Since the publication of the first edition of The Financial Technology Law Review in 2018, the German fintech market has continued to evolve, even though the expansion of the fintech market in Germany has slowed down compared to the previous years.2 Fintech-related topics are still frequently and intensively being discussed in Germany not only by participants in the financial sector but also by politicians and regulatory authorities. In recent months, particularly the question whether cryptocurrencies like bitcoin qualify as financial instruments and whether the present legal framework gives sufficient leeway for the application of blockchain-based business models have been the subject matter of such discussions.
The activities in the field of policy and financial market regulation that have been sparked by the insight that digitalisation will fundamentally change the financial industry include the assignment of a study to get a better understanding of the fintech market in Germany,3 the formation of the FinTech Council by the German Federal Ministry of Economics that aims to enhance the dialogue among business, politics and academia4 as well as a joint paper of the German Federal Ministry of Finance and the German Federal Ministry of Justice and Consumer Protection concerning the regulatory framework for blockchain-based securities and crypto-tokens aimed to foster innovation and investor protection.5 Further, the German Federal Financial Supervisory Authority (BaFin) has published several statements, explanations and opinions,6 including the perspective of BaFin on topics such as big data and artificial intelligence, distributed-ledger-technologies as well as digitalisation and information security.7 So far, however, the various initiatives have not resulted in any special fintech legislation, save for a relief in the regulation for crowdfunding platforms that is of particular relevance for peer-to-peer lending platforms as introduced by fintech businesses.8
Generally, German legislators and BaFin apply the principle of 'same business, same risk, same regulation'. This includes that neither the legislators nor BaFin has promulgated rules that privilege fintech companies compared to traditional players in the financial sector. Therefore, a 'sandbox' model that establishes an innovation space where fintech companies may test business models without tight regulation as established in the United Kingdom and in Switzerland has not been introduced in Germany yet.
Hence, BaFin attempts to find a balance between supervisory concerns and the start-up culture that often exists in fintech companies. In this connection, BaFin provides fintech companies with information concerning supervisory issues on their website.
There is no special public funding instrument for fintech companies, but the German Ministry of Economics has set up the programme 'INVEST' to help start-ups raise venture capital. If business angels purchase shares of newly founded innovative companies and hold them for more than three years, 20 per cent of their original investment will be reimbursed by the state up to a limit of €100,000.9 To qualify for the programme, investors have to spend at least €10,000. Invested capital must not result from a third-party loan to the investor. Furthermore, the business angel has to participate in the new company's gains and losses. Investors must be natural persons living in the European Economic Area or must use special investment companies registered in Germany (e.g., the limited liability company, GmbH).
Generally speaking, German regulatory authorities and the government emphasise that they recognise the potential of fintech for public economic benefit, while the regulation seems rather conservative when the traditional regulatory standards, which stem from the era of pre-digitalisation, are applied. Nevertheless, the efforts of BaFin to support fintech companies by offering detailed legal information and by improving the communication channels, as well as the indicators for future legislative changes to foster technical innovation, are evident.
i Licensing and marketing
The general rules apply to licensing and marketing of fintech companies in Germany. Since there is no specific fintech licence available in Germany, the regulation of fintech companies depends ultimately on the business they carry out. This again results from the 'same business, same risk, same rules' approach. The entire array of licences and marketing restrictions may therefore become relevant for fintech business models.
In particular, the following types of licences have to be taken into account:
- licence pursuant to Section 32 (1) Banking Act (KWG) for providing banking businesses within the meaning of Section 1(1)(2) KWG or investment services within the meaning of Section 1(1a)(2) KWG;
- licence pursuant to Section 10(1) Payments Services Supervisory Act (ZAG) for providing payment services or pursuant to Section 11 ZAG for the issuance of e-money;
- licence pursuant to Section 20(1) Capital Investment Code (KAGB) or, less burdensome, the mere registration pursuant to Section 44(1) KAGB for offering collective asset/funds management;
- licence pursuant to Sections 34c, 34d and 34f Industrial Code (GewO) for the brokerage of loans, insurance contracts and certain financial products; and
- licence pursuant to Section 8(1) Insurance Supervisory Act (VAG) for conducting insurance business.
In general a licence requirement is triggered if someone intends to provide in Germany commercially or on a scale which requires a commercially organised business undertaking one of the services listed in the comprehensive catalogues of regulated activities referred to above. Consequently, it needs to be carefully analysed whether a fintech business model falls within the scope of one or several of such regulated services.
Depending on the type of licence, different authorities might be competent to grant the relevant licence. Placing the competent authorities in a hierarchy, the European Central Bank (ECB) is at the top with its competence for granting licences for institutions that intend to carry out banking business that includes lending and deposit-taking business. Beneath the ECB, BaFin is the competent authority for institutions that intend to provide banking business except for lending and deposit taking, including investment services, payment services, collective asset or funds management and insurance business. The third level in the hierarchy would consist of the authorities which have been endowed under the German federal state laws with the competence to grant licences pursuant to the GewO.
All these types of licences may become relevant for fintech business models. This can be illustrated by the observation that the first 'fintech banks' were established in Germany holding a banking licence granted by ECB.
Both the requirements to obtain a licence under the German financial supervisory laws and subsequent ongoing legal requirements depend on the type of licence. For instance, the requirements to get a licence pursuant to Section 32(1) KWG for providing investment brokerage or investment advice are less tight than for guarantee or for safe custody business. In this regard, it makes a significant difference for regulatory purposes whether an institution is entitled to hold funds or assets for its clients because in this case the regulatory requirements are more comprehensive and stricter.
It would exceed the given framework to elaborate on the licence requirements for each fintech relevant business model. However, the general rule that the necessary type of licence depends on the specific services to be offered can be illustrated by reference to the robo-advice business models which have become popular in Germany in the recent years.
Generally speaking, a robo-adviser might be subject to a licence requirement pursuant to Section 32(1) KWG, in particular to provide investment brokerage, investment advice or portfolio management services. BaFin will only grant the necessary licence if, among other requirements, the applicant has at least €50,000 at its free disposal,10 if its managing directors are professionally qualified and with an impeccable reputation and if the applicant can prove that proper risk-management will be in place when the regulated business will be commenced.
By way of exception from this general licence requirement under the KWG, investment brokerage and investment advice may be provided under the less restrictive licence pursuant to Section 34f GewO; however, only specific financial products may be brokered or recommended under this privileged licence, which is granted not by BaFin but by the competent authorities in accordance with the laws of the relevant federal state. An additional exception is available for tied agents who closely cooperate with a licensed institution.
When robo-advisory models were introduced, some of the service providers offered robo-advice in the form of investment brokerage by connecting the supply of specific financial products to customers' demand for financial instruments. These models try to implement a structure where the client stays in charge of the investment process so that the client makes the ultimate decision to buy or sell a financial instrument. There is, however, a thin line between investment brokerage and investment advice. Although BaFin did not pursue a strict approach until 2017, it then made clear that a robo-adviser provides investment advice if clients could get the impression that the investment proposals presented by the robo-adviser are tailored to their individual circumstances.11 The distinction between both types of investment services becomes relevant for the type of licence which is required and, in practice more important, with respect to the requirements which the robo-adviser must comply with in offering its services. Particularly the suitability report that an investment adviser must prepare and which is aimed to show how the recommended financial products suit the needs of the client12 is for many robo-advisers a bureaucratic obstacle they would like to avoid.
Both the stricter position of BaFin and the preference not to prepare for each investment a suitability report have led to many robo-advisers becoming licensed as portfolio managers.13 Providing such type of investment service, however, involves the obligation to adhere to a comprehensive set of rules of conduct so that robo-advisers must thoroughly analyse which route suits them best and which type of licence they need for their individual business model.
With respect to marketing regulations applicable to fintech companies in Germany, the general rule is that marketing must be fair, transparent and not misleading. These principles follow from the Act against Unfair Competition (UWG) but are also included in some of the statutory provisions for financial services.14 Whether additional rules have to be taken into account depends primarily on the understanding of the term 'marketing'.
As far as marketing for investment services within the meaning of Section 2(8) of the WpHG is concerned (including investment brokerage, investment advice, portfolio management, underwriting business etc.), it is rather difficult to distinguish marketing from the rules of conduct for service providers set out, inter alia, in Section 63 et seq. of the WpHG and a regulation promulgated thereunder (WpDVerOV) but also in various delegated regulations promulgated under MiFID II. These require that offerors of investment services provide their potential clients with mandatory information regarding, for instance, their products (e.g., key information sheets), potential conflicts of interest and inducements, and that they obtain certain information from their clients. Further, investment service providers must comply with detailed requirements set out in the Minimum Requirements for the Compliance Function and Additional Requirements governing Rules of Conduct, Organisation and Transparency (MaComp) which have been promulgated by BaFin.
Similar rules as for investment services apply to the marketing of funds under Section 298 et seq. of the KAGB. The information obligations for professional or semi-professional clients are less comprehensive than those for retail clients.
Regarding marketing for payment services, a comprehensive set of pre-contractual information obligations is provided for in the German Civil Code (BGB) in conjunction with Art. 248 of the Introductory Act to the BGB (EGBGB).
Further, marketing for certain fintech related services might entail the obligation to publish a prospectus. Such obligation is usually be triggered once a public offer for securities or financial assets has been made in accordance with the Prospectus Act (WpPG) or the Asset Investment Act (VermAnlG). In particular, the prospectus obligation under the VermAnlG may become relevant for fintech business models such as, for instance, crowdfunding or P2P lending platforms.
Fintech companies in Germany should therefore check whether marketing for their business might be captured by one of the comprehensive legal regimes for marketing.
ii Cross-border issues
As a general rule, the German regulations apply to each service provider conducting its business in Germany. This means that the rules – particularly the licensing requirement – not only apply if the service provider has its registered office in Germany, but also if it actively targets the German market cross-border.15
Pure accessibility of the relevant services via the internet in Germany may be considered sufficient to assume that a service provider is actively targeting the German market. The regulations apply if the offeror of the relevant services intends the service to be used by German customers among users of different nationalities.16 If a service provider maintains its website in German, this is considered to be a strong indication of actively targeting the German market.
If, however, the provision of regulated services cross-border is concerned, the privilege to notify German regulators of existing licences from a home Member State within the European Economic Area (EEA) might offer an exception from this general rule, which may appear very strict at the first glance. The European 'passport' has been introduced for many regulated services such as, for instance, certain types of banking business, investment services as set out in Annex 1 of MiFID II and payment services. If a service provider has been licensed in its EEA-home Member State, the service provider may notify its competent supervisory authority of its intent to offer the regulated services also in Germany.17 Generally speaking, the service provider may commence the regulated business without a separate licence in Germany either on a cross-border basis or through a branch once the competent supervisory authority in the home Member State has informed BaFin, which subsequently has confirmed that the service provider may commence its business in Germany. In this scenario, the supervisory authority in the home Member State is generally responsible for the supervision of the service provider's activities in Germany, subject to certain residual competences of BaFin and the German Federal Bank. The limitation of the European passport to institutions with registered seat in the EEA is one of the main reasons why the decision of the United Kingdom to leave the EU and the EEA (Brexit) has caused such a turmoil in the financial sector. If the EU and the United Kingdom do not endorse an agreement providing for a well-regulated withdrawal from the EU, including transitional periods, fintechs based in the United Kingdom providing regulated services will not have the opportunity any more to offer such services on a cross-border basis to customers in EEA Member States under the EU-passport regime.
Another possibility for fintech companies to access the German market without being subject to a licensing requirement is to cooperate with a licensed service provider, typically a bank. Such ventures are 'white label structures' where a regulated entity (fronting bank) effectively makes available its licence for the business activities of a third party. For this purpose the third party must subordinate its business to the bank's management by granting instruction and control rights to the bank, which for regulatory purposes is responsible for the regulated services.
iii DIGITAL IDENTITY
To date, there is no generally recognised digital identity available in Germany. However, it is possible to identify yourself electronically via the internet if the requirements of Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market are met. Details relating to this have been provided for in the Act on Trust Services (VDG).
Regarding the onboarding process as required under the statutory anti-money laundering and counterterrorism rules, the Anti-Money Laundering Code (GwG), which was revised in 2017, confirmed the possibility of video identification ensuring onboarding without media discontinuity, which is often particularly important for fintech business models. The requirements for such video identification are, however, rather strict.18 Given that BaFin confirmed the applicability of these standards in its guidance on the interpretation of the GwG published in December 2018,19 an alleviation of the requirements is not to be expected.
IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES
Innovative funding solutions and business models related to payment services are typical areas in which fintech companies conduct business in Germany. Regulators have been struggling for some years to find a position on collective investment schemes balancing regulation to protect investors, in particular retail investors, and to allow innovative solutions that may also serve retail investors' interests. Eventually German legislators concluded that the regulatory requirements applicable for already known investment business models shall generally (subject to limited privileges) also apply to collective investment schemes.
Whether and which regulatory rules apply for peer-to-peer-lending depends on the specific business model.
Crowdfunding based on donations the investors make to support a special project (crowd-sponsoring) is generally not subject to financial regulation. If, however, the investor benefits financially from his or her investment, for example by participating in future profits of the project (crowd investing) or by being reimbursed with or without interest (crowd-lending), special regulations apply.20 Such regulations may be distinguished as falling under supervisory law, consumer law and capital market law.
Peer-to-peer lending in form of crowd investing or crowd lending may entail consequences under German financial supervisory law for the lender, the borrower and the platform.21 The key concern relates to possible licensing requirements. In particular, the licensing requirement for lending business must be considered.22 A licence requirement is triggered if the lender acts commercially or in a manner that requires a commercially established business operation. It is sufficient if the lender intends to repeatedly engage in the lending business to make profits.
The taking of deposits commercially or on a scale that requires a commercially established business operation is also subject to a licensing requirement.23 These requirements may become relevant for all involved parties, for example the platform if it keeps the funds extended by the lenders until the funds are transferred to a single or several borrowers. If the platform performs such function and transfers funds from the investors to the borrowers, the platform may also be subject to a licensing requirement under the ZAG for providing payment services. The licensing requirement under the KWG may become relevant for the investors who provide the funds extended to a single or various borrowers too. Even the borrowers may be subject to a licensing requirement for conducting the deposit taking business when they receive the funds from the platform or the investors.
Given these regulatory restrictions, peer-to-peer-lending business models in Germany typically include a fronting bank that holds a licence for the lending and deposit-taking business. In these models, the fronting bank extends the loans to the borrowers, and the bank refinance the loans by selling the repayment claims arising under them to the platform for on-selling to investors or directly to investors who ultimately receive the repayment claim against the borrower. The various business transactions between the involved parties relating to the extension of a loan are interdependent by way of conditions precedent. Therefore, the bank is only obliged to extend the loan if investors have committed to provide sufficient funds for the purchase of the repayment claims arising under the loan. The platform, which is typically a fintech company, is acting in this model as a broker that brings together investors and borrowers.
Such structure is usually not critical for the investors as they only acquire a repayment claim, which is as such not subject to a licensing requirement, provided that the acquisitions do not occur under a framework agreement. In the latter case, a licensing requirement for providing factoring business could be triggered.24 For the borrowers this model is not problematic either. One might consider whether they engage in deposit-taking business. However, it is generally recognised under German law that it does not constitute deposit-taking to borrow funds from a licensed bank. The fronting bank has in this model the necessary licences so the remaining question is whether the platform performs business activities subject to a licence requirement. The platform might conduct the factoring business if it acquires the repayment claims from the bank prior to selling them on to investors. Usually, however, the factoring business can be avoided by certain structural arrangements. In this case the regulated activities of the platform consist of brokering loans (between the bank and the borrowers) and investments (between the platform or the bank and investors as purchasers of the repayment claims). These are activities which can be structured to avoid regulation under the KWG and to ensure that 'only' the licence requirements under Sections 34c and 34f GewO need to be met. BaFin considers the repayment claims brokered by the platform to be financial assets within the meaning of the VermAnlG and, therefore, financial instruments within the meaning of the KWG so that, in principle, the brokering activity could also be subject to a licensing requirement pursuant to Section 32(1) KWG which is, however, typically avoided by taking advantage of an exception.
In Germany, as in the European Union generally, relatively strict consumer protection rules apply. This is also the case for consumer loans. Consequently, a direct contract between the lender and the borrower brokered by a peer-to-peer lending platform triggers far-reaching information obligations for the lender under Section 491 et seq. BGB, provided that the lender acts commercially and the borrower is a consumer. Given the typical structure for peer-to-peer lending platforms in Germany, the fronting bank implemented in the structure must typically comply with these obligations.
Further, given that peer-to-peer lending platforms typically offer their services online, the consumer protection rules on distance selling must be considered (Section 312a et seq. BKG). These rules are based on EU law and should in general not differ in the EU Member States.
Capital market law
Generally speaking, the WpPG and the VermAnlG has to be considered if the regulatory framework for crowdfunding and crowd-lending platforms is analysed under German law from a capital market point of view.
The VermAnlG generally applies to profit participating loans, subordinated loans and all other investments that grant a claim to interest and repayment. If such investments are publicly offered, a prospectus or at least an information sheet concerning the investment must be published, unless certain exceptions apply. One of these is explicitly directed to internet platforms engaging in crowd-investment (Section 2a VermAnlG). Under this exception, the obligation to publish a prospectus does not apply to investments that are only brokered via the internet and do not exceed low thresholds ranging from €1,000 to €10,000 per investment. Even if this exception applies, an information sheet must be published.
Should a crowdfunding platform issue or publicly offer securities within the meaning of the WpPG, a prospectus must, subject to certain limited exceptions, also be published. The WpPG obligations, however, have not yet gained material significance in the German fintech market, except for the very few fintech companies using securitisation to refinance. This might change in the future owing to the rise of ICOs.25
ii Payment services
The payment services sector was one of the first in the German financial industry where fintech companies became active and visible. This is one of the reasons for fragmentation of the payment services market, which has recently begun to consolidate. Nevertheless, the revised Payment Services Directive (EU) 2015/2366 (PSD II), which has been implemented into German law with effect from 13 January 2018, is expected to offer new business opportunities especially for nimble fintech companies. The reason for this expectation is that account information services and payment initiation services as new payment services have been introduced under the revised ZAG. The providers of such services now have a legal claim for access to payment accounts against the banks that maintain such payment accounts for their customers. This is perceived as a potential game changer because the traditional banks can no longer prevent their competitors from accessing the accounts of customers who consent to such access (open banking).
This opportunity, however, comes with additional regulatory burden. Providing payment services is generally subject to a licence requirement, unless certain exceptions apply. The scope of this licence requirement has been expanded to comprise the providers of account information and payment initiation services even though these service providers do not acquire at any time possession of their customers' funds. On account of this consideration, the regulatory requirements for a licence to provide payment initiation or account information services are less strict than for a licence to provide traditional payment services.
V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS
Cryptocurrencies such as bitcoin undoubtedly constitute a challenge for the German law from regulatory, civil law and tax perspectives. This is because legislators have not yet enacted any special rules for the legal treatment of cryptocurrencies.
In the absence of specific regulations dealing with cryptocurrencies, BaFin made a first step towards the regulation of cryptocurrencies through a broad interpretation of the term 'financial instrument' within the meaning of the KWG. According to BaFin, cryptocurrencies such as bitcoin qualify as 'units of account' within the meaning of Section 1(11) No. 7 alt. 2 KWG and therefore as financial instruments. This is an important determination, as it means that services related to cryptocurrencies that are provided commercially or on a commercial scale may be subject to a licensing requirement. However, this view of BaFin was recently challenged by a ruling of a higher regional court in criminal proceedings.26 The court held that bitcoins do not constitute 'units of account' within the meaning of the KWG and that the sale of bitcoins are therefore not subject to a licensing requirement the non-compliance of which would result in committing a criminal offence. This ruling sparked controversial discussions regarding whether BaFin may adhere to its qualification of bitcoin and similar cryptocurrencies as financial instruments. As a matter of practice, however, the German federal government provided the answer to this question by clarifying that the court ruling does not concern the administrative practice of BaFin.27 Against this background, one should not rely on said court ruling but take into account BaFin's view on bitcoin and similar crypotcurrencies in assessing the legal risks related to relevant business models. For instance, buying and purchasing cryptocurrencies in the service provider's own name for the account of others may constitute banking business in the form of principal brokering business.28 Further, brokering cryptocurrencies might constitute investment brokerage,29 whereas advising on the purchase or sale of cryptocurrencies might be considered investment advice.30 Also the operation of a platform on which cryptocurrencies can be traded may qualify as a multilateral trading platform within the meaning of Section 1(1a) Sent.2 No.(1b) KWG and might, therefore, be subject to a licensing requirement.31
However, neither the mining, nor the purchase or sale of cryptocurrencies in one's own name and for one's own account is subject to a licence requirement. Therefore, cryptocurrencies may generally be used as means of payment and generated by mining without any special permission.
From a civil law perspective, many questions have not yet definitively been answered. The uncertainty starts with the applicable jurisdiction and laws generally for a cryptocurrency. These questions become relevant if, for instance, cryptocurrency units are transferred or pledged. Further, it is still unclear which disclosure and information obligations apply in cryptocurrency transactions.
Interestingly, the usually complex tax analysis has at least partly already be clarified for cryptocurrencies through a decision by the European Court of Justice (CJEU).32
According to the principles of this decision that were incorporated into German tax law,33 exchanging regular currencies into bitcoin (or comparable cryptocurrencies) and vice versa shall be tax-free with respect to value added tax according to Section 4 no. 8b of the Turnover Tax Code (UStG). In addition, using bitcoins or comparable cryptocurrencies as payment and the process of mining are tax-free.
Other transactions concerning cryptocurrencies may, however, be affected by tax law.
From an accounting perspective, cryptocurrency units like bitcoins are transferable so that it appears necessary to account for them as assets on the balance sheet.
If they qualify as assets that support the business for only a short period (current assets), they may have to be recorded as 'other assets' according to Section 266 (2) B II No. 4 of the Commercial Code (HGB).34 If the cryptocurrency units qualify as assets that support the business for a long period (fixed assets) they should be taken accounted for as acquired immaterial assets according to Section 266(2) A I No. 2 of the HGB.35
ii Initial coin offerings
Initial coin offerings (ICOs) are sales of virtual tokens to raise funds for general corporate purposes or a specific project typically described in more detail in a White Paper. Depending on the structure of the ICO, tokens may be bought with regular or virtual currencies and may grant specific rights such as participation rights and profit shares, or no right at all. While the discussions and structures of ICOs and tokens are still in flux, tokens that can be offered in an ICO may be categorised as follows:
- Cryptocurrency tokens are meant to pay for goods or services external to the platform or not only exclusively between the platform and its users but also between users.
- Utility tokens are supposed to convey some functional utility to token holders other than or in addition to payment for goods or services, in the form of access to a product or service. These tokens come with particular rights, such as a right of access to a future service, a right to redeem the token for another token or service or voting rights which often are designed to shape the functionality of the product.
- Security tokens are comparable to traditional securities set out in Article 4(1)(44) MiFID II such as conventional debt or equity instruments.36
This rough categorisation – which corresponds to the general approach pursued by BaFin – illustrates that tokens may differ significantly. Consequently, each ICO must be thoroughly analysed with respect to its regulatory and capital market requirements. BaFin determines the applicability of the applicable legislation including the KWG, the ZAG, the WpPG, the KAGB and the VermAnlG case by case, depending on the specific contractual arrangements. Where tokens resemble participation rights that might be classified as securities under the WpPG or capital investments under the VermAnlG, a prospectus for the marketing of the tokens may be required. One might question, however, whether a fully digitised token constitutes a security within the meaning of the WpPG, as under German securities law such a security requires a certificate. In light of this general concept, the first BaFin-approval of a prospectus for a public offer of fully digitalised blockchain-based tokens under the WpPG-regime, in February 2019, was quite unexpected. Given the current legal framework for securities, it is not entirely clear yet whether this route involves various legal risks despite the approval by BaFin. It seems that clarity in this regard requires an amendment of the German securities laws explicitly permitting fully digitalised offerings of securities. The necessary changes of the relevant laws are already being discussed. The German Federal Government demonstrated its intention to support such changes when the German Federal Ministry of Finance and the German Federal Ministry of Justice and Consumer Protection published a joint paper concerning the future regulatory framework for blockchain-based securities and crypto-tokens, aimed to foster innovation and investor protection.37
In addition to a prospectus requirement, any professional service provided in connection with the trading of tokens – including an agreement to acquire, or the sale or purchase of tokens – when qualified as units of account, would, as a general rule, require licensing by BaFin.38
Even if an obligation to publish a prospectus does not exist, issuers of tokens should be aware that consumer protection laws might apply to the sale of tokens via internet. So, the underlying contract may qualify as a distance contract resulting in information obligations according to Section 312(i) of the BGB. Provided that the contract is considered as financial service, further information must be provided according to Section 312(d) of the BGB.39
iii Money laundering rules
Tokens and cryptocurrencies in general are perceived as highly susceptible to money laundering and terrorism financing. So far, however, special legislation has not been adopted in Germany to address such risks relating to ICOs and cryptocurrencies.
Yet, this does not mean that the existing German anti-money laundering and counterterrorism rules do not apply to cryptocurrencies and ICOs. Owing to the broad interpretation of the term 'financial instrument', cryptocurrency and ICO service providers may be subject to a licence requirement under the KWG. In this case they must, in their capacity as institutions, adhere to the duties set out in the Anti-Money Laundering Act (GwG). This includes having to conduct adequate customer due diligence and, as appropriate, notifying the Financial Intelligence Unit of any suspect transactions.
The more interesting question is whether also the issuer of tokens in an ICO may be subject to such obligations under the GwG. This may well be the case because such an issuer might be regarded as a person trading in goods within the meaning of Section 1 (9) GwG.40 For persons trading in goods, however, the full set of obligations under the GwG does not apply; instead, they need only– in the absence of a specific suspicion – identify their counterparty if they pay or receive a cash payment of at least €10,000 (Section 10(6) GwG).
To summarise, in Germany the statutory AML-rules may become relevant in the context of transactions with cryptocurrencies and ICOs, but there is still some ambiguity. More clarity will be achieved by the implementation of the stricter rules provided for in the 5th EU-AML Directive, which became effective on 9 July 2018. The 5th EU-AML Directive extends the scope of the AML requirements to operators of virtual currency platforms, which shall have the same customer identification obligations as banks. The new rules will be transposed into German law by 10 January 2010.
VI OTHER NEW BUSINESS MODELS
Generally speaking, it seems difficult to identify totally new business models in the past one or two years. Instead, one can observe enhanced efforts to find specific uses for blockchain technology and for artificial intelligence.
These efforts can be illustrated by the cooperation of Deutsche Bundesbank with Deutsche Börse aimed to develop solutions for a securities settlement system which facilitates the delivery of securities against virtual currency units on the basis of the distributed ledger technology.41
Participants in the capital markets in general appear to seek increasingly successful business models exploiting the potential of fintech. The first placings of promissory notes and commercial papers (even though these papers have not been governed by German law) have been made in Germany by taking advantage of the blockchain technology and of highly digitalised platforms.
Further, how artificial intelligence could support anti-money laundering compliance and the compliance function in general, which is sometimes called 'digital compliance', is also being investigated. In this regard, however, it seems too early to maintain that new business models have already evolved.
Worth mentioning in the context of recent and successful fintech-related business models is the increasing digitalisation in the insurance sector. New service providers have evolved that primarily broker insurance via smart phones quickly and simply. Certainly, such brokers must also comply with the general information duties relating to the brokerage of insurance contracts.
Also successful, but not strictly new, are product comparison websites, which have become very popular with price-conscious consumers. The influence of such offerings on the market is governed by the general competition rules. These include that price comparison tests must be performed in a competent manner, seek to be objectively accurate and be neutral.42 Finally, the incorporation of so-called fintech banks is noteworthy in connection with new business models. These fintech banks hold a comprehensive licence to conduct banking business but still perceive themselves to be fintech companies. Their business model is based on digitalisation; and partly they offer white-label solutions, namely they may seek to cooperate with other fintech companies that need licensed banks for their business model. This illustrates that some fintech banks position themselves as 'platform banks', where cooperation partners may find specific service offerings that they can use to complement their own products or services.
VII INTELLECTUAL PROPERTY AND DATA PROTECTION
i Intellectual property
A business model as such cannot be protected by copyright law. Therefore, it is not uncommon for successful fintech business models to be copied and optimised. Computer programs, however, that are characterised by a minimum of individuality and originality are subject to copyright protection according to Section 2 of the Act on Copyright and Neighbouring Rights (UrhG).43
Under German law copyright can be neither registered nor transferred, since the copyright itself emerges the moment the piece of work, such as the software, is created by its actual originator.44 The capacity of being the originator is strictly connected to a natural person and may therefore not be transferred.45 Obviously the lack of registration leads to various practical problems that often result in lawsuits. Nonetheless, a licence may be granted enabling the holder to make use of the piece of work in every or in particular matters (Section 31 of the UrhG). Employees and their employers implicitly agree on a full licence by drafting the employment contract.46 Therefore, the employer is allowed to make use of the piece of work. Concerning computer programs, another rule applies (Section 69b of the UrhG), granting the employer even more rights. Unless agreed otherwise, the employee is owed no compensation.47
ii Data protection
Generally speaking, data protection is governed by the Law on Telemedia (TMG) and the General Data Protection Regulation (GDPR), which replaced to a material extent the previous version of the Federal Act on Data Protection as of 25 May 2018 without, however, changing the fundamental principles of German data protection law. The GDPR and the TMG intend to prevent the collection and use of data related to individuals unless it is duly necessary to do so (Section 12(1) of the TMG, Article 1 of the GDPR). Data are considered to be related to individuals if the responsible body has the legal means that enable it to identify the data subject.48
Collection and processing of data related to individuals is only permitted if it is explicitly allowed by law or if the data subject consents (Section 12(1) TMG; Article 6(1) GDPR). Sections 14 and 15 of the TMG contain such allowances, if data are necessary to design a contract concerning the use of telemedia, to grant the user access to services or to charge those services properly. Furthermore, the user can declare his or her consent electronically (Section 12(2) of the TMG). Additionally, the user must be informed about nature, extent and purpose of data collection.
Digital profiling has to comply with the general principles stated above. The GDPR does not regulate digital profiling as such but focuses on some of its typical forms: firstly, the automated individual decision-making, including profiling, must comply with Article 22 of the GDPR; secondly, a decision that produces legal effects on the data subject or has a similarly significant influence on the data subject must not be based solely on automated processing (Article 22(1) GDPR). However, Article 22(1) GDPR shall not apply, if the decision: (1) is necessary for entering into, or performance of, a contract between the data subject and the data controller; (2) is authorised by law to which the controller is subject and that also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is based on the data subject's explicit consent (Article 22(2) GDPR).
VIII Year in review
Considering the developments in the fintech sector within the past 12 to 18 months, the following trends appear worth emphasising.
Overall, the fintech market in Germany continues to demonstrate growing maturity. This, and that business models of German fintech companies are able to implement commercially viable business models, may be illustrated by one of the German fintech banks that became the first German fintech 'unicorn', with a market evaluation of more than €1 billion by significant financings in 2018. However, scaling their operations is still difficult for many local fintechs, which may also be a result of the increasing efforts of incumbent institutions to take advantage of the lessons learned from fintechs concerning innovation and customer experience. Traditional players in the financial sector use these insights not only by establishing cooperations and partnerships with fintechs but also by developing their own digital offerings. This might explain why investment volumes and the number of noteworthy deals in 2018 did not reach the level of previous years.
ICOs and cryptocurrencies continue to be among the dominant topics in the fintech sector. For the time being, there is still a lack of specific regulation, which might be one of the explanations why risks such as high volatility, fraudulent business models and a lack of adequate customer information often accompany investments in ICOs and cryptocurrencies. The application of distributed ledger technology for other use cases remains a challenge, but market participants have deployed significant efforts to identify and realise corresponding business models, for instance, in the field of capital markets or supply chain finance.
The relevance of distributed ledger technology has also been recognised by politicians and by supervisory authorities that provide more guidance on the regulatory treatment of ICOs and cryptocurrencies. It seems that specific regulation of blockchain-based business models will be introduced rather sooner than later. The German legislator expressed its intention not to wait for a harmonised solution at the EU-level, but to initiate a blockchain initiative also involving specific legislation aimed at fostering business models using the distributed ledger technology.
The implementation of PSD II has opened the door for nimble fintech companies taking advantage of open banking possibilities by offering account information and payment initiation services.
IX Outlook and conclusions
Given the numerous initiatives at an international, EU and national level dealing with the regulatory challenges of fintech, specific regulation has to be expected. With regard to cryptocurrencies and ICOs this is likely to result in tighter or at least clearer statutory requirements. The 5th EU-AML Directive illustrates this trend by implementing customer identification obligations for virtual currency platforms. This, however, does not need to be detrimental to fintechs and their offerings. Instead, this is a chance for a reliable legal framework to foster trust and create an attractive climate for investors. Further, German politicians have recognised that the legislation needs to provide a legal environment that promotes innovative solutions. Whether this will lead to the introduction of an option for EU Member States to elect a 'sandbox model' remains to be seen. The regulatory authorities in Germany would still not welcome such an option. Instead, it is currently more likely that special legislation will be introduced in Germany that addresses the needs of blockchain-based business models. Further, there are some indications (e.g., the harsh sanctions regime) that the GDPR might turn out to be an obstacle for future prosperity of the fintech sector. In particular, it is questionable how the requirements under the GDPR and, in particular, the 'right to be forgotten' can be fully implemented by the blockchain-based services and products. Finally, new developments can be expected in the area of big data and artificial intelligence.
1 Jens H Kunz is a partner at Noerr LLP.
2 See EY study, Germany FinTech Landscape – FinTech beyond borders: cross-border FinTech activity, November 2018.
3 See Gregor Dorfleitner et al., 'FinTech-Markt in Deutschland', 17 October 2016, a study assigned by the Federal Ministry of Economics.
4 See German Federal Ministry of Finance (Bundesministerium der Finanzen),
www.bundesfinanzministerium.de/Content/DE/Pressemitteilungen/Finanzpolitik/2017/03/2017-03-22-pm-fintech.html (15 February 2019).
5 See German Federal Ministry of Finance (Bundesministerium der Finanzen), https://www.bundesfinanzministerium.de/Content/DE/Standardartikel/Themen/Internationales_Finanzmarkt/2019-03-08-eckpunkte-elektronische-wertpapiere.html (13 March 2019).
6 See the English version of the related BaFin-website where BaFin gives a summary of its position on fintech related regulatory questions: https://www.bafin.de/EN/Aufsicht/FinTech/fintech_node_en.html (15 February 2019).
8 Section 2a of the Asset Investment Act (Vermögensanlagengesetz, VermAnlG), which exempts such platforms from certain requirements as, for instance, the obligation to publish a prospectus provided that certain threshold amounts have not been crossed.
10 More comprehensive capital and other requirements apply if the robo-adviser is entitled to hold the assets and funds of its clients.
11 Grischuk, Robo-Advice, BaFin Journal from August 2017, p. 20, www.bafin.de/SharedDocs/Downloads/DE/BaFinJournal/2017/bj_1708.html (15 February 2019).
12 Section 64(4) Securities Trading Act (WpHG).
13 Section 32(1) of the KWG within the meaning of Section 1 (1a)(2)(3) KWG.
14 Section 63(6) WpHG, Section 302 KAGB and Section 23 KWG.
15 BaFin, Notes regarding the licensing for conducting cross-border banking business and/or providing cross-border financial services, April 2005, https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Merkblatt/mb_050401_grenzueberschreitend_en.html (13 March 2019).
16 Cf. Federal Administrative Court (Bundesverwaltungsgericht), decision of 22 April 2009, Az. 8 C 2/09, juris margin: 41.
17 BaFin, Freedom to provide services and freedom of establishment of credit institutions in the European Economic Area, https://www.bafin.de/EN/Aufsicht/BankenFinanzdienstleister/Zulassung/EU-EWR-Kreditinstitute/eu-ewr-kreditinstitute_node_en.html (15 February 2019).
18 BaFin, Circular 3/2017 (GW) - Video Identification Procedures, www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Rundschreiben/2017/rs_1703_gw_videoident_en.html (15 February 2019).
19 BaFin, Auslegungs- und Anwendungshinweise zum Geldwäschegesetz, https://www.bafin.de/SharedDocs/Downloads/DE/Auslegungsentscheidung/dl_ae_auas_gw_2018.html (15 February 2019) (only available in German).
20 Cf. BaFin, Crowdfunding, https://www.bafin.de/EN/Aufsicht/FinTech/Crowdfunding/crowdfunding_artikel_en.html (12 March2019).
21 BaFin, Merkblatt zur Erlaubnispflicht von Kreditvermittlungsplattformen, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_070514_kreditvermittlungsplattform.html;jsessionid=0510174E1578D35D6508C7AD5765DAF6.1_cid363?nn=7847010, 15 February 2019.
22 Section 32(1) KWG in connection with Section 1(1)(2)(2) KWG.
23 Section 32(1) KWG in connection with Section 1(1)(2)(1) KWG.
24 Section 1(1a)(2)(9) KWG.
25 See in more detail at Section V.ii.
26 Higher Regional Court of Berlin (Kammergericht Berlin), decision of 25 September 2018 – (4) 161 Ss. 28/18 (35/18).
27 Printed Paper of the German Bundestag 19/6034.
28 Section 1(1)(2)(4) KWG.
29 Section 1(1a)(2)(1) KWG.
30 Section 1(1a)(2)(1a) KWG.
31 Münzer, BaFin Journal from January 2014, p. 28 f., https://www.bafin.de/SharedDocs/Downloads/DE/BaFinJournal/2014/bj_1401.html;jsessionid=7F1EB5E2362ED44685B5F3AB5B77FABD.1_cid390 (15 February 2019).
32 Cf. European Court of Justice, decision of 22 October 2015, C-264/14, V, Hedqvist.
33 Ministry of Finance, http://www.bundesfinanzministerium.de/Content/DE/Downloads/BMF_Schreiben/Steuerarten/Umsatzsteuer/Umsatzsteuer-Anwendungserlass/2018-02-27-umsatzsteuerliche-behandlung-von-bitcoin-und-anderen-sog-virtuellen-waehrungen.pdf;jsessionid=41D281B5241D47C388EF2F220B43C946?__blob=publicationFile&v=1 (15 February 2019).
34 Kirsch / von Wieding, Bilanzierung von Bitcoin nach HGB, BB 2017, 2731, 2734.
35 Kirsch / von Wieding, Bilanzierung von Bitcoin nach HGB, BB 2017, 2731, 2734.
36 Blockchain Bundesverband, Finance Working Group, Statement on token regulation with a focus on token sales (undated), p. 3.
37 See German Federal Ministry of Finance (Bundesministerium der Finanzen), https://www.bundesfinanzministerium.de/Content/DE/Standardartikel/Themen/Internationales_Finanzmarkt/2019-03-08-eckpunkte-elektronische-wertpapiere.html (13 March 2019).
38 See in more detail at Section V.i.
39 Blockchain Bundesverband, Statement on token regulation with a focus on token sales, p. 16,
https://bundesblock.de/wp-content/uploads/2018/02/180209_Statement-Token-Regulation_blockchain-bundesverband.pdf (15 February 2018).
40 Blockchain Bundesverband, Statement on token regulation with a focus on token sales, p. 19,
https://bundesblock.de/wp-content/uploads/2018/02/180209_Statement-Token-Regulation_blockchain-bundesverband.pdf (15 February 2018).
42 BGH, decision of 9 December.1975 - VI ZR 157/73, 'Warentest II'.
43 Cf. Bullinger, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht, edition 4, Section 2 rec. 24.
44 Cf. Bullinger, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht, edition 4, Section 7 rec. 3.
45 Cf. Benkard, Patentgesetz, edition 11, Section 15 rec. 5.
46 Cf. Wandtke, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht edition 4, Section 43 rec. 50.
47 Cf. Rother, Rechte des Arbeitgebers/Dienstherrn am geistigen Eigentum, GRUR Int. 2004, 235, 237.
48 CJEU, decision of 19 October 2016 – C-582/14.