This tool offers you the chance to see how jurisdictions compare for finance and investment around the world.

FinTech products and uses

Are there any restrictions, specific laws, regulations or procedures that apply to FinTech products?

Angola

There are no specific laws applicable to fintech products. General legislation, such as the consumer protection act or the personal data protection law, among others, applies to these products.

Last modified 23 Jul 2020

Australia

General financial regulatory regime

The Australian Securities and Investments Commission (ASIC) is the financial services regulator in Australia.

General

To conduct a financial services business in Australia, businesses must hold an Australian financial services license (AFSL) issued by ASIC. Most FinTech services are captured in the definition of financial services and financial products in the Corporations Act 2001 (Cth) and, unless an exemption applies, FinTech companies will require an AFSL. There are limited statutory exemptions available to foreign entities who conduct financial services in Australia.

Additionally, an Australian credit license (ACL) issued by ASIC is required for a business engaging in consumer credit activities in Australia which are captured in the National Consumer Credit Protection Act 2009 (Cth), unless an ASIC exemption applies.

National Innovation and Science Agenda

In December 2015, the Australian Government introduced the National Innovation and Science Agenda (NISA) to facilitate the development of FinTech. NISA, among other things:

  • encourages investment in FinTech companies through tax incentives for early-stage investment;
  • enables crowdsourced equity funding of public companies (described further below); and
  • establishes the FinTech Advisory Group to advise the Treasurer and the ASIC Innovation Hub.

The ASIC Innovation Hub assists FinTech startup companies to navigate the Australian financial regulatory system by engaging with FinTech businesses and providing information to streamline the licensing process.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

The New Payments Platform (NPP) is an industry initiative to develop a new national infrastructure for fast, versatile, data-rich payments in Australia between financial institutions and their customers. The NPP will connect to all financial institutions and, as a result, to businesses and consumers, allowing funds to be accessible almost immediately upon receipt of a payment. 

Peer-to-peer lenders

Peer-to-peer lending involves a financial service provider (the lending platform) acting as the intermediary between investors and borrowers. Lending platforms are generally set up as managed investment schemes, meaning the platform operator must have an AFSL that allows them to run the scheme. Accordingly, these transactions will be caught by the Corporations Act 2001 (Cth) and must comply with the regulatory regime.

Where the borrower is an individual and not a business, the loan will be a consumer credit contract and the platform operator will be required to comply with the National Consumer Credit Protection Act 2009 (Cth), in addition to holding an AFSL.

Regulation of payment services

The Reserve Bank of Australia

The Reserve Bank of Australia (RBA) is responsible for the designation and regulation of systems facilitating the transfer of funds in Australia under the Payment Systems (Regulation) Act 1998 (Cth) and the Payment Systems and Netting Act 1998 (Cth). The RBA has established the Payment Systems Board to take responsibility for payments system policy. The powers of the RBA include designating a payment system as being subject to regulation, imposing an access regime to establish rules of participation in a payment system and setting standards for payment systems to promote safety and efficiency.

To this end, the RBA has established a number of standards for compliance and access regimes applicable to participants in payment systems.

ePayments Code

Consumer electronic payment transactions in Australia are regulated by the ePayments Code, administered by ASIC. The ePayments Code applies to voluntary subscribers, including banks, credit unions and building societies.

The Code, among other things:

  • requires subscribers to give consumers clear and unambiguous terms and conditions;
  • stipulates how changes to terms and conditions (such as fee increases), receipts and statements need to be made;
  • sets out the rules for determining who pays for unauthorized transactions; and
  • establishes a regime for recovering mistaken internet payments.

Application of data protection and consumer laws

The Privacy Act 1988 (Cth) regulates the use of personal data within Australia. Where a FinTech business provides credit or handles information relevant to credit, the Privacy Act will apply. The Australian Privacy Principles that are set out in the Privacy Act outline the obligations on the collection, use, disclosure and management of personal information. Where a business undertakes an act outside Australia and there is some link to an Australian citizen or organization, or where it carries out business in Australia, the Privacy Act will apply.

The Office of the Australian Information Commissioner (OAIC) is the body responsible for administering the Privacy Act and has the power to investigate non-compliance.

Money laundering regulations

The Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth) establishes a regime to target and deter money laundering and terrorism financing in designated services. Where a FinTech company provides a designated financial service, such as lending or issuing or selling interests in managed investment schemes, they will become a reporting entity and have obligations under the Anti-money Laundering and Counter-terrorism Financing Act 2006 (Cth). These obligations include compliance reporting and conducting due diligence on customers prior to engaging in any financial services.

Licensing exemption for FinTech testing

ASIC has implemented a FinTech licensing exemption to facilitate the testing of new FinTech services before requiring a business or start-up to obtain an AFSL or ACL. According to the regulatory guide published by ASIC, allowing FinTech businesses to test their new products and services before they obtain a license can help alleviate the barriers to innovation (including access to capital and speed to market) by:

  • allowing concepts to be validated and refined before businesses spend the time and money associated with obtaining a license; and
  • providing increased opportunities for businesses to obtain investment that may assist with meeting the costs of complying with the law.

Three components are necessary in this regard:

  • existing flexibility in the regulatory framework or exemptions provided by the law which means that a license is not required;
  • tailored, individual licensing exemptions granted by ASIC to a particular business to facilitate product or service testing (individual exemptions of this nature are similar to the regulatory sandbox frameworks established by financial services regulators in other jurisdictions); and
  • ASIC’s ‘FinTech licensing exemption’ – provided under ASIC Corporations (Concept Validation Licensing Exemption) Instrument 2016/1175 and ASIC Credit (Concept Validation Licensing Exemption) Instrument 2016/1176, which apply to certain products or services (FinTech Exemption).

Under the FinTech exemption, a business may, without needing to hold an AFSL, give financial product advice in relation to (or deal in) the following products:

  • listed or quoted Australian securities;
  • debentures, stocks or bonds issued or proposed to be issued by the Australian Government;
  • simple managed investment schemes;
  • deposit products;
  • some kinds of general insurance products; and
  • payment products issued by Australian banks.

Initial Coin Offerings

ASIC is due to release guidelines in relation to Initial Coin Offerings (ICOs), which have not been released to date. It is expected that ASIC will follow the lead of the US, Canada and Hong Kong regulators by including the fundraising method within the regulatory framework governing Initial Public Offerings. ASIC is reportedly working with advocates in the startup community (including FinTech Australia) to develop guidelines, although it is expected that ASIC may take the view that many of the 'tokens' currently being issued through ICOs would fall within ASIC definitions of 'securities'.

Crowdfunding in Australia

Australia’s previous regulatory requirements generally created a barrier to widespread use of crowdsourced equity funding. However, changes are underway to make it easier and less expensive for businesses, including start-ups, to raise equity from the general public up to A$5 million in any 12-month period, while ensuring adequate investor protection. The Australian Parliament has enacted the Corporations Amendment (Crowd-sourced Funding) Act 2017 (Cth), which will allow eligible Australian businesses (including start-ups) to access crowdsourced equity investments through a licensed online portal.

For companies to access the benefits of the new crowdsourced funding regime, providers of crowdsourced funding services must hold an AFSL issued by ASIC. ASIC accepts applications from potential crowdsourced funding intermediaries for AFSL authorizations to provide crowdfunding services.

The following general restrictions apply:

  • Individuals seeking to invest using a crowdsourced funding platform can contribute up to AUD10,000 per year, per company.
  • Crowdsourced funding will also be available to Australian public companies with turnover/gross assets less than AUD25 million.
  • Proprietary companies will be subject to additional governance and reporting requirements (including the provision of annual financial reports to shareholders).

Last modified 3 Dec 2019

Belgium

Regulation of payments services

Businesses that aim to provide payment services require prior authorization from the National Bank of Belgium (NBB) under the Law of 11 March 2018 transposing the Second European Union Payment Services Directive (PSD II). In order to become authorized, payment service providers need to meet certain criteria, including in relation to the business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

Application of data protection and consumer laws 

The European General Data Protection Regulation (GDPR) entered into force with direct effect on 25 May 2018. The GDPR gives citizens greater control over the use of their personal data.

Money laundering regulations

The Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on the restriction of the use of cash implements the Fourth Anti Money Laundering Directive (4AMLD). Suspicious transactions have to be reported to the Belgian Financial Intelligence Processing Unit. As mentioned above, the Belgian Minister of Justice intends to bring virtual currency exchanges into the scope of the Belgian Anti-Money Laundering Act in the future.

Last modified 18 Dec 2019

Brazil

General financial regulatory regime

The basic structure of the Brazilian financial system (Sistema Financeiro Nacional) was established by Law No. 4,595, which created the CMN (as defined below) and granted the Central Bank, among other things, the powers to issue money and control credit.

Main regulatory agencies

The Brazilian financial system (Sistema Financeiro Nacional) consists, among others, of the following regulatory and fiscal bodies:

  • National Monetary Council (Conselho Monetário Nacional or CMN);
  • Central Bank of Brazil;
  • Brazilian Securities Commission (Comissão de Valores Mobiliários or CVM);
  • Brazilian Council of Private Insurance (Conselho Nacional de Seguros Privados – CNSP);
  • Superintendence of Private Insurance (Superintendência de Seguros Privados or SUSEP); and
  • Complementary Pensions Secretariat (Superintendência Nacional de Previdência - PREVIC).

The CMN and the Central Bank regulate the Brazilian banking sector. The CVM is responsible for the policies of the Brazilian securities market. Below is a summary of the main attributes and powers of each of these regulatory bodies.

The CMN

Currently, the CMN is the highest authority in the system and is responsible for Brazilian monetary and financial policy and for the overall formulation and supervision of monetary, credit, budgetary, fiscal and public debt policies.

The Central Bank

Law No. 4,595 granted the Central Bank powers to implement the monetary and credit policies established by the CMN, as well as to supervise public and private sector financial institutions and to apply the penalties provided for in law, when necessary. According to Law No. 4,595, the Central Bank is also responsible for, among other activities:

  • controlling credit and foreign capital;
  • receiving mandatory payments and voluntary demand deposits from financial institutions;
  • carrying out rediscount operations and providing loans to banking institutions;
  • functioning as the depositary for official gold and foreign currency reserves;
  • controlling and approving the operations, the transfer of ownership and the corporate reorganization of financial institutions;
  • the establishment of transfers of principal places of business or branches (whether in Brazil or abroad); and
  • requiring the submission of periodical and annual financial statements by financial institutions.

The President of the Central Bank is appointed by the President of Brazil, subject to ratification by the Federal Senate, and holds office for an indefinite period of time.

The CVM

The CVM is a government agency of the Ministry of Economy, with its headquarters in Rio de Janeiro and with jurisdiction over the whole Brazilian territory. The agency is responsible for implementing the securities policies of the CMN and is able to regulate, develop, control and supervise this market strictly in accordance with the Brazilian Corporate Law and securities laws.

The CVM is responsible for regulating the supervision and inspection of publicly-held companies (including with respect to disclosure criteria and penalties applicable to violations in the securities market), the trading and transactions in the securities and derivatives markets, the organization, functioning and operations of the stock exchanges and the commodities and futures exchanges and the custody of securities.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Law No. 12,865/2013 regulates the payment schemes and payment institutions, which have become part of the Brazilian Payments System. A number of FinTech businesses are offering electronic payment platforms to rival the traditional payment systems.

Peer-to-peer lenders

The CMN approved on April 26, 2018, resolutions No. 4,656 and 4,657, regulating the activities of financial technology companies that operate in the credit market and enabled these companies, which used to operate as banking correspondents in the credit market, to grant credit without the intermediation of a bank. The new rules applied immediately to these entities and allowed interested companies to start the authorization process.

As per the approved regulation, FinTechs could be structured as (i) Direct Credit Companies, which will carry out operations with their own resources through an electronic platform; or (ii) Interpersonal Loans Companies, focused on financial intermediation (peer-to-peer). Furthermore, on October 29, 2018, the Federal Government enacted Decree No. 9,544, authorizing foreign investment of up to 100% in the capital stock of Direct Credit Companies or Interpersonal Loans Companies.

Regulation of payment services

General overview

A payment institution in Brazil is a legal person subject to the Central Bank’s provisions, adhering to one or more payment schemes, having as main or ancillary activity one or more of the following (a Payment Institution):

  • providing cash-in and cash-out services of the funds held on payment accounts;
  • performing or facilitating payment instructions related to a specific payment service, including transfers originated from or intended for a payment account;
  • managing payment accounts;
  • issuing payment instruments;
  • acquiring payment instruments;
  • remitting funds;
  • converting physical or book-entry currency into e-money, or vice-versa, acquiring the acceptance or managing the use of e-money; and
  • other activities related to payment services, designated by the Central Bank.

Legal framework

Payment Institutions in Brazil are subject, primarily, to the following laws and regulations:

  • Law No. 12,865/2013, as amended, regulates the payment schemes and payment institutions, which have become part of the Brazilian Payments System (SPB);
  • Resolution No. 4,282/2013 presents a guideline for the regulation of the Central Bank regarding payment schemes and payment institutions;
  • Central Bank Circular No. 3,680/2013, as amended, regulates payment accounts;
  • Central Bank Circular No. 3,681/2013, as amended, regulates the risk management, minimum capital requirements and governance of payment institutions, among others;
  • Central Bank Circular No. 3,682/2013, as amended, regulates payment schemes within the SPB;
  • Central Bank Circular No. 3,885/2018, as amended, regulates payment institutions;
  • Central Bank Circular No. 3,856/2017 provides for the internal audit activity in the institutions of payment;
  • Central Bank Circular No. 3,704/2014 regulates the account held at the Central Bank regarding e-money and the performance of the payment institutions and transfer of reserves system (Sistema de Transferência de Reservas – STR);
  • Central Bank Circular Letter No. 3,949/2019 provides clarifications and models regarding the procedures to request authorization for payment schemes; and
  • Central Bank Circular Letter No. 3,897/2018 provides models of necessary documents to support the proceedings addressed in Central Bank Circular No. 3,885/2018.

Categories

Under Article 4 of Circular No. 3,855, payment institutions are classified in the following categories, according to the services that will be rendered:

Category: Issuer of e-money
Services rendered:
  • Manages pre-paid payment accounts of final users
  • Provides e-money payment transactions
  • Accredits the acceptance of e-money with settlement in a payment account managed by the issuer
  • Converts the resources into physical and scriptural currencies, or vice versa

Category: Issuer of post-paid payment instrument
Services rendered:
  • Manages post-paid payment accounts of final payer users
  • Provides payment transactions

Category: Accrediting entity
Services rendered:
  • Does not provide payment accounts
  • Enables recipients to accept payment instruments issued by a payment institution or financial institution that is a member of the same payment scheme
  • Participates in settlement procedures of the payment transaction as creditor vis-à-vis the issuer

Operations

According to Circular No. 3,855, the essential conditions for a Payment Institution to operate are:

  • due incorporation according to the current rules and regulations;
  • Central Bank authorization (only for payment institutions that operate with a volume greater than R$500 million in payment transactions or R$50 million in funds held in prepaid payment account for any given period of 12 months); and
  • compliance with the minimum capital requirements in case the payment institution is authorized by the Central Bank.

Application of data protection and consumer laws

Brazilian Consumer Defense Code

Financial activities are also generally subject to the restrictions of the Consumer Defense Code and certain other related regulations from the Central Bank. In 1990, the Brazilian Consumer Defense Code was enacted to establish rigid rules to govern the relationship between product and service providers and consumers with the overall aim to protect final consumers. In June 2006, the Brazilian Supreme Court of Justice ruled that the Brazilian Consumer Defense Code also applies to transactions between financial institutions and their clients. Financial institutions are also subject to specific regulation from the National Monetary Council (CMN), which regulates the relationship between financial institutions and their clients. CMN Resolution No. 3,694 dated March 26, 2009, as amended by CMN Resolution No. 3,919 dated November 25, 2010 and CMN Resolution No. 4,283 dated November 4, 2013, established new procedures with respect to the settlement of financial transactions and to services provided by financial institutions to clients and the public in general, aimed at improving the relationship between market participants by fostering additional transparency, discipline, competition and reliability on the part of financial institutions. The new regulation consolidates all the previous related rules. The main changes introduced by the Consumer Defense Code are described below.

  • Financial institutions must ensure that clients are fully aware of all contractual clauses, including responsibilities and penalties applicable to both parties, in order to protect the counterparties against abusive practices. All queries, consultations or complaints regarding agreements or the publicity of clauses must be promptly answered, and fees, commissions or any other forms of service or operational remuneration cannot be increased unless reasonably justified (in any event these cannot be higher than the limits established by the Central Bank).
  • Financial institutions are prohibited from transferring funds from their clients’ various accounts without prior authorization.
  • Financial institutions cannot require that transactions linked to one another must be carried out by the same institution. If the transaction is dependent on another transaction, the client is free to enter into the latter with any financial institution it chooses.
  • Financial institutions are prohibited from releasing misleading or abusive publicity or information about their contracts or services. Financial institutions are liable for any damage caused to their clients by their misrepresentations.
  • Interest charges in connection with personal credit and consumer directed credit must be proportionally reduced in case of anticipated settlement of debts.
  • There must be adequate treatment for the elderly and physically disabled.

Data protection

Brazil enacted the Brazilian General Data Protection Law (Federal Law no. 13,709/2018 or “LGPD”) on August 15, 2018. The LGPD is Brazil’s first comprehensive data protection regulation and it is largely aligned with the EU General Data Protection Regulation (“GDPR”). Certain LGPD provisions were later amended to, among other modifications, create the National Data Protection Authority (“ANPD”) and postpone its effectiveness to August 2020, rather than February 2020, as set forth when the LGPD was first published.

The LGPD applies to any processing operation carried out by a natural person or a legal entity, of public or private law, irrespective of the means used for the processing, the country in which its headquarters are located or the country where the data are located, provided that:

  • The processing operation is carried out in Brazil;
  • The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil; or
  • The personal data was collected in Brazil.

The LGPD grants rights to data subjects and imposes several obligations on the processing of personal data (defined as any information related to an identified or identifiable natural person). The LGPD also imposes obligations to be observed prior to international transfer of personal data as well as notification requirements in scenarios of data breaches which may cause relevant risk or damage to data subjects.

Prior to the LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act) impose some requirements regarding security and the processing of personal data and other obligations on service providers, networks and applications providers, and establish rights of Internet users.

Furthermore, general principles and provisions on data protection and privacy are set forth in the Federal Constitution, in the Brazilian Civil Code and other specific laws and regulations that address particular types of relationships (eg Brazil’s Consumer Defense Code and labor laws), particular sectors (eg financial institutions, health industry and telecommunications) and professional activities (eg medicine and law).

Specifically in relation to financial institutions, Resolution no. 4,658/2018 of the Central Bank imposes cyber security requirements and sets forth standards for contracting data processing services, such as storage and cloud computing services. The provisions of this Resolution must be observed by financial institutions and other institutions authorized to operate by the Central Bank of Brazil.

Money laundering regulations

Brazilian Law No. 9,613, of March 3, 1998, as amended by Law No. 12,683, of July 9, 2012 (the Anti-Money Laundering Law) plays a major role for those engaged in banking and financial activities in Brazil. The Anti-Money Laundering Law sets forth the definition and the penalties to be incurred by persons involved in activities that comprise the laundering or concealing of property, rights and assets, as well as a prohibition on using the financial system for these illicit acts.

In addition, the Brazilian Anti-Money Laundering Law created the Financial Activity Control Council (Conselho de Controle de Atividades Financeiras or “COAF”). The main role of the Financial Activity Control Council is to promote cooperation among the Brazilian governmental bodies responsible for implementing national anti-money laundering policies, in order to stem the performance of illegal and fraudulent acts. Its activities also include imposing administrative fines and examining and identifying suspected illegal activities pursuant to the Anti-Money Laundering Law.

Last modified 4 Dec 2019 | Authored by Campos Mello Advogados

Canada

General financial regulatory regime

The regulation of financial products and services is a combination of both federal and provincial regimes, which can often be divergent and overlapping.

General

There is not currently a comprehensive regime which specifically regulates FinTech in Canada. However, a person carrying on business in the area of financial products and services will be required to comply with a variety of banking, securities, consumer protection and privacy laws.

Competition Bureau of Canada’s market study report: Technology-Led Innovation in the Canadian Financial Services Sector

After conducting an 18-month study, which included a FinTech workshop for stakeholders, founders and regulators held in February 2017, the Competition Bureau of Canada published its market study report in December 2017. The report set out 30 recommendations for regulators and policy makers. Of these, 19 identified specific, technical improvements in the areas of retail and payment systems, investment dealing and advice, P2P lending and equity crowdfunding, while 11 focused on how to strike the right balance between regulation and innovation. Some of the broader recommendations that the Competition Bureau had for regulators are as follows:

  • Principles based regulation – Regulators should adopt a principles-based approach instead of prescribing exactly how a service must be carried out, which would allow for more flexibility with regards to enforcement as technology continues to change.
  • Function focused regulation – Regulators should focus on the function that an entity carries out which will ensure that all entities that perform the same function carry the same regulatory burden and consumers have the same protections when dealing with competing service providers.
  • Collaboration – Regulators should encourage collaboration throughout the sector, using mechanisms such as regulatory sandboxes and innovation hubs.
  • FinTech Policy Lead – Regulators should identify a FinTech policy lead for Canada in order to facilitate FinTech development, provide industry participants with a one-stop resource for information and encourage greater investment in innovative businesses.
  • Access, Harmonization and Review – Regulators should promote greater access to core infrastructure and services, continue their efforts to harmonize regulations across jurisdictions in Canada and continue to review their regulatory frameworks frequently.

Canadian Securities Administrators Business Plan 2019-2022

In June 2019, the Canadian Securities Administrators (CSA) published the CSA Business Plan 2019-2022, which includes considering the development and adaptation of the regulatory framework to address challenges brought by emerging technologies as one of the strategic goals. This goal consists of (i) identifying emerging regulatory issues which require regulatory action or clarity, and (ii) developing a tailored and effective regulatory response.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms 

Federally-regulated financial institutions (FRFIs) must comply with payment rules and standards set out in the federal Bank Act. The Office of the Superintendent of Financial Institutions (OSFI) regulates, among other things, the payment processing services of FRFIs. FinTech mobile payment providers are not usually FRFIs, and therefore not subject to OSFI oversight. However, FinTech companies are required to comply with various codes of conduct and standards in Canada’s payment industry, including the Code of Conduct for the Credit and Debit Card Industry in Canada and the Canadian NFC Mobile Payments Reference Model.

In July 2017, the federal Department of Finance issued a consultation paper entitled 'A New Retail Payments Oversight Framework', which outlined various aspects of a proposed new framework for regulating retail payments. With limited exceptions, the new proposed framework would apply to any payment service provider (PSP) that is engaged in the following payment functions:

  • provision and maintenance of a payment account – providing and maintaining an account held in the name of one or more end-users for the purpose of making electronic fund transfers;
  • payment initiation – enabling the initiation of a payment at the request of an end-user;
  • authorization and transmission – providing services to approve a transaction and/or enabling the transmission of payment messages;
  • holding of funds – enabling end-users to hold funds in an account held with a PSP until it is withdrawn by the end-user or transferred to a third party through an electronic fund transfer; and
  • clearing and settlement – enabling the process of exchanging and reconciling the payment items (clearing) that result in the transfer of funds and/or adjustment of financial positions (settlement).

The new oversight framework would only apply to retail payments carried out solely in fiat currencies and not virtual currencies.

The Government of Canada’s 2019 Budget “Investing in the Middle Class” included plans to legislate first measures of a new retail payment oversight framework, drawn from the Department of Finance’s 2017 consultation paper discussed above. These commitments to legislate include end-use fund safeguarding and operational standard requirements, however new legislation has not yet been published to introduce the aforementioned measures.

Payments modernization

Modernization is a multi-year Payments Canada initiative to modernize the systems and rules that are essential to Canada’s payments ecosystem. In April 2016, Payments Canada published the initial Vision for the Canadian Payments Ecosystem (the “Vision”) and in December 2016 published an Industry Roadmap & High Level Plan which discusses how Payments Canada and the industry can modernize the Canadian payments ecosystem to advance the Vision. On December 21, 2017, Payments Canada published the Modernization Target State, which provides an in-depth view of the target end state for payment system modernization in Canada, including the infrastructure, rules and standards that will benefit Canadians and businesses from coast-to-coast.

Most recently, on December 19, 2018, Payments Canada published the Modernization Delivery Roadmap 2018 Update (the “Roadmap”). The Roadmap provides an update on Canada’s progress on its payments modernization program, which includes implementing a new credit risk model for Canada’s retail payment system and enhancements to Automated Funds Transfer. The Roadmap provides revised timelines for the implementation of the modernization initiative.

The Roadmap discusses:

  • High-value payments system - Lynx: The appointment of a prime vendor for hosting and system integration services as an additional step to manage risk and effectively deliver on Payments Canada’s commitment to meet the highest international security, resiliency and operating standards. The prime vendor will support the end-to-end delivery and operations of Lynx, including oversight of SIA, the application provider for Lynx.
  • Real-time rail: Clearer articulation of the release schedule for the new real-time payments system in Canada. The first release (referred to as R1) of Canada's new real-time payments system is a foundational release that will deliver the real-time processing of transactions, real-time deposit and real-time availability of funds. R1 will include an enhanced risk model using collateral pledged through the Bank of Canada to support final and irrevocable real-time payments, which will lower settlement risk and support broadening access to new participants; an alias management capability that allows for the routing of payments using an email address or mobile phone number; the capability to carry additional payment information based on ISO 20022 message standards; and the availability of standardized APIs. Future releases of Canada’s new real-time payments rail will build on this foundation, creating opportunities for innovation and competition in the Canadian marketplace.
  • Retail batch payments: The prioritization of additional improvements to the current retail batch payments system in advance of progressing to a new, centralized system, which will reduce system risk and support broadening access to members. The additional enhancements to the current system will build on the series of enhancements introduced in 2018. In 2018, modifications were implemented to the existing retail batch payments system, the Automated Clearing and Settlement System (ACSS), that allow Canadian businesses to move funds more frequently and make same day settlements. The delivery date of an enhanced centralized retail batch system has been extended beyond the R1 launch of the Real-Time Rail (RTR) and Lynx. Focus has shifted to the delivery of regulatory enhancements that will reduce system risk including increasing collateral coverage and implementing value caps on individual transactions.

Please see below the Roadmap providing revised timelines for Lynx, the real-time rail and the retail batch payment system.

[Image: Modernization multi-year roadmap]

Peer-to-peer lenders

The scope of regulation and legislation applicable to peer-to-peer (P2P) lenders will depend on the specific nature of the operations; however, P2P lending platforms will typically fund loans or portions of loans, and operators of such a platform will need to be aware of, among other things, Canadian securities law requirements (including prospectus and registration requirements as well as available exemptions) and applicable money laundering, criminal activity and terrorist financing legislation such as the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).

Regulation of payment services

See Electronic payment platforms above.

Application of data protection and consumer laws

In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs the way private sector organizations may collect, use and disclose personal information in the course of commercial activity. Where provincial privacy legislation governing the private sector’s collection, use and disclosure of personal information has been deemed as 'substantially similar' to PIPEDA, the provincial legislation will apply instead. Alberta, British Columbia and Quebec each have provincial legislation that supersedes PIPEDA in regulating personal information collection, use and disclosure in the private sector.

Canada’s federal Bank Act also contains provisions regulating the use and disclosure of personal financial information by FRFIs.

Money laundering regulations

The PCMLTFA gives the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) responsibility for supervising anti-money laundering controls of businesses in Canada that engage in foreign exchange dealing, remittance or transmission of funds, securities dealing, portfolio management and investment advice.

Pursuant to PCMLTFA, businesses are required to verify their clients’ identities, maintain certain records, and report suspicious transactions to FINTRAC.

On July 10, 2019, Canada’s Department of Finance published amendments to the regulations made under the PCMLTFA which are set to come into force on June 1, 2020 and 2021. Among these regulations is an expanded definition of money services businesses to include domestic and foreign businesses that are dealing in virtual currency (see What is a Cryptocurrency? above). Accordingly, persons and entities dealing in virtual currencies will soon be subject to similar obligations as other reporting entities.

Last modified 2 Jan 2020

Chile

General financial regulatory regime

Most of the regulatory regime for banking and financial services in Chile is established through the General Banking Law, and the regulatory rules of the Chilean Central Bank and the CMF, which prevents non-banking institutions from performing banking activities.

Electronic payments platforms and regulation of peer-to-peer lenders

In Chile there are two well-established electronic payments platforms: Transbank (which is controlled by banks) and Multicaja (which is owned by a private company). There have been several attempts from other non-banking entities to provide similar services, but large financial institutions have been reluctant to partner up with them, making it a difficult area of the market for smaller market players to penetrate.

Banks have further challenged non-banking entities which were providing electronic payment services which they argued constituted performing placement operations, an activity which can only be carried out by regulated banks; however, this claim did not succeed in trial and non-banking entities were permitted to continue providing such services.

Regulation of payment services

In Chile, low cost payment systems, or retail payment systems, are used to carry out transactions among individuals and/or companies. This kind of payment can be made through a variety of methods such as cash, checks, credit and debit cards and electronic transfers. Currently in Chile, only certain institutions are allowed to issue these means of payment; however, a new law which allows the issuance and operation of different means of payment by non-banking entities was enacted in October 2016.

Payment services transactions are regulated mainly by the SBIF, which has established a series of technical criteria to ensure that all payment services are reliable and secure.

Application of data protection and consumer laws

Data protection and consumer laws apply equally to FinTech operations. Furthermore, there are specific laws that regulate terms and conditions of consumer loans and financial contracts with consumers (Law No 20,555). There is also a non-privacy and security regulation which is specific to banks, established in article 154 of General Law of Banks. The regulation aims to maintain the confidentiality of the transactions that individuals perform with and through the banks, by classifying them into the following two categories:

  • operations covered by secrecy, meaning that they are private and it is therefore not possible to make them known; and
  • operations covered by reserve, which imposes a significant limitation on the reporting of such transactions.

Money laundering regulations

The Finance Analysis Unit (UAF) is the dedicated public entity whose purpose it is to prevent the use of the financial systems to commit crimes such as money laundering and financing of terrorism. The UAF is aimed at controlling certain subjects related to financial activities and establishing a series of information obligations, such as:

  • keeping registries;
  • declaring corporate legal changes;
  • reporting cash transactions and transactions that exceed the US$10,000 limit;
  • reporting of suspicious activities;
  • due diligence and knowledge of their clients (know your customer (KYC));
  • keeping records for at least five years;
  • training employees; and
  • appointing a compliance officer.

The SBIF has also established a series of rules with similar aims.

Last modified 6 Dec 2019

Colombia

General financial regulatory regime

Regulatory entity

The Financial Superintendence of Colombia (SFC) is a technical entity affiliated with the Ministry of Finance that acts as the inspection, supervision and control authority of persons involved in financial, insurance and securities exchange activities, and any other operations related to the management, use or investment of resources collected from the public. The SFC is responsible for supervising the Colombian financial system with the purpose of preserving its stability and trustworthiness, as well as promoting, organizing and developing the Colombian securities market and protecting the users of financial and insurance services and investors in general.

Financial institutions must obtain the authorization of the SFC before commencing operations. In addition, all public offerings of securities require the prior approval of the SFC.

General

A person must not carry on a regulated activity in Colombia, unless authorized by the SFC. The SFC authorizes the incorporation and operation of all financial institutions. Authorization of the SFC shall be obtained whenever FinTech products or applications involve any financial activity which requires regulatory authorization.

A person undertaking a regulated activity without being authorized or exempt commits a criminal offence and may be liable to imprisonment and economic sanctions.

Project RegTech

The SFC has a FinTech division that seeks to create and develop applications that support regulatory compliance. Currently, the main focus of the FinTech division is to optimize the transmission of information among the different financial controlled entities (ie banks, stock exchange, fiduciaries and financial institutions). This initiative is known as 'project RegTech'.

FinTech subcommittee

In 2016, the Financial Regulation Unit (URF) formed the FinTech subcommittee to provide a formal space in which the public and private sectors may participate in and contribute to the construction of FinTech regulations.

The remit of the FinTech subcommittee includes the following:

  • robo advisors;
  • cloud computing;
  • blockchain; and
  • algorithmic trading.

The FinTech subcommittee has not yet issued formal guidelines in connection with the abovementioned matters, although it is expected that it will issue these guidelines no later than December 2017.

Asociación Colombiana FinTech

Asociación Colombiana FinTech is a group of entities whose aim is to create a proactive place for the development of FinTech business in Colombia. This association is working in the following areas:

  • international transmission of data;
  • digital identity;
  • digital consultancy;
  • digital payment;
  • crowdfunding;
  • InsurTech;
  • bitcoin and blockchain;
  • open data for the financial sector; and
  • sandboxes.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

E-commerce is regulated by Law 527 of 1999, known as the Electronic Commerce Law. E-commerce is defined as all issues arising from a commercial relationship, whether contractual or not, originating from the use of one or more data messages or other similar media. Commercial relationships include the following transactions:

  • supply or exchange of goods and services;
  • distribution agreements;
  • agency or mandate agreements;
  • all types of financial, securities and insurance operations;
  • infrastructure and construction agreements; and
  • licensing.

Electronic security is a component of the SFC's operational risk review. Supervised firms are required to design and implement electronic security policies and contingency plans. The SFC establishes minimum requirements for security and quality of information transmitted through electronic channels.

Colombia has adopted measures aimed at reducing regulatory burdens on the financial sector with the aim of encouraging the expansion of access to financial services and to engage in online commerce. As an example, the financial inclusion law allows the creation of nonbank deposit entities known as specialized companies in deposits and electronic payments (SEDPE). SEDPEs are intended to give individuals access to a savings account, and facilitate safe, quick and cheap money transfers. SEDPEs help individuals who do not necessarily own credit or debit cards to carry out online purchases. Moreover, the law allows mobile phone operators to obtain financial licenses from the SFC to operate SEDPEs.

Peer-to-peer lenders

Peer-to-peer lenders are not currently regulated under Colombian law.

Regulation of payment services

The Financial Superintendence of Colombia has regulatory and supervisory authority over financial entities regarding payment services.

In addition, the Banco de la República (Central Bank or BR) is responsible for monetary policy and foreign exchange. It has the authority to adopt certain macroprudential measures, manages and exercises surveillance functions over the payment system, provides liquidity to markets, and acts as a lender of last resort.

Application of data protection and consumer laws

Data protection and consumer regulations

Law 1266 of 2008, Law 1581 of 2012 and Decree 1337 of 2013 each regulate data collection and processing by any financial, commercial and credit institution. The regulations differentiate between the controller and the processor of the data. The data controller is any individual or legal, public or private entity, which by itself or in association with others, makes decisions regarding the database or the treatment of the data and is responsible for it. The data processor is any natural or legal, public or private entity, which by itself or in association with others, processes personal data on behalf of the controller.

Difference between transferring of data and transmission of data

Regulations differentiate between the transferring of data and the transmission of data. The transferring of data is the operation in which the data controller of the personal data within Colombia sends the information to a recipient (in Colombia or abroad). In this case, the recipient also becomes responsible for the data processing, and therefore shall comply with all applicable laws. Transferring data to foreign countries is prohibited, unless the recipient foreign country is deemed to provide an adequate level of data protection. The transferring prohibition shall not apply, however, in the following cases:

  • the owner of the data has authorized the transfer;
  • exchange of medical information;
  • bank transfers;
  • transfers in accordance with international treaties;
  • transfer is required due to the existence of an agreement between the owner of the information and the data controller; and
  • legally required transfer in order to safeguard public interest.

Any case other than those mentioned above requires the authorization of the Colombian Superintendence of Industry and Commerce (SIC).

By contrast, the transmission of data is the communication between the data controller and the data processor in which the data is sent by the data controller and processed by the data processor on behalf of the data controller. International transmission does not require the authorization of the data owner, as long as an agreement has been executed between the data controller and data processor.

Money laundering regulations

Firms that are supervised and controlled by the SFC must implement an asset laundering and financing terrorism risk management system (SARLAFT) in order to prevent money laundering and terrorist financing. The SFC has the responsibility to report to the Special Administrative Unit and Financial Analysis (UIAF) any operations conducted by controlled or supervised firms that may be categorized as suspicious, in order for the UIAF to initiate an investigation.

The UIAF has the responsibility to detect, prevent and overcome practices related to money laundering and financing of terrorism by centralizing and analyzing all of the information collected in the exercise of its faculties.

Last modified 20 Oct 2017 | Authored by DLA Piper Martinez Beltran

Czech Republic

General financial regulatory regime

The Czech National Bank (CNB) is the conduct regulator for firms providing financial products and services in both retail and wholesale markets.

General

A person must not carry on a regulated activity in the Czech Republic unless authorized or exempt (known as the general prohibition). A financial activity requires regulatory authorization when it is identified as a specified activity in relation to a specified investment, it is carried on by way of business in the Czech Republic and it does not fall within any of the available exemptions. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the CNB.

Peer-to-peer lending

A person carries out a regulated activity (requiring authorization by the CNB) if they facilitate lending and borrowing between two individuals or between individuals and businesses in its ordinary course of business.

Regulation of payment services

Where a Czech business provides payment services as a regular occupation or business activity in the Czech Republic, it will require authorization by the CNB to become an authorized payment institution under the Payment Services Regulations 2017. Failure to obtain the required authorization is a criminal offence. The regulations implement the European Union Payment Services Directive II.

In order to become authorized by the CNB, a payment services business will need to meet certain criteria, including in relation to its business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

Application of data protection and consumer laws

The Czech Act No. 101/2000 Coll. on the Protection of Personal Data (DPA) regulates the processing of personal data within the Czech Republic. The DPA implements the European Data Protection Directive. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the DPA and have certain notification and compliance obligations.

The European General Data Protection Regulation (GDPR) is due to replace the DPA from 25 May 2018 (which will result in a newly drafted Czech Act reflecting the provisions of the GDPR). The GDPR is more prescriptive and restrictive than the principles-based DPA: it includes mandatory notifications where a breach occurs and provides for severe monetary sanctions for breach.

Money laundering regulations

The Czech Act No. 253/2008 Coll. on certain measures against legalization of revenues from criminal acts and financing of terrorism, as amended, gives the CNB responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment. This act also implements the European Union's Fourth Money Laundering Directive.

Generally, where a firm is authorized and supervised by the CNB it will also be authorized and supervised by the CNB for complying with anti-money laundering requirements. Electronic currencies such as bitcoin and cryptocurrencies tend to represent a higher money laundering risk.

Last modified 20 Oct 2017

Finland

General financial regulatory regime

The Finnish Financial Supervisory Authority (FIN-FSA) is the regulator for firms providing financial products and services in both retail and wholesale markets.

General

A person must not carry on a regulated activity in Finland unless authorized or exempt. A financial activity requires regulatory authorization when it:

  • is identified as a specified activity in relation to a specified investment;
  • is carried on by way of business in Finland; and
  • does not fall within any of the available exemptions.

Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the FIN-FSA.

FIN-FSA Innovation Help Desk

To foster the growth and development of startup companies and other innovators, the FIN-FSA has set up an Innovation Help Desk to advise whether an innovation requires authorization and to advise further on permits, registration and other authorization issues. The FIN-FSA Innovation Help Desk is available to both startup companies in the sector and enterprises that are already established and are planning a new type of product, service or way of operating.

Virtual currency

The Act on virtual currency providers (572/2019) entered into force on 1 May 2019. The Act is part of the national implementation of the EU's Fifth Anti-Money Laundering Directive. According to the definition, a virtual currency means a digital representation that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically. Further FIN-FSA regulations and guidelines 4/2019 concerning virtual currency providers enter into force on 1 July 2019.

According to the Act on virtual currency providers, virtual currency issuers, operators of virtual currency exchange services (including marketplaces) and providers of virtual currency custodian wallet services are subject to a registration obligation as of 1 May. Virtual currency providers operating in the market prior to the entry into force of the Act must submit an application for registration with the FIN-FSA by 18 August 2019 in order that their qualification for registration can be assessed by 1 November. New providers considering the launch of activities after the entry into force of the Act may only provide services to customers after their applications for registration have been processed and approved.

Virtual currency providers are considered obliged entities under the Anti-Money Laundering Act as of 1 December 2019, which means that they must report suspicious transactions to the Financial Intelligence Unit of the Police. The FIN-FSA supervises the actions and measures of virtual currency providers related to anti-money laundering and counter-terrorist financing.

Crowdfunding services and peer-to-peer lenders

Crowdfunding services

The Crowdfunding Act (Fi: Joukkorahoituslaki 734/2016, as amended) (Crowdfunding Act) entered into force in September 2016. The objective of the Crowdfunding Act was to clarify the responsibilities of various authorities in the supervision of crowdfunding, to improve investor protection, to diversify the financial markets and to ease the regulation on entities offering crowdfunding services.

The Crowdfunding Act covers both loan-based crowdfunding and investment-based crowdfunding (ie which involves the issue of securities or other instruments), but is not applied to either peer-to-peer (P2P) lending or to money collection. Under the Crowdfunding Act, entities offering crowdfunding services (ie crowdfunding intermediaries) must have a permit issued by, and entered in, a register maintained by the FIN-FSA. Depending on the operating model of the crowdfunding intermediary, the operations may also be subject:

  • to other regulations, such as the:
    • Money Collection Act (Fi: Rahankeräyslaki 255/2006, as amended);
    • Sale of Goods Act (Fi: Kauppalaki 355/1987, as amended); and
    • Consumer Protection Act (Fi: Kuluttajansuojalaki 38/1978, as amended) (as is the case with loan-based crowdfunding); or
  • to financial markets legislation, such as the:
    • Credit Institutions Act (Fi: Laki luottolaitostoiminnasta 610/2017, as amended);
    • Investment Services Act (Fi: Sijoituspalvelulaki 747/2012, as amended);
    • Act on Alternative Investment Fund Managers (Fi: Laki vaihtoehtorahastojen hoitajista 162/2014, as amended); and
    • Securities Markets Act (Fi: Arvopaperimarkkinalaki 746/2012, as amended) (with investment-based crowdfunding).

Intermediaries providing services under the Crowdfunding Act are within the optional exemption available to European Union member states under article 3 of the Markets in Financial Instruments Directive (MiFID 1). This means that crowdfunding intermediaries operating under the Crowdfunding Act do not require authorization as MiFID investment firms. Consequently, entities permitted by FIN-FSA to offer crowdfunding services are not within the European Union passporting regime and may not offer crowdfunding services in other European Economic Area (EEA) countries and, vice versa, entities authorized in other EEA countries may not offer such services in Finland without FIN-FSA’s permission. It should be noted, however, that this position does not apply to entities which have been authorized to carry out a regulated activity which is within the scope of MiFID 1. These include inter alia credit institutions operating under the Credit Institutions Act (Fi: Laki luottolaitostoiminnasta 610/2017, as amended) and investment firms operating under the Investment Services Act (Fi: Sijoituspalvelulaki 747/2012, as amended). Such entities may act as crowdfunding intermediaries under their authorization without needing separate permission for crowdfunding services.

Peer-to-peer lenders

P2P lending so far requires no authorization; hence, for example, the administrative staff, internal control or risk management systems of a P2P lending intermediary are not subject to official supervision. This also means that there is no supervision of the credit ratings that may be assigned to borrowers by P2P lending companies. However, authorities have decided that certain participating parties in P2P lending must be entered in a register of credit providers maintained by, and must be supervised by, the Regional State Administrative Agency of Southern Finland (Fi: Etelä-Suomen aluehallintovirasto). Under the Act on Registration of Certain Loan Providers and Credit Brokers (Fi: Laki eräiden luotonantajien ja luotonvälittäjien rekisteröinnistä 853/2016, as amended) the lending intermediary must be registered in the register maintained by the Regional State Administrative Agency of Southern Finland if they provide consumer credit or are considered to offer consumer credit, as defined in the Consumer Protection Act (Fi: Kuluttajansuojalaki 38/1978, as amended) or if they act as an intermediary in P2P lending.

Regulation of payment services

Payment services include, for example, account transfers, card payments and direct debits (where the service provider acts as intermediary between payer and payee and transfers funds between the parties in accordance with given instructions). In Finland, payment services can only be provided by service providers that meet the requirements laid down in the Payment Institutions Act (Fi: Maksulaitoslaki 297/2010, as amended), either acting as authorized payment institutions or entities that the FIN-FSA has approved for the provision of payment services without actual authorization.

Payment services can be provided without authorization, as long as the total value of completed transactions does not exceed:

  • for natural persons, an average of €50,000 a month over a period of 12 months; and
  • for legal persons, an average of €3 million a month.

However, those providing payment services without authorization must submit a notification to FIN-FSA prior to the commencement of the service. After receiving such a notification, FIN-FSA investigates whether the service provider meets the statutory requirements.

  • A natural person cannot be authorized as a payment institution.
  • Legal persons must apply for authorization as a payment institution if the total value of their payment services exceeds the above-mentioned limit.
  • A credit institution may provide payment services based on its own authorization.
  • A foreign payment institution authorized in EEA may also provide payment services in Finland, provided that proper notification is made to FIN-FSA.

The legal requirements for the provision of payment services, such as the disclosure requirements and contract terms and conditions, are laid down in the Payment Services Act (Fi: Maksupalvelulaki 290/2010), as amended. It regulates, for example, the service provider's obligation to provide information to end users on the terms of the relevant agreement governing the provision of the services and executed payments. It also regulates how payments are executed, what the terms and conditions are, and what responsibilities the parties have.

FIN-FSA supervises terms and conditions, disclosure obligations and the carrying out of such services in respect of payment institutions, credit institutions and their agents.

The European Union’s Payment Services Directive II has been transposed into Finnish law through changes to the Payment Institutions Act and the Payment Services Act. It can be noted that the FIN-FSA complies with the European Banking Authority’s proposed additional time for strong customer authentication in e-commerce card-based payments and such requirements must be implemented by 31 December 2020.

Application of data protection and consumer laws

General principles of processing and disclosing personal data are regulated by the European General Data Protection Regulation (GDPR), supplemented by the Personal Data Act of Finland (Tietosuojalaki 1050/2018, as amended). Criminal liability may ensue if obligations of the Data Protection Act are not followed.

In addition to sector-specific regulations, general consumer protection regulation applies to the provision of payment services to consumers. A consumer is defined in the Consumer Protection Act (Fi: Kuluttajansuojalaki 38/1978, as amended) as a natural person who acquires consumer goods and services primarily for purposes other than his or her professional purposes. The Finnish consumer ombudsman supervises the terms and conditions and disclosure obligations and the carrying out of such services in respect of payment services providers without authorization, where the users of the service are consumers.

Money laundering regulations

Payment services providers must comply with anti-money laundering requirements as provided in the new Finnish Act on Preventing Money Laundering and Terrorist Financing (Fi: Laki rahanpesun ja terrorismin rahoittamisen estämisestä 444/2017, as amended), which entered into force in July 2017. The new Act implements the European Union's Fourth Money Laundering Directive.

Last modified 26 Nov 2019

France

General financial regulatory regime

The Prudential and Resolution Supervisory Authority (Autorité de contrôle prudentiel et de résolution or ACPR) and the Financial Markets Authority (Autorité des Marchés Financiers or AMF) are the supervising entities and regulators of firms providing banking and financial products and services.

General

A person must not carry on a regulated activity in France unless authorized or exempted. A banking or financial activity requires regulatory authorization when it is identified as a regulated activity, carried on by way of business on a regular basis in France and it does not fall within any of the available exemptions. Where FinTech products and/or applications involve banking or financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the ACPR or the AMF.

ACPR’s FinTech Innovation Unit

The FinTech Innovation Unit is the ACPR team dedicated to FinTech and to innovative project initiators. The unit provides an interface between project initiators and the relevant ACPR departments, as well as the Bank of France (for projects regarding payment services) and the AMF (for projects regarding investment services). The ACPR considers that an innovative financial project consists of the creation of a company ('startup style') with a strong level of innovation and acting in one or several financial fields under ACPR’s supervision.

AMF’s FinTech, Innovation and Competitiveness Division

The AMF’s FinTech, Innovation and Competitiveness Division assists stakeholders in analysing innovations in the investment services industry, identifying competitiveness and regulation challenges and, where applicable, evaluating the need to modify European regulations or the AMF policy. The ambition of the AMF is to develop an ecosystem that promotes FinTechs in order to make the Paris financial centre more attractive to foreign participants and facilitate the development and support of FinTechs.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Electronic payment platforms’ activities are generally considered regulated payment services activities requiring a payment institution authorization from the ACPR. Electronic payment platforms may also be authorized as lightly-supervised payment institutions if they do not exceed the threshold of an average volume of monthly payment transactions of EUR3 million. Depending on their features, such platforms may also trigger other qualifications and regulatory regimes and, notably, fall within the scope of the new “Pacte” law (dated 22 May 2019) – digital assets framework.

Peer-to-peer lenders

A person carries out a regulated banking activity if they provide lending or facilitate lending and borrowing between individuals or between individuals and businesses, in particular through an electronic platform, by way of business on a regular basis. Such regulated activity can be carried out if the person is authorized as a credit institution or financing company, or if the person is registered as a crowdfunding intermediary.

Crowdfunding intermediaries

Any person or entity proposing, through a website, to fund projects in the form of a loan with or without interest must be registered in the Banking, Insurance and Financial Intermediaries Register (ORIAS), as a crowdfunding intermediary. Crowdfunding intermediaries are subject to organizational and business conduct rules (in particular information obligations).

Regulation of payment services

Where a person provides payment services as a regular occupation or business activity in France, it will require authorization by the ACPR to become an authorized payment institution. Failure to obtain the required authorization is a criminal offence.

In order to become authorized by the ACPR, a payment services business will need to meet certain criteria, including in relation to its business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

The PSD 2 regulation, as implemented into French law, has broadened the scope of payment services, which now extends to payment initiation and aggregation of payments.

Money laundering regulations

The Monetary and Financial Code (CMF), which will implement the European Union's Fifth Money Laundering Directive by 10 January 2020, contains the legal provisions governing anti-money laundering and terrorism financing. The ACPR and AMF are responsible for supervising the compliance of regulated banking and financial entities with anti-money laundering requirements.

The CMF expressly includes platforms facilitating the trade of virtual currencies under the scope of the anti-money laundering legal and regulatory framework.

Last modified 21 Sep 2017

Germany

General financial regulatory regime

The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or BaFin), and the Deutsche Bundesbank are the regulatory authorities in Germany with respect to firms providing banking or financial products and services.

A person must not carry out a regulated activity in Germany unless authorized or exempt under the German Banking Act or the Payment Services Supervision Act. Where FinTech products or applications involve any financial activity which requires regulatory authorization, the firms providing such products or applications must obtain such authorization prior to commencing their regulated business activity. Carrying out regulated activities without the necessary authorization is a criminal offence.

The BaFin has published guidance for FinTech companies, in particular as to the question of whether certain business activities (eg crowdlending, crowdinvesting or robo advice) require a license in Germany.

Banks and financial services providers

Any FinTech provider that either conducts banking business or provides financial services must obtain a prior written authorization under the German Banking Act.

Regulation of payment services

Payment services providers are regulated under the Payment Services Supervision Act and require a prior written authorization by the BaFin for carrying out payment services.

Application of data protection and consumer laws

FinTechs dealing with consumers must comply with all relevant consumer protection laws (eg in relation to information obligations). FinTechs must also comply with the applicable data protection legislation, in particular if they come in contact with any personal data.

Money laundering regulations

Generally, where a firm is authorized as either a financial institution or a payment services provider it will need to comply with the regulations on money laundering, in particular with the requirements set out in the German Money Laundering Act.

Last modified 20 Oct 2017

Ghana

General financial regulatory regime

Other than as specified in this section, there are as yet no fintech-specific laws or regulations. Where fintech businesses engage in regulated activity such as deposit-taking, lending, insurance or investment, they are subject to the rules generally applicable to those activities.

The Payment Systems and Services Act, 2019 (Act 987), which entered into force on 14 May 2019, establishes a regime of licensing and regulation by the central bank of payment service providers, operators of payment systems, and electronic money issuers. Existing operators have been given nine months to comply with the new regime. It is not yet clear if all electronic payment platforms will be regulated as payment systems under the Act.

A payment service provider or electronic money issuer must have at least 30% Ghanaian ownership. The Bank of Ghana may prescribe minimum capital requirements. 

Regulations under the Payment Systems and Services Act are to be issued by the Minister of Finance on the advice of the central bank.

Application of data protection

A registration certificate from the Data Protection Commission is required in an application for a license by a payment service provider or electronic money issuer. The data protection principles enacted in the data protection legislation apply to entities providing these services. 

Consumer laws 

Consumer protection principles, including transparency, disclosure of sufficient information, fair treatment and client access to redress are laid down in Act 987. The central bank has the authority to make final determination of complaints by clients against payment services providers and electronic money issuers.

Money laundering regulations

Fintech businesses are likely to belong to the extensive list of entities identified as “accountable institutions” under the anti-money laundering legislation, eg as businesses which provide financial services that involve the remittance or exchange of funds. They are therefore subject to record-keeping, due diligence, client identification and verification, reporting and disclosure obligations, and liable to the sanctions prescribed for breach of these obligations.

Cryptocurrency

The Securities and Exchange Commission and the Bank of Ghana have both issued directives on cryptocurrency indicating that they do not license or regulate cryptocurrency. Act 987 does not appear to have changed that position.  

Last modified 15 Jan 2020 | Authored by Reindorf Chambers

Hungary

General financial regulatory regime

The National Bank of Hungary (National Bank) is the conduct regulator for firms providing financial products and services in both retail and wholesale markets, and also the prudential regulator for many firms. It is also responsible for enforcing the market abuse and listing regimes.

General

Under Hungarian law, carrying on finance and investment activities by way of business is subject to government authorization. All financial institutions/investors must apply to the National Bank for authorization. The National Bank will also approve key individuals (eg senior management) in their roles. Authorized firms and individuals are listed on the Registry of the National Bank. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the National Bank.

Regulatory developments on investment platforms

The Hungarian regulatory framework on investment platforms follows the direction of European Union developments.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Act CCXXXV of 2013 on Payment Service Providers (Payment Service Act) regulates the establishment and the operation of electronic payment platforms. A number of FinTech businesses are offering electronic payment platforms to rival the traditional payment systems. The Payment Service Act and Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (Financial Institutions Act) contain a number of electronic money (e-money)-related rules, aimed at businesses that are issuing or considering the issuance of e-money. E-money is defined by the Financial Institutions Act as electronically, including magnetically, stored monetary value as represented by a claim on the issuer of the e-money which is issued on receipt of funds for the purpose of making payment transactions, and which is accepted by a natural or legal person, unincorporated business association or private entrepreneur other than the e-money issuer. Generally, firms issuing e-money must be authorized or registered with the National Bank.

Peer-to-peer lenders

A person carries out a regulated activity (requiring authorization by the National Bank) if they facilitate lending and borrowing on a commercial scale.

Regulation of payment services

Under Hungarian law, carrying on finance and investment activities by way of business is subject to authorization. By way of business means gainful (for-profit) economic activities performed on a regular basis for compensation, involving the conclusion of deals which have not been individually negotiated. In order to become authorized by the National Bank, a payment services business needs to meet certain criteria, including in relation to its business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

Application of data protection and consumer laws

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Data Protection Act) regulates the processing of personal data within Hungary. The Data Protection Act implements the European Data Protection Directive. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the Data Protection Act and have certain notification and compliance obligations. In addition, Act CVIII of 2001 on Electronic Commerce and on Information Society Services stipulates further data protection provisions related to transactions made through electronic commerce.

The European General Data Protection Regulation (GDPR) is set to come into effect on 25 May 2018. The GDPR is more prescriptive and restrictive than the Data Protection Act: it includes mandatory notifications where a breach occurs and provides for severe monetary sanctions for breach.

Money laundering regulations

Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing gives the National Bank responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment. These regulations implement the European Union's Fourth Money Laundering Directive.

Generally, where a firm is authorized and supervised by the National Bank it will also be authorized and supervised by the National Bank for complying with anti-money laundering requirements. Electronic currencies such as bitcoin and cryptocurrencies tend to represent a higher money-laundering risk.

Last modified 20 Oct 2017

Ireland

The Central Bank of Ireland is the conduct regulator for firms providing financial products in both retail and wholesale markets.

General

A person must not carry on a regulated activity in Ireland unless authorized or exempt. A financial activity requires regulatory authorization when it involves the provision of services or undertaking of activities constituting a regulated activity (as defined in legislation). Where fintech businesses provide a regulated activity and cannot avail of an exemption, they will fall within the existing body of financial regulation and so require prior authorization from the Central Bank of Ireland to conduct business.

Where a fintech business is authorized, it will be subject to Irish legislation and various ongoing Central Bank of Ireland requirements, but fintech companies authorized by the Central Bank of Ireland can benefit from regulatory passporting across the EU. Payment institutions, electronic money institutions (EMIs), investment companies, money transmission businesses and payment initiation and account information service providers are examples of business models which may require authorization, as will certain crowdfunding platforms when the EU Crowdfunding Regulation comes into force.

Innovation Hub

The Central Bank of Ireland launched its Innovation Hub in April 2018 to enable open and active engagement with all firms innovating in financial services. The Innovation Hub provides firms with a direct and dedicated point of contact at the Central Bank of Ireland as a means to pose questions on the authorizations process or the regulatory framework, or to engage in a discussion on their product or service outside of the more formal regulatory process.

Crowdfunding and Peer-to-Peer Lenders

Crowdfunding is a relatively new and growing industry and is working for businesses in Ireland by providing peer-to-peer lending. The speed at which funds can be raised through platforms such as LinkedFinance, Flender, Fund:it and Kickstarter makes this a particularly attractive option for small businesses. Currently, the lending model is more prevalent in Ireland (as opposed to equity investment), but Spark Crowd Funding launched Ireland's first equity crowdfunding platform, and the company seeking to raise new money to finance its growth plans offers a fixed number of shares to subscribers (ie the crowd) in return for finance.

Ireland does not currently have a bespoke regulatory regime for crowdfunding. However, the EU Commission has published a proposal for an EU Crowdfunding Regulation which would include a comprehensive authorization and passporting regime for crowdfunding platforms across Europe. The Central Bank of Ireland also issued a Feedback Paper on the Regulation of Crowdfunding in Ireland, which indicated that “proportionate” regulation was favored generally.

Plans by the Department of Finance to regulate crowdfunding could further develop the debt funding options for fintech businesses.

Cryptocurrencies

Cryptocurrencies and cryptoassets are not subject to specific regulation in Ireland, and the Central Bank of Ireland confirmed that such virtual currencies do not have legal tender status in Ireland. While there is no specific regulation, it should be noted that cryptocurrencies or cryptoassets may be subject to the existing regulatory frameworks that are in place.

The regulation of cryptoassets is currently being considered at an EU level and Ireland would likely follow any proposed approach to ensure the implementation of a uniform regulatory regime.

Electronic Money

Electronic money (E-Money) is a relatively recent kind of payment instrument. Instead of using a debit card (which requires a bank account) or a credit card (which requires a contract agreement) the customer has purchased a non-cash means of payment. This may be in the form of value stored on a technical device such as a chip card or a computer and can be best described as a digital form of cash since it has many of the characteristics of cash. E-money can therefore be defined as monetary value as represented by a claim on the issuer, which is electronically stored, issued on receipt of funds for the purposes of making payment transactions and accepted as means of payment by a natural or legal person other than the issuer.

An E-Money institution is an undertaking that has been authorized to issue E-Money in accordance with the European Communities (Electronic Money) Regulations 2011, as amended (the EMR). An applicant seeking authorization must satisfy the Central Bank of Ireland that it can meet the authorization standards set out in the EMR. In complying with these standards, the Central Bank of Ireland, as gatekeeper, adopts a robust and structured process and so only applicants that can demonstrate compliance with these authorization requirements are authorized. The Central Bank of Ireland provides guidance on its website for firms considering applying for authorization as an electronic money institution, to provide clarity with regard to the process, its requirements and timelines.

Regulation of payment services

The Payment Services Regulations 2018 enhance regulation in the area of fintech by: (i) increasing reporting obligations applicable to providers offering payment services; (ii) applying new authorization requirements for providers offering payment services (payment initiation and account information service providers now require authorization); and (iii) requiring that all remote and online payment transactions meet strong customer authentication requirements.

The issue of strong customer authentication is subject to regulatory technical standards published by the European Banking Authority.

Application of data protection and consumer laws

The Data Protection Acts 1988-2018 (the DPA) regulate the processing of personal data within Ireland. The DPA gives further effect to the European General Data Protection Regulation (EU) 2016/679 (the GDPR), which came into effect on May 25, 2018. As a European Regulation, GDPR has direct effect in Irish law and automatically applies in Ireland. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the DPA and have certain notification and compliance obligations.

The GDPR is more prescriptive and restrictive than the principles-based DPA: it includes mandatory notifications where a breach occurs and provides for severe monetary sanctions for breach. GDPR sets the key principles, rights and obligations for most processing of personal data.

The ePrivacy Regulations (SI 336/2011) regulate direct marketing by electronic means. The general rule is that the affirmative consent of the recipient is required (such as by specifically opting-in). Even where the direct marketer has the consent of the data subject to use their personal data for marketing, that consent may be withdrawn by the data subject. Article 21 of GDPR provides that a data subject has the right to object at any time to the use of their data for such marketing.

Money laundering regulations

The Irish legislation in this area is the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended by Part 2 of the Criminal Justice Act 2013 and the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (the MLA). The MLA gives the Central Bank of Ireland responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment. Generally, where a firm is authorized and supervised by the Central Bank of Ireland it will also be authorized and supervised by the Central Bank of Ireland for complying with anti-money laundering requirements. The Central Bank of Ireland has published guidelines setting out its expectations for credit and financial institutions in relation to compliance with their obligations with regard to anti-money laundering and countering the financing of terrorism.

In addition, the General Scheme of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2019 will transpose the Fifth EU Anti Money Laundering Directive (EU) 2018/843 into Irish law and will impose obligations on (certain types of) exchanges and wallet providers and will bring the following firms within the scope of the MLA:

  • cryptoasset exchange providers (including Cryptoasset Automated Teller Machine (ATM), Peer to Peer Providers, Issuing new cryptoassets, e.g. Initial Coin Offering (ICO) or Initial Exchange Offerings); and
  • custodian wallet providers.

Last modified 16 Jul 2020

Italy

General financial regulatory regime

In relation to the performance of banking, financial or payment services, the main Italian supervisory authorities are:

  • the Bank of Italy, which is the central bank of Italy and is entrusted with the overall regulatory supervision of banks and other financial intermediaries, including payment services providers and e-money issuers; and
  • the CONSOB, which is the Italian government authority responsible for regulating the Italian securities market as well as the provision and marketing of investment services.

CONSOB is entrusted with supervising the transparency and correctness of regulated entities, including banks and financial intermediaries providing investment services, and with monitoring compliance with the rules of conduct generally imposed on such intermediaries.

Additional authorities also operate, in relation to specific sectors (eg insurance) or in connection with specific issues (eg competition and data protection).

General

The provision of banking, financial and payment services in Italy is reserved to authorized intermediaries. A person must not carry on a regulated activity in Italy unless authorized or exempt.

Consequently, where FinTech products and applications involve financial activities falling within the scope of the required regulatory authorizations, the firms providing such products and applications, if not otherwise exempt, must be authorized/passported, as the case may be.

Following a public debate involving market operators and based on a document for discussion, CONSOB recently published a report on the initial offers and exchanges of crypto-activities. Pending the establishment of a shared European regulatory framework on crypto-assets and, in particular, on their possible qualification as securities, CONSOB’s intention was to start a debate at national level on initial coin offerings (ICOs) and crypto-assets exchanges, in connection with the recent spread of ICOs and, therefore, of crypto-assets invested in by Italian investors.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic money (e-money)

Reference shall be made to the provisions of the e-money directive No. 2009/110/EC (EMD) and to its national implementing measures, which include the Consolidated Banking Act and Legislative Decree No. 45, 16 April 2012, containing the EMD's implementing decree, both as amended from time to time. Moreover, for a complete understanding of the applicable legal and regulatory framework, the rules regulating the provision of payment services shall also be considered, as well as the Bank of Italy secondary level provisions.

E-money is defined as the electronically (including magnetically) stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the e-money issuer and includes pre-paid cards and electronic pre-paid accounts for use online.

All providers performing payment services or e-money related activities must be authorized by, or passported with, the Bank of Italy, although, based on the specific functioning mechanism, the management of electronic payment platforms could qualify as a reserved activity, subject to regulations governing payment service providers and e-money issuers, or fall within one of the possible exemptions (eg if the firm qualifies as a mere technical service provider supporting the provision of the relevant services without any involvement in their offering or performance).

Peer-to-peer lending

Peer-to-peer lending activities (also 'social lending' or 'lending based crowdfunding') are defined, under the Italian regulatory framework, as 'the mechanism through which a plurality of borrowers could demand to a plurality of potential lenders, by means of online platforms, refundable funds for personal use or to fund a project'.

Based on the similarity of such activities with those relating to the public savings collection and considering that the latter, in accordance with the Consolidated Banking Act, are exclusively reserved to duly authorized credit institutions, since November 2016, the Bank of Italy has regulated social lending by a regulation governing the performance of collection activities carried out by subjects other than banks. The relevant provisions mainly clarify the conditions to be complied with in order to avoid a qualification of social lending services as reserved savings collection activities.

Bank of Italy's regulation refers both to the managers of social lending platforms and to the subjects who collect or lend funds through such platforms and is generally aimed at preventing non-banking entities from raising significant amounts of funds vis-à-vis an indefinite number of borrowers. In this sense, managers and collectors are, in any case, precluded from collecting demand deposits and from carrying out other forms of collection whatsoever involving the issuance or management of payment instruments having generalized usability. No limits are imposed on banks in carrying out social lending activities through online portals.

The Bank of Italy does not have investigation or sanctioning powers on non-banks entities providing collection activities. Any infringement of the aforesaid provisions is governed by criminal law.

A special regime for the collection of risk capital via online portals (equity crowdfunding) is regulated by the Italian securities law (in particular by the Crowdfunding Regulation (as amended by CONSOB resolution No. 21110 dated 10 October 2019), adopted by CONSOB pursuant to articles 50-quinquies and 100-ter of the Consolidated Financial Act). In equity crowdfunding, the securities respectively sold are issued by Italian innovative startups and small-to-medium-size companies or by certain undertakings for collective investments investing in those kinds of companies. The managers of such portals shall comply with a set of requirements and, in order to be entitled to operate, are enrolled in a specific register kept by CONSOB.

Following recent amendments to the Consolidated Financial Act and the Crowdfunding Regulation, the Italian regulation also introduced the possibility, within certain limits, for the aforesaid entities to collect bonds and other debt financial instruments through such online portals (debt crowdfunding).

The other possible forms of crowdfunding are not formally regulated and may be included – depending on the specific features and structures adopted – in other forms of financial activity, such as those relating to the granting of loans (whose performance is reserved to duly authorized financial intermediaries).

Regulation of payment services

Reference shall be made to the provisions of the PSD2 and to its national implementing measures, which include the Consolidated Banking Act, and Legislative Decree No. 11, 27 January 2010, containing the PSD2's implementing decree (PS Decree), both as amended from time to time, as well as Bank of Italy secondary level provisions.

All providers performing payment services related activities shall be authorized by (or passported with) the Bank of Italy.

In providing and marketing their services, payment services providers must also comply with the transparency and disclosure requirements set forth in the Transparency Provisions.

Application of data protection and consumer laws

The Italian Data Protection Code (Legislative Decree No. 193/2003) applies to the processing of personal data, including data held abroad, if the processing is performed by:

  • an Italian or European Union company with a branch/stable organization in Italy;
  • an entity established in the territory of a country outside the European Union, where said entity makes use in connection with the processing of equipment, whether electronic or otherwise, situated in the Italian territory, unless such equipment is used only for purposes of transit through the territory of the European Union; and
  • a non-European Union controller processing data through a branch/stable organization in Italy.

Data processing under the Italian legislation may imply certain notification and compliance obligations and can give rise to privacy issues such as:

  • whether the data is used appropriately;
  • whether the collection of data is carried out in an appropriate manner;
  • whether the data is disclosed only where disclosure is appropriate;
  • whether the data is stored and transmitted safely;
  • how long the data will be retained for;
  • the circumstances under which the data subject can access and correct the data; and
  • whether the data subject is sufficiently and appropriately informed about these matters.

The European General Data Protection Regulation (GDPR) will officially replace some of the provisions of the Italian Data Protection Code from 25 May 2018, but its principles are already being enacted in the Measures issued by the Italian Data Protection Authority. The GDPR is more prescriptive and restrictive; it includes mandatory notifications where a breach occurs and provides for severe monetary sanctions in case of breach.

The Italian Consumer Code (Legislative Decree No. 206/2005) applies to any service offered to natural persons acting for purposes outside their trade, craft, business or profession. It includes rules relating to matters such as unfair commercial practices and unfair terms. In order to ensure compliance with the Italian Consumer Code, Fintech companies may consider the implementation of solutions aimed at monitoring and analyzing customer services, mitigating fraud and abuse, and implementing fair lending systems.

Money laundering regulations

The Italian rules governing the prevention of the use of the financial system for money laundering (AML) and/or terrorist financing (CTF) purposes are mainly contained in Legislative Decrees No. 231 of 21 November 2007 (AML Decree), and No. 109 of 22 June 2007, which implement the Fourth and Fifth AML Directives. Additional secondary level provisions which complete the new regulatory framework introduced by the Fourth and Fifth AML Directives have been issued by the Bank of Italy.

In general terms, the Central Information Unit (Unità di Informazione Finanziaria), established within the Bank of Italy, is empowered with supervision and monitoring powers on AML and CTF issues. The overall prevention system:

  • is based on the collaboration and coordination between each of the operators and the administrative and investigation authorities;
  • is regulated according to the risks involved; and
  • requires the operators to comply with a series of informative and record-keeping obligations.

FinTech services and activities, where relevant in light of the above, are subject to AML and CTF provisions, especially when involving activities considered as high money-laundering risks. Furthermore, with the implementation of the Fourth and Fifth AML Directives, the Italian legislator has expressly included “crypto currency operators” and “custodian wallet providers” within the category of the “other non-financial operators” subject to the provisions of the AML Decree. Crypto currency operators are defined as “any natural or legal person which provides third parties, in a professional capacity, with services that are functional to the use, the exchange, the custody and storage of virtual currencies and their conversion from, or into, currency of legal tender, or in digital representations of value, including those convertible in other virtual currencies as well as issuing, offering, transfer and clearing any other service instrumental to the acquisition, negotiation or intermediation in the exchange of the virtual currencies”. Custodian wallet providers are, in turn, defined as “any natural person or entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies”.

It should be noted that, according to the aforesaid AML regulations, crypto-currencies operators and custodian wallet providers are, as of today, subject to the AML obligations to the extent that their operations include the performance of the activity of cryptographic storage or of conversion of virtual currencies from, or into, currency of legal tender.

In addition to the above, FinTech providers qualifying as banking or financial institutions or payment services providers shall also comply with the customer due diligence and organisational requirements set forth in the secondary level regulations of the Bank of Italy.

Last modified 22 Jan 2020

Ivory Coast

Ivory Coast

General financial regulatory regime

The Regional council for public savings and financial market (CREPMF) is the regulator for the provision of financial products and services.

General

The conduct of regulated financial activities requires prior authorizations or approvals, generally from the CREPMF and the BCEAO.

Some restrictions, specific laws, regulations and procedures may apply to fintech products.

Entities providing fintech products and services with regulated financial activity components are required to be authorized and comply with different laws, rules and regulations such as data protection and the like.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payments platforms are governed through BCEAO Instructions, mainly Instruction N° 008-05-2015 governing the terms and conditions for the exercise of the activities of issuers of electronic money in the Member States of the West African Monetary Union (WAMU).

E-money transactions done through cards, internet and telephone are regulated under said instruction.

The definition of e-money takes into account “good international practice”: e-money is a monetary value that is electronically stored, issued against funds provided in at least an equal amount, and accepted as a means of payment by both individual and corporate third parties.

Banks, payment services companies and microfinance institutions (MFIs) are allowed to issue e-money and can conduct e-money transactions.

Banks and payment services companies holding existing BCEAO licenses along with e-money authorizations, as FI issuers, must notify BCEAO two months in advance of any deployment, while microfinance institutions (MFIs) must get prior authorization from the Minister of Finances after BCEAO consent.

Nonfinancial companies may also issue e-money after obtaining a license. These issuers are called Etablissements de Monnaie Electronique (EMEs or non-FI issuers). They must meet separate standards on corporate governance and related matters to obtain a license. These EME companies must be solely dedicated to e-money issuance (i.e. providing payment, transfer, and cash-in/out services). They cannot provide savings or credit services. EMEs can own shares only in other entities involved in e-money issuance.

Peer-to-peer lenders

It is important to mention that there is no specific regulation regarding this matter.

However, the need to regulate this type of product in order to protect consumers has been noted in some countries. The Regional Council and the BCEAO are considering the matter with a view to proposing protection mechanisms for consumers.

Regulation of payment services

Structures or establishments intending to exercise payment services are required to be duly approved or authorized, beforehand, by the Central bank. Banks and financial payment institutions authorized by laws regulating banking are allowed to conduct transactions related to payment services.

However, they are required to inform BCEAO, at least two months before the start of their electronic money issuance activities or the marketing to the general public, of any new money-related electronic service.

Electronic money institutions must be approved by the Central Bank before starting their electronic money issuing activities.

The exercise, by decentralized financial systems, of activities linked to electronic money is subject to the prior authorization of the BCEAO (Article 8 of the Instruction).

Electronic money institutions must have a specific legal form and corporate purpose. They must be constituted in the form of Joint Stock Companies or Companies with Limited Pluripersonal Liability, Mutuals, Cooperatives or Economic Interest Groups.

With the exception of banks, financial payment institutions and decentralized financial systems, the issuance of electronic money can only be carried out by a legal person whose corporate object relates exclusively to this activity.

Diverse forms of electronic payment are available in Ivory Coast. These include the use of credit and debit cards, mobile phones, online payment services such as PayPal, Alipay or Apple using the iTunes card, bank transfers and payment upon delivery.

Application of data protection and consumer laws

Data protection in Ivory Coast is regulated under Law No. 2013-45 of June 19, 2013 on the protection of personal data, which provides for the processing, transfer and other activities. The transfer of personal data to third countries is allowed subject to sufficient protection guarantees. The Ivorian Data Protection Act 2012 (DPA) regulates the processing of personal data within the Ivory Coast. It implements the Supplementary Act on Personal Data Protection within ECOWAS.

The collection and processing of sensitive data is subject to prior authorization from the Ivorian Telecommunications Regulatory Authority (Autorité de régulation des télécommunications/TIC de Côte d’Ivoire, ARTCI).

That Law regulates, among others, direct solicitation marketing by electronic means (Article 14).

The General Regulation of the CREPMF also regulates solicitation of the WAMU public (Article 176…).

Furthermore, there is a 2016 Ivorian consumer code that provides for consumer protection rules. It introduces competition rules and regulates consumer protection agencies in the marketplace.

Money laundering regulations

The applicable law is Law n° 2016-992 of November 14, 2016 relating to the fight against money laundering and the financing of terrorism (AML/CFT) and a decree gives competence to the Coordinating Committee to identify, assess, understand and mitigate the money laundering and terrorist financing risks to which the country is exposed. It is responsible for coordinating and conducting the work of the National Risk Assessment (ENR) and the elaboration of the National Strategy on AML/CFT.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2015 give the National Financial Intelligence Processing Unit (CENTIF) responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment.

Generally, where a firm is authorized and supervised by the CENTIF, it will also be authorized and supervised by the CENTIF for complying with anti-money laundering requirements. Electronic currencies and other cryptocurrencies tend to represent a higher money-laundering risk.

Last modified 3 Aug 2020

Japan

Japan

General financial regulatory regime

General

The Financial Services Agency (FSA) is the Japanese governmental authority tasked with regulating companies dealing in financial businesses, which would include FinTech businesses. There are many types of FinTech products currently available, and various types of laws or regulations may apply to such products, depending on their nature and conditions. There are three main laws, among others, which govern FinTech products:

  • the Financial Instruments Exchange Act (FIEA);
  • the Payment Services Act (PSA); and
  • the Act on the Prevention of Transfer of Criminal Proceeds (APTCP).

Restriction on FinTech products

Financial Instruments Exchange Act (FIEA)

Financial business activities such as the sale or management of securities or financial instruments are subject to FIEA, which has two main categories of requirements: filing requirements and registration requirements. However, it is still unclear whether FinTech products such as cryptocurrencies are deemed 'securities or financial instruments' to be regulated by FIEA. If FIEA applies, a company dealing in FinTech products would be required to file a Securities Registration Statement and other periodical reports with the FSA as part of its filing requirements, and would also be required to obtain a certain form of registration from the FSA as its registration requirement.

Payment Services Act (PSA)

From May 2016, PSA clearly regulates virtual currency businesses, which would include the purchase, sale or exchange of virtual currency for Japanese customers. Virtual currency exchange companies which intend to enter into the Japanese market should consider the feasibility of both obtaining the registration from the FSA and complying with the restrictions on registrants.

The restrictions imposed by PSA include:

  • segregation of customer funds and virtual currencies;
  • provision of mandatory information to customers; and
  • preparation and maintenance of transaction records for customers.

Act on the Prevention of Transfer of Criminal Proceeds (APTCP)

APTCP contains the Japanese anti-money laundering and counter-terrorist financing regulations. In general, APTCP requires financial institutions or virtual-currency business operators to implement a 'know-your-customer' process including the verification of customer identities and the maintenance of customer transaction records.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

The Banking Act and PSA regulate businesses which transfer funds between accounts regardless of whether or not such transfers would be considered payments; they require operators of a funds-transfer business to be registered or licensed. Because e-commerce markets such as Rakuten or Amazon use a payment process that contains a funds transfer, such payment platforms necessarily must be registered or licensed. However, as e-commerce market operators are given the authority to receive payments from online stores, whereby customer payments are made directly to these stores, such e-commerce market operators are not deemed to be transferring funds but rather only redeeming received funds. Construed in this manner, e-commerce market operators can avoid the registration obligation.

Peer-to-peer lenders

When peer-to-peer (P2P) lenders lend money as part of their business, even if such lenders are individuals, they must register as a money lending business. Since this would place an onerous registration requirement on lenders using P2P platforms, a partnership agreement (Tokumei-Kumiai) is used instead. Under this scheme, P2P investors do not lend but rather invest in platform providers as silent partners. An entity operating as a P2P platform provider, however, has an obligation to register as a money lending business and a financial instruments business under the Money Lending Business Act and the Financial Instruments and Exchange Act.

Regulation of payment services

In Japan, payment services are regulated mainly by two pieces of legislation:

  • PSA regulates funds transfer services, issuance of prepaid payment instruments and virtual currency exchange businesses.
  • Instalment Sales Act (ISA) regulates credit card issuers, merchant acquirers, payment service providers and merchants maintaining credit card services.

Funds transfer services are services provided by an entity other than a bank that involve the transfer of money in an amount of JPY 1 million or less, using a system to send money remotely. Where the amount transferred exceeds JPY 1 million, only banks are permitted to provide such service under the Banking Act. Credit card transactions are understood to be out of scope of the definition of funds transfer because such transactions are regulated by ISA instead. Prepaid payment instruments and credit cards share a common feature, in that both are used in exchange for goods or services; however, they differ in the direction of credit: consumers grant credit to business operators when prepaid payment instruments are issued, while business operators grant credit to consumers in credit card transactions.

Payment service providers must register their business or notify their transactions to each governing agency and maintain their internal compliance systems depending on the type of payment service and the relevant legislation. Since PSA and ISA were established separately and are regulated by separate governmental agencies, it is sometimes unclear which regime would apply to new and unique service providers. Where it is unclear which regime a business needs to be registered under, confirmation should be obtained from the governmental agencies when establishing the business.

Application of data protection and consumer laws

The Act on Protection of Personal Information (APPI) regulates the processing of personal data in Japan. For matters under its jurisdiction, the FSA has issued guidelines regarding the application of APPI which should be followed in general.

APPI was amended recently and a new concept of 'de-identified information' was introduced, meaning it would not be necessary to obtain consent to transfer de-identified information to a third party and such de-identified information can be used for any purposes regardless of the purpose for which the personal information was originally obtained. This rule may accelerate FinTech innovation in Japan. On the other hand, the new APPI also introduced other regulations including a new concept for 'sensitive information' which requires that a business entity obtain prior consent to collect 'sensitive' information from a data subject.

In 2017 the Banking Act was amended to require that settlement agents for electronic settlement systems be registered as well as imposing a duty on settlement agents to explain certain matters (e.g. compensation) to consumers. The amendments are due to become effective in 2018.

Money laundering regulations

Under APTCP, business operators such as banks and money lending business operators should conduct identity verification procedures when lending money or intermediating such money lending while also creating and maintaining records regarding identity verification. If the transactions are not conducted face-to-face, business operators should ask the borrowers for a copy of their identity verification documents and send any documents related to the transaction to them as a transfer-prohibited postal item.

Last modified 5 Dec 2019

Luxembourg

Luxembourg

General financial regulatory regime

The Commission de Surveillance du Secteur Financier (CSSF) supervises the professionals and products of the Luxembourg financial sector. It supervises, regulates, authorizes, informs, and, where appropriate, carries out on-site inspections and issues sanctions.

The National Commission for Data Protection (Commission Nationale pour la Protection des Données or CNPD), is the Luxembourg independent authority verifying the legality of the processing of personal data and ensuring the respect of personal freedoms and fundamental rights with regard to data protection and privacy. Its mission also extends to ensuring the respect of the Law of 30 May 2005 regarding the specific rules for the protection of privacy in the sector of electronic communications and the Luxembourg law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework (short title).

General CSSF positions

The CSSF was one of the first European regulators to take a position on FinTech. On 14 February 2014, the CSSF published a communique, with the following points in respect of virtual currencies:

  • Virtual currencies are considered as scriptural money (as opposed to cash money in the form of bank notes and coins), since they are accepted as a means of payment for goods and services. The issuing of virtual money is not regulated from a monetary point of view, they are not legal tender and they entail risks.
  • No one can be established in Luxembourg to carry out an activity in the financial sector without an authorization by the Minister of Finance and without being subject to the prudential supervision of the CSSF. The potentially interested persons who would like to establish themselves in Luxembourg in order to issue means of payments in the form of virtual currencies, provide payment services using virtual currencies or create a platform to trade virtual currencies, are required to define their business purpose and their activity in a sufficiently concrete and precise manner to allow the CSSF to determine which status they need to receive a ministerial authorization for.

The position of the CSSF in respect of virtual currencies has been confirmed by the European Court of Justice on 22 October 2015.

More generally, the CSSF has a balanced approach toward FinTech companies and applies the existing regulatory framework (ie the current European Union regulatory framework, as implemented in Luxembourg) in a proportionate way. The CSSF has to determine the potential benefits of the submitted innovation and whether there could be regulatory barriers linked to the innovative character of the business model it could address without circumventing the regulatory requirements. One of the main challenges is to identify risks (cyber-risks, fraud and anti-money laundering/combatting the financing of terrorism risks), which have to be properly assessed together with the mitigating measures that can be applied.

The CSSF has established a division dedicated to financial innovation and technology, focused on developing, facilitating and securing FinTech businesses.

Blockchain has also been recognised in Luxembourg law through, inter alia, the law of 1 March 2019 amending the Luxembourg law of 1 August 2001 on the circulation of securities. It introduced a new article 18bis in the law of 1 August 2001, specifying that securities may be booked and transferred through secure electronic recording devices, in particular through distributed ledgers such as blockchain, providing an alternative to the dematerialisation processes already known.

Electronic payments platforms, payment services and regulation of peer-to-peer lenders

Payment institutions

The services offered by Payment Institutions (PIs) can vary from the provision of payment infrastructures to customers (eg for services industries) to services enabling payments between individuals. It also includes facilitation of secure credit and debit card transactions, both nationally and internationally.

Electronic money institutions

Pursuant to article 1 (29) of the Luxembourg law of 10 November 2009 on payment services, on the activity of electronic money institutions (EMIs) and settlement finality in payment and securities settlement systems, as amended (PSL), electronic money (Electronic Money) means a monetary value represented by a claim on the issuer, which is:

  • electronically, including magnetically, stored;
  • issued on receipt of funds for the purpose of making payment transactions; and
  • accepted by a natural or legal person other than the Electronic Money issuer.

EMIs are institutions issuing Electronic Money.

In addition to issuing Electronic Money, EMIs are also permitted to supply all services of PIs, to grant loans (under certain conditions) linked to payment services, to supply operational services and other services closely linked to the issuing of electronic money or to the supply of payment services.

Regulation of payment services, payment institutions and EMIs

PIs and EMIs in Luxembourg are governed by the PSL, deriving from the interpretation of Directive 2015/2366 on payment services in the internal market (the second payment services Directive) (“PSD 2”) repealing Directive 2007/64/EC of 13 November 2007 on payment services in the internal market, and of Directive 2009/110/EC of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of EMIs.

Since 2007, many changes in the digitalization of financial services have led to the need for an update of the Directive 2007/64. The PSD 2 aims to tackle the shortcomings of the first directive in the modern era by impacting PIs and EMIs. PSD 2 introduced two new third-party payment service providers: Payment Initiation Services Providers and Account Information Service Providers.

Before taking a formal decision to set up an EMI or PI in Luxembourg, the prospective institutions should be approved by the CSSF and comply with mandatory conditions (eg legal form, capital requirements).

 

Peer-to-peer lenders

Under Luxembourg law, there is no specific regulatory framework in respect of peer-to-peer lending. As a result, European regulation, which mainly consists of the following, applies:

  • Regulation (EU) 2017/1129 of the European Parliament of 14 June 2017 on the prospectus to be established when securities are offered to the public or admitted to trading on a regulated market;
  • Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers; and
  • Directive 2007/64.

Note that the current position of the European Commission is that there is no need for a specific European regulation in respect of marketplace lending activities. Priority will be given to updating the current regulatory framework regulating the marketplace lending activities.

In addition, no one can be established in Luxembourg to carry out an activity of the financial sector without an authorization by the Minister of Finance and without being subject to the prudential supervision of the CSSF. The potentially interested persons who would like to establish themselves in Luxembourg to carry out marketplace lending activities are required to define their business purpose and their activity in a sufficiently concrete and precise manner to allow the CSSF to determine for which status they need to receive a ministerial authorization.

Under Luxembourg law (article 24-8 of the law of 5 April 1993 on the financial sector, as amended (1993 Law)), professionals carrying on lending operations, ie professionals engaging in the business of granting loans to the public for their own account, are required to be authorized to carry out these activities. The following, in particular, shall be regarded as lending operations for the purposes of this article:

  • financial leasing operations involving the leasing of moveable or immoveable property specifically purchased with a view to such leasing by the professional, who remains the owner thereof, where the contract reserves to the lessee the right to acquire, either during the course of or at the end of the term of the lease, ownership of all or any part of the property leased in return for payment of a sum specified in the contract; and
  • factoring operations, either with or without recourse, whereby the professional purchases commercial debts and proceeds to collect them for his own account.

This article shall not apply to persons engaging in the granting of consumer credit, including financial leasing operations as defined in paragraph 2(a) of this article, where that activity is incidental to the pursuit of any activity covered by the law dated 2 September 2011 regulating the access to the profession of craftsman, merchant, industrial as well as certain liberal professions.

Article 24-8 of the 1993 Law shall not apply to persons engaging in securitization operations. Also, authorization to act as a professional carrying on lending operations may be granted only to legal persons and shall be conditional on the production of evidence showing the existence of a share capital of not less than €730,000.

Also, applicable regulation will depend on the form of the vehicle used for the purposes of carrying out the marketplace lending activities (eg securitization vehicle or investment fund).

Application of data protection and consumer laws

The European General Data Protection Regulation ("GDPR") regulates the processing of personal data in Luxembourg. Where a business determines the purposes and manner in which any personal data is processed or processes personal data upon instructions and on behalf of a third party, it will be regulated by the GDPR and have certain compliance obligations. For instance, depending on the situation, a business may have to carry out mandatory notifications where a personal data breach occurs, or where it wishes to put in place a system allowing the surveillance of its employees. In any case, businesses will have to abide by the "data protection by design and by default" principles, which include e.g. the provision of transparent information to individuals whose personal data is processed, and the maintenance of extensive internal compliance documentation.

The Luxembourg law of 1 August 2018 on the organisation of the National Data Protection Commission and the general data protection framework (short title). The Luxembourg law of 30 May 2005, laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, regulates unsolicited direct marketing by electronic means.

 

Cloud computing

On 17 May 2017, the CSSF published the Circular 17/654, as amended by Circular 19/714 (Circular) on IT outsourcing based on a cloud computing infrastructure. The Circular is designed to clarify the regulatory framework for the use of a cloud computing infrastructure supplied by an external service provider. The Circular confirms that CSSF considers that cloud computing is a form of outsourcing. The Circular applies immediately to financial professionals, including credit institutions, investment firms, specialized financial sector professionals (FSPs), support specialized financial sector professionals, as well as PIs, and EMIs.

According to the CSSF, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Money laundering regulations

The CSSF is in charge of supervising the anti-money laundering (AML) controls of supervised entities (eg FinTech companies) which have to comply with:

  • the law of 12 November 2004 as amended (Title I, coordinated version); 
  • the Luxembourg law of 27 October 2010 enhancing the AML and counter-terrorist financing legal framework;
  • the grand-ducal regulation of 29 October 2010; and
  • the CSSF Regulation N°12-02 on the fight against money laundering and terrorist financing.

Generally, where a firm is authorized and supervised by the CSSF it will also be authorized and supervised by the CSSF for complying with AML requirements. Electronic currencies such as bitcoin and other cryptocurrencies tend to represent a higher money-laundering risk.

Last modified 10 Dec 2019

Mauritius

Mauritius

General financial regulatory regime 

At the beginning of 2019, the Financial Services Commission stated that the Framework relating to FinTech in Mauritius was finalized. The latter was published via the Government Gazette in March 2019. Through this framework, among other initiatives to position Mauritius as the African Fintech Hub, rules regarding the creation of a license for digital asset custodians were set out, a precedent not only in Africa but worldwide.

In its quest to become the blockchain hub of the Indian Ocean, Mauritius also issued an open call for innovators to take advantage of the country's new Regulatory Sandbox License (RSL). The sandbox allows companies operating in areas such as financial, medical and communications technology to start operating despite the absence of a formal legislative or licensing framework. Modeled after similar approaches employed in Australia, Singapore and the UK, the RSL is open to all innovators, but there is an emphasis on attracting blockchain innovators across all verticals. The expectation is that completed projects will help drive domestic and cross-border commerce and eventually expand into a smart city concept that links to other hub cities. 

Since launching in November 2016, the RSL has fielded several project proposals, with most under the FinTech umbrella. 

To be considered for approval, applicants must demonstrate that their project is innovative, that it is beneficial to the Mauritian economy and that it cannot be accommodated in the investor’s home jurisdiction because of legal or regulatory gaps. Qualified applicants can obtain licensure in as little as 30 days, provided that all relevant information is received and risks are properly addressed.

Electronic payments platforms and regulation of peer-to-peer lenders 

The Financial Services Commission, which is the non-bank financial services regulator, issued the draft Financial Services (Peer-to-Peer Lending) Rules 2017 (P2P Rules) for discussion in or around November 2017.

The aim of these P2P Rules is to, inter alia, establish a sound and conducive automated environment or platform for the offer and execution of alternative peer-to-peer lending, other than bank lending, for the benefit of borrowers and stakeholders in the non-banking sector of Mauritius. The community of small and medium-sized entrepreneurs/innovators will be a key category of borrowers targeted by these P2P Rules.

Regulation of payment services 

Payment services are regulated in Mauritius by the central bank, the Bank of Mauritius, which has as one of its responsibilities to regulate the banking and credit system to ensure a proper distribution of credit and a sound financial structure. 

Application of data protection and consumer laws 

The new Data Protection Act 2017 repeals and replaces the previous Data Protection Act 2004. The Data Protection Act 2017 is to a large extent in line with the provisions of the European General Data Protection Regulation (GDPR).

Money laundering regulations

Money Laundering is regulated by the Financial Intelligence and Anti Money Laundering Law. This law, inter alia, provides for the offences of money laundering; the reporting of suspicious transactions; the exchange of information in relation to money laundering; mutual assistance with overseas bodies in relation to money laundering; and for matters connected therewith and incidental thereto.

In February 2019, Mauritius was taken out of the European Commission’s high-risk third countries list. After a peer review assessment, the OECD’s Forum on Harmful Tax Practices found Mauritius’ tax regimes not to be harmful given the changes and steps taken to ensure the compliance of Mauritian provisions with international standards.

Last modified 6 Dec 2019 | Authored by Juristconsult Chambers

Mexico

General financial regulatory regime

The Financial Technology Institutions Law (Ley de Tecnología Financiera or LTF) was published on March 9, 2018, in the Official Gazette of the Federation.

General

FinTech companies in Mexico will need to be analyzed carefully to verify whether they fall under the scope of financial regulations requiring their activities to be carried on by authorized and supervised entities. Relevant regulations include those relating to banking, securities brokerage, insurance, and fund formation, among other services.

The Comisión Nacional Bancaria y de Valores (CNBV) supervises and regulates all entities in the Mexican financial system – including banks, non-bank finance companies, stockbrokerage houses, and mutual funds – in order to ensure its stability and proper operation as well as to protect the interests of the general public. Most financial entities require authorization for incorporation from CNBV (in some cases with an opinion from Mexico’s Central Bank – Banco de México or BANXICO).

Regulatory developments

The main elements of the Financial Technology Institutions Law (Ley de Tecnología Financiera or LTF) are:

  • principles – financial inclusion, consumer protection, financial stability, promotion of competition and prevention of money laundering and financing of terrorism;
  • regulated Financial Technology Institutions (FTIs)
    • crowdfunding institutions (instituciones de financiamiento colectivo);
    • electronic payment institutions (instituciones de fondos de pagos electrónicos); and
    • regulatory sandboxes/innovative companies (empresas innovadoras);
  • authorization of FTIs – to be granted discretionally by the CNBV, with prior approval by the Financial Technology Committee which will be formed by officers of BANXICO, CNBV and the Ministry of Finance;
  • corporate governance – FTIs will have to be incorporated as Mexican stock corporations (sociedad anónima or SA) or limited liability companies (sociedad de responsabilidad limitada or S de RL) in order to provide services in Mexico (CNBV will issue regulations on board of directors, officers and committee requirements for FTIs);
  • regulatory sandbox – innovative companies that obtain a temporary authorization (up to two years) to provide services to a reduced number of clients to test innovative products, services, business models and delivery mechanisms; and
  • a Fintech Council – the draft bill provides for the creation of a FinTech Council to act as a means of consultation, advice and coordination between public and private sectors.

Crowdfunding institutions

The LTF defines crowdfunding institutions as those that regularly and professionally carry out activities with the purpose of connecting an investor (funds provider) and an applicant (funds requester), through interfaces, websites or any other digital or electronic means of communication.

Crowdfunding institutions may perform the following activities:

  • debt-based crowdfunding – loans or any other type of financing by investors resulting in a direct or contingent liability of applicants;
  • equity-based crowdfunding – acquisition of instruments by investors representing the capital stock of applicants; or
  • royalty-based crowdfunding – acquisition by investors of a portion or share of a present or future asset, or the income, profits, royalties or losses resulting from projects developed by applicants.

Electronic payment institutions

The LTF defines electronic payment institutions as those institutions which regularly and professionally carry out activities through interfaces, websites or any other digital or electronic means of communication, consisting of the issuance, management, redemption and transfer of electronic payment funds, by opening accounts for their clients to make deposits in exchange for electronic payment funds, making transfers to different accounts, and delivering money in amounts equivalent to the electronic payment funds withdrawn from the relevant account.

Electronic payment funds will be those funds that:

  • are linked to monetary value equivalent to an amount in Mexican pesos or virtual assets;
  • result in a payment obligation against the electronic payment institution;
  • are issued against receipt of an amount of money or virtual assets; and
  • are accepted by a third party as money or virtual assets.

Application of data protection and consumer laws

Pursuant to the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares or Privacy Law), in the processing of personal data, the person or entity collecting personal data (data controller) must provide a privacy notice (Aviso de Privacidad or the Privacy Notice), which must be made available to the data owner prior to the processing of his or her personal data.

The term ‘processing’ is broadly defined in the Privacy Law to include the collection, use, communication, or storage of personal data by any means. Use includes all access, management, procurement, transfer and disposal of personal data.

Consent is required for all processing of personal data, except as otherwise provided by the Privacy Law. Implicit consent (notice and opt out) applies to the processing of personal data; express consent (notice and opt in) applies to the processing of financial or asset data; and express and written consent applies to the processing of sensitive personal data. Consent may be communicated verbally, in writing, by electronic or optical means, via any other technology, or by any other unmistakable indications. Express written consent may be obtained through the data owner’s written signature, electronic signature, or any other authentication mechanism set up for such purpose.

The Financial Services Consumer Protection Law (Ley de Protección y Defensa al Usuario de Servicios Financieros) and the Federal Law on Consumer Protection (Ley Federal de Protección al Consumidor) provide that product information and fees must be available to consumers.

Money laundering regulations

The Mexican anti-money laundering law (Ley Federal para la Prevención e Identificación de Operaciones con Recursos de Procedencia Ilícita) and its regulations apply to FinTech entities performing activities listed in such law as vulnerable activities. FinTech entities which fall within the scope of the regulations are required to verify the identity of the client and of any beneficiaries of transactions, register with the regulators and file monthly reports, among other requirements.

The LTF proposes that full identification of investors and applicants will be required. It will further require FTIs to use only bank accounts with authorized financial institutions to receive and transfer funds to their clients, and the use of cash would be limited to specific situations authorized by CNBV, taking into account the particular business model of the FinTech entity and the establishing of appropriate limits.

Last modified 5 Dec 2019

Morocco

General financial regulatory regime

Bank Al-Maghrib and the Moroccan Capital Market Authority (AMMC) are the main entities that supervise and regulate companies that provide banking and financial products and services.

It is prohibited to carry out a regulated activity in Morocco without a permit or exemption. A banking or financial activity is subject to authorization when it is identified as a regulated activity. As far as Fintechs are concerned, this is still a new concept in the Moroccan legal sphere. Strictly speaking, there are no specific regulations prohibiting or authorizing a particular type of FinTech activity.

However, the creation and operation of a high-tech company must be analysed on a case-by-case basis, taking into account existing laws and regulations applicable to banking, finance and insurance.

Financial regulators and legislators in Morocco have nevertheless been receptive to innovation in the field of information technology. For example, Moroccan law introduces the concepts of participatory banking and Islamic banking for their contribution to FinTech.

It also introduces the concepts of payment institution and agent of payment. In addition, the same law recognizes electronic currency.

Electronic payment platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Electronic payment platforms are considered as regulated payment service activities, offered by payment institutions and requiring an authorisation from Bank Al-Maghrib in accordance with Moroccan law.

Regulation of peer-to-peer lenders

A company is considered to be carrying out a regulated banking activity if it provides or facilitates loans and borrowings between individuals or between individuals and companies, through an electronic platform. Such activity may be carried out if the company is authorised as a credit institution, financing company or payment institution.

Regulation of payment services

When a company provides payment services as part of a regular activity in Morocco, it must be approved in advance by Bank Al-Maghrib. The provision of such services without authorization is a criminal offence.

Money laundering regulations

Moroccan law provides the regulations applicable to this type of offence.

In addition, the Anti-Money Laundering Act designates Bank Al-Maghrib as the authority responsible for controlling and supervising taxable persons within its field of competence.

In this respect, it is responsible, with regard to these persons subject to tax, for:

  • ensuring that taxable persons comply with the provisions of the anti-money laundering law; and
  • establishing the procedures for implementing the provisions of the said law (relating to the obligation of supervision and the obligation of internal monitoring).

Last modified 6 Jan 2020

Netherlands

General financial regulatory regime

General

Supervisors

The Netherlands has a ‘twin-peaks’ supervisory model. This entails that financial regulatory supervision is divided into two areas:

  • prudential supervision, on the soundness of financial entities and the stability of the financial industry (this area is supervised by the Dutch Central Bank (de Nederlandsche Bank or DNB)); and
  • market conduct supervision, on the market conduct of entities that are active on the financial markets (this area is supervised by the Autoriteit Financiële Markten (AFM)).

In addition, since 4 November 2014, the European Central Bank – in cooperation with DNB – carries out the prudential supervision of Dutch ‘significant banks’ directly and Dutch ‘less significant banks’ indirectly. The market conduct supervision of all (significant and less significant) banks remains with the AFM.

Main laws and regulations

The main laws and regulations that apply to FinTech products are the:

  • Financial Supervision Act (Wet op het financieel toezicht);
  • Market Conduct Supervision Decree (Besluit gedragstoezicht financiële ondernemingen);
  • Prudential Rules Decree (Besluit prudentiële regels Wft);
  • exemption regulation as part of the Financial Supervision Act (Vrijstellingsregeling Wft); and
  • Anti-Money Laundering Directive (2015/849/EU), as, among others, implemented in the Anti-Money Laundering Act (Wet ter voorkoming van witwassen en financieren van terrorisme).

General financial regulatory regime

A financial entity must not carry on a regulated activity in the Netherlands unless authorized or exempt. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the entities providing such products and/or applications must be authorized.

AFM and DNB InnovationHub

The InnovationHub is a joint initiative of the AFM and DNB. It provides support on queries that entities may have about supervision and regulations on innovative financial products and services.

The InnovationHub can be used for:

  • explanation of specific supervision rules and policy rules applying to innovative products and services;
  • guidance in navigating the Dutch supervisory landscape; and
  • information on potential supervision issues, eg when developing an innovative concept.

Regulatory sandbox

Since December 2016, AFM and DNB have been easing access of innovative services to the financial services market through the regulatory sandbox. The regulatory sandbox allows for tailored supervision that is driven by meeting the purpose of the standards, rather than the standards themselves. The purpose of providing the tailored policy options is to enable market operators to roll out their innovative financial products, services and business models without unreasonable obstacles.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payments platforms

In the Netherlands, the role of FinTech businesses in the electronic payments sector is growing. Depending on the characteristics of the performed activities, based on the Dutch Financial Supervision Act (Wet op het financieel toezicht or FSA), electronic payments platforms mostly engage in the following regulated activities for which authorization is likely to be required:

  • pursuing the business of providing payment services;
  • issuing electronic money; and
  • conducting the business of a bank.

Pursuing the business of payment service provider

Electronic payments platforms established in the Netherlands in principle require authorization as payment service provider when pursuing the business of providing payment services (eg the execution of payments or direct debits).

Issuing electronic money

Electronic payments platforms established in the Netherlands in principle require authorization as an electronic money institution when they issue electronic money. Electronic money has four characteristics, which are set out below.

Electronic money:

  • is a monetary value stored on an electronic carrier or remotely in a central accounting system;
  • represents a claim on the issuer;
  • is intended to be used to perform payment transactions; and
  • can be used to make payments to parties other than the issuer.

Conducting the business of bank

A payment platform established in the Netherlands (eg pre-finance payment settlements) may require authorization as a bank.

Regulation of peer-to-peer lenders

Peer-to-peer (P2P) lending (also known as loan-based crowdfunding) is a generic term that in itself is not regulated in the Netherlands. Whether a regulated activity in terms of Dutch regulatory law is carried out depends on the lending structure.

Based on the FSA, authorization is likely to be required for P2P lending, when it is structured in such a way that the entity performs one of the following activities:

  • in the course of business offering credit to a consumer and/or advisory or brokerage services in relation thereto;
  • attracting, obtaining or having the disposal of callable funds and/or performing brokerage services in relation thereto; and
  • conducting the business of a bank.

Regulation of payment services

The amended European Union Payment Services Directive (2015/2366/EU) is implemented in the FSA and delegated regulations thereto.

When a person established in the Netherlands pursues the business of providing payment services, it will require authorization by the Dutch Central Bank (de Nederlandsche Bank or DNB) to become an authorized payment institution under the FSA, unless an exemption or exception applies.

  • A party pursues the business of providing payment services if the payment service is an identifiably separate activity. This is, generally, not the case if the payment service is performed merely in support of principal activities of the entity that are not payment services.
  • Payment services are any business pursuit listed in the Annex I to the amended Payment Services Directive.

Application of data protection and consumer laws

As of 25 May 2018, the processing of personal data in the Netherlands is regulated by the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"). The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming) constitutes the local implementation of the GDPR in the Netherlands. Businesses (including FinTech businesses) that process personal data may be subject to the obligations set out in the GDPR. The GDPR sets out rules with regard to, eg, the grounds for processing personal data lawfully, notification obligations, transparency obligations and transfer of personal data to countries outside the European Economic Area. The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher), for violations of the GDPR.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens or "Dutch DPA") is the authority for the supervision of the GDPR and the Dutch GDPR Implementation Act. In relation to FinTech-related matters, the Dutch DPA may be involved insofar as privacy aspects are concerned, for example by supervising compliance with the privacy provisions set out in PSD2.

Consumer laws

There are no consumer regulations specifically aimed at the FinTech industry. Businesses (including FinTech businesses) that provide services or products to consumers may be subject to certain information requirements set out in the Dutch Civil Code. These requirements are an implementation of the Consumer Rights Directive and (among other things) the Unfair Contract Terms Directive. For the provision of online services and products, additional (consumer protection) requirements may apply, eg with regard to the use of cookies, misleading advertising and unsolicited direct marketing.

The Authority for Consumers & Markets (Autoriteit Consument & Markt or ACM) is the authority for the supervision of consumer related regulations. ACM cooperates with other regulatory authorities, including the Netherlands Authority for the Financial Markets (Autoriteit Financiële Markten) and the Dutch Central Bank (De Nederlandsche Bank), in order to stimulate and boost FinTech businesses to contribute to the competition in the financial industry.

Money laundering regulations

The Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) implements the European Union's Fourth Anti-Money Laundering Directive (2015/849/EU). The Wwft is based on two principles: customer due diligence and the duty to report unusual transactions to the Financial Intelligence Unit-the Netherlands (FIU-NL).

Although the Wwft has a broader scope, it can generally be said that where an entity is authorized and/or supervised by the DNB or AFM, it will also be obliged to comply with the Wwft obligations.

Crypto currencies and virtual wallets are set to be regulated under the implementation of the Fifth Anti-Money Laundering Directive.

Last modified 6 Dec 2019

New Zealand

General financial regulatory regime

All persons providing financial services by way of business must be registered under the Financial Service Providers (Registration and Dispute Resolution) Act 2008 (FSPA) and, if providing services to retail customers, be a member of an approved disputes resolution scheme.

The Financial Markets Authority (FMA) is the licensing body and market conduct regulator for persons who are registered, licensed, appointed, accredited or authorized under the Financial Markets Conduct Act 2013 (FMCA) (discussed below), the Financial Markets Supervisors Act 2011, the Financial Advisers Act 2008 and the FSPA.

The Reserve Bank of New Zealand (RBNZ) is the conduct regulator for registered banks, non-bank deposit takers and licensed insurers.

General

Under the FMCA, a person must not provide a market service without holding, or being authorized to provide the service under, a market services license from the FMA that covers the service. A 'market service' includes acting as a:

  • manager of a registered managed investment scheme;
  • provider of a discretionary investment management service;
  • peer-to-peer (P2P) lending intermediary; 
  • crowdfunding intermediary; and
  • from 29 June 2020, a financial advice service. 

An offer of financial products that is received by a retail investor in New Zealand will require disclosure and will be regulated under the FMCA unless the issuer demonstrates that it has taken all reasonable steps to ensure that retail investors in New Zealand may not accept the offer.

Where FinTech products and applications involve financial activity which requires regulatory authorization, then firms providing such products and applications must be authorized by the FMA.

The FMA's approach to FinTech

It is an express purpose of the FMCA to promote innovation and flexibility in the financial markets.

The FMA has stated that it wants to see innovative financial products and services coming to market, delivering customer benefits and supporting the integrity of New Zealand's capital markets. It will encourage innovation where it improves the range or quality of financial services in New Zealand. The amendment of the FMCA to provide for licensed digital financial advice services is an example of this.

The FMA has so far discounted the use of a regulatory sandbox in New Zealand but has said that it will maintain an open and flexible approach for businesses that wish to engage with the FMA at an early stage on innovation in financial services and that it will also ensure that it supports an appropriate environment for innovation to flourish.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Retail payment systems are used to transfer funds from consumers to merchants in exchange for goods and services. They include credit and debit cards, the EFTPOS system, as well as cash, checks and bank transfers.

Retail payment systems are subject to relatively light-handed regulation in New Zealand.

Peer-to-peer lenders

A P2P lending service is one where a person provides a facility by means of which offers of debt securities may be made, and the principal purpose of the facility is to facilitate the matching of lenders with borrowers who are seeking loans for personal, charitable or small business purposes.

Providing a P2P lending service requires a market services license from the FMA. The eligibility criteria for a P2P lending services license under FMCA include the following.

  • The provider has fair, orderly and transparent systems and procedures for the service.
  • The service is designed primarily for offers by persons other than the provider.
  • The provider has adequate systems and procedures for checking the identity of each issuer of debt securities, assessing the risk of investors not being repaid in full or not receiving interest and for disclosing information about that checking and assessment to investors.
  • The provider has a fair dealing policy to exclude issuers that have engaged in misleading or deceptive conduct.
  • The provider has adequate systems and procedures for ensuring that each issuer does not raise more than NZD2 million in any 12-month period under the service.
  • The provider has adequate systems and procedures for handling conflicts of interest.

Regulation of payment services

Retail payment systems are used to transfer funds from consumers to merchants in exchange for goods and services. They include credit and debit cards, the EFTPOS system, as well as cash, cheques, bank transfers and new forms of app-based payment.

Retail payment systems are subject to relatively light-handed regulation in New Zealand:

  • RBNZ has a mandate to promote the maintenance of a sound and efficient financial system; however the performance and efficiency of retail payment systems are not the primary focus of the RBNZ.
  • Payments New Zealand is the operator of a number of payment systems in New Zealand (including the Consumer Electronic Clearing System, which includes proprietary EFTPOS) but has no role in determining the allocation of costs or incentives within retail payments systems or the business models that schemes operate under. It was established in 2010 by eight banks with a mandate to open access to and preserve the integrity of New Zealand’s payment systems. Forty organisations now make up the Payments NZ community: 12 Participants (banks and financial institutions) and 28 Members (payment system organisations, such as card schemes, merchants, smaller non-shareholding banks, tech providers, retailers, fintechs and payments infrastructure owners, that want to be actively involved in the ongoing development and strategic direction of payment systems).

In February 2016, the New Zealand government asked the Ministry of Business, Innovation and Employment (MBIE) to examine whether New Zealand’s retail payment systems were producing good economic outcomes. In particular, MBIE asked whether:

  • consumers and merchants are benefiting from ongoing innovation in payment systems;
  • card payment systems are being used efficiently; and
  • consumers and merchants are bearing a fair share of the costs.

Following a public consultation process, Payments NZ has been working with industry to advance the Payments Direction strategic initiative and engaging with banks and card schemes to improve the transparency of merchant service and interchange fees. The Payments Direction initiative aims to deliver a core payments system that:

  • simplifies and removes friction from customers' payment experiences;
  • gives customers choice across a greater range of value propositions;
  • enables newcomers to partner and compete with existing players;
  • ensures relevant opinions are heard in relation to design and governance matters; and
  • balances innovation with preserving security and the need to meet increasingly complex compliance requirements.

By 2020, Payments NZ is expecting to have endorsed the implementation of a shared application programming interface (API) framework and a 365-day service availability for the settlement before interchange (SBI) system - both of which are key initiatives aimed at future-proofing the core payments system. Other key priorities include investigating and developing opportunities relating to the use of proxy identifiers to identify bank accounts, request to pay (API-enabled push payments), speeding up payments and the ISO 20022 payments messaging format.

Application of data protection and consumer laws

The Privacy Act 1993 governs the collection, use and disclosure of personal information and the access by individuals to that information. Following a comprehensive review, this will be repealed and replaced with a new Privacy Act which is currently progressing through Parliament and expected to come into force in 2020. Amongst other things, the new legislation proposes stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offences and increased penalties. 

The Unsolicited Electronic Messages Act 2007 regulates and prohibits unsolicited commercial electronic messages with a New Zealand link from being sent and requires commercial electronic messages to include accurate information about the person who sent the message and a functional unsubscribe facility. The act also prohibits address-harvesting software or a harvested-address list from being used to send unsolicited messages in contravention of the act.

The Credit Contracts and Consumer Finance Act 2003 sets out the requirements for borrower disclosure, responsible lending processes and reasonable fees in the context of consumer lending.

New Zealand has trade practices and fair dealing legislation that requires all businesses to ensure that they do not engage in misleading or deceptive conduct, make unsubstantiated claims or enter into unfair contract terms with consumers.

Money laundering regulations

The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 has the purposes of:

  • detecting and deterring money laundering and the financing of terrorism;
  • maintaining and enhancing New Zealand's international reputation by adopting (where appropriate in the New Zealand context) recommendations issued by the Financial Action Task Force; and
  • contributing to public confidence in the financial system.

Generally, where a firm provides a financial service by way of business and is required to be registered under the FSPA, it will be supervised by the FMA for compliance with anti-money laundering requirements.

If a reporting entity establishes a business relationship or conducts an occasional transaction or activity that involves new or developing technologies, or new or developing products, that might favor anonymity (such as bitcoin and other cryptocurrencies), the reporting entity must take any additional measures that may be needed to mitigate and manage the risk of such technologies or products being used in a money laundering offence.

Last modified 13 Dec 2019

Norway

General financial regulatory regime

The Norwegian Financial Supervisory Authority (Finanstilsynet or FSA) is the conduct regulator for firms providing financial products and services in both retail and wholesale markets.

General

A person must not carry on a regulated activity in Norway unless authorized or exempt (known as the general prohibition). A financial activity requires regulatory authorization when: it is identified as a specified activity, it is carried on by way of business in Norway and it does not fall within any of the available exemptions. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the FSA.

Point of contact at the FSA

The Norwegian Ministry of Finance has proposed to establish a contact point at the FSA for guidance of FinTech companies. The Ministry of Finance believes that the emergence of new players, new technologies and new business models creates the need for guidance and clarifications in areas where current rules are based on well-known business models and methods of production. The proposal is currently under assessment at the FSA.

Electronic payments platforms and regulation of peer-to-peer lenders

The emergence of new entrants that use technology to provide financial services in new ways can be seen in Norway. The rise of FinTech as a separate industry also reflects a change in the way that the supply side is interfacing with customers in Norwegian markets. For example, in the payment services and financing segments, new players are entering the market and offering financial services outside the established financial system, at the same time as financial undertakings are developing competing services within the system.

Electronic payment platforms

A number of FinTech businesses are offering electronic payment platforms to rival the traditional payment systems and the introduction of new regulations recognizes the rise in such businesses, with the aim of creating a more level playing field for payment services providers, while addressing the need for enhanced security and customer protection.

All participants in a payment system will be regulated by the Norwegian Financial Institutions Act of 2015 (Finansforetaksloven or Financial Institutions Act), if the participant is deemed to perform payments services.

E-money

The Financial Institutions Act regulates e-money institutions and issuance of e-money. E-money is defined as electronically (including magnetically) stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the electronic money issuer and includes pre-paid cards and electronic pre-paid accounts for use online. Firms issuing e-money must be authorized by the FSA.

Peer-to-peer lenders

Lending is a regulated activity in Norway, and unless any exemptions apply, a lender will need to be authorized by the FSA to conduct such business.

Businesses conducting brokerage of loans must notify the FSA of their business. Loan brokers are subject to certain requirements in the Financial Institutions Act and are, among other things, obligated to give the lenders and borrowers information concerning the terms and conditions of the loans.

Regulation of payment services

Where a Norwegian business provides payment services, as a regular occupation or business activity in Norway, it will require authorization by the FSA to become an authorized payment institution under the Financial Institutions Act. Failure to obtain the required authorization is a criminal offence.

In order to become authorized by the FSA, a payment services business will need to meet certain criteria, including, in relation to its business plan, initial capital, processes and procedures in place for safeguarding client funds, sensitive data and money laundering and other financial crime controls.

Legislative work is ongoing in Norway on a new Financial Contracts Act (Finansavtalelov). The new law will, among other European Union regulations, implement the European Union Payment Services Directive II.

Application of data protection and consumer laws

The Norwegian Data Protection Act 2000 (Personopplysningsloven or DPA) regulates the processing of personal data in Norway. The DPA implements the European Data Protection Directive of 1995. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the DPA and have certain notification and compliance obligations.

The European General Data Protection Regulation (GDPR) is due to replace the DPA from 25 May 2018. It is proposed that a new data protection act will therefore replace the existing DPA. The GDPR introduces some new obligations and is more specific than the current DPA on certain issues, including mandatory notifications where a breach occurs, and provides for severe monetary sanctions for breach.

The Norwegian Marketing Act 2009 (Markedsføringsloven or Marketing Act) regulates unsolicited direct marketing by electronic means and other special categories of marketing. The proposal for a new Regulation on Privacy and Electronic Communications by the European Commission is, however, expected to lead to amendments to the Marketing Act, if the regulation is implemented in Norway.

Money laundering regulations

The Norwegian Act on Money Laundering and Terrorist Financing (Hvitvaskingsloven) imposes certain obligations on financial institutions and others who perform services on their behalf, such as credit institutions, investment firms and payment service providers. The obligations generally include customer due diligence and a duty to report suspicious activities, and are intended to prevent money laundering and terrorist financing.

New anti-money laundering legislation, based on the European Union's Fourth Money Laundering Directive, is currently under development and a revised act is expected to be presented to the Norwegian parliament before the end of 2017. It is assumed that the new act will take greater account of the new service providers created through the development of FinTech. The FSA is responsible for supervising entities' adherence, under both current and future legislation.

Last modified 20 Oct 2017

Peru

General financial regulatory regime

In Peru, the main applicable regulations are the General Act of the Financial and Insurance Systems and Internal Organization Act of the Superintendence of Banking and Insurance – Law 26702 and the Securities Act – Executive Order 861, which regulate lending and public offering of securities. There is no specific regulatory regime for FinTech products.

Lending will be considered to be a regulated activity if it is conducted using public money, which is defined as funds obtained from individuals. Under these circumstances, a lender will need to be authorized by the Superintendence of Banking, Insurance and Private Pension Fund Management Companies to conduct such business.

A public offering of securities is, on the other hand, a public invitation to one or more individuals or legal entities of the general public, or specific segments thereof, to carry out a legal placement, acquisition or disposal of marketable securities. It is important to highlight that it is not necessary to state that the activity is employing securities; the Superintendence of Securities Market considers that it is enough that the characteristics of the financing fit in the definition of public offering of securities.

Regulations on crowdfunding and peer-to-peer lending

Current situation

There is no specific regulation on crowdfunding and peer-to-peer (P2P) lending. However, this activity may fall within the definition of a public offering of securities making it subject to the general financial regulatory regime.

Warning from the regulator

The position of the Superintendence of Securities Market is that financing by crowdfunding through securities issuing is a non-authorized activity. Moreover, the Superintendence of Securities Market warns the public against investing through entities that promote crowdfunding through securities as they may not have the required license. The statement extends and applies to initial coin offerings as they follow a similar purpose.

Regulation projects

Both public and private sectors recognize the need to enact specific regulation on crowdfunding and P2P lending. Consequently, there have been some initiatives, particularly from the private sector, for implementing an act issued by Congress, appointing the Superintendence of Securities Market as the natural supervisor of these activities. However, it is being discussed whether there is a need to have a FinTech regulation in Peru instead of applying the general rules.

Moreover, there is consensus on the fact that FinTech regulations must be flexible enough for promoting FinTech development in Peru.

Regulations on payment services

There are no specific regulations for payment services. Payment services are therefore not in scope of the general financial regulatory regime, and currently no specific authorization from the regulator is required to carry on this activity.

Application of data protection and consumer laws

The Data Protection Act, Law 29733, regulates the processing of personal data within Peru. It aims to guarantee the fundamental right to protection of personal data and must be applied by public entities and private companies. Whenever any personal data is processed, the processing will be regulated by the Data Protection Act and be subject to certain registration and compliance obligations such as:

  • registration requirements with the National Registry of Data Protection;
  • obtaining consent for processing and treatment of personal data from clients, providers and employees; and
  • restrictions on using data for purposes other than those for which personal data was given, amongst others.

Anti-money laundering regulations

The Anti-Money Laundering Act, Law 27693, establishes the obligation for companies, depending on the business activity they perform, to implement an anti-money laundering system which allows them to satisfy certain registration and compliance obligations. Among others included in the list prepared by the Financial Intelligence Unit (which itself is part of the Superintendence of Banking, Insurance and Private Pension Fund Management Companies), companies subject to the anti-money laundering regulations are:

  • financial companies;
  • credit unions;
  • credit and debit card issuers;
  • individuals or legal entities engaged in foreign exchange activities; and
  • brokerage firms, stock exchanges, securities clearing, mutual fund management companies, investment fund management companies and collective fund management companies.

The main obligations within the framework of the anti-money laundering regulations include:

  • appointment of an employee as the anti-money laundering compliance officer;
  • adoption of internal regulations such as employee manuals;
  • implementation of policies in relation to know-your-clients-and-workers requirements;
  • implementation of an operations log; and
  • reporting of suspicious operations.

However, the specific regulations applicable to a company depend on the entity type; therefore, obligations may vary between different types of companies.

Last modified 5 Dec 2019 | Authored by DLA Piper Pizarro Botto Escobar

Poland

General financial regulatory regime

Due to the variety of products and legal constructions used in the FinTech industry, there is no one legal act in Polish law that comprehensively regulates this area. Depending on the specific product, the main pieces of legislation that need to be taken into consideration are:

  • the Payment Services Act, which constitutes the legal framework for all types of payment services, including the issuance of payment instruments, e-money, and payment transactions;
  • the Civil Code, which constitutes the main source of regulations referring to contracts in general, but also to certain specific agreements (eg loan agreements) – it also covers consumer law issues;
  • the Consumer Credit Act, relevant for credit facilities and loans granted to consumers;
  • the Consumer Rights Act, relevant if services are provided to consumers remotely;
  • the Act on Anti-Money Laundering and Combatting the Financing of Terrorism; and
  • the Foreign Currencies Act, which should be taken into account where currency conversion is involved in a given service.

Other pieces of legislation that may be of importance to providers of FinTech products include the Act on Personal Data Protection, the Act on the Provision of Services Online and the Act on Trade in Financial Instruments.

Furthermore, as FinTech products may be offered by regulated entities, certain legislation regarding the provision of services by such entities should also be taken into consideration, eg the Banking Law, the Act on Insurance and Reinsurance Activity, and the Act on Investment Funds and Alternative Investment Funds Management.

The recommendations of the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego) constitute an important soft law complement to Polish legal regulations and in many cases will be applicable to the providers of FinTech products.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

The main piece of legislation that regulates electronic payment platforms is the Payment Services Act. The act lays down rules governing the provision of payment services, including the acquisition of payments carried out over the Internet using electronic payment platforms. The scope of the act encompasses:

  • the conditions for the provision of payment services, in particular regarding the transparency of contractual provisions and information obligations with respect to the payment services;
  • the rights and obligations of the parties resulting from the contracts on performance of payment services as well as the liability of providers of payment services;
  • the principles governing the operation of payment institutions; and
  • the basis of operation of the market of domestic payment transactions via payment cards and payment schemes.

Peer-to-peer lenders

Although peer-to-peer lending systems exist in Poland, no specific legal regulations covering this type of business have been implemented. Accordingly, provisions of the Civil Code relating to loan agreements and contracts in general will be applicable to these types of services.

Regulation of payment services

The Payment Services Act is also the main piece of legislation regulating the provision of payment services. As noted above, the provisions of the act include:

  • the conditions for the provision of payment services, in particular regarding the transparency of contractual provisions and information obligations with respect to the payment services;
  • the rights and obligations of the parties resulting from the contracts on performance of payment services as well as the liability of providers of payment services;
  • the principles governing the operation of payment institutions; and
  • the basis of operation of the market of domestic payment transactions via payment cards and payment schemes.

It should also be mentioned that a draft amendment to the Payment Services Act is currently in the legislative process. It is aimed at implementing Directive (EU) 2015/2366 (the Second Payment Services Directive). The purpose of the Second Payment Services Directive is to create uniform legal provisions in European Union member states concerning:

  • reinforcement of consumer rights in the payment services area;
  • reinforcement of the supervisory role of the European Banking Authority;
  • promotion of the newest mobile and internet payment services; and
  • enhancement of the security of payment services.

In addition, the role of Regulation (EU) 2015/751 of the European Parliament and of the Council of 29 April 2015 on interchange fees for card-based payment transactions should also be mentioned. Together with the Second Payment Services Directive, it includes provisions that limit fees in relation to consumer credit and debit cards and it also forbids retailers from imposing extra charges for the use of cards.

Application of data protection and consumer laws

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Act on the Protection of Personal Data of 10 May 2018 are the generally applicable acts in Poland, which have to be observed by FinTech businesses. They regulate the principles of data processing, the security of personal data, the registration of data files, and the transfer of personal data to a third country.

The Consumer Rights Act of 30 May 2014 regulates the obligations of the trader when contracting with the consumer, the procedure for the consumer to exercise his/her consumer rights, and the rules for concluding remote contracts with consumers (e-commerce).

The Consumer Credit Act of 12 May 2011 includes regulations and procedures for concluding consumer loan agreements, the lender's and credit intermediary's obligations in relation to pre-contractual information and the obligations of the consumer, lender and credit intermediary in connection with the executed consumer loan agreement as well as the sanctions for the failure to meet the lender's obligations.

The Polish Civil Code includes general principles for executing agreements with consumers, which are also applicable to FinTech businesses.

Money laundering regulations

The money laundering regulations which are applicable to FinTech businesses are included in the Act on Anti-Money Laundering and Counter Terrorism Financing; it lays down principles and procedures for counteracting money laundering and the financing of terrorism. It provides for the application of specific restrictive measures against natural and legal persons, as well as the obligations of entities involved in financial transactions connected to the collection and transmission of information related to such transactions. 

Last modified 6 Dec 2019

Portugal

General financial regulatory regime

The Portuguese Securities Market Commission (Comissão do Mercado de Valores Mobiliários or CMVM) and the Bank of Portugal (Banco de Portugal or BdP) are the regulatory authorities for firms providing financial and banking products and services, respectively.

General

Regulated activities must not be carried out in Portugal without a previous authorization.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

The Bank of Portugal promotes the compliant operation of payment systems through the operation, regulation, oversight and development of payment systems and instruments. It currently operates four payment systems in Portugal:

  • SICOI – the retail payment system that processes day-to-day payments by checks, bills of exchange, direct debits, credit transfers and bank cards;
  • TARGET2-PT – the Portuguese component of TARGET2 (which is the Eurosystem’s large value payment system);
  • AGIL – which is the Bank of Portugal’s deposit account management system and allows institutions not participating in TARGET2 to conduct specific transactions with Bank of Portugal, namely cash deposits and withdrawals; and
  • TARGET2-Securities – which links the Portuguese community to the Eurosystem’s securities settlement system where securities transactions are settled, notably shares and bonds against the central bank’s money.

Decree-Law no. 317/2009, of 30 October and Decree-Law no. 298/92, of 31 December (as amended) contain the rules applicable to payment and e-money institutions. Payment institutions and e-money institutions must obtain the Bank of Portugal’s authorization prior to incorporation.

Peer-to-peer lenders

According to the Portuguese Banking Act, only institutions authorized by the Bank of Portugal may carry out lending activities as a regulated activity. Peer-to-peer (P2P) lending would only be permitted if not carried out on a professional basis. Although P2P lending implies that a platform provides lending on behalf of others (investors), it is not clear if the Bank of Portugal accepts that this should not be a lending activity on the basis that P2P lenders are not carrying out such activity by themselves, but on behalf of such investors.

Regulation of payment services

Where a Portuguese business provides payment services as a regular occupation or business activity in Portugal, it will require authorization by the Bank of Portugal to become an authorized payment institution under Decree-Law No 91/2018 of 12 November 2018. Failure to obtain such authorization is a criminal offence. This Decree-Law implements Payment Services Directive II. 

In order to become authorized by the Bank of Portugal, a payment services business will need to meet certain criteria, including, in relation to initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

Application of data protection and consumer laws

The General Data Protection Regulation (GDPR) is the legal regime applicable to the protection of individuals with regard to the processing of personal data and the free movement of such data. The GDPR implements Regulation (EU) 2016/679 (General Data Protection Regulation). Whenever a business is required to process personal data in order to operate, a significant set of rules pertaining to notification and compliance obligations must be complied with.

Law no. 41/2004, of 18 August (as amended) regulates the processing of personal data and the protection of privacy in the electronic communications sector, including unsolicited direct marketing by electronic means.

The Portuguese Consumer Protection Act (CPA) was approved by Law no. 24/96, of 31 July (as amended) and provides for wide ranging protections in respect of consumers’ rights, notably information rights.

Money laundering regulations

Law no. 83/2017, of 18 August gives the Bank of Portugal responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing other means of payment. This Law implements the European Union’s Fourth Money Laundering Directive.

Where a firm is authorized and supervised by the Bank of Portugal, it will generally also be supervised for compliance with anti-money laundering requirements, particularly since electronic currencies tend to represent a higher money-laundering risk.

Last modified 6 Dec 2019

Puerto Rico

General financial regulatory regime

As the FinTech sector in Puerto Rico is still in its early stages, there are no specific laws, regulations or procedures applicable to these products or sectors.

The Office of the Commissioner of Financial Institutions is the main regulator of the financial sector in Puerto Rico. Other financial institutions, such as insurance companies, are regulated by the Office of the Commissioner of Insurance. The credit unions are regulated by the Public Corporation for the Regulation and Insurance of Cooperatives.

Commercial banks in Puerto Rico are also part of the US banking regulatory system inasmuch as the deposits of all such institutions are insured by the Federal Deposit Insurance Corporation. As a result, commercial banks in Puerto Rico are subject to laws and regulations applicable to banks in the US and are supervised by the applicable US supervisory agency, as well as by the local regulator. Therefore, it is anticipated that the local regulatory environment in Puerto Rico will be developed in line with the US regulatory system as financial innovation continues its dynamic growth.

FinTech companies looking to conduct business in Puerto Rico must ensure compliance with the applicable local laws, including licensing requirements for the conduct of banking business, as well as with any consumer lending, securities and insurance laws and regulations applicable to any such activities.

Electronic payments platforms and regulation of peer-to-peer lenders

There are no specific laws or regulations in Puerto Rico that regulate electronic payment platforms or peer-to-peer lending.

Regulation of payment services

Payment services in Puerto Rico are generally controlled by commercial banks and credit unions. There are other important players in this market such as the money services businesses. Under the Money Services Business Regulatory Act (MSBRA) any entity that proposes to conduct a money services business in Puerto Rico must obtain a license from the Office of the Commissioner of Financial Institutions. The MSBRA covers entities that provide money transfer services, check cashing services and money order services, as a regular business in Puerto Rico. The MSBRA provides certain minimum capital and liquid assets requirements and incorporates by reference all US federal anti-money laundering laws and regulations.

Application of data protection and consumer laws

There is no single law in Puerto Rico that provides a comprehensive treatment of data protection or privacy issues. There are, however, several applicable local and US federal laws and regulations related to the protection of consumer information, including privacy and security, most of which are focused on the protection of non-public information about consumers by financial institutions.

The Citizens Information of Data Banks Security Act (DBSA) makes it mandatory to notify the Puerto Rico Consumers Affairs Department (DACO) in the event of a data breach within ten days of detection. Upon receiving notice, DACO may make the breach public within 24 hours.

A data breach is defined in the DBSA as any incident in which personal information is accessed in such a way that the security or confidentiality of the data is compromised, regardless of whether the personal information is accessed with or without permission, or under false pretenses. If a breach is suspected to involve criminal activity, the DBSA recognizes the need to delay notification and allow for enforcement agencies to conduct an investigation and prevent evidence from being destroyed, lost or altered.

There are two exceptions for providing a data breach notification under the DBSA. The first is where the data is protected by encryption or other technical controls (in that case, the incident might not be considered a data breach). The second is where the breached entity already provides for a data breach notification procedure, as a part of its own information security policies, that affords individuals equal or greater protection. The DBSA provides various options for the notification and also sets forth certain basic information that must be included.

The Consumer Personal Information Destruction Act (CPIDA) requires commercial entities to securely destroy any data or records that contain personally identifying information. All documents must be shredded, or the information must be suppressed or modified so as to render it illegible or unidentifiable. The CPIDA does not address or specify what reasonable safeguards or appropriate security measures should be employed in order to properly dispose of electronic material. The destruction of information must be documented via a notarial act and preserved for a period of ten years.

Title V of the federal Gramm-Leach-Bliley Act, and regulations issued thereunder, require financial institutions, generally defined as companies that offer consumer financial products or services, to:

  • explain to their customers their information sharing practices;
  • safeguard customers' sensitive data; and
  • give consumers the option to opt out of some sharing of personal financial information (in this respect, customers must be notified, on a periodic basis, of the financial institution’s Privacy Policy and must be given the option to opt out of the sharing of the customer’s personal information).

The Notification of Privacy Policies Act (NPPA) imposes on every website operator and any person who collects personal information, the duty to notify its users of its information sharing policies and practices in a clear, concise and conspicuous manner. Furthermore, the NPPA requires that website operators inform individuals of their rights, if any, to access or rectify their personal information and the procedures for obtaining notice when the privacy notice is revised.

Money laundering regulations

The US federal anti-money laundering (AML) laws and regulations are applicable in Puerto Rico to the same extent as they apply to any state of the US. Specifically, the Bank Secrecy Act (BSA) provides a comprehensive set of rules that must be complied with by financial institutions that conduct business in the US and its territories (such as Puerto Rico), designed to assist the US government agencies in detecting and preventing money laundering. Generally, the BSA and its implementing regulations require, among others, the establishment by covered financial institutions of specific AML programs as well as know-your-customer programs. Under such programs, covered financial institutions are generally required to identify and report transactions of a suspicious nature to the Financial Institutions Crime Enforcement Network and the Office of Foreign Asset Control, agencies of the US Treasury Department. Further, financial institutions are required to verify customer identity and understand the kinds of transactions in which the customer is likely to engage. Moreover, there are reporting obligations regarding cash transactions in excess of USD10,000 received by covered financial institutions.

In addition to the BSA, Section 60501(a) of Title 26 of the US Internal Revenue Code (the Code) generally provides that any person engaged in trade or business who receives more than USD10,000 in cash in a single transaction or in related transactions must file a report with the US Internal Revenue Service. The Code provides certain exceptions to the general rule stated above, such as:

  • cash received by a financial institution; and
  • transactions occurring outside of the US (which includes Puerto Rico).

Finally, Act No. 131 of July 23, 1974, as amended (Act 131) is the most relevant locally enacted AML statute. Act 131 requires covered domestic financial institutions to report to the local Treasury Department any wire transfer of funds in excess of USD5,000 that is initiated to or received from a foreign country.

Last modified 11 Dec 2019

Romania

General financial regulatory regime

As a general rule, performing any activities or operations for which the laws regulating the financial sector require authorization is prohibited without the appropriate authorization and, in most cases, doing so gives rise to criminal liability.

Under Romanian law, it is generally prohibited for any individual or legal entity (other than an appropriately licensed credit institution) to pursue activities such as deposit-taking (or holding other repayable funds from the public). Furthermore, professional lending is a regulated activity, which may only be undertaken by regulated entities, such as licensed credit institutions, non-banking financial institutions or payment services providers that perform lending activities in relation to payment services.

Payment services can only be performed either by an authorized payment institution (together with credit institutions, e-money institutions) or authorized agents of one of the above.

Money remittance services are similarly regulated and all such credit institutions, payments services institutions and e-money institutions must be authorized by and registered with the National Bank of Romania.

The offering of investment services and managing investment vehicles are also comprehensively regulated activities, and require authorization by the regulator.

Electronic payments platforms and regulation of peer to peer lenders

Electronic payment platforms

A number of FinTech businesses are offering electronic payment platforms to rival the traditional payment systems. These are mostly payment services institutions authorized in another European Union member state which provide payment services in Romania by passporting their home license (either directly or via local branches).

Peer to peer lenders

Peer-to-peer (P2P) lending is not yet regulated in Romania. The local market remains undeveloped; however, lending via crowdfunding platforms has begun to develop in recent years, and draft legislation has been produced but is not yet implemented. It is expected that P2P lending platforms will grow alongside this sector.

Regulation of payment services

Where an entity provides payment services on a professional basis in Romania, it will require authorization by the National Bank of Romania to become an authorized payment institution under the Payment Services Ordinance No 113/2009 implementing the European Union Payment Services Directive I. Failure to obtain the required authorization is a criminal offence. Furthermore, payment services may also be performed by authorized credit institutions as well as by other authorized institutions, such as credit institutions or e-money institutions.

In order to become authorized by the National Bank of Romania, a payment services business will need to meet certain criteria, including in relation to its business plan, regulatory capital requirements, processes and procedures in place for safeguarding relevant funds and money laundering controls.

Application of data protection and consumer laws

Law No. 677/2001 ‘on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data’ (Law 677/2001) regulates the processing of personal data in Romania. Law 677/2001 implements the European Data Protection Directive. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by Law 677/2001 and have certain notification and compliance obligations.

In addition, the European General Data Protection Regulation (GDPR) will replace the existing law with effect from 25 May 2018. The GDPR is more prescriptive and restrictive and includes mandatory notification requirements where a breach occurs, together with severe monetary sanctions for breach.

Money laundering regulations

Law No 656/2002 ‘on the Prevention and Sanctioning of Money Laundering and Countering the Financing of Terrorism’ gives the National Bank of Romania responsibility for supervising the anti-money laundering obligations of entities that offer certain services, such as lending, providing payment services and issuing and administering other means of payment.

Generally, where a legal entity is supervised by the National Bank of Romania, it will also be supervised by the same authority for compliance with anti-money laundering requirements. The same is provided in the draft law for the implementation of the European Union's Fourth Money Laundering Directive, not yet implemented in Romania.

Last modified 20 Oct 2017

Russia

General financial regulatory regime

The Central Bank of the Russian Federation (CBR) is the main regulator of the financial and investment market. Its functions, among others, include:

  • banking supervision;
  • regulating activities of non-banking credit organizations and some non-credit financial organizations;
  • regulation and supervision of the securities market and activities of the professional participants on the securities market;
  • regulation of payment services;
  • organization and performance of currency regulation and control; and
  • protection of rights and legitimate interests of investors on the financial markets.

General

A person must not carry on a regulated activity in the Russian Federation unless authorized. Where FinTech products or applications involve financial activity which requires regulatory authorization, the firms providing such products or applications must be authorized by the CBR.

Undertaking regulated activities without appropriate authorization can lead to an administrative fine for individuals or legal entities. It can also constitute a criminal offence resulting in liability ranging from a criminal fine to imprisonment for up to five years. In addition, a legal entity acting without authorization may be liquidated by the court or have the proceeds of its activities confiscated by the state.

Innovations

In 2016 the CBR set a course towards embracing recent trends in the financial market, starting with the launch of the 'FinTech' association (a collaboration of the regulator and major finance and technology players) and the creation of the Financial Technologies Department. The purpose of both projects is to encourage further development of the market's technological segment and to monitor significant developments in the sector.

In 2018 the CBR took further steps to embrace FinTech: its "Main Directions of Development of Financial Technologies for 2018 – 2020" envisaged a number of strategies for the development of FinTech, RegTech and financial infrastructure. The CBR also launched a "regulatory platform" (or "regulatory sandbox") where innovative FinTech projects may be tested and implemented under the CBR's control.

Regulation of peer-to-peer lenders

GENERAL

A business carries out a regulated activity (requiring authorization by the CBR) if it provides funding for either individuals or businesses, where the total amount of indebtedness of a borrower does not exceed RUB 1 million and RUB 5 million, respectively (microloans). Such businesses have to be recognized by the CBR as either a microfinance company (an entity allowed to raise funds from high-net-worth individuals and companies and through the offering of certain qualifying bonds) or a microcredit company (an entity only allowed to attract the assets of its shareholders or companies). More detailed regulatory requirements are set out in the Federal Law 'On Microfinance and Microfinance Organizations'.

Any lending activity exceeding the abovementioned thresholds for microloans would require a regular credit institution license.

CROWDFUNDING LAW

The Crowdfunding Law, which came into force on 1 January 2020, established a legal framework for peer-to-peer lending via online "investment platforms". An operator of such a platform needs to be incorporated in Russia and be included in the register of investment platform operators maintained by the CBR.

Subject to certain exceptions, companies are allowed to raise investments through investment platforms in the total amount not exceeding RUB 1 billion in a calendar year. The investments may be raised through borrowing funds, issuing tokens or "digital utility rights" and offering securities.

Certain limitations apply to investors acting on investment platforms: an individual may not make investments in the amount exceeding RUB 600,000 in a calendar year. Certain exemptions apply to this rule: for example, this limit is not applicable to sole entrepreneurs and qualified investors.

Regulation of payment services

The payment systems (including electronic payment platforms) operating in the Russian Federation have to comply with the provisions of the Federal Law 'On National Payment System'. At present, more than 30 payment systems are functioning in Russia. All participants in a designated payment system will fall under the supervision of the Payment Systems Regulator (CBR), including, amongst others:

  • operators that manage or operate the systems;
  • the payment service providers using the system; and
  • the infrastructure providers to the payment system.

Where a business enterprise provides payment services as a regular occupation or business activity in the Russian Federation, it will have to be recognized as either a bank or an authorized non-banking credit organization, thus requiring the license of the CBR.

Electronic payment platforms

Electronic money (e-money) is defined as 'monetary funds which are advanced by one person (provider of funds) to another person that records the information on the amount of advanced funds without opening a bank account for the purpose of discharge of payment obligations of the provider of funds to third parties and in respect of which the provider of funds is entitled to give instructions only with the use of electronic means of payments'. Generally, the firms issuing e-money must be licensed by the CBR.

Application of data protection and consumer laws

Data protection

The Federal Law ‘On Personal Data Protection’ regulates the processing of personal data within the Russian Federation. Where a business determines the purposes and manner in which any personal data is collected, processed and stored, it will be regulated by the law and will be subject to certain notification and compliance obligations. Among other things, the businesses are required to localize the personal data in Russia and obtain consent for transfer of personal data abroad. The CBR Regulation ‘On Data Protection in the course of Money Transfers’ and the Government Decree ‘On Data Protection in a Payment System’ provide more detailed rules on data protection in the financial and investment market.

Consumer regulation

Professional consumer lending is only allowed for credit organizations and a number of non-credit financial organizations specified in the law (microfinance organizations, credit cooperatives and pawnshops) and included in a relevant list by the CBR. There are also regulatory requirements stated in the Federal Law ‘On Consumer Credit (Loan)’ that apply to such professional consumer lenders.

Money laundering regulations

The Federal Law ‘On Countering the Legalization of Illegal Earnings (Money Laundering) and the Financing of Terrorism’ gives the Federal Service of Financial Monitoring (RosFinMonitoring) responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment.

Generally, where a firm is authorized and supervised by the CBR, it will also be supervised by RosFinMonitoring for compliance with anti-money laundering requirements. Electronic currencies such as bitcoin and cryptocurrencies are yet to fall within the legal framework of money-laundering legislation; however, they are already considered by the Russian regulators to represent a higher risk, mostly due to the anonymous nature of transactions and lack of central control (decentralization).

Last modified 5 Dec 2019

Senegal

General financial regulatory regime

The Regional council for public savings and financial market (CREPMF) is the regulator for the provision of financial products and services.

General

The conduct of regulated financial activities requires prior authorizations and approvals, generally from the CREPMF and the BCEAO.

Some restrictions, specific laws, regulations and procedures may apply to fintech products.

Entities providing fintech products and services with regulated financial activity components are required to be authorized and to comply with different laws, rules and regulations, such as data protection and consumer protection laws.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payments platforms are governed through BCEAO Instructions, mainly Instruction N° 008-05-2015 governing the terms and conditions for the exercise of the activities of issuers of electronic money in the member states of the West African Monetary Union (WAMU).

E-money transactions done through cards, internet and telephone are regulated under said Instruction.

The definition of e-money has been made taking into account “good international practice” and is characterized by a monetary value electronically stored, issued against funds provided in at least an equal amount and that has been accepted as a means of payment by both individual and corporate third parties.

Banks, payment services companies and microfinance institutions (MFIs) are allowed to issue e-money and can conduct e-money transactions.

Banks and payment services companies holding existing BCEAO licenses along with e-money authorizations, as FI issuers, must notify BCEAO two months in advance of any deployment, while microfinance institutions (MFIs) must get prior authorization from the Minister of Finances following consent from BCEAO.

Nonfinancial entities may also issue e-money after obtaining a license. These issuers are called Etablissements de Monnaie Electronique (EMEs or non-FI issuers). They must meet separate standards on corporate governance and related matters to obtain a license. These EME companies must be solely dedicated to e-money issuance (i.e. providing payment, transfer, and cash-in/out services). They cannot provide savings or credit services. EMEs can own shares only in other entities involved in e-money issuance.

Peer-to-peer lenders

It is important to mention that there is no specific regulation on this matter.

However, the need to regulate this type of product in order to protect consumers has been noted in some countries. The Regional Council and BCEAO are reflecting on this matter with a view to proposing protection mechanisms for consumers.

Regulation of payment services

Entities intending to provide payment services are required to be duly approved or authorized beforehand by the Central Bank. Banks and financial payment institutions, authorized by laws regulating banking, are allowed to conduct transactions related to payment services.

However, they are required to inform BCEAO, at least two months before the start of their electronic money issuance activities or the marketing to the general public, of any new money-related electronic service.

Electronic money institutions must be approved by the Central Bank before starting their electronic money issuing activities.

The exercise, by decentralized financial systems, of activities linked to electronic money is subject to the prior authorization of BCEAO (Article 8 of the Instruction).

Electronic money institutions must have a specific legal form and corporate purpose. They must be constituted in the form of Joint Stock Companies or Companies with Limited Pluripersonal Liability, Mutuals, Cooperatives or Economic Interest Groups.

With the exception of banks, financial payment institutions and decentralized financial systems, the issuance of electronic money can only be carried out by a legal person whose corporate object relates exclusively to this activity.

Diverse forms of electronic payment are available in Senegal. These include the use of credit and debit cards, mobile phones, online payment services such as PayPal, Alipay or Apple using the iTunes card, bank transfers and payment upon delivery.

Application of data protection and consumer laws

Data protection in Senegal is regulated under Law No. 2008-12 on the protection of personal data. The Law provides for the collection, registration, processing, storage and transmission of personal data. An independent authority, the Commission of Personal Data (CDP), was established to ensure that personal data related activities are done in accordance and compliance with the Law.

Senegal ratified the convention on Cyber Security and Personal Data Protection adopted by the African Union in 2014. In addition to this text, the “Strategy Senegal Digital 2025” was launched in 2016 with the ambition to achieve emergence through digital technology. The cost of the strategy is estimated at XOF1,361 billion, mainly allocated as follows: 73% for the private sector and 17% for the public sector.

To fill in the gaps partly caused by increased digitalization and to update the legislation on the technology and telecommunications sectors, a bill was circulated in 2019 for comments and recommendations.

The transfer of personal data to third countries is allowed subject to sufficient protection guarantees.

Sensitive data collection, processing and related activities are subject to prior authorization from the CDP.

The 2008 Law on electronic transactions regulates, among other things, direct solicitation marketing by electronic means. It governs commercial solicitations by prohibiting unsolicited advertising by electronic message sent without the prior consent of recipients.

Article 176 of the General Regulation of the CREPMF also regulates solicitation of the WAMU public.

Money laundering regulations

An anti-money laundering/countering the financing of terrorism (AML/CFT) framework is used by member states of the West African Economic and Monetary Union (WAEMU). Senegal was the first country to implement it, domestically, through the adoption of a terrorist financing law, Uniform Law n° 2009-16 of March 2, 2009, relating to the fight against the financing of terrorism.

A 2015 WAEMU directive provides for safeguards for the financial sector.

Involved entities include banks, MFIs, e-money issuers, payments and transfers companies, commercial and consumer credit providers, insurance providers and agents that provide financial services.

Know your customer (KYC) procedures are specified in the directive. Before any transaction, all involved entities must identify their clients, both individuals and organizations, by obtaining the client’s full name, place and date of birth and primary address, and verifying these by checking a valid “official document” with a photograph (to be copied) and documentary proof of address.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2015 give the National Financial Intelligence Processing Unit CENTIF responsibility for supervising the anti-money laundering control of businesses that offer certain services, such as lending, provision of payment services, issuance and administration of other means of payment.

Generally, where a firm is authorized and supervised by the CENTIF, it will also be authorized and supervised by the CENTIF as far as compliance with anti-money laundering requirements is concerned. Electronic currencies and other cryptocurrencies tend to represent a higher money-laundering risk.

Last modified 29 Jul 2020

Singapore

General financial regulatory regime

General

Singapore has recently announced plans to become a 'Smart Nation' and it has recognized that the financial sector is ideally placed to play a leading role since the financial services industry offers vast scope for innovation and the application of technology. The government aims to work towards a 'Smart Financial Centre' where technological innovation is pervasive.

The Securities and Futures Act (SFA) is the main legislation regulating capital markets and the financial investments sector. Section 82 of the SFA provides that no person shall, whether as principal or agent, carry on business in any prescribed regulated activity or hold himself out as carrying on such business unless it holds a capital markets services license (CMSL) issued by the Monetary Authority of Singapore (MAS) in respect of that prescribed regulated activity. Regulated activities include dealing in securities, fund management, advising on corporate finance, providing custodial services for securities and securities financing, amongst others. Therefore, generally, unless a licensing exemption is invoked, all financial institutions would be required to obtain a CMSL. In some instances, the Financial Advisers Act may also be applicable.

The MAS is the main financial services regulator in Singapore. Generally, the MAS's regulatory approach towards FinTech can be described as activity-based regulation to keep pace with innovations. MAS believes that regulation must not front-run innovation since this may stifle or potentially derail innovation or the adoption of useful technology. However, it puts equal emphasis on keeping pace with innovation in order to assess what the risks might be and continually evaluates whether it is necessary to regulate or leave technologies and industries to evolve further. The MAS will only bring regulation in when the risk posed by new technology becomes material or crosses a threshold. Any regulation ought to be proportionate to the risk posed.

In order to provide a safer, less expensive and more controlled environment within which FinTechs can innovate, the MAS has set up a regulatory sandbox framework for financial institutions to test their innovations. This will provide FinTech firms with a space within which to experiment with their technology, even if they are not able to anticipate every risk or meet every regulatory requirement.

To enter the regulatory sandbox, the relevant FinTech must apply to the MAS. The MAS and the applicant will then define the boundaries within which the experiment will take place. The MAS will also determine the specific legal and regulatory requirements which it is prepared to relax for the duration of the experiment within these boundaries. The sandbox has been a huge success, attracting proposals that leverage a range of technologies, including blockchain, machine learning and big data analytics. PolicyPal, an insurance technology startup which allows customers to buy and manage insurance policies through a mobile application, is the first 'graduate' of the sandbox.

Regulation of peer-to-peer funding and marketplace lending

The MAS announced initiatives in June 2016 to improve small and medium-sized enterprises' access to equity and lending-based crowdfunding from accredited and institutional investors by relaxing certain financial requirements for capital markets intermediaries that deal in securities and clarifying the application of certain exemptions from prospectus requirements. Its approach is to regulate equity and lending-based crowdfunding platforms within the existing regulatory framework and accept lower regulatory requirements in accordance with the risks and characteristics of the business model (eg serving only accredited investors and institutional investors, and not handling clients’ monies) of the relevant entity. The MAS does not see a need to create a new investor class for equity or lending-based crowdfunding since the framework is already calibrated to treat retail and non-retail investors differently. As at June 2016, in light of the high risks inherent in equity crowdfunding, the MAS does not intend to remove the regulatory safeguards such as prospectuses that apply where securities are offered to retail investors, but is working to refine its guidelines to facilitate the intermediation of offers to investors (including retail investors) under the existing framework. It continues to monitor developments and may make adjustments to the approach in the future, if warranted.

CMSL requirement

Generally, an equity and lending based crowdfunding platform operator will require a CMSL since it will be dealing in securities (ie by facilitating the offer of debentures even if the platform operator does not itself offer the debentures) or advising on corporate finance (as defined in the Securities and Futures Act) unless it qualifies under one of the prescribed exemptions from the requirement to hold a CMSL. Requirements under the Financial Advisers Act may also apply where financial advisory services are provided by the platform operator to investors who wish to invest in the securities.

Following a public consultation held in 2015, the MAS has simplified the financial pre-qualifications to be met by platform operators to allow them to obtain a CMSL for dealing in securities. Therefore, if the platform operators only serve accredited and institutional investors, do not hold or handle customer money, assets or positions and do not act as principal against customers, the base capital requirement for dealing licensees will be reduced from S$250,000 to S$50,000 and the requirement to maintain a security deposit of S$100,000 with the MAS will be removed.

In assessing corporate license applications, where an applicant platform operator does not possess the requisite five years' corporate track record (as set out in the Guidelines on Criteria for the Grant of a CMSL other than for Fund Management), the MAS will consider other factors in place of the corporate track record, such as the experience and track record of the shareholders and the key officers of the applicant.

Offer of securities

In addition to the requirement to have the appropriate CMSL, under section 239(3) of the SFA, any invitation to lend money to an entity (eg a company) is deemed to be an offer of debentures, which is a type of security. The entity offering debentures is required to prepare and register a prospectus with the MAS in accordance with the SFA unless it falls within one of the several prospectus exemptions. Currently, securities-based crowdfunding (SCF) can be carried out, albeit in a limited way, without the need to register a prospectus if it is done in reliance on existing prospectus exemptions, such as the small offer exemption under the SFA.

Under section 272A of the SFA, crowdfunding platform operators may make personal offers of securities, up to S$5 million within any 12 month period, without a prospectus (referred to as the small offers exemption), subject to certain conditions. As of June 2016, the MAS has amended the investor pre-qualification process found in the MAS’s Guidelines on Personal Offers made regarding the Exemption for Small Offers in order to make it easier for SCF platform operators to rely on the existing regulatory framework for small offers, to raise funds through SCF including from retail investors. However, to ensure investors (including retail) are fully aware of the risks and deterred from investing if they are unable to accept the potential losses, the MAS has concurrently strengthened the existing risk disclosures to require any licensed crowd-funding platform operator appointed by an offeror to intermediate the offeror’s small offers online; and such an offeror is to provide, at the minimum, a prescribed risk disclosure statement to each potential investor and obtain the investor’s acknowledgement that he is fully aware of and accepts the risks. The MAS has also advised however that in appointing a licensed SCF platform operator to intermediate the offeror’s small offers, the offeror should satisfy itself that the SCF platform operator has the necessary procedures to ensure that the revised pre-qualification process, as well as the revised risk disclosure and acknowledgement requirements, are complied with.

Offerors can also rely on prospectus exemptions under sections 274 and 275 of the SFA to make offers of securities to accredited investors and institutional investors through SCF without a prospectus. To ensure that offers made in reliance on the abovementioned prospectus exemptions are limited in scope and reach, and are not subject to mass solicitation, offers to accredited investors are subject to specified conditions, including a restriction on any advertisement on the offer (Advertising Restriction). Although the MAS has clarified the scope of the advertising restriction for offers made pursuant to the prospectus exemptions, the bottom line remains that as exempted offers are intended to be offers that are restricted in scope, these offers should not be subject to any mass solicitation, advertising or canvassing. If the platform operator of a ‘restricted access platform’ (as opposed to an ‘unrestricted access platform’) has conducted due diligence to confirm that investors who have access to the platform are within the scope of the prospectus exemption (eg accredited investors), the publication of statements containing information on the offeror and the terms of the offer on the platform would not be regarded as a breach of the Advertising Restriction.

Licensed platform operators may still offer equity securities to retail investors by registering and providing a prospectus or by utilizing some of the other statutory exemptions (such as the small offers exemption described above) to issuing a prospectus.

Regulation of payment services

Payment services are currently governed by two separate pieces of legislation: the Money Changing and Remittance Businesses Act (MCRBA) which governs stored value and the Payment Systems (Oversight) Act (PS(O)A) which governs remittance businesses. With the advent of FinTech, payments and remittances and the providers of these services can no longer be easily classified and differentiated.

In August 2016, the MAS released a consultation paper on the proposed changes to the payments regulatory framework and the establishment of a National Payments Council to drive innovation, as well as to create a more efficient and competitive business environment. The proposals bring payment services regulations under a single framework that will provide for the licensing, regulation and supervision of all payments services including stored value facility holders, remittance companies and virtual currency intermediaries. Regulation will be applied on the basis of the activity carried out by the service provider and entities will only be required to apply for a single license to undertake several payment activities. The proposed regulation also aims to strengthen standards of consumer protection, anti-money laundering and cybersecurity related to payment activities.

The consultation was the first in a series of consultations on the proposed governance model for Singapore. The proposals from these consultations do not yet appear to have been implemented.

Regulation of Initial Coin Offerings (ICOs), cryptocurrencies and token based products

In light of the booming ICO market in Singapore, the MAS clarified in August 2017 that the offer/issue of digital tokens which constitute 'products' regulated under the SFA will be regulated by the MAS. Where tokens fall within the definition of securities in the SFA, the issuer is subject to licensing requirements under the SFA (unless exempt) and is required to lodge and register a prospectus with the MAS prior to the offer of such tokens (unless exempted). Any platform facilitating the secondary trading of these tokens would also have to be approved or recognized as an approved exchange or recognized market operator under the SFA.

In line with other countries, the MAS has previously confirmed that virtual currencies are not specifically regulated but that intermediaries in virtual currencies would be regulated for money laundering/terrorist financing risks. It is considering introducing regulations to prevent money laundering/terrorist financing risks involving digital tokens which are not virtual currencies, in the near future.

Application of data protection and consumer laws

The increasing sophistication and use of technology within FinTech, data analysis tools and the applications of big data means that more data than ever is being collected and stored. Data protection in Singapore is governed by the Personal Data Protection Act 2012 which fully came into effect in 2014. It governs the collection, use, disclosure and care of personal data (whether electronic or non-electronic) and recognizes individuals' rights to protect their personal data and their rights of access and correction.

Money laundering regulations

In order to be compliant with anti-money laundering regulations, companies operating in the FinTech sector must collect the right information to conduct appropriate 'know your customer' procedures. This includes determining the business model's risk of money laundering and carrying out enhanced due diligence if the model is high risk. FinTech companies dealing with online payments and internet-based stored value facility holders are two sub-categories which have been identified as high risk. The MAS has issued guidance papers and 'Notices on the Prevention of Money Laundering and Countering the Financing of Terrorism' for different types of FinTech business models. These outline the specific requirements and standards to be met by each type of institution.

Last modified 20 Oct 2017 | Authored by DLA Piper and Shook Lin & Bok

Slovak Republic

General financial regulatory regime

National Bank of Slovakia is the main regulatory body for the financial market as a whole, including both retail and wholesale markets.

General

In general, a person cannot carry on a regulated activity in the Slovak financial sector without being regulated by the National Bank of Slovakia. Therefore, there is a need for specific authorization where a particular activity carried out as a business in Slovakia may or may not fall under the regulation. This mostly applies to activities of traditional financial market institutions, as most FinTech services and innovations currently do not fall under the regulatory power of the National Bank of Slovakia.

Statement of the National Bank of Slovakia on FinTech services

On 27 April 2016, the National Bank of Slovakia warned against the use of peer-to-peer (P2P) or crowdfunding methods for providing loans, as these types of contracts, as well as the entities providing them, currently do not fall under its regulatory competence.

On 8 April 2019, the National Bank of Slovakia, in cooperation with the Ministry of Finance of the Slovak Republic, launched an innovative hub. It aims to support the implementation of modern technologies in the Slovak financial market and to improve the rules of their functioning.

The innovative hub is designed for those with a real business plan who are interested in the FinTech area. Thanks to the innovative hub, interested parties can have a dialogue with National Bank of Slovakia experts who will help them understand the details of business requirements in the financial market. In order to establish communication with the National Bank of Slovakia, a contact form has been created to enable the National Bank of Slovakia to obtain a basic overview of the intention of the FinTech applicant. "The innovation hub will provide those interested in doing business in this area with information about the ecosystem of innovative business models and help them navigate the relevant regulatory requirements," explained the Executive Director for Financial Consumer Regulation and Protection from National Bank of Slovakia.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payments platforms

In recent years, many innovative payment solutions have been introduced to the Slovak market, such as contactless payments (introduced by VISA and MasterCard in alliance with the mainstream banks) and increasingly popular mobile payments. One of the most used and popular applications for mobile payments in Slovakia is VIAMO, which enables money transfers to a mobile phone number, without knowing the actual account details of the receiver.

With respect to the electronic money (e-money) institutions, such institutions need to be granted authorization by the National Bank of Slovakia in order to handle e-money and perform payment transactions related thereto. E-money is money that is exchanged exclusively electronically. E-money transfers (EFT), credit or debit cards are all examples of e-money.

Peer-to-peer lending regulation

Currently, P2P lending is not regulated in Slovakia and therefore does not fall within the regulatory competence of the National Bank of Slovakia.

Regulation of payment services

In order to provide payment services and to issue and manage e-money in Slovakia, it is necessary to obtain an authorization which is granted by the National Bank of Slovakia pursuant to Act No. 492/2009 Coll. on payment services. Providing such services without the respective license is a criminal offence.

To become authorized by the National Bank of Slovakia, a payment services business or business wishing to issue and manage e-money will need to meet certain criteria, including initial capital, functional procedures for safeguarding of the financial funds, adequate, appropriate organizational prerequisites for conducting the services, etc. One notable provider of payment services in the Slovak FinTech sector is a payment gateway called TrustPay.

Application of data protection and consumer laws

The Slovak Republic reflected the adoption of the European General Data Protection Regulation (GDPR) in Act No. 18/2018 Coll. on Protection of Personal Data and on amending and supplementing of certain acts (Data Protection Act). The Data Protection Act became effective as of 25 May 2018 and repealed the previous Act No. 122/2013 Coll. on protection of personal data. The Data Protection Act regulates the processing of personal data within Slovakia. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the Data Protection Act and certain notification and compliance obligations will apply. In addition to the above, Act No. 351/2011 Coll. on electronic communications, as amended, regulates unsolicited direct marketing by electronic means. Furthermore, Act No. 250/2007 Coll. on consumer protection, as amended, and Act No. 266/2005 Coll. on the consumer protection at distance financial services, as amended, shall apply as well, as they provide general legislative regulations relating to consumer protection.

The GDPR, together with the Data Protection Act, now regulates the processing of personal data in the Slovak Republic.

Money laundering regulations

The basic legislative framework is primarily determined by Act No. 297/2008 Coll. on protection against legalization of proceeds from crime and on protection against financing of terrorism, as amended (AML Act). The AML Act empowers the National Bank of Slovakia to supervise and control fulfilment of anti-money laundering obligations by the entities that fall into its regulatory competence (i.e. in particular, businesses offering services such as lending, payment services and issuing and administering other means of payment). The National Bank of Slovakia also actively cooperates with the Financial Intelligence Unit (a central national police unit specializing in the prevention and detection of money laundering and terrorist financing), in order to enforce the AML Act.

Last modified 6 Dec 2019

South Africa

General financial regulatory regime

Although banking and financial services are tightly regulated industries in South Africa, there is currently no FinTech specific regulatory regime. FinTech activity is therefore regulated by legislation which governs lending, deposit taking, investments and electronic communications and transactions. Broadly, these laws have onerous requirements and have a focus on protecting consumers.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

In South Africa, there is no specific legislation that regulates electronic payment platforms and peer-to-peer (P2P) lending. However, some of the provisions contained in the National Payment Systems Act 78 of 1998 relating to payment services can have application in the context of electronic payment platforms.

Peer-to-peer lenders

P2P or marketplace lenders are largely constrained by the National Credit Act, 34 of 2005 (NCA), which, subject to certain exceptions, requires all lenders to register as credit providers. The NCA also regulates fees, interest and other charges that lenders may levy. P2P lending for project development purposes may also fall within financial intermediary services within the Financial Advisory and Intermediary Services Act, 37 of 2002 (FAIS), and as a result, lending through an online platform may trigger the requirement to obtain a license as a financial services provider under sections 7 and 8 of FAIS.

There are certain exemptions in sections 44(1) and (2) of FAIS, where the registrar of financial services providers may, based on a list of factors set out in section 44(1), exempt persons or categories of persons from the section 7 authorization requirements. It may be argued that a P2P platform could be exempted under one of these headings; however, there is no regulator approved route for these businesses and currently no specific regulations addressing the P2P space.

Regulation of payment services

The National Payment Systems Act 78 of 1998 (the NPS Act) identifies and regulates two kinds of persons in the market who are non-banks.

  • A 'systems operator' is a non-bank authorized to provide services in respect of payment instructions. In essence, a systems operator provides the electronic means to two or more persons to make payments and/or to receive the proceeds of payment instructions. A systems operator is required to be authorized by the Payments Association of South Africa, on behalf of the South African Reserve Bank. Any entity which effectively facilitates the transfer of information between a payment portal and a payment provider or acquiring bank will be authorized as a systems operator in terms of the NPS Act.
  • A 'third-party payment provider' accepts money or payment instructions from other persons for the purpose of making payments on behalf of those other persons to third parties to whom those payments are due. A third-party payment provider may hold funds in its own bank account for a short period of time prior to paying those funds over to the third party concerned. This differs from systems operators, which provide the technology for the payments but typically do not receive money or the proceeds of payment instructions.

Application of data protection and consumer laws

In South Africa, the Protection of Personal Information Act 4 of 2013 (POPI) is the proposed legislative framework for the protection of personal information. POPI will only come into effect in its entirety, by presidential proclamation, on a date which is still to be determined. In the interim, the laws relating to data protection and consumer protection can be found in several pieces of legislation, with the most pertinent being the Electronic Communications and Transactions Act 25 of 2002 (ECTA) and the Consumer Protection Act 68 of 2008 (CPA). Briefly, the CPA aims to create certain protections for consumers in the marketplace and to protect consumers' rights to privacy, particularly in the context of direct marketing. ECTA also aims to provide consumer protection in the context of unsolicited goods, services and communications. In relation to the protection of personal information, ECTA merely sets out the principles to be used when a data controller collects personal information electronically.

Money laundering regulations

In South Africa, the primary statute governing anti-money laundering is the Financial Intelligence Centre Act, 39 of 2001, as amended (FICA). FICA established a Financial Intelligence Centre and a Counter-Money Laundering Advisory Council in order to combat money laundering activities and the financing of terrorist and related activities; and it imposes certain duties on institutions and other persons who might be used for money laundering purposes and the financing of terrorist and related activities. FICA imposes obligations on accountable institutions to conduct customer due diligence and, where the institution is unable to satisfactorily verify the identity of the customer, it is precluded from entering into a business relationship with the customer, may not conclude a transaction with the customer or must terminate the relationship in line with its risk and compliance procedures. However, these provisions are only applicable to accountable institutions, which include financial instrument traders, persons carrying on the 'business of a bank', or persons carrying on the business of lending money against the security of securities. A number of FinTech companies may not fall within the definition of an accountable institution but may elect to comply with these provisions to manage their risk.

Last modified 5 Dec 2019

Spain

General financial regulatory regime

The Bank of Spain (Banco de España) and the Comisión Nacional del Mercado de Valores (CNMV) are the conduct regulators for firms providing financial products and services in both retail and wholesale markets.

The Bank of Spain is responsible for firms providing banking services, payment services and e-money services.

The CNMV is responsible for firms providing investment services and for regulated crowdfunding/crowdlending platforms.

General

A person must not carry on a regulated activity in Spain unless authorized or exempt. A financial activity requires regulatory authorization when: it is identified as a specified activity in relation to a specified investment, it is carried on by way of business in Spain and it does not fall within any of the available exemptions. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the Bank of Spain or the CNMV, as applicable.

Fintech/Innovation Portal and Regulatory Sandbox

In December 2016, the CNMV launched the Fintech/Innovation Portal.

The CNMV has made available a space on its website (called the FinTech Portal) in order to receive information and requests of any kind related to the FinTech phenomenon. It provides an informal channel of communication for the CNMV to exchange information with promoters and financial institutions on their initiatives in this area.

The philosophy of this portal or FinTech space is to provide quality customer service and supervision, as the CNMV's aims with respect to Fintech are to be receptive, respond to queries and help where possible so that projects can be authorized.

In short, the aim is to enable the FinTech aspect of any project, to the extent that it conforms to the legal requirements, so that it does not hinder its success.

The CNMV has created a multidisciplinary internal group, made up of technicians from all of the CNMV departments that relate to Fintech, in order to assist the Portal, improve internal coordination and thus provide an agile response to the requests that are sent to the CNMV.

Of the enquiries received to date by the CNMV, most relate to crowdfunding and the digitization of financial services. There have also been a significant number of queries relating to automated advice or robo advisors and various enquiries about social trading, big data and Distributed Ledger Technology or blockchain.

The CNMV has issued Q&A documents on these FinTech topics.

The Ministry of Economy is currently working on the launch of a regulatory sandbox. This would be a 'testing space', governed by a set of rules previously determined by the regulator, which would allow companies to test new technology or innovative products and services in a secure environment.

A fundamental requirement of the sandbox is that tests would only be performed on a certain number of people, previously defined and agreed with a supervisor.

In addition, companies that participate in the sandbox will have the certainty that if they work during the tests as agreed with the regulator, they will not be sanctioned for carrying out a regulated activity without a license.

The role of the supervisor in a sandbox is to evaluate the legal framework of the products, services or innovative business models being tested.

Regulatory developments on crowdfunding/crowdlending platforms

Crowdfunding/crowdlending is regulated in Spain in Law 5/2015 on the Promotion of Business Financing.

Crowdfunding/crowdlending in Law 5/2015 is known as Participative Financing Platforms (PFP) and these are based on the principle of neutrality in the coming together of investors and promoters.

PFPs are companies authorized by CNMV, whose activity consists of contacting, through websites or other electronic means, natural or legal persons offering financing, with natural or legal persons who request funding in their own name, to use it for a project.

The projects financed are related to business, training or consumer affairs.

Up to November 2019, 29 PFPs have been authorized; many of them are generic (that is, they are set up for any type of project), other projects are focused on real estate, corporate social responsibility, technological sectors and training courses. The Ministry of Economy and CNMV are currently carrying out a review of Law 5/2015 to strengthen this industry and investor protection.

PFPs are intended to be an alternative channel to bank financing. It is also reasonable to expect that many of the companies financed through them will be able to move to the stock markets more easily, either directly or through venture capital, generating a larger capital market in Spain.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

A number of FinTech businesses are offering electronic payment platforms to rival traditional payment systems and the future implementation of the European Union Payment Services Directive II in Spain will recognize the rise in such business, with the aim of creating a more level playing field for payment services providers, while addressing the need for enhanced security and customer protection.

Spanish law also regulates the issuance of electronic money (e-money). E-money is defined as electronically (including magnetically) stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the electronic money issuer and includes pre-paid cards and electronic pre-paid accounts for use online. Generally, firms issuing e-money must be authorized and registered with the Bank of Spain.

Peer-to-peer lenders

Generally, lending in Spain is not a regulated activity which requires the authorization of the Bank of Spain. However, the granting of mortgage loans to consumers and individuals requires the prior registration of the mortgage loan provider in a designated register in the event that such mortgage provider is not a credit institution.

In addition, the granting of consumer credit in Spain is subject to complying with the requirements under Law 16/2011, dated 24 June, on credit agreements for consumers.

Therefore, unless caught by the above mentioned requirements or by the fact that the peer-to-peer (P2P) lender meets the requirements of PFPs (crowdlending platforms), there are no specific regulations for P2P lenders.

Regulation of payment services

Where a Spanish business provides payment services as a regular occupation or business activity in Spain, it will require authorization by the Bank of Spain to become an authorized payment institution under the Spanish Payment Services Royal Decree-Law 19/2018. Failure to obtain the required authorization is a very serious administrative breach. Please note that Spain has not yet implemented partially the European Union Payment Services Directive II.

In order to become authorized by the Bank of Spain, a payment services business will need to meet certain criteria, including, in relation to its business plan: initial capital, processes and procedures for safeguarding relevant funds, sensitive payment data and money laundering, along with other controls.

Application of data protection and consumer laws

EU General Data Protection Regulation 2016/679 (“GDPR”) and Spain's Data Protection and Digital Rights Guarantee Fundamental Act 3/2018/1999 (“NLOPD”) regulate the processing of personal data within Spain. The NLOPD develops and completes the GDPR, which is directly applicable all across the European Union. The new regulatory framework for privacy reinforces the information duties of data controllers (the entities or individuals deciding on how the personal data shall be processed). It also replaces the prior pre-eminence of consent with a more diverse scenario, in which compliance with contractual and legal obligations and even the legitimate interest of controllers may be preferable as a legal basis for processing. Fines are much higher than before, reaching 20 million euros or 4% of the global turnover of the controller in the most serious cases.

Spanish Act 34/1988 on advertising, Spanish Unfair Competition Act 3/1991, Spanish Act on the General Defense of Consumers and Users RDL 1/2007 and Spanish Act 22/2007 on distance marketing of financial services to consumers contain some of the main provisions to be taken into account from the perspective of consumer laws applicable in Spain.

Money laundering regulations

The Anti-Money Laundering and Terrorist Financing Law 10/2010 gives the Executive Service for Anti-Money Laundering (SEPBLAC) responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment. This law and its implementing regulations have partially implemented the European Union's Fourth Money Laundering Directive.

Generally, where a firm is authorized and supervised by the Bank of Spain or CNMV, it will also be authorized and supervised by the SEPBLAC for compliance with anti-money laundering requirements. Electronic currencies such as bitcoin and cryptocurrencies tend to represent a high money-laundering risk.

Last modified 5 Dec 2019

Sweden

General financial regulatory regime

The Swedish Financial Supervisory Authority (Finansinspektionen or SFSA) is the regulator of conduct for firms providing financial products and services in both retail and wholesale markets.

General

A person must not carry on a regulated activity in Sweden unless authorized or exempt (known as the general prohibition). A financial activity requires regulatory authorization when it:

  • is specified by law as a regulated activity;
  • is carried on by way of business in/to Sweden; and
  • does not fall within any of the available exemptions.

Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the SFSA.

The SFSA's monitoring of the FinTech sector

In March 2017, the Swedish government instructed the SFSA to draft a report including:

  • a survey of the players offering new innovative financial services in the Swedish financial market;
  • a statement of the issues and needs that exist among their businesses;
  • an explanation of what measures the SFSA can take to meet the needs of the businesses; and
  • an identification of new regulation that might be required for businesses operating in this sector.

Regulatory developments

The SFSA hosted a number of round table discussions with the FinTech sector in June 2017 and published a report on 1 December 2017 named "FI's role regarding innovation" (Sw. Myndighetens roll kring innovationer), at the request of the Swedish government. The European Banking Authority published a FinTech Roadmap for the years 2018-2019 which the SFSA participated in.

Electronic payment platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Sweden does not have specific regulations for payment systems, as is the case in certain other jurisdictions. Electronic payments are governed by the Swedish Payment Services Act (Lag (2010:751) om betaltjänster), which is based on Directive (EU) 2015/2366 on payment services in the internal market (PSD II). Pursuant to PSD II, the SFSA has issued Ordinance FFFS 2018:4.

A number of FinTech businesses are offering electronic payment platforms to rival traditional payment systems and the Swedish transposition of PSD II recognizes the increase of such business, and has been implemented in order to create a more level playing field for payment services providers, while addressing the need for enhanced security and customer protection.

The Swedish Act on Electronic Money (Lag (2011:755) om elektroniska pengar) and Ordinance FFFS 2011:49 on Electronic Money Institutions and Registered Issuers contain a number of electronic money-related rules, directions and guidance aimed at businesses that are issuing or are considering issuing electronic money (e-money). E-money is defined as electronically stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the electronic money issuer. E-money includes pre-paid cards and electronic pre-paid accounts for use online. Generally, firms issuing e-money must be authorized or registered with the SFSA.

Peer-to-peer lenders

The act of offering or providing credit to consumers is a regulated activity (requiring authorization by the SFSA). The major peer-to-peer (P2P) lending businesses in Sweden are regulated as Consumer Credit Institutions under the Swedish Act on Certain Activities with Consumer Credits (Lag (2014:275) om viss verksamhet med konsumentkrediter) or as Payment Institutions under the Swedish Payment Services Act (Lag (2010:751) om betaltjänster).

Regulation of payment services

Where a Swedish business provides payment services in Sweden, it will require authorization by the SFSA to become an authorized payment institution under the Payment Services Act (Lag (2010:751) om betaltjänster). The regulations implement PSD II on payment services in the internal market.

In order to become authorized, a payment services provider will have to meet certain criteria related to: its business plan, initial capital, having processes and procedures in place for safeguarding relevant funds and sensitive payment data as well as money laundering and other financial crime controls.

Application of data protection and consumer laws

The European General Data Protection Regulation (GDPR) replaced the Data Protection Act from 25 May 2018. The GDPR is more prescriptive and restrictive compared to the Data Protection Act, including mandatory notifications where a breach occurs, and provides for severe monetary sanctions for breach.

The Swedish Marketing Act (Marknadsföringslagen (2008:486)) also regulates unsolicited direct marketing by electronic means, in addition to sector specific regulations, such as Ordinances issued by the SFSA.

Money laundering regulations

Financial institutions providing services in Sweden are obligated to comply with the Swedish Act on Measures Against Money Laundering and Terrorism Financing (Lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism), the Act on Registration of Beneficial Owners (Lag (2017:631) om registrering av verkliga huvudmän) and Ordinance FFFS 2017:11 (issued by the SFSA). These regulations implement the European Union's Fourth Money Laundering Directive. The SFSA has responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as P2P lending, providing payment services and issuing and administering other means of payment.

The SFSA supervises the firms it authorizes (including anti-money laundering requirements). Electronic currencies such as Bitcoin and cryptocurrencies tend to represent a higher money-laundering risk.

Last modified 22 Jan 2020

Thailand

General financial regulatory regime

Due to the wide range of FinTech products in the market, the regulatory authorities with responsibility will depend on the type of FinTech products involved. Currently, there are four main supervisory authorities under which FinTech activities or products may be caught:

  • the Bank of Thailand (BOT);
  • the Securities and Exchange Commission of Thailand (SEC);
  • the Stock Exchange of Thailand (SET);
  • the Office of Insurance Commission (OIC); and
  • the Board of Investment of Thailand (BOI).

General

A person cannot carry on a restricted / regulated activity in Thailand unless authorization or exemption is granted (known as the general prohibition). Most financial activity requires regulatory authorization when:

  • it is identified as a specified activity in relation to a specified investment;
  • it is carried on by way of business in Thailand; and
  • it does not fall within any of the available exemptions.

Where FinTech products or applications involve financial activities which require regulatory authorization, the firms providing such products or applications must be authorized by the relevant supervisory authority.

FinTech regulatory sandbox

Please see FinTech products and uses – common technology products for the FinTech Regulatory Sandbox offered by the Bank of Thailand.

The SEC set up the FinTech Department and Data Management and Analytics Department (effective from 1 January 2017) to work on a strategic plan concerning innovation in capital markets.

Regulatory developments on investment platforms

A draft FinTech Act is currently under review by the relevant authorities and stakeholders. On 4 September 2017, the public hearing of the draft FinTech Act emphasized its importance and revised it to reflect comments raised by parties who may be affected by its enactment.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

The Payment System Act B.E. 2560 (2017) (PSA) has been enacted to regulate electronic payment businesses in Thailand. The PSA has categorised three types of payment-related businesses under the supervision of the BOT as follows:

  • Highly Important Payment Systems: These are payment systems that are a principal infrastructure of the country whose problems or disruptions would be likely to affect members systemically, and that handle large value fund transfers or are used for clearing or settlement between members, including the payment systems operated by the BOT, which are the inter-bank large value funds transfer systems (BAHTNET) and Imaged Cheque Clearing and Archive System (ICAS). In addition, the Minister of Finance is empowered to designate other payment systems to be highly important payment systems.
  • Designated Payment Systems: These are payment systems that (i) are the center or network between system users for handling funds transfer, clearing or settlement, e.g. retail funds transfer systems, payment card network, settlement system, etc., and/or (ii) may affect public interests, public confidence or stability and security of the payment systems.
  • Designated Payment Services: The regulated payment services are (i) credit card, debit card, or ATM card services, (ii) electronic money services, (iii) acceptance of electronic payment for and on behalf of others, (iv) electronic money transfer services, and (v) other payment services which may affect payment systems or public interests.

In order to legally operate an electronic payment business in Thailand, prospective operators (either natural or juristic persons) need to comply with applicable requirements before operating permitted electronic payment activities. The applicable requirements depend on the types of electronic payment activities to be conducted but would be either to register or to obtain a license from the BOT. Further details regarding regulation of electronic payment platforms can be found on the BOT website.

Peer-to-peer lenders

Due to the enactment of the MOF Notification re Business Subject to Approval to Clause 5 of the Revolutionary Council Decree 58 (Regulated Peer-to-Peer Lending Platform Business) and the BOT Notification No. SorNorSor. 4/2562 re Regulations, Procedures and Conditions for Conducting Peer-to-Peer Lending Business through Electronic System/Platform (BOT Notification re Peer-to-Peer Lending), peer-to-peer lending is a regulated activity in Thailand.

The BOT has been authorised to be an authority in charge of:

  • receiving an application form;
  • specifying applicable regulations; and
  • requiring a business operator to apply to the BOT's Regulatory Sandbox.

According to the BOT Notification re Peer-to-Peer Lending, the BOT requires an operator who wishes to conduct a peer-to-peer lending business through electronic system/platform to:

  • consult individually with the BOT;
  • participate in the BOT's Regulatory Sandbox until reaching a successful outcome; and
  • submit an application for the peer-to-peer lending business through electronic system/platform before legally operating that business in Thailand.

Please note the operator must be a company incorporated in Thailand with registered and paid-up capital of at least THB5 million (including shareholder's equity) and have a Thai shareholder holding not less than 75% of total shares with the right to vote.

The scope of business activity of a peer-to-peer lending business through electronic system/platform is to act as an online marketplace or matchmaker whereby a loan agreement between a lender and a natural person borrower is made through the electronic system/platform, and the loan must be granted in THB currency.

The maximum total amount of loans granted by each lender through any peer-to-peer lending operators may not exceed THB500,000 per lender within any 12-month period, unless such lender is a qualified institutional investor, a private equity, a venture capital or a specific investor. The interest chargeable may not exceed 15% per annum.

Apart from the above, the general principle for monetary lending under the Civil and Commercial Code of Thailand (CCC) is that borrowing of money in amounts above THB2,000 must be evidenced in writing and signed by the borrower. If such formalities are not complied with, a claim cannot be made against the other party to the transaction. According to the Electronic Transaction Act B.E. 2544, such evidence can be in an electronic form, since electronic data and signatures are enforceable if such electronic data is accessible and usable for subsequent reference without its meaning being altered and if the electronic signatures are made using a reliable method to identify the signatories.

Regulation of payment services

Please see Electronic payments platforms and regulation of peer-to-peer lenders above.

Application of data protection and consumer laws

Data protection law

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was enacted on 28 May 2019. Due to the one-year grace period, the PDPA will be fully enforceable on 28 May 2020. The PDPA signals a new dawn in the handling of personal data in Thailand because, prior to the PDPA, Thailand did not have an overarching law governing the protection of personally identifiable information. The collection, use and disclosure of personal data in Thailand were regulated to an extent by a patchwork of laws including the Constitution, sector-specific legislation and various self-regulatory codes. The PDPA is broadly similar to the EU General Data Protection Regulation regime, bringing personal data protection law in Thailand in line with other jurisdictions.

The PDPA introduces two key roles in the collection, processing and transfer of personal data. The Personal Data Administrator (Data Administrator) will have overall responsibility to determine and control the use of personal data. The Personal Data Processor (Data Processor) will be responsible for using, disclosing or processing the data on behalf of, or in accordance with, the instructions of a Data Administrator.

Affirmative consent must be obtained from the data subject in order for Data Administrators to legitimately collect personal data. Data Administrators must obtain consent for any use or disclosure of data that is beyond the original collection request. There are however limited circumstances in which Data Administrators may be exempt from obtaining the data subject’s consent.

The PDPA applies to all organisations that collect, use or disclose personal data in Thailand. This is regardless of whether they are formed or recognised under Thai law, and whether they have a residence, office or place of business in Thailand. Cross-border transfer of personal data outside of Thailand is prohibited unless the recipient country's data protection standard is equivalent to or higher than that of the PDPA, although limited exceptions are available.

Consumer law

The Consumer Protection Act B.E. 2522 (CPA) has been enforced with the aim of protecting consumers who buy or obtain services or are offered goods or services. The CPA applies to business operators who are:

  • sellers, manufacturers or importers of goods or are purchasers of such goods for re-sale; and
  • service providers, including those who operate an advertising business.

The CPA provides protection for consumers in several aspects, eg advertisement, unsafe goods, labelling and contractual requirements. To ensure consumer protection, the Consumer Case Procedure Act B.E. 2551 (2008) has been enacted to provide specific procedural requirements in relation to consumer litigation.

Money laundering regulations

In addition to commercial banks and other governmental authorities, certain other business operators are subject to anti-money laundering laws in Thailand. According to the Anti-Money Laundering Act B.E. 2542 (1999) (AMLA) and subordinated regulations, certain business operators are subject to the requirements under AMLA to:

  • report required transactions (e.g. cash transactions with amounts exceeding specified thresholds);
  • procure know-your-customer (KYC) checks; and
  • arrange customer due diligence.

Apart from financial institutions (eg commercial banks, finance companies, credit foncier companies, securities companies, insurance companies and operators of regulated payment systems or services, etc.), certain non-financial institution business operators covered by the AMLA include:

  • non-financial institutions providing advice or acting as advisors in transactions relating to the investment or movement of funds under the law governing securities and the stock exchange;
  • operators trading precious stones, diamonds, gems, gold, or ornaments decorated with precious stones, diamonds, gems or gold;
  • operators trading in or providing the hire-purchase of cars;
  • operators acting as brokers or agents in respect of the purchase or sale of immovable property;
  • operators trading antiques under laws governing the sale by auction and trading of antiques;
  • operators providing personal loans under the supervision of businesses that are not financial institutions or who are not caught by the Ministry of Finance's notification requirements in respect of personal loan businesses or who do not otherwise fall under the supervision of the laws governing financial institution businesses;
  • operators transacting in electronic money that are not financial institutions caught by the Ministry of Finance's notification requirements in respect of electronic money or that are not otherwise subject to the laws governing financial institution businesses;
  • non-financial institution operators conducting credit card business;
  • electronic payment operators governed by laws relating to the supervision of electronic payment service business; and
  • non-financial institution operators carrying out currency exchange activities as specified in the relevant ministerial regulation.

The Anti-Money Laundering Office is the supervisory authority of the AMLA.

Last modified 4 Apr 2020

Ukraine

General financial regulatory regime

The National Commission for Regulation of Financial Services Market (NCRFSM) is the conduct regulator for firms providing financial products and services in both retail and wholesale markets. In order to operate, the firms have to be incorporated as a non-banking financial institution under Ukrainian law.

General

A person must not carry on a regulated activity in Ukraine unless authorized or exempt. A financial activity requires regulatory authorization when it:

  • is identified as a specified activity in relation to a specified investment;
  • is carried on by way of business in Ukraine; and
  • does not fall within any of the available exemptions.

Where FinTech products and applications involve financial activity which requires regulatory authorization, the firms providing such products and applications must be authorized by the NCRFSM.

Innovation

In the past few years, Ukraine has actively demonstrated its focus on promoting a blockchain system.

On 13 April 2017, the state agency for e-governance of Ukraine partnered with Bitfury Group, a US-based global technology company, to launch what is probably the largest project on transferring government data on a blockchain platform. This technology initiative was launched to increase the transparency of government data and efficiency of its use by both local and global customers.

The project has three blockchain initiatives:

  • State Register of Proprietary Rights to Immovable Property – This involves putting data on all ownership, lease titles and other in-rem rights including encumbrances records on blockchain platforms to improve data protection, transparency and security.
  • State Land Cadastre – This is a pilot blockchain-based project aimed at improving data storage on legal titles to land in Ukraine. This technology will phase in a web-based auction platform whereby local and international customers will be able to lease Ukrainian state-owned land plots.
  • SETAM – This provides businesses with access to the public auction platform built on blockchain technology, enabling users to buy assets of the Ukrainian distressed and insolvent entities.

In 2018 the Blockchain Association of Ukraine was established. It is a non-profit organisation which unites blockchain and crypto industry specialists and promotes the integration of blockchain technology into the economy of Ukraine. The Association launched BlockchainHub Academy, a free course for the preparation of specialists for the blockchain industry, and a practical course for developers. Members of the Association are also working on elaboration of the necessary regulatory basis for the industry and lobbying for its implementation in Ukraine.

Furthermore, there is an inter-factional association called “blockchain4Ukraine” in the Ukrainian Parliament which is working on blockchain related draft laws.

Regulatory developments on investment platforms

In September 2017, the payment systems regulator (NBU) published an initiative to support FinTech development in Ukraine, recognizing the increasingly important role of investment platforms in the retail distribution landscape. This initiative will focus on the impact of investment platforms providing digital lending (both peer-to-peer (P2P) and business-to-peer (B2P)) as well as non-banking lending to small and medium-sized enterprises.

In January 2020, the Strategy of Ukrainian Financial Sector Development until 2025, approved by the National Bank of Ukraine and all other financial market regulators, was presented. The Strategy is aimed at the reform and development of Ukraine's financial sector in line with international best practices and the EU-Ukraine Association Agreement. Among the major priorities are introducing innovations in the financial sector and the development of financial markets.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

The NBU is the payment systems regulator and it currently regulates 78 payment systems, including MasterCard, Visa, American Express and PrivatMoney. All participants in a designated payment system will fall under the remit of the payment systems regulator, including operators that manage or operate the systems, the payment service providers using the system and the infrastructure providers to the payment system.

The NBU Regulation No. 481 'On Amendments to Certain Legislative Acts of the National Bank of Ukraine in respect of the E-Money Issuance and Circulation' dated 4 November 2010, contains a number of electronic money-related rules, directions and guidance aimed at businesses that are issuing or considering the issuing of electronic money (e-money). E-money is defined as electronically (including magnetically) stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the electronic money issuer and includes pre-paid cards and electronic pre-paid accounts for use online. Generally, an issuer of e-money must be registered as a bank under Ukrainian law and must have a banking license granted by the NBU.

Peer-to-peer lenders

A person carries out a regulated activity (requiring authorization by the NCRFSM) if they facilitate lending and borrowing between two individuals or between individuals and businesses. According to the NBU, P2P activity is not a banking activity under Ukrainian banking law, and P2P lenders are to be notified in advance by marketplaces that they are not eligible for any deposit protection scheme. In light of this, all P2P marketplaces require authorization from the NCRFSM and are subject to supervision of the NCRFSM as non-banking financial institutions.

Regulation of payment services

Where a Ukrainian business provides payment services as a regular occupation or business activity in Ukraine, it will require authorization by the NBU to become an authorized payment institution under Ukrainian law ‘On Financial Services and State Regulation of Financial Services Markets’. Under Ukrainian law, an authorized payment institution may be incorporated only in the form of either a bank or a financial institution. Failure to obtain the required authorization is an administrative offence.

In order to become authorized by the NBU, a payment services business will need to meet certain criteria, including in relation to its business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

Application of data protection and consumer laws

The Personal Data Protection Law (PDPL) regulates the processing of personal data in Ukraine. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the PDPL and have certain notification and compliance obligations. The PDPL implements the European Data Protection Directive 95/46/EC.

The Ukrainian law ‘On Electronic Commerce’ 2015, regulates unsolicited direct marketing by electronic means, in addition to sector specific regulations, for instance, financial promotion rules established by the Ukrainian law ‘On Advertising’ 1996.

Finally, the Ukrainian law ‘On Consumer Lending’ 2015, sets out certain provisions and procedures to protect consumers. A lender must follow and comply with these statutory requirements while making available loans to consumers.

Money laundering regulations

The Ukrainian law 'On Prevention and Counteraction to Legalization (Laundering) of the Proceeds from Crime or Terrorism Financing, and Financing Proliferation of Weapons of Mass Destruction' 2014 gives the NCRFSM responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as non-banking lending, providing payment services and issuing and administering other means of payment.

Generally, the NCRFSM authorizes and supervises a company for complying with anti-money laundering requirements. Electronic currencies such as bitcoin and other cryptocurrencies tend to represent a higher money-laundering risk. It is worth noting that in those cases where Ukrainian banks issue e-money, the NBU may also supervise them for compliance with anti-money laundering requirements.

Last modified 24 Jan 2020

UK - England and Wales

General financial regulatory regime

The Financial Conduct Authority (FCA) is the conduct regulator for firms providing financial products and services in both retail and wholesale markets.

General

A person must not carry on a regulated activity in the UK unless authorized or exempt (known as the general prohibition). A financial activity requires regulatory authorization when it is identified as a specified activity in relation to a specified investment, it is carried on by way of business in the UK and it does not fall within any of the available exemptions. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the FCA.

Project Innovate

In October 2014, the FCA launched an initiative known as Project Innovate with a view to encouraging innovation in the interest of consumers. Project Innovate has five initiatives:

  • regulatory sandbox – providing businesses with access to the real market to test innovative products, services, business models and delivery mechanisms;
  • direct support – providing a dedicated contact for innovator businesses that are considering an application for authorization or a variation to their permission;
  • advice unit – providing regulatory feedback to firms developing automated models to deliver lower-cost advice and guidance to consumers;
  • reg tech – encouraging technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively; and
  • engagement – providing FCA engagement with a wide variety of businesses in the UK regions and internationally.

Regulatory developments on investment platforms

In March 2019, the FCA published the final report of its Investment Platforms Market Study, in response to the increasingly important role of investment platforms in the retail distribution landscape.  In December 2019, the FCA published final rules for platforms to make it easier for consumers to move from one platform to another without liquidating their assets. The new rules ensure that consumers moving onto a new platform are given the option to convert to discounted units, where these are available for them to invest in. These new rules come into force on 31 July 2020.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Since April 2014, a subsidiary of the FCA, the Payment Systems Regulator has regulated eight payment systems designated by HM Treasury, namely Bacs, Cheque & Credit, CHAPS, Faster Payment Scheme, LINK, Northern Ireland Cheque Clearing, MasterCard and Visa Europe. All participants in a designated payment system will fall under the remit of the Payment Systems Regulator, including operators that manage or operate the systems, the payment service providers using the system and the infrastructure providers to the payment system.

There are an increasing number of FinTech businesses joining these electronic payment platforms. Rules governing access to or participation in a payment system are required to be objective, proportionate and non-discriminatory. The Payment Systems Regulator is responsible for upholding the prohibition against restrictive rules on access to payment systems. Enhanced competition is one of the objectives of the second Payment Services Directive (EU) 2015/2366 (PSD 2) which has been implemented in the UK via the Payment Services Regulations 2017.

Electronic money issuers

The FCA Handbook contains a number of electronic money-related rules, directions and guidance aimed at businesses that are issuing or considering the issuing of electronic money (e-money). In addition to the FCA Handbook, the law governing the issuance of electronic money is the Electronic Money Regulations 2011. E-money is defined as electronically (including magnetically) stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the electronic money issuer and includes pre-paid cards and electronic pre-paid accounts for use online. Generally, firms issuing e-money must be authorized or registered with the FCA.

Peer-to-peer lenders

A person carries out a regulated activity (requiring authorization by the FCA) if they facilitate lending and borrowing between two individuals or between individuals and businesses of less than £25,000 in circumstances where the borrower does not enter into the agreement wholly or predominantly for business purposes. Such agreements are known as Article 36H Agreements and will only be caught by the regulations where either the lender or the borrower is an individual or a partnership with two or three persons or an unincorporated body.

Regulation of payment services

Where a UK business provides payment services as a regular occupation or business activity in the UK, it will require authorization by the FCA to become an authorized payment institution under the Payment Services Regulations 2017. Failure to obtain the required authorization is a criminal offence. The regulations implement the European Union Payment Services Directive II.

In order to become authorized by the FCA as a Payment Institution, a payment services business will need to meet certain criteria, including in relation to its business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

The FCA has published an Approach Document on the FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. It gives readers a comprehensive picture of the payment services and electronic money regulatory regime in the UK. It also provides guidance for a practical understanding of the requirements, the FCA’s regulatory approach and how businesses will experience regulatory supervision.

Application of data protection and consumer laws

The UK's Data Protection Act 1998 (DPA) regulates the processing of personal data within the UK. The DPA implements the European Data Protection Directive. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the DPA and have certain notification and compliance obligations.

The European General Data Protection Regulation (EU) 2016/679 (GDPR) came into effect on 25 May 2018. As a result of GDPR, the DPA has been amended and replaced with the Data Protection Act 2018. The GDPR is more prescriptive and restrictive than the principles-based DPA; it includes mandatory notifications where a breach occurs and provides for severe monetary sanctions for breach. GDPR sets the key principles, rights and obligations for most processing of personal data. As a European Regulation, it has direct effect in UK law and automatically applies in the UK until the UK leaves the EU. After this date (Brexit), GDPR will continue to apply in the UK as a result of the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.

The UK's Privacy and Electronic Communications Regulations 2003 (PECR) regulate unsolicited direct marketing by electronic means, in addition to sector specific regulations, such as the FCA's financial promotions regime. PECR has been updated in light of GDPR and uses a new standard of GDPR consent.

 

Money laundering regulations

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 give the FCA responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment. 

Generally, where a firm is authorized and supervised by the FCA it will also be authorized and supervised by the FCA for complying with anti-money laundering requirements.

The MLRs have been updated to implement the Fifth Anti-Money Laundering Directive (EU) 2018/843. These changes include bringing into scope of the MLRs the following firms:

  • cryptoasset exchange providers (including cryptoasset automated teller machines (ATMs), peer-to-peer providers and issuers of new cryptoassets, e.g. Initial Coin Offerings (ICOs) or Initial Exchange Offerings); and
  • custodian wallet providers.

Electronic currencies such as bitcoin and other cryptocurrencies tend to represent a higher money-laundering risk. Cryptoasset exchange providers and custodian wallet providers are required to register with the FCA and comply with the MLRs.

Last modified 6 Dec 2019

UK - Scotland

General financial regulatory regime

The Financial Conduct Authority (FCA) is the conduct regulator for firms providing financial products and services in both retail and wholesale markets.

General

A person must not carry on a regulated activity in the UK unless authorized or exempt (known as the general prohibition). A financial activity requires regulatory authorization when it is identified as a specified activity in relation to a specified investment, it is carried on by way of business in the UK and it does not fall within any of the available exemptions. Where FinTech products and/or applications involve financial activity which requires regulatory authorization, the firms providing such products and/or applications must be authorized by the FCA.

Project Innovate

In October 2014, the FCA launched an initiative known as Project Innovate with a view to encouraging innovation in the interest of consumers. Project Innovate has five initiatives:

  • regulatory sandbox – providing businesses with access to the real market to test innovative products, services, business models and delivery mechanisms;
  • direct support – providing a dedicated contact for innovator businesses that are considering an application for authorization or a variation to their permission;
  • advice unit – providing regulatory feedback to firms developing automated models to deliver lower-cost advice and guidance to consumers;
  • reg tech – encouraging technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively; and
  • engagement – providing FCA engagement with a wide variety of businesses in the UK regions and internationally.

Regulatory developments on investment platforms

In July 2017, the FCA published an Investment Platforms Market Study Terms of Reference, recognizing the increasingly important role of investment platforms in the retail distribution landscape. The market study is to focus on the impact of investment platforms on retail consumers and financial advisors, being platform services which involve arranging, safeguarding, administering investments and distributing retail investment products which are offered to retail clients by more than one product provider and which is neither solely paid for by advisor charges, nor ancillary to the activity of managing investments for the retail client.

Electronic payments platforms and regulation of peer-to-peer lenders

Electronic payment platforms

Since April 2014, a subsidiary of the FCA, the Payment Systems Regulator has regulated eight payment systems designated by HM Treasury, namely Bacs, Cheque & Credit, CHAPS, Faster Payment Scheme, LINK, Northern Ireland Cheque Clearing, MasterCard and Visa Europe. All participants in a designated payment system will fall under the remit of the Payment Systems Regulator, including operators that manage or operate the systems, the payment service providers using the system and the infrastructure providers to the payment system. A number of FinTech businesses are offering electronic payment platforms to rival the traditional payment systems; and the introduction of the Payment Services Regulations 2017 recognizes the rise in such business with the aim of creating a more level playing field for payment services providers while addressing the need for enhanced security and customer protection.

The FCA Handbook contains a number of electronic money-related rules, directions and guidance aimed at businesses that are issuing or considering the issuing of electronic money (e-money). E-money is defined as electronically (including magnetically) stored monetary value, represented by a claim on the issuer, which is issued on receipt of funds for the purpose of making payment transactions. E-money must be accepted by a person other than the electronic money issuer and includes pre-paid cards and electronic pre-paid accounts for use online. Generally, firms issuing e-money must be authorized or registered with the FCA.

Peer-to-peer lenders

A person carries out a regulated activity (requiring authorization by the FCA) if they facilitate lending and borrowing between two individuals or between individuals and businesses of less than £25,000 in circumstances where the borrower does not enter into the agreement wholly or predominantly for business purposes. Such agreements are known as Article 36H Agreements and will only be caught by the regulations where either the lender or the borrower is an individual or a partnership with two or three persons or an unincorporated body.

Regulation of payment services

Where a UK business provides payment services as a regular occupation or business activity in the UK, it will require authorization by the FCA to become an authorized payment institution under the Payment Services Regulations 2017. Failure to obtain the required authorization is a criminal offence. The regulations implement the European Union Payment Services Directive II.

In order to become authorized by the FCA, a payment services business will need to meet certain criteria, including in relation to its business plan, initial capital, processes and procedures in place for safeguarding relevant funds, sensitive payment data and money laundering and other financial crime controls.

Application of data protection and consumer laws

The UK's Data Protection Act 1998 (DPA) regulates the processing of personal data within the UK. The DPA implements the European Data Protection Directive. Where a business determines the purposes and manner in which any personal data is processed, it will be regulated by the DPA and have certain notification and compliance obligations.

The European General Data Protection Regulation (GDPR) is due to replace the DPA from 25 May 2018. The GDPR is more prescriptive and restrictive than the principles-based DPA; it includes mandatory notifications where a breach occurs and provides for severe monetary sanctions for breach.

The UK's Privacy and Electronic Communications Regulations 2003 (PECR) regulate unsolicited direct marketing by electronic means, in addition to sector specific regulations, such as the FCA's financial promotions regime.

Money laundering regulations

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 give the FCA responsibility for supervising the anti-money laundering controls of businesses that offer certain services, such as lending, providing payment services and issuing and administering other means of payment. These regulations implement the European Union's Fourth Money Laundering Directive.

Generally, where a firm is authorized and supervised by the FCA it will also be authorized and supervised by the FCA for complying with anti-money laundering requirements. Electronic currencies such as bitcoin and other cryptocurrencies tend to represent a higher money-laundering risk.

Last modified 20 Oct 2017

United Arab Emirates

General financial regulatory regime

The relevant regulation and regulator will depend on where an entity is operating in the UAE.

The UAE is a federation of seven independent emirates:

  • Abu Dhabi;
  • Ajman;
  • Fujairah;
  • Sharjah;
  • Umm Al Quwain;
  • Dubai; and
  • Ras Al Khaimah.

The majority of regulation relevant to FinTech companies operating in onshore UAE will derive from federal laws.

The Central Bank of the UAE (Central Bank) and the Securities and Commodities Authority (SCA) are the main regulatory bodies for financial services in the UAE. Pursuant to Federal Law No. 14 of 2018 (Banking Law), the Central Bank regulates financial institutions, including those who wish to provide financing in or from the UAE. A FinTech company operating in onshore UAE conducting, for instance, peer-to-peer (P2P) lending-type activities, would require a license under the Banking Law in order to legally operate.

In addition, through changes to the UAE Constitution pursuant to Federal Law No. 8 of 2004, two 'Financial Free Zones' have been created:

  • Abu Dhabi Global Market (ADGM); and
  • Dubai International Financial Centre (DIFC).

These two financial free zones are entitled to make their own financial regulations and are consequently regulated separately from onshore UAE, certainly in respect of financial activities. The regulators are the Financial Services Regulatory Authority (FSRA) for ADGM and the Dubai Financial Services Authority (DFSA) for DIFC.

Both of these financial free zones have specific licensing regimes for companies wishing to operate in the financial services sector. Interestingly, however, both ADGM and DIFC have created sandbox-type regimes for FinTech companies specifically, namely: the ADGM RegLab and the DIFC's Innovation Testing License.

Although FinTech is at an early stage of development in the UAE, the UAE is promoting a number of initiatives to be at the forefront of FinTech developments, such as:

  • FinTech Hive at the DIFC;
  • Dubai Future Accelerators;
  • Dubai Blockchain Strategy; and
  • the UAE's National Innovation Strategy.

Electronic payments platforms and regulation of peer-to-peer lenders

UAE

The Regulatory Framework for Stored Values and Electronic Payment Systems (Payment Systems Regulations) issued by the UAE's Central Bank came into effect on 1 January 2017. The Payment Systems Regulations apply to Payment Service Providers (PSPs), which are effectively any entity that provides digital payment services (including using electronic, mobile or magnetic means but excluding credit and debit card payments) within the UAE.

The Payment Systems Regulations further divide the concept of a PSP into four distinct sub-categories:

  • Retail PSP – authorized commercial banks and other licensed PSPs offering retail, government and P2P digital payment services as well as money remittances;
  • Micropayments PSP – PSPs offering micropayments solutions facilitating digital payments targeting the unbanked and under-banked segments in the UAE;
  • Government PSP – federal and local government statutory bodies offering government digital payment services; and
  • Non-issuing PSP – non-deposit taking and non-issuing institutions that offer retail, government and P2P digital payment services. 

The Payment Systems Regulations also apply to so-called 'Stored Value Facilities', defined as non-cash facilities, whether in electronic or magnetic form, that are purchased and used by an individual or legal person to pay for goods or services. The Payment Systems Regulations provide that these services include:

  • cash-in services (the exchange of cash for digital money, which is placed in a payment account);
  • cash-out services (the exchange of digital money for cash, which is taken out of the payment account);
  • retail credit/debit digital payment transactions;
  • government credit/debit digital payment transactions;
  • P2P digital payment transactions; and
  • money remittances. 

The Payment Systems Regulations also provide a list of services excluded from the Payment Systems Regulations as follows:

  • payment transactions in cash without any involvement from an intermediary;
  • payment transactions using a credit card/debit card;
  • payment transactions using paper checks;
  • payment instruments accepted as a means of payment only to make purchases of goods/services provided from an issuer/any of its subsidiaries (ie closed-loop payment instruments);
  • payment transactions within a payment/settlement system between settlement institutions, clearing houses, central banks, and PSPs;
  • payment transactions related to transfer of securities/assets (including dividends, income, and investment services);
  • payment transactions carried out between PSPs (including their agents/branches) for their own accounts; and
  • 'Technical Service Providers'.

Of the above exclusions, 'Technical Service Providers' is perhaps the least self-explanatory. The Payment Systems Regulations effectively define such a provider as an entity that 'facilitates the provision of payment services to PSPs', without at any time being in possession of or transferring any funds. Examples cited include data processors, authentication service providers, payment terminal maintenance companies and network providers.

DIFC

The DIFC Innovation Testing License provides a controlled environment for a firm to develop and test FinTech ideas without being subject to all the requirements that would otherwise apply to it as an 'Authorized Firm' under the DIFC rules and regulations. To be considered for this type of license, a firm must:

  • involve innovation and the use of FinTech (ie have a business model, product or service that uses new, emerging or existing technology in an innovative way, and in a way that brings a new benefit to consumers or industry);
  • involve an activity that, if carried on in the DIFC, would amount to a 'Financial Service' (or combination of 'Financial Services') within the scope of the DFSA’s regulatory regime, for example, arranging deals in investments or advising on financial products;
  • be ready (or soon be ready) to start testing with customers or industry; and
  • intend to roll out its business on a broader scale in or from the DIFC after it has successfully completed testing.

The testing period will be for a finite period of time, normally six to 12 months. In exceptional cases, the DFSA will consider extending that period.

Beehive was the first P2P lending platform to receive a license from the DFSA to operate in the DIFC.

ADGM

According to the ADGM RegLab brochure ('The Regime For FinTech Innovation'), the ADGM RegLab is for all participants active in the FinTech space, from startups to existing, regulated companies. To qualify, the participant must be able to demonstrate that it has an innovative technological solution that is at a stage of development ready for testing. The solution should contribute to the development of the financial sector in the UAE. In particular, it should:

  • promote growth, efficiency or competition;
  • promote risk management and better regulatory outcomes; or
  • improve consumer choices.

The first five FinTech companies to be admitted to the ADGM RegLab were announced in May 2017.

Regulation of payment services

UAE

Organizations that wish to commence and maintain digital payment services must comply with the Payment Systems Regulations.

If a service falls within the Payment Systems Regulations, the company providing it must (among other things):

  • apply for and obtain the requisite licenses/approvals from the Central Bank before commencing new digital payment services;
  • have the facility to store and retain all user and transaction data exclusively within the borders of the UAE (excluding the UAE financial free zones) for a period of five years from the date of the original transaction;
  • three months before the implementation of any outsourcing of an operational function, have written approval from the Central Bank and ensure such services are provided onshore in the UAE under a contract which satisfies the relevant safeguard requirements;
  • prepare customer service agreements which meet the required standards of the regulation and ensure those agreements are put in place with all users; and
  • not use or process any form or type of virtual currency.

Application of data protection and consumer laws

At a UAE federal law level, there is no specific federal data protection or privacy law, although there are several laws which relate to data protection and privacy. Within each UAE emirate, the applicable law is a combination of:

  • federal law, which applies, in the main, across the UAE;
  • the law of the emirate in which business is being undertaken (to the extent that this law is different to, but not inconsistent with, the federal law); and
  • free zone legislation (such as ADGM and DIFC legislation).

Federal Law No. 24 of 2006 on Consumer Protection defines consumers' rights and obligations and outlines certain protection measures to fight monopoly, overpricing and fraudulent commercial activities against consumers.

Money laundering regulations

 

The UAE Decree-law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations provides a list of criminal offences and penalties, as well as the institutional arrangements regarding anti-money laundering and combating terrorism financing. Both DIFC and ADGM have their own anti-money laundering regimes as well.

Last modified 23 Jan 2020

United States


General financial regulatory regime

In the US, financial services related activities are regulated under a variety of federal and state laws.

Federal

At the federal level, the key banking regulators are the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), and the Office of the Comptroller of the Currency (OCC), with the National Credit Union Administration (NCUA) regulating credit unions.

The Securities and Exchange Commission (SEC) regulates securities issuers, investment companies, broker-dealers, investment advisors, and certain others involved in the securities industry.

The Commodity Futures Trading Commission (CFTC) regulates swap execution facilities, derivatives clearing organizations, designated contract markets, swap data repositories, swap dealers, futures commission merchants, commodity pool operators, and other entities.

The Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury regulates money services businesses, including currency dealers, check cashers, money transmitters, and others.

State

In addition, most US states have separate laws that regulate these industries, as well as other ancillary financial services such as various types of consumer lending or loan brokering activities. Notably, the insurance industry is regulated at the state level.

Regulation of online lenders

Online lenders

Online lenders are regulated by all 50 states and, in some capacities, at the federal level. Depending on the state and the asset class, licenses could be required for lending, collection/servicing or money transmission services.

Startup online lenders should consider the cost of these compliance activities as they conduct their initial equity raise(s), as the ability to raise subsequent debt financing will depend upon the prospective lenders being reasonably satisfied that the originator is in compliance with all applicable lending and other laws and has all necessary licenses.

Regulation of money service businesses

A ‘money services business’ (MSB) generally includes any person doing business, whether or not on a regular basis or as an organized business concern, in one or more of the following capacities in the US:

  • currency dealer or exchanger;
  • check casher;
  • issuer of traveler’s checks, money orders or stored value;
  • seller or redeemer of traveler’s checks, money orders or stored value; or
  • money transmitter.

At the federal level, an activity threshold of greater than USD1,000 per person per day applies to the first four categories, but no activity threshold applies to money transmitters. Activities performed by banks or SEC or CFTC registrants are excluded from MSB registration. In addition, there is a limited exemption for persons that sell goods or provide services (other than money transmission services) and only transmit funds as an integral part of that sale of goods or provision of services.

An MSB must register with FinCEN. Among other things, MSBs must also implement a risk-based compliance program designed to detect and prevent money laundering, terrorist financing, and other illicit activities. In addition, most US states require licenses to perform these activities in their state, which can take more time and entail more resources to obtain. Notably, exemptions available at the federal level do not always translate to exemptions from state licensure.

FinCEN has stated that certain virtual currencies may trigger money transmission regulation. While users of virtual currencies are not money transmitters, those who issue virtual currency or put it into circulation and have the authority to redeem or withdraw it from circulation may be regulated as an 'administrator'. In addition, if a business exchanges virtual currency for fiat currency or other virtual currency, the business may be regulated as an 'exchanger'.

Application of data protection and consumer laws

US privacy law is a complex patchwork of privacy laws and regulations addressing specific industries, communications media, or marketing methods, supplemented by a backdrop of federal and state prohibitions against unfair or deceptive business practices and state laws that specifically address privacy and security of personal information.

The US has not adopted a comprehensive federal privacy and data security law akin to the UK Data Protection Act of 1998 and related laws. Instead, the US has implemented a sectoral approach to data privacy, promulgating regulations in areas that it deems to be of specific concern, including:

  • financial data;
  • credit data;
  • background checks;
  • health information;
  • telecommunications companies;
  • video rental records (which may include certain video streaming services);
  • driver's license information and history;
  • children's information; and
  • marketing.

Outside of sector-specific laws, certain privacy protections are afforded by the general prohibition against unfair and deceptive trade practices. This prohibition has been interpreted to require appropriate notice to consumers about privacy or other practices (including the information collected) and consent to the sharing of sensitive data, and to cover the failure to abide by representations made in privacy policies (including those about information security).

In addition, each state has its own consumer privacy and protection framework. Many state laws address privacy-related issues, such as requirements for data security, compliance with the Payment Card Industry Data Security Standard (PCI-DSS), storage of data, privacy of health data, disposal of data, privacy policies, appropriate use of social security numbers and data breach notification, among other things. States also have consumer protection laws that seek to protect consumers against unfair and deceptive trade practices, and state attorneys general typically enforce these laws against businesses (though, in some states a private right of action is available against companies that violate state consumer protection laws). State privacy laws typically track the location of the data subject or the consumer, regardless of where the business is located.

In the US, companies should generally:

  • develop, implement and follow a privacy policy;
  • implement appropriate security measures; and
  • in the event of a breach of any unencrypted personal data, comply with US data breach notification laws.

Money laundering regulations

Money laundering generally refers to concealing or disguising the existence, illegal origins, or illegal application of criminally derived income so that such income appears to have legitimate origins or constitute legitimate assets. Money laundering is typically associated with funds or proceeds derived from illegal activities, such as tax violations, environmental crimes, foreign corruption, healthcare offenses, fraud, drug trafficking, arms smuggling, prostitution, racketeering, or terrorism.

There are numerous federal anti-money laundering (AML) and combating the financing of terrorism (CFT) laws in the US, including the Money Laundering Control Act of 1986, criminal money laundering statutes contained in 18 U.S.C. §§ 1956 and 1957, the amendment to the Bank Secrecy Act (BSA), and certain provisions of the Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act).

Individuals convicted of AML/CFT offenses can face imprisonment, as well as criminal and/or civil penalties. Companies that violate AML/CFT laws can face administrative, criminal, and civil penalties depending on the circumstances. Enforcement agencies may also seize and forfeit funds and property tainted by AML/CFT violations.

FinCEN is responsible for administering the BSA and also is empowered to bring civil enforcement actions for BSA violations. In addition to the federal regime, several US states have promulgated their own AML/CFT laws and regulations.

All US persons are prohibited from engaging in AML/CFT violations and transactions involving sanctioned jurisdictions or persons. In addition, US 'financial institutions' – which include not only traditional banks but also other organizations such as MSBs, casinos, pawn shops and many state-regulated financial institutions – must take additional steps such as:

  • filing currency transaction and suspicious activity reports; and
  • establishing and implementing written AML/CFT programs.

Last modified 24 Jan 2020

What are the most common technology products and FinTech applications used or being developed in the finance and investment marketplace?

  • Fintech for payments services
  • Fintech for banking services


What type of funding arrangements and incentives are available to FinTech businesses?

The BNA has a program called LISPA, which is an innovation laboratory for the payment system.

The goal is to accelerate the development of fintechs and innovative projects that promote access to financial services. LISPA is the only program that we consider an incentive to fintech businesses.

Luís Filipe Carvalho


Partner
DLA Piper Africa, Angola (ADCA)
T +244 926 612 525