NETHERLANDS: An Introduction to FinTech Legal

THE NETHERLANDS: AN INTRODUCTION 

INTRODUCTION 

The Netherlands is a welcoming country for FinTech companies. Both the Dutch government and the Dutch regulators have a positive attitude towards financial innovation. In this introduction, we aim to give you a general overview of the FinTech landscape in the Netherlands. Due to the wide scope of the FinTech sector and the inherent continuous development of the regulatory framework applicable to innovations developed by FinTech companies, we will dive into a bit more detail in respect of recently introduced or expected upcoming regulatory changes. These mainly relate to the use of blockchains, crypto assets, retail payments, crowdfunding and digital operational resilience.

In July 2020, the Dutch FinTech Action Plan was published (source). It shows the political aim to stimulate new innovation by laws and regulation for open banking and open finance in the Netherlands. In considering next steps, the Dutch government closely follows the initiatives taken by the European Commission as part of its efforts to build a Capital Markets Union and a Digital Single Market, in particular initiatives like the Digital Finance Strategy and Retail Payments Strategy, which were published by the European Commission in September 2020 (source). This is also evidenced by the report on the progress of the FinTech Action Plan as published in October 2021 (source), which mainly shows developments in the field of European legislative proposals as described in more detail in this introduction, as well as the Dutch government’s initial response to and discussions in respect of the Digital Finance Package. Source The European Commission requested technical advice on Digital Finance from the European Supervisory Authorities. Source ESMA closed a call for evidence on Digital Finance in August 2021. It is expected that ESMA will deliver a report with its findings to the European Commission by the end of January 2022. Source

Although FinTech companies are not disrupting the stability of the Dutch financial system, the FinTech industry is expanding and growing exponentially. FinTech companies are increasingly gaining territory in the broader financial services landscape. The ongoing trend of digitisation in the financial sector, and the acknowledgement of the importance hereof, on a national, European as well as a global level, will only be a boost for more FinTech solutions to become part, directly or indirectly, of the products and services offered to end-customers. The ongoing COVID-19 pandemic also shows the importance of further digitisation and the need to develop safe, trustworthy and comprehensible products and services strengthening financial inclusion for all customers.

THE DUTCH FINTECH MARKET 

FinTech covers a broad spectrum of technology-driven innovation in the financial services sector, where the main driver is to improve user and customer experience. In a report drawn up by EY at the request of the Dutch government in 2019, EY distinguished twenty different FinTech services, including payment, digital banking, online lending and investing, InsurTech, RegTech, blockchain solutions, cryptocurrencies, artificial intelligence and machine learning and different types of market support (cloud) solutions. Source

Holland FinTech, an organisation aiming at building an independent inclusive FinTech ecosystem in the Netherlands, publishes interesting content in respect of the Dutch FinTech market. On a yearly basis, Holland FinTech publishes the Dutch FinTech Map, distinguishing the different FinTech subsegments and the parties active in the Netherlands in respect of those subsegments. In June 2020, Holland FinTech also published a market research report giving some insight into the Dutch FinTech market size, the Dutch business climate for FinTech companies and the Dutch FinTech market trends. Source

The Netherlands is thus the perfect testing market for FinTech start-ups. The Dutch government closely monitors this position and expects to present follow-up research in the summer of 2022.

FINANCIAL REGULATORY ENVIRONMENT 

For FinTech companies it may be a rather complicated task to determine which financial regulatory framework is applicable; European and Dutch financial legislation will generally apply to a FinTech company if the products or services offered fall under the scope of the existing financial regulatory framework. This framework is intended to be ‘technology neutral’, meaning that it applies irrespective of the underlying technology used.

This principle, as well as the principle ‘same activity, same risk, same rules’, aims at safeguarding a level playing field between the parties active in the financial services sector. It was recently emphasised again by the European Commission when promoting the digital transformation under its Digital Finance Strategy for the EU. The priorities of the Commission under the Digital Finance Strategy include tackling fragmentation in the Digital Single Market and ensuring that the financial regulatory framework facilitates digital innovation. Source

These EU priorities are shared by the Dutch Minister of Finance. In its response to the Digital Finance Package, the Standing Committee of Finance within the Dutch House of Representatives generally endorses the initiatives taken by the European Commission. We will elaborate in a bit more detail in the relevant paragraphs below. Source

The Dutch FinTech Action Plan is in line with the European initiatives. In the Dutch FinTech Action Plan, three pillars are proposed to stimulate innovation in the Dutch financial sector and to enable Dutch FinTech companies to flourish. These pillars are: (i) putting the Dutch FinTech climate and the Dutch FinTech industry on the map, both nationally and internationally, (ii) creating easy access to knowledge and talent for FinTech companies, and (iii) having in place future-proof legislation and regulations that facilitate innovation. Within each pillar, a number of contemplated actions are proposed, on a European, an international and a national level. The actions on a national level include, for example, the offering of guaranteed SME loans, developing residency arrangements for foreign key personnel of start-ups and making it more attractive to grant stock options as part of salaries from a Dutch tax perspective. The national actions proposed in the FinTech Action Plan also aim to ensure that FinTech companies have easy access to material information in respect of the regulatory framework applicable to them and to keep in mind how this regulatory framework, as well as the costs involved with regulatory oversight, can be applied in a more proportionate manner to small companies and start-ups. Lastly, the national actions would aim at strengthening the existing initiatives of the Dutch financial regulators such as the InnovationHub, ‘Regulatory Sandbox’ and iForum. Source

The InnovationHub and the ‘Regulatory Sandbox’ (Maatwerk voor Innovatie) were launched by the Dutch financial regulators (the Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB)) in 2016 and evaluated in 2019. The InnovationHub is an information portal where new and existing market parties can raise general questions relating to the regulatory framework applicable to their FinTech solutions. The ‘Regulatory Sandbox’ is a more extensive process of knowledge sharing between companies and regulators. The sandbox enables FinTech companies to discuss a customised approach if they experience disproportionate regulatory obstacles. In the evaluation report, the AFM and DNB conclude that both initiatives play an important role in responding to innovation in the financial sector. This is largely due to the knowledge exchange that takes place through the open interaction with the market. Source

iForum is a digital platform launched by DNB in November 2019. With iForum, DNB aims to create a link between the financial ecosystem and DNB in the field of technological innovation and share best practices in the FinTech sector.

In a joint exploratory study published by DNB in August 2021, market participants and supervisory authorities have identified the bottlenecks in the regulatory legal framework that arise in relation to innovation in the Dutch financial sector, and looked at possible improvements. The insights form the basis for follow-up actions: 

  • DNB and the members of a consultation group are committed to a holistic and European approach to new regulations in relation to innovation and the emergence of new players. 
  • The Dutch Ministry of Finance will soon be setting up a 'harmonisation dialogue', which is to enable market players to identify where the harmonisation of European regulations needs to be reinforced.
  • Examples provided by the market showing that supervision is not proportionate will be reviewed by DNB on the basis of three principles: (1) proportionality in financial law and supervisory practices are in balance, (2) the principle of proportionality in European regulation is taken into account in the national implementation and (3) the principle of proportionality is applied in Member State options provided to the Dutch legislature in European financial law. 
  • In collaboration with the AFM, DNB will be initiating a study in the third quarter of 2021 into a possible renewal of the Regulatory Sandbox. This will take place under the flag of the iForum, in collaboration with the sector. Source
FINTECH LAWS AND REGULATIONS

    A brief – non-exhaustive – summary of the most relevant Dutch laws and regulations applicable to FinTech companies is provided below.

    PayTech 

    PSD2, regulating payment institutions, is implemented in Dutch laws in a harmonised manner. Account Information Service Providers (AISPs) need to obtain a (light) licence in the Netherlands, instead of a mere registration as required pursuant to PSD2.

    DNB maintains a relatively narrow reading of the scope of the licence obligation, clarifying that it considers a party to be a payment institution if “it provides a payment service for a payer’s or payee's expense as a separately identifiable activity. This means the activity must be separate and not indissolubly linked to another activity unrelated to payment services”. Source

    Whilst the dust of PSD2 is still settling, in particular when it comes to the standardisation and implementation of strong customer authentication (SCA) requirements, especially as regards the use of application programming interfaces under PSD2 (source), the EBA published a consultation document in October 2021 in relation to the exemption to the SCA requirements applicable pursuant to Article 10 of the Regulatory Technical Standards for SCA (Delegated Regulation (EU) 2018/389). Under this exemption, SCA requirements only have to be applied initially and once every 90 days thereafter when certain payment account data (limited to the balance of the account and recent transaction history without disclosure of sensitive payment data) are accessed online by a payment service user, either directly or via an AISP. Due to divergent use of this exemption resulting from its voluntary character, the EBA proposes to make the exemption mandatory for account servicing PSPs (ASPSPs) when AISPs access the accounts. Source

    Moreover, as part of the Retail Payments Strategy, the European Commission already announced further amendments to PSD2. Source Part of that strategy is to adopt a legal framework which would enable the use of interoperable digital identity solutions such as an eID to satisfy the strong customer authentication requirements. In the conclusions of the European Council on the Retail Payments Strategy communication adopted in March 2021, the Council gives the Commission a strong push forward to roll out its proposed strategy. Source

    The Retail Payments Strategy is based on four pillars:

    1. One of the four pillars in the Retail Payments Strategy focuses on the publication of a new proposal for an open finance (rather than mere open banking) eco-system by mid-2022. The review of PSD2 will likely include a proposal to merge EMD2 into PSD2 by introducing the issuance of e-money as a new payment service under PSD2 (or PSD3). It will also examine whether technical service providers that provide ancillary services to actors in the payments chain should be subjected to regulatory supervision as well. These technical service providers are currently still exempt from oversight pursuant to PSD2.

    2. Another pillar focuses on the full uptake of instant payments by the end of 2021, potentially by requiring payment service providers to adhere to the scheme for instant payments as developed by the European Payment Council.

    While emphasising the importance of maintaining the availability of cash money, the European Commission does research the possibilities of issuing a retail central bank digital currency (CBDC) as well. In July 2021, the ECB announced its decision to launch the investigation phase of a digital euro project, a decision which received positive feedback from the Dutch Minister of Finance. The investigation phase aims to address key issues regarding the design and distribution of such a CBDC. The project commenced in October 2021 and is expected to last for 24 months, after which it will be decided whether a digital euro will be developed and issued. Source The Dutch Minister of Finance endorses these initiatives of the ECB. Source

    3. A third pillar aims at facilitating an open and accessible payments ecosystem. The European Commission will look into an extension of the scope of the Settlement Finality Directive to include e-money institutions and payment institutions enabling these financial undertakings to get access to, for example, the TARGET2 payment system directly, rather than the current indirect access via credit institutions or central banks.

    4. Lastly, the European Commission will look into the possibilities of improving the speed, costs, availability, transparency and convenience of cross-border payments to or from a non-member state of the EU. In the key actions formulated by the Commission, it strikes us that no mention is made of the possibility to use (then) regulated forms of stable coins or central bank digital currencies for cross-border payments and remittances involving a payer or beneficiary outside the EU.

    The Dutch government endorses the Retail Payments Strategy of the European Commission. On a national level, there are already several regulations to ensure that each Dutch resident has good access to the payment infrastructure, such as a maximum distance to an ATM and detailed rules applicable to the larger payment service providers to ensure a proper functioning of cashless payments. Instant payments are also already well implemented in the Netherlands. One of the objectives of the Dutch government – introduction of account number portability enabling account holders to easily transfer to another bank (or other payment service provider) – is not taken into account in the Retail Payments Strategy. However, in the area of number portability, the European Commission is evaluating the Payment Accounts Directive, resulting in a first study on the EU payment accounts market dated January 2021. Source For the Dutch government, other important factors that should be considered when developing a more open finance European ecosystem are data protection and consumer protection, in particular in respect of consumers’ payment data and taking into account the increasing influence of BigTechs. Source This intensifying positioning of BigTechs in the financial sector has the special attention of the Dutch supervisory authorities. DNB published a report in June 2021 setting out the changes that BigTech brings in the financial sector as well as the supervisory tasks of the Dutch supervisory authorities in that respect. Source In its annual trends report 2021, as published in November 2021, the AFM also emphasised the importance of protection of customer data and of managing other risks that are introduced by BigTechs, including concentration risks resulting from financial undertakings being dependent on a limited number of cloud service providers and the outsourcing risks that come along with that. Source

    Crowdfunding service providers 

    As of 10 November 2021, Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the Crowdfunding Regulation) applies to crowdfunding service providers (CSPs) in the European Union. The Crowdfunding Regulation creates a European harmonised framework for CSPs, including CSPs in the Netherlands. Under the Crowdfunding Regulation, CSPs need to obtain a licence from the national competent authority of their home member state. This means that CSPs that are established in the Netherlands will need to apply for a licence with the AFM. Only legal persons established in the European Union can obtain such a licence. Upon being licensed as a CSP and such licence being duly passported to other member states, the CSP can offer the crowdfunding services in such other member states of the European Union.

    The Crowdfunding Regulation applies to two types of crowdfunding: (i) crowdfunding in the form of loans and (ii) crowdfunding in the form of securities. The Crowdfunding Regulation amends the Prospectus Regulation, with the result that an offer of securities via a licensed CSP under the Crowdfunding Regulation is excluded from the scope of the Prospectus Regulation. The Crowdfunding Regulation is not applicable to crowdfunding services in respect of lending to consumers; this remains subject to national laws and regulations (and requires a licence as consumer credit offeror as well as a dispensation for a specific prohibition under Dutch law). Furthermore, the offering size of a fundraising via a CSP’s platform under the Crowdfunding Regulation is limited to EUR5 million in a period of 12 months. Existing crowdfunding service providers may rely on a transitional period of one year and need to have obtained their licence under the Crowdfunding Regulation by 10 November 2022 at the latest. Recently, the AFM announced that existing CSPs must apply for a licence by 10 May 2022. Source

    The entry into force of the Crowdfunding Regulation means that CSPs that fall within the scope of this Regulation no longer need a dispensation or a licence on the basis of the Dutch Financial Supervisory Act. It is expected that the Dutch legislation will be amended accordingly before the year-end of 2021. Source

    Distributed ledger technology and blockchain 

    Distributed ledger technologies (DLT) such as blockchain technology can be used in many different ways and for many different purposes. The use of blockchain technology in itself does not cause a company to fall under the scope of Dutch financial regulatory laws, but it is evident that blockchain-based products and services present multiple potential legal implications. The existing laws do not apply neatly to innovations based on this technology, which results both in regulatory obstacles for regulated financial undertakings when using DLT and in certain crypto assets falling out of scope of existing legislation.

    In the Digital Finance Package, explicit attention is given to the use of DLT for market infrastructures. A draft Regulation on a pilot regime for these DLT market infrastructures was published by the European Commission, and the European Parliament published its final report in August 2021. Source The European Parliament will defend this position during the trialogue with the European Commission and the Council of the European Union. Source The draft Regulation aims to take away regulatory obstacles by providing for a specific regime (including exemptions to existing EU legislation) for authorised operators of multilateral trading facilities (MTFs) and for authorised central securities depositories (CSDs) to use DLT when operating their MTF or securities settlement system. An example is an exemption to MiFID’s requirement to only offer direct access to the trading venue to professional parties such as investment firms and credit institutions. Under the draft Regulation, MTFs would be able to give retail investors direct access to the ‘DLT MTF’ when trading in crypto assets that qualify as financial instruments.

    It is a remarkable and rather new way of providing a regulatory framework by the Commission. In essence, it offers a temporary regulatory sandbox to authorised operators of MTFs and authorised CSDs. DLT market infrastructures could potentially combine trading, clearing and settlement in financial instruments and therefore could make capital market transactions more efficient, cheaper and quicker. In theory, the counterparty risk – and therefore the need for a clearing house to be involved in a transaction – is taken away when DLT is used for trading and settlement. Use of DLT by authorised operators of market infrastructures could result in an incredible change in trading compared to the current standards. Source

    The Dutch government is in favour of this draft Regulation offering a pilot regime for DLT market infrastructures, but it also needs clarification in respect of certain parts of the draft Regulation. We note that the Commission is looking into amending the SFD for the purpose of giving e-money institutions and payment institutions direct access to the payment systems such as TARGET2. The Dutch government will, presumably, request the Commission to look into the TARGET2 Securities system for the above purposes. Source

    Crypto assets 

    Crypto assets are digital representations of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology. As part of the Digital Finance Package, the Commission published a draft proposal for a regulation on Markets in Crypto-assets (MiCA), in respect of which the European Council adopted its position in November 2021, which kicks off the trialogue negotiations with the European Parliament. Source The MiCA Regulation aims to provide an EU framework for issuance of and provision of services in respect to crypto-assets. Source

    Three sub-categories of crypto-assets are distinguished in the draft Regulation:

    (i) utility tokens

    (ii) asset-referenced tokens with a payment functionality which aim at maintaining a stable value by referencing (a) several fiat currencies, (b) one or several commodities, (c) one or several crypto assets, or (d) a basket of such assets; and

    (iii) e-money tokens which are crypto-assets used as a means of payment which aim at stabilising their value by referencing a single fiat currency.

    The draft MiCA Regulation provides for a specific regulatory framework applicable to issuers of crypto assets and to crypto asset service providers that do not already fall under the existing regulatory framework. It aims at (i) creating legal certainty within the EU, (ii) stimulating innovation, (iii) organising consumer protection and preventing market abuse, and (iv) safeguarding financial stability.

    Issuers will generally be required to publish a white paper and to provide it to the regulator, who can then determine whether the crypto assets contemplated to be offered fall under the scope of MiCA or under the scope of a regulatory framework already in place. White papers published by issuers of asset-referenced tokens generally need to be approved by the regulator. Moreover, licence requirements are introduced for these types of issuers (except for credit institutions issuing asset-referenced tokens). E-money tokens can only be issued by licensed credit institutions and licensed e-money institutions. Exemptions to these more stringent requirements applicable to issuers of asset-referenced tokens or e-money tokens are available if the offering size remains lower than EUR5 million on a 12-month period basis or if the tokens are offered to professional investors only.

    Crypto service providers offering services in respect of crypto assets that fall under the scope of MiCA will be subject to a licence requirement with passporting rights throughout the EEA (unless they already hold a banking licence or a MiFID licence). Such services include several brokerage and investment services that are derived from MiFID II, as well as the offering of a trading platform for crypto assets, offering exchange services from and to fiat currencies and offering custodial services. Crypto services providers offering the latter two services are already subject to integrity oversight pursuant to AMLD V.

    The Dutch government embraces the proposed MiCA Regulation. It builds on the urgency and need of regulating the crypto industry, which the Dutch government insisted on with the European legislator. The Dutch government would, however, prefer further clarification on the difference between the two types of stable coins. It also urges the European Commission to take further measures to better protect consumers. The Dutch government also welcomes clearer definitions for the crypto assets that fall under the scope of MiCA to prevent regulatory arbitrage. Lastly, the Dutch government questions whether the proposed rules around white papers, such as the requirement to provide the white paper to the regulator but not subject it to a substantive review by the regulator (other than white papers issued by asset-referenced token issuers), suffice to protect consumers and whether the proposed role of the regulator does not create false expectations. Source

    AML and CFT rules 

    The Dutch AML and CFT rules require entities falling under the scope of the Dutch AML Act to perform customer due diligence prior to entering into business relationships with customers, to monitor customer activity and to report suspicious transactions to the national financial intelligence unit (FIU). AML and CFT compliance is a hot topic in the Netherlands. In recent years, huge AML scandals involving Dutch banks made front-page headlines. Five of the main banks in the Netherlands joined forces in the fight against money laundering and launched Transaction Monitoring Netherlands in 2020, an organisation that monitors all payment transactions of these banks since 2021. Source

    Since the implementation of AMLD V, applicable as per 21 May 2020, custodial wallet providers and providers engaged in exchange services between virtual currencies and fiat currencies fall under the scope of the Dutch AML and CFT rules as well. They need to register with DNB, which acts as integrity supervisor. Without such registration, crypto service providers cannot provide these custodial or exchange services in the Netherlands. This registration requirement also applies to crypto service providers having their statutory seat outside the Netherlands but offering their services in the Netherlands.

    One of the main challenges for crypto service providers appeared to be compliance with the Sanctions Act in respect of ensuring that a non-client of the crypto service provider can be screened against sanctions and freeze lists when a crypto service provider facilitates a crypto transaction to a third-party crypto wallet. The crypto service provider must take adequate measures to ascertain that the identity of the person holding a crypto address on which crypto assets can be stored, received and sent from can be checked against the sanctions screening lists and to ensure that the crypto service provider is not facilitating transactions in violation of the AML/CFT and sanctions rules and regulations. DNB initially required crypto service providers to verify the identity of the holder of a third-party crypto address, for example by means of initiating a crypto ‘penny check’ transaction from such third-party crypto address. After an administrative court case, DNB confirmed that compliance with this requirement may be risk-based and amended its policy in May 2021. Source Recently, in November 2021, DNB published a draft Q&A to consult the market. The draft Q&A describes DNB’s views of good practices and examples of ways in which a crypto service provider can comply with sanctions legislation. Source

    In July 2021, four new proposals regarding AML were published by the European Commission. Firstly, the proposal for a regulation establishing a new Anti-Money Laundering Authority (AMLA). It is contemplated that this AMLA will be the central authority coordinating national authorities to ensure that the private sector applies EU AML rules correctly and consistently. Secondly, a proposal for an Anti-Money Laundering Regulation (AMLR) was published. This new AMLR contains rules that are directly applicable in all the member states, including in the areas of customer due diligence and beneficial ownership. Thirdly, a proposal for the Anti-Money Laundering Directive VI (AMLD VI) was published including, amongst others, the introduction of certain predicate offences and extension of criminal liability and rules on national supervisors and financial intelligence units. Finally, a proposal for the recast of the Regulation on Transfers of Funds was published. This proposal aims to expand the traceability requirements to also include transfers of crypto-assets, since those requirements currently only apply to transfers of fiat funds. Source The Dutch government published its initial responses to these EC proposals in the field of AML in September 2021. Source

    MiFID II and brokerage 

    FinTech companies involved in intermediary brokerage services in relation to financial instruments are generally subject to a licence obligation as an investment firm. MiFID II was implemented in a harmonised manner in Dutch laws, resulting in Dutch laws not deviating materially from the European framework applicable to investment firms. There is one exception though. Offering a digital secondary trading market generally results in the AFM taking the view that the operator/offeror of such trading venue requires a licence. The AFM is not in favour of bulletin boards; it therefore comes to the conclusion relatively quickly that a party offering a mere bulletin board must also have a MiFID licence for operating a trading venue. The AFM clarified that the (passive) bulletin board under the Crowdfunding Regulation is not to be equated with a trading venue, which brings together buying and selling intentions and results in an agreement and being subject to the licence obligation of MiFID II. By offering a bulletin board, a crowdfunding service provider should not in any way, nor via the systems running the crowdfunding platform, be involved in matching these intentions.

    We note for the sake of completeness that if FinTech companies fall within the scope of the Crowdfunding Regulation – which they generally will do if they provide services in respect of crowdfunding projects up to EUR5 million – these parties are required to obtain a licence as a crowdfunding service provider from the AFM, irrespective of such company possibly already holding a MiFID II licence. Source

    AIFMD and collective asset management services 

    FinTech companies offering collective investment schemes are generally required to obtain a licence for managing or marketing units in investment institutions in the Netherlands.

    A Dutch manager may opt for a light registration regime instead of a full AIFM licence if: (i) its aggregate assets under management remain below either (x) EUR100 million or (y) EUR500 million on an unleveraged basis and subject to no units being redeemable within five years upon issuance; and (ii) subject to it complying with at least one additional condition by either offering the units in a particular investment institution (a) to professional investors only, (b) to less than 150 investors in total per investment institution under its management, or (c) against a value of at least EUR100,000 per investor.

    Roboadvice  

    Roboadvice, and other use cases of artificial intelligence (AI), have attracted the interest of the Dutch financial regulators. Self-learning algorithms can develop themselves on a continuous basis with data input, resulting in output which is generated incredibly fast. Humans cannot compete with the pace of this technology. This not only offers potential, but also bears risks and raises ethical questions. Data input must still be provided through human interference, which could result in biased or incorrect output. Bad input can never become good output.

    Artificial Intelligence is developing rapidly. On April 21, 2021, the European Commission presented the proposal for a regulation laying down harmonised rules on artificial intelligence (AI). The aim of the proposal is to ensure that AI systems that are available to market participants in the EU are safe and in accordance with the applicable fundamental rights and values within the EU and to facilitate an internal market for safe and reliable AI systems, while preventing market fragmentation. The draft Regulation also aims to provide legal certainty to facilitate investment and innovation in AI. Source The Dutch government welcomes the proposal and is positive about the objectives as described in the proposal, but also raises questions and concerns. These mainly concern the definitions and feasibility of the proposal in practice as well as its relationship to existing legislation. Source

    These documents govern a broader use of AI than just the use of AI in the financial sector. In respect of the financial sector, the Dutch financial regulators have published initial guidelines relating to the use of AI and self-learning algorithms in the financial sector. For example, in 2018, the AFM published guidelines on the duty of care involved in semi-automated asset management and its views on roboadvice. Source DNB also published guidelines for the use of AI. The acronym of these DNB guidelines is ‘SAFEST’, which hints at DNB’s main message. The guidelines urge financial undertakings to use AI responsibly. AI applications in the financial sector should be Sound; someone must be Accountable; the outcome of AI should be Fair and Ethical; only sufficiently Skilled people should be involved in developing AI applications; and the use of AI should be Transparent and explainable. Responsible use of AI is key to prevent incidents which could have a substantial impact on financial stability. Source

    On 1 July 2021, the results of a study initiated within DNB’s iForum initiative were published. In this study, the issue of explainability (also referred to as xAI) and its relevance with regard to the responsible use of AI in the financial sector was explored. One of the main conclusions from this study is that xAI calls for enhanced cooperation between national and European supervisory authorities to create alignment on the topic of AI and xAI. Source

    InsurTech  

    At the end of 2019 AFM and DNB published a report describing the 10 key focus areas when using artificial intelligence (AI) in the insurance sector, in which the technical aspects of the use of AI are considered. Source In line with the European Insurance and Occupational Pensions Authority’s (EIOPA) report (source), the Dutch regulators emphasised that the fast-evolving InsurTech market should be monitored closely. The regulators stated they would pay special attention to the ethical aspects involved in InsurTech solutions, with the effects of AI (and other types of technology) on solidarity and insurability as important areas of focus.

    In line with the above, EIOPA published the artificial intelligence governance principles in June 2021. EIOPA acknowledges the advantages of the use of AI in the insurance industry, but also addresses the importance of digital ethics. The AI governance principles consist of six principles, accompanied by more practical guidelines for insurance companies on how to implement the principles in practice. These are principles of (i) proportionality, (ii) fairness and non-discrimination, (iii) transparency and explainability, (iv) human oversight, (v) data governance and record keeping and (vi) robustness and performance. Source

    RegTech  

    Compliance and risk management are an inherent part of the business operations of every company, but in particular of regulated companies. As a general rule, all financial undertakings must have controlled and sound business operations, and must have internal procedures and processes in place to safeguard the same and mitigate operational and compliance risks as much as possible.

    Key functions, such as compliance, internal audit and risk management, must generally be fulfilled independently; however, for regulated FinTech companies that are still relatively small in size, the Dutch regulators tend to accept that some of these key functions are combined under the responsibility of one or several persons. Given the tech basis and the platform-driven business model of most FinTech companies, a shift in risk strategy and risk management may be identified, for example by giving more importance to cyber security and data protection.

    On 29 June 2021, EBA published an analysis of the current RegTech landscape in the EU financial sector. Financial institutions using RegTech highlight enhanced risk management, better monitoring and sampling capabilities and reduced human errors as the main benefits of use of RegTech solutions.

    EBA has decided to take the following actions: (i) continue building knowledge and raising awareness about RegTech among the regulatory and supervisory community and build convergent supervisory practices, (ii) continue the effort to identify where there is a need to harmonise the legal and regulatory framework, and (iii) facilitate innovation by fostering collaboration and dialogue between financial institutions, RegTech providers and competent authorities. Source

    GDPR and privacy rules 

    The applicable data protection regime in the Netherlands mainly follows from the European General Data Protection Regulation (GDPR) and the Dutch Implementation Act GDPR (Uitvoeringswet AVG). This regime does not have specific implications for FinTech companies; it applies to any type of company processing personal data within the meaning of the GDPR. The open finance pillar as presented under the Digital Finance Strategy strengthens the importance of clear and harmonised rules in respect of data applications. The European Commission consulted the market in 2021 in respect of a draft Data Act, which has the purpose of creating a framework in relation to data sharing and the use of data for legitimate purposes. Source

    Depending on the type of FinTech company and the manner in which it uses personal data, additional requirements pursuant to sector-specific legislation may apply, such as the explicit consent requirement under PSD2. Another example is that if a FinTech company makes use of big data and/or artificial intelligence, specific requirements pursuant to GDPR with regard to profiling apply.

    Consumer protection rules 

    Due to the digital and tech-driven nature of FinTech companies, FinTech companies mainly use online channels for offering financial services and/or products, which could result in e-commerce rules becoming applicable. These include for example pre- and post-contractual information obligations, language requirements and an information obligation regarding the existence of the Online Dispute Resolution Platform. Furthermore, specific consumer protection rules, such as rules aimed at mitigating risks involved with contracting online, may become applicable. The AFM, as conduct supervisory authority, often finds an (additional) basis for supervision in consumer protection regulations.

    IT and cyber security rules 

    As part of its Digital Finance Strategy, the European Commission published a draft Regulation on the digital operational resilience for the financial sector (the Digital Operational Resilience Act, DORA). The European Council adopted its position in respect of the draft proposal for DORA in November 2021, which kicks off the trialogue negotiations with the European Parliament. Source

    It aims at aligning the requirements relating to ICT risk for the financial sector or, where these do not yet exist, at introducing such requirements for financial market actors. The current regulatory framework applicable to credit institutions, investment firms, asset managers, insurers, payment institutions etc. will be amended to subject each of these financial undertakings to the same set of rules when it comes to mitigating the ICT risks involved in their respective businesses. It aims at introducing a set of requirements to manage and mitigate the risks of ICT incidents, a notification requirement for material ICT incidents, and the requirement to periodically perform cyber resilience stress tests including, for significant financial undertakings, the requirement to undertake threat-led penetration testing which mimics a real-life cyber threat. DORA also includes a requirement to monitor the functioning of and risks imposed by third party service providers, such as cloud service providers, to whom financial undertakings have outsourced certain services. Lastly, DORA includes a proposal enabling financial undertakings to exchange information in respect of cyber threats. Source

    The Dutch government attaches great value to digital operational resilience. There are already several operational requirements in place on a national level which are similar to the ones suggested in DORA, including the Dutch Act on Security Network and Information Systems. Companies that have at least 50 employees, generate a revenue of at least EUR10 million and provide essential services (eg, energy, banking, financial markets infrastructure) or digital services fall under the scope of this Act. They have a duty of care and must take adequate technical and organisational measures to control identified security risks.

    Moreover, the Dutch Threat Intelligence Based Ethical Red Teaming model (TIBER), used for threat-led penetration testing (TLPT), is already in use in the Dutch market and has been adopted by the ECB as the model for TLPT within the EU. Source

    The Dutch government endorses DORA in full, although it will raise some questions for further clarification. It considers DORA a complete and proportionate framework based on the right principles which will improve digital operational resilience, and considers DORA to be an important step in harmonising the operational requirements within the financial sector. According to the Dutch government, DORA ensures a better level of cyber resilience whilst not posing unnecessary obstacles for innovation. It will bring the TIBER model to the attention of the Commission to prevent a new EU TLPT model from being developed. Source

    The AFM expects DORA to enter into force at the end of 2022 and stresses the importance of timely preparation for DORA by financial companies. Source

    About us 

    FG Lawyers is a boutique law firm offering corporate and financial regulatory expertise. We have a special focus on innovative business models. We offer unique advisory services, firmly nourishing on our corporate and regulatory roots but also constantly addressing issues that require an out of the box mindset. We find joy in facilitating all sorts of clients in this fascinating interplay of financial regulation, corporate law and business strategies.

    If you have any questions on FinTech topics or need assistance in preparing and applying for a regulatory licence in the Netherlands, please do reach out!