The Netherlands is a welcoming country for FinTech companies. Both the Dutch government and the Dutch regulators have a positive attitude towards financial innovation. This can be explained by the fact that the Dutch financial market is controlled by a limited number of incumbents, resulting in a less competitive market. FinTech companies have the potential to influence the dominant position of the Dutch incumbents.
Although FinTech companies are not disrupting the stability of the Dutch financial system, the FinTech industry is expanding and growing exponentially – both globally and in the Netherlands. FinTech companies are increasingly gaining territory in the broader financial services landscape.
The Netherlands is generally considered the perfect pan-European hub. The Netherlands has a healthy economy, striving international business areas, is home to the oldest stock exchange and is known for its lenient business immigration policy offering multiple immigration schemes and interesting tax incentives to attract specialist talent from abroad (such as the possibility to offer 30% of the salary of a foreign specialist talent tax free). In addition, the Netherlands houses two of the largest internet exchange points in the world (AMS-IX and NL-IX), resulting in a perfect digital ecosystem and high connectivity. As the world’s second datacentre hotspot, Amsterdam is known as the digital gateway to Europe.
External factors may also cause growth of the FinTech industry in the Netherlands. Particularly Brexit, or the threat thereof, has resulted in the transfer of UK based FinTech companies to the Netherlands
The Dutch FinTech market
FinTech covers a broad spectrum of technology-driven innovation in the financial services sector, where the main driver is to improve user and customer experience. The Financial Stability Board divides FinTech activities into five sub-sectors based on their economic functions.
• payments, clearing and settlement – examples include the new payment services under PSD2 (payment initiation services and account information services) and the use of APIs to achieve a more open banking environment;
• deposits, lending and capital raising – examples include alternative financing and crowdfunding platforms, whether or not based on blockchain technology;
• InsurTech – examples include insurance policies programmed as smart contracts, Internet of Things developments and similar big data collecting wearables, sensors or software;
• investment management – examples include robo-advisory investment services, mobile trading applications and algorithm-based trading robots; and
• market support – examples include cloud computing solutions (software as a service, platform as a service, business process as a service, data as a service and infrastructure as a service), RegTech and innovative digital and biometric ID (know your customer) services.
Recent research conducted by EY shows that the Netherlands has the highest percentage of consumer FinTech adoption in Europe (73%, compared to a global average of 64%) (Source: EY, Global FinTech Adoption Index 2019). The Netherlands is thus the perfect testing market for FinTech start-ups.
Determining which regulatory framework applies to FinTech companies is a rather complicated task. European and Dutch financial legislation will generally apply to a FinTech company if the products or services offered fall under the scope of the existing financial regulatory framework. This framework is intended to be ‘technology neutral’, meaning that it applies irrespective of the underlying technology used.
These underlying technologies, such as artificial intelligence and blockchain technology, do not in itself result in specific Dutch laws to become applicable. However, it is attracting growing interest from the Dutch regulators.
Traditionally, European financial services legislation is institution driven rather than activity driven. Where incumbents such as banks typically focus on a full service approach as an institution, FinTech companies aim to improve customer experience, financial inclusion and competition in respect of just part of the value chain.
A more activity-based regulatory framework would better suit FinTech companies. However, due to the Europeanisation of the regulatory framework governing financial services, the Dutch legislature and the Dutch financial regulators have limited discretion to adopt a more flexible approach towards FinTech companies.
Although in the last coalition agreement the ruling parties of the Dutch government agreed to introduce less stringent licensing requirements for FinTech companies, this goal has not yet been achieved. The Dutch financial regulatory laws have not changed in a way that makes it easier for FinTech companies to access the market.
However, these intentions did result in the Dutch financial regulators (the Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB)) jointly launching two initiatives with the aim of both facilitating FinTech and gaining knowledge of FinTech developments in 2016:
• the InnovationHub which is an information portal where new and existing market parties can raise general questions relating to the regulatory framework applicable to their FinTech solutions; and
• the Regulatory Sandbox (Maatwerk voor Innovatie) which is a more extensive process of knowledge sharing between companies and regulators. The sandbox enables FinTech companies to discuss a customised approach if they experience disproportionate regulatory obstacles. This is only possible if the applicable laws and regulations provide room for a more proportionate approach. In August 2019, the initiators published an evaluation report which stated that this has occurred on a few occasions since the creation of the sandbox.
Moreover, the Dutch Minister of Finance recently announced further examination of the Dutch FinTech sector and proposed, on the basis of the outcome of third party research, more concrete measures to facilitate and stimulate FinTech in the Netherlands as much as possible (source: Parliamentary papers House of Representatives, 2018-2019, 32 013, nr. 213).
FinTech laws and regulations
A brief – non-exhaustive - summary of the most relevant Dutch laws and regulations applicable to FinTech companies is provided below.
PSD2 as implemented in Dutch laws regulates payment services providers. PSD2 was implemented in a harmonised manner in Dutch law, albeit that Account Information Service Providers (AISPs) need to obtain a (light) licence in the Netherlands, instead of a mere registration as required pursuant to PSD2.
For open banking purposes, Access to the Account (XS2A) is the most important innovation enabled by PSD2. XS2A entails the possibility for third party providers (TTPs, such as AISPs, Payment Initiation Service Providers (PISPs) and Payment Services Providers (PSPs) other than the Account Servicing Payment Service Provider (ASPSP)) to get access to online available payment accounts administered by ASPSPs subject to the explicit consent of the account holder. XS2A was a heavily debated provision in PSD2. From the incumbent banks perspective, it is understandable. They are confronted with an enormous competition risk. The payment transaction data which were, to a great extent, an asset of the incumbent banks only, no longer come to the exclusive use of those incumbent banks since PSD2.These transaction data can – and will - now also be used by TTPs.
It should be noted though that XS2A is a right of an account holder, rather than of a TTP. As such, FinTech companies offering payment services are dependent on the interest in such services from account holders. Recent research shows that Dutch residents are not yet open minded as it comes to open banking. Dutch residents appear to put great trust in the incumbent banks and do not feel comfortable with granting TTPs the required consent to access their payment accounts .
In addition, ASPSPs are only required to give XS2A to TTPs without an underlying contractual relationship between the ASPSP and the TTP if the TTP qualifies as a PSP. In this respect it is worth noting that DNB maintains a relatively narrow reading of the scope of the licence obligation, clarifying that it considers that a party pursues the business of a PSP only if “it provides a payment service for a payer’s or payee's expense as a separately identifiable activity. This means the activity must be separate and not indissolubly linked to another activity unrelated to payment services”.
Crowdlending and crowdinvesting platforms
Under the Dutch regime applicable to crowdlending platforms, the operator of the platform generally must obtain authorisation from the AFM to offer intermediary services in lending activities between investors and borrowers. Depending on the type of lending activities, the authorisation takes the form or a dispensation or a licence. The granting of such authorisation is subject to among other things the platform’s compliance with minimum conditions to ensure prudent and sound business operations, adequate client handling and suitable and reliable management. Moreover, the operator of a crowdlending platform is subjected to Crowdfunding Rules as published by the AFM, which include for example a requirement to conduct retail investor tests and to cap the aggregate investments that a retail investor can make in crowdlending projects via the platform (the maximum is EUR80,000 per retail investor).
Operators of crowdinvesting platforms generally require a MiFID II licence, as they are considered to provide brokerage and placement activities in respect of financial instruments. Issuers of securities (i.e. the fundraisers) are subject to the Prospectus Regulation. An issuer of securities to the public in the Netherlands is exempt from the obligation to publish an approved prospectus if the total offering size is less than EUR5 million per category of security (debt versus equity), taking into account all group companies affiliated to the issuer and all offerings of securities in the European Economic Area within the preceding period of 12 months. However, any such exempt issuers must publish and submit to the AFM an information memorandum drawn up in a prescribed format.
Blockchain and cryptosBlockchain technology can be used in many different ways and for many different purposes. The use of blockchain technology in itself does not cause a company to fall under the scope of Dutch financial regulatory laws, but it is imminent that blockchain-based products and services present multiple potential legal implications. The existing laws do not apply neatly to innovations based on this technology. Examples include privacy-related issues such as the right to be forgotten under the GDPR, property law consequences (are cryptos goods that can be pledged?) and questions regarding private international law.
In respect of cryptocurrencies, multiple appearances can be distinguished. Examples are native coins, stable coins, commodity-backed tokens, (pre)payment or currency tokens, asset or investment tokens, utility tokens and hybrid tokens combining one or more of the terms of the aforementioned tokens.
Where up until now the position is taken that native coins (such as bitcoin and Ether) which are distributed to miners to incentivise them to maintain the consensus mechanism of the related blockchain (such as Bitcoin and Ethereum) do not fall under the current existing regulatory framework, such clear regulatory boundary cannot be given in respect of cryptographic tokens. Investment tokens that in essence provide the same type of rights that would normally be offered to holders of debt or equity securities, are generally considered security tokens under Dutch laws. The offering of or trading in such security tokens could trigger the applicability of securities laws such as the Prospectus Regulation and MiFID II. But also stable coins and commodity-backed tokens raise regulatory questions, in particular in the field of electronic money and derivatives legislation.
AMLD V is the first European Directive that results in specific rules to become applicable to virtual currencies (as defined in AMLD V) (see below).
AML and CFT rulesThe Dutch AML and CFT rules require such entities falling under the scope of the Dutch AML Act to perform customer due diligence prior to entering into business relationships with customers, to monitor customer activity and to report suspicious transactions to the national financial intelligence unit (FIU).
As gatekeepers of the financial markets, all regulated financial undertakings fall under the scope of this Act. Upon implementation of AMLD V (expected 10 January 2020), custodian wallet providers and providers engaged in exchange services between virtual currencies and fiat currencies fall under the scope of the act. They need to register with DNB following which these crypto service providers will fall under the integrity supervision of DNB.
Five of the main banks in the Netherlands recently announced their intention to join forces in the fight against money laundering and are considering jointly launching an organisation (Transactie Monitoring Nederland) that would monitor all payment transactions of these banks.
MiFID II and brokerageFinTech companies involved in intermediary brokerage services in relation to financial instruments are generally subject to a licence obligation as an investment firm (beleggingsonderneming). MiFID II was implemented in a harmonised manner in Dutch laws, resulting in Dutch laws not deviating materially from the European framework applicable to investment firms.
There is one exception though. Offering a digital secondary trading market generally results in the AFM taking the view that the operator/offeror of such trading venue requires a licence. The AFM is not in favour of bulletin boards; it therefore comes to the conclusion relatively quickly that a party offering a mere bulletin board must also have a MiFID licence for operating a trading venue. The AFM takes this position even though MiFIR and the proposed EU Crowdfunding Regulation allow the option of offering a secondary market via a mere bulletin board without such a licence being required.
AIFMD and collective asset management services
FinTech companies offering collective investment schemes (such as crypto funds) are generally required to obtain a licence for managing or marketing units in investment institutions in the Netherlands.
A Dutch manager may opt for a light registration regime instead of a full AIFM licence if:
• its aggregate assets under management remain below either:
o EUR100 million; or
o EUR500 million on an unleveraged basis, subject to no units being redeemable within five years upon issuance; and
• it complies with at least one additional condition by either offering the units:
o to professional investors only;
o to fewer than 150 investors in total; or
o against a value of at least EUR100,000 per investor.
Roboadvice, and other use cases of artificial intelligence (AI), has attracted the interest of the Dutch financial regulators. Self-learning algorithms can develop themselves on a continuous basis with data input, resulting in output which is generated incredibly fast. Humans cannot compete with the pace of this technology. This not only offers potential, but also bears risks and raises ethical questions. Data input must still be provided through human interference, which could result in biased or incorrect output. Bad input can never become good output.
The Dutch financial regulators have published initial guidelines relating to the use of AI and self-learning algorithms in the financial sector. For example, the AFM published guidelines on the duty of care involved in semi-automated asset management and its views on roboadvice. DNB also recently published guidelines for the use of AI . The acronym of these DNB guidelines is ‘SAFEST’, which hints at DNB’s main message. The guidelines urge financial undertakings to use AI responsibly. AI applications in the financial sector should be Sound; someone must be Accountable; the outcome of AI should be Fair and Ethical; only sufficiently Skilled people should be involved in developing AI applications; and the use of AI should be Transparent and explainable. Responsible use of AI is key to prevent incidents which could have a substantial impact on financial stability.
Thus far, the existing legal framework is believed to be sufficient to safeguard the security of the financial markets and to adequately protect consumers.
The AFM and DNB recently published a report describing the 10 key focus areas when using artificial intelligence (AI) in the insurance sector, in which the technical aspects of the use of AI are considered. In line with the European Insurance and Occupational Pensions Authority’s recent report, the Dutch regulators emphasise the fact that the fast-evolving insurtech market should be monitored closely. The regulators will pay special attention to the ethical aspects involved in InsurTech solutions. The effects of AI (and other types of technology) on solidarity and insurability are important areas of focus.RegTech
Compliance and risk management is an imminent part of business operations of each company but in particular of regulated companies. As a general rule, all financial undertakings must have controlled and sounds business operations, and must have internal procedures and processes in place to safeguard the same and mitigate operational and compliance risks as much as possible.
Key functions, such as compliance, internal audit and risk management, must generally be fulfilled independently; however, for regulated FinTech companies that are still relatively small in size, the Dutch regulators tend to accept that some of these key functions are combined under the responsibility of one or several persons. Given the tech basis and the platform-driven business model of FinTech companies, a shift in risk strategy and risk management may be identified. Cybersecurity risks and privacy risks are graver for FinTech companies than for other ‘regular’ companies.
GDPR and privacy rules
All companies, including FinTech companies, that process personal data within the meaning of the GDPR must comply with the requirements laid down in this European regulation. These include among other things specific requirements and limitations in respect of the processing, transferring and retention of personal data.
Depending on the type of FinTech company and the manner in which it uses personal data, additional requirements pursuant to sector-specific legislation may apply, such as the explicit consent requirement under PSD2. If a FinTech company makes use of big data and/or artificial intelligence, specific requirements pursuant to GDPR with regard to profiling apply.
Consumer protection rules
Due to the digital and tech-driven nature of FinTech companies, FinTech companies mainly use online channels for offering financial services and/or products, which could result in e-commerce rules to become applicable. These include for example pre- and post-contractual information obligations, language requirements and an information obligation regarding the existence of the Online Dispute Resolution Platform. Furthermore, specific consumer protection rules, such as rules aimed at mitigating risks involved with contracting online, may become applicable.
IT and cyber security rulesThe IT and cyber security rules applicable to a FinTech company mainly follow from requirements included in specific legislation such as PSD2, MiFID II and/or GDPR. Examples are the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved with the processing of the personal data under GDPR, as well as the requirement to have procedures and measures in place to ensure the integrity, continuous availability and security of automated data processing under financial regulatory rules.
In 2018 the Dutch Act on Security Network and Information Systems implementing the EU Cybersecurity Directive entered into force. The requirements laid down in the Act apply to digital service providers, including FinTech companies, that have at least 50 or more employees and/or generate a revenue of at least EUR10 million and provide essential services (eg, energy, banking, financial markets infrastructure). Pursuant to the act, these companies have a duty of care and must take adequate technical and organisational measures to control identified security risks.