Fintech 2021

Last Updated March 18, 2021


Law and Practice


De Brauw Blackstone Westbroek is an international law firm offering high-end legal advice in corporate transactions, disputes and regulatory enforcement. The firm acts as lead counsel and trusted adviser to its clients and brings together specialists from various practices to ensure clients receive expert legal advice. Headquartered in the Netherlands, the firm has global coverage from its offices in Amsterdam, Brussels, London, Shanghai and Singapore.

The past 12 months have been unprecedented in many aspects. The authors discuss some of those aspects that are likely to have lasting impact.


Before COVID-19, the Netherlands, together with the Nordics, was already leading in EU and global lists of digital payments. The COVID-19 pandemic has been yet another great push towards cashless payments, online banking and more digital transactions and services in general. In fact, the shift from cash to digital is so strong in the Netherlands that the Dutch Central Bank (DNB) has been researching the possibilities of Central Bank Digital Currencies (CBDC) and is now at the forefront of EU developments in this regard.


Due to Brexit, many UK fintechs that had previously relied on the EU passport regime to conduct regulated activities across Europe have now been forced to reconsider their EU strategy. As a result, we have seen a significant increase in the number of requests for assistance with EU market access. From our discussions with fintechs seeking EU market access, we understand they are attracted to the Netherlands for the following reasons:

  • the broad and developed fintech communities in Amsterdam (financial sector); Delft and Eindhoven (technical universities); Rotterdam (international trade); and access to talent;
  • the approachable and reputable supervisory agencies that are accustomed to communicating in English, both officially and otherwise;
  • the high-quality digital infrastructure; and
  • the attractive business climate, including specific tax incentives available to fintechs.

The same trend can be seen on the stock exchange. While London remains the number one stock exchange for tech companies in Europe, the Amsterdam Stock Exchange is gaining popularity and includes three of the largest European tech companies (Prosus, Adyen and Just Eat Takeaway). Furthermore, in January 2021 Amsterdam surpassed London as Europe's largest equity trading centre.


Due to the implementation of the revised EU Anti-money Laundering Directive (AMLD5), as of mid-2020, crypto service providers must register with the Dutch Central Bank (De Nederlandsche Bank; DNB). As a result, we see crypto becoming increasingly mainstream. This trend was further demonstrated during the pandemic, when various financial institutions announced they were taking positions in bitcoin to hedge market risks and, more recently, by Tesla's announcement that it had invested USD1.5 billion in BTC.

Government/Political Climate

Governing bodies devoted much time to fintech-related themes, including the digitalisation of services, artificial intelligence and blockchain. Significant government resources have been allocated towards their development, the further professionalisation of the sector, and expansion in general. For example, there are subsidies for training IT professionals, a free online course on AI has been made available, and there have been various AI trade missions.

Longer-Term Trends

An increasing number of European supervisory rules are being introduced in the form of regulations rather than directives. These regulations have a direct effect on all member states, leaving less room for national variations in interpretation. This benefits all companies operating in multiple European jurisdictions by lowering costs for local advisors and compliance.

The Netherlands has a vibrant fintech community and experiences notable success in "traditional" fintech businesses, such as payments (Adyen), (neo)banking (Bunq), and lending (New10; an ABN AMRO spinoff). It also sees a lot of activity in alternative financing, capital markets and asset management, cybersecurity, blockchain and crypto, insurtech, regtech and pensiontech.

Legacy players such as banks, insurers and pension funds have been very active in the fintech market, for example in developing blockchain-based solutions (often in collaboration with international consortia) for international trade purposes; developing proprietary solutions (robo advice, online near-instant lending); and collaborating with fintechs to develop specific improvements to their product chains.

The Dutch financial regulatory framework is rooted mostly in European legislation, causing it to be similar to the frameworks of other EU member states. Regulated activities include conducting banking or insurance (intermediary) activities and providing payment services. No distinction is made between fintech businesses and incumbents. Whether a fintech business falls within the scope of financial regulation depends on the specific activities it intends to conduct and whether those activities are regulated within the financial regulatory framework. That being said, depending on the regulated activity, exemptions and exceptions may be available for new (smaller) players.

Within the various areas covered by fintech, there are regulations covering pricing and inducements, primarily within the consumer credit and securities markets, which include investment advice.

In principle, the same regulatory framework applies to both fintech and legacy players in the Netherlands. Whether the regulatory framework applies depends on the activities of an undertaking, not on the technology used or on the status of incumbent or fintech.

The Netherlands was one of the first EU member states to have both an innovation hub and a regulatory sandbox. These initiatives are open to all innovations by all legacy and fintech firms. The idea is that regulators can support firms by focusing more on what the rules actually try to achieve, instead of on their literal text. That being said, it is understood that the regulatory sandbox has not been very popular in practice.

The DNB and the Dutch Authority for the Financial Markets (AFM) supervise authorised financial institutions in the Netherlands in tandem. While the DNB focuses primarily on an institution's financial soundness, the AFM supervises market conduct. In addition, the European Central Bank supervises all significant banks in Europe.

In the case of cross-border provision of services from an EU member state into the Netherlands, the principle of "home state control" generally applies. This means that the regulator of an institution's home state remains the institution's main regulator. A few exceptions exist — for example, in the case of investment firm branches — in which the host state regulator supervises that branch's market conduct.

Where more than one regulator has jurisdiction over an industry participant (ie, in the case of multinational banking or insurance groups), the participant's sectoral legislation (in the case of said example: the Capital Requirements Directive, Solvency II or the Financial Conglomerates Directive) stipulates which regulator is the participant's main regulator.

While non-regulated, more operational functions (such as legal, administration and HR) can be outsourced to third parties, regulated functions (such as payments) can only be outsourced to parties which are regulated for these functions.

When outsourcing, regulated institutions are themselves subject to sector-specific rules, mainly with the aim of ensuring that institutions take appropriate measures to mitigate the inherent risks of outsourcing. Furthermore, a regulated institution always remains responsible for the outsourced activities, and outsourcing may never impede the supervision of a financial institution.

The European Banking Authority published guidelines on outsourcing arrangements which the DNB fully incorporates into its supervision. The guidelines apply to credit institutions, certain investment firms, payment institutions and electronic money institutions. They also set out a number of requirements for internal governance and risk management, as well as specific requirements for the outsourcing of contracts. These requirements include that the provider to which activities are outsourced must agree to certain audit rights, to be carried out by the regulated institution and its regulators.

Under Dutch law, "gatekeeper" obligations are laid down in the Dutch Money Laundering and Terrorism Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) and in the Dutch Sanction Act (Sanctiewet 1977).

The Wwft – which implements the AMLD5 – requires specific businesses and persons to undertake measures to prevent and mitigate risks related to money laundering and terrorism financing. This includes undertaking risk-based customer due diligence before establishing a business relationship and monitoring the relationship on an ongoing basis. The Wwft also requires relevant businesses and persons to, among other activities, report unusual transactions to the Dutch Financial Intelligence Unit.

Infringement of these requirements can result in a maximum of four years’ imprisonment or fines of up to EUR83,000. The Dutch Minister of Finance may also order incremental penalties and administrative fines of a maximum of EUR5 million per infringement. 

The Dutch Sanction Act is a framework act enabling general administrative orders to be issued in compliance with treaties or international agreements on international sanctions imposed by the UN Security Council, the EU or the national governments. The Netherlands may also independently designate natural persons or legal entities and order their assets to be frozen or the provision of financial services on their behalf to be prohibited or restricted. Such orders will be included in, for example, the Sanctions Regulations on Terrorism 2007 and 2007-II (Sanctieregelingen terrorisme 2007 en 2007-II).

Once an EU regulation or a national sanctions regulation has been imposed, it must be observed by all natural persons and legal entities resident in the Netherlands. This also applies to international corporations having an establishment in the Netherlands. Violation of sanctions legislation constitutes an economic offence and is liable to criminal prosecution. Deliberate violation is punishable with up to six years of imprisonment, a fifth category fine, or a term of community service.

Dutch regulators usually follow a pragmatic and results-driven supervisory approach, requesting information from a regulated entity and informally communicating any necessary corrective actions to be taken. Only when the corrective actions are not followed, or the observed wrongdoings warrant direct enforcement, will regulators employ heavier enforcement instruments, such as incremental or fixed administrative fines. The regulators must, in principle, publish any enforcement action taken. All enforcement actions, whether significant or not, can be found on the websites of the DNB and the Dutch AFM. Enforcement actions that have received significant media attention are those undertaken against banks for infringement of their gatekeeper obligation on the basis of the Wwft and the Dutch Sanctions Act. These enforcement actions fuelled a heightened focus on compliance with these obligations, by both supervisors and companies.

The processing of personal data in the Netherlands is regulated by the General Data Protection Regulation (GDPR), which applies in all EU member states. 

In the Netherlands, the EU Network and Information Security (NIS) Directive has been implemented by the Dutch Cybersecurity Act. This act requires operators of essential services and digital service providers to notify serious cybersecurity breaches to the relevant Computer Security Response Team and competent authorities. This obligation applies to the following categories of financial institutions:

  • credit institutions;
  • trading venues (regulated markets, multilateral trading facilities or organised trading facilities);
  • central counterparty clearing institutions;
  • central security depositories; and
  • providers of settlement services.

Fintech businesses that provide services to consumers may be subject to, for example, the EU Consumer Directive (2011/83/EU), which has been implemented by the Dutch Civil Code. This Directive lays down requirements on, for example, the provision of information to consumers. Fintech businesses providing online services to consumers may also be subject to the EU Directive on Privacy and Electronic Communications (2002/58/EC). This Directive has been implemented into Dutch law and requires businesses to notify consumers and obtain their consent for the use of cookies.       

In addition to regulators, accounting and auditing firms review, to a certain extent, the activities of industry participants. This type of review mainly focuses on a participant's financial accounts and is of a different nature to the reviews carried out by regulators.       

With a few exceptions, regulated entities are allowed to offer products and services in addition to their regulated activities. However, we often see that such ancillary businesses are operated through a different legal entity than the regulated activity.

Positive Stance of Regulators

Robo advice has caught the attention of the AFM, which demonstrated a positive stance towards it. The AFM also indicated that it believes that robo advice could improve accessibility and quality of advice. Furthermore, it expects robo advice to lead to a decrease in the execution-only channel, a development it embraces.

Legal Requirements

In principle, legal requirements for advice do not distinguish between in-person advice, robo advice or hybrid variations. However, legal requirements and supervisory expectations differ depending on the financial product. Legal requirements are more stringent for financial products with a greater impact, such as mortgages, disability insurance and certain pension products.

Robo investment advice is regulated by EU Directive MiFID II. There is a ban on commissions (MiFID II gold-plating) for robo advice given to retail clients and to some professional clients, which can impact some robo-advice business models.

Financial undertakings must have procedures and measures in place to ensure the confidentiality and integrity of information, and the continuous availability and security of automated data processing.

Legislation on Quality Requirements for Automated Advice

A new bill is expected to enter into force in 2021, introducing quality requirements for fully automated advice. The bill would ensure that automated advice complies with the same requirements as advice given by a person. Requirements include:

  • For each financial product where automated advice is given, there must be at least two designated natural persons responsible for the automated system and the automated advice. These persons must have the professional competence that allows them to give advice. In practice, this comes down to possessing a diploma.
  • Before putting an automated system into operation, the undertaking must ensure that it works properly, that all elements of advice fit the information provided by the customer, and that the advice aligns with that information. Periodic reviews must be performed to determine if the automated advice is appropriate for and aligns with the information given by the consumer or client. Once the system is in operation, periodic checks must be performed to ensure that the automated system is only available to the envisaged target group, and that the professional competence requirements have been applied and are being met.
  • The automated system must collect sufficient information and the advice must also be based on that information.

Robo advice is fairly common for various types of financial products, such as car and health insurance. Robo advice is less common for financial products that have a greater impact, such as mortgages and disability insurance.

In principle, legal requirements for advice do not distinguish between in-person advice, robo advice and any hybrid variations.

Offering Consumer Credit

Offering credit to consumers is regulated and requires a licence from the AFM. Operational or private lease to consumers is currently not regulated (unlike financial lease), but the AFM has indicated that it believes that activities in this field should be regulated. The Minister of Finance announced an investigation into the matter and the findings are expected in Q2 of 2021.

Business-to-Business Credit and Loans

Offering loans and credit to businesses is, in principle, not regulated.

This could be an interesting opportunity for new players, as a policy brief on SME financing in the Netherlands in 2009-2018 in a European perspective found that:

  • Dutch SMEs receive bank loans less often than SMEs elsewhere in the EU;
  • SMEs request fewer loans and banks reject loans more often, again as compared with elsewhere in the EU;
  • interest rates for business loans are relatively high in the Netherlands; and
  • in a response to the policy brief, SME association MKB Nederland stated that there is a need for more banks and alternative financiers servicing SMEs in the Netherlands.

Crowdfunding Platforms

Crowdfunding is becoming increasingly popular in the Netherlands. Depending on the type of crowdfunding, operating a crowdfunding platform requires a licence in the Netherlands. In October 2020, the European Parliament approved an EU Crowdfunding Regulation which will have direct effect in all EU member states as of 10 November 2021. The new crowdfunding regulation harmonises requirements for the provision of crowdfunding services in the EU.


Offering credit to consumers is a regulated activity. Requirements include an obligation to obtain relevant information from a consumer (including a credit assessment) and the prohibition of entering into a credit agreement if this would grant excessive credit to the consumer. Online lenders have a relatively high level of freedom in how they set up the exact details of the underwriting process and will be found to be in compliance as long as they can demonstrate compliance with the open norms as dictated by the law.

Business-to-Business Credit and Loans

Offerors of business credit and loans typically have their own internal assessment solutions that are tailored to each type of credit and lender. Naturally, AML/CFT requirements must be taken into account.


The new EU crowdfunding regulation that enters into force on 10 November 2021 expects crowdfunding service providers to "separate the wheat from the chaff". One meaning of this is that crowdfunding service providers are expected to conduct a background check to see whether a project owner has a criminal record.

Legal and regulatory requirements vary depending on the source of funds for loans. For example, attracting redeemable funds, such as deposits, requires a banking licence. In the case of attracting funds for loans on a peer-to-peer basis (for example, via a crowdfunding platform), the crowdfunding platform must obtain an exemption from the AFM for mediating in attracting redeemable funds. If consumers can invest (loan based) via a crowdfunding platform, and the platform collaborates with a payment service provider or e-money institution, the platform may also require a licence for mediation in payment accounts or e-money.

Syndication of loans is common in the Netherlands. In practice, however, online lending usually concerns smaller amounts that are typically not syndicated.

Payment acquirers that process payments may use existing payment networks set up by network operators. There is no restriction on parties to create new infrastructures, provided they obtain all relevant regulatory authorisations.

Payments and money remittances are regulated through Directive (EU) 2015/2366 (the revised Payment Services Directive, or PSD2), which is implemented in Dutch law by the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht) and Dutch Civil Code (Burgerlijk Wetboek). The PSD2 imposes authorisation and ongoing requirements on parties providing payment services, which – as laid down in the annex of the PSD2 – consist of:

  • services enabling cash to be placed on a payment account as well as all operations required for operating a payment account;
  • services enabling cash withdrawals from a payment account as well as all operations required for operating a payment account;
  • execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider;
  • execution of payment transactions where funds are covered by a credit line for a payment service user;
  • issuing of payment instruments and/or acquiring of payment transactions;
  • money remittances;
  • payment initiation services; and
  • account information services.

With specific regard to cross-border payments, the Netherlands is part of the Single Euro Payments Area, which aims to ensure that making electronic payments throughout the entire euro area is as easy as making cash payments and that there are no extra charges when making an electronic payment in euros in another European country. For this purpose, Regulations (EC) 924/2009 and (EU) 2019/528 ensure that all cross-border payments in euro in both eurozone member states and in non-eurozone member states – ie, Bulgaria, Croatia, Czechia, Denmark, Hungary, Iceland, Liechtenstein, Norway, Poland, Romania, Sweden – are priced the same as domestic payments.

Investment funds, their managers and depositories are regulated based on the EU Alternative Investment Fund Managers (AIFM) Directive or the Undertakings for the Collective Investment in Transferable Securities (UCITS) Directive, as implemented in national law.

The provision of fund administration services (legal, accounting, compliance, etc) is not regulated, but may be subject to legal requirements. This is the case, for example, where there is an outsourcing relationship with a fund manager. Should a fund administrator receive and transmit or execute client orders, it requires a licence as a MiFID firm.

Agreements between fund managers and administrators should comply with various requirements, including rules on outsourcing.

The Dutch Financial Markets Supervision Act recognises three kinds of trading platforms:

  • regulated markets;
  • multilateral trading facilities (MTFs); and
  • organised trading facilities (OTFs).

Regulated markets are the most common type of trading platform and are subject to the authorisation of the Dutch Minister of Finance. MTFs are investment firms that have been authorised by the AFM to operate as a multilateral trading facility. The main discerning element between regulated markets and MTFs is the intended quality threshold for financial instruments traded on a regulated market. 

OTFs are trading platforms that do not qualify as a regulated market or MTF. They are mainly used for debt instrument trading, structured products and derivatives. OTFs are subject to the authorisation of the AFM. In principle, OTFs have to adhere to the same regulatory rules as regulated markets and MTFs. However, in contrast to regulated markets and MTFs, OTFs can execute client orders at their own discretion. For this reason, there are OTF-specific rules on client conduct.

Asset classes are, in principle, subject to equivalent regulatory regimes. There are, however, some differences when it comes to listing asset classes on trading platforms recognised by the Dutch Financial Markets Supervision Act:

  • any financial instrument may be listed on a regulated market or an MTF; and
  • an OTF may list debt instruments, structured finance products, greenhouse gas emission allowances and derivatives. Share instruments are excluded from the scope of OTFs.

No specific rules exist for exchanges that provide a cryptocurrency trading platform. However, Directive (EU) 2018/843, the revised Fourth AML Directive (commonly referred to as the Fifth Anti-Money Laundering Directive or AMLD5) includes rules for:

  • firms offering services for the exchange between virtual and fiat currencies; and
  • providers of custodian wallets for virtual currencies.

Exchanges offering trading facilities for cryptocurrencies often fall within the scope of one of these definitions.

Entities providing these services must register with the DNB and demonstrate their compliance with AML measures and requirements as set out in the Dutch Money Laundering and Terrorism Financing (Prevention) Act; and demonstrate that their policymakers have been assessed for fitness and propriety. Registered providers are monitored on an ongoing basis.

The obligation to register with the DNB applies to crypto service providers located or offering exchange services between virtual and fiat currencies or custodian wallets in the Netherlands. This means that crypto service providers located in other EU member states are also subject to this registration obligation if they provide their services on a cross-border basis to clients located in the Netherlands, regardless of registration in their home state. Furthermore, crypto service providers located in a third country (non-EU Member State) are prohibited from offering exchange services between virtual and fiat currencies or custodian wallets in the Netherlands.

Issuing entities that have their financial instruments listed on a regulated market need to comply with regulations at the issuance of those instruments, as well as comply with disclosure requirements relating to control and interest. These standards generally do not apply to issuing entities with instruments listed on an MTF.

Regulated firms need to comply with the order handling rules laid down in MiFID II and its Delegated Regulations. Investment firms must also agree to obtain the best possible result when executing client orders, taking into consideration price, cost, speed, probability of execution, size, nature and any other criteria relevant to the order (the "best execution" principle).

The rise of peer-to-peer trading has had little impact on traditional players, and we have yet to see a successful peer-to-peer trading venue emerge in the Netherlands.

Based on the best execution principle, investment firms must take adequate measures to obtain the best possible result when executing client orders, taking into consideration various criteria, including: the qualification of the client, the price of the relevant instrument, execution cost, speed and probability of execution. Investment firms must draw up a clear and sufficiently detailed policy for their order execution. In that regard, firms should be aware that the relevant criteria for determining best execution may sometimes contravene each other – for example, a trading venue offering the lowest execution costs may also be severely limiting in terms of trading volume (probability of execution).

The general inducement norms stemming from MiFID II apply, meaning that kickback fees are in principle prohibited if providing investment services to retail clients, except where it involves a justifiable non-monetary benefit or payments or benefits which are necessary for the provision of investment services, such as custody costs and settlement and exchange fees.

For professional clients, kickback fees are allowed where firms provide services other than independent investment advice or asset management services, and the following conditions apply (also referred to as the inducement norm):

  • the firm informs the client thoroughly and accurately on the existence of the received benefits;
  • the benefits enhance the quality of the service provided to the client; and
  • the benefits do not impede the general obligation of the firm to act in the client’s best interest.

When servicing professional clients and providing independent investment advice or asset management services, firms may not receive kickback fees, save for justifiable, small and non-monetary benefits.

The European Market Abuse Regulation (Regulation (EU) 596/2014, MAR) applies in the Netherlands. The aim of MAR is to ensure the integrity of European financial markets and to protect individual investors. Unlawful behaviour in financial markets is prohibited. MAR contains rules on insider trading, inside information disclosure and market manipulation.

The AFM has published best practices to assist investment firms in identifying and notifying suspicious market abuse behaviour.

Algorithmic trading (and high-frequency trading as a form of algorithmic trading) is regulated under MiFID II. The definition of algorithmic trading contained in MiFID II is limited to trading in MiFID II financial instruments. This means that asset classes outside the scope of regulation under the MiFID Regulations are not regulated. Investment firms engaging in algorithmic trading must notify the AFM of this.

MiFID II introduced a combination of measures and specific risk controls for algorithmic trading. MiFID II aims to limit operational risks by regulating internal control and the business operations of market participants. In addition, MiFID II introduced measures on trading mechanisms that influence the nature of price formation and the behaviour of market players.

Investment firms engaging in algorithmic trading have to satisfy requirements on internal business operations and information and documentation obligations. MiFID II rules also apply to trading venues that enable algorithmic trading. This includes regulated markets, MTFs and OTFs. These rules must prevent algorithmic trading from leading to disorderly markets and from engaging in market abuse.

Investment firms engaging in algorithmic trading as market makers have to satisfy specific requirements under MiFID II. These requirements include:

  • carrying out the market making activities continuously during a specified proportion of the trading venue’s trading day;
  • entering into a written agreement with the trading venue stating their market obligations; and
  • having effective systems and controls in place to ensure the fulfilment of its obligations under the agreement.

Managers that manage or market investment funds (AIFs and UCITS) are not considered investment firms under Dutch law. As such, the provisions regarding algorithmic trading following from MiFID II do not apply to these entities or persons.

Programmers are not regulated. However, internal control requirements for investment firms engaged in algorithmic trading (further set out in Delegated Regulation (EU) 2017/589) set requirements for the relevant expertise and training of employees.

Financial research platforms do not require authorisation in the Netherlands, unless they provide additional regulated services like investment advice.

Spreading false or misleading information may qualify as market manipulation, which is prohibited under the MAR.

In the Netherlands, there is no specific regulation on financial research platforms. However, the spreading of inside information is unlawful pursuant to MAR.

Insurance underwriting processes are regulated by the Dutch implementation of the EU’s Solvency II regime (Directive (EC) 2009/138). The Solvency II regime sets out detailed requirements on capital, governance and risk management in all EU-authorised insurance and re-insurance undertakings.

The AFM distinguishes four types of insurers:

  • life insurers;
  • non-life insurers;
  • funeral insurers; and
  • re-insurers.

Each type of insurer is subject to specific rules and, when seeking authorisation, insurers must indicate which insurance branch they intend to be active in. Insurers are prohibited from operating both a life and a non-life insurance company within the same legal entity. Insurers are also prohibited from operating any businesses other than the business they are authorised to operate. 

Regtech providers are not regulated. However, they may be indirectly subject to regulatory requirements via outsourcing relationships with regulated firms.

Regardless of whether they depend on regtech service providers for their regulatory compliance, regulated entities remain responsible for complying with all applicable regulations. Regulated entities can be expected to include various types of clauses, including audit clauses, in agreements concluded with these providers. We also expect regulated entities to require technological quality assurance reports from regtech providers. 

Most traditional players – banks, pension funds and insurers, for example – work on blockchain applications for their organisations, albeit at a differing pace. Notably, incumbent banks have dedicated blockchain teams and collaborate with well-known international consortiums in that space. The largest Dutch banks have launched blockchain-based solutions, alone or in collaboration with other parties. In the area of international trade, these include solutions for trade settlement, letters of credit and trade finance.

In general, Dutch financial regulators and the Dutch government have been receptive to new, innovative technologies and developments in the financial sector, one of which is blockchain. The Netherlands was one of the first EU member states to have both an innovation hub and a regulatory sandbox.

The DNB has conducted various experiments with blockchain and cryptocurrencies and is considered a leading player in exploring the possibilities for an EU central bank digital currency.

The Dutch financial regulatory framework is rooted mostly in European legislation, making it similar to the frameworks of other EU member states.

Not all blockchain assets are considered a form of regulated financial instrument. The qualification of blockchain assets depends on the individual characteristics of an asset. For example, blockchain assets that qualify as virtual currencies are regulated based on AMLD5; blockchain assets that qualify as financial instruments are regulated based on MiFID II. That being said, the majority of blockchain assets are not currently regulated.

The European Commission has proposed a bespoke regime for all crypto-assets not covered elsewhere in EU financial services legislation (the Markets in Crypto Assets, or MiCA, proposal). The MiCA proposal aims to regulate issuers of crypto-assets and crypto-asset service providers based on distributed ledger technology or similar, taking into account the principle of proportionality. The legislative process in this regard remains ongoing.

The regulation of issuers of blockchain assets (if any) depends on the qualification of the asset (ie, as a security or another type of financial instrument). This would mean that an initial public offering of blockchain assets qualifying as securities must comply with standard IPO regulations.

The EU MiCA proposal aims to regulate all crypto-assets that are currently not covered elsewhere in EU financial services legislation (see 12.3 Classification of Blockchain Assets).

The regulation of issuers of blockchain assets (if any) depends on the qualification of the assets admitted to trading; for example, as financial instruments or virtual currencies.

Blockchain asset trading platforms that admit blockchain assets that qualify as financial instruments are likely to qualify as a regulated market, multilateral trading facility (MTF) or organised trading facility (OTF). Such qualification results in strict EU-based regulatory requirements, including a licence obligation.

Providers engaging in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers, must register with DNB to be active in or from the Netherlands.

There is no legislation that specifically regulates funds that invest in blockchain assets.

The regulatory treatment of blockchain assets (if any) depends on the characteristics of a blockchain asset. Blockchain assets that qualify as virtual currencies are regulated under AMLD5, as implemented in Dutch AML/CFT legislation.

AMLD5 defines a virtual currency as “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”.

Providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers, must register with DNB to be active in or from the Netherlands.

There is no specific regulation on DeFi platforms in place. That being said, the decentralised nature of these platforms may give rise to issues when applying existing regulations, for example in relation to the governance of these platforms.

PSD2 has been implemented in the Netherlands and is a driver for the development of open banking due to the obligation of credit institutions to provide dedicated interfaces (APIs) to fintechs.

While open banking evangelists initially focused on retail banking, Dutch market players have expanded their efforts to include SME lending.

Collaboration is a prerequisite for unlocking the potential of open banking. In the Netherlands, we see both incumbent banks and neobanks increasingly collaborating with fintech players.

It is noteworthy that in January 2021 the European Insurance and Occupational Pension Authority (EIOPA) launched a public consultation on open insurance, focused on the access to and sharing of insurance-related data.

Data privacy concerns, partly fuelled by communications from supervisory authorities and a strong media focus on GDPR, have created some scepticism in the market. Banks have also raised the issue of data security in relation to less heavily regulated third parties.

De Brauw Blackstone Westbroek

Claude Debussylaan 80
P.O. Box 75084
1070 AB Amsterdam
The Netherlands



Trends and Developments



The Netherlands has been leading fintech lists for years with notable hotspots in Amsterdam (financial sector), Rotterdam (trade) and Eindhoven & Delft (technical universities). In 2020, COVID-19 and Brexit further propelled Dutch fintech, resulting in a significant influx of UK fintechs into the Netherlands, and the complete digitisation of businesses and consumers.

In the Netherlands, the term "fintech" was initially used by new players in the financial sector who were starting to compete with incumbents on specific elements of, for example, the payment chain. As such, the Netherlands is home to many "traditional" fintech businesses (eg, in payments, asset management and credit provision), of which payment unicorn Adyen is a prime example. Today, the Dutch fintech market comprises a much broader field of activities including advanced analytics, blockchain and artificial intelligence-driven business models that are developed by both new and existing players.

For fintechs with business models that require a broad consumer base in order for them to be profitable, one of the main challenges is being able to reach the required masses. Incumbents, such as traditional banks, do not face this type of challenge as they can rely on a loyal customer base. This is one of the reasons for the increased emphasis on collaborations between old and new players. We also see this happening in other areas where, for example, fintechs provide AML/CFT services for financial institutions, and international banks collaborate to set up trade finance platforms.

In this Trends & Developments article, we touch upon some of the following developments and their challenges in the coming years:

  • crypto going mainstream;
  • regulatory expectations with regard to the use of AI;
  • environmental, social and governance aspects of fintech; and
  • trust and new developments around private GDPR enforcement.

A Milestone Year for Virtual Currencies

2020 was a milestone year for virtual currency service providers. In May, the revision of the Dutch Money Laundering and Terrorism Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme, the Wwft) entered into force, implementing the revised Fourth Anti-Money Laundering Directive (commonly referred to as the Fifth Anti-Money Laundering Directive or AMLD5). This revision includes rules for firms offering exchange services of virtual and fiat currencies, and providers of custodian wallets for virtual currencies (crypto service providers, or CSPs). The revisions stipulate that entities providing these services must register with the Dutch Central Bank (DNB) and demonstrate their compliance with AML measures and requirements as set out in the Wwft. Pursuant to these requirements, policymakers of CSPs must be assessed and approved for fitness and propriety. The propriety assessment requirement also applies to ultimate beneficial owners of, and holders of a qualifying holding in, CSPs – meaning that investors holding an interest as low as 10% will need to be assessed by the DNB.

On a more operational level, CSPs will need to demonstrate they conduct business in a controlled and sound manner. This means a CSP must have rules, measures and procedures in place to ensure its integrity and to ensure its specific business risks are manageable and controllable. The DNB recently clarified that CSPs meet the requirements on controlled and sound business conduct when they can demonstrate compliance with the AML measures stemming from the Wwft and the rules stipulated in the Dutch Sanctions Act and its underlying regulations (Sanctiewet 1977).

The most prominent operational requirement for CSPs is the ongoing client monitoring requirement, which means a CSP has to check all transactions performed by a client. Ever since the European Commission introduced the AMLD5 proposal, there has been much uncertainty and discussion on the extent of the ongoing monitoring obligation. Due to the nature of virtual currencies, legislatures and regulators assumed that extensive ongoing monitoring would be required by CSPs – meaning that, in addition to identifying and validating the identity of their own clients, CSPs would have to gather sufficient details on the counterparties of their clients' transactions (parties from whom the clients received virtual currencies or to whom they sent virtual currencies). This was often seen as an unsurmountable obstacle in the mostly decentralised virtual currency sector, where counterparties to transactions could be located anywhere in the world.

In late 2020, the Dutch Central Bank put an end to this debate by releasing guidance on the requirement for CSPs, emphasising the importance of the Dutch Sanctions Act in relation to the monitoring of transactions. In its guidance, the Dutch Central Bank indicates that CSPs should be able to determine whether a "relationship" produces a hit based on the Dutch Sanctions Act and its underlying regulations. In this context, a "relationship" is defined as “anyone involved in a financial service or a financial transaction”. This includes the counterparty or other party involved in a transaction by a CSP's clients. As such, a CSP must be able to effectively:

  • establish the identity and place of residence of the counterparty and screen it against the sanctions lists; and
  • establish that this person or legal entity is actually the recipient or the sender.

This stringent requirement has undoubtedly increased the regulatory burden on CSPs in the Netherlands, as demonstrated by the fact that, to date, only 16 providers have managed to finalise their registration as a service provider for the exchange between virtual and fiat currencies. Of these 16 providers, only ten have managed to complete registration as providers of custodian wallets for virtual currencies. However, the stringent requirements for crypto currency providers have unmistakably strengthened the Netherlands' position as one of the most robust and reliable European countries when it comes to financial regulatory frameworks. Completing a registration in the Netherlands will certainly ease the regulatory market access for such parties in other European countries.

Research by the Dutch Central Bank on a Digital Euro

Inspired by the rise of virtual currencies in general, and Facebook's Libra specifically, the Dutch Central Bank and the European Central Bank have been researching the possibility of issuing a digital euro. A digital euro is a central bank digital currency – a digital form of central bank money, available for all citizens and businesses.

According to the Dutch Central Bank, a digital euro would be a reliable and stable supplement to cash. It would also support and encourage competition and the financial inclusion of vulnerable groups. A digital euro payment system would also function as a back-up payment system if regular payment systems should fail. In other words, a digital euro would help ensure that euro-area citizens retain access to a simple, universally accepted, secure and reliable public means of payment.

For now, the Dutch Central Bank and the European Central Bank are exploring the development of a digital euro. The Dutch Central Bank expects to reach a decision on entering the next phase of research into the requirements and design of a digital euro in Q2 of 2021.

Regulating Algorithms/Artificial Intelligence

We see a steep growth curve in the development and use of AI applications by and within the financial sector. Fintech and incumbents alike are working hard on developing AI-driven solutions for old and new challenges. There are scores of success stories in the Netherlands, such as in AML/CFT & fraud detection, asset management, and credit scoring. The market potential seems endless, especially in combination with other relatively new developments, like open banking and the internet of things.

The use of AI, however, also brings with it new legal and ethical challenges. Some of those challenges include: avoiding hidden biases (in datasets and/or algorithms); balancing the accuracy and explainability of "blackbox" algorithms (for example, in credit scoring); and determining the tipping point of where price optimisation turns into the unfair treatment of vulnerable groups (such as in the insurance sector). This has led to scrutiny from lawmakers and regulators at the international, European and national levels.

Internationally, one of the actors working on AI is the United Nations Interregional Crime and Justice Research Institute (UNICRI). From its Centre on AI and Robotics in The Hague, the Netherlands, this body aims to enhance policy makers' and government officials' understanding of the risk-benefit duality of AI and robotics.

The EU has declared AI an area of strategic importance and aims at a human-centric approach for AI. The European Commission has proposed an outline for an EU AI regulation, but it may still be years before such regulation is adopted. EU institutions, such as the ECB, EBA, EIOPA and ESMA are also formulating their views on the use of AI in the financial sector. As an early example, EBA guidelines on loan origination and monitoring entering into force in the summer of 2021 include specific requirements for "technology-enabled innovation for credit-granting purposes".

In the Netherlands, the financial supervisory authorities – DNB and AFM – have included the use of AI and big data in their top priorities for the coming years. DNB has published its SAFEST principles on the responsible use of AI in an effort to start a dialogue with the sector. Together with the Dutch conduct authority, the AFM, it has published guidance for the use of AI in the insurance sector. Both the AFM and DNB underline the potential benefits of AI for the financial sector and expect market parties to use the potential of AI for the benefit of their organisations (enhanced AML/CFT efforts, more advanced internal models), and for the benefit of their customers (better service, no unfair use).

From a public policy perspective, it is noteworthy that both the EU and the Dutch government continue to invest significant resources in the development and promotion of AI. Some examples include: subsidies for the development of standards; public education efforts; and AI trade missions. At the same time, certain AI applications, such as facial recognition, are being closely monitored for safety, privacy and security concerns.

We assist our clients in navigating the legal requirements and regulatory expectations on the use of AI, while also taking into account ethical considerations and societal perception, without losing sight of the flexibility required for commercial success.

Environmental, Social and Governance Aspects of Fintech

In recent years, sustainability has become a hot topic in the financial industry. We believe financial innovation can and will play an increasing role in fulfilling the demand for ESG considerations in the business, and we expect significant growth in the ESG fintech market.

However, it is not only the heightened focus on ESG that contributes to this growth. We also expect an increase in investment capital flowing to ESG fintech firms over the coming years. We have observed an emergence of funds issuing grants, loans and investments to fintech firms that support ESG projects or sustainability.

Some examples of social and environmental fintechs include app-based investment firms that allow clients to invest in companies that have been selected as excelling in climate change, social impact or disruptive technology. Other initiatives allow customers to offset their carbon footprint through a subscription, the fees of which are then invested in ESG-oriented firms.

The Dutch government also actively stimulates sustainable innovation. Through its "Green Deals", the Dutch government supports the implementation of sustainable initiatives by removing certain barriers encountered by companies. The Green Deal approach is part of the Dutch government's green growth policy and is a joint initiative of the Dutch Ministries of Economic Affairs and Climate Policy, Infrastructure and Water Management, and the Interior and Kingdom Relations. It aims to help sustainable initiatives get off the ground, and to accelerate this process where possible.

Data, Trust and Privacy

In business, reputation is everything. This is one of the reasons that some legacy players have been hesitant about developments such as open banking and open insurance, as they fear that their customer data will be less secure due to third parties being connected to their systems. PSD2 left banks no choice when it forced them to open up payment data to other players. So far, no such obligation exists for insurers, but EIOPA has launched a public consultation on open insurance, focused on granting access to and sharing of insurance-related data.

We see that the GDPR today is on the radar of most parties that have business models involving the use of big data. That being said, the related challenges keep evolving. In previous years, Data Protection Authorities were the key players in monitoring the use of data. But with limited resources, they can only address the "tip of the iceberg". As a result, we now see that individuals – and the non-governmental organisations that represent their interests – are increasingly taking matters into their own hands by claiming damages under the GDPR to defend their rights, including via mass claims. This will affect big tech and smaller companies with a large consumer base.


2021 promises to be another exciting year for fintech in the Netherlands and globally. We look forward to assisting clients who would like to introduce innovative solutions in the financial sector.
