Fintech continues to be a vibrant and fast-developing industry in Austria. The industry enjoys the support of the government, which has actively sought to provide legislative and regulatory clarity to attract fintech businesses to the country. Since 2016, the government's priorities in the fintech industry have been shaped by the Blockchain Roadmap2 of the Federal Ministry of Education, Science and Research, as well as the Digital Roadmap3 of the Federal Ministry for Digital and Economic Affairs. More recently, the newly established fintech advisory board, an initiative of the Federal Ministry of Finance, approved the establishment of a regulatory sandbox, which is anticipated to go live in the first half of 2019. Participation will be limited to companies licensed by the Austrian Financial Market Authority (FMA) or the European Central Bank as well as companies potentially to be licensed by the FMA. Further regulatory proposals are expected by the fintech advisory board in the course of 2019.
Licensing requirements for companies in the financial services industry in Austria are strict and multifaceted. To provide support to fintech companies in particular, the FMA maintains the FinTech Navigator, a publicly available online resource that provides general overviews of licensing obligations and other topical regulations.4 The FMA also makes itself available via the FinTech Point of Contact to answer informal questions on legal issues pertinent to fintech companies such as licensing, prospectus requirements and compliance and anti-money laundering regulations. More formal applications to the FMA for notice of a binding legal opinion are also possible.
Small to medium-sized fintech companies may utilise the same tax incentives and funding sources generally available to start-ups. Austria hosts a dynamic start-up scene that is home to numerous incubators and accelerators, particularly in the capital, Vienna.
i Licensing and marketing
There is no special licensing regime for fintech companies in Austria. Austrian supervisory laws are technology-neutral, which means that each company's business model and the scope of its business activities must be examined on a case-by-case basis to determine whether a licence is required. Licensing is primarily conducted by the FMA.
Fintech companies active in Austria should consider whether the following licences are applicable to them:
- licence pursuant to Article 1(1) of the Banking Act (BWG) for engaging in banking transactions;
- licence pursuant to Article 3(2) of the Securities Supervision Act 2018 (WAG) for providing investment services;
- licence pursuant to Article 1(2) of the Payment Services Act 2018 (ZaDiG) for providing payment services;
- licence pursuant to Article 1(1) of the E-Money Act 2010 for issuing electronic money;
- licence pursuant to Article 4(1) of the Alternative Investment Fund Managers Act (AIFMG) for managing an alternative investment fund;
- licence pursuant to Article 6(1) of the Insurance Supervision Act 2016 for pursuing contractual insurance activities; and
- obligation pursuant to Article 2(1) of the Capital Market Act (KMG) to publish a prospectus.
The obligation to obtain a licence applies to companies that operate on a commercial basis and are active in Austria. Companies incorporated outside of Austria are deemed to be active in Austria if their business model actively targets the Austrian market, which can be evidenced by, inter alia, maintenance of an Austrian website (.at domain), providing Austrian contact information, advertising in Austria or establishing an Austrian distribution network. The seat of the company and the origin of its services are not determinative, but rather the active targeting of the Austrian market or the destination of the company's services to customers or investors in Austria.
Many common business models and activities in the fintech industry are susceptible to triggering a licence obligation in Austria. For example, issuers of initial coin offerings (ICOs) must be particularly mindful of licence requirements, as blockchain technology makes it easier than ever to engage in regulated activities over the internet with few, if any, gatekeepers or other intermediaries. Also, cryptocurrency mining companies that passively manage capital gathered from a number of investors may be regarded by the FMA as alternative investment fund managers under the Austrian AIFMG if offered within or into Austria. Internet-based platforms that provide investment or brokerage services may require a licence pursuant to the WAG. There are no special rules for companies that offer automated investment advice and trading. The FMA does not hesitate to initiate administrative proceedings against companies engaged in unauthorised business practices.
Other fintech business models that are gaining popularity in Austria, such as platforms for trading contracts for difference (CFDs) and binary options, are currently in a state of regulatory flux. On the EU level, the European Securities and Markets Authority (ESMA) temporarily banned the marketing, distribution or sale of binary options to retail clients. The ban has been in force since 2 July 2018 and will remain in force until at least 2 July 2019. ESMA has similarly placed restrictions on CFDs, which will remain in force until at least 1 May 2019. In Austria, it is currently unclear whether offering binary options or CFDs settled in cryptocurrencies is subject to an investment services licence under WAG.
The standards for obtaining a financial services licence in Austria are consistent with the standards set by applicable European legislation. Once an application for a licence has been made, the FMA typically has three months to make a decision or request additional time for review. Formal and informal means of communicating with the FMA regarding the applicability of one or more licences in a particular case are available.
Even if a licence pursuant to Austrian supervisory law is not required, a general licence obligation under the Trade Act (GewO) may nevertheless exist. Trade licences are administered by local authorities and are required to carry out any kind of trade or business activity in Austria. There are two types of trades: free and regulated. Licences for regulated trades as listed in the GewO are subject to more stringent requirements, including providing a certificate of professional competence. Businesses providing temporary cross-border services pursuant to the EU's freedom to provide services are subject to special rules under Section 373a GewO but are exempt from the requirement to provide a certificate of competency.
Marketing of fintech products and services is subject to the same rules that apply to other financial industry participants. In particular, clients of investment firms are entitled to adequate information that is fair, clear and non-misleading in order to make informed investment decisions. These principles also apply to marketing communications (Article 40(7) WAG). Moreover, issuers of securities or investments must take care that marketing materials do not run afoul of the prohibition against offering securities or investments for which no approved prospectus has been published pursuant to the KMG.
ii Cross-border issues
Companies within the European Economic Area (EEA) may passport certain EU-regulated or licensed activities from another jurisdiction into Austria pursuant to the single licence principle. The process is relatively simple: companies must first notify their home supervisory authority, which then notifies the FMA. The same applies vice versa if a licensed Austrian company intends to provide services in another jurisdiction within the EEA. The FMA maintains a searchable list of companies authorised to be active on a cross-border basis on its website.5 The single passport is available for regulated companies under, inter alia, the Capital Requirements Directive, the Markets in Financial Instruments Directive (MiFID II), the Payment Services Directive and the Alternative Investment Fund Managers Directive (AIFMD).
If a company intends to offer services cross-border pursuant to the EU's freedom of establishment, the establishment of a local branch is required. No local branch is required if cross-border business is conducted pursuant to the EU's freedom to provide services.
Reverse solicitation, the provision of regulated services by a third-country firm upon the exclusive initiative of a retail or professional client, is possible in theory pursuant to MiFID II or the AIFMD; however, the FMA interprets the applicable exemptions narrowly.
The Oesterreichische Nationalbank (OeNB), the central bank of Austria, administers foreign capital exchanges under the Foreign Exchange Act 2004. Except for certain cases referred to in the Treaty on the Functioning of the European Union, capital transactions and payments with other countries are not subject to any restrictions. However, the OeNB retains the authority to take certain measures to fulfil its obligations under international law or to safeguard the foreign interest of Austria. Under the Foreign Trade Act 2011 (the AußWG 2011), the acquisition of a 25 per cent or more shareholding of a company active in an area of public safety and order by certain foreign persons requires prior approval by the federal ministry in charge of economic affairs.
III DIGITAL IDENTITY AND ONBOARDING
Austria generally recognises two forms of digital identification: the Mobile Phone Signature and the Citizen Card. Both can be used to electronically sign documents in PDF format such as contracts or receipts. These electronic signatures have the same legal validity as handwritten signatures. Austrian citizens and residents generally are eligible for both services.
Financial service providers have been able to carry out fully digitised onboarding of clients since 3 January 2017. The FMA's Online Identification Regulation sets out strict organisational and procedural safeguards for video-based online identification, which effectively require digitised onboarding to be conducted in a live (rather than pre-recorded) setting. To complete the verification process, a potential customer must, inter alia, provide a screenshot of his or her face as well as the front and back of an official photo identification document. The potential customer must also upon request move his or her head while showing his or her face and communicate the serial number of the official photo identification document. Specially trained staff are required to conduct the online identification process in a separate room equipped with an access control system. Owing to these stringent requirements, many financial service providers outsource digitised onboarding to third parties.
IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES
i Collective investment schemes
Management of a collective investment scheme generally requires a licence in Austria. Several regulatory classifications are possible, depending on the structure of the scheme. A licence determination frequently turns on whether an investment strategy is present and whether the collected funds are directly attributable to operational activity.
Managing an alternative investment fund requires a licence pursuant to the AIFMG unless total assets under management do not exceed certain thresholds, in which case mere registration with the FMA is required. Without a licence, however, an alternative investment fund manager is prohibited from marketing any alternative investment fund to retail investors and engaging in cross-border marketing or management.
Undertakings for collective investment in transferable securities (UCITS) in Austria are governed by the Investment Fund Act 2011 (InvFG 2011), which transposes the UCITS Directive. The InvFG 2011 also regulates special types of alternative investment funds such as pension investment funds.
The management of real estate investment funds is also subject to a licence pursuant to the Real Estate Investment Fund Act. As such funds are a subtype of an alternative investment fund, the provisions of the AIFMG are also applicable.
Crowdfunding projects that publicly offer securities or investments in Austria are subject to the requirement to publish a prospectus pursuant to the KMG. The FMA reviews prospectuses for offerings of securities such as traditional stocks or bonds, while offerings of investments – essentially transferable, securitised rights that are not securities – are reviewed by a non-governmental prospectus auditor of the issuer's choice. Donation and rewards-based crowdfunding are generally not subject to the prospectus requirement. Certain offerings are exempt from the obligation to publish a prospectus.
Small and medium-sized enterprises may take advantage of special crowdfunding rules under the Alternative Financing Act (AltFG), which is enforced by the local administrative authorities rather than the FMA. Generally, under the AltFG, public offerings with a total consideration of up to €250,000 within 12 months have no prospectus or information requirement. Public offerings that lead to a total consideration from more than €250,000 to less than €2 million within 12 months must provide investors with an information sheet set out in the Alternative Financing Information Regulation. Public offerings exceeding €2 million and up to €5 million require a simplified prospectus in accordance with Annex F of the KMG. Retail investors in offerings pursuant to the AltFG generally cannot invest more than €5,000 within a 12-month period.
Crowdfunding platforms should be mindful of potential licence obligations if they engage in certain business activities such as providing brokerage or investment services (WAG), providing payment services (ZaDiG) or engaging in banking transactions such as credit intermediation (BWG). The AltFG contains specific requirements for operators of an internet platform related to the prevention of money laundering and terrorist financing and transparency of information. Platforms therefore often engage licensed partners to provide such regulated services.
The conclusion of money-lending agreements and the extension of monetary loans requires a licence pursuant to Article 1(1) No. 3 BWG. No special exemptions exist for peer-to-peer lending.
V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS
To date, Austria does not have a specific regulation for blockchain technology. The FMA generally views cryptocurrencies, namely, bitcoin and its ilk, as falling outside its regulatory purview since cryptocurrencies are not legal tender and not backed by a central authority. Nevertheless, the FMA has actively warned consumers of the high financial and technological risks posed by cryptocurrencies.
The Austrian government has been considering how to approach the regulation of cryptocurrencies over the past year. In February 2018, Finance Minister Hartwig Löger announced his position that cryptocurrencies should be regulated similarly to gold and derivatives, which are subject to robust anti-money laundering and counter-financing of terrorism (AML and CFT) rules.6 To this end, Austria supports the amendment to the EU Anti-Money Laundering Directive (the 5th AMLD), which must be implemented into national law by 10 January 2020. The 5th AMLD extends the scope of application of AML and CFT rules to include custodian wallet providers and platforms for exchanging virtual currencies. The newly established fintech advisory board in Austria may produce more specific recommendations on how cryptocurrencies should be regulated. In any case, it appears that the current Austrian approach is to wait for further guidance on the European level.
This does not mean that cryptocurrency-related businesses are free from regulation. Companies that transact in cryptocurrencies may require a licence if they engage in certain activities (see Section II.i). Issuers of payment tokens, for example, may require a licence for the issuance and administration of payment instruments pursuant to Article 1(1) No. 6 BWG. With regard to cryptocurrency mining, mining cryptocurrencies in one's own name and on one's own account generally does not require a licence, although certain business models may qualify as an alternative investment fund under the AIFMG.
Austria's approach to cryptocurrency taxation is generally favourable to investors and consumers. Cryptocurrencies held by natural persons as business assets are subject to income tax at applicable rates prescribed in the Income Tax Act. Conversely, gains on cryptocurrencies held as non-business assets for longer than one year are tax free. In line with the seminal Hedqvist ruling by the Court of Justice of the European Union, the exchange of fiat currency into bitcoin and comparable cryptocurrencies and vice versa is exempt from VAT. Cryptocurrencies obtained by mining are treated in the same way as the production of other assets for taxation purposes. Operating a cryptocurrency ATM also has tax consequences.
ii Initial coin offerings
The FMA is open-minded toward capital-raising projects using blockchain technology. In November 2018, the FMA approved for the first time a prospectus for an offering of securities executed on the basis of blockchain technology in the EU.7 The prospectus was successfully passported into Germany.
The FMA roughly classifies tokens offered in ICOs into three categories: security and investment tokens, payment and currency tokens and utility tokens.
Security and investment tokens are subject to the requirement to publish a prospectus. Depending on the rights attached to the token, security tokens may represent transferable securities or investments. The term 'transferable securities' is defined in MiFID II and is transposed into Austrian law through the KMG and WAG. Generally, tokens qualify as transferable securities if they resemble traditional securities such as bonds, shares or profit participation rights – a popular type of security in Austria that resembles shares but excludes voting rights. If transfer of a token is restricted but certain rights are embodied on the token and risk-sharing within a group is present, the token may qualify as an investment.
Payment and currency tokens are not subject to the requirement to publish a prospectus, but issuers of payment tokens may require a licence for the issuance and administration of payment instruments. A licence is not required if the payment system constitutes a limited network.
Utility tokens with features that overlap with security or payment tokens are subject to the respective regulations outlined above. In Austria, utility tokens typically resemble vouchers that entitle holders to goods or services available on a (yet-to-be developed) platform. The FMA views this model as comparable to a payment token; however, most models are exempted from the licence requirement on the ground of the limited network exemption.
VI OTHER NEW BUSINESS MODELS
i Self-executing contracts
Self-executing contracts, colloquially known as 'smart contracts', entail significant legal uncertainty. As there is no special legal framework for smart contracts, foundational principles of contract formation under Austrian private law apply. It is currently not possible to conclude certain types of agreements entirely via smart contracts, as Austrian law requires certain formalities such as notarisation to be observed. Enforcement issues that are likely to arise, particularly with regard to the reversal of immutable transactions and the conclusion of agreements with anonymous or pseudonymous parties, have yet to be resolved by the courts.
ii Decentralised exchanges
Decentralised exchanges that permit peer-to-peer trading of security tokens without a central intermediary are not exempt from the licence requirement for the operation of a multilateral trading facility under Article 1(2)(h) WAG.
iii Proof of stake algorithms
The transition of some popular cryptocurrencies from a proof of work to a proof of stake consensus algorithm may raise novel legal issues in Austria. In a proof of stake system, nodes validate transactions based on the amount of coins held. To maximise its ability to validate transactions, a node may borrow coins from other network participants in exchange for interest. Whether this practice triggers a licence obligation for deposit, lending or custody businesses under the BWG is unclear. The FMA has not explicitly addressed the issue.
VII INTELLECTUAL PROPERTY AND DATA PROTECTION
i Intellectual property
Austria does not have special rules that protect an entire business model per se. Accordingly, business models must be examined on a case-by-case basis to determine whether any intellectual property rights can be protected. The most relevant available protective rights under Austrian law include:
- trademarks protected under the Trademark Protection Act;
- designs protected under the Design Protection Act;
- patents protected under the Patent Act;
- utility patents protected under the Utility Patents Protection Act; and
- copyrights protected under the Copyright Act (UrhG).
Protection afforded under the above legislation is usually provided by registration in a public register and lasts up to 70 years after the death of the author.
Software is protected as a work of literature under Section 40a UrhG if it is the result of its author's or authors' own intellectual and individual creation and has a minimum level of creativity and complexity. This protection includes the machine, object and source code of the software, as well as design material such as flowcharts or structure charts. However, graphical user interfaces of software as well as the ideas and principles underlying the software are not protectable. The author of the software is always its creator. Legal entities are excluded as creators. It is possible to transfer derived rights of use to legal entities. For this reason, rights owners within the meaning of the UrhG are always only natural persons. In view of the complexity of today's software and its programming, co-ownership can be assumed. The UrhG may also protect databases under certain circumstances.
Unless otherwise agreed, only the employer is entitled to exercise property rights in software that was developed by an employee within the framework of an employment agreement. The employer thus effectively receives a legally required licence.
The unauthorised duplication and distribution of software can be prosecuted civilly for damages and injunctive relief as well as criminally by private prosecution.
ii Data protection
The EU General Data Protection Regulation (GDPR) has been legally binding and directly applicable throughout the EU since 25 May 2018. In Austria, the Data Protection Act (DSG) further implements certain provisions of the GDPR.
The GDPR generally applies to the processing of personal data related to identifiable natural persons. The processing of client data of fintech companies is therefore also covered within the scope of the GDPR.
Persons who deal with the processing of personal data must implement appropriate technical and organisational measures and procedures to ensure that the rights of persons concerned are adequately protected. Pursuant to Article 33 GDPR, personal data breaches of a certain nature must be reported to the Austrian Data Protection Authority (DPA) within 72 hours of becoming aware of them. Moreover, the person whose rights were violated must be informed without undue delay if there is a high risk to their personal rights and freedoms.
Digital profiling of clients is covered under the GDPR. Fintech companies must take into account that, at the time the data used for profiling is collected, data subjects are entitled to certain information including the fact that the profiling is taking place, the legal justification for the profiling and the expected effects of the profiling. Furthermore, a data protection impact assessment must be carried out if a systematic and extensive evaluation of personal aspects relating to natural persons is conducted (Article 35(3) GDPR). The persons concerned have the right to object pursuant to Article 21 GDPR, according to which the person concerned may, among other things, object to profiling if profiling is based on the legal basis of the overriding legitimate interest or is carried out for the purposes of direct marketing.
Fintech companies may be required under certain circumstances to conduct a data protection impact assessment, to compile a list of processing activities and to appoint a data protection officer. The DPA may impose fines of up to €20 million or, in the case of a company, up to 4 per cent of its total annual worldwide turnover in the previous financial year.
The provision of banking secrecy pursuant to Article 38 BWG is also of significance to fintech companies. According to this provision, credit institutions, their shareholders, board members, employees and other persons working for credit institutions may not disclose or utilise secrets or sensitive information that have been entrusted to them or made accessible to them exclusively on the basis of business relations with customers. In contrast to the GDPR, the BWG protects legal entities. Even if a transfer of data is not subject to banking secrecy or is permissible under the BWG, its admissibility under the GDPR or the DSG must also be examined. In the event of a breach of banking secrecy, fintech companies may also be liable under civil, criminal and administrative laws.
Further data protection regulations are contained in the Austrian Telecommunications Act.
VIII YEAR IN REVIEW
The establishment of the fintech advisory board by the Federal Ministry of Finance in April 2018 was a welcome development that may accelerate the pace of fintech regulation in Austria. The advisory board has already approved regulatory sandboxes for certain regulated entities, which are expected to go live in the first half of 2019. Further regulatory proposals are expected by the fintech advisory board in the course of the year.
The FMA has been supportive of capital raising projects using blockchain technology. In November 2018, the FMA approved for the first time a prospectus for an offering of securities executed on the basis of blockchain technology. More projects of a similar nature are expected to follow.
IX OUTLOOK AND CONCLUSIONS
In addition to the regulatory sandboxes, the Federal Ministry of Finance has identified two other priorities for the fintech industry in 2019:
- the creation of a central platform for financial companies to manage know-your-customer data of customers; and
- the dematerialisation of securities.
These priorities align with the Finance Ministry's larger goal of digitalising the financial services sector. The time to implementation, however, is uncertain. In any case, the Austrian government will be tasked in the course of 2019 with transposing the provisions of the 5th AMLD into national law by the 10 January 2020 deadline. The future of cryptocurrency regulation in Austria, namely whether cryptocurrencies will be regulated like gold and derivatives, remains to be seen. In any case, Austria is likely to follow guidance provided on the EU level.
1 Oliver Völkel is a founding partner and Bryan Hollmann is counsel at Stadler Völkel Rechtsanwälte GmbH. The authors would like to thank Arthur Stadler, Andreas Pfeil, Jacqueline Bichler and Margaux Mermin for their valuable contributions.
7 The authors represented the issuer in the prospectus.