Contributed By Simont Braun
The Belgian FinTech market has been on the rise since 2015, and while the first FinTech initiatives focused on alternative financing solutions such as crowdfunding platforms, recently more and more FinTech companies are turning their attention towards payment solutions. These solutions include retail payment platforms, but an important part of the market is working on B2B payment services such as, for example, professional FX payments for small- and medium-sized enterprises (SMEs). As a result of Brexit, a few very high-profile UK payment service-providers have selected Brussels as their output to continue serving the continent. The arrival of these players adds a lot of maturity to this sector in Belgium.
Next to alternative financing solutions and payment platforms, we also see in Belgium several automated investments solutions (robo-advisers) and an important number of infrastructure and enabling technology service-providers offering RegTech, data and accounting solutions. Although Belgium counts a few local champions developing well internationally, InsurTech, blockchain and crypto initiatives remain rarer phenomena; initial coin offerings (ICOs) are not yet very common on the Belgian market, mainly due to a rather hostile attitude from the relevant regulator (see further below).
The most recent trend is the choice by international entities (outside a Brexit context) to launch their FinTech initiatives and to conquer the European continent from Belgium. Most of these projects are still in the pipeline but, if concretised, this will certainly have an important impact over the next 12 months. We feel that international investors are attracted by a professional, tech-savvy regulator, accepting licence applications in English (mainly the National Bank of Belgium), the central location of Belgium in Europe, a highly skilled and multilingual workforce and the fact that Belgium, being at the crossroads of different cultures and with a very international population, is an interesting test market for their products and services.
As indicated above, the payment vertical is dominant in the Belgian FinTech industry and populated by both incumbents and FinTech entities.
The Belgian regulator is quite extensive in its interpretation of payment services, and therefore regulated payment service institutions also include business models such as electronic invoicing platforms and invoice trading platforms. The retail client acquisition cost remains high for most entities and therefore we see an important activity on the B2B side, notably in the field of professional FX payments and acquiring services to merchants. Also on the retail side, there is a small concentration of high-profile FX payment service providers, making it safe to say that this has become a market particularity.
Finally, it is also worth mentioning that most Belgian banks have seen PSD2 as an opportunity rather than a threat. More and more major retail credit institutions have started offering account information services and it can be expected that payment initiation services will follow. The four biggest Belgian retail banks have also joined forces through the Payconiq by Bancontact application, allowing clients to perform easy peer-to-peer payments and pay with their smartphone in stores and online.
The payment vertical is obviously dominated by the Belgian transposition of the PSD2. This transposition has been very straightforward under Belgian law and does not contain any significant gold plating. An interesting fact to mention is that the Belgian relevant regulator (the National Bank of Belgium) has a very narrow interpretation of the concept of e-money, reserving it mostly for a few specific prepaid products. However, the regulator has a broad interpretation of the payment account concept and therefore does not automatically qualify all solutions which provide for wallets/accounts as e-money.
The specific approach of the Belgian regulator becomes even clearer in a Brexit context, whereby UK entities which are regulated as e-money institutions by the Financial Conduct Authority (FCA) receive a payment institutions licence by the National Bank of Belgium, allowing them to provide the same services as in the UK under an e-money licence.
Belgium only counts a handful of e-money institutions, compared to 20 payment institutions and several licence applications in the pipeline.
The Belgian regulator applies a 'same business, same risks, same rules' principle in this respect, although it will sometimes apply ‘proportionality’ if needed. Conversely, more specific FinTech-oriented local regulation – such as the Belgian crowdfunding law – also allows legacy players to offer these services. In 2018 the European Central Bank (ECB) introduced FinTech-specific rules by publishing its guide on FinTech credit institution licence applications. From this document, adapted local regulators are now allowed to have different expectations towards FinTech banks on the one hand and ordinary banks on the other hand, when it comes to their prudential requirements
In Belgium, there is no regulatory sandbox. The National Bank of Belgium and the Financial Services and Markets Authority (FSMA) have set up a unique FinTech portal allowing FinTech entrepreneurs, unaware of the difference in competences, to enter into contact with the different regulators through one entry point. Representatives of the Belgian regulators have stated in the past that this approach should be seen as a sound box (ie, nothing more than a possibility to speak with the regulator outside any concrete licence application), rather than an actual sandbox.
There are three relevant regulators in Belgium in the financial services industry at large which are relevant for FinTech companies in particular.
The National Bank of Belgium (NBB) is the competent supervisor when it comes to the prudential regime applicable on credit institutions (banks), e-money institutions, payment institutions and large stockbroker companies (next to more general central bank macro-economic responsibilities).
The Financial Services and Markets Authority (FSMA) is the competent supervisor when it comes to the prudential regime applicable on smaller investment companies, regulated credit-providers, insurance companies, crowdfunding platforms and intermediaries. The FSMA is also in charge of the oversight on the conduct of business rules on insurance and investment services (next to more general authority over public offers, listed companies and the financial markets). Although unregulated at this stage, it is also the FSMA (in its role of surveillance of the financial markets and supervision of the financial information) that closely follows evolutions such as crypto-currency and ICOs, mostly by issuing very general warnings on the dangers attached to them. They also follow up on local initiatives in this field, analysing them to make sure that they do not fall within existing regulation under their supervision (such as, for example, public offerings).
The Federal Public Service Economy (FPS Economy) has very specific powers over the conduct of business rules of regulated credits and payment services.
Regulated functions can only be outsourced to parties which are regulated for these functions. Also, non-regulated, more operational functions can be outsourced to third parties. The National Bank of Belgium has put in place a circular letter containing sound principles of outsourcing. Among these principles, we identify the mandatory process to conduct a due diligence exercise before choosing the third party providing the outsourced activities, the need for a written service level agreement, the fact that the outsourcing party always remains liable towards its own clients, the need to have an outsourcing policy in place, the obligation to make a thorough assessment of the candidate vendors and the necessity to negotiate a right to audit the institution and the regulator in the contract with the vendor.
The Belgian regulator mostly opts for a soft approach whereby it will enter into contact with unregulated entities providing services that it deems regulated. It will mostly work together with the entity concerned to make sure they either become regulated or adapt/terminate their activities. When it comes to the payment vertical, the National Bank of Belgium is known to use a high-quality and pragmatic team that is close to its industry. We are not aware of any recent significant enforcement actions in relation to the payment vertical.
With regard to privacy laws, the most important regulations are Regulation 2016/679 of 27 April 2016 (GDPR) and Directive 2002/58/EC of 12 July 2002 (ePrivacy Directive) and the provisions transposing this Directive into Belgian law. The Belgian legislator also adopted the Belgian law of 30 July 2018 on data protection, partially containing an incorporation of the generally applicable GDPR provisions as well as providing for complementary provisions. None of these privacy regulations makes a distinction between legacy players and FinTech companies as to the applicable regime. However, by their digital nature, FinTech initiatives are very often exposed to data protection issues.
Belgian anti-money laundering laws, transposing Directive 2015/849 of 20 May 2015, are applicable to FinTech companies that carry out regulated activities (such as banks, e-money institutions and payment institutions). There are no notable differences between the application of these rules on incumbents and FinTech companies.
As to cybersecurity, the transposition of Directive 2016/1148 of 6 July 2016 (the Networks and Information Security Directive) into national law is still a work in progress. Therefore, the main legislation in place with regard to cybersecurity is the (slightly outdated) law of 28 November 2000 on computer-related crime and the international conventions of 23 November 2001 (the Budapest Convention, including its Protocol) and 25 October 2007 (the Lanzarote Convention) to which Belgium is a party. These regulations do not make a distinction between FinTech companies and legacy players. However, again, the digital environment of FinTechs goes hand in hand with increased risks of cybersecurity
Advertising, documents and any other type of communication (including verbal communication) distributed within the context of professional marketing of financial products (eg, relating to all types of savings, insurance and investment products) to retail clients on Belgian territory, is regulated by Royal Decree of 25 April 2014, regardless of the media through which these communications happen. These are subject to information requirements relating, on the one hand, to the provision of an information sheet (a concise, standardised and easily understandable document containing a number of mandatory information items for the purpose of describing the product) and, on the other hand, to the advertising of financial products (general requirements, minimum information, rules for the indication of historical returns, etc).
The general information requirements (“correct, easily understandable and in clear, concise and comprehensible terms”) apply as well to all communications, whether through social media or other media. These requirements are stricter with regard to highly regulated products and services (eg, consumer credit).
Accounting and audit firms mostly come into the picture in relation to the obligation of regulated entities to have internal and external auditors in place. They have well-aligned tasks set out in the prudential framework of each of the regulated entities and the auditors in question need to be certified by the competent regulator prior to being able to service regulated companies.
There is no general prohibition under Belgian law for financial regulated entities to provide unregulated products and services. In certain specific cases, the Belgian regulator will, however, assess the impact of these unregulated services on the regulated activity and may impose certain requirements, or even demand these services or products are offered through a separate legal entity. This is notably the case for payment institutions and e-money institutions.
Furthermore, it is to be noted that the bundling products (with at least one financial product) is a prohibited market practice in Belgium in a retail environment. Certain exemptions apply, but in general this prohibition is strictly interpreted.
In the Belgian financial sector, robo-advisers are often used for order execution, automated portfolio management services on behalf of the investors and investment advice. With regard to investment decisions and portfolio management, effects on business models are mostly due to the ability of robo-advisers to provide a transparent decision process or a discretionary management service, with the ability to offer a range of managed portfolios with different risk profiles and all of this at a low cost for the financial service provider.
Depending on the specific circumstances, the services provided through robo-advice will qualify as order execution, investment advice or portfolio management within the meaning of MiFID regulation and the Belgian transposing law of 2 August 2002 on the supervision of the financial sector and financial services. Therefore, and if these robo-advisers offer these services directly to the investors, they should be licensed by the Financial Services and Markets Authority as investment firms. All the MiFID requirements have therefore to be met by these robo-advisers.
Nevertheless, robo-advisers are also often used as pure IT technology tools (under a user licence agreement) by regulated firms legally able to provide investment services. In such case the IT tool itself does not need to be regulated – the regulatory licence of the professional user suffices.
There is no further specific influence from the asset class on the business model.
Robo-advisers have put pressure on legacy players, as it was expected to soon become a core product for a lot of investors. Therefore, we see that multiple legacy players internally manage their own robo-advisers (eg, BNP Paribas Fortis, Keytrade Bank), outsource totally or partially their investment services to a robo-adviser (which in this case has to be regulated), or enter in a licence agreement in order to use the robo-adviser as a purely technical tool.
The best execution rule of the MiFID and its transposing regulations applies equally to robo-advisers as the services provided by these are to be qualified as investment services (see above, 3.1 Requirement for Different Business Models). An issue that can arise with regard to the fulfilment of best execution by robo-advisers advising consumers and business may be the malfunctioning of the automated tool (eg, through manipulation or mistakes resulting from being too fast or too focused on some aspects). For consumers in particular, issues may arise as to the processing of (personal) information and the (mis)understanding of the advice by the consumer.
Schematically, there are four different legal regimes applicable to loans/credits in Belgium.
Mortgage Credits Offered to Consumers by Credit Institutions or Other Licensed Lenders
These credits are subject to a highly regulated regime in Book VII of the Code of Economic Law. See Article VII 64122 (rules of conduct) and VII 148–216 (prudential requirements) of the Code of Economic Law.
This legal regime sets out compulsory rules for aspects of the contractual relationship such as:
Lenders are subject to an obligation to obtain a prior validation by the FPS Economy of the model contracts that will be used.
Consumer Credits Offered to Consumers by Credit Institutions, Other Licensed Lenders or Indirect Peer-to-peer Consumer Lending Platforms
In this regime, the platform acts as the lender and not the crowd; direct P2P consumer lending platforms are not authorised in Belgium due to certain legal provisions. These credits are subject to a highly regulated regime in Book VII of the Code of Economic Law. See Article VII 123–147/38 (rules of conduct) and VII 148–216 (prudential requirements) of the Code of Economic Law.
This regime sets out compulsory rules for aspects of the contractual relationship such as:
Lenders are subject to an obligation to obtain a prior validation by the FPS Economy of the model contracts that will be used.
SME Credits Offered by Credit Institutions, Other Lenders or Licensed Crowdfunding Platforms
In this instance, technically, the lender is not the platform but the crowd. These credits are regulated either by the Law of 21 December 2013 on the financing of SMEs or, as the case may be, by the Law of 18 December 2016 on crowdfunding.
The regime applicable to SMEs is less regulated than the one applicable to consumers. Most Belgian companies, organisations and individuals who do not act for private purposes qualify as SMEs in the meaning of the law.
The Law of 21 December 2013 on the financing of SMEs notably sets out:
It must be noted that the Law of 21 December 2013 on the financing of SMEs is not applicable to loans granted through crowdfunding platforms.
However, the Law of 18 December 2016 on crowdfunding provides for specific obligations. Crowdfunding platforms must be licensed in order to operate (ie, providing online matchmaking services between companies and investors) in Belgium.
Other Loans and Credits Offered by Credit Institutions or Other Lenders to Other Enterprises than SMEs
Usually these loans/credits are not offered online.
If a credit/loan does not fall in the first three categories above, the applicable regime is very unregulated (normal contract rules apply). Only a few specific provisions (Articles 1905–1914) of the Belgian Civil Code must be taken into account.
The most important of these provisions is Article 1907 bis of the Belgian Civil Code which provides for a limitation of funding loss for loan contracts.
The underwriting processes will mainly depend on the type of credit and customer.
The common feature of all underwriting processes is that all lenders (or crowdfunding platforms) are subject to the Belgian AML Law (which transposes AMLD4).
Classical AML (anti-money laundering) obligations are therefore applicable (ie, identification and verification of the identity of the borrower/beneficial owners, risk-based assessment, ongoing surveillance, reporting of suspicious transactions). More and more market participants make use of innovative means for identification in a remote environment (eg, video-conference or other biometric data, Belgian eID (electronic identity card) or other qualified signature in the meaning of the eIDAS Regulation).
Besides the AML obligations, the online onboarding of clients must also respect the specific obligations laid down in the Economic Law Code, the Law of 21 December 2013 on the financing of SMEs and the Law of 18 December 2016 on crowdfunding.
These pieces of legislation usually impose that specific information about the lender and the credit be provided to the customer (usually on a 'durable medium'). These obligations have an important impact on the onboarding of clients, especially in a B2C context.
Lastly, it must be noted that credit contracts concluded with consumers require a written or a qualified electronic signature. This obligation also has a significant impact on the conclusion of online credits with consumers.
Certain credit providers propose a mixed process (part of the process is online but the documents are sent by mail). Nevertheless, the Belgian market experiences increased digitalisation. This is all the more so because all Belgians can easily sign electronic contracts with their Belgian eID. The signature with the eID qualifies as a qualified electronic signature under eIDAS Regulation.
The source of funds for loans will depend mainly on the nature of the lender rather than on the nature of the credit:
Syndication of online loans is not a current market practice in Belgium. This is mainly because loan syndication is reserved to the biggest borrowers. The largest financing contracts are generally not concluded online.
There is no specific regulation in this respect, only a set of market practice documentation.
That being said, the crowdfunding process presents similarities to the syndication mechanism.
In Belgium, there are two main payments systems: (i) CEC (Centre for Exchange and Clearing), a retail payment system for retail payment instruments, based on multilateral netting and settlement, and (ii) TARGET2-BE, the Belgian component of TARGET2 for real-time gross settlement. Both systems are operated by the National Bank of Belgium. These two payment systems are currently the only ones covered by the Belgian Law of 28 April 1999 which implements the Settlement Finality Directive 98/26/CE of 19 May 1998. The Belgian Government can extend the list.
Payment processors can in principle create new private payment systems which do not fall under this law.
Fund administrators do not have a legal definition as such under Belgian law. Traditional actors of the investment funds business include the management company and the depositary, which are both highly regulated.
However, traditional fund administration services such as legal services, accounting management, compliance, etc, are listed by both AIF and UCITS Belgian regulations and can only be provided subject to the compliance of several requirements.
The provision of these services is generally shared between the management company and the depositary bank. As the case may be, these services may be outsourced (often within the same group) subject to strict requirements, which can include (depending on the delegated service) the need for a licence as an investment firm or a credit institution.
We are not aware of any specific terms between fund administrators and fund advisers. Obviously, liability clauses are often a key point in the negotiations.
Under Belgian law, the depositary bank plays an important role of 'gatekeeper' and must typically control the deposited assets, ensure the shares in circulation are duly reflected in the fund’s accounts, that the net asset value is calculated and the shares transferred in accordance with the applicable regulations, etc.
In addition, both fund management companies and depositary banks are subject to AML regulations which implies a duty of identification and disclosure of suspicious activities.
There are essentially three different kind of trading platforms: regulated markets, multilateral trading facilities (MTFs), and organised trading facilities (OTFs).
MiFID II provisions pertain to trading platforms that have been implemented in Belgian law mainly through the law of 21 November 2017 on the infrastructures of markets for financial instruments (Law on Trading Platforms). The Law on Trading Platforms is divided into two sections, the first one covering regulated markets and the second being dedicated to MTFs and OTFs.
Regulated markets must obtain a licence from the Minister of Finance, assisted by the Financial Services and Markets Authority (FSMA). This agreement is subject to many prudential requirements such as the fitness and properness of the management and the shareholding, and the implementation of adequate organisation and control processes.
OTFs and MTFs can only be exploited by specific licensed entities – ie, credit institutions, brokerage firms, and market operators. In addition to the requirements applicable to their existing licence, these entities are subject to an extra layer of requirements set out in the Law on Trading Platforms. It is also worth noting that OTFs only admit transactions pertaining to bonds, structured financial instruments, emission quotas and derivatives. We are not aware of any specific OTF or MTF-based FinTech initiatives in Belgium at the moment.
Generally speaking, assets are subject to equivalent regulatory regimes.
However, the FSMA has adopted two regulations limiting and/or prohibiting the marketing of certain categories of investments
The regulation of 3 April 2014 prohibits the professional marketing of so-called 'non-conventional assets' to retail clients. Prohibited non-conventional assets include financial products, the return of which depends directly or indirectly on cryptocurrencies.
Furthermore, the regulation of 21 July 2016 also prohibits certain forms of professional marketing of derivatives on electronic trading venues. For instance, it is prohibited to award gifts to clients for transactions made on derivatives. However, these prohibitions do not apply to derivatives traded on regulated markets or MTFs exploited by market companies.
The rise of crypto-currencies has not affected the regulation on trading platforms at this stage.
However, it is worth noting that the FSMA regulation of 3 April 2014 prohibits the professional marketing of financial products, the return of which depends directly or indirectly on crypto-currencies. This regulation seriously limits the distribution schemes and structuration of crypto-assets. It also has to be noted that the FSMA regularly issues warnings concerning crypto-currencies trading platforms for which it has identified signs of fraud.
Article 30 of the Law on Trading Platforms require regulated markets to adopt clear, non-discriminating, objective and transparent listing standards. The listing standards must also allow the markets to ensure that the issues comply with EU-based information requirements (initial, periodic, and occasional information).
With respect to derivatives, these listing standards must ensure that the characteristics of the derivatives allow for an orderly rating and efficient settlement.
Regulated market rules are subject to the prior approval of the FSMA and must be published on the market operator’s website.
OTFs and MTFs are also required to adopt transparent and non-discriminating listing standards. Generally speaking, OTFs and MTFs are subject to softer requirements than regulated markets.
Market rules must allow for the efficient handling of orders.
In addition, MiFID II rules of conduct and their delegated regulations apply in Belgium.
Articles 27 quater and 28 of the law of 2 August 2002 on the supervision of the financial sector and financial services further specifies that regulated entities executing clients’ orders must ensure that these are handled quickly, fairly, and efficiently. They must also take sufficient measures to make sure the best possible result is achieved, taking into consideration the price, cost, speed, probability of the execution, the size, nature and any other relevant criteria pertaining to the order (the 'best execution' principle).
Taking into account some legal obstacles, the Belgium market is not yet mature in respect of peer-to-peer trading platforms – therefore, at this stage, no impact can truly be observed.
Article 27 MiFID has been almost literally transposed into Article 28 of the law of 2 August 2002 on the supervision of the financial sector and financial services.
Generally speaking, the Belgian legislator and regulators follow EU recommendations on the matter and has not adopted Belgian-specific recommendations. Again, since no specific FinTech initiatives exist in this field, there are no concrete elements of interest for FinTech companies to add.
We are not aware of any Belgian specificity in this matter. The FSMA has not issued any specific guidelines on the matter and it can be anticipated that it would follow ESMA’s position.
In the absence of any specific regulation, payment for order flow would be assessed in the light of the inducement requirements, which prevent regulated entities from paying or receiving benefits from third parties unless (i) it enhances the quality of the service, (ii) it does not affect the general duty of acting honestly, fairly, professionally and in the client’s best interest, and (iii) the client is adequately informed.
Regulated firms engaged in algorithmic trading should have in place adequate and effective internal controls appropriate to their business activity to ensure that trading systems cannot be used for any purpose contrary to the EU Market Abuse Regulation or a connected trading venue, to ensure that their trading systems are resilient and have sufficient capacity, are subject to appropriate trading thresholds and limits, and prevent erroneous orders from being sent or otherwise operated in such a way that they could lead or contribute to the creation of a disorderly market. Furthermore, they are expected to have effective arrangements to deal with business continuity and should ensure that their systems are fully tested and properly supervised.
The regulation does not make a distinction based on different underlying asset classes.
In general, the FSMA is wary of algorithmic and high-frequency trading entities and there is no tendency to encourage this sector from the regulator’s perspective.
There are no specific FinTech initiatives in this field in Belgium, but, in our view, entities using algorithmic trading will probably act as members of trading platforms sending orders on their own behalf or on behalf of their clients, rather than act as exchange-like platforms.
A regulated company that is engaged in algorithmic trading, as a member of/participant in one or more trading platforms when trading for its own account, should be deemed to be implementing a market-making strategy if its strategy consists, among other things, in simultaneously publishing a firm bid and offer prices of a comparable size and at competitive prices for one or more financial instruments on one or more trading platforms, with the result that the entire market is regularly and freely advertised on one or more trading platforms.
There is a prior notification duty to the FSMA and the NBB, as well as to the competent authorities of the trading venue where they engage in algorithmic trading as a member/participant of the trading venue. The FSMA may require these regulated firms engaged in algorithmic trading to provide, on a regular or ad hoc basis, sufficient information on the nature of their algorithmic trading strategies, the trading parameters or limits applicable to the systems, the main compliance and risk controls put in place and information on testing their systems, as well as accurate and timed data on all their orders placed, including cancellations of orders, orders executed and quotations on trading platforms.
Regulated firms engaged in algorithmic trading are equally subject to the MiFID best-execution rules. One of the preventive measures to be able to verify the best execution later on is the firms’ obligation to maintain accurate and timed data on all orders placed, including cancellations of orders, orders executed and quotations on trading platforms.
Up until now, only regulated companies engaged in algorithmic trading are targeted by Belgian regulation. No further rules or distinctions are made.
RTO (reception and transmission of orders related to financial instruments) always qualifies as an investment service in the meaning of MiFID II and is therefore a regulated activity reserved for investment firms or banks in Belgium.
The provision of an investment research service or a financial analysis service is considered as an ancillary service (to other investment services) in MiFID II and in Article 2, 2° of the Belgian transposition Law of 25 October 2016.
Platforms which provide ancillary services only are not subject to any registration duty, except if they also provide other investment services (Article 6, §4, of the Belgian Law of 25 October 2016 on investment firms).
Investment firms which provide investment research services or financial analysis services are subject to the 'rules of conduct' in accordance with the delegated Regulation 2017/565 (see Recital 17). In particular, they must ensure the public is at all times provided with clear, accurate, and non-misleading information.
Irrespective of the regulatory status, spreading unverified information is prohibited pursuant to the Market Abuse Regulation, and may lead to administrative or criminal sanctions.
To the best of our knowledge, there is currently no institutional platform active in Belgium allowing users to post any kind of financial content or information qualifying as investment research service or financial analysis service.
As mentioned above, the spreading of rumours and unverified information is forbidden under the Market Abuse Regulation.
Providers of investment research services or financial analysis services are not linked to the execution of a transaction, and therefore they are not subject to disclosure duties as such (Article 16.2 of the Market Abuse Regulation).
Numerous underwriting processes are available to industry participants and each comes with a different set of regulations.
Actors creating their own insurance products will most likely need a full insurance company licence from the National Bank of Belgium (NBB), which is governed by the law of 13 March 2016 on the status and control of insurance and reinsurance companies (the Law of Control).
In practice, Insurtechs most often act as distributors or business introducers. In the first instance, they need to obtain a registration as insurance intermediary with the Financial Markets and Services Authority (FSMA). The applicable regulations are mainly centralised in the law of 4 April 2014 relating to insurances (the Insurance Law).
Mere business introducers do not need any licence or registration but must carefully design their business model as they can provide only strictly limited services, thereby reducing their potential added value.
Whichever distribution and operation structure they opt for, Insurtechs will need to comply with the rules of conduct gathered in the Insurance Law as well as the circulars and recommendations issued by the NBB and the FSMA.
Furthermore, the provision of online services, as well as B2C provision of services, lead to the application of additional obligations, mostly organised by the Economic Law Code.
In addition to general common principles, each type of insurance (life, annuities, property, etc) is subject to its own set of regulation under the Insurance Law.
Industry players often tend to specialise in one or more specific markets. At the very least, they tend to focus either on life or non-life products. As a matter of fact, the Law of Control prohibits the provision of both life and non-life services to insurance companies (Article 222).
Investment and savings life insurance products are amongst the most regulated products. Their distribution leads to the application of strict diligence obligation (appropriateness and suitability tests).
What we observe on the market is that most Insurtech focus on non-life products. Our understanding is that this choice is motivated by several factors – not only regulation but also the product life cycle, since life insurance products are long-term and expensive products and consumers may find it harder to subscribe online.
RegTechs operate under existing regulations. They serve the industry players with products facilitating compliance with either prudential regulations (eg, Solvency II, Banking Law, etc) or rules of conduct (eg, MiFID II, IDD, AML). As such, RegTechs are not specifically regulated and tend to avoid the need for any specific licence.
The general principle is that regulated entities remain responsible for compliance with applicable regulations, irrespective of outsourcing. By the same token, customers will only enter into a contractual relationship with the regulated entities and will often not even be aware of the RegTech provider’s existence. In light of this responsibility, regulated entities almost always impose an audit clause in their service agreements with RegTechs. This clause allows them, as well as their regulator(s), to control or request key information from their provider. By the same token, they also tend to require the insertion of a business continuity clause. Though their scope and wording may vary, these clauses organise the steps to follow in the case where a RegTech can no longer provide its services (bankruptcy, etc). In fact, the insertion of audit and continuity clauses is considered good practice and is very strongly recommended by the regulators.
Finally, though this is more subject to the parties’ negotiations, regulated entities often try to obtain a back-to-back liability clause, allowing them to trigger the provider’s liability if they suffer any damage (including from a regulator’s or a client’s claim) due to the unsatisfactory performance of the RegTech services.
RegTechs do usually not fall within the scope of application of the Belgian AML regulations. They are therefore not subject to any disclosure duty.
Crypto-currencies, based on the underlying blockchain technology, were initially thought of as one of the biggest threats to the banking sector. Contrary to banks’ rather negative feelings towards these crypto-currencies, they considered blockchain as an opportunity to change the banking world completely, for the better. Therefore, some major banks (on a global level) are members of a global collective, the R3 platform, which researches the possibilities of blockchain technology for the financial sector and develops interbank standards for the use of blockchain. A lot of the blockchain initiatives are coming from FinTech start-ups looking for solutions in the FinTech domain. Examples are Intellect EU (financial integration and middleware solutions), Finoryx (blockchain solutions applied to capital markets) and Orillia (bitcoin ATM machines).
However, established players are also increasing their initiatives with regard to the development of blockchain projects on a Belgian level. The major banks BNP Paribas Fortis, KBC and Belfius, together with Bank Degroof Petercam, AG Insurance (belonging to Ageas) and the financial transaction houses Swift and Euroclear joined forces to create the blockchain-powered platform TrustHive to simplify customer onboarding for individuals and legal entities. Another initiative concerns We.Trade, founded by IBM and seven major banks including KBC.
Legacy players are enthusiastic about and willing to implement further other blockchain applications, developing their ideas in relation to a whole range of activities and services (from the internal administrative organisation of the bank to client onboarding processes, crowdfunding set-ups and even broader market-integration).
The NBB has stated that although the technology looks promising, actual use cases for distributed ledger technologies (of which blockchain is only one particular type) are still relatively limited in number and in scope. According to them, attention is particularly required concerning the use of distributed-ledger technology or blockchain technology, as institutions should be aware of the legal value of smart contracts or the information contained in the distributed ledger, the possible governance complications and the security or resilience threats that may exist at different nodes in the network.
The FSMA has warned several times about practices involving virtual currencies, publishing an official communication at the end of 2017; the FSMA believe that the hype concerning ICOs, virtual currencies and blockchain technology can lead to speculative behaviour with only very limited attention to the underlying project and the risks associated with it. However, particularly in relation to the underlying technology of blockchain, they have not taken a clear for-or-against position yet.
Thus far, no concrete legislative initiatives have been taken on the national level. Furthermore, neither the NBB nor the FSMA has come up with new proposals or interpretations. However, given the importance of these evolutions, the NBB has taken various steps to enter into a dialogue with both new and established players in the market. In this context, it has set up a central contact point ('FinTech single point of contact') in co-operation with the FSMA, that deals with Finech-related questions.
There are currently no regulations or other authoritative documents in place which incorporate rules on blockchain assets. The regulated financial instruments are to be found in Article 2, 1° of the Law of 2 August 2002 on the supervision of the financial sector and the financial services. We may assume that if (and in as far as) a certain blockchain asset disposes of the same characteristics as one of the financial instruments from the list of Article 2, 1° of the aforementioned law on financial supervision, this certain asset may be considered a regulated financial instrument.
In its 2017 communication on the risks of ICOs, the FSMA made the following distinction between the tokens that are created and offered via distributed ledger technology, based on their characteristics which are similar to:
As the opinions remain divided on the matter of qualification of crypto-currencies as a financial instrument, the legal doctrine seems to prefer the legal qualification as a financial instrument as regards the investment tokens, at least in as far as a right is obtained by the issuer.
Based on the aforementioned 2017 FSMA communication on ICOs, the following (unlimited) overview of possibly applicable regulations should be taken into account by issuers of ICOs.
As regards European regulations: the Prospectus Directive, Markets in Financial Instruments Directive (MiFID), Alternative Investment Fund Managers Directive (AIFMD), Market Abuse Regulation (MAR), Fourth Anti-Money Laundering Directive (AMLD4), Fifth Anti-Money Laundering Directive (AMLD5). Belgian regulations which may apply are the FSMA Regulation of 3 April 2014 on the ban on distribution of certain financial products to retail clients, the Law of 16 June 2006 on public offers of investment instruments and on the admission of investment instruments to trading on regulated markets and the Law of 18 December 2016 regulating the recognition and definition of crowdfunding and containing various provisions on finance.
This list in no way constitutes the full legal framework on blockchain assets and should be seen in light of the specific circumstances at hand. Also, the applicability of, for example, governing accounting standards, tax obligations, rules on electronic money and prudential regulations should be considered.
As the issuance, as well as the initial sale of blockchain assets, remains currently unregulated by the Belgian legislator and the FSMA, its communications and Regulations are not legally binding. This list serves as provisional guidance.
Blockchain asset-trading platforms, as well as secondary market trading in blockchain assets, currently remain unregulated.
Funds investing in blockchain technology (such as Amplify Transformational Data Sharing ETF and Reality Shares Nasdaq NextGen Economy ETF) currently remain unregulated.
Article 1, 6° of the FSMA Regulation of 3 April 2014 on the ban on distribution of certain financial products to retail clients defines virtual currency as “any kind of digital currency which is not regulated and is not a legal tender”. Blockchain assets are not defined in Belgian regulation or regulators’ instruments, though they seem to contain a broader scope of assets.
The aim of both blockchain and the GDPR consists of increasing individuals’ control over their data and securing data exchange. In practice, however, and in particular concerning blockchains of a public and permissionless nature, certain issues arise with regard to the application of the GDPR.
As one of the main advantages of a blockchain is its transparent nature and the ability to see all actions and changes that happened on the blockchain, this characteristic is inherently incompatible with the GDPR’s data processing principles of data-minimisation and storage-limitation as well as with the individual’s right to rectification and the right to be forgotten. Furthermore, the designation of one responsible data controller within a non-private blockchain system is close to impossible as either all parties to the blockchain will be determining the purpose and means of processing, or none of them.
Fewer problems on GDPR application arise in relation to private blockchains. The Belgian Data Protection Authority did not issue any publication or opinion on the coexistence of these two instruments yet. However, in the meantime, it is recommended that issues of GDPR compliance be prevented by developing or participating in private blockchains, where personal data is stored in a secured off-chain database.
PSD2 has been transposed into Belgian law by two different acts. The prudential regime is incorporated in the law of 11 March 2018, while the conduct of business rules has been inserted in the Code of Economic Law. The open banking aspect of PSD2 has, however, not yet entered into force in Belgium, since this aspect will only go live with the entry into force of the Regulated Technical Standards 2018/389 of 27 November 2017 on Strong Customer Authentication (RTS SCA), scheduled for 14 September 2019.
These RTS SCA impose the need to develop and implement technical solutions that will allow this open banking (ie, forced sharing of data by banks) to take place in a secure and controlled manner. According to the RTS SCA, this should be done by putting in place a so-called ‘dedicated interface’ (which is, in practice, an Application Programming Interface or API), although a fall-back solution (or ‘contingency mechanism’) must also be provided, whereby the third-party payment service-providers (TPPs) can access the data through the interface used for the authentication of and the communication with the bank’s payment service users. In other words: in the event that the API provided by a bank does not work properly, the TPPs could still access the data through the web-banking service this bank uses itself with its customers. This last technique is often referred to as ‘screen-scraping’ which is controversial since many banks claim this screen-scraping poses significant security risks, as it implies that their clients need to share their security credentials (log in and password) with third parties (TPPs).
However, if banks only want to provide an API and not a fall-back solution, their API should be available for testing by TPPs no later than six months before the entry into force of the RTS SCA; this means that banks should have their API ready for testing by 14 March 2019.
Most banks (in Belgium and Europe in general) will not have this API ready for testing by the 14 March, so the ultimate deadline of 14 September 2019 will be difficult to achieve. The real problem is that the RTS only impose certain requirements and finalities on the dedicated interface and the contingency matters without indicating how these results should be obtained. Although it is logical for a legislator not to impose industry standards, this could in practice, without further guidance, lead to as many different interfaces and systems as there are banks in Europe. Certain organisations – such as Open Banking in the UK and the Berlin Group on the continent – are trying to work out some sort of harmonisation throughout the sector, but do not involve all market participants. Many banks are thus left on their own and so find it difficult to implement the proper solutions.
For the processing of data within the context of open banking, it is generally agreed that the PSD2 and the GDPR are jointly applicable regulations.
According to the Belgian transposition of the PSD2, the processing and storage of personal data necessary for the provision of payment services by the payment service-provider can only take place with the explicit consent of the payment service user. It is assumed that the explicit consent under the transposition of the PSD2 is a mere contractual consent and does not have to comply with the conditions of the explicit consent under the GDPR, as this would impose considerable additional (practical and financial) responsibility on the bank. Parties to a framework agreement may agree that the explicit consent of the payment service user to the access, processing and storage of personal data – this being necessary for the provision of payment services, and falling within the scope of the framework agreement concerned – is effectively given through the consent to the execution of the payment transactions.
However, as the GDPR applies to these processing activities, the bank should always process the personal data on a legitimate basis, which is a necessity for the performance of a contract, and should at all times respect all principles of legitimate processing. Therefore, the bank should ensure that the personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (eg, through pseudonymisation or encryption of personal data).