The Financial Technology Law Review: Netherlands
The Netherlands has a strong presence in the fintech ecosystem. At present, a large number of companies and service providers are active in this sector. In fact, factors like a strong and stable financial sector, striking adoption rate in innovative technology and rapidly growing tech start-ups make the Netherlands an ideal hub for fintech companies.
This appeal is further enhanced by the Dutch tax regime. It includes a broad exemption for dividend income and absence of withholding taxes on interest and royalty payments. For companies realising a limited taxable profit (up to €200,000), a reduced corporate tax rate applies of 20 per cent, which will be gradually lowered to 15 per cent in 2021 (the headline rate is 25 per cent, reduced to 20.5 per cent in 2021). The Netherlands further stimulates innovation with a innovation box regime, which in essence applies a tax rate of 7 per cent to certain profits realised by R&D activities. Wage tax benefits can apply to reduce R&D labour costs, which benefits the employer. Employees relocating to the Netherlands may also benefit from a reduction in their effective income tax burden, subject to certain conditions.
The regulatory approach to fintech in the Netherlands can be described as encouraging and fintech-friendly. As in a number of the adjacent jurisdictions, the Netherlands has a twin peaks supervision model. This model focuses on conduct of business supervision on the one hand and system supervision and prudential supervision on the other hand. Whereas the Dutch Central Bank (DCB) is the competent regulator for system and prudential matters, the Netherlands Authority for the Financial Markets (AFM) is the competent regulator responsible for the conduct of business supervision.
Both supervisors are well aware of the chances, but also the risks that come along with new technological developments. They assist market players in applying the existing regulatory framework to new services and products and flag gaps that may require further amendment of such a framework by the Dutch legislator. This leads to an environment in which fintech players and solutions can thrive, albeit that the supervisors sometimes struggle with the (lack of) ability to apply the applicable rules proportionally.
i Licensing of fintech companies
In the absence of a specific fintech licence in the Netherlands, it should be assessed whether fintech companies fall within the existing legal framework which aims to regulate the provision of traditional financial services. The Netherlands does not have one act that includes all rules relating to fintech businesses. However, the Dutch Act on Financial Supervision (AFS) and its further regulations are considered the main statute when it comes to financial regulatory laws in the Netherlands. Many of the rules contained in the AFS implement the European directives, such as Payment Services Directive (PSD) II, Electronic Money Services Directive II, Markets in Financial Instruments Directive (MiFID) II, Undertakings for Collective Investments in Transferable Securities (UCITS) V and Alternative Investment Fund Managers Directive (AIFMD). Whether a fintech company falls within scope of such framework depends on the exact activities. One example is a crypto-exchange on which trading can take place in Bitcoin futures. Such futures qualify as financial instruments, as a result of which the exchange in principle requires a licence as an investment firm for operating a trading venue. If only cryptocurrencies can be traded on the crypto-exchange that do not qualify as financial instruments, the exchange falls (currently) in principle outside the scope of regulation.
Further developments are expected in the regulation of fintech companies. In a recent joint report,2 DCB and the AFM recommended the introduction of a licensing regime for fiat-crypto exchange platforms and wallet providers to ensure effective implementation of the Fifth Anti-Money Laundering Directive (Directive (EU) 2018/843, AMLD V), amend the European regulatory framework to enable blockchain-based developments of SME funding and introduce a European definition of a security.
ii Marketing of fintech products and services
There are no specific marketing rules for fintech products and services. Whether or not fintech companies are subject to marketing rules depends on the qualification of the products and services they offer as regulated financial products and services. In general, financial undertakings have to ensure that any information regarding their products and services is clear, correct and not misleading. Furthermore, sector-specific rules may apply to pre-contractual information and marketing material. For marketing materials of certain investment funds, it is, for example, mandatory to include a risk warning, and the way in which forward-looking statements may be presented to clients is prescribed.
iii (Semi-)automated digital advice
The provision of (semi-)automated digital advice or 'robo-advice' may be subject to a licence obligation as (1) a financial adviser on the basis of Section 2:75 AFS where it concerns advice to consumers (or clients where it concerns insurance products) on financial products, or (2) an investment firm under the Dutch implementation of MiFID II (Directive 2014/65/EU), if advice is provided to clients on financial instruments. The AFM has published guidance on the provision of robo-advice on financial products.3 According to the AFM, robo-advice can improve the accessibility and quality of advice on products in non-complex customer situations. In respect of more complex situations or when integral advice is required on the financial situation of a customer, the AFM still sees added value in physical advice. The AFM also published guidance on the duty of care in case of (semi-)automated asset management.4
iv Credit information services
Fintech companies that provide credit information services, such as offerors of credit comparison websites, may be subject to a licence obligation as a credit intermediary on the basis of Section 2:80 AFS. The performance of intermediary services is broadly defined and covers both activities aimed at the conclusion of a credit agreement between a credit offeror and a consumer and assistance in the servicing of such credit agreement. In its guidance on when companies are considered to be intermediaries, the AFM makes the distinction between intermediaries and lead generators.5 The latter solely receives and passes on the consumer's name, address, telephone number and email address to the credit offeror, and is as such not involved in the conclusion of the credit agreement. If a fintech company provides more information to the credit offeror than the name and address details, for instance information on the desired credit amount, the licence plate of the car which the consumer will buy or details on the financial situation of the consumer, the fintech company will likely be regarded as a credit intermediary.
v Cross-border issues
In general, Dutch licence requirements apply to fintech companies that offer regulated products and services 'in or from the Netherlands'. As a result of this geographical scope, companies with their registered seat in another EU Member State or a third country that provide services (to clients) in the Netherlands may come in scope of the Dutch regulatory framework.
A licensed company with its registered seat in another EU Member State can be active in the Netherlands without triggering additional licence requirements in the Netherlands if it can make use of a European passport. Generally, to make use of the European passport, the licensed company has to inform its home state regulator on its intention to provide cross-border services to the Netherlands or to open a branch office in the Netherlands. Examples of services for which a European passport is available are investment services, banking services, payment services, insurance intermediation and fund management services. However, if, for example, a credit agreement is concluded with a Dutch consumer by a credit offeror that is not a bank and with its registered seat outside the Netherlands, this in principle requires a local licence in the Netherlands.
Third-country fintech companies seeking to be active in the Netherlands are generally subject to licensing requirements, unless a specific exemption applies. Whether or not it is relevant that services or products are actively marketed to Dutch clients depends on the type of service or product provided. Under the AIFMD (Directive 2011/61/EU) and MiFID II, a licence requirement is triggered if Dutch clients are actively targeted by the third-country fintech company. If Dutch clients (under MiFID II) or professional investors (under the AIFMD) are accepted on the basis of reverse solicitation, this will generally not trigger Dutch licence requirements.
Digital identity and onboarding
i Digital identity
While numerous private enterprises are introducing various forms of digital identity, the only generally recognised method is currently 'DigiD' (Digital Identity), which is issued by the Dutch State. DigiD is accessible to all residents in the Netherlands, and enables them to make use of the electronic services of several government institutions and organisations that perform public services in the Netherlands (e.g., filing tax return). DigiD cannot be used for transactions.
The Dutch government is currently working on new legislation: the e-Government Act,6 which aims to ensure a more safe and reliable method for Dutch citizens and companies when logging into (semi)government online platforms. To realise this objective, the Dutch government has introduced an electronic identification medium known as eID (electronic identification), which will also meet the strict security measures as stipulated under the European eIDAS Regulation.7 The e-Government Act will become mandatory for the Dutch government, as well as for various industries regulated by the government (e.g., healthcare providers). The new legislation is currently under review by the Dutch House of Representatives, and is expected to enter into force mid-2019.
In addition, in 2016, Dutch banks developed an identification and login service together with the Dutch Payment Association (iDIN). With the use of iDIN, retail account holders can identify themselves online and login at participating organisations (iDIN-acceptants). iDIN meets the requirements under the eIDAS Regulation and the General Data Protection Regulation (GDPR).
The AFM and DCB qualify the situation in which the client is not physically present for verification of its identity, without extra guarantees, such as qualified electronical signatures, as high-risk. The AFM acknowledges that identification can take place from a distance by means of innovative technologies.8 It refers in that respect to the opinion of the European Supervisory Authorities (ESAs) in relation to the use of innovative solutions by financial undertakings in the customer due diligence process.9
In this opinion, the ESAs discuss that innovative solutions often involve non-face-to-face verification of customers' identity on the basis of traditional identity documents through various portable devices such as smartphones or the verification of customers' identity through other means, for example, central identity documentation repositories (often referred to as 'KYC utilities'). The ESAs encourage competent authorities to support those developments while also discussing the risks attached to these innovative solutions. In order to mitigate these risks, they note for example the possibilities to add a physical element in digitised onboarding of clients, such as a live chat solution, biometrical facial recognition by means of a webcam or the use of software that can detect images that are or have been tampered with (e.g., facial morphing). If the services are offered without any physical interaction, financial undertakings should be aware of the higher risks that are attached to this way of distribution (e.g., identity fraud, the risk that the customer is intimidated, threatened or under duress or geographical risks). Financial undertakings could, for example, make use of a qualified electronical signature in line with the eIDAS Regulation, confirm the identity of a client by sending a letter to the customer's verified home address, make use of voice-analysing software or combine different identification means.10
Digital markets, payment services and funding
i Collective investment schemes
Collective investment schemes may be subject to the Dutch implementation of the AIFMD or UCITS V (Directive 2009/65/EU, as amended by Directive 2014/91/EU). Under the Dutch implementation of the AIFMD, it is required to obtain a licence when:
- managing a Dutch alternative investment fund (AIF);
- marketing units in an AIF in the Netherlands; or
- for Dutch managers, when managing AIFs or marketing units in AIFs.
For Dutch managers, it is possible to register pursuant to the 'small managers registration regime' as a result of which no licence has to be obtained. Dutch managers can register pursuant to this regime provided that the assets under management do not exceed certain thresholds and certain marketing restrictions are taken into account (e.g., the units are only marketed to professional investors within the meaning of Section 1:1 AFS).
Crowdfunding and crowd-lending (also referred to as investment-based and loan-based crowdfunding) are both seen as important new funding means in the Netherlands. With loan-based crowdfunding, the project owner enters into a loan agreement with the crowdfunder or the crowdfunding platform. In the case of investment-based crowdfunding, the project owner issues either equity or debt instruments to the crowdfunder or crowdfunding platform.
There is no specific crowdfunding framework in the Netherlands. Instead, existing regimes, for example, for the provision of investment services or the offering of consumer credit, have been tailored to the use of such regimes for crowdfunding platforms. Certain licensing or registration obligations may be triggered. For example, crowdfunding platforms that are used for the provision of loans to consumers must obtain a licence for the offering of credit pursuant to Section 2:60 AFS, or alternatively, a banking licence pursuant to Section 2:11 AFS if the crowdfunding platform itself attracts repayable funds from the public. Crowdfunding platforms that only provide intermediary services in respect of attracting repayable funds from the public may obtain a dispensation from the AFM to conduct such activities.11 If a crowdfunding platform receives and transmits orders in financial instruments issued by the project owner, it will require obtaining a licence as an investment firm from the AFM. The applicable regime therefore depends on the type of activities that the crowdfunding platform conducts and the structure that is being applied. The possibilities for crowdfunders or crowd-lenders to freely trade their loans or securities on the secondary market may be restricted in the Netherlands.12
iii Payment services
The provision of payment services is regulated by the Dutch implementation of PSD II (Directive (EU) 2015/2366). Providers of payment services in the Netherlands require a licence from the Dutch Central Bank pursuant to Section 2:3a AFS, unless they operate on the basis of a EU passport. In addition, banks and electronic money institutions may provide payment services in the Netherlands on the basis of their licence without obtaining an additional licence. PSD II was implemented in the Netherlands on 19 February 2019.13 As part of the Dutch implementation of PSD II, banks have to cooperate when a user of an online bank account wants to provide third-party providers with access to such bank accounts.14
Cryptocurrencies, initial coin offerings (ICO) and security tokens
Other new business models
i Self-executing contracts
Under Dutch law, it is possible to conclude self-executing contracts or 'smart contracts'. There is no specific legal framework applicable to smart contracts. A smart contract can be seen as a computerised algorithm that automatically performs the terms of the contract. Smart contracts typically have the characteristics that execution is automated and performance is ensured without recourse to legal remedies. An example in the financial sector is a smart contract for a flood insurance policy, whereby insurance claims are paid out automatically if the policy is triggered on the basis of a linked data set. Smart contracts are not suitable for all types of agreements, since it may be difficult to convert the contractual agreements into computer code that follows the logic of 'if A then B'.
ii Third-party comparison websites
Third-party comparison websites that compare regulated financial products or services may be subject to a licence obligation as an intermediary (see Section II.iv). If personal data of interested customers is processed, then the third-party comparison website has to comply with the GDPR18 and the Dutch GDPR Implementation Act.19 In general, third-party comparison websites must check the information of offerors of regulated products to ensure that it is complete and reliable. The Netherlands Authority for Consumers & Markets takes the view that price transparency rules also apply to third-party comparison websites.20
Intellectual property and data protection
i Data protection
In the Netherlands, client data is protected under various data protection rules. This includes the GDPR and the Dutch GDPR Implementation Act, the Protection of Business Secrets Act (PBSA)21 and the Law to Protect Networks and Information Systems (LPNIS),22 as further described below.
Client data that relates to an identified or identifiable natural person (e.g., bank account details but also owners and representatives of a company) qualifies as personal data23 and is protected under these laws. Data relating to legal entities and deceased24 individuals do not fall within the scope of the GDPR or the GDPR Implementation Act.
Companies falling under the scope of the GDPR and the GDPR Implementation Act are accountable for processing personal data with a lawful basis25 and with transparency integrity and confidentiality. For instance, customer due diligence activities must be based on a statutory data processing ground and must be proportionate to its aim. In addition, data subjects (meaning the individuals to whom the personal data relates to) must be informed on the data processing activities carried out. There are no special rules that apply to digital profiling of clients under the GDPR. However, the GDPR does apply to automated processing of personal data that evaluates certain things about an individual (profiling) and sets out certain rules for such processing activities. For instance, such processing may require an individual's explicit consent.
The PBSA provides companies with a tool to protect their confidential know how and other business information. This can include any type of information, including client data. However, the information must be secret, must have a commercial value and must be adequately protected in order to qualify as a business secret, thereby falling under the scope of this Act.
The LPNIS requires providers of essential services and of digital services to implement measures that decrease the likelihood of cyber-incidents occurring. These measures should also ensure minimum negative consequences in the event that such incidents occur. This law also requires companies to report serious incidents to the Ministry of Justice and Safety, which is the incidents response team in the Netherlands.
ii Intellectual property rights
Several types of intellectual property rights may play a role when it comes to protecting fintech business models and related software. The most relevant type is copyright protection. In extraordinary cases, patent protection may be available as well. When a business model is not eligible for copyright protection or copyright protection, the PBSA may still provide protection of such a business model.
When it comes to copyright protection, the Dutch Copyright Act (DCA)26 requires that a work has an 'original character' and 'bears the personal mark of the author'. This is, in essence, the same criterion as the criterion developed by the European Court of Justice in the Infopaq judgment (16 July 2009): a work must be one's 'own intellectual creation'. A basic principle under the DCA is that mere 'ideas' do not qualify for copyright protection as such. Ideas need to be worked out in detail to become copyright protected. If a certain work has sufficient originality, it is automatically protected by the DCA. There are no registration formalities in the Netherlands.
With respect to software, the DCA explicitly provides that software and material to prepare software is eligible for copyright protection. The copyright protection of software programs applies to the expression (in any form) of a computer program. Equal to the aforementioned basic principle, ideas and principles that underlie elements of a computer program, or ideas that underlie interfaces, are not copyright protected. This means that financial company A and financial company B can have, in essence, the same software solution in place, while both solutions have been programmed in a different manner (have a different source code), by different persons (but with the same underlying ideas).
While it is relatively easy to qualify for copyright protection, qualifying for patent protection is a different – and complex – story. Software as such (the program 'stand-alone' or 'as such') cannot be protected by a patent in the Netherlands (nor in the European Union). If the software has a certain 'technical effect' – when it is for instance implemented in hardware and directs or determines a certain movement of such hardware – it may be eligible for patent protection included in the technical solution as a whole. The threshold for obtaining patent protection is, however, still rather high and process of obtaining patent protection is time consuming. During the application process, it will be assessed whether the technical solution is sufficiently 'new' as compared to existing solutions to the same problem. The technical solution may not be incorporated in prior art.
The copyrights to a certain software program are automatically attributed to the employer if an employee develops the software in the course of his or her employment. The same more or less applies to patentable inventions made by an employee in the course of his or her employment. In case of the latter, the Dutch Patent Act explicitly provides that the employee should be paid a reasonable compensation for the invention based on the financial interest of the invention. With respect to copyrights, the DCA does not require a reasonable compensation for the employee.
Financial companies that hire independent contractors for developing fintech business models or software, should arrange for the transfer of the copyrights that come into existence during or after the development by written contract. Otherwise, the independent contractor will be the owner of the copyrights. Patent protection will only be obtained after application and subsequent registration, but it is advisable to agree with an independent contractor in writing that only the client (in this case the financial company) shall be allowed to apply for patent protection.
Year in review
The year 2018 and the beginning of 2019 can be characterised by a further development of the regulation and legal treatment of fintech in the Netherlands. Both the AFM and DCB are following new developments closely and are providing guidance to market players, for example, through the InnovationHub. In the course of 2018, the AFM published its vision and guidance in respect of robo-advice and (semi)automatic portfolio management, while DCB is heavily involved in the practical implementation of PSD II. With the entry into force of PSD II on 19 February 2019, new fintech players may be welcomed in the Dutch arena of payment services.27
In addition, a consultation proposal was published in December 2018 for the implementation of the Fifth Anti-Money Laundering Directive. This proposal introduces a registration requirement for virtual currency exchange platforms and custody wallet providers in the Netherlands. In addition, the AFM and DCB published their recommendations for a regulatory framework for cryptos in January 2019.
At European level, some developments are taking a bit longer than expected, such as the development of the new European regime for crowdfunding services providers, but others are moving in a faster pace, such as the development of the thoughts on a new framework for cryptoassets.
From a more commercial perspective, the attitude of 'wait and see' of the Dutch legislator and supervisors and the ability to have open conversations with them, together with macro-economic developments like Brexit, have made the Netherlands an appealing jurisdiction for new market players to set up their operations. Accordingly, we have seen a large increase in the number of regulated companies that are active in the Netherlands.
Outlook and conclusions
Based on the fast pace in which the regulatory framework and the AFM and DCB are adapting to fintech solutions and players, it may be expected that the future will be characterised by further integration of fintech in the Dutch financial markets. Not only do we expect a further development and maturation in the products and services that are offered by incumbents and start-ups, but also in the outsourcing of certain back-office functions (such as compliance, AML/KYC and transaction reporting) to specialised IT providers. For 2019 and 2020, we expect further growth in payment solutions and more clarity on the regulation of security tokens.
1 Martijn Schoonewille is a partner and Wendy Pronk, Marije Louisse, Mariska Kool and Pepijn Pinkse are senior associates at Loyens & Loeff NV. The authors also wish to thank Joanne Zaaijer and Iram Velji for their invaluable contribution in respect of the data protection laws and regulations in the Netherlands. The information in this chapter is accurate as of April 2019.
2 AFM and DCB, 'Cryptos. Recommendations for a regulatory framework', December 2018.
3 AFM, 'Visie op robo-advies: kansen, zorgplicht en aandachtspunten', 15 March 2018.
4 AFM, 'Leidraad invulling van de zorgplicht bij (semi)automatisch vermogensbeheer', 15 March 2018.
5 AFM, 'Publicatie bemiddelen.', September 2014.
6 Kamerstukken II¸2017–2018, 34 972, No. 2.
7 Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
8 AFM, Leidraad Wwft, Wwft BES en Sanctiewet, 25 July 2018, as amended per 2 January 2019, pp.20–21. At the time of writing, DCB has not published its updated guidelines in respect of customer due diligence yet. These are expected in Q1 2019.
9 ESA Opinion on the use of innovative solutions by credit and financial institutions in the customer due diligence process, 23 January 2018, JC 2017/81.
10 E van Praag and T van den Berg, 'Roboadvies: de robot de (menselijke) maat genomen', TFRiP 2018(5), pp. 50–51. TWG de Wit, 'Fintech & Wwft', TvC April 2018, pp. 125–132. JS van der Graaf, 'De toepassing van technologie in het klantacceptatie- en transactiemonitoringsproces ter bestrijding van financieel-economische criminaliteit', Jaarboek Compliance 2018, pp. 305–313.
11 M Williams, Peer-to-peer lending in the Netherlands, Journal of European Consumer and Market Law, p. 188.
12 L van der Velden & E van Rein, 'Crowdfunders willen verhandelbare aandelen en leningen, maar stuiten op AFM', Het Financieele Dagblad, 16 July 2018.
13 Stb. 2019, 60, as amended by Stb. 2019, 114.
14 Accidently, this obligation did not enter into force on 19 February 2019. This has been repaired by the amendment of the decree mentioned in footnote 13.
15 AFM and DCB, 'Cryptos. Recommendations for a regulatory framework', December 2018. AFM, 'Initial Coin Offerings (ICO's): grote risico's.', via: https://www.afm.nl/nl-nl/professionals/onderwerpen/ico.
16 Letter of the State Secretary of Finance published on 28 May 2018.
17 Supreme Court, 27 January 1988, ECLI:NL:HR:1988:ZC3744.
18 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
19 Law of 16 May 2018, laying down rules for implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (general data protection regulation) (PbEU 2016, L 119) (Implementing Act General Data Protection Regulation, Uitvoeringswet Algemene verordening gegevensbescherming).
20 ACM, 'Vergelijkingssites financiële producten.', February 2012.
21 Law of 17 October 2018, laying down rules for implementing Directive 2016/943/ EU of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against unauthorised acquisition, use and disclosure making them (PbEU 2016, L157) (Trade Secrets Protection Act, Wet bescherming bedrijfsgeheimen).
22 Law of 17 October 2018, laying down rules for the implementation of Directive (EU) 2016/1148 (Network and Information Systems Security Act, Wet beveiliging netwerk- en informatiesystemen).
23 Article 4, GDPR.
24 Recital 27, GDPR.
25 Article 5, Paragraph 1 Sub a, GDPR.
26 Law of 23 September 1912, among others laying down rules for implementing EU Software Directive (2009/24/EG).