The Netherlands is a welcoming country for FinTech companies. Both the Dutch government and the Dutch regulators have a positive attitude towards financial innovation. In this introduction, we aim to give you a general overview of the FinTech landscape in the Netherlands. Due to the wide scope of the FinTech sector and the inherent continual development of the regulatory framework applicable to the innovations created by FinTech companies, we will dive into a bit more detail in respect of recently introduced or expected upcoming regulatory changes. These mainly relate to the use of blockchain, crypto assets, retail payments, crowdfunding and digital operational resilience.
In July 2020, the Dutch FinTech Action Plan was published. It shows the political aim to stimulate new innovation by laws and regulation for open banking and open finance in the Netherlands. In considering next steps, the Dutch government is closely following the initiatives taken by the European Commission as part of its efforts to build a Capital Markets Union and a Digital Single Market, in particular initiatives such as the Digital Finance Strategy and Retail Payments Strategy. These recently published initiatives will be described in this introduction, as well as the preliminary Dutch response to those initiatives. Source
Although FinTech companies are not disrupting the stability of the Dutch financial system, the FinTech industry is expanding and growing exponentially. FinTech companies are increasingly gaining territory in the broader financial services landscape. The ongoing trend of digitisation in the financial sector, and the acknowledgement of the importance thereof, on a national, a European as well as a global level, will only be a boost for more FinTech solutions to become part, directly or indirectly, of the products and services offered to end customers. The recent COVID-19 pandemic also shows the importance of further digitisation and the need to develop safe, trustworthy and comprehensible products and services strengthening financial inclusion for all customers.
The Dutch FinTech market
FinTech covers a broad spectrum of technology-driven innovation in the financial services sector, where the main driver is to improve user and customer experience. In a recent report drawn up by EY at the request of the Dutch government, EY distinguished 20 different FinTech services, including payment, digital banking, online lending and investing, InsurTech, RegTech, blockchain solutions, cryptocurrencies, artificial intelligence and machine learning and different types of market support (cloud) solutions. Source
FinTech companies active in the Netherlands mainly focus on offering services in the following three subsectors: payments and remittances (17%), financial software (14%) and SME lending (10%). The least activity is shown in the fields of artificial intelligence and machine learning, credit reference data and scoring, and trade finance and supply chain solutions (each representing 1%). Source
Other recent research conducted by EY shows that the Netherlands has the highest percentage of consumer FinTech adoption in Europe (73%, compared with a global average of 64%). Source
The Netherlands is thus the perfect testing market for FinTech startups.
Financial regulatory environment
Determining which financial regulatory framework applies to FinTech companies is a rather complicated task. European and Dutch financial legislation will generally apply to a FinTech company if the products or services offered fall under the scope of the existing financial regulatory framework. This framework is intended to be ‘technology neutral’, meaning that it applies irrespective of the underlying technology used.
This principle, as well as the principle ‘same activity, same risk, same rules’, aims at safeguarding a level playing field between the parties active in the financial services sector. It was emphasised again by the European Commission when promoting the digital transformation under its Digital Finance Strategy for the EU recently. The priorities of the Commission under the Digital Finance Strategy include tackling fragmentation in the Digital Single Market and ensuring that the financial regulatory framework facilitates digital innovation. Source
These EU priorities are shared by the Dutch Minister of Finance. In its preliminary response to the Digital Finance Package, the Standing Committee of Finance within the Dutch House of Representatives has generally endorsed the initiatives taken by the European Commission. We will elaborate in a bit more detail in the relevant paragraphs below. Source
These European initiatives are in line with the Dutch FinTech Action Plan which was published in July 2020. In the Dutch FinTech Action plan, three pillars are proposed to stimulate innovation in the Dutch financial sector and to enable Dutch FinTech companies to flourish. These pillars are: (i) putting the Dutch FinTech climate and the Dutch FinTech industry on the map, both nationally and internationally; (ii) creating easy access to knowledge and talent for FinTech companies; and (iii) having in place future-proof legislation and regulations that facilitate innovation. Within each pillar, a number of contemplated actions are proposed, on a European, an international and a national level. The actions on a national level include, for example, the offering of guaranteed SME loans, developing residency arrangements for foreign key personnel of startups and making it more attractive to grant stock options as part of salaries from a Dutch tax perspective. The national actions proposed in the FinTech Action Plan also aim to ensure that FinTech companies have easy access to material information in respect of the regulatory framework applicable to them and to keep in mind how this regulatory framework, as well as the costs involved with regulatory oversight, can be applied in a more proportionate manner to small companies and startups. Lastly, the national actions would aim at strengthening the existing initiatives of the Dutch financial regulators such as the InnovationHub, ‘Regulatory Sandbox’ and iForum. Source
The InnovationHub and the ‘Regulatory Sandbox’ (Maatwerk voor Innovatie) were launched by the Dutch financial regulators (the Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB)) in 2016. The InnovationHub is an information portal where new and existing market parties can raise general questions relating to the regulatory framework applicable to their FinTech solutions. The ‘Regulatory Sandbox’ is a more extensive process of knowledge sharing between companies and regulators. The sandbox enables FinTech companies to discuss a customised approach if they experience disproportionate regulatory obstacles.
iForum is a digital platform launched by DNB in November 2019. With iForum, DNB aims to create a link between the financial ecosystem and DNB in the field of technological innovation and share best practices in the FinTech sector.
FinTech laws and regulations
A brief – non-exhaustive – summary of the most relevant Dutch laws and regulations applicable to FinTech companies is provided below.
PSD2, regulating payment institutions, is implemented in Dutch laws in a harmonised manner. Account Information Service Providers (AISPs) need to obtain a (light) licence in the Netherlands, instead of a mere registration as required pursuant to PSD2.
DNB maintains a relatively narrow reading of the scope of the licence obligation, clarifying that it considers a party to be a payment institution if “it provides a payment service for a payer’s or payee's expense as a separately identifiable activity. This means the activity must be separate and not indissolubly linked to another activity unrelated to payment services.” Source
While the dust of PSD2 is still settling, in particular when it comes to the standardisation and implementation of strong customer authentication requirements, the European Commission has already announced further amendments to come as part of the recently published Retail Payments Strategy. Source Part of that strategy is to adopt a legal framework which would enable the use of interoperable digital identity solutions such as an eID to satisfy the strong customer authentication requirements.
One of the four pillars in the Retail Payments Strategy focuses on the publication of a new proposal for an open finance (rather than mere open banking) ecosystem by mid-2022. The review of PSD2 (expected by the end of 2021) will likely include a proposal to merge EMD2 into PSD2 by introducing the issuance of e-money as a new payment service under PSD2 (or PSD3). It will also examine whether technical service providers that provide ancillary services to actors in the payments chain should be subjected to regulatory supervision as well. These technical service providers are currently still exempt from oversight pursuant to PSD2.
Another pillar focuses on the full uptake of instant payments by the end of 2021, potentially by requiring payment service providers to adhere to the scheme for instant payments as developed by the European Payment Council by the end of 2021. While emphasising the importance of maintaining the availability of cash money, the European Commission is researching the possibility of issuing a retail central bank digital currency (CBDC) as well.
A third pillar aims at facilitating an open and accessible payments ecosystem. The European Commission will look into an extension of the scope of the Settlement Finality Directive to include e-money institutions and payment institutions enabling these financial undertakings to get access to, for example, the TARGET2 payment system directly, rather than the current indirect access via credit institutions or central banks.
Lastly, the European Commission will look into the possibilities of improving the speed, costs, availability, transparency and convenience of cross-border payments to or from a non-member state of the EU. In the key actions formulated by the Commission, it strikes us that no mention is made of the possibility to use (then) regulated forms of stable coins or central bank digital currencies for cross-border payments and remittances involving a payer or beneficiary outside the EU.
The Dutch government endorses the Retail Payments Strategy of the European Commission. On a national level, there are already several regulations to ensure that each Dutch resident has good access to payment infrastructure, such as a maximum distance to an ATM and detailed rules applicable to the larger payment service providers to ensure a proper functioning of cashless payments. Also, instant payment is already well implemented in the Netherlands. One of the objectives of the Dutch government – the introduction of account number portability, enabling account holders to easily transfer to another bank (or other payment service provider) – is not taken into account in the Retail Payments Strategy. For the Dutch government, other important factors that should be considered when developing a more open European financial ecosystem are data protection and consumer protection, in particular in respect of consumers’ payment data and taking into account the increasing influence of BigTechs. Source
Crowdlending and crowdinvesting platforms
Under the current Dutch regime applicable to crowdlending platforms, the operator of the platform generally must obtain authorisation from the AFM to offer intermediary services in lending activities between investors and borrowers. Depending on the type of lending activities, the authorisation takes the form of a dispensation or a licence. Fundraisers who attract repayable funds from the public up to EUR2.5 million via an authorised crowdlending platform are exempt from a Dutch prohibition that would otherwise be applicable to them.
Under the current Dutch regime applicable to crowdinvesting platforms, the operator of the platform generally must obtain a MiFID II licence, as it is considered to provide brokerage and placement activities in respect of financial instruments. Issuers of securities (i.e., the fundraisers) are subject to the Prospectus Regulation. An issuer of securities to the public in the Netherlands is exempt from the obligation to publish an approved prospectus if the total offering size is less than EUR5 million per category of security (debt versus equity), taking into account all group companies affiliated to the issuer and all offerings of securities in the European Economic Area within the preceding period of 12 months. However, any such exempt issuers must publish and submit to the AFM an information memorandum drawn up in a prescribed format.
Recently, on 20 October 2020, Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the Crowdfunding Regulation) was published in the Official Journal of the European Union. It shall apply as per 10 November 2021. The Crowdfunding Regulation will create a European harmonised framework applicable to any crowdfunding service provider active on the European market, including the Netherlands. The above-mentioned national regimes will be trumped by the Crowdfunding Regulation to the extent the services provided by a crowdfunding platform fall under the scope of the Crowdfunding Regulation. An important exclusion is crowdfunding services in respect of lending to consumers; this remains subject to national laws and regulations (and requires a licence as consumer credit offeror as well as a dispensation for a specific prohibition under Dutch law). Furthermore, the offering size of a fundraising via a crowdfunding service provider’s platform under the Crowdfunding Regulation is limited to EUR5 million in a period of 12 months. Any person (which can be juridical persons only) offering crowdfunding services to businesses needs to obtain a licence under the Crowdfunding Regulation, as of 10 November 2021. Existing crowdfunding service providers may rely on a transitional period of one year and need to have obtained their licence under the Crowdfunding Regulation ultimately on 10 November 2022. Upon being licensed as a crowdfunding service provider under the Crowdfunding Regulation, the services can be offered in all member states of the European Union. Source
Distributed ledger technology and blockchain
Distributed ledger technologies (DLT) such as blockchain technology can be used in many different ways and for many different purposes. The use of blockchain technology in itself does not cause a company to fall under the scope of Dutch financial regulatory laws, but it is inherent that blockchain-based products and services will present multiple potential legal implications. The existing laws do not apply neatly to innovations based on this technology, which results in both regulatory obstacles for regulated financial undertakings when using DLT, as well as in certain crypto assets falling out of the scope of existing legislation.
In the Digital Finance Package, explicit attention is given to the use of DLT for market infrastructures. A draft Regulation on a pilot regime for these DLT market infrastructures has been published by the European Commission. The draft Regulation aims to take away regulatory obstacles by providing for a specific regime (including exemptions to existing EU legislation) for authorised operators of multilateral trading facilities (MTFs) and for authorised central securities depositaries (CSDs) to use DLT when operating their MTF or securities settlement system. An example is an exemption to MiFID’s requirement to only offer direct access to the trading venue to professional parties such as investment firms and credit institutions. Under the draft Regulation, MTFs would be able to give retail investors direct access to the ‘DLT MTF’ when trading in crypto assets that qualify as financial instruments.
It is a remarkable and rather new way of providing a regulatory framework by the Commission. In essence, it offers a temporary regulatory sandbox to authorised operators of MTFs and authorised CSDs. DLT market infrastructures could potentially combine trading, clearing and settlement in financial instruments and therefore could make capital market transactions more efficient, cheaper and quicker. In theory, the counterparty risk – and therefore the need for a clearing house be involved in a transaction – is taken away when DLT is used for trading and settlement. Use of DLT by authorised operators of market infrastructures could result in an incredible change in trading compared with the current standards. Source
The Dutch government is in favour of this draft Regulation offering a pilot regime for DLT market infrastructures, but it also needs clarification in respect of certain parts of the draft Regulation. We note that the Commission is looking into amending the SFD for the purpose of giving e-money institutions and payment institutions direct access to payment systems such as TARGET2. The Dutch government will, presumably, request the Commission to look into the TARGET2 Securities system for the above purposes. Source
Crypto assets are digital representations of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology. As part of the Digital Finance Package, the Commission published a draft proposal for a regulation on Markets in Crypto-assets (MiCA). The MiCA Regulation aims to provide an EU framework for issuance of and provision of services in respect to crypto assets. Source
Three subcategories of crypto assets are distinguished in the draft Regulation: (i) utility tokens; (ii) asset-referenced tokens with a payment functionality which aim at maintaining a stable value by referencing (a) several fiat currencies, (b) one or several commodities, (c) one or several crypto assets, or (d) a basket of such assets; and (iii) e-money tokens which are crypto assets used as a means of payment which aim at stabilising their value by referencing a single fiat currency.
The draft MiCA Regulation provides for a specific regulatory framework applicable to issuers of crypto assets and to crypto asset service providers that do not already fall under the existing regulatory framework. It aims at (i) creating legal certainty within the EU, (ii) stimulating innovation, (iii) organising consumer protection and preventing market abuse, and (iv) safeguarding financial stability.
Issuers will generally be required to publish a whitepaper and to provide it to the regulator who then can determine whether the crypto assets contemplated to be offered fall under the scope of MiCA or under the scope of a regulatory framework already in place. Whitepapers published by issuers of asset-referenced tokens generally need to be approved by the regulator. Moreover, licence requirements are introduced for these types of issuers (except for credit institutions issuing asset-referenced tokens). E-money tokens can only be issued by licensed credit institutions and licensed e-money institutions. Exemptions to these more stringent requirements applicable to issuers of asset-referenced tokens or e-money tokens are available if the offering size remains lower than EUR5 million on a 12-month period basis or if the tokens are offered to professional investors only.
Crypto service providers offering services in respect of crypto assets that fall under the scope of MiCA will be subject to a licence requirement with passporting rights throughout the EEA (unless they already hold a banking licence or a MiFID licence). Such services include several brokerage and investment services that are derived from MiFID II, as well as the offering of a trading platform for crypto assets, offering exchange services from and to fiat currencies and offering custodial services. Crypto services providers offering the latter two services are already subject to integrity oversight pursuant to AMLD V.
The Dutch government embraces the proposed MiCA Regulation. It contributes to the urgency and need of regulating the crypto industry which the Dutch government insisted on with the European legislator. The Dutch government would, however, prefer further clarification on the difference between the two types of stable coins. It also urges the European Commission to take further measures to better protect consumers. The Dutch government also welcomes clearer definitions for the crypto assets that fall under the scope of MiCA to prevent regulatory arbitrage. Lastly, the Dutch government questions whether the proposed rules around whitepapers, such as the requirement to provide the whitepaper to the regulator but not subject it to a substantive review by the regulator (other than whitepapers issued by asset-referenced token issuers) suffice to protect consumers and whether the proposed role of the regulator does not create false expectations. Source
AML and CFT rules
The Dutch AML and CFT rules require such entities falling under the scope of the Dutch AML Act to perform customer due diligence prior to entering into business relationships with customers, to monitor customer activity and to report suspicious transactions to the national financial intelligence unit (FIU). AML and CFT compliance is a hot topic in the Netherlands. In recent years, huge AML scandals of Dutch banks created front-page headlines. Five of the main banks in the Netherlands joined forces in the fight against money laundering and launched Transaction Monitoring Netherlands in 2020, an organisation that will monitor all payment transactions of these banks as per 2021.
Since the implementation of AMLD V, applicable as per 21 May 2020, custodial wallet providers and providers engaged in exchange services between virtual currencies and fiat currencies fall under the scope of the Dutch AML and CFT rules as well. They need to register with DNB, which acts as integrity supervisor. Without such registration, crypto service providers cannot provide these custodial or exchange services in the Netherlands. This registration requirement also applies to crypto service providers having their statutory seat outside the Netherlands but offering their services in the Netherlands.
A transitional period was available to existing crypto service providers until 21 November 2020. One of the main challenges for crypto service providers appeared to be compliance with the Sanctions Act in respect of ensuring that a non-client of the crypto service provider can be screened against sanctions and freeze lists when a crypto service provider facilitates in a crypto transaction to a third-party crypto wallet. DNB requires crypto service providers to validate the identity of the holder of such third-party crypto wallet, for example by means of initiating a crypto ‘penny check’ transaction from such third-party crypto wallet.
MiFID II and brokerage
FinTech companies involved in intermediary brokerage services in relation to financial instruments are generally subject to a licence obligation as an investment firm. MiFID II has been implemented in a harmonised manner in Dutch laws, resulting in Dutch laws not deviating materially from the European framework applicable to investment firms.
There is one exception though. Offering a digital secondary trading market generally results in the AFM taking the view that the operator/offeror of such trading venue requires a licence. The AFM is not in favour of bulletin boards; it therefore came to the conclusion relatively quickly that a party offering a mere bulletin board must also have a MiFID licence for operating a trading venue. The AFM takes this position even though MiFIR and the Crowdfunding Regulation allow the option of offering a secondary market via a mere bulletin board without such a licence being required.
AIFMD and collective asset management services
FinTech companies offering collective investment schemes are generally required to obtain a licence for managing or marketing units in investment institutions in the Netherlands.
A Dutch manager may opt for a light registration regime instead of a full AIFM licence if: (i) its aggregate assets under management remain below either EUR100 million or EUR500 million on an unleveraged basis, subject to no units being redeemable within five years upon issuance; and (ii) subject to it complying with at least one additional condition by either offering the units in a particular investment institution (a) to professional investors only, (b) to fewer than 150 investors in total per investment institution under its management, or (c) against a value of at least EUR100,000 per investor.
Roboadvice, and other use cases of artificial intelligence (AI), has attracted the interest of the Dutch financial regulators. Self-learning algorithms can develop themselves on a continuous basis with data input, resulting in output which is generated incredibly fast. Humans cannot compete with the pace of this technology. This not only offers potential, but also bears risks and raises ethical questions. Data input must still be provided through human interference, which could result in biased or incorrect output. Bad input can never become good output.
Artificial intelligence is developing rapidly and has caught the interest of the Dutch government. In February 2020 a general round table discussion took place in respect of a legal framework and supervision in respect of a digital future, including the use of AI, algorithms and machine learning. In the same month, the European Commission published a consultation on a whitepaper on AI. The whitepaper stresses the need to achieve an ecosystem of excellence and an ecosystem of trust. Source
The Dutch government endorsed this whitepaper, albeit that the Dutch government believes that these two ecosystems of excellence and of trust are inevitably intertwined instead of existing as separate modules. The Dutch response was based on three documents which were published in October 2019 focusing on the risks involved with AI, such as the ethical risks, the risk of bias and the ability to explain an outcome when using AI. The main objective of the Dutch government is to ‘capitalise on AI’s societal and economic opportunities, as well as to safeguard the public interests of AI, thus contributing to prosperity and well-being’. The leading principle is an inclusive approach that puts the human being first. Source
These documents govern a broader use of AI than just the use of AI in the financial sector. In respect of the financial sector, the Dutch financial regulators have published initial guidelines relating to the use of AI and self-learning algorithms in the financial sector. For example, the AFM published guidelines on the duty of care involved in semi-automated asset management and its views on roboadvice. Source DNB also published guidelines for the use of AI. The acronym of these DNB guidelines is ‘SAFEST’, which hints at DNB’s main message. The guidelines urge financial undertakings to use AI responsibly. AI applications in the financial sector should be Sound; someone must be Accountable; the outcome of AI should be Fair and Ethical; only sufficiently Skilled people should be involved in developing AI applications; and the use of AI should be Transparent and explainable. Responsible use of AI is key to preventing incidents that could have a substantial impact on financial stability. Source
The Dutch government is currently working on draft principles that assist developers to mitigate risks involved with the use of AI.
The AFM and DNB published a report describing the ten key focus areas when using AI in the insurance sector, in which the technical aspects of the use of AI are considered. Source In line with the European Insurance and Occupational Pensions Authority’s report (Source), the Dutch regulators emphasise that the fast-evolving InsurTech market should be monitored closely. The regulators will pay special attention to the ethical aspects involved in InsurTech solutions. The effects of AI (and other types of technology) on solidarity and insurability are important areas of focus.
Compliance and risk management is an immanent part of the business operations of each company but in particular of regulated companies. As a general rule, all financial undertakings must have controlled and sound business operations, and must have internal procedures and processes in place to safeguard the same and mitigate operational and compliance risks as much as possible.
Key functions, such as compliance, internal audit and risk management, must generally be fulfilled independently; however, for regulated FinTech companies that are still relatively small in size, the Dutch regulators tend to accept that some of these key functions are combined under the responsibility of one or several persons. Given the tech basis and the platform-driven business model of FinTech companies, a shift in risk strategy and risk management may be identified, for example by giving more importance to cybersecurity and data protection.
GDPR and privacy rules
The applicable data protection regime in the Netherlands mainly follows from the European General Data Protection Regulation (GDPR) and the Dutch Implementation ACT GDPR (Uitvoeringswet AVG). This regime does not have specific implications for FinTech companies; it applies to any type of company processing personal data within the meaning of GDPR.
Depending on the type of FinTech company and the manner in which it uses personal data, additional requirements pursuant to sector-specific legislation may apply, such as the explicit consent requirement under PSD2. Another example is, if a FinTech company makes use of big data and/or artificial intelligence, specific requirements pursuant to GDPR with regard to profiling apply.
Consumer protection rules
Due to the digital and tech-driven nature of FinTech companies, FinTech companies mainly use online channels for offering financial services and/or products, which could result in e-commerce rules becoming applicable. These include, for example, pre- and post-contractual information obligations, language requirements and an information obligation regarding the existence of the Online Dispute Resolution Platform. Furthermore, specific consumer protection rules, such as rules aimed at mitigating risks involved with contracting online, may become applicable.
IT and cybersecurity rules
As part of its Digital Finance Strategy, the European Commission published a draft Regulation on the digital operational resilience for the financial sector (the Digital Operational Resilience Act, DORA). It aims to align the requirements relating to the ICT risk for the financial sector or, if these are not really existing as yet, to introduce such requirements for financial market actors. The current regulatory framework applicable to credit institutions, investment firms, asset managers, insurers, payment institutions, etc. will be amended to subject each of these financial undertakings to the same set of rules as it comes to mitigate ICT risks involved in their respective businesses. It aims at introducing a set of requirements to manage and mitigate the risks of ICT incidents, a notification requirement for material ICT incidents, the requirement to periodically perform cyber resilience stress tests including, for significant financial undertakings the requirement to undertake threat-led penetration testing (TLPT) which mimics a real-life cyber threat. DORA also includes a requirement to monitor the functioning of and risks imposed by third-party service providers, such as cloud service providers, to whom financial undertakings have outsourced certain services. Lastly, DORA includes a proposal enabling financial undertakings to exchange information in respect of cyber threats. Source
The Dutch government attaches great value to digital operational resilience. There are already several operational requirements in place on a national level which are similar to the ones suggested in DORA, including the Dutch Act on Security Network and Information Systems. Pursuant to this Act, companies that have at least 50 or more employees and/or generate a revenue of at least EUR10 million and provide essential services (e.g., energy, banking, financial markets infrastructure) fall under the scope of the Act. They have a duty of care and must take adequate technical and organisational measures to control identified security risks.
Moreover, the Dutch Threat Intelligence Based Ethical Red Teaming model (TIBER) used for TLPT is already used in the Dutch market and taken over by the ECB as the model for TLPT within the EU. Source
The Dutch government endorses DORA in full, albeit that it will raise some questions for further clarification. It considers DORA a complete and proportionate framework based on the right principles which will improve digital operational resilience and considers DORA to be an important step in harmonising the operational requirements within the financial sector. According to the Dutch government, DORA ensures a better level of cyber resilience while not posing unnecessary obstacles to innovation. It will bring the TIBER model under the attention of the Commission to prevent a new EU TLPT model to be developed. Source