The Financial Technology Law Review: Germany


Since the publication of the third edition of The Financial Technology Law Review in 2020, the fintech market in general has been exposed to significant challenges caused by the current covid-19 pandemic. At the same time, this crisis has demonstrated the need for reliable and innovative digital solutions for the financial sector. Thus, the pandemic offered business opportunities for agile service providers offering, in particular, solutions for cashless payments or 'neo-brokering' (i.e., online brokerage services at low or even nil execution costs).

As a matter of general tendency, the fintech market in Germany has already become relatively consolidated and mature and its influence on the financial sector has been rather revolutionary in nature.2 Although a 'winner-takes-all' phenomenon has been observed (attributed to increased competition and high acquisition costs), fintechs are still expected to benefit from new business opportunities, especially in the field of artificial intelligence, big data and distributed ledger technology.3 It might also be perceived as an indication of a matured market that fintech companies have increasingly been integrated by banks and financial institutions into their value chains.4

These developments, however, do not mean that the German fintech market has become stagnant. The opposite is true. Fintech-related topics have been frequently and intensively discussed in Germany not only by participants in the financial sector but also by politicians and regulatory authorities. The public interest caused by Facebook's initiative to introduce Diem (initially Libra) as a global virtual payment instrument backed by fiat currencies has certainly contributed to the momentum of the current developments. In particular, the question of whether the present legal framework gives sufficient leeway for the application of blockchain-based business models while simultaneously providing a sufficient level of protection for market participants has been the subject matter of such discussions. As a result, a European Union (EU)-wide framework for cryptoassets and an EU-level sandbox model have been proposed by the Commission as part of the Digital Finance Package.5 In Germany, the federal legislator recently introduced statutory provisions according to which crypto values qualify as financial instruments for financial licencing purposes. Further, the crypto custody business was introduced as a new type of service, which is subject to a licence requirement under the German Banking Act (KWG).

In recent years, the activities in the field of policy and financial market regulation that have been sparked by the insight that digitalisation will fundamentally change the financial industry included the assignment of a study to get a better understanding of the fintech market in Germany,6 the formation of the FinTech Council by the German Federal Ministry of Economics that aims to enhance the dialogue among business, politics and academia7 as well as a joint paper of the German Federal Ministry of Finance and the German Federal Ministry of Justice and Consumer Protection concerning the regulatory framework for blockchain-based securities and crypto tokens aimed at fostering innovation and investor protection.8 This led to a recent legislative proposal aiming to facilitate the full dematerialisation of securities in Germany and the use of blockchain and digital ledger technology for the settlement of transactions in securities. Further, the German Federal Financial Supervisory Authority (BaFin) has published several statements, explanations and opinions,9 including the perspective of BaFin on topics such as big data and artificial intelligence, distributed ledger technologies as well as digitalisation and information security.10 The new statutory rules on crypto values and the crypto custody business as well as the legislative proposal for blockchain-based securities also indicate that the legislator has realised the need to provide legal certainty for innovative business models and services.

Generally, the German legislator and BaFin apply the technology-neutral principle of 'same business, same risk, same regulation'.11 This includes that neither the legislator nor BaFin has promulgated rules that privilege fintech companies compared to traditional players in the financial sector. Therefore, a 'sandbox' model that establishes an innovation space where fintech companies may test business models without tight regulation as established in the United Kingdom and in Switzerland has not been introduced in Germany yet.

Hence, BaFin attempts to find a balance between supervisory concerns and the start-up culture that often exists in fintech companies. As part of its efforts in this regard, BaFin provides fintech companies with information concerning supervisory issues on their website.

There is no special public funding instrument for fintech companies, but the German Ministry of Economics has set up the programme 'INVEST' to help start-ups raise venture capital. If business angels purchase shares of newly founded innovative companies and hold them for more than three years, 20 per cent of their original investment will be reimbursed by the state up to a limit of €100,000.12 To qualify for the programme, investors have to spend at least €10,000. Invested capital must not result from a third-party loan to the investor. Furthermore, the business angel has to participate in the new company's gains and losses. Investors must be natural persons living in the European Economic Area or must use special investment companies registered in Germany (e.g., the limited liability company, GmbH).

Generally speaking, German regulatory authorities and the government emphasise that they recognise the potential of fintech for public economic benefit, while the regulation partly still seems rather conservative when the traditional regulatory standards, which stem from the pre-digitalisation era, are applied (although the efforts of BaFin to support fintech companies by offering detailed legal information and by improving the communication channels, as well as recent legislative changes concerning the regulatory requirements for cryptoasset-related services, are evident). The current dynamics in the field of regulating digital finance, blockchain and cryptoassets, both at the EU and a national level, indicates that the legal framework relevant for fintech companies has gained material momentum and may be expected to evolve quite fast.

The potential of digitalisation has not only been recognised by the participants in the financial industry, but also by central regulators for the purposes of the monetary system. In particular, the Governing Council of the European Central Bank (ECB) has decided to work on the development of a digital euro, which would be an electronic form of a legal tender, introduced for the use by natural persons and firms alongside cash.13 However, it remains yet to be seen whether and how this project will evolve.


i Licensing and marketing

The general rules apply to licensing and marketing of fintech companies in Germany. Because there is no specific fintech licence available in Germany, the regulation of fintech companies depends ultimately on the business they carry out. This again results from the technology-neutral 'same business, same risk, same rules' approach. The entire array of licences and marketing restrictions may therefore become relevant for fintech business models.

In particular, the following types of licences have to be taken into account:

  1. licence pursuant to Section 32 (1) Banking Act (KWG) for providing banking businesses within the meaning of Section 1(1) sent. 2 KWG or financial services within the meaning of Section 1(1a) sent. 2 KWG (including, since 1 January 2020, the crypto custody business within the meaning of Section 1(1a) sent. 2 No. 6 KWG, which is of particular relevance for fintech companies);
  2. licence pursuant to Section 10(1) Payment Services Supervisory Act (ZAG) for providing payment services or pursuant to Section 11 ZAG for the issuance of e-money;
  3. licence pursuant to Section 20(1) Capital Investment Code (KAGB) or, less burdensome, the mere registration pursuant to Section 44(1) KAGB for offering collective asset/funds management;
  4. licence pursuant to Sections 34c, 34d and 34f Industrial Code (GewO) for the brokerage of loans, insurance contracts and certain financial products; and
  5. licence pursuant to Section 8(1) Insurance Supervisory Act (VAG) for conducting insurance business.

In general, a licence requirement is triggered if one intends to provide in Germany commercially or on a scale that requires a commercially organised business undertaking one of the services listed in the comprehensive catalogues of regulated activities referred to above. Consequently, it needs to be carefully analysed whether a fintech business model falls within the scope of one or several of such regulated services.

Depending on the type of licence, different authorities might be competent to grant the relevant licence. Placing the competent authorities in a hierarchy, ECB is at the top with its competence for granting licences for institutions that intend to carry out banking business that includes lending and deposit-taking business. Beneath the ECB, BaFin is the competent authority for institutions that intend to provide banking business except for lending and deposit taking, including investment services and other financial services, payment services, collective asset or funds management and insurance business. The third level in the hierarchy would consist of the authorities that have been endowed under the German federal state laws with the competence to grant licences pursuant to the GewO.

All these types of licences may become relevant for fintech business models. This can be illustrated by the observation that 'fintech banks' were established in Germany holding a banking licence granted by ECB.

Both the requirements to obtain a licence under the German financial supervisory laws and subsequent ongoing legal requirements depend on the type of licence. For instance, the requirements to obtain a licence pursuant to Section 32(1) KWG for providing investment brokerage or investment advice are less tight than for guarantee or for safe custody business. In this regard, it makes a significant difference for regulatory purposes whether an institution is entitled to hold funds or assets for its clients because in this case the regulatory requirements are more comprehensive and stricter.

The recently introduced licence requirement for the crypto custody business under the KWG in 2020 may be considered the first fintech-specific or at least fintech-focused licence requirement under German law. The corresponding changes to the KWG were made in the course of the implementation of the Fifth EU AML-Directive (Directive (EU) 2018/843) but without the legal necessity under EU law to make such changes of the KWG. The relevant Section 1(1a) sent. 2 No. 6 KWG defines crypto custody business as custody, management and safeguarding of crypto values or private cryptographic keys used to hold, store or transfer crypto values as a service for others. Cryptographic values, which are now explicitly included in the catalogue of financial instruments under Section 1(11) sent. 1 No. 10 KWG, are defined as digital representations of value that are not issued or guaranteed by a central bank or a public authority, do not possess statutory status of currency or money, but are accepted by natural or legal persons as a means of exchange or payment, or which serve investment purposes and which can be transferred, stored and traded electronically. Consequently, the term crypto value includes not only crypto currencies like Bitcoin but also investment tokens. The broad definition of the terms crypto value and crypto custody business (including also the activities relating to private cryptographic keys) results in a wide scope of the new licence requirement. The KWG, however, provides for certain relief insofar as crypto custody service providers focusing on this type of financial service (i.e., that do not carry out any other regulated activities) do not have to meet all regulatory obligations applying to other providers of financial services. Instead, such crypto custody service providers are exempted from the general capital and liquidity requirements under the CRR (Regulation (EU) No. 575/2013) recently amended by CRR II (Regulation (EU) No. 2019/876) and some other rules. However, the requirements on the initial capital, reputation of the board members, proper business organisation and related reporting obligations do apply. Further guidance with respect to crypto custody business has been provided by BaFin.14

At the same time, the licensing regime that may apply to fintech business models is constantly evolving in the EU and so in Germany. This includes the changes of the licensing regime relevant for fintech businesses as introduced by the new EU legislation on European crowdfunding service providers for business (Regulation (EU) No. 2020/1503, ECSPR), which also require changes of the German legal framework, the proposed EU markets in crypto-assets regulation as well as the pending legislative procedure in Germany relating to securities dematerialisation.15 Although it would exceed the given framework to elaborate on the licence requirements for every single fintech-relevant business model, it may be worth illustrating the licence requirement by reference to the robo-advice business models, as these have become popular in Germany in recent years.

Generally speaking, a robo-adviser might be subject to a licence requirement pursuant to Section 32(1) KWG, in particular to provide investment brokerage, investment advice or portfolio management services. BaFin will only grant the necessary licence if, among other requirements, the applicant has at least €50,000 at its free disposal,16 if its managing directors are professionally qualified and with an impeccable reputation and if the applicant can prove that proper risk management will be in place when the regulated business will be commenced.

By way of exception from this general licence requirement under the KWG, investment brokerage and investment advice may be provided under the less restrictive licence pursuant to Section 34f GewO; however, only specific financial products may be brokered or recommended under this privileged licence, which is granted not by BaFin but by the competent authorities in accordance with the laws of the relevant federal state. An additional exception is available for tied agents who closely cooperate with a licensed institution.

When robo-advisory models were introduced, some of the service providers offered robo-advice in the form of investment brokerage by connecting the supply of specific financial products to customers' demand for financial instruments. These models try to implement a structure where the client stays in charge of the investment process so that the client makes the ultimate decision to buy or sell a financial instrument. There is, however, a thin line between investment brokerage and investment advice. Although BaFin did not pursue a strict approach until 2017, it then made clear that a robo-adviser provides investment advice if clients could get the impression that the investment proposals presented by the robo-adviser are tailored to their individual circumstances.17 The distinction between both types of investment services becomes relevant for the type of licence that is required and, in practice more important, with respect to the requirements with which the robo-adviser must comply in offering its services. In particular, the suitability report that an investment adviser must prepare and that aims to show how the recommended financial products suit the needs of the client18 is for many robo-advisers a bureaucratic obstacle they would like to avoid.

Both the stricter position of BaFin and the preference not to prepare for each investment a suitability report have led to many robo-advisers becoming licensed as portfolio managers.19 Providing this type of investment service, however, involves the obligation to adhere to a comprehensive set of rules of conduct so that robo-advisers must thoroughly analyse which route suits them best and which type of licence they need for their individual business model.

With respect to marketing regulations applicable to fintech companies in Germany, the general rule is that marketing must be fair, transparent and not misleading. These principles follow from the Act against Unfair Competition (UWG) but are also included in some of the statutory provisions for financial services.20 Whether additional rules have to be taken into account depends primarily on the understanding of the term 'marketing'.

As far as marketing for investment services within the meaning of Section 2(8) of the WpHG is concerned (including investment brokerage, investment advice, portfolio management, underwriting business etc.), it is rather difficult to distinguish marketing from the rules of conduct for service providers set out, inter alia, in Section 63 et seq. of the WpHG and a regulation promulgated thereunder (WpDVerOV) but also in various delegated regulations promulgated under the Markets in Financial Instruments Directive (MiFID) II. These require that offerors of investment services provide their potential clients with mandatory information regarding, for instance, their products (e.g., key information sheets), potential conflicts of interest and inducements, and that they obtain certain information from their clients. Further, investment service providers must comply with detailed requirements set out in the Minimum Requirements for the Compliance Function and Additional Requirements governing Rules of Conduct, Organisation and Transparency (MaComp) which have been promulgated by BaFin.

Similar rules as for investment services apply to the marketing of funds under Section 298 et seq. of the KAGB. The information obligations for professional or semi-professional clients are less comprehensive than those for retail clients.

Regarding marketing for payment services, a comprehensive set of pre-contractual information obligations is provided for in the German Civil Code (BGB) in conjunction with Article 248 of the Introductory Act to the BGB (EGBGB).

Further, marketing for certain fintech related services might entail the obligation to publish a prospectus. Such obligation will usually be triggered once a public offer for securities or financial assets has been made in accordance with the Prospectus Act (WpPG) or the Asset Investment Act (VermAnlG). In particular, the prospectus obligation under the VermAnlG may become relevant for fintech business models such as, for instance, crowdfunding or peer-to-peer (P2P) lending platforms.

Fintech companies in Germany should therefore check whether marketing for their business might be captured by one of the comprehensive legal regimes for marketing.

ii Cross-border issues

As a general rule, the German regulations apply to each service provider conducting its business in Germany. This means that the rules – particularly the licensing requirement – not only apply if the service provider has its registered office in Germany, but also if it actively targets the German market cross-border.21

Pure accessibility of the relevant services via the internet in Germany may be considered sufficient to assume that a service provider is actively targeting the German market. The regulations apply if the offeror of the relevant services intends the service to be used by German customers among users of different nationalities.22 If a service provider maintains its website in German, this is considered to be a strong indication of actively targeting the German market.

If, however, the provision of regulated services cross-border is concerned, the privilege to notify German regulators of existing licences from a home Member State within the European Economic Area (EEA) might offer an exception from this general rule, which may appear very strict at the first glance. The European 'passport' has been introduced for many regulated services such as, for instance, certain types of banking business, investment services as set out in Annex 1 of MiFID II, payment services and recently, by way of Regulation (EU) 2020/1503, also for crowdfunding services providers. If a service provider has been licensed in its EEA-home Member State, the service provider may notify its competent supervisory authority of its intent to also offer the regulated services in Germany.23 Generally speaking, the service provider may commence the regulated business without a separate licence in Germany either on a cross-border basis or through a branch once the competent supervisory authority in the home Member State has informed BaFin, which subsequently has confirmed that the service provider may commence its business in Germany. In this scenario, the supervisory authority in the home Member State is generally responsible for the supervision of the service provider's activities in Germany, subject to certain residual competences of BaFin and the German Federal Bank. Following the withdrawal of the United Kingdom from the EU (and the lapse of the transition period on 31 December 2020) licensed UK companies active in the fintech business may no longer use the EU 'passport' to offer their services in other Member States (and vice versa) and generally need to establish a subsidiary in Germany or another EU Member State to obtain a licence and comply with EU regulatory requirements, basically as any third-country licensed institution. It remains to be seen whether future (bilateral) agreements or equivalence decisions will impact the market access conditions for licensed institutions in the EU and the UK.

Another possibility for fintech companies to access the German market without being subject to a licence requirement is to cooperate with a licensed service provider, typically a bank. Such ventures are 'white label structures' where a regulated entity (fronting bank) effectively makes available its licence for the business activities of a third party. For this purpose, the third party must subordinate its business to the bank's management by granting instruction and control rights to the bank, which for regulatory purposes is responsible for the regulated services.

Digital identity and onboarding

To date, there is no generally recognised digital identity available in Germany. However, it is possible to identify oneself electronically via the internet if the requirements of the eIDAS Regulation (Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market) are met. Details relating to this have been provided for in the Act on Trust Services (VDG).

Regarding the onboarding process as required under the statutory anti-money laundering and counterterrorism rules, the Anti-Money Laundering Code (GwG), which was revised as part of the implementation of the Fifth EU AML Directive, includes various possibilities for remote identification. However, non-face-to-face business relationships or transactions may indicate higher anti-money laundering (AML) risks24 and thus may trigger enhanced customer due diligence requirements. BaFin has published the standards for video identification25 as well as its guidance on the interpretation of the GwG26, which are generally rather strict.

Possibly, solutions enabling the creation and management of a digital identity will be available in the EU and therefore also in Germany in the future. At the EU level, efforts can be observed within the European Self-Sovereign Identity Framework (ESSIF) to develop solutions that could allow EU citizens to create and use their digital identity and that would be compatible with the eIDAS electronic identification framework. A corresponding initiative is also pursued in Germany within the project IDunion.27

Digital markets, payment services and funding

Innovative funding solutions and business models related to payment services are typical areas in which fintech companies conduct business in Germany. Regulators have been struggling for some years to find a position on collective investment schemes balancing regulation to protect investors, in particular retail investors, and to allow innovative solutions that may also serve retail investors' interests. Eventually, both EU and German legislators concluded that the regulatory requirements applicable for already known investment business models shall generally (subject to limited privileges) also apply to collective investment schemes. Similarly, with regard to digital markets in general, the German legislator and BaFin apply the technology-neutral principle of 'same business, same risk, same regulation'. Therefore, the exact scope of the applicable requirements, in particular the assessment of whether a licence requirement under the KWG may be triggered, generally requires an in-depth analysis on the specific business model and should be reviewed on a case-by-case basis.

At the same time, in light of this common 'same business, same risk, same regulation' approach, certain significant legislative developments have recently taken place. The implementation of the Fifth EU AML Directive into German law at the beginning of 2020 provided a certain level of clarity on the regulatory qualification of activities in the cryptocurrency or cryptoassets business. As part of the implementation package, the German federal legislator introduced a legal definition of 'crypto values' and explicitly included these in the catalogue of financial instruments under the KWG.28 In line with the Fifth EU AML Directive, the statutory definition of crypto values is broad in scope so that all potential uses of virtual currencies, including as a means of investment, are covered. On the international level, these various types of virtual units of value, described also as coins or tokens, are often referred to collectively as 'cryptoassets'.29

In September 2020, the Commission published the EU Digital Finance Package30 aiming to develop the digital single market, promote innovation and growth of fintech start-ups and adjust the existing regulatory regime to new technologies such as artificial intelligence and blockchain. In essence, the EU Digital Finance Package consists of a retail payments strategy to facilitate payments in shops and e-commerce, the proposal for an EU-wide directly applicable regulation on digital resilience for the financial sector (DORA) addressing cybersecurity and ICT-related risks as well as legislative proposals for an EU markets in crypto-assets regulation along with an EU-level pilot regime for market infrastructures based on distributed ledger technology.

In the field of crowdfunding, in October 2020 the EU legislator adopted an EU-wide regulation setting out a comprehensive regulatory regime applicable to EU crowdfunding service providers for business, the ECSPR (Regulation (EU) No. 2020/1503). Starting from November 2021, the ECSPR will be directly applicable in all EU Member States as a unified EU standard for lending-based and equity-based crowdfunding.

In Germany, recent key developments relevant for digital markets include the pending legislative procedure providing for the optional dematerialisation of securities. For more details concerning the new rules and proposals referred to above, see Section V.

i Peer-to-peer-lending

So far, whether and which regulatory rules apply for peer-to-peer-lending depends on the specific business model. Crowdfunding based on donations the investors make to support a special project (crowd-sponsoring) is generally not subject to financial regulation. If, however, the investor benefits financially from his or her investment, for example by participating in future profits of the project (crowd investing) or by being reimbursed with or without interest (crowd-lending), special regulations apply.31 Such regulations may be distinguished as falling under supervisory law, consumer law and capital market law. In the future (from 10 November 2021) the special regime for a crowdfunding service provider under Regulation (EU) 2020/1503 (ECSPR) and the corresponding changes of the German law which are currently in the legislative process have also to be analysed to determine the regulatory obligations in connection with peer-to-peer-lending.

Supervisory law

Peer-to-peer lending in the form of crowd investing or crowd-lending may entail consequences under financial supervisory law for the lender, the borrower and the platform.32 The key concern relates to possible licensing requirements. In particular, the licensing requirement for lending business must be considered.33 A licence requirement is triggered if the lender acts commercially or in a manner that requires a commercially established business operation. It is sufficient if the lender intends to repeatedly engage in the lending business to make profits.

The taking of deposits commercially or on a scale that requires a commercially established business operation is also subject to a licensing requirement.34 These requirements may become relevant for all involved parties; for example, the platform if it keeps the funds extended by the lenders until the funds are transferred to a single or several borrowers. If the platform performs such function and transfers funds from the investors to the borrowers, the platform may also be subject to a licensing requirement under the ZAG for providing payment services. The licensing requirement under the KWG may become relevant for the investors who provide the funds extended to a single or various borrowers too. Even the borrowers may be subject to a licensing requirement for conducting the deposit taking business when they receive the funds from the platform or the investors.

Given these regulatory restrictions, peer-to-peer-lending business models in Germany typically include a fronting bank that holds a licence for the lending and deposit-taking business. In these models, the fronting bank extends the loans to the borrowers, and the bank refinances the loans by selling the repayment claims arising under them to the platform for on-selling to investors or directly to investors who ultimately receive the repayment claim against the borrower. The various business transactions between the involved parties relating to the extension of a loan are interdependent by way of conditions precedent. Therefore, the bank is only obliged to extend the loan if investors have committed to provide sufficient funds for the purchase of the repayment claims arising under the loan. The platform, which is typically a fintech company, is acting in this model as a broker that brings together investors and borrowers.

This structure is usually not critical for the investors as they only acquire a repayment claim, which is as such not subject to a licensing requirement, provided that the acquisitions do not occur under a framework agreement. In the latter case, a licensing requirement for providing factoring business could be triggered.35 For the borrowers, this model is not problematic either. One might consider whether they engage in deposit-taking business. However, it is generally recognised under German law that borrowing funds from a licensed bank does not constitute deposit-taking. The fronting bank has in this model the necessary licences so the remaining question is whether the platform performs business activities subject to a licence requirement. The platform might conduct the factoring business if it acquires the repayment claims from the bank prior to selling them on to investors. Usually, however, the factoring business can be avoided by certain structural arrangements. In this case, the regulated activities of the platform consist of brokering loans (between the bank and the borrowers) and investments (between the platform or the bank and investors as purchasers of the repayment claims). These are activities that can be structured to avoid regulation under the KWG and to ensure that 'only' the licence requirements under Sections 34c and 34f GewO need to be met. BaFin considers the repayment claims brokered by the platform to be financial assets within the meaning of the VermAnlG and, therefore, financial instruments within the meaning of the KWG so that, in principle, the brokering activity could also be subject to a licensing requirement pursuant to Section 32(1) KWG which is, however, typically avoided by taking advantage of an exception.

Consumer law

In Germany, as in the European Union generally, relatively strict consumer protection rules apply. This is also the case for consumer loans. Consequently, a direct contract between the lender and the borrower brokered by a peer-to-peer lending platform triggers far-reaching information obligations for the lender under Section 491 et seq. BGB, provided that the lender acts commercially and the borrower is a consumer. Given the typical structure for peer-to-peer lending platforms in Germany, the fronting bank implemented in the structure must typically comply with these obligations.

Further, given that peer-to-peer lending platforms typically offer their services online, the consumer protection rules on distance selling must be considered (Section 312a et seq. BGB). These rules are based on EU law and should in general not differ in the EU Member States.

Capital market law

Generally speaking, the WpPG and the VermAnlG have to be considered if the regulatory framework for crowdfunding and crowd-lending platforms is analysed under German law from a capital market point of view.

The VermAnlG generally applies to profit participating loans, subordinated loans and all other investments that grant a claim to interest and repayment. If such investments are publicly offered, a prospectus or at least an information sheet concerning the investment must be published, unless certain exceptions apply. One of these is explicitly directed to internet platforms engaging in crowd-investment (Section 2a VermAnlG). Under this exception, the obligation to publish a prospectus does not apply to investments that are only brokered via the internet and do not exceed low thresholds ranging from €1,000 to €10,000 per investment. Even if this exception applies, an information sheet must be published.

Should a crowdfunding platform issue or publicly offer securities within the meaning of the WpPG, a prospectus must, subject to certain limited exceptions, also be published. The WpPG obligations, however, have not yet gained material significance in the German fintech market, except for the very few fintech companies using securitisation to refinance. This might change in the future owing to the rise of initial coin offerings (ICOs).36

Future crowdfunding regulatory regime

Starting from November 2021, crowdfunding service providers in the EU will be subject to a single regulatory regime set out in the ECSPR. The key notion of the ECSPR is the 'crowdfunding service' defined as the matching of business funding interests of investors and project owners through the use of a crowdfunding platform and which consists of the facilitation of granting loans or placing without a firm commitment basis, as referred to the MiFID II, of transferable securities and admitted instruments for crowdfunding purposes issued by project owners or a special purpose vehicle, and the reception and transmission of client orders in relation to those transferable securities and admitted instruments for crowdfunding purposes.

Outside the scope of the ECSPR are: crowdfunding services provided to project owners that are consumers (consumer loans are already subject to a separate regulatory regime provided for in the Consumer Credit Directive (Directive (EU) No. 2008/48/EC)) and crowdfunding offers with consideration thresholds exceeding €5 million calculated over 12 months. The rationale behind the €5 million threshold is that most EU Member States have used it for the purposes of the prospectus requirement exemption. Under German law, the WpPG generally sets the total consideration threshold for the prospectus requirement at €8 million (calculated over 12 months) and in the case of consideration between €100,000 and below €8 million (calculated over twelve months) a simplified securities information sheet is required. To address the possible overlapping between the prospectus regime and the ECSPR regime, the ECSPR provides for a temporary derogation provision, pursuant to which – where in a Member State the threshold of total consideration for the publication of a prospectus is below €5 million – the ECSPR will apply in that Member State only to crowdfunding offers with a total consideration up to the amount of that threshold for a period of 24 months from 10 November 2021 (i.e. from the date on which the ECSPR will start to apply).

Pursuant to the ECSPR, crowdfunding services providers will need to apply for authorisation from the national supervisory authority in the EU Member State and will be registered in an EU register of all operating crowdfunding platforms to be established by the European Securities and Markets Authority (ESMA). The ECSPR sets out unified requirements on the provision of crowdfunding services, including prudential requirements (safeguards of generally no less than €25,000), effective and prudent management, minimum due diligence requirements in respect of project owners to be offered on the crowdfunding platform, requirements on complaints handling and conflicts of interest. In the meantime, ESMA has already issued nine draft regulatory technical standards under the ECSPR on matters such as complaints handling, conflicts of interest, application for authorisation, a key investment information sheet, information and reporting obligations, which are currently in the consultation stage.

It is expected that by providing a single EU-wide regulatory regime, the ECSPR will facilitate the development of the crowdfunding platforms and enable the provision of cross-border crowdfunding services. It remains to be seen how the ECSPR will impact the crowdfunding business in the future.

ii Payment services

The payment services sector was one of the first in the German financial industry where fintech companies became active and visible. This is one of the reasons for fragmentation of the payment services market, which has recently begun to consolidate. Significant changes from the fintech perspective came with the second Payment Services Directive (EU) 2015/2366 (PSD II), implemented into German law at the beginning of 2018. The revised payment services regime has offered new business opportunities especially for nimble fintech companies. The reason behind this was that account information services and payment initiation services as new payment services were introduced under the revised ZAG. The providers of such services have been granted a legal claim for access to payment accounts against the banks that maintain such payment accounts for their customers. This has been perceived as a game changer insofar as traditional banks can no longer prevent their competitors from accessing the accounts of customers who consent to such access (open banking). However, experiences so far suggest that providing the required application programming interfaces is a time-consuming process. In addition, some market observers have criticised credit institutions for using the PSD II rules as an instrument to prevent competition by fintechs (e.g., by no longer offering the previously established connections via the German independent online banking protocol (FinTS)).

Further business opportunities have come with additional regulatory burdens. Providing payment services is generally subject to a licence requirement, unless certain exceptions apply. The scope of this licence requirement comprises the providers of account information and payment initiation services even though these service providers do not acquire at any time possession of their customers' funds. On account of this consideration, the regulatory requirements for a licence to provide payment initiation or account information services are less strict than for a licence to provide traditional payment services.

The revised ZAG aims to foster technological innovation and competition on the payment market.37 Under the relevant provisions (Section 58a ZAG) – which have been labelled by some market observers as 'Lex Apple Pay' – payment services providers and e-money issuers have been granted the right to obtain access to certain key technical infrastructure. 'System companies' contributing through technical infrastructure services to the provision of payment services or the conduct of e-money business in Germany are obliged, upon request of a payment services provider or e-money issuer, to make such technical infrastructure services available and provide necessary access against consideration and without undue delay. The obligation does not apply if the relevant technical infrastructure is used by no more than 10 payment services providers or e-money issuers or if the company has no more than 2 million registered users. The company may also deny access in case of objective reasons; for example, if the security and integrity of the technical infrastructure services would be jeopardised. The recent statutory rules are not based on EU law and are considered to be the reaction to some system providers refusing to open their systems to facilitate more competition in the area of mobile payments.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

i Cryptocurrencies

Cryptocurrencies such as Bitcoin undoubtedly constitute a challenge for the German law from regulatory, civil law and tax perspectives. Certain clarity has been achieved by the legal definition of crypto values (such as Bitcoin) in connection with the implementation of the Fifth EU AML Directive into German law in 2020. Crypto values are now included in the catalogue of financial instruments under the KWG so that various activities relating to crypto values are clearly within the scope of certain licence requirements. Further, the crypto custody business has been introduced as a new type of financial service, which is subject to a licence requirement under the KWG.

Crypto values are defined as digital representations of a value that is not issued or guaranteed by a central bank or a public authority, does not possess a statutory status of currency or money, but which is accepted by natural or legal persons as a means of exchange or payment, or which serves investment purposes and which can be transferred, stored and traded electronically. This broad definition is aimed at comprising any uses of virtual currencies, including as a means of investment. So far, the definition of crypto values includes not only tokens with exchange and payment functions (including cryptocurrencies), which may anyway fall under the scope of financial instruments as the 'units of account' within the meaning of Section 1(11) sent. 1 No. 7 KWG, but also tokens used for investment. Such security or investment tokens may also qualify as investment products, debt instruments or units in collective investment schemes under Section 1 (11) sent. 1 Nos. 2, 3 or 5 KWG.38

Not covered by the definition of crypto values are domestic and foreign legal tender, electronic money, monetary value stored on payment instruments falling under the limited network exemption within the meaning of PSD II and payment transactions of providers of electronic communications networks or services.39 Also not covered are electronic vouchers for the purchase of goods or services from the issuer or a third party that are intended to have an economic function in relation to the issuer only through redemption and that are therefore not tradable and, as a result of their design, do not reflect investor-like expectations regarding the performance of the voucher or the general business performance of the issuer or a third party in terms of value or accounting.40

The amendments with respect to crypto values reflect to a certain extent the previous administrative practice of BaFin that took the first steps towards the regulation of cryptocurrencies in Germany by adopting a broad interpretation of the term 'financial instrument' within the meaning of the KWG. This approach was partially criticised and not shared in a ruling of a higher regional court in criminal proceedings.41

The recent changes of the KWG have resolved the controversy on the qualification of cryptocurrencies as financial instruments and has, in doing so, contributed to more legal clarity. However, the German legislator only changed the definition of 'financial instrument' for the purpose of the licensing requirement but not with regard to the conduct rules set out in the WpHG, which effectively reflect the MiFID II provisions. Therefore, a service provider operating a marketplace for cryptocurrencies may fall within the licence requirement for an operator of multilateral trading facilities within the meaning of the KWG but may not be obliged to adhere to the rules of conduct set out for such operators in the WpHG.

Against this background, one should thoroughly analyse the legal risks related to relevant business models and assess whether and which licence requirements and conduct rules may apply. In particular, buying and purchasing cryptocurrencies in the service provider's own name for the account of others may constitute banking business in the form of principal brokering business.42 Further, brokering cryptocurrencies may constitute for licensing purposes investment brokerage,43 whereas advising on the purchase or sale of cryptocurrencies may be considered investment advice.44 Also, the operation of a platform on which cryptocurrencies can be traded may qualify as a multilateral trading platform within the meaning of Section 1(1a) sent. 2 No. (1b) KWG and may, therefore, be subject to a licence requirement.45 The activity involving custody, management and safeguarding of crypto values or private cryptographic keys may also fall within the scope of the recently regulated crypto custody business. This new type of financial service and the related licence requirement may be relevant for domestic companies as well as cross-border service providers and their agents that intend to or have already been offering such services.46

However, neither the mining, nor the purchase or sale of cryptocurrencies in one's own name and for one's own account is subject to a licence requirement. Therefore, cryptocurrencies may generally be used as means of payment and generated by mining without any special permission.

From a civil law perspective, many questions have not yet definitively been answered. The uncertainty starts with the applicable jurisdiction and laws generally for a cryptocurrency. These questions become relevant if, for instance, cryptocurrency units are transferred or pledged. Further, it is still unclear which disclosure and information obligations apply in cryptocurrency transactions.

Interestingly, the usually complex tax analysis has at least partly been clarified for cryptocurrencies through a decision by the European Court of Justice (CJEU).47

According to the principles of this decision that were incorporated into German tax law,48 exchanging regular currencies into Bitcoin (or comparable cryptocurrencies) and vice versa shall be tax-free with respect to value added tax according to Section 4 No. 8b of the Turnover Tax Code (UStG). In addition, using Bitcoin or comparable cryptocurrencies as payment and the process of mining are tax-free.

Other transactions concerning cryptocurrencies may, however, be affected by tax law.

From an accounting perspective, cryptocurrency units like Bitcoin are transferable so that it appears necessary to account for them as assets on the balance sheet.

If they qualify as assets that support the business for only a short period (current assets), they may have to be recorded as 'other assets' according to Section 266 (2) B II No. 4 of the Commercial Code (HGB).49 If the cryptocurrency units qualify as assets that support the business for a long period (fixed assets) they should be taken accounted for as acquired immaterial assets according to Section 266(2) A I No. 2 of the HGB.50

ii Initial coin offerings

Initial coin offerings (ICOs) are sales of virtual tokens to raise funds for general corporate purposes or a specific project typically described in more detail in a White Paper. Depending on the structure of the ICO, tokens may be bought with regular or virtual currencies and may grant specific rights such as participation rights and profit shares, or no right at all. While the discussions and structures of ICOs and tokens are still in flux, tokens that can be offered in an ICO may be categorised as follows:

  1. cryptocurrency tokens are meant to pay for goods or services external to the platform or not only exclusively between the platform and its users but also between users;
  2. utility tokens are supposed to convey some functional utility to token holders other than or in addition to payment for goods or services, in the form of access to a product or service. These tokens come with particular rights, such as a right of access to a future service, a right to redeem the token for another token or service or voting rights which are often designed to shape the functionality of the product; and
  3. security tokens are comparable to traditional securities set out in Article 4(1)(44) MiFID II such as conventional debt or equity instruments.51

This rough categorisation – which corresponds to the general approach pursued by BaFin – illustrates that tokens may differ significantly. Following the amendments to the KWG, as from 1 January 2020, tokens with exchange and payment functions and tokens used for investment – for example, security tokens and investment tokens – are likely to fall within the broad definition of cryptographic values and thus constitute financial instruments under KWG (aside from possible classification of such tokens as other types of financial instruments, which is to be assessed on a case-by-case basis).52

Consequently, each ICO must be thoroughly analysed with respect to its regulatory and capital market requirements. BaFin determines the applicability of the relevant legislation including the KWG, the ZAG, the WpPG, the KAGB and the VermAnlG case by case, depending on the specific contractual arrangements. Where tokens resemble participation rights that might be classified as securities under the WpPG or capital investments under the VermAnlG, a prospectus for the marketing of the tokens may be required. So far it could be questioned whether a fully digitalised token constitutes a security within the meaning of the WpPG, as under German securities law such a security requires a certificate. However, in February 2019, for the first time BaFin approved a prospectus for a public offer of fully digitalised blockchain-based tokens under the WpPG regime, which was quite unexpected.

In the meantime, the issue of fully digitalised offerings of securities has been the subject matter of extensive discussions that were supported through a joint paper published by the German Federal Ministry of Finance and the German Federal Ministry of Justice concerning the future regulatory framework for blockchain-based securities and crypto-tokens.53 In light of the objectives pursued by this paper, the German government has recently presented a draft bill concerning securities dematerialisation and the use of the distributed ledger technology for transactions in securities. The draft bill, if adopted in this or a comparable form, would enable the (optional) full dematerialisation of securities, so far mandatorily issued in the form of certificates, and facilitate the use of distributed-ledger/blockchain technology in the field of financial instruments. The newly proposed regulation introduces the notion of an 'electronic security' defined as a property object that is subject of a right in rem. The new law, if adopted, will give the issuers the choice between two types of dematerialised securities. The first type of securities will be subject to registration with a central securities depository within the meaning of Regulation (EU) 909/2014 (CSDR), which is in Germany currently only Clearstream Banking AG, or with a licensed custodian. The second type will be crypto securities, registered in a crypto securities registry kept by the issuers themselves or by other entities. In this regard, keeping crypto securities registries will require a licence from BaFin and be subject to regulatory supervision. The proposed law is currently subject to intensive discussions; therefore, it remains to be seen whether and with what modifications it will be adopted. Although it generally follows the technology-neutral approach of 'same business, same risk, same regulation', if adopted, it will likely facilitate the use of distributed ledger and blockchain technology in Germany and other EU Member States.

In addition to a prospectus requirement, any professional service provided in connection with the trading of tokens – including an agreement to acquire, or the sale or purchase of tokens, when qualified as units of account or crypto values – would, as a general rule, require a licence from BaFin.54 Further, issuers of tokens should be aware that consumer protection laws might apply to the sale of tokens via internet. So, the underlying contract may qualify as a distance contract resulting in information obligations according to Section 312(i) BGB. Provided that the contract is considered as financial service, further information must be provided according to Section 312(d) BGB.55

At the EU level, the issue of cryptoassets and, thus, also ICOs has been recently addressed by the Commission as part of the EU Digital Finance Package published in September 2020.56 The Commission submitted a proposal for an EU-wide directly applicable regulation on Markets in Crypto-assets (MiCA). The proposal generally applies a comprehensive full harmonisation approach, including a unified regime on transparency and disclosure requirements for the issuance and admission to trading, operation, organisation and governance of issuers and in-scope service providers, consumer protection rules, preventing market abuse and ensuring integrity of cryptoassets markets. The proposal differentiates between the categories of cryptoassets, including cryptoassets (as such), asset-referenced tokens (often referred to as 'stablecoins'), electronic money tokens and utility tokens. Generally, all cryptoassets (defined as digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology) shall be in-scope of MiCA if not already covered by the existing EU financial services regime (e.g., as financial instruments under MiFID II). Regulated cryptoasset services shall include custody and administration on behalf of third parties, operation of a trading platform, exchange of cryptoassets for fiat currency that is legal tender and for other cryptoassets, execution of orders on behalf of third parties, placing, reception and transmission of orders on behalf of third parties and providing advice. Certain reliefs, including exemption from the rather detailed white paper requirement shall apply to small and medium issuers where the total consideration of an offer to the public does not exceed €1 million over twelve months. Stringent requirements shall generally apply to stablecoins.

MiCA is expected to provide legal clarity and certainty, promote safe development of cryptoassets and the use of digital ledger technology in financial services, support competition and innovation while protecting consumers and investors and address potential financial stability and monetary risks. In addition, the proposal is expected to increase the funding of companies through ICOs and securities token offerings.

EU-wide regulation of the cryptoassets, which are as such the major application of distributed ledger technology (DLT) and blockchain technology in finance, goes hand in hand with proposed EU-level pilot blockchain sandbox regime. As part of the EU Digital Finance Package, the Commission proposed EU regulation for market infrastructures based on distributed ledger technology The proposed regulation if adopted will provide rules for a pan-European blockchain regulatory sandbox aimed at allowing fintech companies active in the field of DLT and blockchain technology to benefit from temporary derogation of regulatory requirements under regulatory supervision ensuring the keeping of appropriate safeguards and it will enable the regulators to deepen their understanding of the innovative fintech models and emerging technologies.

iii Money laundering rules

Tokens and cryptocurrencies in general are perceived as highly susceptible to money laundering and terrorism financing. In this respect, a certain clarity with regard to the applicability of the AML regime has been provided by the law implementing the Fifth EU-AML Directive in Germany, in force since 1 January 2020. As already outlined above, the law introduced a broad definition of crypto values and classified them as financial instruments under the KWG. In principle, the scope of the definition generally includes tokens with exchange and payment functions (e.g., cryptocurrencies) and tokens used for investment (e.g., security tokens and investment tokens).57 This generally means that services concerning cryptocurrencies and tokens – for instance, buying and purchasing cryptocurrencies in the service provider's own name for the account of others, advising on the purchase or sale of cryptocurrencies or operation of a platform on which cryptocurrencies can be traded – may fall under the scope of regulated services and require a KWG licence for, in particular, principal brokering business,58 investment brokerage,59 investment advice60 or operation of a multilateral trading platform.61 In addition, the management and safeguarding of crypto values or private cryptographic keys may require obtaining a KWG licence if other general statutory prerequisites under KWG (in essence, commercial character or a scale that requires a commercially organised business undertaking) are fulfilled. Services providers whose activities fall within the scope of the KWG licence requirements are obliged entities within the meaning of the GwG and must, therefore, adhere to the duties set out therein. These include the obligation to conduct adequate customer due diligence, to implement adequate risk management systems aimed at preventing money laundering and terrorism financing and, as appropriate, notifying the Financial Intelligence Unit of any suspect transactions as well as fulfilling respective reporting obligations in relation to the transparency register. Nonetheless, even prior to the implementation of the Fifth EU-AML Directive into German law, cryptocurrency and ICO service providers were often required to obtain a KWG licence and, as a result, comply with the German AML requirements. This was owing to the broad interpretation of the term 'financial instrument' within the meaning of the KWG according to BaFin's previous administrative practice.62

An interesting and, so far, not fully clarified question is whether the issuer of tokens in an ICO may be subject to such obligations under the GwG. This may well be the case because such an issuer might be regarded as a person trading in goods within the meaning of Section 1(9) GwG.63 For persons trading in goods, however, the full set of obligations under the GwG does not apply; instead, they need only – in the absence of a specific suspicion – identify their counterparty if they pay or receive a cash payment of at least €10,000 (Section 10(6) GwG).

Even aside from the significant developments concerning the licensing regime under which certain new entities involved in the fintech business may require a licence from BaFin and, thus, become – as obliged entities – subject to the AML requirements, the AML regime is also as such constantly evolving. Pursuant to the Commission's action plan for a comprehensive EU policy on preventing money laundering and terrorist financing published in May 2020,64 certain matters currently regulated by the Fourth and the Fifth EU-AML Directive should be in future governed by an EU-wide regulation directly applicable in all EU member states. Therefore, it may be expected that forthcoming developments of the EU AML regime will further result in even higher and more harmonised standards in the EU Member States.

Other new business models

Generally speaking, it seems difficult to identify totally new business models that have already established themselves in the past one or two years. Instead, one can observe various trends accommodating the needs caused by the covid-19 pandemic as well as enhanced efforts to find specific uses for blockchain technology and for artificial intelligence.

These efforts can be illustrated by the cooperation of Deutsche Bundesbank with Deutsche Börse aimed to develop solutions for a securities settlement system that facilitates the delivery of securities against virtual currency units on the basis of the distributed ledger technology.65 Participants in the capital markets in general appear to seek increasingly successful business models exploiting the potential of fintech. The first placings of promissory notes and commercial papers (even though these papers have not been governed by German law) have been made in Germany by taking advantage of the blockchain technology and of highly digitalised platforms.

A relatively new and successful phenomenon on the German fintech market is development of 'neo-brokerage apps' operating mostly on a commission-free (or almost commission-free) basis. The neo-brokerage firms offer trading in a variety of products, from very selective to a wide range, including stocks, forex, commodities, exchange traded funds and digital assets. The neo-brokers have recently become very popular because of the nil cost (or a very low flat fee) for the users and also as a result of the growing interest in investments and capital markets among retail investors trying to find new investment opportunities beyond bank deposits bearing no or even negative interests. Neo brokers operate either on the basis of their own BaFin-licence for the provision of financial services or they use the services of a fronting BaFin-licensed institution that ensures compliance with the regulatory requirements.

A current DLT and blockchain-related trend known as decentralised finance (DeFi) is a recent phenomenon in the fintech business that could potentially become a part of the digital disruption. As a digital environment of a wide range of financial applications built on blockchain, including borrowing, lending, exchange, issuance of tokens, asset-backed cryptoassets (stablecoins) etc., DeFi has raised significant interest and a financial boost since mid-2020, although not yet shaped as a concrete business model, but rather a collection of multiple individual projects and apps. A sub-trend in the fintech world that has recently started to develop is 'wealthtech', focused on wealth and property management with the use of the fintech tools. Further, the way in which artificial intelligence could support anti-money laundering compliance and the compliance function in general, which is sometimes called 'digital compliance', is also being investigated. In this regard, however, it seems too early to maintain that new business models have already established themselves on the German market. In general, the operation of business models involving the use of AI is subject to the regulatory requirements applicable to already known business models in line with the technology-neutral approach of 'same business, same risk, same regulation'. This means that for each relevant fintech business model, careful analysis should judge whether it falls within the scope of one or several regulated services and which regulatory requirements apply. In essence, the KWG-licensed institutions using programs and algorithms involving AI must ensure that they maintain a proper business organisation,66 in particular, adequate and effective risk management, and that the use of such programs and algorithms is in line with such general regulatory requirements. This includes processes for determining and safeguarding the sustainability of services, internal control procedures and internal control systems, adequate contingency plans, especially for IT systems, complete documentation of business operations permitting seamless monitoring by BaFin as well as compliance with outsourcing requirements. The exact arrangement of the business organisation should be appropriate for the nature, scope, complexity and risk content of the institution's business activities. In this regard, the minimum requirements for risk management in BaFin's Circular No. 09/2017 (MaRisk)67 and with the supervisory requirements for IT in BaFin's Circular No. 10/2017 (BAIT)68 have to be met.

With respect to the use of algorithms by KWG-licensed institutions, BaFin has recently confirmed its approach that it does not grant general a priori approvals for the use of algorithms in decision-making processes and that its administrative practice is technology-neutral.69 The legal reasoning behind this approach is generally twofold: the nature of the risk-oriented and ad hoc financial supervision on the one hand and the lack of a statutory basis for general a priori algorithms approvals on the other.70 As to the former, the supervisory requirements do not primarily concern the algorithm itself; instead, the focus of supervision is on the entire decision-making process in which the relevant algorithm is embedded; therefore, compliance with general requirements on proper business organisation and risk management plays a key role.71 With respect to the lack of a statutory legal basis for algorithms approval, two exceptions should be noted in which the regulation of the use of algorithms may be derived from the law itself (e.g., determination of capital and solvency requirements). However, even in such cases the supervisory authorities will not grant an a priori approval. Instead, they conduct a risk-oriented assessment of the relevant decision-making and other procedures taking into account the available data and its quality.72

The approach of technological neutrality applies generally also to the regulation of KWG licence requirements. In this respect, one might consider high-frequency trading (a special form of proprietary trading)73 as an exception. Per definition, high frequency trading includes the use of algorithms for the sale and purchase of financial instruments.74 While German supervisory rules generally do not provide for specific notification obligations in the case of the use of particular software or algorithms, high frequency trades have to adhere to specific notification requirements.75

Worth mentioning in the context of recent and successful fintech-related business models is the increasing digitalisation in the insurance sector. New service providers have evolved that primarily broker insurance via smartphones quickly and simply. Certainly, such brokers must also comply with the general information duties relating to the brokerage of insurance contracts.

Also successful, but not strictly new, are product comparison websites, which have become very popular with price-conscious consumers. The influence of such offerings on the market is governed by the general competition rules. These include that price comparison tests must be performed in a competent manner, seek to be objectively accurate and be neutral.76 Also, the incorporation of 'fintech banks' is noteworthy in connection with new business models. These fintech banks hold a comprehensive licence to conduct banking business but still perceive themselves to be fintech companies. Their business model is based on digitalisation, and they partly offer white-label solutions, namely they may seek to cooperate with other fintech companies that need licensed banks for their business model. This illustrates that some fintech banks position themselves as 'platform banks', where cooperation partners may find specific service offerings that they can use to complement their own products or services.

Intellectual property and data protection

i Intellectual property

A business model as such cannot be protected by copyright law. Therefore, it is not uncommon for successful fintech business models to be copied and optimised. Computer programs, however, that are characterised by a minimum of individuality and originality are subject to copyright protection according to Section 2 of the Act on Copyright and Neighbouring Rights (UrhG).77

Under German law, copyright can be neither registered nor transferred, as the copyright itself emerges the moment the piece of work, such as the software, is created by its actual originator.78 The capacity of being the originator is strictly connected to a natural person and may therefore not be transferred.79 Obviously, the lack of registration leads to various practical problems that often result in lawsuits. Nonetheless, a licence may be granted enabling the holder to make use of the piece of work in every or in particular matters (Section 31 of the UrhG). Employees and their employers implicitly agree on a full licence by drafting the employment contract.80 Therefore, the employer is allowed to make use of the piece of work. Concerning computer programs, another rule applies (Section 69b of the UrhG), granting the employer even more rights. Unless agreed otherwise, the employee is owed no compensation.81

ii Data protection

Generally speaking, data protection is governed the General Data Protection Regulation (GDPR), which replaced to a material extent the previous version of the Federal Act on Data Protection as of 25 May 2018 without, however, changing the fundamental principles of German data protection law. The GDPR intends to prevent the collection and use of data related to individuals unless it is duly necessary to do so (Article 1 of the GDPR). Data are considered to be related to individuals if the responsible body has the legal means that enable it to identify the data subject.82

Collection and processing of data related to individuals is only permitted if it is explicitly allowed by law or if the data subject consents (Article 6(1) GDPR). Additionally, the user must be informed about nature, extent and purpose of data collection.

Digital profiling has to comply with the general principles stated above. The GDPR does not regulate digital profiling as such but focuses on some of its typical forms: firstly, the automated individual decision-making, including profiling, must comply with Article 22 of the GDPR; secondly, a decision that produces legal effects on the data subject or has a similarly significant influence on the data subject must not be based solely on automated processing (Article 22(1) GDPR). However, Article 22(1) GDPR shall not apply, if the decision: (1) is necessary for entering into, or performance of, a contract between the data subject and the data controller; (2) is authorised by law to which the controller is subject and that also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is based on the data subject's explicit consent (Article 22(2) GDPR).

Year in review

Considering the developments in the fintech sector within the past months and years, the following trends appear worth emphasising.

Overall, it seems that the fintech market in Germany has continued to demonstrate growing maturity and has recently reached a consolidation phase. This, and the fact that business models of German fintech companies have been able to implement commercially viable business models, is illustrated by one of the German fintech banks that became the first German fintech 'unicorn', with a market evaluation of more than €1 billion by significant financings in 2018. However, scaling their operations is still difficult for many local fintechs, which may also be a result of the increasing efforts of incumbent institutions to take advantage of the lessons learned from fintechs concerning innovation and customer experience. Traditional players in the financial sector use these insights not only by establishing cooperations and partnerships with fintech companies and including fintechs in their value chains but also by developing their own digital offerings.

In the past months, the fintech market and the financial market in general has been exposed to significant changes caused by the current covid-19 pandemic. Yet, although the dynamics of the capital investments in the opening of new start-ups has been reported to slightly decline, new opportunities have emerged as a result of an increased need for payment and digital fintech products, including online trading apps (hand in hand with the necessity of preventing massive price fluctuations of stocks via such apps).

Certain challenges for the regulatory sector in Germany have been identified in the aftermath of the Wirecard insolvency considered to be the result of an extensive fraud. Recently, the German government has prepared a draft legislation, including a significant increase on the liability caps of auditors, mandatory rotation rules and auditors' rights with regard to outsourcing service providers. It is to be expected that, in light of the Wirecard insolvency, the administrative practice will adhere to its principle 'same business, same risk, same regulation' approach and pursue it even more diligently.

The importance of the digital technologies for the financial markets and the need for legal clarity has been visibly recognised by the legislators and supervisors. At the EU level, this is reflected in particular by several proposals of legislative packages including on matters such as cryptoassets, cryptocurrencies, stablecoins and ICOs providing for a unified regulatory and licensing regime in the EU. Also, the Commission proposed to introduce an EU-level sandbox model to facilitate the development of DLT and blockchain-based technologies and increasing the regulators' understanding of these technologies.

In Germany, the recent implementation of the Fifth EU-AML Directive providing for a broad legal definition of crypto values not only resulted in enhanced AML obligations for service providers engaging in the cryptocurrency business but also introduced a licence requirement for the crypto custody business. Also, the currently pending legislative process, if successfully completed, will provide a legal framework for dematerialisation of securities that could be partly kept with the use of DLT and blockchain technologies.

Outlook and conclusions

Given the numerous initiatives at an international, EU and national level dealing with the regulatory challenges of fintech, both those recently adopted and those still in the legislative procedure, it seems that the legal framework for the operation of fintech business models is becoming significantly more harmonised and expressly regulated. This, however, does not necessarily need to be detrimental to fintechs and their offerings. The new regulatory and licensing regime is likely to bring more clarity for the market participants as well as further increase the transparency and protection of the customers.

A clear and harmonised licensing regime in all EU Member States, addressing certain fintech-related services such as in the field of markets in cryptoassets, once adopted, would facilitate the use of the EU passport. Fintech and DLT and blockchain technology will most likely benefit from the adoption of the proposed EU sandbox model. However, because various key legislative proposals have been adopted, but are not yet applicable, and because some of them are even still in the legislative procedure, it remains to be seen how the harmonised regime will influence the fintech market in practice and how the regulators will deal with the application of more and more detailed regulatory framework to the constantly evolving fintech environment. It is not yet certain whether fintechs will continue with their ability to find innovative solutions or whether the regulatory restrictions will turn out to be an inhibiting factor for their future success.

Aside from further DLT and blockchain development and its possible challenges (including compliance with GDPR requirements and the 'right to be forgotten' fenced with a harsh sanctions regime), new developments can be expected in the area of big data and AI.

Finally, it remains to be seen whether and how permanently the current pandemic will impact the fintech market.


1 Jens H Kunz is a partner at Noerr Partnerschaftsgesellschaft mbB.

2 See the English version of BaFin's article: Evolutionary influence of fintechs on the financial sector:

3 ibid.

4 ibid.

5 Commission, Communication: Digital finance package,

6 See Gregor Dorfleitner et al., 'FinTech-Markt in Deutschland', 17 October 2016, a study assigned by the Federal Ministry of Economics.

9 See the English version of the related BaFin-website where BaFin gives a summary of its position on fintech related regulatory questions:

11 ibid.

12 See German Federal Ministry for Economics (Bundesministerium für Wirtschaft),

13 European Central Bank, Report on a digital euro, October 2020,

15 For more details, see Section V.

16 More comprehensive capital and other requirements apply if the robo-adviser is entitled to hold the assets and funds of its clients.

17 Grischuk, Robo-Advice, BaFin Journal from August 2017, p. 20,

18 Section 64(4) Securities Trading Act (WpHG).

19 Section 32(1) of the KWG within the meaning of Section 1 (1a)(2)(3) KWG.

20 Section 63(6) WpHG, Section 302 KAGB and Section 23 KWG.

21 BaFin, Notes regarding the licensing for conducting cross-border banking business and/or providing cross-border financial services, April 2005,

22 See, Federal Administrative Court (Bundesverwaltungsgericht), decision of 22 April 2009, Az. 8 C 2/09, juris margin: 41.

23 BaFin, Freedom to provide services and freedom of establishment of credit institutions in the European Economic Area,

24 See GwG, Annex 2 (factors for potentially higher risk).

26 BaFin, Auslegungs- und Anwendungshinweise zum Geldwäschegesetz, (only available in German).

28 See Section(11) No. 10 KWG.

29 See Financial Stability Board, Crypto-asset markets: Potential channels for future financial stability implications, 10 October 2018,

30 European Commission, Communication: Digital finance package, 24 September 2020.

32 BaFin, Merkblatt zur Erlaubnispflicht von Kreditvermittlungsplattformen, (only available in German).

33 Section 32(1) KWG in connection with Section 1(1) sent. 2 No 2 KWG.

34 Section 32(1) KWG in connection with Section 1(1) sent. 2 No 1 KWG.

35 Section 1(1a) sent. 2 No 9 KWG.

36 See in more detail at Section V.ii.

37 See the financial committee report to the draft bill implementing the Fifth EU-AML Directive into German law of 14 November 2019, p. 52, (available only in German).

38 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, (available only in German).

39 See Section 2(1) sent. 2 No. 10 and 11 ZAG.

40 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, (available only in German).

41 Higher Regional Court of Berlin (Kammergericht Berlin), decision of 25 September 2018 – (4) 161 SS. 28/18 (35/18).

42 Section 1(1) sent. 2 No. 4 KWG.

43 Section 1(1a) sent. 2 No. 1 KWG.

44 Section 1(1a) sent. 2 No. 1a KWG.

45 Münzer, BaFin Journal from January 2014, p. 28 f.

46 See Section II.

47 See European Court of Justice, decision of 22 October 2015, C-264/14, V, Hedqvist.

49 Kirsch / von Wieding, Bilanzierung von Bitcoin nach HGB, BB 2017, 2731, 2734.

50 ibid.

51 Blockchain Bundesverband, Finance Working Group, Statement on token regulation with a focus on token sales (undated), p. 3.

52 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, (available only in German).

54 See in more detail in Section V.i.

55 Blockchain Bundesverband, Statement on token regulation with a focus on token sales, p. 16,

56 Commission, Communication: Digital finance package,

57 See legal reasoning to the bill implementing the Fifth EU-AML Directive into German law of 9 October 2019, p. 110, (available only in German).

58 Section 1(1) sent. 2 No. 4 KWG.

59 Section 1(1a) sent. 2 No. 1 KWG.

60 Section 1(1a) sent. 2 No. 1a KWG.

61 Section 1(1a) sent. 2 No. 1b KWG.

62 See Section V.

63 Blockchain Bundesverband, Statement on token regulation with a focus on token sales, p. 19,

64 Communication from the Commission on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing, 7 May 2020,

66 See Section 25a KWG.

67 See BaFin's Circular: Rundschreiben 09/2017 (BA) - Mindestanforderungen an das Risikomanagement – MaRisk of 27 October 2017, (available only in German).

68 See BaFin's Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions of 5 February 2018, updated on 7 February 2019,

69 See BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17 March 2020, (available only in German).

70 ibid.

71 ibid.

72 ibid.

73 See Section 1(1a) sent. 2 No. 4d KWG.

74 See BaFin, Generelle Billigung von Algorithmen durch die Aufsicht? Nein, aber es gibt Ausnahmen, 17 March 2020, (available only in German).

75 See Section 80(2) sent.5 WpHG.

76 BGH, decision of 9 December 1975 – VI ZR 157/73, 'Warentest II'.

77 See Bullinger, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht, edition 4, Section 2 rec. 24.

78 id., Section 7 rec. 3.

79 See Benkard, Patentgesetz, edition 11, Section 15 rec. 5.

80 See Wandtke, Wandtke/Bullinger, Praxiskommentar zum Urheberrecht edition 4, Section 43 rec. 50.

81 See Rother, Rechte des Arbeitgebers/Dienstherrn am geistigen Eigentum, GRUR Int. 2004, 235, 237.

82 CJEU, decision of 19 October 2016 – C-582/14.

Get unlimited access to all The Law Reviews content