The Financial Technology Law Review: Netherlands
The Netherlands has a strong presence in the global fintech ecosystem and is ranked sixth in the Global Fintech Index City Rankings 2020. At present, a growing number of companies and service providers are active in this sector. Factors like a strong and stable financial sector, striking adoption rate in innovative technology and rapidly growing tech start-ups make the Netherlands an ideal hub for fintech companies.
This appeal is further enhanced by the Dutch tax regime. It includes a broad exemption for dividend income, and in many instances an exemption from withholding taxes on dividends, interest and royalty payments can be obtained. A 15 per cent corporation tax rate applies to companies realising a limited taxable profit of up to €245,000, a threshold increased to €395,000 as of 2022 (the headline rate is 25 per cent). The Netherlands further stimulates innovation with an innovation box regime, which in essence applies a tax rate of 9 per cent to certain profits realised by R&D activities. Wage tax benefits can apply to reduce R&D labour costs, which benefits the employer. Employees relocating to the Netherlands may also benefit from a reduction in their effective income tax burden, subject to certain conditions.
The regulatory approach to fintech in the Netherlands can be described as encouraging and fintech-friendly. Similar to adjacent jurisdictions, the Netherlands has a twin peaks supervision model. This model focuses on conduct of business supervision on the one hand and system supervision and prudential supervision on the other hand. Whereas the Dutch Central Bank (DCB) is the competent regulator for system and prudential matters (unless it concerns banks in which case the European Central Bank is involved), the Netherlands Authority for the Financial Markets (AFM) is the competent regulator responsible for the conduct of business supervision.
Both supervisors are well aware of the opportunities, but also the risks, that come with new technological developments. They assist market players in applying the existing regulatory framework to new services and products and flag gaps that may require further amendment of such a framework by the Dutch legislator. This leads to an environment in which fintech players and solutions can thrive, although the supervisors sometimes struggle with the (lack of) ability to apply the applicable rules proportionally.
i Licensing of fintech companies
In the absence of a specific fintech licence in the Netherlands, it should be assessed whether fintech companies fall within scope of the existing legal framework that aims to regulate the provision of traditional financial services. The Netherlands does not have one act that includes all rules relating to fintech businesses. However, the Dutch Act on Financial Supervision (AFS) and its further regulations are considered the main statute when it comes to financial regulatory laws in the Netherlands. Many of the rules contained in the AFS implement the European directives, such as Payment Services Directive (PSD) II, Electronic Money Services Directive II, Markets in Financial Instruments Directive (MiFID) II, Undertakings for Collective Investments in Transferable Securities (UCITS) V and Alternative Investment Fund Managers Directive (AIFMD). Whether a fintech company falls within scope of such framework depends on the exact activities. One example is a crypto-exchange on which trading can take place in Bitcoin futures. Such futures qualify as financial instruments, as a result of which the exchange in principle requires a licence as an investment firm for operating a trading venue. If only cryptocurrencies can be traded on the crypto-exchange that do not qualify as financial instruments, the exchange falls (currently) in principle outside the scope of regulation. Besides the assessment whether or not a licence obligation applies, it should independently be ascertained whether or not ancillary obligations (such as anti-money laundering or sanction law obligations) apply regardless of being obliged or being exempt from a licence.
Further developments are expected in the regulation of fintech companies, of which we would like to highlight two. As part of the European Digital Finance package, which aims to enable and support the potential of digital finance in terms of innovation and competition, on 24 September 2020 the European Commission published a proposal for a Regulation on Markets in Cryptoassets (MiCA).2 In the draft regulation, the term 'cryptoasset' is defined very broadly as 'a digital representation of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology'. However, it seeks to avoid regulatory overlap by carving out cryptoassets that are already within the scope of other European Union (EU) legislation (with the exception of e-money tokens). In relation to in-scope cryptoassets, the draft regulation covers, among others, transparency and disclosure requirements for the issuance and admission to trading of cryptoassets and the regulation of cryptoasset service providers and issuers of asset-referenced tokens3 and e-money tokens. Cryptoasset services, such as custodian services, trading, exchange, brokerage services or advice, may only be provided by legal entities that have their registered seat in an EU Member State and that have obtained prior authorisation from the national competent authority. Cryptoasset service providers can subsequently use such authorisation as a European passport. Furthermore, the draft regulation introduces an authorisation regime for issuers of asset-referenced tokens (which may alternatively be authorised as a credit institution), while issuers of e-money tokens have to be authorised as an e-money institution or a credit institution. The regulation is expected to enter into force by 2023.
A second proposal from the European Commission under the Digital Finance Package is the Regulation on a pilot regime for market infrastructures based on distributed ledger technology.4 This Regulation lays down requirements on multilateral trading facilities and securities settlement systems using distributed ledger technology in respect of their market infrastructure.
ii Marketing of fintech products and services
There are no specific marketing rules for fintech products and services. Whether or not fintech companies are subject to marketing rules depends on the qualification of the products and services they offer as regulated financial products and services. In general, financial undertakings have to ensure that any information regarding their products and services is clear, correct and not misleading. Furthermore, sector-specific rules may apply to pre-contractual information and marketing material. For marketing materials of certain investment funds, it is, for example, mandatory to include a risk warning, and the way in which forward-looking statements may be presented to clients is prescribed.
iii (Semi-)automated digital advice
The provision of (semi-)automated digital advice or 'robo-advice' may be subject to a licence obligation as (1) a financial adviser on the basis of Section 2:75 AFS where it concerns advice to consumers (or clients where it concerns insurance products) on financial products, or (2) an investment firm under the Dutch implementation of MiFID II (Directive 2014/65/EU), if advice is provided to clients on financial instruments. The AFM has published guidance on the provision of robo-advice on financial products.5 According to the AFM, robo-advice can improve the accessibility and quality of advice on products in non-complex customer situations. In respect of more complex situations or when integral advice is required on the financial situation of a customer, the AFM still sees added value in physical advice. The AFM also published guidance on the duty of care in case of (semi-)automated asset management.6
iv Credit (information) services
Fintech companies that provide credit (information) services, such as offerors of credit comparison websites or platforms facilitating split payments, may be subject to a licence obligation as a credit intermediary on the basis of Section 2:80 AFS. The performance of intermediary services is broadly defined and covers both activities aimed at the conclusion of a credit agreement between a credit offeror and a consumer and assistance in the servicing of such credit agreement. In its guidance on when companies are considered to be intermediaries, the AFM makes the distinction between intermediaries and lead generators.7 The latter solely receives and passes on the consumer's name, address, telephone number and email address to the credit offeror, and is as such not involved in the conclusion of the credit agreement. If a fintech company provides more information to the credit offeror than the name and address details, for instance information on the desired credit amount, the licence plate of the car which the consumer will buy or details on the financial situation of the consumer, the fintech company will likely be regarded as a credit intermediary.
v Cross-border issues
In general, Dutch licence requirements apply to fintech companies that offer regulated products and services 'in or from the Netherlands'. As a result of this geographical scope, companies with their registered seat in another EU Member State or a third country that provide services (to clients) in the Netherlands may come in scope of the Dutch regulatory framework.
A licensed company with its registered seat in another EU Member State can be active in the Netherlands without triggering additional licence requirements in the Netherlands if it can make use of a European passport. Generally, to make use of the European passport, the licensed company has to inform its home state regulator on its intention to provide cross-border services to the Netherlands or to open a branch office in the Netherlands. Examples of services for which a European passport is available are investment services, banking services, payment services, insurance distribution and fund management services. However, if, for example, a credit agreement is concluded with a Dutch consumer by a credit offeror that is not a bank and with its registered seat outside the Netherlands, this in principle requires a local licence in the Netherlands.
Third-country fintech companies seeking to be active in the Netherlands are generally subject to licensing requirements, unless a specific exemption applies. Whether or not it is relevant that services or products are actively marketed to Dutch clients depends on the type of service or product provided. Under the AIFMD (Directive 2011/61/EU) and MiFID II, a licence requirement is triggered if Dutch clients are actively targeted by the third-country fintech company. If Dutch clients (under MiFID II) or professional investors (under the AIFMD) are accepted on the basis of reverse solicitation, this will generally not trigger Dutch licence requirements.
Digital identity and onboarding
i Digital identity
There are a number of private enterprises offering various forms of digital identity. One of the more broadly recognised and used methods is 'DigiD' (Digital Identity), which is issued by the Dutch State and was originally intended to be used for communication with the government. However, DigiD is now also used by other (private) parties. DigiD is accessible to all residents in the Netherlands having a social security number and persons living abroad with a Dutch nationality. 'eHerkenning' is another form of digital identity whereby entrepreneurs and companies can identify themselves online and exchange confidential data securely with (government) organisations (including, inter alia, the Dutch Tax and Income Administration). eHerkenning is used in the business, consumer and government domain up to the highest level of reliability.
The Dutch government is currently working on new legislation (which is in the final stages): the e-Government Act,8 which aims to create a basis which enables further digitalisation and generic digital facilities in a communal infrastructure of the government. To realise this objective, the Dutch government aims to introduce an electronic identification medium known as eID (electronic identification), which will also meet the strict security measures as stipulated under the European eIDAS Regulation.9 The act also makes open standards mandatory. The e-Government Act will become mandatory for the Dutch government, as well as for various industries regulated by the government (e.g., healthcare providers). The new legislation is currently under review by the Dutch Senate, and is expected to enter into force in phases in 2021. However, the legislative process is facing delays and therefore an exact date is not available.
In addition, in 2016 Dutch banks developed an identification and login service together with the Dutch Payment Association (iDIN). With the use of iDIN, retail account holders can identify themselves online and login at participating organisations (iDIN-acceptants). iDIN meets the requirements under the eIDAS Regulation and the General Data Protection Regulation (GDPR). However, so far iDIN has not yet been widely adopted in the market.
The AFM and DCB qualify the situation in which the client is not physically present for verification of its identity, without extra guarantees such as qualified electronic signatures, as high-risk. The AFM acknowledges that identification can take place from a distance by means of innovative technologies.10 It refers in that respect to the opinion of the European Supervisory Authorities (ESAs) in relation to the use of innovative solutions by financial undertakings in the customer due diligence process.11
In this opinion, the ESAs discuss that innovative solutions often involve non-face-to-face verification of customers' identity on the basis of traditional identity documents through various portable devices such as smartphones or the verification of customers' identity through other means, for example, central identity documentation repositories (often referred to as 'KYC utilities'). The ESAs encourage competent authorities to support those developments while also discussing the risks attached to these innovative solutions. In order to mitigate these risks, they note for example the possibilities to add a physical element in digitised onboarding of clients, such as a live chat solution, biometric facial recognition by means of a webcam or the use of software that can detect images that are or have been tampered with (e.g., facial morphing). If the services are offered without any physical interaction, financial undertakings should be aware of the higher risks that are attached to this manner of onboarding (e.g., identity fraud, the risk that the customer is intimidated, threatened or under duress). Financial undertakings could, for example, make use of a qualified electronic signature in line with the eIDAS Regulation, confirm the identity of a client by sending a letter to the customer's verified home address, make use of voice-analysing software or combine different means of identification.12
Digital markets, payment services and funding
i Collective investment schemes
Collective investment schemes may be subject to the Dutch implementation of the AIFMD or UCITS V (Directive 2009/65/EU, as amended by Directive 2014/91/EU). Under the Dutch implementation of the AIFMD, it is required to obtain a licence when:
- managing a Dutch alternative investment fund (AIF);
- marketing units in an AIF in the Netherlands; or
- for Dutch managers, when managing AIFs or marketing units in AIFs.
For Dutch managers, it is possible to register pursuant to the 'small managers registration regime' as a result of which no licence has to be obtained. Dutch managers can register pursuant to this regime provided that the assets under management do not exceed certain thresholds and certain marketing restrictions are taken into account (e.g., the units are only marketed to professional investors within the meaning of Section 1:1 AFS).
Crowdfunding and crowd-lending (also referred to as investment-based and loan-based crowdfunding) are both seen as important new funding means in the Netherlands. With loan-based crowdfunding, the project owner enters into a loan agreement with the crowdfunder or the crowdfunding platform. In the case of investment-based crowdfunding, the project owner issues either equity or debt instruments to the crowdfunder or crowdfunding platform.
There is no specific crowdfunding framework in the Netherlands. Instead, existing regimes – for example, for the provision of investment services or the offering of consumer credit – have been tailored to the use of such regimes for crowdfunding platforms. However, this changes when the European Crowdfunding Regulation becomes applicable on 10 November 2021.13 In short, this regulation shall apply to crowdfunding services provided to non-consumer project owners in an amount up to €5 million (calculated per 12 months per project owner). In this respect, crowdfunding services refers to the matching of business funding interests of investors and project owners through the use of a crowdfunding platform, while facilitating the granting of loans or placing of transferable securities and admitted instruments for crowdfunding purposes (without a firm commitment) and the receipt and transmission of orders in such instruments. A prospective crowdfunding platform in the Netherlands will need to request authorisation from the AFM. Further to notification, the crowdfunding service provider can also provide services in other EU Member States. The European Securities and Markets Authority (ESMA) shall maintain a register of crowdfunding service providers.
Other licensing or registration obligations may, however, still be triggered once the new regime becomes applicable. In respect of investment-based crowdfunding, whereby the crowdfunding platform facilitates crowdfunding offers with a consideration of more than €5 million, the platform requires a licence as an investment firm from the AFM. For example, crowdfunding platforms that are used for the provision of loans to consumers must obtain a licence for the offering of credit pursuant to Section 2:60 AFS, or alternatively, a banking licence pursuant to Section 2:11 AFS if the crowdfunding platform itself attracts repayable funds from the public.
iii Payment services
The provision of payment services is regulated by the Dutch implementation of PSD II (Directive (EU) 2015/2366). Providers of payment services in the Netherlands require a licence from the Dutch Central Bank pursuant to Section 2:3a AFS, unless they operate on the basis of an EU passport. In addition, banks and electronic money institutions may provide payment services in the Netherlands on the basis of their licence without obtaining an additional licence. PSD II was implemented in the Netherlands on 19 February 2019.14 As part of the Dutch implementation of PSD II, banks have to cooperate when a user of an online bank account wants to provide third-party providers with access to such bank accounts.15
Cryptocurrencies, initial coin offerings (ICO) and security tokens
i Regulation of cryptocurrencies
Because cryptocurrencies do not qualify as a legal currency or electronic money and in the absence of a specific legal framework for cryptocurrencies at the level of the EU and the Netherlands, the current viewpoint is that cryptocurrencies (i.e., cryptoassets without an issuer) do not fall within the scope of Dutch financial regulation. This may be different for instruments or contracts that have cryptocurrencies as their underlying value, such as the Bitcoin future that qualifies as a financial instrument. Furthermore, this may change if MiCA should be adopted, introducing a regulatory regime for cryptoassets (see Section II.i).
ii Regulation of tokens
Dependent on the characteristics, tokens may qualify as securities or another type of financial instrument, such as a unit in an investment fund or a derivative instrument. A case-by-case assessment needs to be made taking into account the specifics of the token at hand.
A utility token, which is structured as a prepaid right to receive a service or good from the issuer of the token, typically falls outside the scope of supervision. On the other hand, a security token may qualify as a security, for instance in case of a profit-sharing right.16 A security is defined in Section 1:1 of the AFS, inter alia, as a transferable share, or other similar transferable instrument, or a transferable bond or other transferable debt instrument. The Dutch supervisors have suggested bringing the Dutch law definition of 'security' more in line with the definition of security at the European level, which would make it broader. However, this suggestion may no longer be relevant if the utility token falls within the scope of the regulatory regime to be introduced by MiCA.
iii Money-laundering rules for cryptocurrencies and tokens
Under the current anti-money laundering legislation, certain financial institutions are subject to client due diligence controls. Fintech companies that do not provide regulated services or products do not typically fall within the scope of such legislation, with the exception of virtual currency exchange platforms and custodian wallet providers. As of 21 May 2020,17 a registration obligation was introduced in the Netherlands for these crypto service providers that has features of a licence regime. Consequently, virtual currency exchange platforms will have to comply with certain registration requirements and apply customer due diligence controls each time virtual and fiat currencies are exchanged, which effectively puts an end to the anonymity of virtual currency users. The same client due diligence controls apply to custodian wallet providers.
iv Marketing of cryptocurrencies and tokens
Depending on the qualification of cryptocurrencies and tokens, specific marketing rules may apply. The offering of securities to the public in the Netherlands is, for example, prohibited, unless an approved prospectus is made generally available or unless an exemption applies. General consumer and investor protection regulations may apply independent of the qualification of the token or cryptocurrency as a regulated financial product. These regulations provide that the offeror of the tokens or cryptocurrencies should properly inform investors in the token offering or initial coin offering (ICO) to enable them to make an adequate assessment of the investment; for instance, by issuing a white paper that does not only highlight the advantages of the offering but also potential risks and downsides.
v Tax treatment of cryptocurrencies and tokens
In the Netherlands, as in most jurisdictions, there are no specific tax laws on the taxation of cryptocurrencies. The tax treatment is based on general principles and guidance issued by the Dutch Tax Authorities.
For Dutch tax purposes, cryptocurrencies are not formally treated as money or liquid assets, but as (current) assets.18 As a corporate entity is deemed to carry out its business with all its assets, cryptocurrencies are deemed part of the business enterprise of the corporate entity (irrespective of the business it operates). This means that realised gains are taxed and losses are tax deductible. Cryptocurrencies on the balance sheet are valued at cost price or lower market value. If a corporate entity receives payments in cryptocurrency, these have to be converted to euros (or another functional currency if applicable).
No specific rules exist for the Dutch tax treatment of tokens. This means that the existing tax law framework has to be applied to tokens. In general, it can be expected that payments for utility tokens will be deemed as advance payments that do not have to be reported as taxable profit yet. Security tokens are generally qualified as equity or debt, depending on the characteristics of the token.
It can generally be stated that, if a token contains a repayment obligation, it could be considered as debt for corporate law purposes. However, Dutch tax law may still qualify such debt instruments as equity for Dutch tax purposes. Dutch Supreme Court case law19 dictates three specific situations in which a repayment obligation formally exists, but is ignored for tax purposes. Most notably, this is the situation if a debt instrument has a profit-dependent interest rate, has a term of over 50 years and is junior to other debt. The other two situations are the sham loan (equity is actually intended) and the bottomless pit loan (it is immediately apparent that no repayment will ever take place). In such situations, Dutch tax law requalifies such corporate law debt instruments to equity. One of the key differences between debt and equity for Dutch tax purposes is that interest payments are generally tax deductible for the payor and taxable at the hands of the payee. Conversely, dividend payments are not tax deductible for the payor, nor is dividend income usually taxed (depending on certain conditions). Another key difference is that dividend payments are in principle subject to Dutch dividend withholding tax, although in various cases exemptions may apply.
Other new business models
i Self-executing contracts
Under Dutch law, it is possible to conclude self-executing contracts or 'smart contracts'. There is no specific legal framework applicable to smart contracts. A smart contract can be seen as a computerised algorithm that automatically performs the terms of the contract. Smart contracts typically have the characteristics that execution is automated and performance is ensured without recourse to legal remedies. An example in the financial sector is a smart contract for a flood insurance policy, whereby insurance claims are paid out automatically if the policy is triggered on the basis of a linked data set. Smart contracts are not suitable for all types of agreements, as it may be difficult to convert the contractual agreements into computer code that follows the logic of 'if A then B'. The AFM and DCB encourage financial institutions, including fintech companies, to consider the responsible use and application of artificial intelligence in processes and have issued discussion papers setting out key considerations on technical characteristics and organisational conditions.20
ii Third-party comparison websites
Third-party comparison websites that compare regulated financial products or services may be subject to a licence obligation as an intermediary (see Section II.iv). If personal data of interested customers is processed, then the third-party comparison website has to comply with the GDPR21 and the Dutch GDPR Implementation Act.22 In general, third-party comparison websites must check the information of offerors of regulated products to ensure that it is complete and reliable. The Netherlands Authority for Consumers & Markets takes the view that price transparency rules also apply to third-party comparison websites.23
iii Tokenisation of assets
Asset tokenisation involves the issuance of traditional asset classes in tokenised form or the digital representation of real assets by applying distributed ledger technology (DLT) and smart contracts.24 The tokenisation of assets has evolved into one of the most prominent and perhaps promising use cases of DLT in the financial sector. Examples include tokenisation of securities (e.g., shares and bonds), commodities (e.g., gold) and other non-financial assets (e.g., real estate). Asset tokenisation may potentially have a disruptive effect on trading, liquidity, pricing, clearing and settlement. However, the large-scale adoption of asset tokenisation is not in sight yet, as it would face governance-related risks, such as AML/CTF risks and data protection and privacy issues, and may also face technological challenges such as scalability. Although it can be argued that tokenisation merely replaces one technology (electronic book-entries in securities registries) with another (DLT-enabled networks) while providing huge benefits, the absence of a uniform regulatory treatment of tokenisation and an international law approach hinders a fast adoption.
Intellectual property and data protection
i Data protection
Fintech companies need to adequately protect their (client) data. In the Netherlands, rules in this regard are laid down in various laws and regulations. This includes the General Data Protection Regulation (GDPR)25 and the Dutch GDPR Implementation Act26, the Protection of Business Secrets Act (PBSA)27 and the Law to Protect Networks and Information Systems (LPNIS),28 as further described below. Depending on the type of fintech company and the types of data it processes, additional requirements may follow from sector specific legislation, including PSD2 (e.g., consent requirements) and MiFID II (e.g., data retention requirements).
The GDPR and GDPR Implementation Act aim to protect the privacy of individuals and lay down rules relating to the processing of their personal data. Personal data is broadly defined under the GDPR and includes any information relating to an identified or identifiable natural person (also named 'data subject').29 Examples of personal data relevant for the fintech sector are, inter alia, names, contact details, bank account numbers, identification documents, (electronic) signatures and credit information relating to individuals, including information relating to private clients, directors, ultimate beneficial owners (UBOs) and representatives of a company. The GDPR contains specific (more strict) rules for the processing of 'special categories' of personal data, including biometric data.30 Fintech companies falling under the scope of the GDPR need to process personal data lawfully and fairly and need to comply with obligations regarding transparency, security, data breach notifications and confidentiality. The GDPR furthermore prescribes that personal data needs to be collected and processed for specified, explicit and legitimate purposes. This means, for instance, that customer due diligence activities must be based on a statutory data processing ground and must be proportionate to its aim. Profiling31 as such is not regulated under the GDPR or Dutch GDPR Implementation Act, but the GDPR does grant data subjects the right not to be subject to any automated individual decision-making without any human involvement. When implementing new fintech business models or software solutions that involve the processing of personal data, companies need to comply with the principles of privacy by design and privacy by default.
The PBSA provides companies with a tool to protect their confidential know-how and other business information. This can include any type of information, including client data and algorithms used in fintech business models. The information must be secret, must have a commercial value and must be adequately protected to qualify as a business secret (and thereby fall under the scope of this Act).
The LPNIS applies to digital service providers, including fintech companies, that provide essential services (such as banking services or the provision of a financial markets infrastructure) and that have at least 50 employees or generate a revenue of at least €10 million. The LPNIS requires such providers to implement measures that decrease the likelihood of cybersecurity incidents taking place. These measures should also keep the negative consequences to a minimum if a cybersecurity incident were to occur. The LPNIS also requires companies to report serious incidents to the Computer Emergency Response Team (CERT) of the Dutch Ministry of Justice and Safety.
ii Intellectual property rights
Several types of intellectual property rights may play a role when it comes to protecting fintech business models and related software. One important kind of intellectual property right is copyright protection. In certain cases, patent protection may be available as well. When a business model is not eligible for copyright or patent protection, the PBSA may under certain circumstances provide some protection for such a business model.
When it comes to copyright protection, the Dutch Copyright Act (DCA)32 requires that a work has an 'original character' and 'bears the personal mark of the author'. This is, in essence, the same criterion as the criterion developed by the European Court of Justice in the Infopaq judgment (16 July 2009): a work must be one's 'own intellectual creation'. A basic principle under the DCA is that mere 'ideas' do not qualify for copyright protection as such. Ideas need to be worked out in detail to become copyright protected. If a certain work has sufficient originality, it is automatically protected by the DCA. There are no registration formalities in the Netherlands for copyright protection.
With respect to software, the DCA explicitly provides that software and preparatory materials for software are eligible for copyright protection. The copyright protection of software programs applies to the expression (in any form) of a computer program (inter alia, source and object code). In line with the aforementioned basic principle, ideas and principles that underlie elements of a computer program, or ideas that underlie interfaces, are not copyright protected. This means that financial company A and financial company B can have, in essence, the same software solution in place, while both solutions have been programmed in a different manner (have a different source code), by different persons (but with the same underlying ideas).
While it is relatively easy to qualify for copyright protection, qualifying for patent protection is a different – and more complex – story. Software as such (the program 'stand-alone' or 'as such') cannot be protected by a patent in the Netherlands (nor in the European Union). If the software has a certain 'technical effect' – when it is for instance implemented in hardware and directs or determines a certain movement of such hardware – it may be eligible for patent protection as part of the technical solution as a whole. The threshold for obtaining patent protection is, however, still rather high and the process of obtaining patent protection is time-consuming. During the application process, it will be assessed whether the technical solution is 'new' and contains a sufficient inventive step as compared to existing solutions.
The copyrights to certain software programs are automatically attributed to the employer if an employee develops the software in the course of his or her employment. The same more or less applies to patentable inventions made by an employee in the course of his or her employment. It is possible for the employee and employer to make other contractual arrangements, thereby deviating from the starting point that the intellectual property rights created by the employee during his or her employment vest in the employer.
Financial companies that hire independent contractors for developing fintech business models or software should arrange for the transfer of the copyrights and other intellectual property rights that come into existence during or after the development by written contract. Otherwise, the independent contractor will be, for instance, the owner of the copyrights.
Where certain business methods or certain know-how that is kept confidential is not eligible for copyright or patent protection, then such information could be eligible for trade secret protection under the PBSA, provided that the requirements set out in Section VII.i are met.
Year in review
The year 2020 and the beginning of 2021 can be characterised by a further development of the regulation and legal treatment of fintech in both Europe and the Netherlands. With the implementation of the Fifth Anti-Money Laundering regime, a registration requirement is introduced for virtual currency platforms and virtual wallet providers in the Netherlands.
At European level, a new European regime for crowdfunding service providers has been adopted, which introduces a single EU regime for crowdfunding service providers, thereby largely removing diverging national rules within the EU. With the Digital Finance Package, the European Commission has shown its ambitions in bringing its digital finance strategy forward and it simultaneously introduces legislative proposals on cryptoassets (MiCA) and the use of distributed ledger technology for market infrastructure. MiCA has the ambition of setting up a true EU framework in respect of cryptoassets, as ESMA and the European Banking Authority (EBA) are tasked with administering MiCA.
From a more commercial perspective, the attitude of 'wait and see' of the Dutch legislator and supervisors and the ability to have open conversations with them, together with macro-economic developments like Brexit, have made the Netherlands an appealing jurisdiction for new market players to set up their operations. Accordingly, we have seen a large increase in the number of regulated companies that are active in the Netherlands.
Outlook and conclusions
Based on the fast pace at which the regulatory framework and the AFM and DCB are adapting to fintech solutions and players, and boosted by Brexit developments, it may be expected that the future will be characterised by further integration of fintech in the Dutch financial markets. Not only do we expect a further development and maturation in the products and services that are offered by incumbents and start-ups, but also in the outsourcing of certain back-office functions (such as compliance, anti-money laundering/KYC and transaction reporting) to specialised IT providers. For 2021 and 2022, we expect further growth in payment solutions, tokenisation and more clarity on the regulation of cryptoassets.
1 Martijn Schoonewille is a partner and Wendy Pronk, Yannick Geryszewski, Pepijn Pinkse and Joanne Zaaijer are senior associates at Loyens & Loeff NV.
2 Proposal for a Regulation of the European Parliament and of the Council on Markets in Cryptoassets, and amending Directive 2019/1937, COM(2020) 593 final, 24 September 2020.
3 'Asset-referenced token' refers to a type of cryptoasset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several cryptoassets, or a combination of such assets.
4 Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on distributed ledger technology, COM(2020) 594 final, 24 September 2020.
5 AFM, 'Visie op robo-advies: kansen, zorgplicht en aandachtspunten', 15 March 2018.
6 AFM, 'Leidraad invulling van de zorgplicht bij (semi)automatisch vermogensbeheer', 15 March 2018.
7 AFM, 'Publicatie bemiddelen', September 2014.
8 Kamerstukken I, 2019-2020, 34972, nr. A.
9 Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
10 AFM, Leidraad Wwft en Sanctiewet, 19 October 2020, pp. 26–27; DCB, Leidraad Wwft en Sw, versie December 2020.
11 ESA Opinion on the use of innovative solutions by credit and financial institutions in the customer due diligence process, 23 January 2018, JC 2017/81.
12 E van Praag and T van den Berg, 'Roboadvies: de robot de (menselijke) maat genomen', TFRiP 2018(5), pp. 50–51. TWG de Wit, 'Fintech & Wwft', TvC April 2018, pp. 125–132. JS van der Graaf, 'De toepassing van technologie in het klantacceptatie- en transactiemonitoringsproces ter bestrijding van financieel-economische criminaliteit', Jaarboek Compliance 2018, pp. 305–313.
13 Regulation (EU) No. 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937.
14 Stb. 2019, 60, as amended by Stb. 2019, 114.
15 Accidentally, this obligation did not enter into force on 19 February 2019. This has been repaired by the amendment of the decree mentioned in footnote 13.
16 AFM and DCB, 'Cryptos. Recommendations for a regulatory framework', December 2018. AFM, 'Initial Coin Offerings (ICO's): grote risico's.', via: http://www.afm.nl/nl-nl/professionals/onderwerpen/ico.
17 In respect of the crypto service providers who submitted an application for registration prior to 18 May 2020, a six-month transitional regime was applicable, which entailed that activities could be continued until successful completion of the registration.
18 Letter of the State Secretary of Finance published on 28 May 2018.
19 Supreme Court, 27 January 1988, ECLI:NL:HR:1988:ZC3744.
20 See among others: AFM and DCB, Artificial intelligence in the insurance sector, December 2019; DNB, General principles for the use of Artificial Intelligence in the financial sector, July 2019.
21 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
22 Law of 16 May 2018, laying down rules for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (PbEU 2016, L 119) (Implementing Act General Data Protection Regulation).
23 ACM, 'Vergelijkingssites financiële producten.', February 2012.
24 OECD (2020), The Tokenisation of Assets and Potential Implications for Financial Markets, OECD Blockchain Policy Series, http://www.oecd.org/finance/The-Tokenisation-of-Assets-and-Potential-Implications-for-Financial-Markets.htm.
25 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
26 Law of 16 May 2018, laying down rules for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Dutch GDPR Implementation Act) (PbEU 2016, L 119).
27 Law of 17 October 2018, laying down rules for implementing Directive 2016/943/EU of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against unauthorised acquisition, use and disclosure making them (PbEU 2016, L157) (Trade Secrets Protection Act).
28 Law of 17 October 2018, laying down rules for the implementation of Directive (EU) 2016/1148 (Network and Information Systems Security Act).
29 Data relating to legal entities and deceased individuals do not fall within the scope of the GDPR or the GDPR Implementation Act (see also recital 27 GDPR).
30 Article 9 GDPR: special (sensitive) categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data, data concerning health, sex life and sexual orientation. The General Data Protection Regulation (Implementation) Act (UAVG) furthermore prohibits the processing of a personal identification number, unless such processing is specifically allowed or required under applicable Dutch laws.
31 Profiling is defined under the GDPR in Article 4 under (4), as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
32 Law of 23 September 1912, among others laying down rules for implementing EU Software Directive (2009/24/EG).