fintech provider cannot ‘force’ the data subject to give its consent by making consent conditional on providing the service at hand.
Aside from that, the GDPR contains specific restrictions on profiling. The definition of profiling is quite broad and most data analytics operations fall within the scope of this definition. Personal data can be used for business intelligence purposes, but only if the data controller (i.e., the organisation that is processing the data or instructs others to do so on its behalf) can demonstrate that this processing is compliant with the GDPR. To this end it will typically have the choice between (1) seeking specific consent or (2) demonstrating that the processing of such data (which was collected for other purposes) is ‘compatible’. In the latter event, it will have to perform a multi-factor ‘compatibility assessment’ to demonstrate that the profiling is appropriate, given the nature of the data, the impact on the data subjects’ privacy rights and the safeguards put in place to protect such privacy rights.
Data subjects must at all times be given the opportunity to object to their data being used for profiling purposes.
vii Automated decision making
The next level of profiling and data analytics is automating workflows and service delivery. In this field many fintech companies develop new services and (software) products. Here, another GDPR requirement comes into play. If decisions are based solely on automated processing, including profiling, which (1) ‘produces legal effects concerning’ or (2) ‘similarly significantly affects’ the individual concerned, this is considered ‘automated decision making’. Automated decision making is heavily regulated. In the banking sector there is still discussion around the question of whether prior consent is required across the board or whether scenarios exist in which this technology can be deployed on an opt-out basis, on the condition that the compatibility assessment reveals that the associated data processing is compatible. Fintech companies should hence be aware that they would need to build into any automated decision-making logic a step ensuring that specific, additional consent is sought before the relevant process is run, or seek specialist counsel before trying alternative approaches to addressing the GDPR restrictions on automated decision making.
viii Data breach notification
Controllers will have to report data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk for data subjects’ rights and freedoms). A proper justification must accompany the notification if it is not made within 72 hours. Affected data subjects must be notified of a breach without undue delay if the breach is likely to result in a high risk for their rights or freedoms.
A ‘personal data breach’ is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Organisations must notify data breaches to the Data Protection Authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; affected data subjects must be notified without undue delay. This means that affected individuals should be notified as soon as reasonably feasible and in line with any guidance provided by the notified DPA. The DPA also has the power to order controllers to communicate a personal data breach to data subjects.
Note that the above requirement does not apply to licensed financial services providers. These organisations will have to notify incidents (including data breach occurrences) to their financial services regulator and are hence exempt from the duty to notify the DPA.
Failure to comply with data privacy laws can result in complaints, Data Protection Authority investigations and audits, Data Protection Authority orders, administrative fines, penalties or other sanctions, seizure of equipment or data, civil actions, criminal proceedings or private rights of action.
The GDPR will harmonise the tasks and powers of supervisory authorities and significantly increase fines. For major infringements (such as failure to comply with cross-border transfer rules or to obtain adequate consents), fines can be up to €20 million or, in the case of an undertaking, up to 4 per cent of the total worldwide annual turnover of the preceding financial year (whichever is higher).
As a general rule, enforcement measures must be appropriate, necessary and proportionate having regard to each individual case. DPAs have less discretion about enforcement rules, but critically they retain discretion about the application of the provisions. The GDPR expressly states that, as a general rule (in order to strengthen enforcement of the GDPR rules), penalties and administrative fines should be imposed for any infringement of the GDPR in addition to, or instead of, appropriate measures imposed by the supervisory authority (SA). The exceptions are minor infringements and cases in which a fine would constitute a disproportionate burden on a natural person. In those cases, a reprimand may be issued instead of a fine. Therefore, the imposition of fines is likely to become the norm.
In the Netherlands, however, fines have not been imposed very often and it is not clear whether the GDPR will bring a new trend in this regard. The DPA typically first investigates and grants the data controller the option to remedy any issues found. If the data controller refuses or fails to do so, the typical next step is a specific performance order, enforced by a penalty for each day the order is not complied with.
As many breaches are not black and white in nature, one of the key instruments for data controllers to reduce their risks is to make sure their choices are well documented. If the DPA investigates a matter and finds that personal data is stored for too long, or is not really necessary, it will help a great deal if the data controller has a record to demonstrate that it did consider this, but came to a different conclusion. Without such a historical record, the DPA will have an easier case arguing that the data controller did not (demonstrably) consider its data protection obligations and hence breached the PDPA.
VIII YEAR IN REVIEW
Over the past 18 months a number of European directives and regulations came into force that impact fintech ventures offering regulated services and products. The implementation of the directives into Dutch law has been somewhat lacking. The implementation of PSD2 was supposed to be completed by 13 January 2018, but this deadline has not been met. Similarly, the implementation of the Fourth Anti-Money Laundering Directive has not happened. Perhaps the most important development was the implementation and entry into force of MiFIR and MiFID II on 3 January 2018, which impacts investment firms in an unprecedented way.
It is clear that crowdfunding has caught the attention of the European and national regulators. On 30 October 2017, the European Commission published the Inception Impact Assessment, in which the Commission outlines the biggest challenges ahead when it comes to crowdfunding and how these challenges can be overcome. Furthermore, the Dutch Ministry of Finance consulted with market parties in October 2017 on ways in which the regulatory framework for loan-based platforms could be strengthened.
The European Commission has also published the results from its public consultation titled ‘Fintech: a more competitive and innovative European financial sector’. In this consultation, the Commission established three core principles to help the fintech sector evolve across the EU: (1) technology neutrality, to create a level playing field; (2) proportionality, to ensure that regulation is tailored to the size and scope of fintech ventures; and (3) integrity, to ensure transparency towards the consumer.
Another important development is that fintech was specifically mentioned in the coalition agreement 2017–2021. It is the government’s ambition to simplify the entry of fintech ventures into the financial markets through the introduction of a simplified licence regime (a fintech licence). Exactly how this fintech licence will take shape is not yet known.
IX OUTLOOK AND CONCLUSIONS
The legal and tax climate, in combination with non-aggressive regulatory enforcement practices and an innovative and competitive financial services sector, has proven a fruitful basis for the fintech sector in the Netherlands. As the industry has gained recognition for being a strategic growth area, the road to further expansion seems paved.
The agenda of the legislator in the Netherlands is dominated by projects involving the implementation of European regulatory instruments such as PSD2, MiFIR, MiFID and the GDPR. This will not leave much room for preparing fundamental changes in the national laws that touch on fintech. Having said that, it is likely that more options will be created for fintech ventures to obtain a licence from the regulator. Until then, many new fintech activities will continue to be launched in the Netherlands, and aggressive regulatory interventions are not likely to take place in respect of bona fide market parties.
1 Wouter Seinen and Maarten Hoelen are partners, and Richte van Ginneken and Boris de Best are associates at Baker McKenzie.