Contributed By DORDA
Austria has a vibrant and diverse Fintech start-up scene located in its capital, Vienna. It is not the largest market in the German-speaking region by transaction value (No 1 is still Berlin), but Vienna is among the top three. Some of the most successful Austrian Fintech companies include Wikifolio, Conda, Finnest, BlueCode and Kwallet, which are nationally and internationally acclaimed.
A large number of Austrian Fintech companies provide payment or investment services. The German-speaking Fintech market (including Germany and Switzerland) is reported to account for a total transaction value of about EUR100 billion and is expected to reach EUR200 billion in 2020.
The Austrian Fintech market is divided between young start-ups introducing innovative concepts and ideas and moving fast to gain market share, and established participants – mostly licensed credit institutions, investment firms and payment service providers – trying to expand their business to the online world.
Instead of displacing traditional financial service providers, new Fintech companies have regularly chosen to co-operate with established market participants. There are some sectors practically dominated by Fintech companies, but for the most part, traditional institutions still have their important place at the core of the financial system in Austria.
There have been several occasions on which Fintech start-ups have partnered with traditional financial institutions. Types of partnerships include knowledge transfer, joint ventures, acquisition and outsourcing.
In the recent past, different nationally and internationally recognised Fintech companies have started their business in Austria. The Austrian Financial Markets Authority (Finanzmarktaufsichtsbehörde, or FMA) tries to demonstrate an open and friendly approach vis-à-vis Fintech companies by publishing questions and answers addressed specifically to market participants eager to explore the online world and by establishing a designated Fintech Point of Contact to handle in a better and more efficient fashion any questions that Fintech companies might have.
Additionally, Austrian law generally does not impose special hardships with regard to foreign investments, in particular when the foreign enterprise comes from a member state of the EU or the European Economic Area. Financial market regulation is to a large extent predetermined by EU law, so there are no specific Austrian regulations that would materially affect Fintech companies from a regulatory perspective. Summarising, with mainly the same regulatory background as elsewhere in Europe, Austria – and in particular Vienna – can be characterised as open and friendly to Fintech companies, Fintech innovation and Fintech investment.
Historically, because of its location, Vienna has always been the gateway to the CEE region, which is why Austria is recognised as a leading hub for doing business in Eastern and South-East Europe. A high number of foreign businesses have set up their Eastern European headquarters in Vienna, which is – although a Western European capital – located farther east than Prague. Because of its close ties to companies in Eastern Europe, Vienna-based Fintech companies profit from the legal certainty, investor-friendly tax system and flexible company law that the Austrian legal regime provides, while having access to the up-and-coming CEE region.
Recently, legislation has entered into force that supports innovation in the Fintech area, specifically crowdfunding enterprises (see below).
Regulatory and other legal requirements, in particular civil law requirements, for Fintech companies mainly depend on the kind of enterprise (in essence, determining which regulatory regime applies) and customers (determining whether civil law consumer protection provisions apply additionally).
Enterprises in connection with payments may be subject to the Austrian Payment Services Act (Zahlungsdienstegesetz, or ZaDiG). The Austrian Payment Services Act is based on Payment Services Directive I of the EU (Directive 2007/64/EC) and covers all types of electronic and non-cash payments by payment service providers. Payment types include credit transfers, direct debits, card payments and mobile and online payments.
Additionally, the issuance and administration of payment instruments such as credit cards, bank cheques and traveller's cheques may be qualified as banking transactions and thus be subject to the Austrian Banking Act (Bankwesengesetz, or BWG) and require a licence as a credit institution. The issuance of electronic cash may also be subject to the Austrian Electronic Money Act ("E-Geldgesetz 2010"), which is based on the Electronic Money Directive of the EU (Directive 2009/110/EC).
According to the FMA's guidelines, purely technical solutions in connection with payments are not necessarily subject to any regulatory requirements. However, this may change with the upcoming Payment Services Directive II (Directive (EU) 2015/2366) and already, according to current legislation, certain payment platforms or payment service platforms may have to meet selected regulatory requirements.
Lending and Crowdfunding
Enterprises that are active in the field of lending and crowdfunding may be subject to very different regulatory regimes, depending on the kind of investments and the type of activity.
A Fintech company providing an online platform setting up potential borrowers with potential lenders (peer-to-peer lending) would be considered to engage in the brokerage of loans and thus require a banking licence according to the BWG, in particular for commercial loans, or a trade licence according to the Austrian Trade Act (Gewerbeordnung, or GewO), in particular for consumer loans. Depending on the business model, the FMA explicitly warns that such platform providers run into the risk of providing commercial lending business themselves and thus may by their activity trigger a banking licence requirement. Credit business is generally reserved to credit institutions, so the online platform provider would potentially also enable users to engage in illicit (ie, unlicensed) commercial lending activities. Thus, the FMA concludes that peer-to-peer lending platforms are difficult to implement in Austria. Nonetheless, there are a couple of established peer-to-peer lending providers in Austria. Generally, there should be no specific legal reason why such an enterprise cannot be conducted in Austria when set up properly.
If the Fintech company not only provides the platform but grants loans, it has to be a licensed credit institution. Additionally, when granting loans to consumers, it has to observe extended obligations (in particular regarding customer information), most notably according to the Austrian Consumer Loan Act (Verbraucherkreditgesetz, or VKrG) which is based on the Consumer Loan Directive of the EU (Directive 2008/48/EC).
Crowdfunding platforms are confronted with a wholly different set of rules. A major question in determining the regulatory requirements for crowdfunding platforms is whether the invested funds are considered deposits and thus whether acceptance of the funds is considered deposit business (which is a banking activity exclusively reserved to credit institutions), in which case a banking licence would be required by the person collecting the deposits, which may or may not be the platform provider itself, depending on the business model. Thus, investments need to be structured as equity or equity-like instruments. Practically, investments are commonly structured as (qualified) subordinated loans that, while relatively easy to structure, do not qualify as deposits and thus regularly avoid triggering licensing requirements under the BWG. However, other licensing requirements – for example, according to the GewO – may still apply.
Another issue central to crowdfunding projects is the question of a potential prospectus requirement. Generally, a public offering would trigger prospectus requirements according to the Austrian Capital Markets Act (Kapitalmarktgesetz, or KMG), which is based on the Prospectus Directive of the EU (Directive 2010/73/EU). Less strict requirements may, however, apply depending on the individual offer. In particular, if (i) the nominal value is less than EUR1.5 million, (ii) the issuer is a small or medium-sized enterprise and (iii) the customer only invests up to EUR5,000, depending on the individual case, the Austrian Alternative Financing Act (Alternativfinanzierungsgesetz, or AltFG) may apply instead of the KMG. The AltFG was designed specifically with crowdfunding platforms in mind and instead of the issuance of a prospectus, only requires the issuance of an information document that is far less detailed. If the nominal value is higher, but less than EUR5 million, a simplified prospectus could be required instead of a fully fledged one.
Depending on the kind of investment, the Alternative Investment Fund Managers Act (Alternative Investmentfonds Manager-Gesetz, or AIFMG), which is based on the Alternative Investment Fund Managers Directive of the EU (Directive 2011/61/EU), may apply in addition. In this case, the platform provider would potentially have to be licensed according to the Austrian Securities Supervision Act (Wertpapieraufsichtsgesetz, or WAG 2007), which is based on the Markets in Financial Instruments Directive of the EU (MiFID, Directive 2004/39/EC), in particular if the activity qualifies as reception and transmission of orders in relation to the AIF.
Generally, besides the licences according to regulatory law or according to the GewO, the platform providers brokering between issuers and investors will have to observe the additional disclosure requirements according to the AltFG. Those mostly concern additional information on the platform.
Austrian law does not specifically regulate the digital currency of Bitcoin. There are no laws or court decisions available that restrict the trading, selling or buying of Bitcoin. Unlike the German regulator, the Austrian Financial Market Authority does not deem Bitcoin to be a financial instrument and thus banking licence requirements will usually not be triggered when commercially dealing with Bitcoin. Because Bitcoins do not have a 'traditional' central issuer, the Austrian Electronic Money Act will also not apply. Therefore, commercial trading with Bitcoin does not regularly fall under any specific regulatory regime according to Austrian law at the moment. While the Austrian Financial Market Authority cautions consumers when getting involved with Bitcoin trading, the regulator agrees that currently there are generally no licensing requirements that apply. This may change soon on a European level, which would also affect the legal situation in Austria.
Trading and Investment
Enterprises in connection with trading and investments will regularly be subject to the BWG and the WAG 2007. While trading in financial instruments (for someone's own account or the account of customers) will require a banking licence under the BWG, the WAG 2007 particularly sets forth that (i) the commercial provision of investment advice in relation to financial instruments, (ii) portfolio management, (iii) reception and transmission of orders in relation to financial instruments, and (iv) the operation of a multilateral trading facility require a licence as an investment firm or as an investment services provider.
According to the FMA, regulatory requirements apply regardless of whether a human or a machine (computer system, robot) does the trading and/or investing. Thus, just as when the customer is provided certain services by humans, the same requirements will apply for robo-advisory, robo-trading, automated portfolio management or other, to at least some degree, automated services.
Enterprises that offer contract insurance will be subject to the Austrian Insurance Supervision Act (Versicherungsaufsichtsgesetz 2016, or VAG 2016), which is based on the Insurance and Reinsurance Directive of the EU (Solvency II, Directive 2009/138/EC). They will require a licence as an insurance undertaking. Enterprises solely brokering insurance contracts will generally only require a licence as an insurance broker pursuant to the Austrian Trade Act. It does not make a difference if such services are provided offline or online with the assistance of Fintech.
Anti-money Laundering and Terrorist Financing Provisions
Under all the abovementioned regulatory regimes, Fintech companies (just as with any other regulated companies) have to observe strict rules preventing the usage of the financial system for the purposes of money laundering and terrorist financing. The provisions are set forth in the Austrian Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldwäschegesetz, or FM-GwG), which is based on the Anti-Money Laundering Directive of the EU (Directive (EU) 2015/849). Depending on their specific licence, Fintech companies may have to observe due diligence obligations to a varying degree.
The new FM-GwG, which has only been in force since the beginning of 2017, helps to provide services online because now customer identification (that is required for anti-money laundering purposes) is possible online by using the camera of the customer's computer or mobile devices. So far, the requirement to identify customers in person or through sending passport copies or other documents by registered mail has been a considerable obstacle to services provided online and thus to Fintech enterprises.
Consumer Protection Provisions
Besides the regulatory regimes described above, laws specifically designed to facilitate consumer protection may apply, in particular according to the Austrian Consumer Protection Act (Konsumentenschutzgesetz, or KSchG) as well as the Austrian Distance Selling Act (Fern- und Auswärtsgeschäfte-Gesetz, or FAGG). Those provisions (mainly based on EU legislation) try to ensure that consumers are informed in a transparent way and not subject to unusual or unfair provisions. The Austrian courts are quite reluctant in interpreting this general transparency principle. Thus, it is especially relevant to ensure that all contractual clauses are properly drafted.
Further Austrian consumer protection laws for the financial services sector are mainly modelled after EU legislation, like the VKrG, and should not deviate too far from the legal situation in other member states of the EU.
Fintech companies – like any other companies active in the financial services sector – will have to be especially careful to provide full disclosure about the risks and fallbacks involved in the products and services they are selling. They will also have to give the consumer the possibility to make a rational decision based on a full set of facts.
Additionally, for services provided online, specific information duties and rights of customers to withdraw from contracts entered into online apply. According to the Austrian Distance Financial Services Act (Fern-Finanzdienstleistungs-Gesetz, or FernFinG), which is based on the Long Distance Marketing of Consumer Financial Services Directive of the EU (Directive 2002/65/EC), the consumer has to be provided with specific information on the company and financial service before the conclusion of the contract. After receiving the statutory information, the consumer then basically has 14 days to withdraw from the contract (subject to the individual contract).
Although these regulations are based on European law, there are some deviations regarding the underlying non-harmonised consumer protection law and best business practice. This is particularly true with regard to Germany. In combination with the quite active Consumer Protection Associations, it is thus advisable to have the business model and terms checked prior to a market entry to Austria.
If Fintech companies process personal data, they are subject to the Austrian Data Protection Act (Datenschutzgesetz 2000, or DSG). Although the Austrian privacy provisions are based on EU legislation, severe deviations are admissible owing to the lack of full harmonisation under the still applicable regime. Unlike most other EU data protection laws, the DSG (i) also protects the personal data of legal entities, (ii) provides a general duty to notify all data processing with the Data Protection Authority and (iii) often requires a pre-approval by the Authority for international data transfers to recipients outside the EU. Further, the Austrian Data Protection Authority is known for its strict approach so proceedings tend to be lengthy.
As of May 2018, the Austrian data protection regime will be subject to huge changes based on the EU General Data Protection Regulation (GDPR). Data protection in Austria will be less formalistic because there will be no general notification and approval duty. However, companies will have to ensure data protection compliance without the approval of the Authority so a proper data protection self-assessment will be an essential basis to avoid dramatically increased penalties.
As pointed out above, under Austrian law, a Fintech company does not necessarily have to be supervised by a regulatory authority. In the case that only technical services are provided that do not qualify as regulated financial services (which needs to be evaluated on a case-by-case basis), regularly only a trade licence under the GewO will be required. This does not result in ongoing supervision as in the case of financial services.
If regulated at all, a Fintech company will most likely be supervised by the FMA, regardless of whether the Fintech company is considered a credit institution, a payment service provider, an investment firm, (alternative) asset manager or an issuer of some kind, although certain large Austrian credit institutions are supervised by the European Central Bank (ECB) instead.
The exact rights and powers of the FMA vis-à-vis the regulated entity depend on the applicable regulatory regime and thus on the type of business. Generally, the regulator would have the right to demand certain kinds of information and documents, and make on-site visits (in the case of banks supported by the Austrian National Bank, Oesterreichische Nationalbank, or OeNB). In the case of a (suspected) breach of law, the regulator also can question employees and other witnesses, order a remedy of the (suspected) breach, stop the business altogether temporarily or permanently by withdrawing the licence or impose fines on the legal entity and the natural persons operating it. However, these provisions are not specific for Fintech companies.
If a Fintech company is not licensed and the FMA suspects that a licence would be necessary, it is also required to investigate.
The capital and liquidity requirements depend on the form of legal entity and type of business but are not different for Fintech companies. Requirements are streamlined throughout the EU. From a regulatory perspective, capital and liquidity requirements for credit institutions are the strictest and are to a large degree determined according to the Capital Requirements Regulation of the European Union (CRR, Regulation (EU) 575/2013).
Investment firms under the WAG shall have a starting capital of EUR50,000 (alternatively EUR125,000 if they provide portfolio management or EUR730,000 if they operate a Multilateral Trading Facility). The capital required will usually be higher depending on the scope of business.
Payment service providers under the Austrian Payment Services Act shall have a core capital ratio of EUR20,000 to EUR125,000 depending on their type of business. Other restrictions and requirements may apply depending on the individual case and, again, the capital required will usually be higher depending on the scope of business.
The FMA did not establish any regulatory 'neutral zones' ('sandbox environment') for Fintech companies. There also is no legal basis for such a different treatment.
However, the FMA did establish a dedicated Fintech Point of Contact, which can be reached through the online Fintech contact form. There, the regulator can be asked legal questions about (potential) Fintech models in advance. The contact form is specifically intended for persons that do not hold any licences yet, but may also be used by licensed Fintech companies. According to the regulator, it shall give Fintech companies feedback regarding supervisory law in relation to their specific intention. This is also why the regulator asks to be provided with information on the business model, including all involved co-operation partners, and the relevant documentation together with the enquiry. 'Anonymous' or 'abstract' legal enquiries will usually not be answered, which bears the risk that in a worst-case scenario, the regulator in its answer takes a strict approach, thus making changes to the business model necessary (or even making it unfeasible) before the Fintech company has started operating.
Based on the relevant EU directives, no specific rules for Fintech companies apply. If the Fintech company qualifies as a credit institution, an insurance undertaking, an investment firm or a payment services provider, regulatory change of control approval requirements will apply. In this case, anyone who intends to acquire a qualifying holding (thresholds basically are 10%, 20%, 30% and 50%) in such an enterprise in Austria, or wishes to increase an existing holding above the thresholds, shall notify the FMA in advance of this intention and the same applies for sales below the threshold. The FMA, where applicable together with the ECB, will then assess the acquisition. This requirement will be triggered for direct and indirect holdings alike.
While ownership control regarding qualifying holdings in the finance and insurance sector is in principle based on an EU-wide framework, special approvals may additionally apply only in Austria. For example, any merger or amalgamation of credit institutions or a spin-off, where at least one of the involved credit institutions is licensed under the BWG, is subject to the (potentially additional) regulator's approval.
Austrian regulatory law is largely based on an EU-wide framework and any new developments will thus usually be triggered by new EU legislation. However, without an EU prototype in 2015, the AltFG entered into force. It can be argued that the Act is targeted specifically at Fintech companies providing crowdfunding and peer-to-peer lending platforms. In particular, in case of public offers and depending on certain thresholds, the new legislation may help to avoid the strict prospectus requirements pursuant to the Austrian Capital Markets Act in favour of the requirement to issue only an information document, generally for a nominal value below EUR1.5 million. For a nominal value less than EUR5 million, generally only a simplified prospectus would be required. First reactions from the market were generally positive.
As mentioned above, since the beginning of 2017 the FM-GwG has facilitated the online identification of customers for anti-money laundering purposes, which opened a new field of activity for Fintech companies specialising in such online identification services.
As in other member states of the EU, critics in Austria argue that the banking and financial industry sector generally is highly over-regulated, leading to a standstill of innovation and general entrepreneurship. However, this is not specific for Fintech companies, while Fintech companies that specialise in assisting financial services providers in dealing with regulatory requirements by making use of innovative technical solutions even profit from the regulatory framework.
There are no specific regulatory impediments. Generally, the licence of regulated entities – in particular banks – usually would also cover the activities of Fintech companies. However, some licensed entities are limited to conducting only the licensed activities. Further, if a licensed entity conducts Fintech business that would not require a licence, the general regulatory requirements applicable to such institutions (eg, risk management) will also apply to such activities.
The regulatory regime, with a few exceptions, applies to Fintech companies (as well as any other company) providing services to consumers and business customers. However, certain regulatory provisions only apply to business with consumers (see the outline on the applicable regulatory provisions above); for instance, provisions for payment services provide some additional obligations towards consumers. Also, in credit business, specific provisions for consumers apply (the VKrG mentioned above). The WAG 2007 distinguishes – in line with the definition under MiFID – between professional clients and retail clients.
Besides regulatory law, when dealing with consumers, additional consumer protection laws will have to be observed. Small businesses will regularly not be treated as consumers.
Specifically with regard to Fintech companies, in the past couple of months the FMA – as mentioned above – has put forth information on its website, including a Q&A section, which is also available in English. It has also established a dedicated Fintech Point of Contact that may be contacted through a Fintech contact form available on the FMA website. According to the regulator, the Fintech Point of Contact was received very favourably by the market and has led to a number of informal meetings with market participants, in which experts from various areas of competence have been available to answer questions.
Under current legislation, Fintech companies focusing only on the technical side of payment services (eg, by just providing software or technical support) may generally not be required to get a licence for financial services (however, a trade licence, which is far easier to obtain and maintain, usually will be required).
This is also confirmed by the FMA regarding payment services. It states that purely technical services are not covered by the Austrian Payment Services Act as long as the entity does not come into possession of the funds to be transferred, which means that the funds should not pass through the accounts of the Fintech company. However, this will potentially change with the introduction of Payment Services Directive II (Directive (EU) 2015/2366). The directive is planned to be transposed into national Austrian law and enter into force in 2018.
Foreign Fintech companies from member states of the EU or the European Economic Area will generally be treated the same as Austrian companies. For such companies, under the various applicable EU directives in the financial sector (eg, for banking, insurance, investment and payment services), so-called EU passports are available to provide the services that are covered by the licence they obtained in their home member state. This requires a notification to the FMA through the regulator in their home member state.
However, certain additional restrictions may apply. For example, the acquisition of, or participation in, a company with its seat in Austria and working in a field relating to public security and order – including, for example, the telecommunications sector – may require an approval by the Federal Minister of Science, Research and Economy.
The Austrian Financial Markets Authority does not focus on regulatory enforcement vis-à-vis Fintech companies any more than on enforcement vis-à-vis other enterprises. As a rule of thumb, the regulator does not intentionally distinguish between Fintech companies and non-Fintech companies but is simply determined to play an active part in Austria's financial system and to take swift measures once it suspects a breach of law, whether online or offline.
The Austrian Financial Markets Authority is obliged to investigate when it suspects that an entity that should be licensed operates without a licence, which is also true for banking activities. The Austrian Financial Market Authority has regularly fined natural and legal persons for providing banking or other financial services without being a licensed credit institution, or lacking any other form of necessary regulatory licence.
Traditionally, start-ups mostly set up their vehicle as a limited liability company (Gesellschaft mit beschränkter Haftung, or GmbH). This legal form essentially combines a limitation of liability for shareholders with tight control over business activities, in particular by way of binding instructions to the management. So-called preferential limited liability companies may start with EUR10,000 minimum share capital, of which EUR5,000 must be paid in full before registration.
Licensed credit institutions are usually established as stock corporations (Aktiengesellschaft, or AG), although alternatives are possible.
Stock corporations are usually considered less flexible than limited liability companies – among other things, a supervisory board is required – and the shareholders have less control over the business.
However, if a Fintech company wants to be listed on a stock exchange, it needs to be a stock corporation (AG), while the conversion from a limited liability company (GmbH) to an AG is possible, once the need arises.
Recently the legislator has introduced the so-called preferential limited liability company specifically designed for start-ups, which sets the starting minimum share capital at EUR10,000 (of which EUR5,000 must be paid in full before registration) instead of the usual EUR35,000.
Austrian law provides a wide range of opportunities to deal with the authorities over the internet, often resulting in less bureaucratic effort and faster response times. From submissions to the land and companies registers, over selected administrative tasks to the usage of a dedicated electronic signature pursuant to the Austrian Electronic Signatures Act (Signaturgesetz, or SigG) as a substitute for 'wet' signatures, in a variety of areas citizens or their advisers (such as lawyers) can deal with authorities online, including in particular courts and governmental agencies.
Further, the already described changes in data protection provisions (the EU General Data Protection Regulation) will have huge impacts on various businesses. The resulting new challenges and obligations should be addressed in due time before May 2018.
Fintech companies are not granted special access to real-time gross settlement systems, such as access to the systems of the Austrian stock exchange. However, if the Fintech company is a regulated entity and an eligible market participant – for example, a licensed credit institution – it may access such systems just as any other licensed entity could.
There are no insolvency regimes that apply specifically to Fintech companies. However, if the company is licensed as a credit institution, it will be subject to the Austrian Banking Recovery and Resolution Act (Sanierungs- und Abwicklungsgesetz, or BaSAG), which is based on the Banking Recovery and Resolution Directive of the EU (BRRD, Directive 2014/59/EU). Furthermore, special provisions may apply for credit institutions operating within the framework of clearing or settlement arrangements.
Austrian law demands different types of consent declarations for different types of transactions. While certain transactions – for example, the acquisition of property – may need to be notarised, most transactions will only require a signature or some other visible sign of consent. Depending on the legal regime and in particular on the purpose of the signature requirement, in most cases the submission of a fax or a scan of the signed page to the other party should be sufficient. Usually, electronic signatures pursuant to the Austrian Electronic Signatures Act are treated as equivalent to 'wet' signatures.
For the purpose of applicable anti-money laundering and terrorism financing provisions, the identity of a customer may potentially be proven by presentation in a video-based electronic procedure by way of online identification or by relying on a qualified electronic signature (see above).
The Austrian DSG sets forth a list of requirements for data controllers with respect to technical and organisational measures necessary for securing personal data against unauthorised access, accidental or unlawful destruction, manipulation, disclosure, transfer and other unlawful processing. Further, every data controller has to comply with data confidentiality as well as ensure that its personnel processing personal data are bound by respective confidentiality duties. The DSG does not expressly specify which data security measures have to be taken but requires that the measures reflect the level of technological possibilities and economic feasibility. Thus, good industry practices have become very important in determining the required data security actions that are taken into account when assessing whether there is a breach of the DPA or internal control systems. The latter is relevant for courts in examining a potential liability of the persons responsible for such breach, eg, managing directors. Thus, there is usually no liability due to a lack of data security if good industry practices are complied with.
In addition, according to Section 24 Paragraph 2a of the DSG, the data controller is obligated to inform the concerned data subjects immediately and in an appropriate manner if the controller learns that data from its data application has been systematically and seriously misused, and data subjects may suffer damages. This data breach notification duty does not exist if it would require an inappropriate effort, taking into consideration that only minor damage to the data subjects is likely, as well as the cost of informing all persons concerned. However, telecommunication operators are additionally obliged to inform the Austrian Data Protection Authority directly in case of a breach (Section 95a Telecommunications Act – Telekommunikationsgesetz, or TKG). The new EU General Data Protection Regulation will significantly change regulation on this matter and introduce an obligation to report data breaches to the Data Protection Authority. Besides, the Austrian Criminal Act provides for several specific cybercrime offences (destruction of data, hacking, distributed denial of service attacks, etc).
There is no knowledge of any recent significant data privacy breaches or cybersecurity attacks involving Fintech companies.
As regards data security, Austrian law and the GDPR do not explicitly provide for any specific requirements. Instead, most data security measures result from best practices and industry standards (eg, International Organization for Standardization standards). As regards encryption systems, the required level of security will highly depend on the processed categories of personal data as well as potential risks involved for data subjects, which have to be assessed on a case-by-case basis.
As regards public key infrastructures, the first draft of the Austrian implementation act of EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems is still awaited.
The DSG does not provide for any specific provisions on biometric data. However, on a case-by-case basis, biometric data might be qualified as sensitive data ("personal data relating to data subjects' health"). The GDPR, however, clearly qualifies biometric data as a "special category of data" and provides for stricter rules for its processing.
Austrian intellectual property law is to a large extent harmonised due to EU directives and international treaties. The most important categories for Fintech companies are:
These rights can be enforced through competent courts, which may also grant preliminary injunctions upon application. Further, the Fintech company may start criminal proceedings against any infringer (a private prosecution, so no public prosecutor will intervene). If none of these regimes applies, the UWG may afford subsidiary protection if an act can also be qualified as "unfair" within the meaning of the statute. Courts are, however, reluctant to rely on this fallback option.
Under Austrian law, trade secrets are protected under the UWG, which qualifies breaches against the protection of trade secrets as criminal offences that may be prosecuted by the owner of the trade secrets. The UWG also grants claims for an injunction and damages. The rules governing trade secret protection are rather superficial; the statute essentially prohibits the breach of trade secrets by employees and any violations by third parties that include a breach of applicable laws or immoral acts.
In legal practice, trade secret protection is not a prominent area, with sparse case law, despite the vague statutory provisions. This regime may gain importance after the coming into force of the new rules under the EU Trade Secrets Directive, which has to be implemented by 9 June 2018, and due to the fact that the Austrian government might decide to waive the additional protection of data of legal entities under the data protection regime and have it covered by the implementation act of the EU Trade Secrets Directive. So far, no proposal for the Austrian implementation act has been published by the legislator.
Under Austrian law, software is protected under the CA. Thus, any reproduction of the code without permission is invalid and may give the Fintech company claims for, inter alia, an injunction and damages. Copyright protection applies automatically upon creation of the relevant work. Further, the copyright to software created by employees is automatically assigned to the employer according to Section 40b CA. In practice it is, however, regularly disputed whether such software was created in the course of the employment or outside.
Software, as such, is not subject to protection under the PA or UMA, but protection may be afforded if the computer program applies technical measures to achieve a technical purpose.
The Fintech company may further register its trade name as a trademark or acquire rights for non-registered trademarks through use.
The most basic but also most efficient way to protect intellectual property and trade secrets is by establishing a thorough contractual regime with all employees, business partners and others who may get access to such information. Particularly during the early phases of the company, it should make sure that third parties sign non-disclosure agreements before any sensitive information is disclosed. Any insufficiencies in this process may allow third parties to exploit the information independently. Some mandatory provisions will apply irrespective of any contractual provisions to the contrary, such as inventor's compensation for inventions made during the course of the employment, moral rights under the CA, etc.
If more than one person develops intellectual property, all persons will jointly own it. Thus, it is of the utmost importance that the owners of the intellectual property have set up a contractual regime covering all possible scenarios that may arise (death or withdrawal of one of the partners, upgrades to software, exit scenarios, etc). Due to the freedom of contract, there are almost no restrictions on what co-owners may agree upon, subject to any mandatory provisions such as the inventor's compensation. Contracts governing the co-ownership of intellectual property rights are thus must-haves rather than nice-to-haves to avoid disputes at further stages of such projects.
Intellectual property is regularly and willingly enforced by Austrian courts. This particularly concerns copyright and trademark claims. If applicable, companies also rely on their exclusive patent rights. So far, litigation does not, to a large extent, involve Fintech companies. However, the government is pushing the Austrian start-up scene so the number of court cases will inevitably increase.
In Austria, open-source code is treated like 'regular' source code. It is particularly important that market participants engage themselves with the applicable licences and comply with them in full. Otherwise they run the risk that an injunction is imposed and damages are awarded.
The use of open-source software may also give rise to warranty issues, if the defective part of the software was caused by the open-source code.
There are no specific tax rules for Fintech companies.
Generally, Austrian resident corporations are subject to corporate income tax at a flat rate of 25% on worldwide income. A corporation is resident if it is incorporated in Austria or managed and controlled in Austria.
Corporation tax is imposed on a company's profits, which consist of business/trading income, passive income and capital gains. Normal business expenses may be deducted in computing taxable income.
VAT is levied on the sale of goods and the provision of services. The standard rate is 20%. A lower rate of 13% (introduced from 1 January 2016) applies to, among others, accommodations (as from 1 May 2016) and cultural services (as from 1 May 2016); a 10% rate generally applies to foodstuffs, pharmaceuticals, agricultural products, rent for residential purposes and entertainment. Banking transactions are exempt and a zero rate applies to exports.
Usually the commercial accounts are the basis for the calculation of taxable income.
Interest on debts obtained for the acquisition of a participation is not deductible if the participation is acquired within a group of companies. Interest and royalties paid to intragroup companies that are subject to an (effective) tax rate below 10% are not deductible.
Dividends received from an Austrian resident company are tax exempt. Portfolio dividends (ie, where there is a participation of less than 10%) received from a company listed in the Parent-Subsidiary Directive of the EU (Directive 2011/96/EU), or a non-resident company comparable to an Austrian company that is resident outside the EU in a case where there is a broad exchange of information clause in a tax treaty between Austria and the non-resident's country, are exempt from corporate tax.
Dividends received from a non-resident company that do not satisfy the above criteria are tax exempt if the following criteria are met (international participation exemption): (i) the non-resident is a company comparable to an Austrian company or a company listed in the Parent-Subsidiary Directive of the EU, (ii) the parent company holds directly or indirectly at least 10% of the equity capital of the subsidiary and (iii) the minimum 10% shareholding is held continuously for at least one year.
Capital gains generally are taxed at the same rate as ordinary income. Under the international participation exemption, gains from the sale of a participation in a non-resident company are exempt unless the resident company has exercised an option to have capital gains treated as taxable income.
Losses may be carried forward indefinitely, but generally may be offset against only 75% of the profits of a year. The carry-back of losses is not permitted.
The EU/non-EU portfolio dividend exemption does not apply if the foreign company is (i) not subject to a tax comparable to the Austrian corporate income tax, (ii) subject to a tax comparable to the Austrian corporate income tax at a tax rate of less than 15% or (iii) tax exempt in its state of residence.
The international participation exemption (for dividends or capital gains) does not apply if the non-resident company generates passive income and pays tax at a rate less than 15%.
The EU/non-EU portfolio dividend exemption and the international participation exemption do not apply if the dividends are tax deductible at the level of the distributing non-resident entity.
Austrian tax law provides for an attractive tax group regime.
As described above, the legal framework for Fintech companies depends on a multitude of factors, including the type of business, the type of customer and the form of legal entity. Besides the more general requirements (such as licensing and liquidity), depending on the merits of the individual case, there may be additional rules and regulations that have to be observed and that may in some cases be exclusively found in the Austrian legal system. Thus, the following should be observed, inter alia, with regard to the typical activities of Fintech companies.
Common to all Fintech companies will be that they provide their services (potentially among other channels) online using some kind of web presence. When setting up a website, according to Austrian law, several factors have to be considered in particular: the Austrian E-Commerce Act (E-Commerce-Gesetz, or ECG), the Austrian Distance Selling Act (Fern- und Auswärtsgeschäfte-Gesetz, or FAGG) and the Austrian Media Act (Mediengesetz, or MedienG) provide a set of mandatory information and disclosure obligations for websites.
As soon as Fintech companies enter into a contractual relationship with consumers, the KSchG sets out strict provisions that are supplemented by the FAGG.
Fintech companies involved in lending business should be aware that Austrian law prohibits usury, which also applies to interest rates. When dealing with consumers (instead of entrepreneurs), stricter limits will apply and additional information and consent requirements will have to be observed by the lender, who will have to be a licensed credit institution, as mentioned above.
Austria may – at least currently and as long as there is no legislation on a European level – prove to be an exceptionally favourable market for Fintech companies involved with Bitcoins. As mentioned above, unlike the German regulator, the Austrian Financial Market Authority does not (yet) deem Bitcoins to be financial instruments and because Bitcoins do not have a 'traditional' central issuer, the Austrian Electronic Money Act will also not apply. Therefore, commercial trading with Bitcoins should generally not fall under any specific regulatory regime according to Austrian law at the moment. The Austrian Financial Market Authority concurs with this opinion on its website.