Chambers and Partners: Fintech 2023 Austria

Fintech 2023

Definitive global law guides offering comparative analysis from top-ranked lawyers

Austria: Law & Practice and Austria: Trends & Developments

Markus Fellner, Florian Kranebitter and Florian Henöckl Fellner Wratzfeld & Partners

Law and Practice

Contributed by: Markus Fellner, Florian Kranebitter and Florian Henöckl Fellner Wratzfeld & Partners see p.15

AUSTRIA Law and Practice

1. Fintech Market

1.1 Evolution of the Fintech Market

The digitisation of the financial markets is currently accompanied by exciting and rapid developments in the industry. Austria is following this trend and is establishing itself as a regional driver for innovation in the financial sector.

Financial technologies, or fintechs, are quickly changing the finance and banking sectors, with the result that sometimes even entire markets are being moved to the internet. Fintechs make it possible to trade, invest or borrow money without ever having to deal with a traditional bank.

In general, the diversity of fintech start-ups is increasing in Austria. From innovations in card payments, smart payment options to quick and easy granting of small loans, the number of people and companies with new ideas for the financial industry is constantly increasing.

The COVID-19 pandemic led to an exceptional situation with profound consequences for Austrian society and its economy. However, while investors have held back on funding for financial start-ups, Austrian fintech companies have generally been able to assert their position in the market. This is due to increased co-operation between incumbents and fintech firms as thirdparty providers. In addition, some established banks have developed innovative products, mostly in co-operation with fintech companies.

Even after COVID-19, the general economic situation has not really eased, perhaps further worsened by geopolitical crisis factors. Therefore it should be a declared goal to create a fintechfriendly environment.

The Digital Finance Strategy

With the Digital Finance Strategy, proposed by the European Commission on 24 September 2020, on the basis of which a regulatory framework – a regulatory framework for Markets in Crypto-assets (MiCA), a pilot regime for trading and settling in crypto-asset market infrastructures (DLT-pilot) and a framework on digital operational resilience to prevent and mitigate cyber threats (DORA) – is to be introduced at European level, it can be assumed that a fintechfriendly environment will be promoted and the fintech industry will experience a further rise. With a clear regulatory framework for it in place, the fintech market will probably become more attractive and interesting for a large number of companies due to increasing legal certainty and the associated economic predictability. Nevertheless, increased regulation always harbours the risk that interest in a certain market will decrease. In this respect, it is also necessary, at the national level, to implement the European requirements as purposefully as possible and to make complying with them easy for companies, especially start-ups – the support of the Austrian Financial Market Authority (FMA) will be crucial.

2. Fintech Business Models and Regulation in General

2.1 Predominant Business Models

The Austrian Financial Market Authority (FMA) has been dealing with the subject of fintech in Austria for some time, in particular with the questions of what a fintech is and what challenges it faces.

Fintechs are financial innovations based on information technology that:

AUSTRIA Law and Practice

• often, but not necessarily, are developed by unlicensed companies;

• typically include interfaces to licensed companies; and

• can bring about lasting changes in the way the financial sector functions.

From a new payment app to automated consulting systems, the term is broad and encompasses a variety of different models that affect numerous supervisory areas.

In Austria, fintech companies operate in all various subsectors, such as alternative lending platforms, automated banking advice tools, insurtechs, digital payment operators, crowd investing platforms, online pre-paid payment providers, robo-advice and alternative platforms for investment strategies, traders for cryptoassets, and technical service providers for fintechs.

The Austrian fintech industry is most active in providing interfaces and technical support for financial service providers, followed by the business areas of crowdfunding and crowd investing, virtual currencies and alternative payment methods, automated advisory methods such as robo-advisers and, finally yet importantly, mirror trading. “Virtual currency” and – associated with this – blockchain software are becoming increasingly important. However, the payment sector remains the most important fintech sector.

2.2 Regulatory Regime

Due to the fact that there are no fintech-specific laws in Austria, fintech companies may be subject to various regulatory licensing requirements depending on their particular business model:

• the Banking Act (BWG) – for example, if a business involves activities such as accepting third-party funds for management or granting loans;

• the Payment Services Act 2018 (ZaDiG 2018) – for example, when money is transferred to third parties, an account information or payment initiation service is involved;

• the Electronic Money Act 2010 (E-GeldG 2010) – if the company issues electronic money;

• the Securities Supervision Act 2018 (WAG 2018) – if the company provides investment advice or portfolio management, receives or transmits orders or operates a multilateral trading facility (MTF);

• the Act on Alternative Investment Fund Managers (AIFMG 2020) – if the start-up collects investors’ capital to invest in certain assets, including virtual currencies, based on a predefined investment strategy;

• the Insurance Supervision Act 2016 (VAG 2016) – if the company offers insurance contracts;

• the Financial Markets Anti-Money Laundering Act (FM-GwG 2016) regarding certain virtual asset service providers;

• the Markets in Crypto-Assets Regulation (MiCA), which will finally give the market for digital financial products and assets a regulatory framework;

• the Digital Operational Resilience Act (DORA), which aims to safeguard digital operational stability in Europe and ensure sound and adequate cybersecurity in the financial sector; and

• the DLT-pilot-framework, which is primarily aimed at investment firms, market operators and central securities depositories and is intended to pave the way for decentralised capital market infrastructures.

AUSTRIA Law and Practice

In addition, public offers of securities or investments might trigger a prospectus requirement pursuant to Regulation (EU) 2017/1129 (the “Prospectus Regulation”) or the Capital Markets Act 2019 (KMG 2019).

This is especially important in the crypto sector. Here, initial coin offerings or initial token offerings can trigger a prospectus requirement. This, however, depends on the features of the coin or token and requires careful examination of the case at hand.

The newly proposed MiCA aims at covering issuers of crypto-assets, and so-called “stablecoins”, as well as the trading venues and the wallets where crypto-assets are held. This regulatory framework should protect investors and preserve financial stability, while allowing innovation and fostering the attractiveness of the crypto-asset sector. The legislative change should provide greater clarity across the European Union, as some member states already have national legislation for crypto-assets, but so far there had been no specific regulatory framework at EU level. Once in force, crypto-asset service providers will have to respect strong requirements to protect consumers’ wallets and will be liable if they lose investors’ crypto-assets. MiCA will also cover any type of market abuse related to any type of transaction or service, notably for market manipulation and insider dealing.

2.3 Compensation Models

Special compensation models to charge customers do not exist under Austrian law. One possibility is to charge fees for the services provided.

2.4 Variations Between the Regulation of Fintech and Legacy Players

Currently, there are no regulations that are specifically tailored to the fintech industry. As a result, the fintech sector often applies laws and standards that were tailored to the non-digitised “old” economy.

However, there are efforts by EU as well as Austrian legislators to change this. In this context it is worth mentioning the Crowdfunding Enforcement Act, which entered into force at the beginning of 2022 and serves to make the EU Crowdfunding Regulation applicable with an EU-wide harmonised legal framework for the provision of crowdfunding services. With MiCA, DORA and the DLT pilot framework, the situation is likely to change significantly.

2.5 Regulatory Sandbox

Based on the amendment of the Financial Market Authority Act (FMaG 2016), the FMA opened a regulatory sandbox programme for fintech models in September 2020. It aims to pave the way into supervision for young fintech firms or their co-operation with incumbents regarding fintech business models.

The process can be divided into four phases.

The first phase clarifies whether the business model to be examined by the FMA is subject to its supervision. It considers whether a threat to financial market stability or consumer protection is to be expected, or whether a licensing obligation exists.

The next phase is the pre-support phase. Here, the FMA works closely with the sandbox participants and offers legal support in the context of a possible licensing procedure.

AUSTRIA Law and Practice

This is followed by the third phase, the “test phase”. In this phase, the company is allowed to carry out activities requiring a licence under the supervision of the FMA.

After the test phase, the business model is evaluated and released from the sandbox and transferred to regular supervision. If the requirements are met, a decision is made to lift the restrictions in the licence/registration notice.

2.6 Jurisdiction of Regulators

As explained in 2.2 Regulatory Regime, a large number of regulatory provisions apply to fintech firms. The regulatory conditions are defined especially (i) by the requirements of the EU legislature, and (ii) by the national legislature, whereby European law generally takes precedence over national law. In practice, an exact demarcation is only possible to a very limited extent, since both areas of regulation interlock and have a large number of interrelationships.

2.7 Outsourcing of Regulated Functions

As a rule, transactions are not only offered by one provider, so that all steps require a separate examination of whether – and which – regulatory provisions apply. As different providers, all actors handling a transaction come into consideration. An examination must be carried out from the point of view of whether purely technical services or services subject to a licence are provided.

Thus, all actors have to comply with general Austrian provisions, such as the protection of banking secrecy. In Austria, a violation of banking secrecy has significant civil and criminal law implications. The provision of payment services, for example, may lead to the applicability of the Payment Services Act 2018 (ZaDiG 2018). Due to the considerable legal consequences of a

violation of regulatory provisions, these must be taken into account when drafting the contract.

With the large number of applicable regulations, there are provisions that apply in any case and thus cannot be circumvented by outsourcing. However, as far as possible, regulated areas should be passed onto regulated market participants, as the capacities of a fintech company are not sufficient for this.

2.8 Gatekeeper Liability

Providers of financial services must comply with the provisions on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing. Both participants in the financial market, such as credit institutions, and other traders are subject to certain obligations. The necessity of complying with such obligations applies first and foremost to the provision of regulated activities. All relevant provisions, as set out in 2.2 Regulatory Regime, contain a reference to the provisions on the prevention of money laundering and terrorist financing. In addition to the regulatory provisions, the Industrial Code can also be the basis for the necessity of compliance with these legal framework conditions. As well as direct applicability, there may also be indirect applicability of the provisions, provided that services are provided to regulated market participants.

2.9 Significant Enforcement Actions

There are no specific enforcement actions tailored to fintech firms in Austrian legislation. Nevertheless, the FMA has addressed the issue from the point of view of which regulatory environment is applicable. It remains unclear whether the general provisions will also cover the area of “fintech” in the future or whether this intensified discussion of the topic will lead to a more specific regulatory approach to fintech.

AUSTRIA Law and Practice

2.10 Implications of Additional, Nonfinancial Services Regulations Privacy

From a data protection point of view, a fintech firm, just like any other company, must comply with the applicable provisions, in particular the EU General Data Protection Regulation (GDPR) as well as the Austrian Data Protection Act. The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form a part of a filing system. Therefore, a data protection declaration is required that regulates the processing and use of customers’ data. In addition to the data protection declaration, precautions must also be taken for the exercise of the rights of the data subjects, in particular the right to rectification, the right to erasure (“right to be forgotten”) and the right to restriction of processing.

Cybersecurity

Cybersecurity is a decisive aspect for fintech firms due to the nature of the activity as well as the usually large amount of data processed. In this area, it can be assumed that fintech firms have a large number of obligations to ensure a sufficiently high level of protection for customers. The importance of this aspect is also reflected in the fact that a separate sub-area has now been established, specialising in cybersecurity solutions for fintech firms. Parallel to the growth of the fintech market, this area has also grown steadily.

The European Parliament has reacted to this with DORA. DORA sets uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector as well as critical third parties, which provide ICT (information communication

technologies) services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.

Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks.

Almost all financial entities will be subject to the new rules. Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.

Social Media Content

The presence of fintech firms on social media channels entails the need to observe the legal framework in this area. In this area, competition law, copyright and data protection framework conditions are particularly relevant.

Software Development

In software development, for fintech firms as well as other companies, legal framework conditions must be observed from the outset, which are necessary for successful development of and later progress with the application. The software development can initially be done by the company itself, but also by way of a contract with a third party. In development, copyrights of third parties must be observed, in which no intervention may be made, otherwise the further development and market launch may fail. Once the development has been completed and the

AUSTRIA Law and Practice

software is offered to individual customers, warranty and compensation claims can be asserted if the software is defective.

All these aspects, as well as regulatory framework conditions, should be considered at an early stage in order to avoid later problems with ordinary business operations.

2.11 Review of Industry Participants by Parties Other than Regulators

The expertise of auditing firms is an important factor in the establishment of a fintech company. Auditing firms monitor the companies economically under the given legal framework conditions. From a legal point of view, the entrepreneur has the obligation to run the company with the care of a prudent businessperson. In order to comply with this standard, the entrepreneur must make a sufficiently detailed plan with regard to their entrepreneurial activity. This plan must consist of short, medium and long-term objectives. The liquidity of the company, the planned income and the asset situation of the company must be presented. The presentation should not be limited to a mere representation of numbers, but should provide a comprehensive description from which these numbers can be derived. The auditing firms support the preparation of the business plan with an analysis of the strengths and weaknesses of the business case including an assessment of the market. As a result, the company is continuously accompanied and, if necessary, supported in the individual aspects mentioned.

Further, the market is increasingly showing that companies specialising in fintech firms and their foundation and management are also establishing themselves. Here too, the constant growth of the fintech market has led to the emergence

of advice that is increasingly specialised in subareas.

2.12 Conjunction of Unregulated and Regulated Products and Services

It can be seen that primarily regulated entities are expanding their business area with the involvement of fintechs. In addition, new fintechs are coming onto the market that have a focus on banking. A third category combines different business models, regulated as well as unregulated. In this way, banking can be linked to a wide variety of other business models. Various business cases are combined, whereby in addition to well-known business models, emerging areas such as e-sports are also included. However, in the case of start-ups, it is clear that the regulatory requirements are one of the biggest hurdles.

2.13 Impact of AML Rules

Fintech firms have to comply with AML requirements if they provide activities that require a licence and are therefore subject to the FMA’s supervision. This applies to credit and insurance institutions, securities companies, alternative investment funds, payment service providers and e-money institutes. In addition, the AML requirements are also applicable for service providers of certain business models based on virtual currency.

3. Robo-advisers

3.1 Requirement for Different Business Models

Different asset classes initially require different business models, but the advice itself increases in quality with the most comprehensive data processing possible.

AUSTRIA Law and Practice

3.2 Legacy Players’ Implementation of Solutions Introduced by Robo-advisers

Legacy players are able to develop their own robo-advisers and implement them in their business model; this also enables them to operate their business independently of external factors. So far, however, this approach does not seem to have caught on. Strategic partnerships in this area will therefore remain important for the time being.

3.3 Issues Relating to Best Execution of Customer Trades

The best execution of customer trades will ultimately depend on the programmes being integrated into the business model in the best possible way in order to make the best possible use of the technology.

However, the principle of best execution as a benchmark for possible liability must be observed when using robo-advisers. Due to a lack of sufficient empirical values, the extent to which this standard of liability can be applied directly or will require appropriate modifications is not known. However, there is no justification as to why the standard of liability should be lower. Due to the amount of data that can potentially be processed, it is likely that new standards will be set in this area.

4. Online Lenders

4.1 Differences in the Business or Regulation of Loans Provided to Different Entities

There are differences between lending to private individuals and companies. There are structural differences in the financing itself as well as different economic and legal framework conditions. For example, if an entrepreneur grants a loan to

a consumer, the Austrian Consumer Loan Act applies. The Consumer Credit Act provides for comprehensive information obligations on the part of the lender to protect the borrower, and grants the borrower various rights, such as the right to early repayment of the loan.

4.2 Underwriting Processes

Industry participants use underwriting processes to conduct research on customers and their creditworthiness as well as insurability. There are no special regulations for this area, but due to automated data processing (sensitive data), data protection barriers, in particular the rights of those affected, must be observed.

4.3 Sources of Funds for Loans

The most common sources of funds for loans are classic lines of credit, peer-to-peer, taking deposits and lender-raised capital. In Austria, the central source of law is the Banking Act (BWG).

4.4 Syndication of Loans

Syndications of loans only occur in rare cases.

5. Payment Processors

5.1 Payment Processors’ Use of Payment Rails

Payment processors can use existing payment rails or may they create or implement new ones.

5.2 Regulation of Cross-Border Payments and Remittances

Cross-border payments and remittances are primarily regulated by the Payment Service Act 2018 (ZaDiG 2018).

AUSTRIA Law and Practice

6. Fund Administrators

6.1 Regulation of Fund Administrators

Fund administrators are regulated by the Alternative Investment Fund Manager Act (Alternative Investmentfonds Manager-Gesetz – AIFMG) depending on the specific activity.

6.2 Contractual Terms

Fund advisers can contractually adjust the provisions that apply under the specific legislation for fund administrators and general civil law to the extent permitted by law in order to achieve a higher level of protection, although the specific results can vary greatly in individual cases.

7. Marketplaces, Exchanges and Trading Platforms

7.1 Permissible Trading Platforms

The permissible forms are derived from the legal environment, whereby basically any type of fintech is available. The legal environment for trading platforms is largely defined by the Banking Act (BWG) and Securities Supervision Act 2018 (WAG 2018). The relevant legal regulations are therefore dependent on the specific service offered. After its entry into force on 23 March 2023, the DLT pilot regime should test the development of the European infrastructure for trading, clearing and settlement of DLT-based financial instruments. Irrespective of this, general provisions under civil law, public law and criminal law must always be taken into account.

7.2 Regulation of Different Asset Classes

Different regulatory framework conditions only exist as far as the regulatory requirements applicable to all are applied in different forms.

7.3 Impact of the Emergence of Cryptocurrency Exchanges

So far, cryptocurrencies have not yet led to a significant change in regulation. To date, regulators have instead attempted to integrate this new technology into the existing legal framework.

7.4 Listing Standards

Cryptocurrencies are not subject to the control of the FMA. However, this supervisory authority can become relevant if individual services fall within a regulated area.

7.5 Order-Handling Rules

The Securities Supervision Act 2018 (WAG 2018) is particularly relevant in connection with order handling. The forwarding of orders to banks, brokers or issuers falls within the scope of the acceptance and transmission of orders under the WAG 2018.

7.6 Rise of Peer-to-Peer Trading Platforms

The emergence of peer-to-peer trading platforms is changing market conditions for both traditional and fintech players. However, peer-topeer trading platforms also have to observe all regulatory framework conditions, if applicable.

7.7 Issues Relating to Best Execution of Customer Trades

According to the FMA, the Securities Supervision Act (WAG 2018) is applicable at least in some areas. The authority assumes that investment advice in accordance with WAG 2018 is applicable for investment strategies tailored to the customer with entry and exit scenarios. The principle of “best execution” also applies to WAG 2018. In particular, claims for damages by the customer can be derived from this principle in the event of a violation.

AUSTRIA Law and Practice

7.8 Rules of Payment for Order Flow

The business model “payment for order flow” is currently under investigation by the European Parliament. It is assumed that conflicts of interest may arise. It is currently being checked whether there is compliance with the existing legal framework specified by the European Parliament. There is no regulation tailored to this area yet.

7.9 Market Integrity Principles

The basic principles of market integrity and market abuse are essentially derived from the regulatory environment and any civil law claims, in particular claims for damages.

8. High-Frequency and Algorithmic Trading

8.1 Creation and Usage Regulations

Within the scope of the Banking Act (BWG), it is irrelevant whether trading is based on an algorithm or not. In principle, the use of a trading algorithm does not require a licence. However, the bank or broker must have a licence. Depending on the specific structure of the service relationship, other provisions of the Securities Supervision Act (WAG 2018) may also be applicable.

8.2 Requirement to Register as Market Makers When Functioning in a Principal Capacity

When functioning in a principal capacity, the players have to observe the provisions of the Stock Exchange Act (BörseG) and the Transparency Ordinance 2018 (Transparenz-Verordnung 2018).

8.3 Regulatory Distinction Between Funds and Dealers

Funds and dealers have a different structure and are therefore covered by regulatory provisions to varying degrees.

8.4 Regulation of Programmers and Programming

Programmers are not regulated, apart from general restrictions (civil law, public law and criminal law). The prerequisite for this, however, is that the algorithms are only used by the users themselves.

9. Financial Research Platforms

9.1 Registration

Financial research platforms are not subject to restrictions.

9.2 Regulation of Unverified Information

The spreading of rumours and other unverified information is not regulated. Such information can only be relevant in relation to a possible claim for damages, if the action is culpable; criminal law provisions can also be relevant if damage is intended by the actor.

9.3 Conversation Curation

Unacceptable behaviour on research platforms (eg, spreading inside information) can, as mentioned under 9.2 Regulation of Unverified Information, only be relevant in relation to a possible claim for damages, if the action is culpable; criminal law provisions can also be relevant if damage is intended by the actor.

AUSTRIA Law and Practice

10. Insurtech

10.1 Underwriting Processes

The acquisition of information is crucial in the insurtech area. The possibilities for collecting information and evaluating it vary. The approaches differ from well-established systems that are based on personal contacts to systems that use technical data collected in a variety of ways (eg, smartphones and sensors). Aspects of data protection law must always be observed in all areas in which automated data is collected and evaluated.

10.2 Treatment of Different Types of Insurance

In the area of insurtech, the Austrian trade regulations must be observed in addition to other regulations. For example, Section 137 of the Austrian Trade Act deals with brokering insurance. Insurance mediation is defined, among other things, as offering, proposing or carrying out preparatory work for the conclusion of insurance contracts or the conclusion of insurance contracts.

11. Regtech

11.1 Regulation of Regtech Providers

Compared to the more established categories of fintech, regtech receives comparatively little attention from a regulatory perspective. However, due to the close proximity in terms of content, it can be assumed that the general regulatory provisions are decisive.

11.2 Contractual Terms to Assure Performance and Accuracy

In the absence of explicit regulatory provisions, it is possible in this area to contractually provide for stricter standards in individual cases in addi-

tion to the general standards that must be met to ensure performance and accuracy.

12. Blockchain

12.1 Use of Blockchain in the Financial Services Industry

While the implementation of blockchain is often discussed and thought about, as far as can be seen there is still a certain scepticism from traditional players. In addition to these, start-ups coming onto the market are still trying to combine proven structures with this new technology. However, it can be assumed that at least most of the traditional players will quickly adapt their concepts once the individual technologies are ready for the market; an ongoing partial implementation is already underway.

12.2 Local Regulators’ Approach to Blockchain

The approach of the national legislature and the FMA is essentially based on the question of how to deal with coins such as bitcoin, ether and litecoin. This approach is primarily at the regulatory level, whereby there is an attempt to clarify the applicability of existing regulatory provisions on the basis of a missing general definition of the term “coin”.

12.3 Classification of Blockchain Assets

The current approach and status, as stated under 12.2 Local Regulators’ Approach to Blockchain, means that other types of blockchain assets still receive little attention. In practice, there are considerations and efforts to make a classification based on the general provisions, whereby in various areas – already with respect to the transfer of ownership – different questions arise that cannot really be satisfactorily solved using the existing legal framework.

AUSTRIA Law and Practice

Contributed by: Markus Fellner, Florian Kranebitter and Florian Henöckl, Fellner Wratzfeld & Partners

12.4 Regulation of “Issuers” of Blockchain Assets

According to the interpretation of the FMA, blockchain assets, such as coins, are not subject to their supervision. However, regulatory provisions may still be applicable depending on the specific activity being performed.

12.5 Regulation of Blockchain Asset Trading Platforms

Platforms that allow the trading of blockchain assets are required to take a large number of legal provisions into account due to the previously vague legal classification of this activity. A precise definition of the activity performed is of central importance in order to identify and comply with any legal provisions from a wide range of legal areas. Platforms that allow for the trading of blockchain assets such as cryptocurrencies and at the same time process payments can fall within the scope of the Payment Services Act 2018 (ZaDiG 2018).

12.6 Regulation of Funds

In the case of investments based on capital collected from a number of investors with a corresponding investment strategy, there is the possibility that a licence is required under the Alternative Investment Fund Manager Act. A prospectus requirement according to the Prospectus Regulation is possible, the prerequisite being that it is a public offer.

12.7 Virtual Currencies

As shown in 12.2 Local Regulators’ Approach to Blockchain, virtual currencies are the area that has received the most attention so far, and in which the FMA has dealt with the subject in detail.

12.8 Impact of Regulation on “DeFi” Platforms

There is no definition of “decentralised finance” in Austrian regulation.

12.9 Non-fungible Tokens (NFTs)

Non-fungible tokens (NFTs) are not regulated in detail. However, practice has shown that there is a fundamental need for regulation, since questions such as the pledging of NFTs have arisen that cannot be clearly resolved.

13. Open Banking

13.1 Regulation of Open Banking

The Second Payment Services Directive (PSD2) sets the requirements for payment service providers. In the current version, this Directive also affects open banking by granting access to payment systems and accounts. Access is provided to third-party services to access account information or initiate transactions on their behalf.

13.2 Concerns Raised by Open Banking

Open banking in accordance with the regulatory requirements always requires the consent of the customer with regard to the transfer of data. In order to meet the legal requirements in this area, the general data protection regulations as well as specific regulatory provisions, such as banking secrecy, must be taken into account. The data protection declarations, the declarations of release from banking secrecy – and, if necessary, a justification for breaching banking secrecy for other reasons – must be precisely adapted in individual cases and, if necessary, sufficiently justified.

AUSTRIA Law and Practice

Fellner Wratzfeld & Partners (fwp) has a team of more than 120 highly qualified legal personnel. The firm’s major fields of specialisation include banking and finance, corporate/M&A, real estate, infrastructure and procurement law, changes of legal form, reorganisation and restructuring. Fwp advises renowned credit institutions and financial services providers on financing projects, representing mainly Austrian

Authors

Markus Fellner was admitted to the Austrian Bar in 1998 and has been a partner at Fellner Wratzfeld & Partners since 1999, now heading the firm’s banking and finance practice group. He specialises in banking and finance, insolvency law and restructuring, corporate/M&A and dispute resolution. Markus has published a considerable number of articles and essays on topics related to these areas of expertise, including capital maintenance rules in Austria, M&A, and business restructuring and insolvency. He speaks German, English and Italian.

and international private companies, but also has clients from the public sector. The firm’s expertise has proven its worth repeatedly, not only in connection with project and acquisition financing, but also in regard to financing company reorganisations; fwp is also able to draw upon substantial experience gained in the financing of complex consortia in the last few years.

Florian Kranebitter is a partner at Fellner Wratzfeld & Partners and specialises in banking and finance, corporate/M&A, insolvency and restructuring, with a focus on IT projects (including cybercrime, platform businesses and AI). Florian has been advising financial institutions and corporates on national and international transactions for more than a decade. He has particular expertise in providing cross-disciplinary and cross-sector advice in the area of sustainable solutions (including ESG).

Florian Henöckl was admitted to the Austrian Bar in 2021 and has been an attorney at law with Fellner Wratzfeld & Partners since that year. He has particular experience and knowledge in the areas of banking and finance, restructuring law and insolvency, and corporate/M&A. Florian speaks German and English.

AUSTRIA Law and Practice

Contributed by: Markus Fellner, Florian Kranebitter and Florian Henöckl, Fellner Wratzfeld & Partners

Fellner Wratzfeld & Partners

Schottenring 12

A-1010 Vienna

Austria

Tel: +43 1 53770 351

Email: office@fwp.at

Web: www.fwp.at

Trends and Developments

New Developments in Financial Services in Europe and Austria – A Roadmap Introduction

Fintechs are still on the rise. However, 2022 was not an entirely good year for the sector, especially coins. The price development of bitcoin has shown that things do not always trend upwards. So what is surely the most famous cryptocurrency has fallen far short of expectations.

Regardless of the volatility of the exchange rate, which even a cursory glance at the history of its value makes clear, El Salvador has introduced bitcoins as legal tender. Further, 2022 also saw the largest bankruptcy of a crypto-exchange, FTX. The background to the insolvency of FTX is currently being examined, in particular with regard to tracing assets for creditors. The bankruptcy is not the first of a crypto-exchange, but perhaps the one with the most far-reaching consequences. From a legal point of view in particular, it is now necessary to clarify which existing (regulatory) provisions are applicable and what conclusions can be drawn and lessons learned. Even if the developments of the last year are to be viewed critically, problems in the wider global economy, which have no connection to the fintech sector per se, should not be misunderstood as specific to fintech.

European framework

The European Commission proposed its Digital Finance Strategy on 24 September 2020, which should introduce a regulatory framework for Markets in Crypto-assets (MiCA), a pilot regime for trading and settling in crypto-asset market

infrastructures (DLT-Pilot) and a framework on digital operational resilience to prevent and mitigate cyber threats (DORA). This new regulatory framework is scheduled to come into force in 2023/2024 and will have a significant impact on the development of fintechs over the next few years, which is why this newly introduced framework should be examined in more detail and compared with the current legal situation in Austria.

MiCA

MiCA is part of the European Digital Finance Strategy. The intention of the legislature is to harmonise rules for crypto-assets at EU level by (i) providing legal certainty for crypto-assets not covered by existing EU legislation, (ii) enhancing the protection of consumers and investors, and (iii) ensuring financial stability. The regulation seeks to promote innovation and the use of crypto-assets.

MiCA therefore lays down uniform rules for the following (Article 1 of the proposed MiCA):

• transparency and disclosure requirements for the issuance and admission to trading of crypto-assets;

• the authorisation and supervision of cryptoasset service providers, issuers of assetreferenced tokens and issuers of electronic money tokens;

• the operation, organisation and governance of issuers of asset-referenced tokens, issuers of electronic money tokens and crypto-asset service providers;

AUSTRIA trends and deve LoPments

• consumer protection rules for the issuance, trading, exchange and custody of cryptoassets; and

• measures to prevent market abuse to ensure the integrity of crypto-asset markets.

The scope of regulation of the proposed framework covers asset-referenced tokens (ART), electronic money tokens (EMT), and other crypto-assets not covered by existing EU law. ART are defined as a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets (Article 3 paragraph 1 subparagraph 3 of the proposed MiCA). EMT are, pursuant to Article 3 paragraph 1 subparagraph 4 of the proposed MiCA, a type of crypto-asset the main purpose of which is to be used as a means of exchange and that purport to maintain a stable value by referring to the value of a fiat currency that is legal tender.

The personal scope of MiCA, pursuant to Article 2 of the proposed MiCA, covers issuers of crypto-assets or those that provide services related to crypto-assets in the European Union. However, financial instruments under Article 4 paragraph 1 subparagraph 15 of Directive 2014/65/ EU are excluded from the scope of application of the proposed MiCA (Article 2 paragraph 2 subparagraph (a) of the proposed MiCA).

In a nutshell, the following steps have to be taken by an issuer of crypto-assets, other than ART or EMT:

• it must be established in the form of a legal person;

• it must provide a white paper setting out the information requirements according to Article 5 of the proposed MiCA;

• a notification and publishing of the cryptoasset white paper according to Article 7 and 8 proposed MiCA must be made; and

• it must comply with in particular the following requirements (laid down in Article 13 of the proposed MiCA): act honestly, fairly and professionally and communicate in a fair, clear and not misleading manner.

As set out in Article 5 of the proposed MiCA, which contains in detail the content of the crypto-asset white paper, the issuer of crypto-assets has to provide various information about the crypto-asset to enable consumers and investors to make an informed decision. The information to be provided comprises:

• the issuer itself;

• the main participants;

• the design of the project’s crypto-asset;

• the crypto-asset itself (its type, the characteristics of the offer to the public with the number of crypto-assets offered, its issue price, and the terms and conditions of subscription including the attached rights and obligations of the crypto-asset); and

• a structured summary.

The European Parliament takes the approach of protecting consumers and investors by ensuring that information is provided about the product itself, enabling consumers and investors to make an informed decision.

It is true that more available information about crypto-assets will enable market participants to make better-informed decisions. Thus, the violation of Article 5 of the proposed MiCA will qualify for a special liability clause under Article

AUSTRIA trends and deve LoPments

14 of the proposed MiCA. Information as the sole determinant to protect market participants from a default of the legal entity that has issued the crypto-asset, however, will not be sufficient.

If trading of the crypto-asset is permissible, but the legal entity that has provided the cryptoasset suffers from financial distress for any reason, then there will be a high risk of default if the legal entity is not equipped with sufficient liquidity to mitigate the distress scenario. Certainly, the provision of sufficient information is important but legal entities should also be equipped with sufficient liquidity to mitigate financial distress.

The issuing of ART requires that the competent authority (Article 19 of the proposed MiCA) authorise the issuance, because the issuer is (i) a legal entity established in the European Union and received authorisation to issue ART and (ii) an approved crypto-asset white paper of the competent authority has been published (Article 17 and Article 24 of the proposed MiCA). Thus, the issuer of ART has to provide sufficient own funds exceeding EUR350,000 and 2% of the average amount of the reserve assets referred to in Article 32 according to Article 31 of the proposed MiCA.

In contrast to issuers of crypto-assets that are not ART or EMT, issuers of ART have to be authorised by the competent authorities and should have a compliant governance arrangement according to Article 30 of the proposed MiCA in place. The legal basis for this different treatment of ART is that ART provide a cryptoasset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender. Therefore, it is more likely that these types of crypto-assets will be traded more compared to non-ART crypto-assets. Similar to the treatment of issuers of ART, issuers of

EMT have to observe stricter rules, because of the intended trading of the EMT and potential risks to consumers.

An issuer of EMT should observe Article 43 of the proposed MiCA as it states that the issuer of such EMT must be authorised as a credit institution or as an “electronic money institution”, has to comply with requirements applying to electronic money institutions and has to publish a crypto-asset white paper notified to the competent authority (Article 46 of the proposed MiCA).

The European Banking Authority (EBA) will be involved in the classification of ART (Article 39 of the proposed MiCA) and EMT (Article 50 of the proposed MiCA) as significant on the basis of the following criteria:

• size of the customer base of the promoters, shareholders of the issuer or any of the thirdparty entities;

• value of the ART (or EMT) or their market capitalisation;

• number and value of transactions in those ART or EMT;

• size of the reserve of assets of the issuer of the ART or EMT;

• significance of the cross-border activities of the issuer, including the number of member states where the ART are used, the use of the ART for cross-border payments and remittances and the number of member states where the third-party entities are established; and

• interconnectedness with the financial system.

In addition, a voluntary classification of ART (Article 40 of the proposed MiCA) or EMT (Article 39 of the proposed MiCA) as significant is possible. Per Article 41 and 52 of the proposed MiCA, the consequence of classification as sig-

AUSTRIA trends and deve LoPments

nificant results in specific additional obligations for issuers such as:

• a remuneration policy for sound and effective risk management;

• crypto-asset service providers being permitted to hold tokens in custody;

• the monitoring of liquidity needs to meet redemption requests or the exercise of rights; and

• establishing a liquidity management policy and procedures.

DLT-Pilot

By introducing the DLT-Pilot regime the European Parliament aims to ensure that EU financial services legislation will be fit for the digital age and contribute to a future-ready economy that works for the people, including by enabling the use of innovative technologies. The aim of the DLT-Pilot is to temporarily exempt certain distributed ledger technology (DLT) market infrastructures from some of the specific requirements of EU financial services legislation in connection with trading and settlement of transactions in crypto-assets, which would otherwise qualify as financial instruments.

The DLT-Pilot regulates the requirements of DLT market infrastructures and their operators such as granting and withdrawing specific permissions to operate DLT market infrastructures (Article 1 of the DLT-Pilot). A DLT market infrastructure could be either a DLT multilateral trading facility, a DLT settlement system or a DLT trading and settlement system.

Article 3 of the DLT-Pilot sets out that DLT financial instruments shall only be admitted to trading on a DLT market infrastructure or be recorded on a DLT market infrastructure under certain conditions. These conditions are:

• shares, the issuer of which has a market capitalisation, or a tentative market capitalisation, of less than EUR500 million; or

• bonds, other forms of securitised debt, including depositary receipts in respect of such securities, or money market instruments, with an issue size of less than EUR1 billion, or units in collective investment undertakings covered by Article 25(4), point (a) (iv), of Directive 2014/65/EU, the market value of the assets under management of which is less than EUR500 million.

Thus, the aggregate market value of all the DLT financial instruments shall not exceed EUR6 billion.

Specific regulation (requirements and exemptions) exists in the DLT-Pilot for DLT multilateral trading facilities (Article 4, DLT-Pilot), DLT settlement systems (Article 5, DLT-Pilot) and DLT trading and settlement systems (Article 6, DLT-Pilot).

By excluding certain DLT market infrastructures from current financial regulation the DLT-Pilot creates a test environment for new developments in the financial sector. Through its limited application (Article 3 of the DLT-Pilot), the regulation provides that only specific instruments may be tested under the new regime; other instruments must follow the current legislation. The new approach certainly enhances the appeal of technological developments in the financial sector and encourages businesses to test their technical developments under real conditions in a financial market.

DORA

The European Parliament aims to raise the level of harmonisation on digital resilience components, by introducing requirements on information and communication technology (ICT) risk

AUSTRIA trends and deve LoPments

management and ICT-related incident reporting that are more stringent than those laid down in current European Union financial services legislation. The framework aims at establishing uniform requirements in relation to the security of network and information systems with regard to:

• financial entities and their ICT risk management, major incident reporting, digital operational resilience testing, information and intelligence sharing of cyber threats and vulnerabilities;

• contractual arrangements between ICT thirdparty service providers and financial entities;

• an oversight framework for critical ICT third-party service providers when providing services to financial entities; and

• rules on co-operation among competent authorities and rules on supervision and enforcement by competent authorities (Article 1 of DORA).

The regulation defines digital operational resilience as the ability of a financial entity to build, assure and review its operational integrity from a technological perspective (Article 3 paragraph 1 of DORA) and requires financial entities to have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks (Article 4 and 5 of DORA). Financial entities should be able to identify all ICT-related business functions (Article 7 of DORA), protect their ICT systems and – in particular – prevent a leakage of information (Article 8 of DORA), detect anomalous activities (Article 9 of DORA) and establish suitable ICT-related governance (Articles 11 to 15 of DORA).

The regulatory framework establishes a comprehensive and detailed system for financial entities to mitigate digital operational risk. The framework prescribes adequate ICT risk management

tools, methods, processes and policies. The regulation clearly suggests that the management of financial entities invest in operational resilience and increase the size of their risk management divisions to comply with the act. In addition, there is a comprehensive reporting, information sharing and supervision requirement vis-à-vis the competent authorities in place. Whether such detailed rules will be sufficient to mitigate ICT risks shall be seen.

Current legislative framework in Austria

The Austrian Financial Market Authority (FMA) established, in September 2020, a regulatory sandbox for fintech models. Through this, the FMA is attempting to simplify the pathway to becoming a supervised entity for young fintechs as well as incumbent players that, together with an unlicensed entity, operate fintech business models and co-operations. This is to be achieved by supporting the business model in question with close supervision and allowing its operation in a test phase. However, there is currently no specific regulation with regard to DLT or crypto-assets in place; these are now part of the new regulatory approach of the European Parliament with MiCA, DORA and the DLT-Pilot regime.

Conclusion

The European Parliament is attempting to tackle possible risks of digital innovation with a comprehensive and detailed set of rules. In alignment with previous European legislation, the proposed acts provide a detailed set of governance and supervision rules. Instead of creating a minimum standard to protect consumers and other market participants and allow business opportunities to thrive, regulatory authorities are prescribing in detail the requirements on specific topics, and monitor and supervise the activities of supervised entities.

AUSTRIA trends and deve LoPments

From a supervisory perspective, MiCA and DORA will be powerful tools for supervisors to cope with the risks of the upcoming challenges in the financial sector. From the perspective of financial entities, the proposed acts will set comprehensive and detailed rules with which to comply but will allow financial entities to operate in a fair and equal market across the EU.

AUSTRIA trends and deve LoPments

Fellner Wratzfeld & Partners (fwp) has a team of more than 120 highly qualified legal personnel. The firm’s major fields of specialisation include banking and finance, corporate/M&A, real estate, infrastructure and procurement law, changes of legal form, reorganisation and restructuring. fwp advises renowned credit institutions and financial services providers on financing projects, representing mainly Austrian

Authors

Markus Fellner was admitted to the Austrian Bar in 1998 and has been a partner at Fellner Wratzfeld & Partners since 1999, now heading the firm’s banking and finance practice group. He specialises in banking and finance, insolvency law and restructuring, corporate/M&A and dispute resolution. Markus has published a considerable number of articles and essays on topics related to these areas of expertise, including capital maintenance rules in Austria, M&A, and business restructuring and insolvency. He speaks German, English and Italian.

and international private companies, but also has clients from the public sector. The firm’s expertise has proven its worth repeatedly, not only in connection with project and acquisition financing, but also in regard to financing company reorganisations; fwp is also able to draw upon substantial experience gained in the financing of complex consortia in the last few years.

Florian Kranebitter is a partner at Fellner Wratzfeld & Partners and specialises in banking and finance, corporate/M&A, insolvency and restructuring, with a focus on IT projects (including cybercrime, platform businesses and AI). Florian has been advising financial institutions and corporates on national and international transactions for more than a decade. He has particular expertise in providing cross-disciplinary and cross-sector advice in the area of sustainable solutions (including ESG).

Florian Henöckl was admitted to the Austrian Bar in 2021 and has been an attorney at law with Fellner Wratzfeld & Partners since that year. He has particular experience and knowledge in the areas of banking and finance, restructuring law and insolvency, and corporate/M&A. Florian speaks German and English.

AUSTRIA trends and deve LoPments

Contributed by: Markus Fellner, Florian Kranebitter and Florian Henöckl, Fellner Wratzfeld & Partners

Fellner Wratzfeld & Partners

Schottenring 12

A-1010 Vienna

Austria

Tel: +43 1 53770 0

Email: office@fwp.at

Web: www.fwp.at

CHAMBERS GLOBAL PRACTICE GUIDES

Chambers Global Practice Guides bring you up-to-date, expert legal commentary on the main practice areas from around the globe. Focusing on the practical legal issues affecting businesses, the guides enable readers to compare legislation and procedure and read trend forecasts from legal experts from across key jurisdictions.

To find out more information about how we select contributors, email Katie.Burrington@chambers.com