This country-specific Q&A provides an overview of the legal framework and key issues surrounding fintech law in Germany.
This Q&A is part of the global guide to Fintech.
For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/fintech-2nd-edition
What are the sources of payments law in your jurisdiction?
Payment services are mainly regulated by the Act on the Prudential Supervision of Payment Services - Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ‘ZAG’) and by the Civil Law Code (Bürgerliches Gesetzbuch – ‘BGB’), which implemented the European Payment Services Directives 1 and 2 (‘PSD1’ and ‘PSD2’) in Germany. Other important sources of law directly applicable to (regulated) payment service providers in Germany are, among others, the various delegated regulations adopted under the PSD2, the Capital Requirements Regulation (CRR), the EU Funds Transfer Regulation, the SEPA-related EU Regulation 260/2012 and the EU Interchange Regulation. Additionally, the German Anti-Money Laundering Act (Geldwäschegesetz – ‘GwG’), which transposes the European Anti-Money Laundering Directives in Germany, the German Federal Data Protection Act (‘BDSG’) and the European General Data Protection Regulation (‘GDPR’) need to be complied with.
Can payment services be provided by non-banks, and if so on what conditions?
Yes, pursuant to German supervisory law, not only banks that hold a license as a deposit-taking credit institution but also non-banks are allowed to provide payment services in Germany. The latter, however, need to have a license either as a payment institution under the PSD2 or as an e-money institution under the Second EU E-Money Directive.
Payment institutions are subject to an independent supervisory regime under the ZAG which stipulates that non-bank payment service providers that are planning to provide payment services in Germany, in general must be authorised by or – in case they only provide account information services – registered with the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht - ‘BaFin’). Payment institutions must comply with a number of ongoing regulatory requirements, i.a. with regard to their internal governance, shareholder control, specific notification duties, and specific organizational duties relating to IT-risk and fit and proper rules for the senior management.
There are some exceptions to the authorisation requirement based on the waiver provisions laid down in the PSD2, but BaFin tends to apply a narrow interpretation of those waiver provisions and thus, there generally is only little leeway for the provision of ‘non-regulated’ payment services in Germany.
What are the most popular payment methods and payment instruments in your jurisdiction?
The latest study by Deutsche Bundesbank ‘Payment behaviour in Germany in 2017 – Fourth study of the utilisation of cash and cashless payment instruments’ showed that the most popular means of payment of private persons at the Point of Sale (POS) in Germany continues to be cash (74% of all transactions). The proportion of cash in relation to overall turnover was below 50%. Of electronic means of payments, the most often used is the debit card (predominantly the girocard with PIN, signature or contactless) (35% share of turnover, 19% number of transactions). The corresponding share of turnover with credit cards was up slightly to just under 5%. The corresponding share of turnover with contactless card payments was above 1%. Rather few payment transactions are made via smartphone and with customer or prepaid cards. The use of e-payment schemes for online shopping has since become established. Their share of overall turnover and in relation to the total number of payment transactions continued to rise to just under 4% and 2%, respectively.
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
By outlining the access for new market entrants, such as payment initiation service providers (‘PISPs’) or payment account information service providers (‘AISPs’) (together referred to as ‘third party providers’ or ‘TPPs’), the PSD2 is likely to make fundamental changes to the value chain of payments and redefine the current market of online banking and cashless payment in Europe.
In Germany, the ZAG transposes the respective PSD2 provisions (see answers to questions 1 and 2 above for more detail) regarding the right of access to the customers’ payment account (data) for PISPs and AISPs and related duties of banks / account servicing payment service providers as well as PISPs and AISPs. The – directly applicable – Delegated Regulation on strong customer authentication and common and secure communication under PSD2 (Delegated Regulation (EU) 2018/389 – ‘SCA-RTS’) contains further details in this regard.
Service providers that are planning to provide payment initiation services in Germany must obtain a respective authorisation from BaFin or, in case they only provide account information services, a registration with BaFin. Although PISPs and AISPs are subject to lower licensing requirements than (deposit-taking) credit institutions, they must comply with a number of ongoing regulatory requirements (see answers to questions 1 and 2 above for more detail).
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
Since the GDPR came into force in May 2018, sufficient protection of consumers’ personal data processed by financial service providers has become even more important. The GDPR itself did not create any new obstacles concerning the collection, use or transfer of personal data by financial service providers as such. This is at least the case if the processing of personal data takes place within a contractual relationship with the consumer or the consumer has otherwise given informed consent to the provider. Still, the financial services industry has to pay more attention to the diligent and lawful handling of personal data, as non-compliance with the GDPR can lead to severe fines. German data protection authorities have already initiated a number of proceedings in cases of GDPR breaches, with threatened fines of up to double-digit million EUR amounts.
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
The German supervisory authority BaFin is implementing a digitization strategy, following market developments rather closely, communicating intensively with new players and adjusting its regulatory practice to new technological developments. BaFin states that it pursues a technology-neutral, principle-based, risk-oriented and proportionate regulatory approach. While regulatory sandboxes do not exist in Germany, BaFin states that it will adjust the intensity of the supervision depending on the risk associated with a given business model, taking into account the principle of proportionality: while identical regulatory standards should apply to identical risks and identical business models, BaFin at the same time wants to give new players the room to grow into their regulatory status.
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
The German regulatory environment entails rather detailed and strict requirements. Consumer protection is an important issue. While certain fintech business models suffer from the persistent low interest rate environment, other areas, such as crowdfunding, have been subject to frequent changes in the regulatory framework (with more changes anticipated to arrive with the proposed European Crowdfunding Service Providers (ECSP) regulation). In Germany, DLT applications are still confronted with a relatively high level of legal uncertainty, including with regard to data protection aspects. Nevertheless, the fintech market is growing very dynamically.
What tax incentives exist in your jurisdiction to encourage fintech investment?
There are no specific tax incentives for fintech. If, however, a fintech is involved in R&D, a recent bill provides for an income tax credit of up to EUR 500,000 per fiscal year on R&D-related salaries and wages.
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
The FinTech sector in Germany is attracting ever more venture capital investments. Total investments in German FinTech companies reached over EUR 700m in the first three months of 2019, equivalent to 96% of last year’s total. The current strong year 2019 can be attributed so far to some large transactions involving e.g. Raisin, wefox Group, N26, bitwala, FRIDAY. On the basis of these landmark transactions payment services and investment marketplaces (N26, bitwala, Raisin) are still the most attractive FinTechs, but InsurTech (FRIDAY and wefox) is also getting more and more attractive. The rising number of larger deals has pushed the average deal size up from EUR 2.7m in 2014 to about EUR 34m in the first quarter of 2019. The trend looks set to continue as the FinTech landscape in Germany matures further and more key players establish themselves.
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
The German market for financial services is large and well developed. There are many skilled specialists for both financial and technology topics. In addition, companies that master the German regulatory framework are well positioned for EU-wide scaling.
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quota systems/immigration caps in place in your jurisdiction and how are they determined?
In Germany, there are no quota systems with regard to the immigration of fintech employees. However, there are immigration rules to observe, and these differ according to citizenship.
Citizens of a member state of the European Union or from Iceland, Norway and Liechtenstein neither need a residence permit nor a work permit (§§ 2, 12 FreizügG/EU).
Employees from Switzerland (§ 28 AufenthV) and some other countries such as Australia, Canada, and the US (§ 41 I AufenthV) can enter without a visa, but need to apply for a residence permit including a work permit in Germany. All citizens from other countries, besides a residence permit, also need a visa for work purposes.
Highly qualified employees from all countries can apply for an EU Blue Card (§ 19a AufenthG), in case they have a (foreign) university degree or at least 5 years' relevant professional experience.
If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
The German legislator has indeed seen gaps in access to talent and has therefore recently passed a law that widens access to the German labour market and will come into force on 1 March 2020. It abolishes the priority review, i.e. the obligation to check whether so-called preferred individuals are available for a vacancy.
What protections can a fintech use in your jurisdiction to protect its intellectual property?
With regard to registered intellectual property rights (IPR), the most relevant are trademark registrations, which secure brands or the labelling of products, websites, apps etc. Trademark rights are granted on a ‘first come, first served’ basis and they protect the owner against the identical or very similar use of its trademark by a competitor.
Patent registrations are unlikely to be the focus of a fintech. Under the German Patent Act (Patentgesetz), software programs as such are expressly excluded from patent protection. Also, processes and business models as such are not patentable in Germany.
Fintechs may rely on copyright protection under the German Copyright Act (Urheberrechtsgesetz) as an unregistered IPR. It protects intellectual creativity, e.g. the source code of software or – to a certain extent – also the way graphics, images or texts are designed and displayed to a consumer.
A database can obtain copyright protection if it is original with a certain level of intellectual creativity. Non-original databases as an organized collection of data, generally stored and accessed electronically from a computer system can also be protected if the investment in obtaining, verifying and presenting the data was substantial. This protection is known as the ‘sui generis’ right, i.e. a specific property right for databases that is unrelated to other forms of IPRs.
Otherwise, the protection of business and trade secrets as well as know-how had until recently been regulated only sparsely and in a fragmented manner across three different areas of German law (torts, unfair competition and criminal law), each area covering only its own specific scope and none providing comprehensive protection. This changed to a significant extent when the new Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen) came into effect in April 2019. This law now provides a universal approach to the protection of know-how and business information (trade secrets) against unlawful acquisition, use and disclosure.
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
As of today, cryptocurrencies are not explicitly regulated in German supervisory law. Nevertheless, the German supervisory authority BaFin qualifies cryptocurrencies as financial instruments in the form of an accounting unit within the meaning of section 1 (11) 1 No. 7 Banking Act (Kreditwesengesetz – ‘KWG’). This legal classification applies in general to all virtual currencies irrespective of the software they are based on or which encryption technologies they use. Despite the fact that this legal qualification was challenged by the Higher Regional Court of Berlin (Kammergericht Berlin) in a criminal law proceeding in 2018, BaFin has already announced that this has no consequence for the administrative practice and it will stick to the former interpretation.
However, just using (i.e. paying with or accepting) cryptocurrencies as a substitute for cash or deposit money does not require authorisation. Equally, mining cryptocurrencies in and of itself does not trigger an authorisation requirement. The same applies to the sale of either self-mined or purchased cryptocurrencies, or their acquisition. However, any commercial handling of cryptocurrencies such as brokerage services, trading for the account of others or exchange activities may trigger an authorisation requirement under the KWG.
According to a draft bill on the implementation of the 5th EU AML Directive, crypto assets will in future explicitly qualify as financial instruments within the meaning of section 1 (11) 1 No. 10 KWG (as amended). The definition of crypto assets in the draft bill is wider than the term covered by the 5th EU AML Directive and will also cover security tokens, if these are not already classified as financial instruments for another reason. Further, the draft bill introduces a new regulated financial service called ‘crypto depository business’ (Kryptoverwahrgeschäft). The crypto depository business shall encompass any service provider who offers to store, retain or manage for others either crypto assets or cryptographic private keys that can hold, save or transfer crypto assets. This broad definition also triggers a BaFin license requirement for certain wallet providers. As a consequence the provider of crypto depository business will also have to comply with applicable anti-money laundering rules in Germany, in particular with the KYC identification obligation with regard to the customers.
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
At present, ICOs are not subject to any specific regulation. However, in February 2018, BaFin published an advisory letter regarding the regulatory classification of tokens in the area of securities supervision. BaFin pointed out that it has to be determined on a case-by-case basis whether a specific token constitutes a financial instrument within the meaning of the German Securities Trading Act (Wertpapierhandelsgesetz – ‘WpHG’) or the Markets in Financial Instruments Directive (MiFID II), a security within the meaning of the German Securities Prospectus Act (Wertpapierprospektgesetz – ‘WpPG’), or a capital investment within the meaning of the German Capital Investment Act (Vermögensanlagengesetz – ‘VermAnlG’).
Such supervisory classification has an impact on the potential obligations at issuance (e.g. prospectus obligation) as well as potential obligations for third parties participating in the issue and in secondary market trading (e.g. license requirement for investment brokerage).
If, for example, ownership of a token entitles the holder to profit distributions, interest payments or the exercise of participation rights, the token may constitute a security or a capital investment. In Germany, the public offering of tokens that are classifiable as securities or capital investments requires the preparation of a prospectus that needs to be approved by BaFin.
Conversely, the usage, issuance or trading of pure utility tokens (e.g. app tokens, product use tokens, consumption tokens) shall in most cases not trigger any authorisation or prospectus requirements under German supervisory law.
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
In 2019 there have been a number of considerable blockchain pilot projects.
Substantial attention has been devoted to two issuances of commercial papers issued and settled on a DLT basis. In these cases, the issuance was structured as a primary securities issue directly between the issuer and the investor via the blockchain, and the German banks involved did not act in their traditional role as broker but as arranger and blockchain operator. Admittedly, these pilot projects may be classified as test cases.
Furthermore, at the beginning of the year BaFin approved the first securities prospectus for the issue of so-called security tokens (STOs) by the Berlin-based company Bitbond Finance GmbH. This was followed by a number of similar prospectuses by various issuers, some of which used the proceeds from the issuance for financing real estate projects. However, these instruments are not securities in the sense of German civil law.
Another pilot project initiated by Commerzbank AG in the field of payments involved the exchange and settlement of payments between an electronic charging point and a Daimler Truck system without any human intervention (so-called machine-to-machine payments).
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
According to the results of a recent BaFin consultation, the main areas of AI use in the financial sector so far are the analysis of financial and alternative data for trading; product and services pricing; risk modelling; anti-money laundering; and the emergence of platform-based business models. Cooperation between existing businesses and new specialised big data providers/BigTechs is on the rise, resulting in an increased use of outsourcing systems/APIs and a growing fragmentation of value chains.
The existing financial market regulatory framework aims to be principle-based and technology-neutral and should therefore by definition not hamper the use of AI. However, certain AI-related aspects are perceived as regulatory challenges, such as a lack of explainability and traceability of AI-based decisions. BaFin states it will not accept any risk assessment models presented as an unexplainable black box. Further, it discusses new regulatory approaches such as the appointment of algorithm officers (similar to data protection officers), the establishment of data ethics commissions, code review processes, simulation and penetration tests and reviewing sample profiles.
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
Especially with regard to insurance brokerage, insurtech-based online platforms are already very popular and widely used. Besides this, tech-based tools that analyse potential risks and help avoid damage, advise on helpful or necessary insurance, or analyse gaps in a person's insurance situation or existing double insurance have recently been entering the market and are becoming more and more popular.
Are there any areas of fintech that are particularly strong in your jurisdiction?
In our perception the strongest and most dynamic fintech areas in Germany are payments, banking-as-a-service, crowdfunding/investment marketplaces, robo advice and DLT applications.
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
The answer to this question depends very much on the area of activity in question. In areas with high market entry barriers, such as in particular traditional banking and payment business, the focus is on cooperation models and outsourcing (with the exception of individual fintech banks with high disruptive potential). Disruption has so far taken place primarily in areas where the implementation of business models is less dependent on obtaining complex and expensive regulatory permits, such as crowdfunding/crowdlending and – arguably – DLT.
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
Most major private banks pursue their own digitization strategies and R&D and also either maintain their own incubators or corporate VCs or otherwise strive for external growth in the fintech area. The decentralized Volksbanken and cooperative banks also frequently acquire participations in fintechs or enter into cooperations with them.
Are there any strong examples of disruption through fintech in your jurisdiction?
There are many examples of successful disruption in the German market. These include, for example, the business models of Sofortüberweisung (online payments), Scalable Capital (robo-advisor), N26 (direct banking) and Raisin (deposit marketplace).