The Financial Technology Law Review: Luxembourg
Luxembourg is a reference jurisdiction for the financial services industry and has always been keen to evolve and implement new innovative technologies in the day-to-day business framework. It should be highlighted that Luxembourg recently passed an amendment to the law on the circulation of securities to include the concept of distributed ledger technology such as blockchain.
The LHoFT Foundation, Luxembourg for Finance, Luxinnovation, Digital Luxembourg and ABBL Fintech map constitute useful sources of information.
Luxembourg provides for an attractive IP and tax regime that allows companies to benefit from a tax exemption of 80 per cent on certain types of eligible income streams, and for other incentives such as investment tax credits and government grants for innovative start-ups.
Regarding corporate tax, Luxembourg-resident companies are subject to corporate income tax (CIT) at a rate of 17 per cent on the basis of their worldwide income. However, companies whose taxable income does not exceed €175,000 are subject to a lower CIT rate of 15 per cent. A contribution to the unemployment fund (7 per cent of the CIT charge) and municipal business tax (6.75 per cent in Luxembourg city), i.e., the aggregate corporate tax rate amounts to 24.94. Luxembourg resident companies are also subject to an annual net wealth tax at a rate of 0.5 per cent on the basis of their total net assets (subject to certain exemptions).
Luxembourg has a prominent financial services industry and a unique opportunity to strategically leverage financial investment and services that could facilitate and accelerate the transition to a digitally interconnected economy through enhancing fintech and entrepreneurship. In that respect, Luxembourg Digital Tech Fund has contributed by investing in tech start-ups and supporting cybersecurity, fintech, big data and digital health. In addition, a good example would be Bitstamp, a Luxembourg-based Bitcoin exchange company that has been granted a payment institution licence by the Luxembourg financial supervisory authority (CSSF) and is acting as a payment institution However, although Luxembourg widely promotes innovation and embraces fintech, and is at the top of the list of fintech-friendly jurisdictions, there are further steps to be taken to ensure a long-lasting implantation of such highly innovative companies.
i Licensing and marketing
In Luxembourg, fintech companies are subject to the following main regulations:
- the Luxembourg Law of 10 November 2009 on payment services, as amended (the 2009 Law);
- the Luxembourg Law of 5 April 1993 on the financial sector, as amended (the 1993 Law);
- CSSF-related regulations and circulars, provided that their activities fall within the scope of the above-mentioned laws;
- the Luxembourg Law of 3 May 2018 on markets in financial instruments, implementing Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments;
- the Luxembourg Law of 7 December 2015 on the insurance sector (the 2015 Law);
- the Luxembourg Consumer Code (the Consumer Code); and
- the Luxembourg Law of 14 August 2000 on electronic commerce, as amended.
There is no special fintech licence in Luxembourg. However, activities performed by fintechs may be subject to licensing requirements pursuant to the 2009 Law, the 1993 Law, or the 2015 Law.
In addition, since activities performed by fintechs can be qualified as 'economic activities', they may be subject to the prior granting of a business licence.
Fintechs that would like to establish themselves in Luxembourg in order to carry out an activity of the financial sector (e.g., the issuing of means of payments in the form of virtual or other currencies, the provision of payment services using virtual or other currencies, or the creation of a market (platform) to trade virtual or other currencies) must define their business purpose and their activity in a sufficiently concrete and precise manner to allow the CSSF to determine for which status they need to receive the ministerial authorisation.2
Insurtechs and reinsurtechs that would like to establish themselves in Luxembourg in order to carry out an activity of the insurance or reinsurance sectors must submit their project to the Luxembourg Supervisor of the Insurance Sector (CAA).
The business licence is issued to businesses (professionals operating under their own name, or companies) within three months, which may be extended by an additional month in certain cases, if:
- the applicant fulfils the legal conditions for qualification (when required) and professional integrity for the activity concerned; and
- the business has a fixed physical establishment in Luxembourg (no 'letterbox companies').
The business licence is required for any person that wishes to engage in the following professional activities as a self-employed person or as a company:
- commercial activity (trade, HORECA (hotel, restaurant and catering sector), transports, industry, etc.);
- craft activity (food, fashion, construction, mechanical engineering, audiovisual, entertainment, art, etc.); or
- certain liberal professions that are mainly intellectual in nature.
Undertakings that carry out an activity of the financial sector must obtain an authorisation from the Minister of Finance and are subject to the prudential supervision of the CSSF.
The activity of direct insurance or reinsurance is subject to prior authorisation from the minister with responsibility for the insurance sector through the CAA.
With respect to the business licence, it is granted by the General Directorate for Small and Medium-Sized Enterprises.
In Luxembourg, digital financial advisory services, in the same manner as traditional financial advice services, are subject to the regulatory requirements of the CSSF. The type of licensing required by a robo-adviser to perform its activities depends on the operating model chosen including the services provided, the contractual arrangements and the structure of the platform. Robo-advisers need to obtain an authorisation as:
- investment advisers: in the same way as traditional, non-automated financial advisers that limit themselves to advisory services and do not intervene in the implementation of the advice provided by them (Article 24 of the 1993 Law);
- private portfolio managers: whenever robo-advisers use the technology to manage portfolios as per client's mandates on a discretionary client-by-client basis (Article 24-3 of the 1993 Law);
- brokers in financial instruments: when their servicing consists of the role of an intermediary by either encouraging parties to be brought together with a view to the conclusion of a transaction, or in passing on their clients' purchase or sale orders without holding the investments of the clients (Article 24-1 of the 1993 Law); and
- commission agents: in cases where robo-advisers execute orders on behalf of clients and in relation to one or more financial instruments (Article 24-2 of the 1993 Law).
To obtain a licence, a formal application needs to be submitted to the CSSF. The format of the application varies with the nature of the robo-advice activity envisaged.
Fintechs offering robo-advisers should regularly monitor the effectiveness and appropriateness (in line with MiFID II3 requirements) of the advice provided to avoid mis-selling. Precautionary mechanisms should be in place to be able to suspend the provision of advice should errors or bias be detected.4
Asset management company
Authorisation to act as a management company is subject to the requirements as set out in the Law of 17 December 2010 relating to undertakings for collective investment (the 2010 Law).
There are special rules on credit information services (e.g., pre-contractual information, information to be mentioned in the credit agreements, right of cancellation) to comply with those that are detailed in the Consumer Code.
Luxembourg payment institutions and electronic money institutions that intend to provide payment services in the territory of another Member State, either through the establishment of a branch, through the use of agents or through the freedom to provide services, are subject to information requirements to be disclosed to the CSSF.
Only Professionals of the financial sector (PFSs) belonging in the category of 'investment firms' (such as investment advisers, brokers in financial instruments, commission agents and private portfolio managers) can hold a European passport (the EU Passport).5
On the contrary, specialised PFSs (such as professionals providing company incorporation and management services, professionals performing lending operations and corporate domiciliation agents) and support PFSs (such as client communication agents, primary IT systems operators of the financial sector, secondary IT systems and communication networks operators of the financial sector) may not benefit from the EU Passport. As a consequence, specialised PFSs and support PFSs would need to obtain an authorisation from the competent authority of the host Member State in which they intend to operate.
The EU Passport covers:
- the investment services listed in Section A of Annex II of the 1993 Law (such as dealing on own account, portfolio management and investment advice); and
- where appropriate, one or more of the ancillary services listed in Section C of Annex II of the 1993 Law (such as safekeeping and administration of financial instruments for the account of clients, granting credits or loans to an investor to allow him or her to carry out a transaction in one or more financial instruments, or foreign exchange services where these are connected to the provision of investment services).
ii Cross-border issues
EU payment institutions and electronic money institutions
Payment institutions andelectronic money institutions for which the home Member State is a Member State other than Luxembourg, may provide payment services or electronic money services in Luxembourg, either through the establishment of a branch or through the engagement of an agent or the provision of services, provided that their activities are covered by their authorisation.
Third-country payment institutions and electronic money institutions
Payment institutions incorporated in third countries wishing to establish a branch in Luxembourg are subject to the same authorisation rules as payment institutions for which Luxembourg is the home Member State. Compliance by the foreign institution with the required conditions for authorisation shall be assessed (i.e., professional standing and experience of the persons responsible for the branch, central administration in Luxembourg and adequate administrative infrastructure in Luxembourg).
EU credit institutions, investment firms and financial institutions
Provided that their activities are covered by their authorisation, EU-based credit institutions, investment firms and financial institutions may exercise their activities in Luxembourg by the way of:
- the provision of services;
- through the establishment of a branch; or
- through the use of a tied agent.
The tied agent is assimilated to the Luxembourg branch and is subject to the provisions of the 1993 Law applicable to Luxembourg branches of EU credit institutions and investment firms.6
EU-based financial institutions may also benefit from the EU Passport provided that they meet certain requirements (such as the financial institution being the subsidiary of a credit institution or the jointly owned subsidiary of several credit institutions).7
Third-country credit institutions and third-country PFS other than investment firms
The exercise of third-country credit institutions (for their banking activities) and PFSs other than investment firms' activities in Luxembourg requires the establishment of a branch. They are subject to the same authorisation rules as those applying to credit institutions and other professionals governed by Luxembourg law, as respectively covered in the 1993 Law.8
On the contrary, if these third-country firms are not established in Luxembourg but occasionally and temporarily come to Luxembourg to, among other things, collect deposits and other repayable funds from the public and to provide any other service under the 1993 Law, they must hold an authorisation from the Minister responsible for the CSSF.
These third-country firms are subject to equivalent authorisation and supervisory rules to those of the 1993 Law in their home Member State.9
There is no distinction provided in the 2009 Law or in the 1993 Law between the different types of fintech services or products that may be offered from abroad into Luxembourg without a physical presence in Luxembourg.
Pursuant to both the 2009 Law and the 1993 Law, fintech services or products may be offered from abroad into Luxembourg by an entity without a physical presence in Luxembourg only through the provision of services by EU-based entities (payment institution or electronic money institutions, credit institutions, investment firms or financial institutions).
The establishment of a branch is, however, required if the fintech services or products are offered in Luxembourg from a third-country (non-EU) firm (payment institution or electronic money institutions, credit institutions or third-country PFSs other than investment firms.
Pursuant to both the 2009 Law and the 1993 Law, EU-based entities (payment institution or electronic money institutions, credit institutions, investment firms or financial institutions) do not need to obtain a local licence if they provide cross-border services and products and benefit from the EU Passport to the extent these services are all passportable.
Regarding whether services or products are actively marketed or if the client solicits the service or product, this is only relevant if a third-country firm intends to provide investment services (e.g., investment advice or portfolio management) in Luxembourg. In such case, the 1993 Law distinguishes two situations depending on the clients targeted and whether the provision of the investment service is exclusively initiated by the client, given below.10
First, when targeting eligible counterparties or professionals clients, equivalence and cooperation must be taken into account. In the absence of an equivalence decision of the European Commission taken in accordance with Article 47(1) of the Markets in Financial Instruments Regulation,11 the third-country firm may also provide investment services in Luxembourg to eligible counterparties and professional clients, provided that the following conditions are fulfilled:
- it is permitted within its jurisdiction to provide investment services and engage in investment activities that it wishes to offer to Luxembourg;
- it is subject to supervision and authorisation requirements that the CSSF considers equivalent to those of the 1993 Law; and
- cooperation between the CSSF and the supervisory authority of this firm is ensured.
Second, when targeting retail clients or clients who may be treated as professionals on request, obligation to establish a branch must be taken into account. If the third-country firm intends to provide in Luxembourg investment services to retail clients or clients who may be treated as professionals on request within the meaning of Annex III, Section B of the 1993 Law, it must establish a branch and is subject to the same authorisation requirements as the Luxembourg credit institutions and investment firms. CSSF approval is granted upon written request and after instruction by the CSSF. The decision taken on an application for approval shall be notified to the undertaking applicant within six months of the submission of a complete application, failing which the absence decision is equivalent to the notification of a refusal decision.
iii Provision of services at the exclusive initiative of the client
A third-country firm will not need any authorisation in Luxembourg in the case of reverse solicitation.
Where a client established or situated in the EU exclusively initiates the provision of investment services by a third-country firm, the requirement for authorisation will not apply to the provision of the investment services by the third-country firm. An initiative by such clients shall, nevertheless, not entitle the third-country firm to market new categories of investment products or investment services to those clients.
Digital identity and onboarding
Regarding digital identity in Luxembourg, the electronic ID (eID) card is a card with an electronic chip that contains digital data and two electronic certificates that allow the holder to authenticate themselves or to sign online documents in various web applications. The eID is issued by the state (i.e., the Government IT Centre (CTIE) – eID applications service). A card reader and a specific application on the user's computer are needed for use of eID. The reader can be purchased at the CTIE, as well as in certain municipalities. The required software application (middleware) can be downloaded for free on the LuxTrust website. After the application (middleware) is installed and the eID is detected by the card reader, a pin request (secret code) will pop up on the screen. The PIN code must be entered for the first time. After that, the PIN code must be entered at each authentication request from applications being used, or whenever it is needed to sign a document electronically.
The eID is available to Luxembourg nationals only, and not to non-nationals. Non-nationals can, however, use other forms of e-signing techniques (Token, Smartcard, etc.).
LuxTrust allows the identification of customers not residing in Luxembourg through a notary and a certificate (apostille) in accordance with international regulations in this area, subject to the production of certain documents (i.e., a copy of the identity card or passport of the person concerned, duly authenticated by a notary).
They can be used by any person of legal age who has requested the activation of the certificates at the time of application for their eID, or by minors of at least 15 years of age for whom the activation of the certificate was requested by either a parent with parental authority or by their legal guardian.
Under certain conditions, the CSSF allows (licensed) financial service providers to identify or verify the identity of their customers through video identification (i.e., the performance of the identification or verification of the identity of the customer by a professional of the financial sector under the supervision of the CSSF (the Professional) through an online videoconference).12
Professionals use this process to support and execute certain tasks for the purpose of fulfilling their customer identification and verification of identity obligations as required by the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the 2004 Law).
The Professional has the following possibilities:
- they perform the video identification process themselves using a tool developed internally;
- they perform the video identification process themselves using an external tool acquired from an external provider; or
- they delegate the identification process to an external provider using their own tool.
The video identification needs to be performed by a specifically trained employee, either of the Professional or, if applicable of the external provider.
The video identification or verification of the identity of a customer that is not actually performed by a specifically trained natural person, but where the customer is in contact only with a robot, or where the customer simply uploads (a video with) identity documents online, does not qualify as 'video identification' owing to the absence of a live video chat or real-time interaction between the aforementioned trained natural person and the customer.
Digital markets, payment services and funding
The following laws and regulations apply to collective investment schemes:
- the Luxembourg Law of 17 December 2010 relating to undertakings for collective investment, as amended;
- the Luxembourg Law of 13 February 2007 relating to specialised investment funds as amended;
- the Luxembourg Law of 15 June 2004 relating to the Investment company in risk capital as amended;
- the Luxembourg Law of 12 July 2013 on alternative investment fund managers, as amended;
- the Luxembourg Law of 23 July 2016 on reserved alternative investment funds;
- Regulation (EU) 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse; and
- Regulation (EU) 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories.
Crowdfunding can be regulated, depending on the platform, but there is no specific licence provided under Luxembourg law.
Whether crowd-lending is permitted depends on how it is structured. If the platform or fintech collects the money before distributing it to borrowers, a licence may be required. Peer-to-peer lending between individuals, however, is not specifically regulated. The role of the platform would then need to be assessed to understand what it actually does. If it is essentially a credit broker that is not linked to a specific credit institution, there is no particular regulation other than the potential need to have a business licence.
With regard to consumer lending regulations, the Consumer Code applies.
The legal restrictions on peer-to-peer lending depend on the terms of the loans, among other items.
For restrictions on trading such loans or financings on a secondary market, see the above text regarding lending professionals.
i Forms of debt securitisation
In specific circumstances, the structures in which the securitisation undertaking itself expressly grants loans instead of acquiring them on the secondary market may be regarded as securitisation, provided that the securitisation undertaking does not allocate the funds raised from the public to a credit activity on own account, and that the documentation relating to the issue either clearly defines the assets on which the service and the repayment of the loans granted by the securitisation undertaking will depend, or clearly describes (1) the borrower or borrowers; or (2) the criteria according to which the borrowers will be selected, so that the investors are adequately informed of the risks, including the credit risks and the profitability of their investment at the time securities are issued. In both cases, information on the characteristics of the loans granted must be included in the issue documents.13 The CSSF will assess compliance with these conditions on a case-by-case basis. Moreover, the participants are responsible for ensuring that any other applicable legal provisions are complied with.
ii Impact of the Alternative Investment Fund Managers Law14
Pursuant to the CSSF FAQ on Securitisation, according to the clarifications provided by the European Central Bank in its 'Guidance note on the definitions of 'financial vehicle corporation' and 'securitisation' under the European Central Bank (ECB) Regulation ECB/2008/30', point 4.1, page 3, a securitisation vehicle issuing 'collateralised loan obligations' would meet the definition of the ECB Regulation, so that these vehicles do not qualify as alternative investment funds.15
According to the same Guidance note (points 4.1 and 4.3, pages 3 and 4), securitisation undertakings whose core business is the securitisation of loans that they grant themselves (securitisation undertakings acting as 'first lender') do not meet the definition of the ECB Regulation, and thus cannot benefit from the exclusion. The same applies to securitisation undertakings that issue structured products that primarily offer a synthetic exposure to assets other than loans (non-credit-related assets) and where the credit risk transfer is only ancillary.
Payment services require a licence (see Section II.i.2009 Law).
Pursuant to the Payment Services Directive (PSD) II 'principle of non-discriminatory access to payment systems', credit institutions are required to open up access to account data to third parties at the request of customers and to support both account information and payment initiation services provided by the third-party payment service providers (TPPs).
Cryptocurrencies, initial coin offerings (ICO) and security tokens
For the purpose of specific regulation of blockchain technology, on 14 February 2019,16 a new law was passed by the Luxembourg lawmakers aiming to facilitate the use of distributed ledger technology in financial services. In particular, the law's main goals are to provide more legal certainty and transparency to the financial market participants, and to allow the use of blockchain technology for the transfer of securities.
Neither CSSF (Luxembourg's supervisory authority) nor the country's legislators have come up with any specific legislation related to cryptocurrencies. Thus, there is no legal status of cryptocurrencies yet in place. Nevertheless, both the government and the CSSF are keen to meet with any business intending to operate with cryptocurrencies to discuss the legal possibilities. There are several working groups at the government and CSSF's level continuously working on new legislation to cater for these business models.
Luxembourg does not cater for a clear statutory definition of 'securities', making it difficult to qualify tokens. The term 'securities' is viewed as quite general conceptually, and it entails the notions of both 'valeur mobilière' and of 'instrument financier' ('transferable security' and 'financial instrument', respectively). Depending on the token characteristics, it may or may not qualify as a security.
Based on Luxembourg legal literature, the term 'security' constitutes an application of the materialised rights deriving from a legal act with regard to an issuer and corresponding to specific legal elements that distinguish themselves as being fungible while being allowed to be circulated on the capital markets.17 Thus, the concept of security approaches more the notion of transferable security, a position that has been also supported by the Luxembourg courts. In general, owing to the broad interpretation of both notions of 'financial instrument' and 'transferable security' under Luxembourg law, tokens could fall to any of those categories if they are fungible and transferable, and produce cash flow rights or rights to proceeds and returns.
Money laundering rules always apply to cryptocurrencies and tokens. The 5th Anti-Money Laundering Directive also adds 'providers engaged in exchange services between virtual currencies and fiat currencies' and 'custodian wallet providers' as obliged entities.
In relation to regulated entities in Luxembourg, money laundering rules apply to natural or legal persons trading in goods (only to the extent that payments are made or received in cash in an amount of €10,000 or more, whether the transaction is executed in a single operation or in several operations that appear to be linked). Under these terms, they would fall within the scope of the 2004 Law.
In July 2018, the tax authorities issued a circular clarifying that they treat cryptocurrencies as an asset and not as a currency.18 The same should, in principle, apply to tokens purchased by a Luxembourg taxpayer. This means that the disposal of cryptocurrencies or tokens (including when used as means of payment) may in certain circumstances give rise to capital gains taxation. These assets will also form part of the net wealth tax base. As regards tokens issued by Luxembourg issuers, their features will be analysed to determine whether the tokens should qualify as debt or equity for Luxembourg tax purposes.
Under Luxembourg law, tokens may be offered to local residents from abroad. However, for such a legal action to be approved, it needs to be subject to Luxembourg consumer protection laws as well as money laundering law restrictions, as the case may be. In addition, if tokens were to be considered as securities, additional requirements would apply.
Other new business models
Under Luxembourg law, there are not any specific restrictions regarding the use of self-executing contracts. The following elements need to be met in respect of any contract:
- the consent of the party who binds himself or herself;
- his or her ability to sign the contract;
- a specific purpose or object for contracting; and
- a lawful cause.
Arbitration could be agreed upon in a contract (including a self-executing contract) between parties. However, consumers have the right to go to court and any clause prohibiting consumers from going to court would be considered as abusive under the Consumer Code and would be disapplied.
As far as mediation is concerned, a law of 24 February 2012 amended the Luxembourg Code of Civil Procedure to introduce mediation in civil and commercial matters. Any dispute in civil or commercial matters (with certain limited exceptions) may be settled via mediation, which can either be agreed between the parties or ordered by a court. Any contract may include a clause whereby the parties agree to use mediation to settle a dispute. Finally, the CSSF is competent for receiving complaints from customers of the entities subject to its supervision, and to act as an intermediary in order to seek an out-of-court resolution of these complaints.
Subject to specific legal requirements, a fully automated investment process is permitted.
Regarding third-party websites comparing products or providing information about financial products subject to regulation, data protection or competition rules, there is no particular law or regulation in Luxembourg governing comparison websites, and there is no particular definition of this activity. The specific activity of such a website would have to be considered on a case-by-case basis.
If the activity of the website goes beyond the mere comparison of products and disclosure of information and actually provides advice to potential clients, or puts potential clients in contact with credit institutions or professionals of the financial sector and allows them to purchase financial products or services, a licence may be required under the 1993 Law.
Generally speaking, where such a website is addressed to consumers, requirements of the Consumer Code may have to be complied with. In particular, unfair commercial practices, including in particular deceptive commercial practices (e.g., presenting false information) or aggressive commercial practices are prohibited. Assuming the comparison service is offered in exchange for remuneration, it may fall within the scope of the law of 14 August 2000 on electronic commerce, as amended, and specific information requirements may apply. Finally, under the law of 23 December 2016 on, among other things, misleading and comparative advertisement, as amended, misleading advertisement is prohibited.
As far as competition is concerned, the law of 23 October 2011 on competition, as amended:
- imposes the free determination of the price of goods, products and services based on free competition;
- prohibits agreements between undertakings, decisions by associations of undertakings and concerted practices that prevent, restrict or distort competition and in particular, for instance, those which directly or indirectly fix purchase or selling prices; and
- prohibits abuses of dominant position, but does not include specific provisions for this activity.
Finally, to the extent the website offers a service to data subjects in the European Union and processes their data (e.g., by collecting data), Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) would have to be complied with.
Additionally, the law of 13 June 2017 on payment accounts (implementing directive 2014/92/EU) is articulated around three pillars:
- access to basic payment accounts;
- bank account switching; and
- transparency and comparability of payment account fees.
Intellectual property and data protection
Upon their creation, such business models and related software are automatically protected by copyright.
The company may develop a trademark under which it wishes to sell this product and register such trademark with the European Union Intellectual Property Office.
Once the software is developed, the fintech may also use i-DEPOT operated by the Benelux Office for Intellectual Property (BOIP), as it is a reliable means of proving the existence of an idea at a specific date, before other intellectual property rights, such as trademarks, are acquired.
The fintech will deposit the source code of the program with the BOIP, which keeps the iDEPOT for a period of five to 10 years. However, the iDEPOT does not give rise to an intellectual property right.
Patent protection is not available under the Luxembourg law on patents of 20 July 1992, as amended – software is excluded from patent protection.
Regarding intellectual property rights, unless the provisions of the employment contract are more favourable to the employee, the employer is normally the owner of the developed software or business model. In addition, in principle, no compensation is due.
i Data protection rules
When processing personal data, fintech companies must comply with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); and
- the Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementing the GDPR.
Payment service providers shall only access, process and retain personal data necessary for the provision of their payment services with the explicit consent of the payment service user.
ii Secrecy rules
The members of the administrative, management and supervisory bodies, directors, employees and the other persons working for payment institutions and electronic money institutions must maintain secrecy of the information entrusted to them in the context of their professional activity. The disclosure of any such information is punishable by the sanctions laid down in Article 458 of the Luxembourg Criminal Code.
There are, however, some exceptions to the professional secrecy requirement, among others, where disclosure of information is required by the law or towards entities in charge of the provision of outsourced services.
Natural and legal persons, subject to prudential supervision of the CSSF pursuant to the 1993 Law or established in Luxembourg and subject to the supervision of the ECB or a foreign supervisory authority for the exercise of an activity referred to in the 1993 Law, as well as members of the management body, the directors, the employees and the other persons who work for these natural and legal persons shall maintain secrecy of the information entrusted to them in the context of their professional activity or their mandate. Disclosure of such information shall be punishable by the penalties laid down in Article 458 of the Criminal Code.
There are, however, some exceptions to the professional secrecy requirement, among others, where disclosure of information is required by the law or towards Luxembourg-based persons subject to the supervision of the CSSF, the ECB, or the CAA, and who are subject to a secret obligation that is criminally sanctioned when the information disclosed to these persons is provided within a service contract.
There are special rules regarding profiling, which are detailed in the GDPR. They mainly concern the following data subject's rights:
- the right of being informed of the existence of profiling and the consequences of such profiling;
- the right to object to the processing of his or her personal data for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing; and
- the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her that is based solely on automated processing and that produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.
Year in review
The most relevant developments in the regulation and legal treatment affecting fintechs in Luxembourg are as follows.
i PSD II19
The Law of 20 July 2018 implementing PSD II and amending the 2009 Law, which offers equivalent operating conditions to exiting (credit institutions) and new players (TPPs) and submits them to transparency and information requirements.
ii Anti-Money Laundering Directive IV20
Changes to the Anti-Money Laundering Directive IV, include:
- the Law of 13 February 2018, transposing the provisions on the professional obligations and the powers of the supervisory authorities as regards the fight against money laundering and terrorist financing and amending the 2004 Law; and
- the Law of 13 January 2019, establishing a register of beneficial owners.
iii Circulation of securities
The Law of 1 March 2019 on the circulation of securities extends the scope of the Law of 1 August 2001 on the circulation of securities to allow account holders to book and transfer securities through secure electronic recording devices, including distributed electronic registers or databases such as blockchain.
Upcoming EU regulations implementation
The AMLD V21
One of the purposes of the AMLD V is to tackle the anonymity of virtual currencies, which may be subject to potential misuse for criminal purposes.
That is why the AMLD V now includes 'providers engaged in exchange services between virtual currencies'22 as well as 'custodian wallet providers'23 in the list of supervised entities subject to AMLD IV requirements.
AMLD V provisions are currently in the process of implementation in Luxembourg (Draft Bill No. 7467 amending the 2004 Law).
The eIDAS Regulation24
The aims of the eIDAS Regulation are:
- to provide a legal framework for secure cross-border electronic transactions; and
- to create an internal market for electronic trust services.
eIDAS Regulation provisions are being currently in the process of implementation in Luxembourg (Draft Bill No. 7427 amending the Luxembourg Law of 14 August 2000 on electronic commerce, as amended).
Outlook and conclusions
We expect Luxembourg to continue to attract fintechs and allow them to take advantage of Luxembourg's highly developed financial ecosystem, and the presence of leading industry players in e-commerce and e-payments, such as PayPal, Amazon and Rakuten or the first EU-licensed crypto-firm, Bitstamp. Luxembourg has also boosted its attractiveness to fintechs by providing a cloud-friendly framework and having the highest density of TIER4 data centres in Europe.
It is to be expected that after the legislator's recognition of blockchain technology, the next legislative moves will concern tokenisation (whether based on European positions or not) and the structures issuing or using tokens.
1 Anne-Marie Nicolas is a partner, Álvaro Garrido Mesa is a senior associate and Sandy Brumberg is a professional support lawyer at Loyens & Loeff Luxembourg Sàrl.
2 2015 CSSF Annual Report, p.81.
3 MiFID II refers to Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU.
4 Artificial Intelligence, CSSF White Paper, Opportunities, Risks and recommendations for the financial sector, December 2018. This document intends to provide some basic knowledge about artificial intelligence (AI) and describes the different types of AI and some practical use cases for the financial sector. Furthermore, the study covers the analysis of the main risks associated with AI technology and provides some key recommendations to take into account when implementing AI inside a business process.
5 CSSF Questions and Answers on how to obtain authorisation as PFS, as updated on 24 October 2018, Item 24 Which PFS can hold a 'European passport' and which services fall under this regime?, p.11.
6 Article 30(2) of the 1993 Law.
7 Article 31 of the 1993 Law.
8 Article 32(1) of the 1993 Law.
9 Article 32(5) of the 1993 Law.
10 Article 32(1) of the 1993 Law.
11 Regulation (EU) No. 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No. 648/2012.
12 CSSF Frequently asked questions on AML/CTF and IT requirements for specific customer on-boarding/KYC methods, version of 8 March 2018.
13 CSSF FAQ on Securitisation, What are the various possible forms of debt securitisation?, p.7.
14 AIFM Law means the Luxembourg law of 12 July 2013 on alternative investment fund managers.
15 CSSF FAQ on Securitisation, 19. What is the impact of the law of 12 July 2013 on alternative investment fund managers (the AIFM Law) on the securitisation undertakings within the meaning of the 2004 Law?, p.14.
16 Loi du 1er mars 2019 portant modification de la loi modifiée du 1er août 2001 concernant la circulation. de titres.
17 Cf. Y Prussen, 'Le régime des titres et instruments fongibles', Droit bancaire et financier, ALJB, 2004, pp.1287–1318; S Conin, J Schaffner, 'Les titres et instruments financiers innommés : aspects juridiques et fiscaux', Droit bancaire et financier, ALJB, 2004, pp.1411-1465; M Brouillet-Mc Sorley, L-C Van Burik, 'Le cadre juridique des systèmes de règlement des opérations sur titres en droit luxembourgeois', Droit bancaire et financier, ALJB, 2004, pp.1377–1409; P Mousel, F Fayot, 'La circulation des titres', Droit bancaire et financier, ALJB, 2004, pp.1319–1376.
18 Circulaire du directeur des contributions L.I.R. No. 14/5–99/3–99 bis/3 du 26 juillet 2018.
19 PSD II: Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.
20 AMLD IV means Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.
21 AMLD V means Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.
22 'Virtual currencies' means a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.
23 'Custodian wallet provider' means an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.
24 eIDAS Regulation means Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.