I OVERVIEW

There is currently no special legal regime applicable to fintech companies. Generally, the Austrian financial services market is known for its fairly strict licensing requirements. While not targeted at fintech in particular, depending on a fintech's proposed activities, these may impact its business model. Also, the Austrian Financial Market Authority (FMA) is known for its rather strict administrative practice when evaluating whether market participants provide regulated services without a licence. Fintechs are therefore well advised to carefully scrutinise their business models against regulatory requirements applicable in Austria.

Whereas a 'regulatory sandbox' for fintech companies is now part of the current government's coalition pact (but still needs to be established as law), these businesses are presently subject to the same regulatory and financial services framework as other market participants.

A proposal for a regulatory sandbox has been made by the fintech advisory board of the Austrian Federal Ministry of Finance in 2019. The requirements for being included in the sandbox are (among others) a business model that is based on information and communications technology (ICT), that licensing requirements for business models cannot be excluded and that the business model is (from a technical perspective) already ready for testing. The purpose of the sandbox will be to accelerate the market readiness of such business model in a controlled environment, while the fintech is able to resolve any regulatory issue that may exist at the same time. Applicants will need a business plan evidencing also the fulfilment of all requirements for inclusion in the sandbox. The regulator may grant a temporary banking, MiFID II or PSD II licence for fintech companies included in the sandbox.

Independent of the efforts to establish a regulatory sandbox, the FMA is generally aware of the need for fintechs to obtain legal certainty about the applicable regulatory framework, which can be overwhelming for market participants who are unfamiliar with financial services regulation. The FMA has therefore launched a dedicated web-based platform for fintechs, the FMA FinTech Navigator,2 which allows fintechs to liaise with the FMA on questions concerning the supervisory laws (e.g., whether a proposed business activity may trigger licensing requirements or the like). Also, in a Q&A-style questionnaire, fintechs can self-check certain standard business models against possible licensing requirements under Austrian law.

The FMA tends to be supportive when approached in a respectful and constructive manner. If a business model is or may be subject to licensing requirements, the FMA will clearly say so. Should this be the case, fintechs should explore potential alternatives, including partnering with licensed market participants (which could act as fronting banks, for example). White-labelling is becoming increasingly relevant for fintechs.

Furthermore, at present there are no special tax incentives available for fintech companies. Fintech start-ups, however, will benefit from the same incentives as other start-ups. These incentives apply inter alia when companies are newly founded and the core of these incentives is relief from certain statutory taxes and stamp duties. Also, there are various institutions providing support (also in terms of funding) to start-ups and fintechs. One such institute is the Austrian Promotional Bank,3 which has already provided more than €1 billion in funding to start-up companies.

iI Regulation

i Licensing and marketing

Licensing requirements and marketing restrictions will very much depend on a fintech company's business model and the scope of proposed activities.

Generally, different licensing requirements may apply under the Austrian Trade Code or financial supervisory laws.

The Austrian Trade Code will apply whenever (1) the activity is of a commercial nature and (2) is provided in Austria, as long as no regulated activity is conducted (i.e., because in this case special financial supervisory rules apply). Depending on the activities to be provided, the trade licence may be free or regulated. A regulated trade licence bears additional burdens (such as the requirement to set up a branch or subsidiary in Austria).

If the proposed activities are regulated under financial services laws, specific licensing requirements will apply. In a nutshell, Austria has transposed the relevant EU framework legislation under the Markets in Financial Instruments Directive (MiFID II), the E-Money Directive, the Alternative Investment Fund Manager Directive (AIFMD) and the Payment Services Directive II (PSD II). In addition, as a general guideline, fintech companies should be aware that almost all of the services listed in Annex 1 to the Capital Requirements Directive (CRD IV) require a banking licence in Austria. This may be significantly more burdensome than expected as compared to their home state legislation. For instance, such activities include trading with currencies and financial instruments.

Some typical activities of fintechs have the potential to be licensed or otherwise regulated services: (1) internet platforms or app solutions that offer trading venues for tokens or placement services for tokens, in particular Security Tokens (see Section V.iii); (2) initial coin offering (ICOs), initial token offerings (ITOs) or initial exchange offerings (IEOs); (3) crypto miners in certain circumstances where money is collected from the market; or (4) setting up an investment management company or automated digital advisory company.

Special restrictions on marketing fintech services (besides general requirements under competition laws) generally do not apply as long as the activities are not regulated or the products do not constitute financial instruments or securities. Restrictions will apply if regulated services or securities and financial instruments are involved. It is recommended that fintech companies explore specific marketing restrictions that may apply to their specific use case. In particular, marketing via e-mails and cold calling is heavily restricted in Austria. Save for some exemptions (e.g., where the receiver has consented or where previous business relationships exist), generally, no emails may be sent for the purposes of direct marketing.

ii Cross-border issues

The Single European Passport is available for regulated companies under, inter alia, CRD IV, MiFID II, the E-Money Directive, the AIFMD and PSD II. This means that fintech companies that are regulated under their home Member State laws and possess a banking licence, a licence as a payment services provider pursuant to PSD II, a licence as AIFM under the AIFMD, a licence a e-money institute or a licence as an investment firm under MiFID II, may passport their licence into Austria and provide their services in Austria without having to first obtain a licence from the FMA.

Where fintech companies do not provide regulated services and are not licensed under their home Member State legislation, no passport is generally available. To the extent that the Austrian Trade Code applies (see Section II.i above), services may be provided in Austria on a temporary basis only under the EU freedom of services without a trade licence. If a service is targeting the Austrian market on a continuous basis or if the services are continuously provided in Austria, a trade licence will be required (see Section II.i above).

Generally, no reverse solicitation exemption will apply (the MiFID II reverse solicitation exemption will only be available to regulated entities from non-EEA Member States). This means that licensing requirements will generally apply when a foreign person is acting in Austria. The FMA's approach appears to be much stricter than that of the trade authority. As regards regulated services, in order to determine whether a regulated business is conducted in Austria, regulatory practice as applied by the FMA focuses on the place where the offer to enter into a contract is made or where the offer is accepted. As a general rule, market operators will be deemed to carry out licensed banking activities in Austria as soon as any counterparty located in Austria is in a position to enter into relevant, legally binding commitments.

This approach applies irrespective of the means of communication involved. In terms of traditional mail, it will therefore be sufficient if the place of sending and posting the offer to enter into a relevant contract or the acceptance thereof is in Austria. With regard to services offered via the internet, licensing requirements will usually be triggered if clients located in Austria find themselves in the position – technically and legally – to enter into relevant commitments legally binding on them.

This view has further been corroborated by the Austrian Supreme Court in a decision regarding loans granted cross-border by a Swiss bank. Furthermore, case law with respect to a securities portfolio of an Austrian client that was managed outside of Austria (in this instance, the United States) confirmed that advisory services in respect of such portfolio have to be considered to be provided at the place where the customer at the time of provision of these services is located, irrespective of whether such service is provided from outside of Austria via telephone, facsimile, letter, email or similar. Case law further held that the conclusion of an agreement on portfolio management services (to be provided abroad) in Austria was sufficient to conclude that financial services were subject to Austrian licensing requirements.

III DIGITAL IDENTITY AND ONBOARDING

Whereas there is no generally recognised digital identity in Austria, the 'citizen card' and a mobile phone signature allow for a secure and authentic electronic signature. A person may officially sign documents via authentication by smartphone app or via a dedicated website. By law, this electronic signature has the same effect as a handwritten signature.

The electronic citizen card and the mobile phone signature is also available to non-Austrian citizens, although the person must be a permanent resident of Austria. The citizen card can be obtained and the mobile phone signature can be activated in various ways, for example, via the online tool of the Austrian tax authorities or in certain Austrian banks or authorities acting as registrars.

Fully digitised onboarding of clients should generally be feasible but will very much depend on the technical infrastructure available. The legal framework for digitised onboarding is set by the FMA in its Ordinance on Online Identification (the FMA Online Identification Ordinance). Many banks use third-party providers to comply with the rather strict standards for online identification set in the FMA Online Identification Ordinance (e.g., conduct of the identification by educated personnel in a separate room with access control, live identification) by way of outsourcing. Such onboarding is most commonly conducted via videoconference, where an operator verifies the identity of the customers in compliance with the FMA Online Identification Ordinance.

IV DIGITAL MARKETS, PAYMENT SERVICES AND FUNDING

i Payment services

Payment services are regulated under the Payment Services Act, implementing PSD II. Certain services, such as issuing payment instruments or providing money transfers, are regulated and require a payment services licence.

Exemptions as outlined in the PSD II also apply in Austria. The most important exemption relates to the provision of payment services in a limited network. This means, for example, where a payment instrument is only accepted by very few vendors for a specific product (e.g., gas payment cards issued by gas station operators for payment of gas only) or by one vendor for a limited number of products or services or in a limited number of places (e.g., its stores), the issuance of such instruments will not necessarily trigger licensing requirements.

Upon request of the customer, banks are required to provide third parties access to a customer's account. This was intended inter alia to help fintech start-ups with innovative business models that depend on such data (e.g., platforms for combined access to bank accounts held with different banks).

ii Collective investment schemes

Collective investment schemes are largely regulated under Austrian law in the form of a fund or alternative investment fund (AIF). Depending on how they are structured, collective investment schemes may qualify as undertakings for the collective investment in transferable securities (UCITS) under the Austrian Investment Fund Act or AIFs under the Austrian Alternative Investment Fund Manager Act. An AIF can take whatever legal form possible and is not limited to fund entities similar to UCITS. For instance, some forms of private equity instruments (e.g., shares in private limited partnerships) may qualify as AIFs under Austrian law. But also less obvious forms have been deemed as AIF by the FMA: a crypto mining company, for instance, was held to be a AIF. This was based on that mining company offering crypto mining plans to customers where customers could participate in income generated from the company mining certain crypto currencies. When managing or offering an AIF, licensing or registration requirements will apply.

Securities and investments

The offering of tradeable securities, such as bearer shares or bonds, is subject to prospectus requirements under the Prospectus Regulation and the Austrian Capital Markets Act 2019 (CMA) supplementing the Prospectus Directive. Exemptions to the prospectus requirements are available.

Furthermore, besides the offering of securities the public offering of investments is also subject to prospectus requirements under the CMA. An investment is the offer of any form of right that is not a tradeable security, provided that a group of persons invests in a project or company or asset and shares the risk associated with the investment. An investment prospectus is considerably less burdensome than a security prospectus and follows the scheme as outlined by an annex to the CMA. Generally, the same exemptions to prospectus requirements as with respect to securities also apply to the offering of investments. Typical forms of investments are, for example, subordinated loans, profit participation rights and limited partnership shares.

If securities and investments are issued below an amount of €5 million, only a simplified prospectus is required and is optional. This simplified prospectus does not follow the schemes under the Prospectus Regulation, but a specific scheme as annexed to the CMA. The advantage of the prospectus being slimmer and less burdensome to produce is, however, accompanied by the disadvantage that passporting of the simplified prospectus into other EEA Member States is not possible. This limits fundraising via such simplified prospectus to Austria, unless the offering of the securities in other EEA Member States is done in reliance on a official exemption from prospectus requirements under the Prospectus Regulation.

Alternative financing instruments

Since 2015, the Austrian legislator provides for simplified requirements to funding by way of the Austrian Alternative Financing Act.

The Alternative Financing Act (AFA) was initially introduced to help small and medium-sized enterprises (SMEs) conduct crowdfunding by a set of rules allowing easier access to funding. While donation or rewards-based crowdfunding was not subject to any substantial restrictions, typical crowdfunding campaigns involving the collection of money from the public for investment purposes was usually subject to prospectus requirements under the CMA (see Section IV.ii above).

Subsequently, the AFA was amended and aligned with the CMA. It now no longer distinguishes between the issuance of securities and investments under the CMA on the one hand and the issuance of alternative financial instruments under the AFA on the other. Rather, the AFA now applies to the issuance of securities and investments under reliance on an exemption from prospectus requirements under the CMA. The simplified framework does no longer solely apply to SMEs that are required to use funds directly for their operational expenses. Rather, all sorts of issuers (including licensed entities) are able to make use of the simplified rules.

Under the revised AFA, securities may be issued without the need to prepare a prospectus if the total amount of each issuance does not reach €2 million. This, however, does not mean that such issuances are not regulated. Issuers will need to prepare a key information document that will disclose essential information about the issuer and the relevant project to investors. Still, the burden to prepare a (simplified) prospectus and (with respect to securities) get the prospectus approved by the regulator (FMA) has been lifted – which should help reduce costs for issuers.

Regard must be had to the following restrictions: (1) the aggregate outstanding amount of all investments raised via the AFA may not exceed €5 million over a period of seven years; (2) the aggregate amount of all securities and investments issued pursuant to the AFA may not exceed €2 million over a 12-month period; and (3) the aggregate outstanding amount of all securities and investments in the European Union may not exceed €5 million over a period of 12 months. If by new issuances these thresholds would be exceeded, any such new issuance will require a prospectus under the CMA (see Section IV.ii above).There are limits to the amounts that retail investors may invest in alternative financing instruments (generally €5,000 in a 12-month period), which will need to be taken into account when determining the target market for such an instrument.

Issuers of securities are not bound to rely on the simplified rules. They may continue to prepare a full EU securities prospectus (e.g., when this is beneficial for placement of the securities or the like or passporting of the prospectus is intended); in this case, the rules of the AFA will not apply to such issuances.

iii Lending

Lending is a licensable banking activity under Austrian law. There are no exemptions for peer-to-peer lending or start-up companies; however, the FMA does not appear to pursue private individuals who participate in peer-to-peer lending platforms. It should be noted that the intermediation of loans can also be a licensable banking activity, unless certain exemptions apply, in which case only a regulated trade licence will be required (see Section I above).

Furthermore, factoring is a licensed banking activity under Austrian law. More precisely, the purchase of receivables, including loans, requires a banking licence. The assignment of receivables is also subject to an ad valorem stamp duty in the amount of 0.8 per cent of the assigned value. Certain exemptions to the stamp duty may apply, for example, assignments in the course of a factoring transaction or an assignment of receivables to a securitisation special-purpose entity. No perfection requirements apply with respect to an assignment of receivables. The assignment will be valid once agreed between the parties or in accordance with the terms of the contract. However, a third-party debtor may raise defences and may also declare set-off against the new assignee until being notified of the assignment.

iv Digital marketplaces

Legal requirements for digital marketplaces will depend on the assets that are traded or offered via such marketplaces: where securities are offered and traded, a marketplace could – depending on the exact services offered – qualify as either a stock exchange, multilateral trading facility (MTF) or organised trading facility (OTF). To operate a stock exchange, MTF or OTF requires the operator to be licensed. Unoffocially, the FMA has suggested that no such licence would be required since an MTF or OTF requires by definition that the securities are held by a central depository – which is not the case for tokens. In addition, participating in underwriting third-party securities issues as well as related services (third-party securities underwriting business) is subject to a banking licence under the Austrian Bank Act. Where only investments (see Section IV.ii above) are offered or traded, a regulated trade licence (see Section II.i above) may be required.

In terms of ICOs and cryptocurrencies, a platform will be subject to the above requirements where the coins or tokens are qualified as investment or security (see Section V.iii below). Trading platforms for genuine cryptocurrencies – like Bitcoin and Ether, which do not have an issuer that is collecting money from the public – will usually require no financial services licence but may require a free trading licence (see Section II.i above).

Crowdfunding platforms can be subject to the above licensing requirements – depending on their exact business and services offered. In order to avoid licensing requirements, platforms in Austria have taken different approaches – some do not include securities (including security tokens), while others limit the services so that in fact no licensed service is provided. Often, such platforms are reduced to mere marketing platforms but operators refrain from offering trading (selling or purchasing) securities and tokens or placement of such instruments.

V CRYPTOCURRENCIES, INITIAL COIN OFFERINGS (ICO) AND SECURITY TOKENS

There is no specific regulation of blockchain technology in Austria. The FMA considers the current legislation to be technology neutral.

i Genuine cryptocurrencies (Bitcoin and Ether)

Cryptocurrencies without an issuer that are generated via a blockchain protocol using mining and distributed ledger technology – such as Bitcoin and Ether – are not considered currencies or financial instruments or tradeable securities in Austria.

This means that trading in such cryptocurrencies is not a regulated activity, but depending on the business model, a trade licence may be required (see Section I above). Nevertheless, if the underlying asset of a derivative instrument consists of cryptocurrencies, this derivative instrument may qualify as a financial instrument under MiFID II. It may be assumed that the same should apply if the value of a token is linked to cryptocurrencies such as Bitcoin or Ether. However, it is not clear that stablecoins linking a token to a fiat currency are treated the same by the FMA. Rather, it appears that the FMA treats such stablecoins as e-money.

Since implementation of the amendment to the EU Anti-Money Laundering Directive (5AMLD) in early January 2020, the applicable anti-money laundering (AML) rules extend to custodian wallet providers and platforms for exchanging cryptocurrencies. Such providers now need to file a registration with the FMA and must evidence a compliance programme ensuring full adherence to AML rules.

ii Payment token

Slightly different from cryptocurrencies like Bitcoin and Ether, tokens can also take the form of payment tokens that have a similar function to Bitcoin and Ether but are issued by an entity or person.

Currently, some market participants are trying to establish stablecoins that are effectively mirroring a fiat currency such as the euro. Such coins could, for example, be used to pay for goods and services – if the service provider was willing to accept such coins and if some other person was willing to exchange such coins either against fiat currency or potentially also other types of cryptoassets. Depending on the exact features, such payment tokens could qualify as e-money and issuing such payment tokens may require a licence as an e-money institute. A licence under the Banking Act or the Payment Services Act may be also required, for example, for issuing payment instruments or for providing payment services. There are exemptions from licensing requirements available that would need to be scrutinised on a case-by-case basis.

No securities prospectus (see Section V.iii below) is required to issue payment tokens.

iii Fundraising via tokens

Fundraising via tokens is generally subject to the same rules as any other form of fundraising (see Section IV.ii above). These rules apply when funds are raised in Austria irrespective of whether the issuer or offeror is domiciled in Austria or acting from abroad.

Security tokens

If tokens are structured as tradeable securities, they are most commonly referred to as security tokens and may be qualified as financial instruments and transferable securities, provided such security tokens are freely tradeable in a similar way to securities (presumably the case with any ERC-20 token). Hence, the public offer of such tokens may be subject to prospectus requirements (see Section IV.ii). However, there is also a significant advantage for issuers when tokens are considered as securities, as they will be able to benefit from prospectus passporting rules that would otherwise not be available for initial coin offerings (ICOs) or initial token offerings (ITOs). On the other hand, such qualification might adversely impact certain business models of fintech companies. For example, trading in security tokens may require a banking licence in Austria, advising customers on investments in security tokens might be considered as investment advice under MiFID II, and accepting and transmitting orders for security tokens may also be regulated under the Austrian Securities Supervision Act 2018.

As outlined in Section IV.ii, the offering of investments is also subject to investment prospectus requirements under the CMA. Whenever such investments are represented in token form, particular scrutiny must be applied. This is because the FMA considers investments that are 'tokenised' (i.e., issued in token form) to be tradeable securities for the purposes of prospectus requirements (see Section IV.ii). Hence, such tokens also qualify as security tokens. This means that such ICOs/ITOs will require a securities prospectus instead of the more simplified investment prospectus (see Section IV.ii).

All exemptions from prospectus requirement and the easements contained in the AFA should also apply to security tokens and ICOs/ITOs.

Utility tokens

Utility tokens are usually structured like vouchers and grant holders the right to exchange their tokens against goods or services (of the issuer or service partners). Such tokens are qualified as payment instruments by the FMA. However, the FMA considers the limited network exemption under PSD II to be applicable, provided that the tokens are only accepted by the issuer of the tokens and a limited number of service partners (see Section IV.i). Otherwise, a licence under the Payment Services Act, implementing PSD II, may be required.

iv Tax treatment

Income tax and capital gains tax

Cryptocurrencies are treated as immaterial and non-consumable assets for income tax purposes. Interest and gains resulting from cryptocurrencies and tokens are subject to capital gains tax. If held for one's private assets, gains resulting from trading cryptocurrencies are tax-free if the cryptocurrencies are held for longer than one year.

The mining of cryptocurrencies is considered a commercial activity subject to income tax. The same applies to trading cryptocurrencies or operating a Bitcoin ATM.

VAT

According to the Austrian Ministry of Finance, in accordance with C-254/14 of the European Court of Justice (Hedqvist), exchanging fiat currency (e.g., the euro) against cryptocurrencies is not subject to VAT. The same applies to cryptocurrency mining.

If goods and services are delivered in exchange for Bitcoin or other cryptocurrencies, the goods and services are taxed the same way as payment effected in fiat currency (e.g., the euro). The amount of tax is calculated in accordance with the value of the cryptocurrency at the time of the exchange.

VI OTHER NEW BUSINESS MODELS

i Self-executing contracts

There is currently no special legal framework in place for self-executing contracts ('if this then that' (IFTTT)). Any such smart contract would therefore need to fit into existing Austrian civil law rules on contract formation, rights and remedies, enforcement and potential termination or dissolution. When using smart contracts, various legal uncertainties will exist: from the choice of law, to jurisdiction in case of conflict, to questions of warranties and potentially the need to reverse a transaction.

Having in mind the above, smart contracts appear as suitable instruments to execute certain transactions that have been agreed off-chain (e.g., a smart contract to execute a sale and purchase of tokens etc). In such case, the smart contract itself does not establish the obligation but rather the automatism of the smart contract (IFTTT) enables automatic settlement.

Like any other form of contract, if one party wishes to enforce its rights under the contract in Austria, it will need to prove that the other party in fact entered into it. It is largely unclear how such evidence capable of standing up before an Austrian court could be produced in case of self-executing contracts (smart contracts), but this is ultimately a question about what is technically feasible in order to prove the identity of the contracting parties, for example, the implementation of an authentic electronic signature (see Section III).

ii Fully automated investment process

For licensing purposes under the Austrian Banking Act or the Austrian Securities Supervision Act 2018, it does not matter whether regulated activities are provided in fully automated form or whether an employee is acting on behalf of the investment company. Hence, entities that offer fully automated investment advice or fully automated portfolio management services will also require the respective licences under Austrian law.

iii Websites comparing products

There is no general rule prohibiting a website that compares different financial products. However, there is a thin line between the mere comparison of the features of regulated products and being seen to offer or market those products to the public. Website operators are well advised to take into account the specific marketing rules in the various legal acts applicable to financial products, including the Securities Supervision Act 2018, the Investment Fund Act or the CMA.

iv Decentralised exchanges

Decentralised exchanges allow for peer-to-peer transactions between customers without the operator or a central counterparty or intermediary being involved. To the extent that such decentralised exchange facilitates the trading of securities and security tokens, a licence under the Austrian Banking Act or the Securities Supervision Act 2018 may be required (see Section IV.iv).

VII INTELLECTUAL PROPERTY AND DATA PROTECTION

i Intellectual property

A business model as such cannot be protected under Austrian law. However, depending on the business model, some aspects relating to it (such as software solutions or inventions necessary to facilitate the business activities) may be subject to protection under local Austrian intellectual property rules:

ii Patent

Patent protection will be available for all inventions in the technical sector that are new, do not derive from prior art in an obvious manner and can be commercially used.

The Austrian Patent Act excludes certain inventions, products and methods from patent protection, including scientific theories and mathematical methods, aesthetic creative forms, plans and methods for intellectual activities, for games or for business activities and computer programs.

Patent protection grants protection for up to a maximum of 20 years.

iii Utility patent and design patent

Protection as a utility patent will be available for all inventions in the technical sector that are new, derive from an inventive step and can be commercially used. Excluded from protection are, inter alia, scientific theories and mathematical methods, aesthetic creative forms, plans and methods for intellectual activities, for games or for business activities and computer programs. However, unlike patents, utility patents may also be used to protect programming logic underlying data processing software. A utility patent is granted for a maximum period of 10 years.

Protection as a design patent is available for new and characteristic designs. If a design results solely from a technical function, no protection will be granted. A design patent is granted for a period of five years, which can be extended by further five-year periods up to a maximum term of 25 years.

iv Copyright

Unique intellectual creations are protected by the Austrian Copyright Act. Besides works of art (paintings, films, etc.) and literature, copyright protection may extend to software (including source codes) and databank solutions under Austrian law, provided that these achieve the status of unique intellectual creations. Under Austrian law, the creator is always a natural person. Legal persons cannot be creators within the meaning of the Austrian Copyright Right Act but may, of course, be granted (exclusive or non-exclusive) rights of usage or exploitation.

In terms of software protection, the Austrian Supreme Court held that what is protected is not a work result achieved by a software application, but the individually shaped problem solving achieved by combining many programming steps. A prerequisite for the protection of the programming steps is that they have a certain complexity. In another case, the Supreme Court decided that computer programs have the necessary complexity, for example, if the task at hand allowed for several solutions and the programmer had sufficient freedom of thought to develop individual features. This is to be assumed either in the case of complex programs or if an unusual degree of experience, skill and expertise is manifested in the work. It is also decisive whether a program is newly created or whether the programmer can essentially fall back on already existing program modules.

The copyright ends 70 years after the (last) creator's death.

v Employee inventions

Patents and utility patents

Generally, an employee who creates an invention while being employed by his or her employer nevertheless has the right to patent protection. A contractual arrangement to the contrary is possible but will only be valid to the extent that it concerns 'service inventions'. A service invention is any invention (1) whose creation was part of the activities that the employee was tasked to provide, (2) which was inspired by the services provided by the employee to his or her employer, and (3) which was facilitated to a substantial extent through use of the resources of the employer.

The employee is nevertheless entitled to appropriate additional compensation for each invention, unless the employee was expressly employed for the purpose of creating inventions for the use of the employer. Ultimately, the employment contract will need to be analysed under labour law to determine whether compensation is owed by the employer to the employee.

The rules applicable to patents will also apply mutatis mutandis to utility patents.

Design patens

If the creation of the design patent was part of the activities that the employee was tasked to provide and the design patent is part of the business area of the employer or if the design patent was created by the employee by order of the employer, the employer will have the right of protection. There is no provision in the Austrian Design Patent Act that would provide for additional remuneration of the employee. Hence, questions of additional remuneration will predominantly be a question of employment or labour law with a specific focus on the contractual arrangement between the parties.

Copyright

An employer will be granted an unlimited right of usage for computer programs that are created by an employee in fulfilling his or her duties in relation to the employer. However, the employee retains the right to be named as the creator. There is no provision in the Austrian Copyright Act that would provide for additional remuneration of the employee. Hence, questions of additional remuneration will predominantly be a question of employment or labour law with a specific focus on the contractual arrangement between the parties.

vi Data protection

Data protection in Austria is governed by Regulation 2016/679 (the General Data Protection Regulation (GDPR)) and by the Austrian Data Protection Act (supplementing the GDPR).

Under the GDPR, personal data that allows for the identification of natural persons is protected and subject to a strict regime. Any person about whom data is processed (the data subject) has certain rights under the GDPR that cannot be derogated from. These rights include the right to obtain transparent information from the controller, the right to obtain rectification of inaccurate personal data, the right to erasure (right to be forgotten), the right to restriction of further processing and the right to object to data processing.

Profiling of client data is part of many fintechs' business models and is covered by the GDPR. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is subject to specific regulation under the GDPR, including the right of the client to object.

Under the GDPR, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. This may in particular apply to certain fintechs with business models built on extensive and elaborate data mining, processing or profiling.

Fines under the GDPR are quite hefty and range from between €10 and €20 million and 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is the higher.

In addition, strict banking secrecy applies under Austrian law. All client banking data is protected, even the information that a certain person is a client of a bank. Unlike the GDPR, banking secrecy will also protect legal persons. Any service provider acting for a bank in Austria (e.g., a fintech company providing outsourcing services for a bank) will be bound by banking secrecy by law. Hence, the outsourcing provider will be directly subject to the sanctions of a breach of banking secrecy, including criminal liability.

Data protection and banking secrecy need to be read together – where both are applicable, the stricter standard will prevail. This means that where data processing is permissible under the GDPR but not under banking secrecy, the data processing is not allowed. The same applies vice versa: where data processing is permissible under banking secrecy but not under the GDPR, the data processing is not allowed.

VIII YEAR IN REVIEW

The past year saw an increased focus on security tokens. As investors shifted away from utility tokens (that do not offer investors any repayment of their capital but rather serve as glorified coupons), start-ups had to consider alternative forms to fundraise via tokens. The predominant capital markets instruments currently being tokenised as security tokens in the Austrian market are profit participation rights. Depending on the exact structuring, such security tokens are often hybrids between debt and equity with the security tokens usually representing a right to a portion of the issuer's profits.

Currently, the market is seeking ways to offer investors security tokens conferring rights in real properties. Due to the strict requirements of Austrian real property law, usually security tokens are not being able to be directly collateralised by the underlying real property – rather market practice tends to, again, offer profit participation rights in real estate developing companies.

On the regulatory side, a light on the horizon emerged through the draft proposal for a regulatory sandbox (see Sections I and IX).

IX OUTLOOK AND CONCLUSIONS

Following some turmoil in the Austrian government (which lead to an inactive interim government and new elections in the autumn of 2019), the proposal for the regulatory sandbox outlined in Section I still needs to be enacted into law. As the new government led by the Austrian People's Party and the Green Party have voiced support for new technologies and in particular blockchain and fintech projects, it is to be hoped that progress may soon be reported.

Meanwhile, depending on a fintech company's exact business model, licensing requirements may apply. One possible solution for fintech would be to partner with existing and regulated market participants (white-labelling). Any licensable activities would formally be provided by the regulated partner entities, while fintech companies would undertake to provide those entities with specific fintech solutions or act as an outsourcing provider. This would allow them to establish unique and innovative business models while adhering to the regulatory framework. If a business model proves successful, fintech companies could decide at a later stage to seek the required licences themselves.

As all applicable major EU framework legislation (MiFID II, PSD II, 5AMLD) has been implemented, there is currently no further legislation to be expected. However, fintechs and other start-ups can also look forward to the European Commission's initiative on an aligned European Union crowdfunding regulation. In December 2019, it was announced that the European Parliament's negotiating team had reached a deal with the Council to allow for cross-border crowdfunding. For amounts up to €5 million, the new regulation shall ease requirements for fundraising, while at the same time ensuring investor protection through a key investment information sheet rather than a full capital market prospectus. While the full text of the final proposal is yet being drafted by the EU's institutions, the draft proposal very much appears to follow the Austrian sample approach under the AFA (see Section IV.ii above).


Footnotes

1 Stefan Paulmayer is a partner at CMS Reich-Rohrwig Hainz Rechsanwälte GmbH.