Liechtenstein: FinTech Comparative Guide

1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

Broadly speaking, the following acts and corresponding ordinances may apply:

• the Banking Act;
• the Asset Management Act;
• the Payment Services Act;
• the Electronic Money Act;
• the European Economic Area (EEA) Securities Prospectus Implementation Act;
• the Investment Undertakings Act;
• the Act regarding the Managers of Alternative Investment Funds;
• the Act on Undertakings for Collective Investment in Transferable Securities;
• the Insurance Distribution Act;
• the Law on Professional Due Diligence to Combat Money Laundering, Organised Crime and Terrorist Financing;
• the Persons and Companies Act;
• the Act on the Disclosure of Information concerning Issuers of Securities;
• the Gambling Act;
• the Consumer Protection Act;
• the Remote Financial Services Act;
• the Distance and Foreign Trade Act;
• the Financial Market Authority Act; and
• the Act on the Register of Beneficial Owners of Domestic Entities.

Additionally, European regulations and directives which have been implemented into Liechtenstein law must be applied in conformity with EU law. Not all of these European regulations and directives have been implemented into the EEA acquis communautaire through an EEA joint committee decision; however, Liechtenstein usually implements these regulations and directives into national law in advance.

1.2 Do any special regimes apply to specific areas of the fintech space?

The Tokens and Trusted Technologies Service Provider Law (TTTL), which unanimously passed through its second reading in Parliament and is expected to come into force the first of January 2020, is specifically tailored to promote regulatory certainty within a token economy. This particular law aims to provide friendly regulations for blockchain and crypto projects, designed to give entrepreneurs legal certainty and enhance consumer confidence in these technologies. The TTTL is a Liechtenstein law, which is applicable only if no other financial market law applies; the TTTL does not interfere with EU law.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The most relevant government body when it comes to fintech is the Financial Market Authority (FMA), as this is the official body that is authorised to grant financial market licences upon application, if all regulatory requirements are met. Additionally, under the so-called ‘Regulatory Lab', it is possible to obtain a ruling from the FMA stating whether a specific business model or token structure is regulated. The FMA has regulatory oversight powers, as well as the power to issue and revoke licences and to impose sanctions. Other than that, the Liechtenstein courts have jurisdiction.

1.4 What is the regulators' general approach to fintech?

In general, the regulator's attitude towards fintech is comparatively friendly. In fact, the FMA has an entire department that is wholly dedicated to fintech-related inquires. This allows innovators and entrepreneurs to obtain feedback in a timely manner from a regulator that is well informed on the issues.

1.5 Are there any trade associations for the fintech sector?

The Crypto Country Association of Liechtenstein focuses on supporting the blockchain and cryptocurrency sector within the country.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

The blockchain and cryptocurrency sector is the most embedded fintech sub-sector within the principality. This is apparent from the efforts made in drafting the Tokens and Trusted Technologies Service Provider Law (TTTL), as well as the fact that most of the inquiries submitted to the FMA's fintech department relate to blockchain and crypto.

2.2 What products and services are offered?

A wide range of products and services is provided, including blockchain-based platforms serving a utility function, issuance of security tokens on blockchain-based platforms and exchange service providers.

With regard to exchange service providers, some fintech players seek to operate strict utility or crypto-to-crypto exchange services, while others seek a licence that would allow for the secondary market trading of security tokens.

2.3 How are fintech players generally structured?

The most typical form of incorporation is a company limited by shares (AG), although the option of incorporation as a limited liability company (GmbH) or a form of incorporation unique to Liechtenstein known as the (private law) establishment (Anstalt) is also available.

2.4 How are they generally financed?

Financing of fintech companies varies on a case-by-case basis. For example, some companies carry out a token offering as a means to fund the build-out of a platform; whereas others already have a proven business model and are looking to expand into the fintech space.

2.5 How are they positioned within the broader financial services landscape?

Until the TTTL is enacted, some fintech companies will remain unregulated; while others have business models that require specific licences under the existing financial services regime. Therefore, some companies deliberately seek to ensure that their business model is unregulated; whereas others are actively applying for financial service provider licences, which would allow them to conduct a broader range of activities.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Outsourcing of back office functions is permitted. The legal implications of outsourcing back office functions in the fintech space correspond to those in the traditional business world and industry.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

As part of the European Economic Area (EEA), Liechtenstein implements EU legal acts and, with regard to e-commerce, has implemented Directive 2000/31/EC through the E-commerce Law. ‘E-commerce' involves the digital processing of transactions between businesses and consumers and also between businesses. The approach to e-commerce reflects the principality's favourable attitude towards traditional companies, albeit in the digital realm. Thus, companies that focus on e-commerce can also benefit from a favourable tax regime and free access to the EEA and the Swiss market.

In comparison to other EU member states, especially German-speaking ones, Liechtenstein is much more liberal in its approach to e-commerce and m-commerce. In particular with regard to competition law, the principality is an attractive e-commerce location. In neighbouring countries, restrictive competition laws allow companies to offer only a limited amount of services.

With regard to e-commerce payment solutions, the E-money Act and the Payment Services Act also apply. The former relates specifically to the activities of e-money institutions and the protection of those involved in the e-money business; while the latter regulates payment institutions that provide payment services on a professional basis.

M-commerce is closely related to e-commerce, as both allow individuals to conduct transactions online. M-commerce is a sub-category of e-commerce, which allows people to purchase on the go using their mobile devices. The same principles apply.

As in the rest of the EEA, the collection of big data is regulated by the General Data Protection Regulation (GDPR), which leaves some questions open to national law. In Liechtenstein, these issues are regulated by the Data Protection Law. Big data allows companies to detect patterns and trends, but this has significant implications with regard to privacy. The GDPR is thus intended to protect consumers and outline whether and how their personal data can be processed. The GDPR is discussed in further detail in question 5.1.

The same issues that arise with regard to big data are at play regarding cloud computing, as the use of cloud computing services presents the same risks with regard to data protection.

Artificial intelligence (AI) itself is not regulated. However, depending on the designated business plan, roboadvice and/or AI may be qualified as a form of asset management (eg, ancillary securities service) if financial instruments are involved.

Ultimately, the regulation surrounding any automated platform will depend on the type of token being traded. Bitcoin itself is not a security, but the Liechtenstein government is moving towards classifying tokens issued in token sales that meet certain requirements (eg, that represent a financial instrument) as transferable securities pursuant to the recast Markets in Financial Instruments Directive, thus subjecting those particular tokens to regulation (security token offering).

Therefore, any kind of AI applied to the trading of officially recognised transferable securities is thus subject to regulation by the authorities. Conversely, any AI applied to the trading of utility or commodity tokens does not require a licence from the FMA. Again, whether AI is regulated will depends on the underlying business case; AI itself is not regulated.

On the regulatory front, the new Tokens and Trusted Technologies Service Provider Law (TTTL), which will regulate certain companies based on ‘trusted technologies' such as distributed ledger technology and blockchain technology. Through the TTTL, the government aims to support and monitor the fintech sector, while also regulating it accordingly. This approach both promotes and assists the industry, while at the same time avoiding uncontrollable growth. Ultimately, this should attract new crypto companies by enhancing legal certainty.

Liechtenstein has included virtual currencies in the latest amendments to its Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing pursuant to the EU Anti-money Laundering Directives. The due diligence obligations codified in the act aim to combat money laundering, organised crime and terrorist financing, and apply to providers of exchange services, among others. An ‘exchange office' (‘bureau de change') is defined as any natural or legal person whose activities consist of the exchange of legal tender at the official exchange rate or of virtual currencies against legal tender, and vice versa. ‘Virtual currencies' are defined as "digital monetary units, which can be exchanged for legal tender, used to purchase goods or services or to preserve value and thus assume the function of legal tender". Pursuant to the report and Motion 2016/159, the most notorious example of such a virtual currency is Bitcoin.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Crowdfunding can take different forms, such as investment-based or lending-based crowdfunding. No specific legislation relates to crowdfunding or peer-to-peer lending, although a legal basis may be found in the Banking Act.

According to EU law, a crowdfunding directive will be enacted in the near future. This will also have an impact on Liechtenstein jurisprudence, given the harmonisation between Liechtenstein and the European Union due to Liechtenstein's membership of the European Economic Area (EEA). In Liechtenstein, funding through initial coin offerings (ICOs) or security token offerings (STOs) is possible under the current legal framework. However, approval by the FMA may be required and in the case of STOs, a prospectus will need to be published. At it currently stands, an ICO will be regulated in Liechtenstein if security tokens are being issued. In general, there is no single act specific to ICOs that regulates crowdfunding, but several existing laws may apply. Also, anti-money laundering and know-your-customer obligations will depend on the specific design of the crowdfunding initiative.

Although no specific act currently applies directly to ICOs, the passage of the TTTL will directly apply to token generating events.

Alternative finance activities include crowdfunding, peer-to-peer lending, ICOs and STOs. As discussed in question 4.1(a), laws such as the Banking Act may apply to such activities. However, there is as yet no overarching Liechtenstein or EU law. Another alternative finance activity is peer-to-peer factoring (non-recourse factoring), which is also listed as a business model on the Financial Market Authority (FMA) website, but for which there is currently no applicable legislation. Specific models will thus be analysed on a case-by-case basis. While non-recourse factoring is not considered a banking business in Liechtenstein, recourse factoring fulfils the criteria for qualification as a crediting business reserved to banking institutions.

With regard to such lending platforms, regulation will depend on how they are structured in detail and on whether crypto-assets or fiat money is being credited. Lending business pursuant to Article 4.1(1) of the Capital Requirements Regulation is based on cash loans, which means that crediting of crypto-assets in general does not constitute a lending business which is reserved for banks. However, in the case of fiat involvement, a banking licence will be required. Providing a platform where users may offer loans in fiat currency may in fact not be possible unless the users have a banking licence. The operator of the platform may also potentially be involved in a banking business, which will require a banking licence.

The revised Payment Service Act of Liechtenstein entered into force on 1 October 2019, implementing PSD II. The E-money Act, based on the E-money Directive, is also relevant with regard to payment services.

The application of PSD2 could trigger the need for a payment services licence in the case of many payment service models.

Forex involves an over-the-counter market in which different market participants, such as banks, can buy, sell and exchange currencies. This is mentioned among the functions of a bank in the Banking Act. The regulations that may apply include the Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing. Exchange bureaux specifically fall within the scope of application of the law (Article 3, paragraph 1, letter f).

For details of cryptocurrency exchanges, which are revolutionising this area, please see question 4.1(e). However, as in the case of forex, due diligence obligations must be respected. The conversion of virtual currencies into legal tender and vice versa is specifically mentioned as falling under the Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing (Article 5, paragraph 2, letter g).

With regard to cryptocurrency exchanges in particular, as there are various forms of crypto-exchanges, the applicable regulations will vary from case to case. Exchanges which match buying and selling interests (matched principal trading; multilateral trading) with regard to utility tokens against fiat and/or crypto are currently unregulated and require only a trade licence from the Office of Economic Affairs to conduct an operating business. With the enactment of the TTTL, with regard to tokens, certain service providers will have to register with the FMA and will be subject to the due diligence regime, and will no longer have to apply for a trade licence under the Trade Act. However, the settlement in fiat is considered a regulated payment service (especially since the commercial broker exemption is no longer applicable under PSD II when acting on the buy and sell side).

However, if these tokens are traded against the exchange's own book for fiat payments, this might be deemed a so-called Wechselstube (exchange office; bilateral trading) pursuant to the Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing. This is not a licensed activity; rather, the FMA must be notified of this kind of undertaking and due diligence duties are applicable. If only crypto/crypto pairs are traded against the exchange's own order book, this is again considered unregulated business activity. However, under the TTTL, this type of exchange will be required to register with the FMA if payment tokens are being traded.

Security token exchanges are fully regulated pursuant to the recast Markets in Financial Instruments (MiFID II) and require an investment firm with a multilateral trading facility (MTF) or organised trading facility (OFT) on top. The main differences between MTFs and OTFs are that all financial instruments may be traded on an MTF, whereas only certain debt instruments may be traded on an OTF (the OTF may also act on a bilateral basis regarding government bonds). An MTF therefore has participants, while an OTF has customers (also due to the discretionary execution). The third difference between the two trading facilities is that an OTF allows discretionary trading/matching rules, as compared to the non-discretionary nature of an MTF.

Lastly, it is possible to set up interfaces or bulletin boards which merely display information of decentralised peer-to-peer exchanges; these have relatively low regulatory implications, depending on the exact business model. Where a decentralised network operates an exchange, it is not clear who may be subject to regulation; this is particularly relevant if security tokens are traded on the decentralised exchange, as such an exchange may fall under the definition of an MTF or an OTF. Depending on the services rendered in connection with a peer-to-peer exchange, certain licence requirements may apply. In any event, prospectus requirements must be adhered to. Usually both matching and settlement are carried out in a decentralised manner on such exchanges, and associated aspects such as the order book and custodial/escrow services (smart contracts) are also decentralised.

As Liechtenstein is a member of the EEA, EU regulations and directives are generally applicable (further to an EEA joint committee decision). All banking activities (deposit and loan business) as well as investment services pursuant to Annex I of MiFID II are regulated; as are payment services pursuant to PSD2 and the E-money Directive.

Risks in relation to cybercrime are discussed in question 5.2, as the FMA has issued a commentary on this matter. This provides that cybercrime must be included in the IT risk management assessment, so that such risks can be identified early on. Further risks primarily include the use of capital for money laundering or terrorist financing purposes. The Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing and the Ordinance on Professional Due Diligence to Combat Money Laundering, Organized Crime, and Terrorist Financing aim to combat this, and the risk is thus managed through anti-money laundering and know your customer requirements.

See question 3.1(e).

The Insurance Act is based on the EU Solvency II Directive and the Insurance Distribution Directive, and the distribution of insurance products is a regulated activity.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

The EU General Data Protection Regulation (GDPR) – in conjunction with the Liechtenstein Data Protection Act, implementing the GDPR where necessary – also applies to Liechtenstein companies, institutions and associations within the framework of their domestic and foreign customer relations.

The GDPR also covers big companies, small and medium-sized enterprises and sole proprietorships. Whenever a company processes personal data (eg, saves such data in a client index), the GDPR is applicable.

The GDPR contains a number of provisions that can be specified in greater detail or supplemented by individual states. This means that despite the uniform GDPR provisions, there are differences in data protection regimes between individual European states. Around 70 so-called ‘opening clauses' are affected. These are governed by the national data protection regimes of individual states and may be interpreted with varying degrees of strictness. As a result of the amendments to the GDPR, the aforementioned Data Protection Act was completely revised in 2018.

The new duty of accountability under this act means that companies must be able to actively demonstrate that they are adhering to the principles of the GDPR (Article 5, paragraph 2 of the GDPR), as follows:

• The company must ensure transparency when processing personal data.
• The company:
• • must obtain approval for the data processing; and
  • must process data on the basis of a contractual relationship, to fulfil a legal obligation or for another reason specified in Article 6 of the GDPR in order to ensure the lawful and fair processing of personal data.
• The company must inform the data subject of the purpose of the data processing and the specific purpose of the processing in a precise, transparent, comprehensible and easily accessible manner.
• The company must ensure that it does not collect more data than is required for the purpose for which it is being used.
• The company may not store the data for longer than is required for the specified purpose.
• The company must ensure that the data stored is accurate and where necessary up to date, and that inaccurate personal data is erased or rectified without delay.
• The company must ensure that the data is protected from unauthorised access or misuse.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

Fintech companies which are regulated by or which obtain licences under the following laws are subject to regulations under the Financial Market Authority's (FMA) Communique 2018/3 on Expectations on Dealing with Cyber Risks:

• Banks according to the Law on Bank and Investment Firms (Bankengesetz, BankG)
• Investment firms according to the Law on Bank and Investment Firms
• E-money institutions according to the E-Money Act (E-Geldgesetz, EGG)
• Payment institutions according to the Payment Services Act (Zahlungsdienstegesetz, ZDG)
• Management companies according to the Actoncertain Undertakings for Collective Investment in Transferable Securities(GesetzüberbestimmteOrganismenfürgemeinsame Anlagen in Wertpapiere, UCITSG)
• Investment undertakings and management companies according to theInvestment Undertakings Act from 2015(Investmentunternehmensgesetz, IUG)
• Alternative Investment Fund Managers according to the Act on Alternative Investment Fund Managers (Gesetzüber die VerwalteralternativerInvestmentfonds, AIFMG)
• Asset managers according to the Asset Management Act (Vermögensverwaltungsgesetz, VVG)
• Trustees and trust companies according to the Law concerning Professional Trustees and Fiduciaries (Treuhändergesetz, TrHG)

The communiqué outlines specific technical and organisational requirements aimed at preventing cybercrime. Furthermore, the FMA has released non-binding Handout 2019/1 to assist companies in relation to cybersecurity, which aims to enhance awareness of how cyber risks can be identified and addressed. The handout includes indicate possible implementation measures and control mechanisms in relation to the communiqué.

The specific implications (eg, minimum requirements, risk management, identification of specific threat of cyberattacks, vulnerability analyses, information and reporting of cyberattacks, restoring measures) can be found in the handout.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

For years, Liechtenstein has pursued a zero-tolerance approach to anti-money laundering and counter-terrorist financing (AML/CFT).

As a member of the European Economic Area, Liechtenstein has implemented the Fourth EU Money Laundering Directive (2015/849) and the Regulation on Information Accompanying Transfers of Funds (2015/847).

The relevant implementing provisions are found in particular in the Law on Professional Due Diligence to Combat Money Laundering, Organised Crime, and Terrorist Financing; and the Ordinance on Professional Due Diligence to Combat Money Laundering, Organized Crime, and Terrorist Financing. The revised law and ordinance have been in force since 1 September 2017.

In 2002, 2007 and 2014, the International Monetary Fund (IMF) and Moneyval assessed the extent to which the Liechtenstein AML/CFT provisions meet the Financial Action Task Force (FATF) standards (the FATF 40+9 Recommendations). The IMF and Moneyval confirmed Liechtenstein's high standards in combating money laundering and terrorist financing.

Liechtenstein has been an active member of Moneyval for many years. Moneyval is the Council of Europe's Committee of Experts on the Evaluation of Anti-money Laundering Measures and the Financing of Terrorism. This FATF-style regional body has the mandate to ensure, through mutual assessment of its member states, that their AML/CFT measures meet the FATF standards. Moneyval is an associated member of the FATF and reports regularly to the FATF.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

Liechtenstein's favourable, company-friendly legislation has created a flexible environment that presents companies with abundant opportunities to grow. In relation to fintech specifically, the most noteworthy recent example is the Tokens and Trusted Technologies Service Provider Law (TTTL), which will provide a clear legal framework for players in this sector. This exemplifies the principality's commitment to providing a secure and trustworthy space in which companies can thrive. Legal certainty is ‘pro-competitive' in the sense that this should attract more fintech companies to Liechtenstein; and the attendant increase in competition should lead to more optimised solutions, while also developing a space in which know-how is pooled and shared to promote further growth.

With regard to competition specifically, the EU Unfair Commercial Practices Directive applies in Liechtenstein and has been implemented in the form of the Act on Unfair Competition.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

There is no regulatory protection specifically tailored to fintech innovation. However, the existing regulatory regime allows for the protection of innovation through instruments such as IP rights.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Although there are no specific regulatory sandboxes, fintech innovation is incentivised by a friendly regulatory atmosphere and the regulator's extensive knowledge and willingness to provide feedback on proposed projects.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Labour law in Liechtenstein is mainly regulated in the Civil Code (in particular Section 1173a, Articles 1 and following), as well as in the Labour Code, in addition to supplementary statutes. The specific implications for fintech companies will depend on the individual case and whether special rules apply. In particular, major considerations in this regard include the kind of business model adopted or business activities pursued, and the area in which the player is active.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

As a general rule, immigration to Liechtenstein is highly restricted. It is generally possible to obtain short residence permits for a one-year stay, which can be extended in exceptional cases for a further six months. Longer residence permits are more easily obtained by Swiss/EU/European Economic Area nationals than by citizens of so-called ‘third countries'. These permits are generally reserved for specialists and/or upon showing an urgent need that cannot be satisfied by a Liechtenstein citizen or a cross-border commuter.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Most fintech projects in Liechtenstein are currently blockchain related. The biggest development in this space is the anticipated passage of the Tokens and Trusted Technologies Service Provider Law, which is expected to come into force this year.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

• Seek local guidance from experienced public and private stakeholders, and/or specific service providers.
• Seek advice from fintech companies that are already operating in Liechtenstein.
• Join industry associations, such as the Crypto Country Association.
• Participate in fintech events.
• Contact the University of Liechtenstein.
• Do not hesitate to talk to and with people – as the country is relatively compact, the necessary information and contacts can be found without major effort.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.