NETHERLANDS: An Introduction to FinTech Legal
Contributors:
FG Lawyers
THE NETHERLANDS: AN INTRODUCTION
The Netherlands is a welcoming country for FinTech companies. Both the Dutch government and the Dutch regulators have a positive attitude towards financial innovation. In this introduction, we aim to give you a general overview of the FinTech landscape in the Netherlands, the trends we have seen in 2022 and an outlook for 2023.
The FinTech industry has a wide scope and is subject to a continuous development of the regulatory framework applicable to innovations developed by FinTech companies. The ongoing changes in the legal framework applicable to FinTech companies in the Netherlands are mostly driven by the European legislative initiatives. These include the Digital Finance Strategy and Retail Payments Strategy, which were published by the European Commission in September 2020 (source). Fuelled by the COVID-19 pandemic, the importance of further digitisation and the need to develop safe, trustworthy and comprehensible products and services became even more apparent. In response to a call for advice on Digital Finance from the European Supervisory Authorities (source), the European Commission received lengthy advice which includes recommendations for strengthening the existing legal framework to ensure it can be applied in the digital age we live in today and which aims at enhancing consumer protection in digital, cross-border working, environments, platforms and ecosystems. Source
Despite the financial markets trend that was set in early 2022, having effect on investors’ appetite to invest in FinTech ventures and showing the extreme volatility that comes along with crypto-assets investments, FinTech companies are still increasing their territory in the broader financial services landscape. More and more co-operation between the more incumbent players in the financial markets, such as banks, insurance companies and asset managers, and FinTech companies is visible.
In line with the global trend, interest in and attention for ESG considerations is growing in the FinTech industry. This includes potential ethical and moral discussions that arise in respect of Artificial Intelligence use cases, intensified debates relating to the high energy usage needed to maintain the bitcoin network and the expectations of policymakers of financial undertakings, including FinTech companies, to meet the goals set in the Paris Climate Agreement.
The Dutch FinTech Market
For FinTech companies it may be a complicated task to determine which financial regulatory framework is applicable. European and Dutch financial legislation will generally apply to a FinTech company if the products or services offered fall under the scope of the existing financial regulatory framework. This framework is intended to be ‘technology neutral’, meaning that it applies irrespective of the underlying technology used.
This principle, as well as the principle ‘same activity, same risk, same rules’, aims at safeguarding a level playing field between the parties active in the financial services sector. It was emphasised again by the European Commission when promoting the digital transformation under its Digital Finance Strategy for the EU recently. The priorities of the Commission under the Digital Finance Strategy include tackling fragmentation in the Digital Single Market and ensuring that the financial regulatory framework facilitates digital innovation. Source These EU priorities are shared by the Dutch Minister of Finance. Source
The Dutch FinTech Action Plan that was published in July 2020 (source) and in respect of which a progress report was published in October 2021 (source) is in line with the many European initiatives. It shows the political aim to stimulate new innovation by laws and regulation for open banking and open finance in the Netherlands.
This is also shared by the Dutch financial regulators, the Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB). After launching the InnovationHub and the ‘Regulatory Sandbox’ (Maatwerk voor Innovatie) in 2016, which were evaluated in 2019, the regulators were closely involved in many FinTech initiatives to be launched. In November 2019, DNB launched a digital platform, iForum, which is aimed at bridging the gap between the financial ecosystem and DNB in the field of technological innovation by sharing best practices in the FinTech sector. The ultimate goal for DNB is to be a smart supervisor in 2025, using the most modern techniques. Source
The Legal Framework Applicable to FinTech Companies
To further embrace one of the fundamental principles behind the European Economic Area – creating a Single Market – the trend in Brussels is to adopt European Regulations rather than European Directives. A European Regulation has direct effect in the member states and enables a more harmonised framework in the whole European Economic Area, whilst a European Directive needs to be implemented in the national laws of the member states, which gives room to local national deviations. As a result, the legal framework that applies to FinTech companies in the Netherlands is largely based on European legislation. In general, European Directives are implemented in Dutch laws in a harmonised manner. This facilitates the cross-border offering of FinTech services and products from another member state in the Netherlands.
Recent Trends in 2022
Driven by the regulatory, legal and macro-economic developments, we saw a lot of attention for crowdfunding service providers, crypto service providers, intensified attention for integrity and cyber risks, including attention for compliance with anti-money laundering, counter financing terrorism and sanctions laws and regulations. Moreover, the buy now pay later payment methods and similar short-term consumer credit products are increasingly gaining ground in the Netherlands. Furthermore, we saw initial steps in the contemplated move from open banking to open finance. In this overview, we briefly touch upon these trends from a Dutch financial regulatory perspective.
Crowdfunding service providers
As of 10 November 2021, Regulation (EU) 2020/1503 on European crowdfunding service providers for business (the Crowdfunding Regulation) applies to crowdfunding service providers (CSPs) in the European Union. The Crowdfunding Regulation creates a European harmonised framework for CSPs, including CSPs in the Netherlands. Under the Crowdfunding Regulation, CSPs need to obtain a licence from the national competent authority of their home member state. This means that CSPs that are established in the Netherlands will need to apply for a licence with the AFM. Only legal persons established in the European Union can obtain such a licence. Upon being licensed as a CSP and such licence being duly passported to other member states, the CSP can offer the crowdfunding services in such other member states of the European Union. In Q4 2021 and 2022, both EBA (source and source) and ESMA (source) published final draft technical standards which give further substance to numerous provisions in the Crowdfunding Regulation. We expect these to be published in the Official Journal of the European Union in Q4 2022. ESMA periodically updates its Q&As on the Crowdfunding Regulation. The AFM also published Q&A on its website (in the Dutch language only). Source.
A transitional period applies to existing CSPs. Originally the transitional period would end on 10 November 2022. After advice of ESMA, the Commission proposed an extension of the transitional period until 10 November 2023 in July 2022. Source.
Crypto service providers
Crypto-assets are digital representations of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology. As part of the Digital Finance Package, a provisional agreement on the Markets in Crypto-Assets Regulation (MiCA) was reached by the European legislative bodies in June 2022. Source It is expected that MiCA shall enter into force approximately 18 months after its publication in the Official Journal, which publication is expected by the end of 2022/Q1 2023.
MiCA provides for a specific and extensive regulatory framework for crypto-assets which is highly based on the existing regulatory framework applicable to other financial undertakings such as investment firms (MiFID II), e-money institutions (EMD2), offerors of securities (Prospectus Regulation), and to investors on the basis of market abuse rules. The main difference is the type of instrument (crypto-asset versus financial instrument or e-money). MiCA will apply to issuers of crypto-assets and crypto-asset service providers that do not already fall under an existing regulatory framework. It aims at (i) creating legal certainty within the EU, (ii) stimulating innovation, (iii) organising consumer protection and preventing market abuse, and (iv) safeguarding financial stability.
Until now, only limited services in relation to crypto-assets that do not qualify as financial instruments or e-money are subject to integrity oversight pursuant to the Fifth Anti-Money Laundering Directive (AMLD V). Crypto service providers that offer exchange services between crypto-assets and fiat currencies and/or that offer custodial wallet services are subject to a national registration requirement in each member state of the EEA where they want to offer such services. It is illegal to offer these services without being registered. By imposing a €3,325,000 fine on Binance Holdings Ltd in August 2022, the Dutch Central Bank set an example that it will strictly enforce this registration requirement. Source
One of the main challenges for crypto service providers appeared to be compliance with the Sanctions Act: when a crypto service provider facilitates a crypto transaction to a third-party crypto wallet, it must ensure that a non-client of the crypto service provider can be screened against sanctions and freeze lists. The crypto service provider must take adequate measures to ascertain that the identity of the person holding a crypto address on which crypto-assets can be stored, and from which they can be received and sent, can be checked against the Sanctions screening lists and to ensure that the crypto service provider is not facilitating transactions in violation of the AML/CFT and Sanctions rules and regulations. DNB initially required crypto service providers to verify the identity of the holder of a third-party crypto address, for example by means of initiating a crypto ‘penny check’ transaction from such third-party crypto address. After an administrative court case, DNB confirmed that compliance with this requirement may be risk-based and amended its policy in May 2021. Source Recently, in September 2022, DNB published a feedback statement on Q&A Sanctions screening for (incoming and outgoing) crypto transactions. Source
Intensifying attention for integrity and cyber risks
AML and CFT rules
Anti-money laundering (AML) and counter financing terrorism (CFT) compliance is a hot topic in the Netherlands. The recent publication of the FATF’s evaluation report in August 2022 is expected to result in further tightening of the Dutch AML rules and regulation. Source. This will be in addition to the four new AML proposals that were published by the European Commission in July 2021. These proposals relate to (i) the establishment of a new Anti-Money Laundering Authority (AMLA); (ii) an Anti-Money Laundering Regulation (AMLR); (iii) the AMLD VI; and (iv) a recast of the Regulation on Transfers of Funds. It is expected that this new EU AML package will enter into force in 2024. Source
In accordance with the current EU AML Directive, as implemented in the Dutch AML Act, the main obligations of entities falling under the scope of such act are to perform customer due diligence prior to entering into business relationships with customers, to monitor customer activity and to report suspicious transactions to the national financial intelligence unit (FIU).
As of 27 March 2022, Dutch entities (including vehicles without legal personality) are required to register the ultimate beneficial owners (UBOs) of such entity and UBOs are required to provide their full co-operation. As part of the customer due diligence processes, entities falling under the scope of the Dutch AML Act have a separate requirement to identify the UBOs of their customers and have a reporting obligation if they obtain information (such as a shareholders' register) on the basis of which it becomes clear that the UBOs registered in the register do not reflect the accurate situation. A separate register will become applicable, and registration will be required, for trusts and similar legal constructions including Dutch mutual funds (fondsen voor gemene rekening). This separate UBO register is expected to become effective before the year-end of 2022 and the registration requirement itself is expected to apply three months after the date of this separate UBO register becoming effective.
In recent years, huge AML scandals at Dutch banks made front-page headlines. Five of the main banks in the Netherlands joined forces in the fight against money laundering and launched Transaction Monitoring Netherlands in 2020, an organisation that monitors all payment transactions of these banks since 2021. Source
IT and cyber security rules
As part of its Digital Finance Strategy, the European Commission published the draft Regulation on the digital operational resilience for the financial sector (the Digital Operational Resilience Act, DORA). In May 2022 a provisional agreement on DORA was reached between the EU institutions. Source DORA aims at aligning the requirements relating to ICT risk for the financial sector or, where these do not yet exist, at introducing such requirements for financial market actors. The current regulatory framework applicable to credit institutions, investment firms, asset managers, insurers, payment institutions, etc, will be amended to subject each of these financial undertakings to the same set of rules when it comes to mitigating the ICT risks involved in their respective businesses. DORA introduces a set of requirements to manage and mitigate the risks of ICT incidents, a notification requirement for material ICT incidents, and the requirement to periodically perform cyber resilience stress tests, including the requirement to undertake threat-led penetration testing which mimics a real-life cyber threat. DORA also includes a requirement to monitor the functioning of and risks imposed by third-party service providers, such as cloud service providers, to whom financial undertakings have outsourced certain services.
Buy now pay later and short-term consumer credit
Recently, the European Commission published a proposal for amendment of the Consumer Credit Directive (CCD). Source
In the most recent position of the European Council on the new rules for consumer credit dated 7 June 2022: (i) deferred payment as well as (ii) deferred debit cards are excluded from the scope of the CCD and clearly distinguished from the buy now pay later schemes, which are included within the scope of the proposal. For credit agreements free of interest and without any other charges and credit agreements with a maximum repayment term of three months, the European Council proposes an optional and partial derogation option for Member States in respect of certain obligations under the CCD. Source
In the Netherlands, some forms of credit offering fall out of scope of the Dutch Financial Supervision Act (DFSA) or are exempt from the obligation to obtain a licence from the AFM. The DFSA does not apply to financial services in respect of consumer credit (excluding mortgage credit) which (i) needs to be repaid in full within three months, and (ii) in respect of which no or insignificant costs, fees or other expenses are charged to consumers. Some market parties rely on this exemption in the Netherlands, which is known as the low-cost credit exemption. The revision of the CCD described above may impact the use of the low-cost credit exemption in the Netherlands by market parties in the relatively near future.
The proposal for amendment of the CCD was published on 30 June 2021 and includes a proposed implementation date of two years after the publication of the final version of the amended Directive in the Official Journal. It generally takes quite some time between the publication of the first proposal for amendment of a European Directive, such as the CCD, and the publication of it in its final form in the Official Journal. As such, we do not expect the amended CCD to become applicable in the Netherlands before (end) 2024.
From open banking to open finance
Since the implementation of PSD2 in Dutch law, a relatively small number of Dutch PIs have obtained authorisation from DNB to offer these new payment services in the Netherlands. These PIs compete with an increasing number of payment service providers that are authorised by the national competent authority in their respective home member states and active through a passport in the Netherlands. Source
Recent legal developments in the payments and paytech market are:
- the publication of a final report by EBA in April 2022 aiming at further harmonisation on the exemption to apply strong customer authentication (SCA) requirements, which exemption is (or should be) available to AISPs under specific circumstances; Source
- the publication by EBA of the final guidelines on the limited network exclusion under PSD2, with the aim of further harmonising the assessment by national competent authorities to register PSPs under the limited network or limited gamma exemption. In line with the guidelines, DNB re-assessed and, where appropriate, re-registered the PSPs that were registered pursuant to this exclusion in DNB’s public register in September 2022; Source
- as part of the Retail Payments Strategy, the European Commission announced further amendments to PSD2. As part of the review of PSD2, EBA responded in June 2022 to a call for advice that it had received from the Commission in October 2021. (Source). EBA advised, amongst other things, a merger of the E-money Directive and PSD2, a number of amendments to address the current issues and obstacles formed by the SCA requirements, and moving from ‘open banking’ to ‘open finance’. This EBA publication was followed by the European Commission closing a call for evidence in respect of evaluating PSD2 (source) and both a targeted consultation (source) and a public consultation on PSD2 (source) in the summer of 2022;
- while emphasising the importance of maintaining the availability of cash money, the European Commission and the ECB are researching the possibilities of issuing a retail central bank digital currency (CBDC). In June 2022 the Commission closed a targeted consultation on a digital euro. Source. The ECB is currently investigating a digital euro project. The investigation phase aims to address key issues regarding the design and distribution of such a CBDC. The project commenced in October 2021 and is expected to last for 24 months, after which it will be decided whether a digital euro will be developed and issued. Source The Dutch Minister of Finance endorses these initiatives of the ECB. Source
Outlook
It follows from the above that the penetration of FinTech solutions in the (digital) financial markets is following in the footsteps of the more traditional financial market players. 2022 and 2023 will bring the publication of numerous new sets of regulations with which both FinTech companies and traditional players will need to comply. We expect 2023 to be a year of preparation for these new regulations, most of which are expected to become effective in 2024. Consequently, we also expect 2023 to become a year of reflection. Existing regulatory frameworks already apply to FinTech companies on a tech-neutral basis, whilst new FinTech products or services are becoming regulated to the extent they do not fall under the existing regulatory framework. The strengthening of the legal framework impacts the costs of compliance for FinTech companies. Will FinTech companies be able to offer the same high level of user experience despite this intensified set of rules that needs to be complied with? If the current development of less (venture) capital being available for FinTech companies continues, we expect the cooperation between FinTech companies and the more traditional players in the market to further intensify in 2023.
About us
FG Lawyers is a boutique law firm offering corporate and financial regulatory expertise. We have a special focus on innovative business models. We offer unique advisory services, drawing firmly on our corporate and regulatory roots but also constantly addressing issues that require an out-of-the-box mindset. We find joy in facilitating all sorts of clients in this fascinating interplay of financial regulation, corporate law and business strategies.