I OVERVIEW

Since the publication of the second edition of The Financial Technology Law Review in 2019, the German fintech market has matured. It seems that a consolidation phase has been reached where the fintech market's influence on the financial sector is of rather evolutionary nature.2 Although a 'winner-takes-all' phenomenon was recently observed in the fintech industry (attributed to increased competition and high acquisition costs), fintechs are expected to benefit from new business opportunities, especially in the field of artificial intelligence, big data and distributed ledger technology.3 It might also be perceived as an indication of a matured market that fintech companies have increasingly been integrated by banks and financial institutions into their value chains.4 The trend towards consolidation might further be accelerated by the current corona-virus pandemic, which is likely to result in tremendous challenges for all participants in the financial sector.

These developments, however, do not mean that the German fintech market has become stagnant. The opposite is true. Fintech-related topics have been frequently and intensively discussed in Germany not only by participants in the financial sector but also by politicians and regulatory authorities. The public interest caused by Facebook's initiative to introduce Libra as a global virtual payment instrument backed by fiat currencies has certainly contributed to the momentum of the current developments. Particularly the question of whether the present legal framework gives sufficient leeway for the application of blockchain-based business models while simultaneously providing a sufficient level of protection for market participants has been the subject matter of such discussions. As a result, the German legislator recently introduced new statutory provisions according to which crypto values qualify as financial instruments for financial licencing purposes. Further, the crypto custody business was introduced as a new type of service, which is subject to a licence requirement under the German Banking Act (KWG).

In recent years the activities in the field of policy and financial market regulation that have been sparked by the insight that digitalisation will fundamentally change the financial industry included the assignment of a study to get a better understanding of the fintech market in Germany,5 the formation of the FinTech Council by the German Federal Ministry of Economics that aims to enhance the dialogue among business, politics and academia6 as well as a joint paper of the German Federal Ministry of Finance and the German Federal Ministry of Justice and Consumer Protection concerning the regulatory framework for blockchain-based securities and crypto tokens aimed at fostering innovation and investor protection.7 Further, the German Federal Financial Supervisory Authority (BaFin) has published several statements, explanations and opinions,8 including the perspective of BaFin on topics such as big data and artificial intelligence, distributed ledger technologies as well as digitalisation and information security.9 The new statutory rules on crypto values and the crypto custody business as well as the plans of the German government concerning special rules for blockchain-based securities also indicate that the legislator has realised the need to provide legal certainty for innovative business models and services.

Generally, German legislator and BaFin apply the technology-neutral principle of 'same business, same risk, same regulation'.10 This includes that neither the legislator nor BaFin has promulgated rules that privilege fintech companies compared to traditional players in the financial sector. Therefore, a 'sandbox' model that establishes an innovation space where fintech companies may test business models without tight regulation as established in the United Kingdom and in Switzerland has not been introduced in Germany yet.

Hence, BaFin attempts to find a balance between supervisory concerns and the start-up culture that often exists in fintech companies. As part of its efforts in this regard, BaFin provides fintech companies with information concerning supervisory issues on their website.

There is no special public funding instrument for fintech companies, but the German Ministry of Economics has set up the programme 'INVEST' to help start-ups raise venture capital. If business angels purchase shares of newly founded innovative companies and hold them for more than three years, 20 per cent of their original investment will be reimbursed by the state up to a limit of €100,000.11 To qualify for the programme, investors have to spend at least €10,000. Invested capital must not result from a third-party loan to the investor. Furthermore, the business angel has to participate in the new company's gains and losses. Investors must be natural persons living in the European Economic Area or must use special investment companies registered in Germany (e.g., the limited liability company, GmbH).

Generally speaking, German regulatory authorities and the government emphasise that they recognise the potential of fintech for public economic benefit, while the regulation still seems rather conservative when the traditional regulatory standards, which stem from the pre-digitalisation era, are applied. Nevertheless, the efforts of BaFin to support fintech companies by offering detailed legal information and by improving the communication channels, as well as recent legislative changes concerning the regulatory requirements for cryptoasset-related services, are evident.

iI Regulation

i Licensing and marketing

The general rules apply to licensing and marketing of fintech companies in Germany. Since there is no specific fintech licence available in Germany, the regulation of fintech companies depends ultimately on the business they carry out. This again results from the technology-neutral 'same business, same risk, same rules' approach. The entire array of licences and marketing restrictions may therefore become relevant for fintech business models.

In particular, the following types of licences have to be taken into account:

  1. licence pursuant to Section 32 (1) Banking Act (KWG) for providing banking businesses within the meaning of Section 1(1)(2) KWG or financial services within the meaning of Section 1(1a)(2) KWG (including, since 1 January 2020, the crypto custody business within the meaning of Section 1(1a)(2) No. 6 KWG, which is of particular relevance for fintech companies);
  2. licence pursuant to Section 10(1) Payments Services Supervisory Act (ZAG) for providing payment services or pursuant to Section 11 ZAG for the issuance of e-money;
  3. licence pursuant to Section 20(1) Capital Investment Code (KAGB) or, less burdensome, the mere registration pursuant to Section 44(1) KAGB for offering collective asset/funds management;
  4. licence pursuant to Sections 34c, 34d and 34f Industrial Code (GewO) for the brokerage of loans, insurance contracts and certain financial products; and
  5. licence pursuant to Section 8(1) Insurance Supervisory Act (VAG) for conducting insurance business.

In general a licence requirement is triggered if someone intends to provide in Germany commercially or on a scale which requires a commercially organised business undertaking one of the services listed in the comprehensive catalogues of regulated activities referred to above. Consequently, it needs to be carefully analysed whether a fintech business model falls within the scope of one or several of such regulated services.

Depending on the type of licence, different authorities might be competent to grant the relevant licence. Placing the competent authorities in a hierarchy, the European Central Bank (ECB) is at the top with its competence for granting licences for institutions that intend to carry out banking business that includes lending and deposit-taking business. Beneath the ECB, BaFin is the competent authority for institutions that intend to provide banking business except for lending and deposit taking, including investment services and other financial services, payment services, collective asset or funds management and insurance business. The third level in the hierarchy would consist of the authorities which have been endowed under the German federal state laws with the competence to grant licences pursuant to the GewO.

All these types of licences may become relevant for fintech business models. This can be illustrated by the observation that the first 'fintech banks' were established in Germany holding a banking licence granted by ECB.

Both the requirements to obtain a licence under the German financial supervisory laws and subsequent ongoing legal requirements depend on the type of licence. For instance, the requirements to obtain a licence pursuant to Section 32(1) KWG for providing investment brokerage or investment advice are less tight than for guarantee or for safe custody business. In this regard, it makes a significant difference for regulatory purposes whether an institution is entitled to hold funds or assets for its clients because in this case the regulatory requirements are more comprehensive and stricter.

The newly introduced licence requirement for the crypto custody business under the KWG may be considered the first fintech-specific or at least fintech-focused licence requirement under German law. The corresponding changes to the KWG were made in the course of the implementation of the Fifth EU AML-Directive (Directive (EU) 2018/843) but without the legal necessity under EU law to make such changes of the KWG. The relevant Section 1(1a)(2) No. 6 KWG defines crypto custody business as custody, management and safeguarding of crypto values or private cryptographic keys used to hold, store or transfer crypto values as a service for others. Cryptographic values, which are (now explicitly) included in the catalogue of financial instruments under Section 1(11) sent. 1 No. 10 KWG, are defined as digital representations of value that are not issued or guaranteed by a central bank or a public authority, do not possess statutory status of currency or money, but are accepted by natural or legal persons as a means of exchange or payment, or which serve investment purposes and which can be transferred, stored and traded electronically. Consequently, the term crypto value includes not only crypto currencies like Bitcoin but also investment tokens. The broad definition of the terms crypto value and crypto custody business (including also the activities relating to private cryptographic keys) results in a wide scope of the new licence requirement. The KWG, however, provides for certain relief insofar as crypto custody service providers focusing on this type of financial service (i.e., that do not carry out any other regulated activities) do not have to meet all regulatory obligations applying to other providers of financial services. Instead, such crypto custody service providers are exempted from the general capital and liquidity requirements under the CRR (Regulation (EU) No. 575/2013) and some other rules. However, the requirements on the initial capital, reputation of the board members, proper business organisation and related reporting obligations do apply. The new licence regime for custody service providers also includes certain transitional provisions so that such service providers may adapt to the new requirements if they submit a complete application for the necessary licence until 30 November 2020. Further guidance with respect to crypto custody business and the transitional period has been provided by BaFin.12

Although it would exceed the given framework to elaborate on the licence requirements for every single fintech-relevant business model, it may be worth illustrating the licence requirement by reference to the robo-advice business models, as these have become popular in Germany in the recent years.

Generally speaking, a robo-adviser might be subject to a licence requirement pursuant to Section 32(1) KWG, in particular to provide investment brokerage, investment advice or portfolio management services. BaFin will only grant the necessary licence if, among other requirements, the applicant has at least €50,000 at its free disposal,13 if its managing directors are professionally qualified and with an impeccable reputation and if the applicant can prove that proper risk-management will be in place when the regulated business will be commenced.

By way of exception from this general licence requirement under the KWG, investment brokerage and investment advice may be provided under the less restrictive licence pursuant to Section 34f GewO; however, only specific financial products may be brokered or recommended under this privileged licence, which is granted not by BaFin but by the competent authorities in accordance with the laws of the relevant federal state. An additional exception is available for tied agents who closely cooperate with a licensed institution.

When robo-advisory models were introduced, some of the service providers offered robo-advice in the form of investment brokerage by connecting the supply of specific financial products to customers' demand for financial instruments. These models try to implement a structure where the client stays in charge of the investment process so that the client makes the ultimate decision to buy or sell a financial instrument. There is, however, a thin line between investment brokerage and investment advice. Although BaFin did not pursue a strict approach until 2017, it then made clear that a robo-adviser provides investment advice if clients could get the impression that the investment proposals presented by the robo-adviser are tailored to their individual circumstances.14 The distinction between both types of investment services becomes relevant for the type of licence which is required and, in practice more important, with respect to the requirements which the robo-adviser must comply with in offering its services. Particularly the suitability report that an investment adviser must prepare and which is aimed to show how the recommended financial products suit the needs of the client15 is for many robo-advisers a bureaucratic obstacle they would like to avoid.

Both the stricter position of BaFin and the preference not to prepare for each investment a suitability report have led to many robo-advisers becoming licensed as portfolio managers.16 Providing such type of investment service, however, involves the obligation to adhere to a comprehensive set of rules of conduct so that robo-advisers must thoroughly analyse which route suits them best and which type of licence they need for their individual business model.

With respect to marketing regulations applicable to fintech companies in Germany, the general rule is that marketing must be fair, transparent and not misleading. These principles follow from the Act against Unfair Competition (UWG) but are also included in some of the statutory provisions for financial services.17 Whether additional rules have to be taken into account depends primarily on the understanding of the term 'marketing'.

As far as marketing for investment services within the meaning of Section 2(8) of the WpHG is concerned (including investment brokerage, investment advice, portfolio management, underwriting business etc.), it is rather difficult to distinguish marketing from the rules of conduct for service providers set out, inter alia, in Section 63 et seq. of the WpHG and a regulation promulgated thereunder (WpDVerOV) but also in various delegated regulations promulgated under MiFID II. These require that offerors of investment services provide their potential clients with mandatory information regarding, for instance, their products (e.g., key information sheets), potential conflicts of interest and inducements, and that they obtain certain information from their clients. Further, investment service providers must comply with detailed requirements set out in the Minimum Requirements for the Compliance Function and Additional Requirements governing Rules of Conduct, Organisation and Transparency (MaComp) which have been promulgated by BaFin.

Similar rules as for investment services apply to the marketing of funds under Section 298 et seq. of the KAGB. The information obligations for professional or semi-professional clients are less comprehensive than those for retail clients.

Regarding marketing for payment services, a comprehensive set of pre-contractual information obligations is provided for in the German Civil Code (BGB) in conjunction with Art. 248 of the Introductory Act to the BGB (EGBGB).

Further, marketing for certain fintech related services might entail the obligation to publish a prospectus. Such obligation is usually be triggered once a public offer for securities or financial assets has been made in accordance with the Prospectus Act (WpPG) or the Asset Investment Act (VermAnlG). In particular, the prospectus obligation under the VermAnlG may become relevant for fintech business models such as, for instance, crowdfunding or P2P lending platforms.

Fintech companies in Germany should therefore check whether marketing for their business might be captured by one of the comprehensive legal regimes for marketing.

ii Cross-border issues

As a general rule, the German regulations apply to each service provider conducting its business in Germany. This means that the rules – particularly the licensing requirement – not only apply if the service provider has its registered office in Germany, but also if it actively targets the German market cross-border.18

Pure accessibility of the relevant services via the internet in Germany may be considered sufficient to assume that a service provider is actively targeting the German market. The regulations apply if the offeror of the relevant services intends the service to be used by German customers among users of different nationalities.19 If a service provider maintains its website in German, this is considered to be a strong indication of actively targeting the German market.

If, however, the provision of regulated services cross-border is concerned, the privilege to notify German regulators of existing licences from a home Member State within the European Economic Area (EEA) might offer an exception from this general rule, which may appear very strict at the first glance. The European 'passport' has been introduced for many regulated services such as, for instance, certain types of banking business, investment services as set out in Annex 1 of MiFID II and payment services. If a service provider has been licensed in its EEA-home Member State, the service provider may notify its competent supervisory authority of its intent to offer the regulated services also in Germany.20 Generally speaking, the service provider may commence the regulated business without a separate licence in Germany either on a cross-border basis or through a branch once the competent supervisory authority in the home Member State has informed BaFin, which subsequently has confirmed that the service provider may commence its business in Germany. In this scenario, the supervisory authority in the home Member State is generally responsible for the supervision of the service provider's activities in Germany, subject to certain residual competences of BaFin and the German Federal Bank. The limitation of the European passport to institutions with registered seat in the EEA is one of the main reasons why the decision of the United Kingdom to leave the EU and the EEA (Brexit) has caused such a turmoil in the financial sector. If the EU and the United Kingdom do not endorse an agreement providing for a regulatory framework following the lapse of the transitional period under the Withdrawal Agreement, fintechs based in the United Kingdom providing regulated services will no longer have the opportunity to offer such services on a cross-border basis to customers in EEA Member States under the EU/EEA passport regime.

Another possibility for fintech companies to access the German market without being subject to a licence requirement is to cooperate with a licensed service provider, typically a bank. Such ventures are 'white label structures' where a regulated entity (fronting bank) effectively makes available its licence for the business activities of a third party. For this purpose the third party must subordinate its business to the bank's management by granting instruction and control rights to the bank, which for regulatory purposes is responsible for the regulated services.

III DIGITAL IDENTITY AND ONBOARDING

To date, there is no generally recognised digital identity available in Germany. However, it is possible to identify yourself electronically via the internet if the requirements of Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market are met. Details relating to this have been provided for in the Act on Trust Services (VDG).

Regarding the onboarding process as required under the statutory anti-money laundering and counterterrorism rules, the Anti-Money Laundering Code (GwG), which was revised as part of the implementation of the Fifth EU AML Directive, includes various possibilities for remote identification. However, non-face-to-face business relationships or transactions may indicate higher AML risks21 and thus may trigger enhanced customer due diligence requirements. In the past, BaFin published the standards for video identification, which are rather strict22 and which were confirmed by BaFin in its guidance on the interpretation of the GwG published in December 201823. It remains to be seen whether and to what extent BaFin will adjust its administrative practice following the implementation of the Fifth EU AML Directive. However, given the recent legislative trends, an alleviation of the requirements is not to be expected.

IV DIGITAL MARKETS, PAYMENT SERVICES AND FUNDING

Innovative funding solutions and business models related to payment services are typical areas in which fintech companies conduct business in Germany. Regulators have been struggling for some years to find a position on collective investment schemes balancing regulation to protect investors, in particular retail investors, and to allow innovative solutions that may also serve retail investors' interests. Eventually German legislators concluded that the regulatory requirements applicable for already known investment business models shall generally (subject to limited privileges) also apply to collective investment schemes. Similarly, with regard to digital markets in general, German legislators and BaFin apply the technology-neutral principle of 'same business, same risk, same regulation'. Therefore, the exact scope of the applicable requirements, in particular the assessment of whether a licence requirement under the KWG may be triggered, depends on the specific business model and should be reviewed on a case-by-case basis. The implementation of the Fifth EU AML Directive into German law has, at least to a certain extent, provided clarity on the regulatory qualification of activities in the cryptocurrency or cryptoassets business. As part of the implementation package, the German federal legislator introduced a legal definition of 'crypto values' and explicitly included these in the catalogue of financial instruments under the KWG.24 In line with the Fifth EU AML Directive, the statutory definition of crypto values is broad in scope so that all potential uses of virtual currencies, including as a means of investment, are covered. On the international level, these various types of virtual units of value, described also as coins or tokens, are often referred to collectively as 'cryptoassets'.25 For more details, see Section V below.

i Peer-to-peer-lending

Whether and which regulatory rules apply for peer-to-peer-lending depends on the specific business model.

Crowdfunding based on donations the investors make to support a special project (crowd-sponsoring) is generally not subject to financial regulation. If, however, the investor benefits financially from his or her investment, for example by participating in future profits of the project (crowd investing) or by being reimbursed with or without interest (crowd-lending), special regulations apply.26 Such regulations may be distinguished as falling under supervisory law, consumer law and capital market law.

Supervisory law

Peer-to-peer lending in form of crowd investing or crowd-lending may entail consequences under German financial supervisory law for the lender, the borrower and the platform.27 The key concern relates to possible licensing requirements. In particular, the licensing requirement for lending business must be considered.28 A licence requirement is triggered if the lender acts commercially or in a manner that requires a commercially established business operation. It is sufficient if the lender intends to repeatedly engage in the lending business to make profits.

The taking of deposits commercially or on a scale that requires a commercially established business operation is also subject to a licensing requirement.29 These requirements may become relevant for all involved parties, for example the platform if it keeps the funds extended by the lenders until the funds are transferred to a single or several borrowers. If the platform performs such function and transfers funds from the investors to the borrowers, the platform may also be subject to a licensing requirement under the ZAG for providing payment services. The licensing requirement under the KWG may become relevant for the investors who provide the funds extended to a single or various borrowers too. Even the borrowers may be subject to a licensing requirement for conducting the deposit taking business when they receive the funds from the platform or the investors.

Given these regulatory restrictions, peer-to-peer-lending business models in Germany typically include a fronting bank that holds a licence for the lending and deposit-taking business. In these models, the fronting bank extends the loans to the borrowers, and the bank refinance the loans by selling the repayment claims arising under them to the platform for on-selling to investors or directly to investors who ultimately receive the repayment claim against the borrower. The various business transactions between the involved parties relating to the extension of a loan are interdependent by way of conditions precedent. Therefore, the bank is only obliged to extend the loan if investors have committed to provide sufficient funds for the purchase of the repayment claims arising under the loan. The platform, which is typically a fintech company, is acting in this model as a broker that brings together investors and borrowers.

Such structure is usually not critical for the investors as they only acquire a repayment claim, which is as such not subject to a licensing requirement, provided that the acquisitions do not occur under a framework agreement. In the latter case, a licensing requirement for providing factoring business could be triggered.30 For the borrowers this model is not problematic either. One might consider whether they engage in deposit-taking business. However, it is generally recognised under German law that it does not constitute deposit-taking to borrow funds from a licensed bank. The fronting bank has in this model the necessary licences so the remaining question is whether the platform performs business activities subject to a licence requirement. The platform might conduct the factoring business if it acquires the repayment claims from the bank prior to selling them on to investors. Usually, however, the factoring business can be avoided by certain structural arrangements. In this case the regulated activities of the platform consist of brokering loans (between the bank and the borrowers) and investments (between the platform or the bank and investors as purchasers of the repayment claims). These are activities which can be structured to avoid regulation under the KWG and to ensure that 'only' the licence requirements under Sections 34c and 34f GewO need to be met. BaFin considers the repayment claims brokered by the platform to be financial assets within the meaning of the VermAnlG and, therefore, financial instruments within the meaning of the KWG so that, in principle, the brokering activity could also be subject to a licensing requirement pursuant to Section 32(1) KWG which is, however, typically avoided by taking advantage of an exception.

Consumer law

In Germany, as in the European Union generally, relatively strict consumer protection rules apply. This is also the case for consumer loans. Consequently, a direct contract between the lender and the borrower brokered by a peer-to-peer lending platform triggers far-reaching information obligations for the lender under Section 491 et seq. BGB, provided that the lender acts commercially and the borrower is a consumer. Given the typical structure for peer-to-peer lending platforms in Germany, the fronting bank implemented in the structure must typically comply with these obligations.

Further, given that peer-to-peer lending platforms typically offer their services online, the consumer protection rules on distance selling must be considered (Section 312a et seq. BGB). These rules are based on EU law and should in general not differ in the EU Member States.

Capital market law

Generally speaking, the WpPG and the VermAnlG has to be considered if the regulatory framework for crowdfunding and crowd-lending platforms is analysed under German law from a capital market point of view.

The VermAnlG generally applies to profit participating loans, subordinated loans and all other investments that grant a claim to interest and repayment. If such investments are publicly offered, a prospectus or at least an information sheet concerning the investment must be published, unless certain exceptions apply. One of these is explicitly directed to internet platforms engaging in crowd-investment (Section 2a VermAnlG). Under this exception, the obligation to publish a prospectus does not apply to investments that are only brokered via the internet and do not exceed low thresholds ranging from €1,000 to €10,000 per investment. Even if this exception applies, an information sheet must be published.

Should a crowdfunding platform issue or publicly offer securities within the meaning of the WpPG, a prospectus must, subject to certain limited exceptions, also be published. The WpPG obligations, however, have not yet gained material significance in the German fintech market, except for the very few fintech companies using securitisation to refinance. This might change in the future owing to the rise of ICOs.31

ii Payment services

The payment services sector was one of the first in the German financial industry where fintech companies became active and visible. This is one of the reasons for fragmentation of the payment services market, which has recently begun to consolidate. Nevertheless, the revised Payment Services Directive (EU) 2015/2366 (PSD II), which has been implemented into German law with effect from 13 January 2018, offers new business opportunities especially for nimble fintech companies. The reason for this is that account information services and payment initiation services as new payment services were introduced under the revised ZAG. The providers of such services now have a legal claim for access to payment accounts against the banks that maintain such payment accounts for their customers. This is perceived as a potential game changer because the traditional banks can no longer prevent their competitors from accessing the accounts of customers who consent to such access (open banking). However, experiences so far suggest that it will take some time before the necessary APIs work as required. Some market observers have already criticised credit institutions for using the PSD II rules as an instrument to prevent competition by fintechs, e.g., by no longer offering the previously established connections via FinTS.

Further, new business opportunities come with additional regulatory burdens. Providing payment services is generally subject to a licence requirement, unless certain exceptions apply. The scope of this licence requirement has been expanded to comprise the providers of account information and payment initiation services even though these service providers do not acquire at any time possession of their customers' funds. On account of this consideration, the regulatory requirements for a licence to provide payment initiation or account information services are less strict than for a licence to provide traditional payment services.

Recent amendments of the ZAG aim to foster technological innovation and competition on the payment market.32 Under the relevant provisions (Section 58a ZAG) – which has been labelled by some market observers as 'Lex Apple Pay' – payment services providers and e-money issuers have the right to obtain access to certain key technical infrastructure. 'System companies' contributing through technical infrastructure services to the provision of payment services or the conduct of e-money business in Germany are obliged, upon request of a payment services provider or e-money issuer, to make such technical infrastructure services available and provide necessary access against consideration and without undue delay. The obligation does not apply if the relevant technical infrastructure is used by no more than 10 payment services providers or e-money issuers or if the company has no more than 2 million registered users. The company may also deny access in case of objective reasons, for example, if the security and integrity of the technical infrastructure services would be jeopardised. The new statutory rules are not based on EU law and are considered to be the reaction to some system providers refusing to open their systems to facilitate more competition in the area of mobile payments.

V CRYPTOCURRENCIES, INITIAL COIN OFFERINGS (ICO) AND SECURITY TOKENS

i Cryptocurrencies

Cryptocurrencies such as Bitcoin undoubtedly constitute a challenge for the German law from regulatory, civil law and tax perspectives. A certain level of conceptual clarity has been achieved by the legal definition of crypto values (such as Bitcoin) in connection with the implementation of the Fifth EU AML Directive into German law. Crypto values are now included in the catalogue of financial instruments under the KWG so that various activities relating to crypto values are clearly within the scope of certain licence requirements. Further, the crypto custody business has been introduced as a new type of financial service, which is subject to a licence requirement under the KWG.

Crypto values are defined as digital representations of a value that is not issued or guaranteed by a central bank or a public authority, does not possess a statutory status of currency or money, but which is accepted by natural or legal persons as a means of exchange or payment, or which serves investment purposes and which can be transferred, stored and traded electronically. This broad definition is aimed at comprising any uses of virtual currencies, including as a means of investment. So far the definition of crypto values includes not only tokens with exchange and payment functions (including cryptocurrencies), which may anyway fall under the scope of financial instruments as the 'units of account' within the meaning of Section 1(11) sent.1 No. 7 KWG, but also tokens used for investment. Such security or investment tokens may also qualify as investment products, debt instruments or units in collective investment schemes under Section 1 (11) sent. 1 Nos. 2, 3 or 5 KWG.33

Not covered by the definition of crypto values are domestic and foreign legal tender, electronic money, monetary value stored on payment instruments falling under the limited network exemption within the meaning of PSD II and payment transactions of providers of electronic communications networks or services.34 Also not covered are electronic vouchers for the purchase of goods or services from the issuer or a third party that are intended to have an economic function in relation to the issuer only through redemption and that are therefore not tradable and, due to their design, do not reflect investor-like expectations regarding the performance of the voucher or the general business performance of the issuer or a third party in terms of value or accounting.35

The amendments with respect to crypto values reflect to a certain extent the previous administrative practice of BaFin that took the first steps towards the regulation of cryptocurrencies in Germany by adopting a broad interpretation of the term 'financial instrument' within the meaning of the KWG. This approach was partially criticised and not shared in a ruling of a higher regional court in criminal proceedings.36

The recent changes of the KWG has resolved the controversy on the qualification of cryptocurrencies as financial instruments and has insofar contributed to more legal clarity. It should be noted, however, that the German legislator only changed the definition of 'financial instrument' for the purpose of the licensing requirement but not with regard to the conduct rules set out in the WpHG, which effectively reflect the MiFID II provisions. Therefore, a service provider operating a market place for cryptocurrencies may fall within the licence requirement for an operator of multilateral trading facilities within the meaning of the KWG but may not be obliged to adhere to the rules of conduct set out for such operators in the WpHG.

Against this background, one should thoroughly analyse the legal risks related to relevant business models and assess whether and which licence requirements and conduct rules may apply. In particular, buying and purchasing cryptocurrencies in the service provider's own name for the account of others may constitute banking business in the form of principal brokering business.37 Further, brokering cryptocurrencies may constitute for licensing purposes investment brokerage,38 whereas advising on the purchase or sale of cryptocurrencies may be considered investment advice.39 Also the operation of a platform on which cryptocurrencies can be traded may qualify as a multilateral trading platform within the meaning of Section 1(1a) sent.2 No. (1b) KWG and may, therefore, be subject to a licence requirement.40 The activity involving custody, management and safeguarding of crypto values or private cryptographic keys may also fall within the scope of the newly regulated crypto custody business. This new type of financial service and the related licence requirement may be relevant for domestic companies as well as cross-border service providers and their agents that intend to or have already been offering such services.41

However, neither the mining, nor the purchase or sale of cryptocurrencies in one's own name and for one's own account is subject to a licence requirement. Therefore, cryptocurrencies may generally be used as means of payment and generated by mining without any special permission.

From a civil law perspective, many questions have not yet definitively been answered. The uncertainty starts with the applicable jurisdiction and laws generally for a cryptocurrency. These questions become relevant if, for instance, cryptocurrency units are transferred or pledged. Further, it is still unclear which disclosure and information obligations apply in cryptocurrency transactions.

Interestingly, the usually complex tax analysis has at least partly been clarified for cryptocurrencies through a decision by the European Court of Justice (CJEU).42

According to the principles of this decision that were incorporated into German tax law,43 exchanging regular currencies into Bitcoin (or comparable cryptocurrencies) and vice versa shall be tax-free with respect to value added tax according to Section 4 No. 8b of the Turnover Tax Code (UStG). In addition, using Bitcoin or comparable cryptocurrencies as payment and the process of mining are tax-free.

Other transactions concerning cryptocurrencies may, however, be affected by tax law.

From an accounting perspective, cryptocurrency units like Bitcoin are transferable so that it appears necessary to account for them as assets on the balance sheet.

If they qualify as assets that support the business for only a short period (current assets), they may have to be recorded as 'other assets' according to Section 266 (2) B II No. 4 of the Commercial Code (HGB).44 If the cryptocurrency units qualify as assets that support the business for a long period (fixed assets) they should be taken accounted for as acquired immaterial assets according to Section 266(2) A I No. 2 of the HGB.45

ii Initial coin offerings

Initial coin offerings (ICOs) are sales of virtual tokens to raise funds for general corporate purposes or a specific project typically described in more detail in a White Paper. Depending on the structure of the ICO, tokens may be bought with regular or virtual currencies and may grant specific rights such as participation rights and profit shares, or no right at all. While the discussions and structures of ICOs and tokens are still in flux, tokens that can be offered in an ICO may be categorised as follows:

  1. Cryptocurrency tokens are meant to pay for goods or services external to the platform or not only exclusively between the platform and its users but also between users.
  2. Utility tokens are supposed to convey some functional utility to token holders other than or in addition to payment for goods or services, in the form of access to a product or service. These tokens come with particular rights, such as a right of access to a future service, a right to redeem the token for another token or service or voting rights which often are designed to shape the functionality of the product.
  3. Security tokens are comparable to traditional securities set out in Article 4(1)(44) MiFID II such as conventional debt or equity instruments.46

This rough categorisation – which corresponds to the general approach pursued by BaFin – illustrates that tokens may differ significantly. Following the amendments to the KWG, as from 1 January 2020, tokens with exchange and payment functions and tokens used for investment, for example, security tokens and investment tokens, are likely to fall within the broad definition of cryptographic values and thus constitute financial instruments under KWG (aside from possible classification of such tokens as other types of financial instruments, which is to be assessed on a case-by-case basis).47

Consequently, each ICO must be thoroughly analysed with respect to its regulatory and capital market requirements. BaFin determines the applicability of the relevant legislation including the KWG, the ZAG, the WpPG, the KAGB and the VermAnlG case by case, depending on the specific contractual arrangements. Where tokens resemble participation rights that might be classified as securities under the WpPG or capital investments under the VermAnlG, a prospectus for the marketing of the tokens may be required. One might question, however, whether a fully digitised token constitutes a security within the meaning of the WpPG, as under German securities law such a security requires a certificate. In light of this general concept, the first BaFin-approval of a prospectus for a public offer of fully digitalised blockchain-based tokens under the WpPG regime, in February 2019, was quite unexpected. Given the current legal framework for securities, it is not entirely clear yet whether this route involves various legal risks despite the approval by BaFin. It seems that clarity in this regard requires an amendment of the German securities laws explicitly permitting fully digitalised offerings of securities. The necessary changes of the relevant laws are already being discussed. The German federal government demonstrated its intention to support such changes when the German Federal Ministry of Finance and the German Federal Ministry of Justice and Consumer Protection published a joint paper concerning the future regulatory framework for blockchain-based securities and crypto-tokens, aimed to foster innovation and investor protection.48

In addition to a prospectus requirement, any professional service provided in connection with the trading of tokens – including an agreement to acquire, or the sale or purchase of tokens – when qualified as units of account or crypto values – would, as a general rule, require a licence from BaFin.49

Even if an obligation to publish a prospectus does not exist, issuers of tokens should be aware that consumer protection laws might apply to the sale of tokens via internet. So, the underlying contract may qualify as a distance contract resulting in information obligations according to Section 312(i) of the BGB. Provided that the contract is considered as financial service, further information must be provided according to Section 312(d) of the BGB.50

iii Money laundering rules

Tokens and cryptocurrencies in general are perceived as highly susceptible to money laundering and terrorism financing. In this respect, a certain level of clarity with regard to the applicability of the AML regime has been provided by the law implementing the Fifth EU-AML Directive in Germany, in force since 1 January 2020. As already outlined above, the law introduced a broad definition of crypto values and classified them as financial instruments under the KWG. In principle, the scope of the definition generally includes tokens with exchange and payment functions (e.g., cryptocurrencies) and tokens used for investment (e.g., security tokens and investment tokens).51 This generally means that services concerning cryptocurrencies and tokens, for instance, buying and purchasing cryptocurrencies in the service provider's own name for the account of others, advising on the purchase or sale of cryptocurrencies or operation of a platform on which cryptocurrencies can be traded may fall under the scope of regulated services and require a KWG licence for, in particular, principal brokering business,52 investment brokerage,53 investment advice54 or operation of a multilateral trading platform.55 In addition, the management and safeguarding of crypto values or private cryptographic keys may require obtaining a KWG licence if other general statutory prerequisites under KWG (in essence, commercial character or a scale that requires a commercially organised business undertaking) are fulfilled. Services providers whose activities fall within the scope of the KWG-licence requirements are obliged entities within the meaning of the GwG and must, therefore, adhere to the duties set out therein. These include the obligation to conduct adequate customer due diligence, to implement adequate risk management systems aimed at preventing money laundering and terrorism financing and, as appropriate, notifying the Financial Intelligence Unit of any suspect transactions as well as fulfilling respective reporting obligations in relation transparency register. Nonetheless, even prior to the implementation of the Fifth EU-AML Directive into German law cryptocurrency and ICO service providers were often required to obtain a KWG licence and, as a result, comply with the German AML requirements. This was owing to the broad interpretation of the term 'financial instrument' within the meaning of the KWG according to BaFin's previous administrative practice.56

Further, an interesting and not fully clarified question is whether the issuer of tokens in an ICO may be subject to such obligations under the GwG. This may well be the case because such an issuer might be regarded as a person trading in goods within the meaning of Section 1 (9) GwG.57 For persons trading in goods, however, the full set of obligations under the GwG does not apply; instead, they need only – in the absence of a specific suspicion – identify their counterparty if they pay or receive a cash payment of at least €10,000 (Section 10(6) GwG).

VI OTHER NEW BUSINESS MODELS

Generally speaking, it seems difficult to identify totally new business models in the past one or two years. Instead, one can observe enhanced efforts to find specific uses for blockchain technology and for artificial intelligence.

These efforts can be illustrated by the cooperation of Deutsche Bundesbank with Deutsche Börse aimed to develop solutions for a securities settlement system which facilitates the delivery of securities against virtual currency units on the basis of the distributed ledger technology.58

Participants in the capital markets in general appear to seek increasingly successful business models exploiting the potential of fintech. The first placings of promissory notes and commercial papers (even though these papers have not been governed by German law) have been made in Germany by taking advantage of the blockchain technology and of highly digitalised platforms.

Further, how artificial intelligence could support anti-money laundering compliance and the compliance function in general, which is sometimes called 'digital compliance', is also being investigated. In this regard, however, it seems too early to maintain that new business models have already established themselves on the German market.

In general, the operation of business models involving the use of AI is subject to the regulatory requirements applicable to already known business models in line with the technology-neutral approach of 'same business, same risk, same regulation'. This means that for each relevant fintech business model, careful analysis should judge whether it falls within the scope of one or several regulated services and which regulatory requirements apply. In essence, the KWG-licensed institutions using programs and algorithms involving AI must ensure that they maintain a proper business organisation,59 in particular an adequate and effective risk management, and that the use of such programs and algorithms is in line with such general regulatory requirements. This includes processes for determining and safeguarding the sustainability of services, internal control procedures and internal control systems, adequate contingency plans, especially for IT systems, complete documentation of business operations permitting seamless monitoring by BaFin as well as compliance with outsourcing requirements. The exact arrangement of the business organisation should be appropriate for the nature, scope, complexity and risk content of the institution's business activities. In this regard, the minimum requirements for risk management in BaFin's Circular No. 09/2017 (MaRisk)60 and with the supervisory requirements for IT in BaFin's Circular No. 10/2017 (BAIT) have to be met.61

With respect to the use of algorithms by KWG-licensed institutions BaFin has recently confirmed its approach that it does not grant general a priori approvals for the use of algorithms in decision-making processes and that its administrative practice is technology-neutral.62 The legal reasoning behind this approach is generally twofold: the nature of the risk-oriented and ad hoc financial supervision on the one hand and the lack of a statutory basis for general a priori algorithms approvals on the other.63 As to the former, the supervisory requirements do not primarily concern the algorithm itself; instead, the focus of supervision is on the entire decision-making process in which the relevant algorithm is embedded – therefore compliance with general requirements on proper business organisation and risk management plays a key role.64 With respect to the lack of a statutory legal basis for algorithms approval two exceptions should be noted in which the regulation of the use of algorithms may be derived from the law itself (e.g., determination of capital and solvency requirements). However, even in such cases the supervisory authorities will not grant an a priori approval. Instead, they conduct a risk-oriented assessment of the relevant decision-making and other procedures taking into account the available data and its quality.65

The approach of technological neutrality applies generally also to the regulation of KWG licence requirements. In this respect, one might consider high-frequency trading (a special form of proprietary trading)66 as an exception. Per definition, high frequency trading includes the use of algorithms for the sale and purchase of financial instruments.67 While German supervisory rules generally do not provide for specific notification obligations in the case of the use of particular software or algorithms, high frequency trades have to adhere to specific notification requirements.68

Worth mentioning in the context of recent and successful fintech-related business models is the increasing digitalisation in the insurance sector. New service providers have evolved that primarily broker insurance via smart phones quickly and simply. Certainly, such brokers must also comply with the general information duties relating to the brokerage of insurance contracts.

Also successful, but not strictly new, are product comparison websites, which have become very popular with price-conscious consumers. The influence of such offerings on the market is governed by the general competition rules. These include that price comparison tests must be performed in a competent manner, seek to be objectively accurate and be neutral.69 Finally, the incorporation of so-called fintech banks is noteworthy in connection with new business models. These fintech banks hold a comprehensive licence to conduct banking business but still perceive themselves to be fintech companies. Their business model is based on digitalisation, and they partly offer white-label solutions, namely they may seek to cooperate with other fintech companies that need licensed banks for their business model. This illustrates that some fintech banks position themselves as 'platform banks', where cooperation partners may find specific service offerings that they can use to complement their own products or services.

VII INTELLECTUAL PROPERTY AND DATA PROTECTION

i Intellectual property

A business model as such cannot be protected by copyright law. Therefore, it is not uncommon for successful fintech business models to be copied and optimised. Computer programs, however, that are characterised by a minimum of individuality and originality are subject to copyright protection according to Section 2 of the Act on Copyright and Neighbouring Rights (UrhG).70

Under German law copyright can be neither registered nor transferred, since the copyright itself emerges the moment the piece of work, such as the software, is created by its actual originator.71 The capacity of being the originator is strictly connected to a natural person and may therefore not be transferred.72 Obviously the lack of registration leads to various practical problems that often result in lawsuits. Nonetheless, a licence may be granted enabling the holder to make use of the piece of work in every or in particular matters (Section 31 of the UrhG). Employees and their employers implicitly agree on a full licence by drafting the employment contract.73 Therefore, the employer is allowed to make use of the piece of work. Concerning computer programs, another rule applies (Section 69b of the UrhG), granting the employer even more rights. Unless agreed otherwise, the employee is owed no compensation.74

ii Data protection

Generally speaking, data protection is governed the General Data Protection Regulation (GDPR), which replaced to a material extent the previous version of the Federal Act on Data Protection as of 25 May 2018 without, however, changing the fundamental principles of German data protection law. The GDPR intends to prevent the collection and use of data related to individuals unless it is duly necessary to do so (Article 1 of the GDPR). Data are considered to be related to individuals if the responsible body has the legal means that enable it to identify the data subject.75

Collection and processing of data related to individuals is only permitted if it is explicitly allowed by law or if the data subject consents (Article 6(1) GDPR). Additionally, the user must be informed about nature, extent and purpose of data collection.

Digital profiling has to comply with the general principles stated above. The GDPR does not regulate digital profiling as such but focuses on some of its typical forms: firstly, the automated individual decision-making, including profiling, must comply with Article 22 of the GDPR; secondly, a decision that produces legal effects on the data subject or has a similarly significant influence on the data subject must not be based solely on automated processing (Article 22(1) GDPR). However, Article 22(1) GDPR shall not apply, if the decision: (1) is necessary for entering into, or performance of, a contract between the data subject and the data controller; (2) is authorised by law to which the controller is subject and that also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is based on the data subject's explicit consent (Article 22(2) GDPR).

VIII YEAR IN REVIEW

Considering the developments in the fintech sector within the past 12 to 18 months, the following trends appear worth emphasising.

Overall, it seems that the fintech market in Germany has continued to demonstrate growing maturity and has recently reached a consolidation phase. This, and the fact that business models of German fintech companies have been able to implement commercially viable business models, is illustrated by one of the German fintech banks that became the first German fintech 'unicorn', with a market evaluation of more than €1 billion by significant financings in 2018. However, scaling their operations is still difficult for many local fintechs, which may also be a result of the increasing efforts of incumbent institutions to take advantage of the lessons learned from fintechs concerning innovation and customer experience. Traditional players in the financial sector use these insights not only by establishing cooperations and partnerships with fintech companies and including fintechs in their value chains but also by developing their own digital offerings.

ICOs and cryptocurrencies continue to be among the dominant topics in the fintech sector. This can be illustrated by the implementation of the Fifth EU-AML Directive into German law. The broad legal definition of crypto values introduced by the German legislator not only results in enhanced AML obligations for service providers engaging in the cryptocurrency business but also introduces a licence requirement for the crypto custody business.

The application of distributed ledger technology for other use cases remains a challenge, but market participants have deployed significant efforts to identify and realise corresponding business models, for instance, in the field of capital markets or supply chain finance.

The relevance of distributed ledger technology has also been recognised by politicians and by supervisory authorities. It seems that specific regulation of blockchain-based business models will be introduced rather sooner than later. The German legislator expressed its intention not to wait for a harmonised solution at the EU-level, but to initiate a blockchain initiative also involving specific legislation aimed at fostering business models using the distributed ledger technology.

Further, the introduction of the new Section 58a ZAG suggests that the implementation of PSD II may not be considered the final step towards increased competition and innovation in the payment sector. It appears, however, that technical constraints (the removal of which does not seem to be the primary objective of incumbent players) have prevented account information and payment initiation providers to take full advantage of the business opportunities expected as a consequence of PSD II.

IX OUTLOOK AND CONCLUSIONS

Given the numerous initiatives at an international, EU and national level dealing with the regulatory challenges of fintech, further specific regulation has to be expected. A recent illustration of this trend was the implementation of the Fifth EU-AML Directive into German law. This, however, does not need to be detrimental to fintechs and their offerings. Instead, this is a chance for a reliable legal framework to foster trust and create an attractive climate for investors. Further, German politicians have recognised that the legislation needs to provide a legal environment that promotes innovative solutions. Whether this will lead to the introduction of an option for EU Member States to elect a 'sandbox model' remains to be seen. The regulatory authorities in Germany would still not welcome such an option. Instead, it is currently more likely that special legislation will be introduced in Germany that addresses the needs of blockchain-based business models. Further, there are some indications (e.g., the harsh sanctions regime) that the GDPR might turn out to be an obstacle for future prosperity of the fintech sector. In particular, it is questionable how the requirements under the GDPR and, in particular, the 'right to be forgotten' can be fully implemented by the blockchain-based services and products. Finally, new developments can be expected in the area of big data and AI.


Footnotes

1 Jens H Kunz is a partner at Noerr LLP.

2 See the English version of BaFin's article: Evolutionary influence of fintechs on the financial sector: https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2019/fa_bj_1911_Fintech_en.html (23 March 2020).

3 Cf. the English version of BaFin's article: Evolutionary influence of fintechs on the financial sector: https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2019/fa_bj_1911_Fintech_en.html (23 March 2020).

4 See the English version of BaFin's article: Evolutionary influence of fintechs on the financial sector: https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Fachartikel/2019/fa_bj_1911_Fintech_en.html (23 March 2020).

5 See Gregor Dorfleitner et al., 'FinTech-Markt in Deutschland', 17 October 2016, a study assigned by the Federal Ministry of Economics.

6 See German Federal Ministry of Finance (Bundesministerium der Finanzen),
www.bundesfinanzministerium.de/Content/DE/Pressemitteilungen/Finanzpolitik/2017/03/2017-
03-22-pm-fintech.html (23 March 2020).

7 See German Federal Ministry of Finance (Bundesministerium der Finanzen), https://www.bundesfinanzministerium.de/Content/DE/Standardartikel/Themen/Internationales_Finanzmarkt/2019-03-
08-eckpunkte-elektronische-wertpapiere.html (23 March 2020).

8 See the English version of the related BaFin-website where BaFin gives a summary of its position on fintech related regulatory questions: https://www.bafin.de/EN/Aufsicht/FinTech/fintech_node_en.html (23 March 2020).

11 See German Federal Ministry for Economics (Bundesministerium für Wirtschaft), www.bmwi.de/Redaktion/DE/Dossier/invest.html (23 March 2020).

13 More comprehensive capital and other requirements apply if the robo-adviser is entitled to hold the assets and funds of its clients.

14 Grischuk, Robo-Advice, BaFin Journal from August 2017, p. 20, www.bafin.de/SharedDocs/Downloads/DE/BaFinJournal/2017/bj_1708.html (24 March 2020).

15 Section 64(4) Securities Trading Act (WpHG).

16 Section 32(1) of the KWG within the meaning of Section 1 (1a)(2)(3) KWG.

17 Section 63(6) WpHG, Section 302 KAGB and Section 23 KWG.

18 BaFin, Notes regarding the licensing for conducting cross-border banking business and/or providing cross-border financial services, April 2005, https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Merkblatt/mb_050401_grenzueberschreitend_en.html (24 March 2020).

19 Cf. Federal Administrative Court (Bundesverwaltungsgericht), decision of 22 April 2009, Az. 8 C 2/09, juris margin: 41.

20 BaFin, Freedom to provide services and freedom of establishment of credit institutions in the European Economic Area, https://www.bafin.de/EN/Aufsicht/BankenFinanzdienstleister/Zulassung/EU-EWR-Kreditinstitute/eu-ewr-kreditinstitute_node_en.html (24 March 2020).

21 See GwG, Annex 2 (factors for potentially higher risk).

22 BaFin, Circular 3/2017 (GW) - Video Identification Procedures, www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Rundschreiben/2017/rs_1703_gw_videoident_en.html (24 March 2020).

23 BaFin, Auslegungs- und Anwendungshinweise zum Geldwäschegesetz, https://www.bafin.de/SharedDocs/Downloads/DE/Auslegungsentscheidung/dl_ae_auas_gw_2018.html (24 March 2020) (only available in German).

24 See Section(11) No. 10 KWG.

25 Cf. Financial Stability Board, Crypto-asset markets: Potential channels for future financial stability implications, 10 October 2018, https://www.fsb.org/wp-content/uploads/P101018.pdf. (25 March2020).

27 BaFin, Merkblatt zur Erlaubnispflicht von Kreditvermittlungsplattformen, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_070514_kreditvermittlungsplattform.html;jsessionid=0510174E1578D35D6508C7AD5765DAF6.1_cid363?nn=7847010 (24 March 2020) (only available in German).

28 Section 32(1) KWG in connection with Section 1(1) Sent. 2 No 2 KWG.

29 Section 32(1) KWG in connection with Section 1(1) Sent. 2 No 1 KWG.

30 Section 1(1a) Sent. 2 No 9 KWG.

31 See in more detail at Section V.ii.

32 See the financial committee report to the draft bill implementing the Fifth EU-AML Directive into German law of 14 November 2019, p. 52, http://dipbt.bundestag.de/dip21/btd/19/151/1915196.pdf (25 March 2020) (available only in German).

33 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, http://dipbt.bundestag.de/dip21/btd/19/138/1913827.pdf (25 March 2020) (available only in German).

34 See Section 2(1) Sent. 2 No. 10 and 11 ZAG.

35 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, http://dipbt.bundestag.de/dip21/btd/19/138/1913827.pdf (25 March 2020) (available only in German).

36 Higher Regional Court of Berlin (Kammergericht Berlin), decision of 25 September 2018 – (4) 161 SS. 28/18 (35/18).

37 Section 1(1) sent. 2 No. 4 KWG.

38 Section 1(1a) sent. 2 No. 1 KWG.

39 Section 1(1a) sent. 2 No. 1a KWG.

41 See Section II above.

42 Cf. European Court of Justice, decision of 22 October 2015, C-264/14, V, Hedqvist.

44 Kirsch / von Wieding, Bilanzierung von Bitcoin nach HGB, BB 2017, 2731, 2734.

45 Kirsch / von Wieding, Bilanzierung von Bitcoin nach HGB, BB 2017, 2731, 2734.

46 Blockchain Bundesverband, Finance Working Group, Statement on token regulation with a focus on token sales (undated), p. 3.

47 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, http://dipbt.bundestag.de/dip21/btd/19/138/1913827.pdf (25 March 2020) (available only in German).

49 See in more detail in Section V.i.

50 Blockchain Bundesverband, Statement on token regulation with a focus on token sales, p. 16,
https://bundesblock.de/wp-content/uploads/2018/02/180209_Statement-Token-Regulation_blockchain-bundesverband.pdf (25 March 2020).

51 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, http://dipbt.bundestag.de/dip21/btd/19/138/1913827.pdf (25 March 2020) (available only in German).

52 Section 1(1)(2)(4) KWG.

53 Section 1(1a)(2)(1) KWG.

54 Section 1(1a)(2)(1a) KWG.

55 Section 1(1a) Sent.2 No. (1b) KWG.

56 See Section V above.

57 Blockchain Bundesverband, Statement on token regulation with a focus on token sales, p. 19,
https://bundesblock.de/wp-content/uploads/2018/02/180209_Statement-Token-Regulation_blockchain-bundesverband.pdf (25 March 2020).

59 See Section 25a KWG.

60 See BaFin's Circular: Rundschreiben 09/2017 (BA) - Mindestanforderungen an das Risikomanagement – MaRisk of 27 October 2017, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Rundschreiben/2017/rs_1709_marisk_ba.html (25 March 2020) (available only in German).

61 See BaFin's Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions of 5 February 2018, updated on 7 February 2019, https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/dl_rs_1710_ba_BAIT_en.html (25 March 2020).

62 See BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17 March 2020, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2020/fa_bj_2003_Algorithmen.html (25 March 2020) (available only in German).

63 See BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17.03.2020, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2020/fa_bj_2003_Algorithmen.html (25 March 2020) (available only in German).

64 Cf. BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17.03.2020, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2020/fa_bj_2003_Algorithmen.html (25 March 2020) (available only in German).

65 Cf. BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17.03.2020, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2020/fa_bj_2003_Algorithmen.html (25 March 2020) (available only in German).

66 See Section 1(1a) sent. 2 (4d) KWG.

67 Cf. BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17 March 2020, https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2020/fa_bj_2003_Algorithmen.html (25 March 2020) (available only in German).

68 Cf. Section 80(2) sent.5 WpHG

69 BGH, decision of 9 December.1975 - VI ZR 157/73, 'Warentest II'.

70 Cf. Bullinger, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht, edition 4, Section 2 rec. 24.

71 Cf. Bullinger, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht, edition 4, Section 7 rec. 3.

72 Cf. Benkard, Patentgesetz, edition 11, Section 15 rec. 5.

73 Cf. Wandtke, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht edition 4, Section 43 rec. 50.

74 Cf. Rother, Rechte des Arbeitgebers/Dienstherrn am geistigen Eigentum, GRUR Int. 2004, 235, 237.

75 CJEU, decision of 19 October 2016 – C-582/14.