1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

Fintech covers a broad spectrum of technology-driven innovation in the financial services sector. Determining which regulatory framework applies to fintech companies is a complicated task. European and Dutch financial legislation will generally apply to a fintech company if the products or services it offers fall under the scope of the existing financial regulatory framework. This framework is intended to be ‘technology neutral', meaning that it applies irrespective of the underlying technology used.

Traditionally, European financial services legislation is institution driven rather than activity driven. Where incumbents such as banks typically focus on a full service approach as an institution, fintech companies aim to improve customer experience, financial inclusion and competition in respect of just part of the value chain.

A more activity-based regulatory framework would better suit fintech companies. However, due to the Europeanisation of the regulatory framework governing financial services, the Dutch legislature and the Dutch financial regulators have limited discretion to adopt a more flexible approach towards fintech companies.

The most important areas of law in the fintech space are:

  • financial regulatory laws and regulations, such as the Dutch Financial Supervision Act (in which the second Payment Services Directive, the Markets in Financial Instruments Directive, the Alternative Investment Fund Managers Directive and outsourcing rules applicable to financial institutions are implemented) and the Prospectus Regulation;
  • anti-money laundering and counter-terrorist financing laws;
  • data protection;
  • e-commerce; and
  • consumer protection (eg, the Dutch Civil Code).

Other than in respect of fintech credit platforms, there are no specific Dutch legislative and regulatory provisions that govern the fintech space or particular fintech companies.

1.2 Do any special regimes apply to specific areas of the fintech space?

With regard to fintech credit platforms (ie, crowdlending, marketplace lending, peer-to-peer lending platforms), the Dutch legislature and the Netherlands Authority for the Financial Markets (AFM) have established a specific regime. Fintech companies that operate an online credit platform match lenders with borrowers when attracting a loan. They are considered to be professional intermediaries and have a special duty of care to ensure that lenders (in particular, non-professional/retail lenders) are adequately informed to make an informed investment decision.

Operators of fintech credit platforms are often involved in the credit scoring and risk classification of the borrower, and determine the coupon (range) applicable to the loan before it is published on the online platform.

Upon a loan being financed, the services of the fintech company generally also include facilitating payment flows that relate to the loan through a separate special purpose vehicle or a third-party service provider.

Under the Dutch regime applicable to fintech credit platforms, the operator of the platform must obtain a dispensation from a Dutch law prohibition against acting as an intermediary in respect of attracting or obtaining the disposal of repayable funds from the public in the Netherlands (or from the Netherlands in another EU member state). The granting of the dispensation by the AFM is subject to the platform's compliance with minimum conditions to ensure prudent and sound business operations, adequate client handling and suitable and reliable management. Additional conditions apply if the fintech company also accepts retail clients.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The following table sets out the relevant bodies that are mainly responsible for the laws and regulations relevant to fintech companies.

| Supervisory authority | Primary supervisory responsibility |
| --- | --- |
| Dutch Central Bank (DNB) | DNB is both the central bank of the Netherlands, which aims to ensure financial stability and limit systemic risk; and the financial supervisory authority with regard to prudential supervision. With regard to its supervisory authority, DNB is part of a so-called ‘twin peak’ model together with the AFM. It has primary supervisory authority for banks, pension funds, insurers, payment services providers and electronic money institutions, among others. |
| Netherlands Authority for the Financial Markets (AFM) | The AFM is the financial supervisory authority with regard to market conduct supervision, which aims to ensure that financial market processes are orderly and transparent and that clients are treated with due care. It has primary supervisory authority for investment firms, crowdfunding platforms, managers of investment funds, consumer credit providers and other financial services providers, among others. |
| Netherlands Authority for Consumers and Markets (ACM) | The ACM is the supervisory authority with responsibility for competition oversight, compliance with sector-specific regulations of several industries and enforcement of consumer protection laws (other than relating to financial services). |
| Netherlands Data Protection Authority (DPA) | The DPA is the supervisory authority with responsibility for oversight of personal data processing. |

All supervisory authorities included in this table are authorised to conduct investigations and take enforcement actions, such as imposing administrative sanctions. The supervisory authorities may also publish policy rules and help companies to comply with the statutory obligations by issuing guidelines and interpretations.

1.4 What is the regulators' general approach to fintech?

Both the Dutch government and the Dutch regulators are very positive about fintech developments. The Dutch financial market is controlled by a limited number of incumbents, resulting in a less competitive market. Fintech companies have the potential to influence the dominant position of the Dutch incumbents, albeit that the actual market share of fintech companies and solutions in the Netherlands is still small.

Although in the last coalition agreement the ruling parties agreed to introduce less stringent licensing requirements for fintech companies, this goal has not yet been achieved. The Dutch financial regulatory laws have not changed in a way that makes it easier for fintech companies to access the market. This is mainly due to the impact of the European financial regulatory framework, which generally applies in the Netherlands.

However, in 2016 the AFM and DNB jointly launched two initiatives with the aim of both facilitating fintech and gaining knowledge of fintech developments:

  • The InnovationHub is an information portal (which the ACM also supports) where new and existing market parties can raise general questions relating to the regulatory framework applicable to their fintech solutions.
  • The Regulatory Sandbox (MaatwerkvoorInnovatie) is a more extensive process of knowledge sharing between companies and regulators. The sandbox enables fintech companies to discuss a customised approach if they experience disproportionate regulatory obstacles. This is possible only if the applicable laws and regulations provide room for a more proportionate approach. In August 2019, the initiators published an evaluation report which stated that this has occurred on a few occasions since the creation of the sandbox.

1.5 Are there any trade associations for the fintech sector?

A number of associations are active in the fintech sector in the Netherlands, of which Holland Fintech is the most active and important. Holland Fintech offers an independent ecosystem aiming at sharing knowledge and connecting all stakeholders in the fintech sector. Holland Fintech does not focus on a specific type of fintech company or category of fintech activities; it aims to build an inclusive fintech ecosystem (https://hollandFintech.com).

In the field of fintech credit platforms, branch organisation Nederland Crowdfunding is worth mentioning. Despite the relatively large number of fintech credit platforms in the Netherlands, this branch organisation has a limited number of members. Nederland Crowdfunding has drawn up a code of conduct with which its members must comply. Through this self-regulatory code, which aims to ensure more transparent business operations, member platforms can distinguish themselves from other crowdlending platforms active in the Netherlands (https://nederlandcrowdfunding.nl).

The Dutch Blockchain Coalition – a multidisciplinary group of stakeholders and blockchain believers – is also worth mentioning. It strives to "realise fully reliable and socially accepted Blockchain applications, to create the best possible conditions to allow Blockchain applications to arise, and to facilitate the use of Blockchain as a source of trust, well-being, prosperity and security for citizens, companies, institutions and government bodies" (https://dutchblockchaincoalition.org/).

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

The Financial Stability Board divides fintech activities into five categories based on their economic functions, as follows (see www.fsb.org/wp-content/uploads/R270617.pdf):

  • payments, clearing and settlement – examples include the new payment services under the second Payment Services Directive (PSD2) (payment initiation services and account information services) and the use of APIs to achieve a more open banking environment;
  • deposits, lending and capital raising – examples include alternative financing and crowdfunding platforms, whether or not based on blockchain technology;
  • insurtech – examples include insurance policies programmed as smart contracts and Internet of Things developments and similar big data collecting wearables, sensors or software;
  • investment management – examples include robo-advisory investment services, mobile trading applications and algorithm-based trading robots; and
  • market support – examples include cloud computing solutions (software as a service, platform as a service, business process as a service, data as a service and infrastructure as a service), regtech and innovative digital and biometric ID (know your customer) services.

Due to its digital ecosystem and high connectivity, thanks to housing two of the largest internet exchange points in the world (AMS-IX and NL-IX), the Netherlands is home to many tech companies, including fintech companies. As the world's second datacentre hotspot, Amsterdam is known as the digital gateway to Europe (www.digitalgateway.eu).

Recent research conducted by EY shows that the Netherlands has the highest percentage of consumer fintech adoption in Europe (73%, compared to a global average of 64%) (EY, Global Fintech Adoption Index 2019).

The Netherlands is thus the perfect testing market for fintech start-ups. The payments (eg, Adyen, iDeal), business lending (eg, Funding Circle) and market support (eg, Ohpen) sub-sectors are the most embedded in the Netherlands.

2.2 What products and services are offered?

The main driver for Dutch fintech companies is improving user and customer experience. Although the payment sub-sector is one of the three most embedded sub-sectors in the Netherlands, this is also probably the most difficult sub-sector in which to gain a foothold. Dutch consumers have long enjoyed a safe, quick, robust and well-organised payment infrastructure.

Dutch consumers further may not feel a need for innovative competition in the online payment market thanks to the service offered by iDeal. iDeal was launched in 2005 by Currence as a joint initiative of eight Dutch banks. It has enjoyed phenomenal success: in 2018, approximately 524 million transactions were settled through iDeal, with a transaction value of approximately €43 billion. Approximately 70% of those iDeal payments were made via mobile banking applications (www.ideal.nl/actueel/kerncijfers/).

Notwithstanding this competition, payment institution Adyen (which today holds a banking licence) is one of the Netherlands' fintech unicorns. Whereas iDeal focuses on the Dutch market, Adyen is aimed at the global payments market.

Credit platforms focusing on business loans for small and medium-sized enterprises (SMEs) are also deeply embedded in the Dutch market. As of September 2019, 44 lending platforms were registered in the public register of the Netherlands Authority for the Financial Markets. Peer-to-peer and consumer credit platforms, as well as crowdinvesting / equity platforms, are less active in the Dutch market.

2.3 How are fintech players generally structured?

The most common corporate structure in the Netherlands is a private limited liability company (BV). A BV is a capital company with legal personality. With the exception of insurtech companies (if they qualify as insurance companies), the BV is an accepted legal form for all types of fintech companies that are subject to the Dutch Financial Supervision Act.

It is relatively common to set up a corporate structure with a BV as holding company and one or more BVs as operating companies. If the fintech company has patents or other IP rights, setting up a separate IP BV within the corporate structure could also be advisable.

There may be tax reasons to structure the fintech company differently, because each Dutch BV is generally independently liable to pay taxes such as Dutch corporate income tax (unless they form a tax entity, a fiscale eenheid). However, the participation exemption (deelnemingsvrijstelling) is an interesting Dutch tax feature which is often used to set up a tax-efficient structure. It offers the possibility to exclude income from qualifying interests held by the Dutch BV from its taxable profits.

The current corporate income tax rates are between 19% (first €200,000 of taxable profits) and 25% (taxable profits over €200,000). These rates will be gradually reduced from 2021 to 15% and 20.5% respectively.

2.4 How are they generally financed?

Depending on the stage which they have reached, fintech companies are primarily financed by regular seed capital providers, such as angel investors and early-stage venture capital funds. Research conducted by KPMG (https://assets.kpmg/content/dam/kpmg/xx/pdf/2019/07/pulse-of-Fintech-h1-2019.pdf) shows that later-stage venture capital funds and private equity funds are also increasingly aware of the potential of the fintech sector. Crowdfunding is another way to fund start-ups, including fintech companies.

The Netherlands is also home to numerous start-up accelerator programmes. The Dutch government aims to make the Netherlands the best start-up ecosystem of Europe – a ‘unicorn nation'. The most important programme is TechLeap (previously called StartupDelta) (www.techleap.nl). The Dutch government has made €65 million available for start-ups and scale-ups, including €35 million in funding for TechLeap. Multiple subsidies are also available for fintech companies in the form of loans provided by the Dutch government on interesting terms. Examples include the innovation credit (https://english.rvo.nl/innovation-credit), government guarantee for SME loans (borgstellingskrediet, https://www.rvo.nl/subsidies-regelingen/borgstelling-mkb-kredieten-bmkb) and the possibility for closed-end venture capital funds to obtain a subordinated interest-free hybrid loan from the Dutch government to finance one or more investments in tech start-ups (https://english.rvo.nl/subsidies-programmes/seed-capital).

Other accelerator, incubator and scale programmes worth mentioning include:

2.5 How are they positioned within the broader financial services landscape?

Although fintech companies are not disrupting the stability of the Dutch financial system, the fintech industry is expanding and growing exponentially – both globally and in the Netherlands. Fintech companies are increasingly gaining territory in the broader financial services landscape. PSD2 is helping to promote broader acceptance of fintech developments, while incumbents are also embracing the potential of fintech solutions.

The largest Dutch banks and insurance companies have acceleration programmes (eg, ING – www.ing.com/About-us/ING-Labs.htm), or have founded their own fintech start-ups (eg, ABN AMRO's crowdlending platform New10 and the account information service provider services provided via its Gripp app; Rabobank's investment app Peaks; Nationale Nederlanden's insurance app Gappie; and Kasbank's currency overlay platform for professional investors, KasHedge). Dutch incumbents are also investing in fintech companies and exploring other ways of collaborating with them (eg, Aegon's fintech investments – in particular, in alternative financing platforms – via its venture fund Transamerica Ventures; ABN AMRO's collaboration with fintech Temenos and investment through its Digital Impact Fund; and ING Ventures, a fund focused on fintech investments, such as in Dutch fintech company Cobase, which recently obtained its PSD2 licence from the Dutch Central Bank, enabling it to launch its multibank platform).

Increased disruption and competition should perhaps be expected from the tech giants – for example, ING recently announced the launch of Apple Pay as an instore payment method for its customers.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Given that market support and back-end tech solutions is one of the most embedded fintech sub-sectors in the Netherlands, fintech start-ups are often the entities to which services are outsourced.

As fintech start-ups generally have a strong focus on their core business, back office functions such as payroll, human resources, tax administration services and debt collection services are quite often outsourced. There is a well-developed outsourcing market in the Netherlands. The fee structures of outsourcing companies are diverse in terms of volumes, turnover and similar quantitative indicators, enabling both start-ups and multinationals to access this market.

The main legal implications are presented by privacy laws (the General Data Protection Regulation) and financial regulatory laws. Financial regulatory laws generally entail the following:

  • The outsourcing of key functions may be limited or prohibited;
  • The regulated entity remains responsible and liable for the outsourced services, and must ensure that the party to which services are outsourced is aware of and complies with applicable regulatory laws and regulations; and
  • The outsourcing cannot negatively impact the regulator's ability to supervise the regulated entity.

Another development in this field worth mentioning is the growing use of ‘white labelling' structures. White labelling is becoming increasingly common in the financial regulatory sector, where, for example, a regulated alternative financing platform or even a regulated exchange and multilateral trading facility (such as nxchange) is offered to be used by third parties under the full responsibility of the regulated holder of the licence or regulatory approval.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

Fintech companies use the Internet mainly as a channel through which innovative new financial services and/or products can be offered to their clients. In addition to IP laws, the legal framework for platform-driven business models enabled by the Internet focuses on consumer protection and privacy. Use of the Internet triggers the application of an additional set of e-commerce rules. Depending on the types of services or products offered, e-commerce platforms can be subject to financial regulatory laws (eg, the second Payment Services Directive). E-commerce has some civil law implications to mitigate the risks involved with contracting online. Examples include:

  • the applicability of additional information requirements (eg, pre and post-contractual information obligations, language requirements and an information obligation regarding the existence of the Online Dispute Resolution Platform); and
  • specific consumer rights if contracts are concluded online without physical interference (a so-called ‘distance contract', overeenkomst op afstand), such as the right to withdraw from the contract within 14 days.

If the Internet is used to provide financial services on a cross-border basis in different EU member states, the online service generally qualifies as an ‘information society service’. Irrespective of passporting rights offered under European legislation to most regulated financial companies, the local rules in respect of information society services may be a very interesting way of entering a new market within the European Union if no such passport is available.

(b) Mobile (m-commerce)

Mobile phones are becoming more multifunctional with the introduction of new apps which allow users to pay with their mobile phones, to shop on their mobile phones and/or to view their bank statements on their mobile phones, among many other things. In general, all of these apps are accessible via a mobile phone through the use of the Internet. The mere use of the mobile phone does not alter the legal framework that applies to these services. As such, the legal framework applicable to m-commerce is comparable to that applicable to e-commerce. However, the use of a certain device, such as a mobile phone, could result in increased risk with regard to cybersecurity and data privacy, for example.

M-commerce is proving popular in the Netherlands. The Dutch Payment Association regularly publishes factsheets and figures showing continued growth in mobile payments (www.betaalvereniging.nl/actueel/feiten-cijfers/). These factsheets and figures show that nine out of ten Dutch banking customers use online banking facilities (such as an app on the mobile device or an internet banking environment on a computer or laptop), and that 98% of cashless payment transactions in the Netherlands are made electronically via a computer, laptop or mobile device (www.betaalvereniging.nl/wp-content/uploads/Infographic_Betalingsverkeer_2018.pdf).

(c) Big data (mining)

The legal framework applicable to ‘big data' depends on, among other things, the type of data involved, the parties that process such data, the way in which the data is structured and, where data is stored in a database, whether a substantial investment was made to create the database.

If a Dutch fintech company processes personal data of natural persons who are residing in the European Union, the General Data Protection Regulation (GDPR) will apply. Under the GDPR, a fintech company must be transparent about, for example, the purposes for which it will use the collected data. Personal data may be collected only for specified, explicit and legitimate purposes, and may not be further processed in a manner that is incompatible with those purposes. This is one example of the requirements under the GDPR that may hinder fintech companies. Another is the requirement to provide suitable safeguards with the aim of protecting the fundamental rights of data subjects (ie, natural persons) with regard to the processing of their data. Depending on its structure and the investment made in its creation and maintenance, a ‘big data' database may be protected by copyright (auteursrecht) or the database right (databankenrecht).

Legal issues concerning big data specifically arise in the case of issues not addressed by the existing legislation, such as the transparency requirements regarding the algorithms used to analyse big data and how to prevent discrimination within big data analysis.

(d) Cloud computing

Cloud computing services support users with their core business. Examples of cloud computing services are software as a service, platform as a service and infrastructure as a service.

One of the main issues relating to cloud computing is security. The Dutch Act on Security Network and Information Systems (Wet beveiliging netwerk- en informatiesystemen) applies to providers of cloud computing services that offer their services in the European Union, have their main establishment in the Netherlands and have 50 or more employees and/or generate a revenue of at least €10 million. Based on the act, a provider of cloud computing services has a duty of care and must take adequate technical and organisational measures to control identified security risks. This includes an obligation to report security incidents within the meaning of the act to the relevant supervisory authority. This reporting obligation applies in addition to any reporting obligations that may already apply based on other applicable legislation, such as the GDPR.

Another important issue is the protection of personal data. For example, cloud computing infrastructure may involve the transfer of data outside the European Union. If personal data is involved, the controller of such data must take additional measures to safeguard the protection of the data subjects.

(e) Artificial intelligence

The use of artificial intelligence (AI) and machine learning as such is not regulated in the Netherlands. However, it is attracting growing interest from the Dutch regulators. Self-learning algorithms can develop continuously based on data input, resulting in output which is generated incredibly fast. Humans cannot compete with the pace of this technology. This not only offers incredible potential, but also bears risks and raises ethical questions. Data input must still be provided through human interference, which could result in biased or incorrect output. Bad input can never become good output.

The Dutch financial regulators have published initial guidelines relating to the use of AI and self-learning algorithms in the financial sector. For example, the Netherlands Authority for the Financial Markets published guidelines on the duty of care involved in semi-automated asset management and its views on roboadvice (www.afm.nl/en/nieuws/2018/mrt/doorontwikkeling-roboadvies). The Dutch Central Bank (DNB) also recently published guidelines for the use of AI (www.dnb.nl/en/news/news-and-archive/DNBulletin2019/dnb385020.jsp). The acronym of these DNB guidelines is ‘SAFEST', which hints at their main message. The guidelines urge financial undertakings to use AI responsibly. AI applications in the financial sector should be Sound; someone must be Accountable; the outcome of AI should be Fair and Ethical; only sufficiently Skilled people should be involved in developing AI applications; and the use of AI should be Transparent and explainable. Responsible use of AI is key to prevent incidents which could have a substantial impact on financial stability.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Except for the new Fifth Anti-money Laundering Directive (2018/843) which has introduced a registration requirement for so-called ‘custodial wallet providers' and providers engaged in exchange services between virtual currencies and fiat currencies, no legal framework for distributed ledger technology (DLT), blockchain and/or cryptocurrencies exists as yet. The directive must be implemented in Dutch law by 10 January 2020. As a result, Dutch crypto exchanges and custodial wallet providers will fall under the integrity supervision of DNB. DNB has urged these ‘crypto operators' to notify it as soon as possible, to ensure timely compliance with the new law, which is still in draft form (www.dnb.nl/en/news/news-and-archive/Persberichten2019/dnb385424.jsp).

DLT can be used in many different ways and for many different purposes. The use of DLT in itself does not cause a company to fall under the scope of Dutch financial regulatory laws. However, products or services offered on the basis of DLT could fall under financial supervision. For example, the offering of security tokens or trading in securities tokens could trigger the application of Dutch securities laws and European laws such as the Prospectus Regulation and the second Markets in Financial Instruments Directive.

DLT or blockchain-based products and services present multiple potential legal implications. The existing laws do not apply neatly to innovations based on this technology. Examples include privacy-related issues such as the right to be forgotten under the GDPR, property law consequences (are tokens goods that can be pledged?) and questions regarding private international law.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Generally, four types of crowdfunding platforms can be distinguished: donation-based, (non-financial) reward-based, lending-based and equity-based platforms. All of these platforms are subject to Dutch civil laws, in particular resulting in information requirements and pre- and post-contractual obligations. Only the financial returns-based platforms (ie, crowdlending and crowdinvesting) are subject to Dutch financial regulatory laws.

Most of the crowdfunding platforms active in the Netherlands are crowdlending platforms focused on lending to small and medium-sized enterprises (SMEs). The operator of the platform is considered an intermediary in relation to repayable funds (the loan) which the SME borrower attracts through the platform. The operator of the platform must, as an intermediary, obtain dispensation from a regulatory prohibition from the Netherlands Authority for the Financial Markets (AFM) if the loans are financed by ‘the public’, including retail investors. If the borrower of the loan is a consumer rather than an SME, the operator of the platform is also required to obtain a financial services provider licence for offering consumer credit, due to its involvement in administering and managing consumer credit loans made via the platform. The AFM has published crowdfunding rules with which operators of a crowdlending platform must comply. These include a requirement to conduct investor tests for retail investors and to cap the aggregate investments that a retail investor can make in crowdlending projects via the platform (the maximum is €80,000 per retail investor).

Operators of equity-based platforms generally require a Markets in Financial Instruments Directive (MiFID) licence, as they are considered to provide brokerage and placement activities in respect of financial instruments. Issuers of securities are subject to the Prospectus Regulation. An issuer of securities to the public in the Netherlands is exempt from the obligation to publish a prospectus that is approved by the regulator if the total offering size is less than €5 million per category of security (debt versus equity), taking into account all group companies affiliated to the issuer and all offerings of securities in the European Economic Area within a period of 12 months. However, any such exempt issuers must publish and submit to the AFM an information memorandum drawn up in a prescribed format.

(b) Online lending and other forms of alternative finance

Dutch civil laws apply to online lending and other forms of alternative finance.

Direct online lending from a lender to a business borrower does not trigger the application of specific financial regulatory laws, unless there are multiple lenders which are considered to be part of ‘the public'. In that case, a business borrower could be subject to the prohibition against attracting loans from the public in the Netherlands. A lender financing at least €100,000 at once is considered to be a professional market party and not part of ‘the public'. An exception to this prohibition may also be available to business borrowers that attract repayable funds from the public by means of the issuance of securities in accordance with the securities laws (as briefly described under question 4.1). A specific exemption to this prohibition was introduced for business borrowers that attract loans from the public via a crowdlending platform that has obtained the necessary dispensation (as briefly described under question 4.1).

Direct online lending to consumer borrowers is regulated, unless the lender is also a consumer. A ‘consumer' is considered to be a natural person not acting in the course of his or her business or profession. If a consumer loan is concluded between consumers via a platform or another intermediary, this platform or intermediary is subject to a licence obligation (as briefly described under question 4.1).

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb))

The second Payment Services Directive (PSD2), as implemented in the Dutch Financial Supervision Act and the Dutch Civil Code, regulates payment services providers. PSD2 was implemented in a harmonised manner in Dutch law. However, the Dutch Central Bank (DNB) maintains a relatively narrow reading of the scope of the licence obligation, clarifying that it considers that a party pursues the business of a payment services provider only if "it provides a payment service for a payer's or payee's expense as a separately identifiable activity. This means the activity must be separate and not indissolubly linked to another activity unrelated to payment services" (www.dnb.nl/en/news/dnb-nieuwsbrieven/nieuwsbrief-betaalinstellingen/NieuwsbriefBetaalinstellingenfebruari2019/dnb382349.jsp). DNB wishes to ensure that certain entities that temporarily hold third-party funds are not considered payment services providers if this is not their core business.

In this regard, DNB has also clarified that operators of crowdlending platforms that assist (via a separate entity, for reasons relating to the segregation of assets) in the fund flows relating to loan agreements concluded via the platform are not considered payment services providers.

On the other hand, DNB has also emphasised that e-commerce platforms that facilitate payments from buyers to sellers are considered to provide payment services (https://www.toezicht.dnb.nl/en/3/51-236584.jsp). If platforms offer such services as a separately identifiable activity, they are subject to the obligation to obtain a licence unless an exemption applies.

(d) Forex

Forex trading is one of the biggest trading markets globally. Cash currency exchange services with settlement in tangible or physical delivery of one currency against the receipt of another currency can be offered only by an exchange institution (wisselinstelling) with a licence from DNB. Banks and payment services providers are exempt from this licence obligation (and can therefore offer such exchange services under their existing banking or payment service provider licence).

Most of the large forex trading market consists of forex derivatives. These derivatives (eg, currency options, currency futures, forex swaps, forex forwards and forex spot transactions) are financial instruments within the meaning of MiFID II and trading in such derivatives is subject to MiFID II and the Markets in Financial Instruments Regulation (MiFIR). As a result, among other things, a MiFID II licence obligation and product governance requirements apply to the manufacturer and distributor(s) of forex derivatives.

In April 2019 the AFM prohibited the offering of binary options and limited the possibility to offer contracts for difference to retail investors in the Netherlands (www.afm.nl/en/nieuws/2019/apr/binaire-opties-cfds-interventies). As a consequence, the forex derivatives market in the Netherlands is generally limited to professional investors only.

Although crypto currencies generally do not (yet) qualify as funds (geldmiddelen) within the meaning of the Dutch Financial Supervision Act, derivatives with crypto currencies as the underlying value will qualify as derivatives, with the result that the abovementioned regulatory implications also apply to crypto-related forex transactions.

(e) Trading

Intermediaries involved in trading in financial instruments (within the meaning of MiFID II as implemented in the Dutch Financial Supervision Act) are subject to a licence obligation as an investment firm (beleggingsonderneming). Execution-only brokers generally require a licence to offer investment services of receipt and transmission of orders in financial instruments (investment service ‘A') and the execution of orders in financial instruments on behalf of their clients (investment service ‘B').

If an intermediary is involved in the initial offering and placement of financial instruments with investors, the intermediary also requires a licence for the services of underwriter and/or placement agent (investment services ‘E' and ‘F').

Offering a digital secondary trading market generally results in the AFM taking the view that the operator/offeror of such trading venue requires a licence. This is either a licence for operating a regulated market or a licence for operating a multilateral trading facility (MTF) or an organised trading facility (OTF) (which is an investment activity and regulated under MiFID II as implemented in the Dutch Financial Supervision Act). The AFM is not in favour of bulletin boards; it therefore comes to the conclusion relatively quickly that a party offering a mere bulletin board must also have a MiFID licence for operating an MTF or OTF. The AFM takes this position even though MiFIR and the proposed EU Crowdfunding Regulation allow the option of offering a secondary market via a mere bulletin board without an MTF or OTF licence being required.

Brexit has resulted in an increase in the number of trading platforms that are licensed and located in the Netherlands.

(f) Investment and asset management

Collective investment schemes and asset management activities are governed by either the Alternative Investment Fund Managers Directive (AIFMD) or the Undertakings for Collective Investment in Transferable Securities (UCITS) Directive V, while individual and portfolio management is generally governed by MiFID II. Managers of collective investment schemes are generally required to obtain a licence for managing or marketing units in investment institutions in the Netherlands. Portfolio managers are generally required to obtain a licence as an investment firm for the investment service of individual asset management.

Collective investment institutions in the Netherlands can take the form of a company either with legal personality or without legal personality. An example of the latter is a fund for joint account (fonds voor gemene rekening, an ‘FGR'). An FGR is a special agreement between the manager, the legal owner of the assets of the FGR and the participants. If properly structured, an FGR is tax transparent, meaning that no corporate income tax is levied on the FGR.

Dutch managers of AIFs (ie, not UCITS) may opt for a light registration regime instead of a full AIFM licence. Pursuant to Dutch law, this light regime is available only for Dutch AIF managers:

  • whose aggregate assets under management remain below either:
    • €100 million; or
    • €500 million on an unleveraged basis, subject to no units being redeemable within five years upon issuance; and
  • that comply with at least one additional condition by either offering the units:
    • to professional investors only;
    • to fewer than 150 investors in total; or
    • against a value of at least €100,000 per investor.

(g) Risk management

Risk management as such is not a regulated activity pursuant to Dutch law. However, naturally, compliance and risk management are an inherent part of the business operations of each company – in particular, those companies that fall under the scope of financial regulatory laws and regulations. As a general rule, all financial undertakings must have controlled and sound business operations, and must have internal procedures and processes in place to safeguard the same and mitigate operational and compliance risks as much as possible.

The Dutch regulators distinguish four elements relevant to risk management:

  • the risk management system and the risk management function;
  • the risk management policy and the risk management strategy;
  • internal procedures and processes that implement the risk management system; and
  • monitoring, reporting and evaluation of the risk management system.

Key functions, such as compliance, internal audit and risk management, must generally be fulfilled independently; however, for regulated fintech companies that are still relatively small in size, the Dutch regulators tend to accept it if some of these key functions are combined under the responsibility of one or several persons.

Given the tech basis and the platform-driven business model of fintech companies, a shift in risk strategy and risk management may be identified. Cybersecurity risks and privacy risks are graver for fintech companies than for other ‘regular' companies.

(h) Roboadvice

In mid-2016 a draft regulation was published in which requirements were introduced for automated advice, including a requirement to appoint one skilled natural person who can be held accountable. Ultimately, however, these suggested requirements were not included in the relevant Dutch decree; it was thought that it was still too early to attempt to regulate this form of innovation. This came as no surprise, given that the European Supervisory Authorities have since reached a similar conclusion in a joint report on automation in financial advice (https://esas-joint-committee.europa.eu/Pages/News/European-Supervisory-Authorities-publish-conclusions-on-automation-in-financial-advice.aspx).

As briefly mentioned in question 3.5, roboadvice has attracted the interest of the Dutch financial regulators. The AFM published its views on roboadvice in March 2018. According to the AFM, this form of fintech can enhance the accessibility and quality of financial advice. However, irrespective of how advice is provided to a client, a duty of care still applies and the applicable laws and regulations must be complied with (www.afm.nl/en/nieuws/2018/mrt/doorontwikkeling-roboadvies). This results in a potential obligation to obtain a licence as a financial services provider for providing advice to consumers on financial products such as consumer credit, or a licence as an investment firm (MiFID II) for providing advice on financial instruments such as securities and derivatives.

Thus far, it is thought that the existing legal framework is sufficient to safeguard the security of the financial markets and to adequately protect consumers. However, this form of technical innovation does need to be monitored. In the meantime, roboadvice should follow the ‘SAFEST' guidelines of DNB (see question 3.5).

(i) Insurtech

As in other sub-sectors within the fintech industry, insurtech players are currently regulated in the same manner as the incumbents. The point of departure is technological neutrality. The main laws and regulations applicable to insurance companies in the Netherlands are laid down in the Dutch Civil Code and the Dutch Financial Supervision Act. In addition to the general distinction between life insurers and non-life insurers, a third, less common type of insurer is active in the Netherlands: funeral expenses and benefits in kind insurers. From a financial regulatory law perspective, a distinction is made between:

  • the larger insurers, which are subject to the Solvency II Directive;
  • smaller insurers and the aforementioned funeral insurers, which are governed by a local Solvency II Basic regime; and
  • the smallest insurers, which are exempt from financial regulation.

As insurance is a financial product, both offering insurance products and services and advising or intermediating in respect thereof are subject to financial regulatory laws.

The AFM and DNB recently published a report describing the 10 key focus areas when using artificial intelligence (AI) in the insurance sector, in which the technical aspects of the use of AI are considered (www.afm.nl/nl-nl/nieuws/2019/jul/verkenning-ai-verzekeringssector). In line with the European Insurance and Occupational Pensions Authority's recent report, the Dutch regulators emphasise the fact that the fast-evolving insurtech market should be monitored closely (https://eiopa.europa.eu/Publications/EIOPA%20Best%20practices%20on%20licencing%20March%202019.pdf). The regulators will pay special attention to the ethical aspects involved in insurtech solutions. The effects of AI (and other types of technology) on solidarity and insurability are important areas of focus.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

As of 25 April 2018, the European General Data Protection Regulation (Algemene Verordening Gegevensbescherming – ‘GDPR') (Regulation (EU) no. 2016/679) has replaced the Dutch Data Protection Act. The applicable data protection regime in the Netherlands now follows from the GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet AVG). All companies that process personal data within the meaning of the GDPR must comply with the requirements laid down in this European regulation. This regime has no specific implications for fintech companies; it applies to all companies that process personal data (practically every company today). Depending on the type of fintech company and the manner in which it uses personal data, additional requirements following from sector-specific legislation may apply, such as the explicit consent requirement under the second Payment Services Directive. If a fintech company makes use of big data and/or artificial intelligence, specific requirements following from the GDPR with regard to profiling apply. Examples of requirements that must be taken into account if the Dutch data protection regime applies include the following:

  • Personal data may be processed only if such processing is done lawfully, fairly and in a transparent manner in relation to the data subjects;
  • A record of processing activities must be maintained; and
  • Depending on the risk presented to the rights and freedoms of natural persons, a data protection impact assessment must be carried out prior to the actual processing of the personal data.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

The applicable cybersecurity regime in the Netherlands mainly follows from requirements included in sector-specific legislation focusing on a specific type of business or from other areas of law, such as the GDPR. For example, the GDPR requires the controller and processor of personal data to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved with the processing of the personal data. Other examples of statutory requirements relating to cybersecurity can be found in the Dutch Prudential Rules (Financial Supervision Act) Decree (Besluit prudentiële regels Wft), pursuant to which certain types of financial companies must have procedures and measures in place to ensure the integrity, continuous availability and security of automated data processing.

In 2018 the Dutch Act on Security Network and Information Systems implementing the EU Cybersecurity Directive (no. 2016/1148) entered into force. The requirements laid down in the act apply to digital service providers (eg, online marketplaces, search engines, cloud computing service providers) that have at least 50 employees and/or generate a revenue of at least €10 million and provide essential services (eg, energy, banking, financial markets infrastructure). Pursuant to the act, these companies have a duty of care and must take adequate technical and organisational measures to control identified security risks.

Which cybersecurity requirements apply to fintech companies primarily depends on the exact business model of the fintech company and the applicable regulatory regime.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

The EU Anti-money Laundering Directive was implemented in the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme). This act requires obliged entities (instellingen) to perform customer due diligence prior to entering into business relationships with customers, to monitor customer activity and to report suspicious transactions to the national financial intelligence unit (FIU). As gatekeepers of the financial markets, all regulated financial undertakings fall under the scope of this act. Interestingly, crowdlending platforms focused on business loans do not fall under the scope of this act. Upon implementation of the Fifth Anti-money Laundering Directive (expected by 10 January 2020), custodial wallet providers and crypto exchanges will also fall under the scope of the act.

The Dutch Money Laundering and Terrorist Financing (Prevention) Act adopts a risk-based approach. Each obliged entity must conduct a risk assessment and establish an anti-money laundering policy that is appropriate to the risks involved.

Money laundering and terrorist financing are both criminal acts under the Dutch Criminal Code. A person may commit a crime if he or she accepts assets where it can reasonably be expected (reasonable suspicion) that such assets resulted from a criminal act.

Five of the main banks in the Netherlands recently announced their intention to join forces in the fight against money laundering and are considering jointly launching an organisation (Transactie Monitoring Nederland) that would monitor all payment transactions of these banks.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

As a small country with a relatively limited number of incumbents, in particular banks, the Netherlands has welcomed the arrival of fintech players, as this is increasing competition in the financial sector.

In 2017 the Dutch competition authority, the Netherlands Authority for Consumers and Markets (ACM), expressed concerns about the exclusion of fintech companies from the financial markets, especially in the payment industry (www.acm.nl/en/publications/acm-study-Fintechs-payment-system-risk-foreclosure). Dutch banks enjoy a very strong position in the Netherlands. Although customers are not necessarily perfectly satisfied with the manner in which their banks provide their services, they are very loyal. The second Payment Services Directive (PSD2) is expected to transform the payments sector across Europe, including in the Netherlands. Developments such as access to the account may make the provision of services faster, more consumer friendly and less costly. However, Dutch account holders place a high level of trust in their respective banks and do not as yet have the same level of confidence in the fintech companies that are offering new PSD2 services.

While the ACM has voiced its concerns, no specific pro-competition measures have as yet been implemented at a national level. The opposite effect has resulted from recent money-laundering scandals in which some Dutch banks were involved and subsequently issued with warnings by the Dutch Central Bank. As a result of these warnings, among other things, Dutch banks generally no longer accept fintech companies that offer crypto-related services.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Protection of innovation in the fintech space is relatively difficult. Generally, innovative ideas can be protected by IP rights such as patents, design rights, trade secrets and copyright.

Software source code and the graphic interfaces of apps are generally protected by copyright by operation of law. Copyright need not be registered, although it is recommended to register an early-stage fintech innovation with the i-DEPOT of the Benelux IP Bureau (www.boip.int/en/entrepreneurs/ideas) in order to be able to evidence the ownership thereof. Design rights and trademarks can protect the name or logo of a fintech innovation, such as an app.

A more secure way to protect fintech innovations is to obtain a patent which protects the technical product or process. The functioning of an algorithm, for example, is not protected by copyright, but may be eligible for a patent under certain circumstances. A Dutch patent can be requested from Octrooicentrum Nederland, subject to compliance with the requirements laid down in the Dutch Patent Law.

It is also possible to obtain a European patent via the European Patent Office (EPO), if the innovation is novel, inventive and susceptible of industrial application. If the EPO approves the request, the applicant must register the patent in the European country in which it wishes to protect the innovative ideas.

It is expected that in the relatively near future, applicants will be able to opt for a unitary patent – a unilateral instrument that will be valid in almost all EU member states.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

The Netherlands Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB) jointly launched two initiatives in 2016 and 2017 with the aim of both facilitating fintech companies and gaining knowledge of and experience with their innovative business models: the Innovation Hub and the Regulatory Sandbox.

The Innovation Hub is intended to facilitate fintech start-ups by qualifying their proposed business model and assessing the applicability of financial regulatory laws to that business model. The Regulatory Sandbox goes a step further, allowing fintech companies (at least theoretically) to opt for more proportionate regulatory treatment and apply for a customised licence or partial licence. However, given that European legislation rather than national legislation generally determines which regulatory framework applies to fintech companies, and due to the limited discretionary powers granted to the Dutch regulators by the Dutch Ministry of Finance and the Dutch legislature (in contrast to the relatively broad mandate of the Financial Conduct Authority in the United Kingdom, for example), the Dutch regulators may experience difficulties in offering fintech companies different treatment from other financial undertakings.

In a recent evaluation report, the regulators concluded that "both initiatives are playing an important role in responding to innovation in the financial sector". They also acknowledge that maintaining an open dialogue with fintech companies is essential to promote continued innovation. To this end, DNB has launched iForum, through which it aims to share best practices in the fintech sector.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

The Dutch employment regime is relatively complicated. The general rules of the employment regime are set out in the Dutch Civil Code. Moreover, collective labour agreements can play an important role regarding matters such as minimum wages and maximum working hours.

Dutch law provides statutory safeguards for employees, such as the right to continued payment during sickness for up to two years and protection against dismissal. The unilateral dismissal of an employee generally requires the approval of the Dutch Employee Insurance Agency or the court.

Unlike regular employees, self-employed workers do not generally benefit from statutory protection. For this reason, fintech companies may choose to work with self-employed workers rather than hiring their own employees. However, the statutory safeguards cannot be avoided if a self-employed worker qualifies as a pseudo-employee.

In 2018, 12.3% of workers in the Netherlands were self-employed – an increase of 3.7% since 2008 (www.cbs.nl/nl-nl/dossier/dossier-zzp/hoofdcategorieen/is-elders-in-de-eu-het-aandeel-zzp-ers-zo-hoog-als-in-nederland-). This development has generated heated political and public discussion, resulting in the Balanced Labour Market Act, which will take effect on 1 January 2020. The act aims to reduce the differences between the costs and risks of regular employment compared to flexible employment.

The Dutch rules on prudent bonus policies and the cap on variable bonuses in the financial sector may also be relevant to fintech companies. These rules apply if the fintech company falls under the Dutch financial regulatory framework.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

The Netherlands is generally considered the perfect pan-European hub and is known for its lenient business immigration policy. Multiple immigration schemes have been developed to attract specialist talent from abroad.

Employees from the European Union need not obtain a residence permit and a working permit. Fintech employees from outside the European Union can apply for schemes such as the Dutch highly skilled migrant programme or the EU Blue Card, which combines a residence permit with a working permit. No working permit is required for the highly skilled migrant and his or her spouse.

These immigration schemes generally require an employment contract (of at least three months and one year respectively); therefore, they are not available for self-employed workers. Both schemes have a minimum salary requirement and the EU Blue Card requires a higher education degree. Moreover, the Dutch highly skilled migrant programme can only be used by employers that are recognised by the Dutch Immigration and Naturalisation Service.

Specialist talent from abroad (who have lived more than 150 kilometres from the Netherlands for at least the preceding 16 months) can also benefit from the 30% facility offered by the Dutch tax authorities. Under this facility, an employer can pay 30% of the salary of specialist talent from abroad on a tax-free basis. Given the relatively high income tax rates in the Netherlands (36.65%–51.75%, depending on income level), this facility is a welcome bonus for talent migrants.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The fintech landscape has matured in the Netherlands over the past few years. Amsterdam is the most important hub for fintech companies, followed by the technical university cities (Delft, Eindhoven and Twente), which have their own incubators.

An infographic by Holland Fintech reveals that the Netherlands is home to all sorts of fintech companies – both more traditional ones, of which Adyen is the prime example, and more specialised ones, such as Bitfury, one of the world's leading miners (https://hollandFintech.com/featured/dutch-Fintech-infographic/).

Brexit has resulted in the transfer of UK-based fintech companies to the Netherlands, and in particular to Amsterdam, attracted by its high-tech infrastructure, ease of communication, welcoming environment, historic city and canals, and longstanding financial industry (it is home to the oldest stock exchange in the world).

As regards legislative reforms, it is not expected that fintech-specific legislation will be drawn up in the near future. The existing legal framework has thus far appeared sufficient to cover fintech developments. That said, we expect that blockchain and distributed ledger technology applications, as well as the use of artificial intelligence, and the increased cyber risks involved, will receive the most attention from the Dutch legislature and regulators in the coming 12 months. To the extent that fintech solutions fall under the scope of the existing EU regulatory framework, not much is expected from Dutch policymakers: they will rather wait and see what their colleagues on a European level (such as the European Parliament, the European Commission and the Council) come up with.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

The Netherlands is a welcoming country for fintech companies. The Dutch financial regulators are known for their positive attitude towards financial innovation, and are actively promoting innovation and facilitating fintech companies through initiatives such as the Regulatory Sandbox and the Innovation Hub. Furthermore, the Netherlands has a healthy economy and a thriving international business community (especially in Amsterdam), and is home to some of the biggest fintech players that exist today (eg, Adyen).

On the other hand, the Dutch regulators have a reputation to protect and are not known to be the easiest or quickest regulators in the European Union. The regulatory framework will therefore remain a challenge for many fintech companies.

The Dutch minister of finance recently announced that quantitative and qualitative research on the Dutch fintech sector will be conducted by a third party, which will serve as the basis for more concrete measures to facilitate and promote fintech in the Netherlands (www.rijksoverheid.nl/documenten/kamerstukken/2019/04/09/kamerbrief-innovatie-in-de-financiele-sector).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.