Fintech 2021

Last Updated March 18, 2021


Law and Practice


GRAD Legal & Financial Advisory Services has offices in Moscow and Geneva, and can provide services in English, German, French, Italian, Ukrainian, Spanish and Georgian. The firm works with major Russian and foreign banks, venture capital funds, financial institutions and innovative companies and start-ups by advising on different aspects of applicable laws and regulations. It provides a range of legal services to clients, from standard corporate matters to the most complex issues. Major practices are investments, regulation of digital technologies, IP, corporate structuring, M&A, financial activities licensing, international taxation, corporate law, venture capital, international and Russian commercial arbitration, litigation and private wealth. Sectors covered include fintech, new technologies, banking and finance, media and communications, pharmaceuticals and medicine, e-commerce and retail, real estate and construction, agriculture, sports and tourism.

The legal norms affecting fintech have recently been, and continue to be, updated with substantially important new norms. The overall digitalisation trend was set by President Decree No 204 of 7 May 2018 “On the National Goals and Strategic Tasks of the Russian Federation Development for the Period until 2024”. The National Digital Economy Programme (NDE Programme) was adopted on 4 July 2019, and includes the current Normative Regulation of Digital Sphere project.

The Central Bank of Russia (CBR) issued “The Main Directions of Financial Technology Development for the Period 2018-2020” (the Main Directions) and the road map naming the key technologies (within the NDE Programme). The Main Directions together with the NDE Programme having been partly realised. In particular, a blockchain-based platform is envisaged with the corresponding marketplace having been set up. Various projects have been launched, and several documents enacted accordingly. For example, the Presidential Decree of 10 October 2019 No 490 "On the development of artificial intelligence in the Russian Federation" was adopted — including the National Strategy for the Development of Artificial Intelligence until 2030), as well as Federal Law of 24 April 2020 N 123-FZ "On conducting an experiment to establish special regulation in order to create the necessary conditions for the development and implementation of artificial intelligence technologies in Moscow and amending Articles 6 and 10 of the Federal Law "On Personal Data".

The localisation of foreign services for GDPR reasons remain a difficult issue (not all providers may extend their services to Russia properly — eg, PayPal).

The regulation of payment systems has been updated (eg, Federal Law of 30 December 2020 No 499-FZ “On Amendments to Article 12 of the Federal Law "On Currency Regulation and Currency Control" and Article 8 of the Federal Law "On National Payment System (the NPS Law)". According to the amendments which will enter into force from 1 July 2021, a money transfer operator has the right to engage third parties (namely, suppliers of the payment application), subject to the compliance of the payment application with the information protection requirements established by the Central Bank of the Russian Federation.

The progress has been significant, though the legislation level is uneven. Some areas remain blank whereas others have been elaborated in detail. The amendment of legal acts is a slow process with regulators often taking a conservative approach and hesitating to support proper dialogue with businesses.

Regions are participating in regulatory development and adopting new acts within the scope of competence. Here, again, the development is uneven. Some regions are progressive (eg, Tatarstan, the Moscow Oblast (Region), Kaliningrad), while others are less so.

Digital Assets, Blockchain

There are three main blockchain acts regulating this new technology application and use in the financial sector: Federal Law No 34-FZ of 18 March 2019 “On Amendments to Parts One, Two and Article 1124 of Part Three of the Civil Code of the Russian Federation” (the “Digital Rights Law” in force as of 01 October 2019); Federal Law No 259-FZ of 02 August 2019 “On Raising Investments Using Investment Platforms and Amendments to Certain Legislative Acts of the Russian Federation” (the “Crowdfunding Law”, in force as of 1 January 2020); and Federal Law No 259-FZ of 31 July 2020 “On Digital Financial Assets, Digital Currency and on Amendments to Certain Legislative Acts of the Russian Federation" (the DFA Law).

Russia remains surprisingly far behind regarding cryptocurrency and digital assets regulation. The last one of three mentioned acts has finally entered into force but the DFA Law has so far failed to fulfill its role as a unifying act by laying out principles for the industry area. It was supposed to unite and unify the existing practice and norms and create the basis for blockchain-based crowdfunding (ICO), cryptocurrency mining and trading, security tokens, the difference between various tokens, trading, and the relevant terminology. Instead, it relates to the digital financial assets issued in Russia and provides for a very vague definition of digital currency. The latter creates confusion with digital certificates and bonuses, such as air miles or bonuses from SBER bank. Cryptomining and trading, especially as regards foreign origin assets, remain out of governance and no licence is available.

A legal prohibition has been imposed on any exchange of crypto for goods and services. Persons may potentially hold and exchange crypto for fiat, but no rules currently exist. They may be deprived of legal protection if they fail to declare cryptocurrency, but there are no rules yet on this would happen. Digital assets have been recognised as “property”.

Taxation issues are being discussed in the State Duma and the Ministry of Finance of the Russian Federation (eg, Letter from the Department of Tax Policy of the Ministry of Finance of Russia No 03-11-11/99914 of 17 November 2020 “On the taxation of digital financial assets”) but further developments are anticipated this year.

“Digital rights” have been legalised with amendments made to the Civil Code of Russia by the Digital Rights Law. This legalisation was progressive recognition of digital rights as civil rights, although the definition was confusing because of its association with non-documentary securities. Electronic and technical means can be considered the proper written form of an agreement, subject to certain conditions.

A new version of the Federal Law “On Electronic Signature” No 63-FZ of 06 April 2011 (the ES Law) came into force on 1 July 2020. Private verifying centres now may only issue “strengthened” signatures, subject to additional accreditation. Court practice has already been developed. 

The above digital instruments are offered by a blockchain platform launched by the Fintech Association (which includes the leading banks, payment systems and other players).

Another blockchain act, the Crowdfunding Law, came into force on 1 January 2020. The CBR has issued several instructions to develop the provisions of the mentioned Crowdfunding Law, namely:

  • Instruction No 5337-U of 02 December 2019 “On Requirements for the Internal Document(s) for Managing Conflicts of Interest of the Investment Platform Operator”;
  • Instruction No 5342-U of 04 December 2019 “On the Way of Record Keeping for the Investment Platforms Operators”;
  • Instruction No 5395-U of 29 January 2020 “On the procedure and timeframes for drafting and submitting reports by operators of investment platforms to the Bank of Russia, the form of reports of operators of investment platforms and on the information to be included into such reports”.

The theoretical base of this law is partly there, but many definitions and explanations are absent. No efficient dialogue has been organised as regards clarification of legal uncertainty for the business and individuals from the side of the CBR or tax authorities (as compared with, for example, Switzerland or Singapore). 

Remote Identification System

The Road Map and Main Directions provide for the launch of a client identification system, including the United Biometric System (UBS) and the United Identification and Authentication System (ESIA). The main idea is to allow access to bank services anytime and anywhere for free at the client's discretion. First, banks check the client’s data at a personal visit to one of the banks accredited for registration in the above systems. Second, registered persons may obtain services remotely, including credits, account opening, etc. The system was launched on 30 June 2018 and as of today 333 banks are in the list of organisations where registration with the ESIA and UBS is possible.

Rapid Payments System (RPS)

Another development has been the announcement made by the CBR and National Payment Cards System (NPCS) on 28 January 2019 of the RPS launch for transfers between business or individual accounts (also with QR codes). Several acts have been issued on the subject and the majority of banks are involved.

Payment Systems and Services

Various aspects of payment processing and transfers were affected by amendments in 2020. According to the CBR, the share of cashless payments in total retail turnover exceeded 64%. As of 1 January 2021, 210 banks were participants in the RPS. More than 118 million transactions worth almost RUB855 rubles were processed by the system.

The systems not yet registered with the CBR but still willing to work with individuals shall set up a branch or subsidiary in Russia and be registered accordingly, prior to the above date. Joint ventures may be a solution (as AliPay has been allegedly planning to do).

Information rights and information as content, big data and the regulation of commercial turnover of depersonalised data are matters of increased scrutiny.

The use of robots and AI in financial services (the legitimate source of information, its status, cybersecurity, know your customer/anti-money laundering (KYC/AML), algorithmic trade, the use of bots, sources of information for AI, etc) became the subject of regulators' attention following the last President Decree No 490 of 10 October 2019 “On the Development of Artificial Intelligence in the Russian Federation” (the “Decree on AI” together with the National Strategy of AI Development for the Period until 2030).

In this area, little has been done regarding fintech regulation. It would be important to consider the human factor as well as the elaboration of new official standards for drones and robots.

Legislative initiatives of certain leading market player associations — the Media & Communication Alliance and FinTech Association, for example — must be respectfully acknowledged,  such as the Data Use Ethics Code; the regulatory foundational initiative basis for big data. Also, a draft of the Unified Information Code has been in discussion since 2019 which should systemise legislative acts in the areas of telecom and information, as well as integrate numerous acts on information, information technology, data protection, etc.

Experimental Regimes

An important new act has entered in force: “On Experimental Legal Regimes in the Digital Innovation Field in Russia” (the ELR Law). It shall allow legal sandbox-like exceptions for the new digital technology projects. In addition to the mentioned act the following regulations were adopted: Government Decree No 1979 of 1 December 2020 “On approval of the Rules for maintenance of and access to the register of experimental legal regimes in the field of digital innovation”; and Government Decree No 2011 of 3 December 2020 “On Approval of the Rules for Monitoring the Experimental Legal Regime in Digital Innovation, Evaluation of the Efficiency and Effectiveness of the Experimental Legal Regime in Digital Innovation, Public Discussion of the Efficiency and Effectiveness of the Experimental Legal Regime in Digital Innovation”.

Banks are active in implementing new technology and setting up accelerators (eg, Sberbank, Tinkoff, VTB). As the regulator, the CBR may be somewhat conservative, but is proactive as the promoter of new technology.

The example set buy the Swiss FINMA,of forming the new legitimate field and attracting investments by reviewing projects on a case-by-case basis, could be much more successful for Russia than vertically governed and lengthy legislative processes and subsequent implementation. This is especially the case when aiming to cope with the rapidly changing technology. The regulator is still not very active in Russia compared to those in Switzerland, Liechtenstein, Singapore, Malta and other countries.

Funds and family offices investing in local startups are mostly structured via other jurisdictions and use English or other foreign law. This is also traditional for tax planning in other jurisdictions. New initiatives of the Russian President may terminate several iron connections with former holding places, leading to serious restructuring and the set-up of new business models .

New accelerators are being formed, mostly by banks and technology companies, for startup support CBR, Tinkoff, Sberbank, VTB). Western-oriented models of co-operation (eg, Accenture, PWC) are sometimes used. Skolkovo has introduced a special regime (with tax benefits, foreign employees' formalities release, grants) and its Technopark attracts technology project initiators.

Most new fintech technology startups tend to collaborate with banks, accelerators and some big industry leaders (Gazprom, Yandex, etc). Examples of smaller, but no less successfully developed, startups include Ubank, Dbrain and Moe Delo.

Big companies are consumers of and investors in new technologies, although they are mostly taking over startups for integration. Big players try to create alliances and accelerators, as well as joint educational programmes.

The FinTech Association was established in 2016 and unites major banks, telecoms players, insurance companies, and payment systems. It has launched the national blockchain platform (in close collaboration with the owners of Qiwi, the leading payment system).

The main regulators involved in technology integration in fintech, regtech and suptech collaborate with local and international technology providers. PravoTech, for example, is an ecosystem for legal process automation and is used by Rostelecom, MegaFon, Skolkovo, AlfaBank, Gazprombank, Sberbank, HeadHunter, etc.

Crowdfunding could be an effective tool to encourage startups to remain in Russia, wherefrom Cryptocurrency-related projects mostly emigrate due to the absence of clearly structured legislation. This situation may change in 2021.

The NDE Programme has set targets for federal and regional regulation development, and has determined the main bodies responsible for the legal initiative and technology development.

Regions are enacting local documents within the scope of competence – eg, the Tomsk Oblast (Region) Law No 25-OZ of 12 March 2015 “On Innovation Activity in the Tomsk Oblast”, and the Republic of Tatarstan Law No 40-ZRT of 17 June 2015 “On the Strategy of Social and Economic Development of the Republic of Tatarstan until 2030”. Regions develop international relations with investors, convene forums, build up accelerators, etc.

The regulation of new technologies (referred to as “digital” in the NDE Programme) requires a vertical approach “from general to detail” – from the adoption and amendment of federal laws through to implementation. This process is inefficient considering the tempo and challenges of technology development. Working via existing sandbox regime(s) would considerably move said process forward (as in Singapore, Switzerland, the UK, etc).

The existing laws have gaps and, where new acts often require commentary for implementation, law-implementing and enforcement bodies and courts currently lack knowledge.

Legal uncertainty creates problems for investors coming to the market. This uncertainty is predominantly regarding terminology, the officials' limited understanding of blockchain technology itself, and the nature of digital financial assets. Some technologies (eg, drones and robots) need specific standard updates. Taxation, accounting and the evaluation of new assets also raise many questions.

Banks and payment systems may charge customers commissions or credit terms under the supervision of the CBR, but they must be disclosed and reflected in the terms and conditions. Consumer protection laws are being developed regarding the use of bots, automated profile analysis by AI, and other matters. The terms that infringe customer rights as compared to the terms in the legal acts are void. The main legal acts that may be applicable are Law of the Russian Federation No 2300-1 of 7 February 1992 “On Consumer Rights Protection” (the CPR Law), Federal Law No 353-FZ of 21 December 2013 “On Consumer Credit (Loan)” (the Consumer Credit Law), the Civil Code of the Russian Federation, Federal Law No 395-1of 02 December 1990 “On Banks and Banking Activities” (the Banks Law), etc. The main supervisory body is Rospotrebnadzor (Federal Customers’ Protection and Human Wealth Service).

Specific regulation of technologies in the financial sector is sporadic and not yet fully developed. Unlike some countries where there are new fintech regulation blocks (ie, blockchain, Swiss fintech licences, Maltese or Gibraltar new Distributed Ledger Technology (DLT) licences), in Russia the activity of the main players is regulated by existing laws. Some parts of their activity are not yet covered by regulation.

The lack of regulation and the conservative attitude of the CBR prevent some of the areas from being developed or imply technology implementation or sector investment barriers. Most cryptocurrency and token issuing activity has been negatively approached by the CBR. Some exceptions now exist as regards local DFA and turnover due to the application of the DFA Law which entered into force on January 2021. Fintech itself, however, is supported as a priority by the CBR and government, and the relevant area of regulation is starting to form.

The CBR launched a sandbox in April 2018, in accordance with the Main Directions, for piloting and modelling processes for new financial services and technologies in case the regulation needs amendment.

The ELR Law may become a good basis for further development (see 1.1 Evolution of the Fintech Market: "Experimental Regimes" for more detail). The CBR remains the regulatory power for financial innovation.

The sandbox shall facilitate risk analysis, the expediency of launching a project, elaboration of the requisite regulation if needed and the supervision of projects. To address this, the special CBR Expert Market Participants Council (including associations of technology and financial markets) and the Interdepartmental Expert Council (government bodies) have been organised.

An applicant can be any entity with an innovative financial project. The CBR analyses the need for implementation via its council with additional questions and technological tests. Priority is given to digital technologies.

DLT itself and the crowdfunding platforms under control of the CBR are welcomed by the regulator, while foreign cryptocurrency and tokens issued abroad are not.

CBR sandbox and the ELR Law procedures differ. Practice will show how efficient the ELR Law application would be.

The CBR is the main regulator, with jurisdiction over the regulation and supervision of the financial markets, and over the registration, licensing and supervision of financial activities. The CBR is a very influential and active legislative initiative promoter and technology innovation trigger. See 1.1 Evolution of the Fintech Market regarding its innovative projects.

Any and all acts relating to financial markets and fintech shall be approved and agreed upon by the CBR.

As mentioned above, Rospotrebnadzor is collaborating with the CBR or acting separately in the area of consumer protection ― particularly in the financial sector. Rospotrebnadzor annually publishes its reports “On the Status of Financial Consumer Protection”, in which main recommendations and commentaries on different financial issues are given.

The Ministry of Economics and the Ministry of Finance are other important regulators. The President and the government are the general supervisors, and determine key digitalisation directions.

Regulated functions can be outsourced if the licensed vendor is responsible for any non-compliance with licence requirements and user rights. If a new technology company is using outsourced channels and opportunities, the regulated player shall ensure that the latter complies with all regulations.

Platform operators as service aggregators are responsible for the activity conveyed on the platforms accordingly (eg, the new digital crowdfunding investment platforms).

The main enforcement actions relating to fintech have no doubt been taken against some cryptocurrency-related activities (mining, trading, OTC, token issues and money raising).

The CBR has issued several information notices with warnings, and its position is that no money surrogates shall be allowed and admitted in Russia and crypto may not be used as consideration against goods, works and services payment. No Russian legal entities, Russia-based subdivisions of foreign companies or international organisations or individuals spending at least 183 days in Russia within a year may accept cryptocurrency in consideration for goods, works or services.

The courts’ practice has been very different and there is no unified position, even in the Supreme Court.

The General Prosecutor’s office has initiated several cases against token issues for fiat (cash) or cryptotrade, even when such activity is not prohibited but is still mostly out of the scope of regulation. One of the most noticeable cases was a criminal prosecution case in which several entrepreneurs were accused of acting without a banking licence and taking deposits for further crypto-investment.

Potential risks for projects working with cryptocurrencies may be tax evasion, money surrogates trade, activity without a financial licence (if they take fiat), market manipulation, consumer rights infringement and general fraud, as well as AML issues.

Other areas of fintech-related enforcement may result from the general licence and market organisation, as well as consumer protection requirements for legacy players (breach of licence rules, AML or local GDPR regulations, etc).

New amendments are in progress that may impose strict penalties in the Administrative and the Criminal Codes of Russia for illegal trade of crypto and its use as means of payment or tax evasion.

Fintech-related activities that involve collection of Russian citizens' data are subject to the Federal Law No 152-FZ of 27 July 2006 “On Personal Data” (the PD Law). This is the central act governing these matters, defining what refers to personal data and shall thus be protected and the rules of the game. The localisation of such activities and a requirement to install Russian-based and controlled servers have been the subject of hot discussions. Penalties were tightened in 2019 and new initiatives are now in progress.

Limitations on control over the key internet resources were the subject of a draft act that has not yet been passed (Draft Law No 763517-7) – otherwise, foreign companies would not be allowed to hold more than 20% of such resource shares (meaning the automatic unlisting of Russian internet resources at foreign exchanges, in particular).

Cybersecurity requirements are not regulated in detail, though the CBR and the Federal Security Service are paying attention to the matter.  No special protection procedure with respect to information on digital rights or such "property" is expressly set forth in the legislation. However, special regulation may be required for information containing cryptography, including licensing by the Federal Security Service of the Russian Federation.

Credit institutions can convey simplified identification of customers using ESIA and now also biometrics. The Marketplace, for market participants’ retail services and rapid payments, is a progressive step supported by the CBR.

AML laws apply to all regulated participants in the market, but the regulation is not yet sufficiently technology-specific apart from certain amendments. Federal Law “On Prevention of Legalisation (Laundering) of Criminal Activity Proceeds” No 115-FZ of 7 August 2001 (the AML Law) is the central act, followed by the CBR regulations (eg, Instruction No 181-I of 16 August 2017 “On the Procedure of Submission by Residents and Non-Residents of Confirming Documents to Authorised Banks and Information when Conducting Currency Operations, on Unified Forms of Accounting and Reporting on Currency Operations, Procedure and Terms of Their Submission”).

The active development of payment processing businesses resulted in a legal update on 3 July 2019: Federal Law “On Amendment of the Federal Law “On the National Payment System” and Separate Legal Acts of the Russian Federation” No 173-FZ in force as of 31 December 2019. Please see 5 Payment Processors regarding the major amendments.

An argument with Roskomnadzor and Facebook and Twitter regarding Russian citizens’ data localisation has resulted in penalties of approximately USD300,000 (Federal Law No 405-FZ of 02 December 2019). The handling and storage of data are subject to a very low penalty (about USD1,000).

LinkedIn has been blocked by the local Russian regulator. New acts are also being introduced that affect information, the internet, messengers, news aggregators, VPN and other related matters (eg. amendments to the Federal Law "On Information, Information Technologies and Information Protection" No 149-FZ of 27 July 2006).

Social networks are considered information dissemination organisers that operate information systems and/or computer programs intended or used for the receipt, transmission, delivery and processing of electronic communications from users of the internet (information services). To provide services to Russian citizens, such networks shall register with Roskomnadzor. To collect personal data from Russians, a special server shall be kept locally. Certain information posted by users on social networks shall be retained and the Russian enforcement bodies shall be granted access to such data upon request in certain cases.

The Federal Law “On Information, Information Technology and Information Protection” No 149-FZ of 27 July 2006 (the “Information Law”) introduced important rules for social media and information platforms.

Roskomnadzor has powers to demand that social networks delete “unverified publicly significant information presented as reliable”. Social networks shall refrain from publishing information infringing third party rights, promoting pornography and similar things.

The Civil Code protects registered trademarks from use by unauthorised persons on sites or in names or publications, including social networks.

Audit and accounting are required for most regulated players. There are self-regulatory organisations for various groups of market participants, from funds to microfinance organisations. Associations of market players have been involved in the legislative process with no supervision functions. The FinTech Association has been designed as a platform for the CBR, major banks and other players to facilitate dialogue, the co-ordination of work for the development of standards and platforms, the implementation of chosen projects, and legislative initiative assistance.

Several committees are involved in legislation development with the State Duma, including the Expert Council on Legislative Support for the Development of Financial Technologies in Russia.

Some technology services and products remain unregulated in the absence of specific norms, and this results in the negative attitude of the regulators (cryptocurrencies, mining and trading, ICOs). DFA Law has provided for the opportunity to get a DFA issue or exchange licence (that is available, for example, to classical financial market players like banks or regulated brokers, dealers and stock exchanges). 

Others can be used within the frames of existing laws (eg, bots or algorithms, AI for big data analysis). For example, using customer profile information from social networks is not prohibited if it is obtained legally, but the information cannot be sold or misused. Bots can be used but must not infringe third party rights or be abusive.

Regulators are concerned about compliance with the major legal requirements. New fintech-related rules are only just emerging – as are the related services (the CBR Marketplace or the new biometrics system). Existing rules apply regardless, and this may occasionally cause conflicts.

The CBR has developed regulations concerning investment advisers. Automatic consultations and follow-ups shall be accredited by the CBR or a self-regulatory organisation (if it is vested with the power to do so). Mandatory accreditation is for programmes that do not involve a human factor, and allow the formation of individual investment recommendations for users by parameters given in advance, and robo-advisers allow the automatic transformation of an investment recommendation in a broker instruction into a transaction with a derivative without the customer’s approval. The programme verification and accreditation shall occur within 20 days of an application. In case of disfunction, the CBR (SRO) may cancel the accreditation (see Instruction of the CBR No 4980-U of 27 November 2018 with further amendments).

Legacy players offering either their own or third-party investment products are now trying AI for automated consulting. The market is in development and FinEx has been working on this with some local banks. Several investment funds are also developing new products, but the practice is not yet widely popular.

The development may depend on the upcoming regulation of the CBR and the promotion of such services by major banks.

Providing advice based on pre-determined limited information, despite any technology, may render such methods inefficient. Thus, success depends on the information available for AI and used for portfolio formation, and the frequency of any updates. Robo-advisory services would be more useful for smaller clients.

Business lending business or loans are regulated by Part Two of the Civil Code of the Russian Federation No 14-FZ of 26 January 1996, Federal Law No 151-FZ of 2 July 2010 “On Microfinance Activities and Microfinance Organisations” (the “Microfinance Law”), Consumer Credit Law, Federal Law No 486-FZ of 31 December 2017 “On Syndicated Credit (Loan) and Amendments to Certain Legislative Acts of the Russian Federation” (the “Syndicated Credit Law”), the Bank Law, Federal Law No 102-FZ of 16 July 1998 “On Mortgages (Real Estate Collateral)”, Federal Law No 259-FZ of 2 August 2019 “On attracting investments using investment platforms and on amendments to certain legislative acts of the Russian Federation" and the CBR instructions.

With the development of new technologies, more banks and microfinance organisations are giving loans on different terms. Differences in regulation mostly concern AML/KYC, contract form, and compliance requirements.

As of today, certain acts stipulate the operation of marketplaces for the organisation of remote retail distribution of financial products (services), including loans and the registration of financial transactions. These acts are the following: Federal Law No 211-FZ of 20 July 2020 “On the execution of financial transactions using a financial platform” and Federal Law No 212-FZ of 20 July 2020 “On Amendments to Certain Legislative Acts of the Russian Federation Regarding the Performance of Financial Transactions Using a Financial Platform”.

Although there is no special regulation concerning underwriting used by industry participants, some aspects related to underwriting issues were mentioned in several acts, such as: Government Decree No 28 of 11 January 2000 “On Measures to Develop the System of Housing Mortgage in the Russian Federation (with further amendments); Letter of the CBR No IN-015-53/64 of 8 September 2016 “On Directive 2009/138/EC of the European Parliament and the Council of the European Union of 25 November 2009 "On the Organisation and Operation of Insurance and Reinsurance Organisations (Solvency II)”. Please see 10 Insurtech for more information.

The source of funds is generally that of an investor or a syndicate of investors. For more information as regards regulation, please see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities.

The syndication of loans is regulated by the Syndicated Credit Law, which defines the rights of the borrower under a syndicated loan agreement, the essential terms, the procedure for assignment of claims by a lender, etc.

The borrower can be a legal entity or an individual entrepreneur. Creditors can be credit organisations, State Corporation “VEB.RF”, foreign banks, international financial organisations, foreign legal entities that are entitled to enter into credit agreements in accordance with applicable law, non-state pension funds, management companies and specialised depositories of investments, mutual funds, private pension funds, development institutes of the Far East, specialised societies for project financing, or state funds for industrial development.

Payment processing is a highly regulated part of the market. Certain changes to the NPS Law and other acts were brought in during 2020 (draft laws are to be introduced in 2021).

New technology is introduced actively by most of the local players – from Rostelecom to mobile operators – and payment processing systems that participate in the FinTech Association and its initiatives with the support of the CBR (as mentioned above), including instant payments, the Marketplace and remote identification.

Predominant money transfer operators include the CBR, VEB.RF, and regulated credit institutions, and non-bank credit organisations (NCOs). E-money transfers are conveyed by operators subject to increased regulatory requirements. There is a limited payment NCOs licence allowing only funds transfers.

Cross-border operations are regulated by a complex set of acts, primarily the NPS Law and those acts regulating banking activity, the international treaties of Russia and the CBR bilateral treaties.

The CBR is publishing surveys on foreign system operations that are worth addressing – eg, a comparison of the Federal NPS Law with the international experience, based on the examples of US legislation and Directive 2007/64/EC, including its implementation in the UK.

Some important limitations may apply to foreign payment systems with regard to their localisation and server placement in Russia.

Sanctions obviously affect Russian banks' operations abroad.

Fund legislation in Russia is less developed than that of Luxembourg or the Cayman Islands for investment vehicles. Nevertheless, such activity is highly regulated. The main act is the Federal Law “On Investment Funds” No 156-FZ of 29 November 2001 (the IF Law). Based on said law, it can be concluded that an investment fund is a form of collective investment. The main principles regulating its work can subsequently be characterised as follows: availability of state protection of interests of shareholders; striving to stimulate investment activity; combination of state and independent control, and disclosure of information.

Good faith, arm’s length and other standard practices apply although no code of ethics or any similar document exists. The CBR regulates and supervises market manipulation, insider trading and general compliance. Specific contract terms combine the legal requirements and general practice.

For detail on the Marketplace and crowdfunding investment platforms, please see 1.1 Evolution of the Fintech Market.

Cryptocurrency or token-trading (with some exceptions) is not yet fully within the legal field; the practice is rather negative. The classic trading activities are covered by the Federal Law “On Organised Trades” No 325-FZ of 21 November 2011 (with further amendments), and are organised via special regulated entities conveying organised trading services in commodities and financial instruments (exchanges, trading systems). They can be the first applicants for the new licences for DFA trade and exchange, accordingly.

The main players with regard to marketplaces and trading platforms are the Moscow and St. Petersburg Stock Exchanges, and the St. Petersburg International Mercantile Exchange.

Forex dealers are subject to the Federal Law “On the Securities Market” No 39-FZ of 22 April 1996 (the SM Law) and may only convey trades in foreign currencies.

Trade in various asset classes is subject to general rules (market manipulation, activities regulation and codes of conduct, requirements for participants in the various CBR regulations) and special rules (based on the applicable asset-related norms like the Civil Code and the Federal Law “On Companies Limited by Shares” No 208-FZ of 26 December 1995 for shares and bonds, the SM Law, Regulation of the CBR No 534-P of 24 February 2016 (Regulation 534), and specific financial market regulations for other instruments).

The exchanges establish different rules and limitations for different classes of traded instruments, as well as for for each type of market participant.

DFA is a new asset class. Cryptocurrency is defined as “digital currency” (DC) but any digital asset or code contained in an information system based in Russia may be held a DC. This creates dangerous confusion.

There is yet to be any regulation on cryptocurrency trade or exchange, apart from DFA exchange (see 12 Blockchain and 7.1 Permissible Trading Platforms).

The CBR regards cryptocurrencies as money surrogates. Russian customers register at exchanges abroad. ICOs with Russian routes are structured outside of Russia, except for the DFAs issued locally and their exchanges. Crowdfunding Law also provides for a digital asset that can be legally issued at regulated platforms, but its application is limited.

Cryptocurrency exchanges operating with foreign crypto and tokens cannot obtain a licence in Russia so far. 

New amendments in the legislation offer poor explanations of the secondary market rules after the digital assets issue at the new crowdfunding platforms (unlike Belarus, which has given a home to three Russian-rooted exchanges under local Decree No 8 “On the Digital Economy Development”). Together with that, several players have already obtained regulation under the new digital assets related acts.

Listing is governed by the SM Law and Regulation 534 including the recent amendments, as well as other CBR acts and rules of exchanges.

Securities may be included in the lists of securities admitted to organised trades in the process of placement and turnover. The listing record  is made by the regulated trade organiser. The exchange may include securities in quotation lists of the first and second levels, except for certain securities (in particular, for qualified investors). The listing is based on the contract with the issuer or a person with obligations deriving from the securities.

The listing of issued securities, bonds, state and municipal securities for a limited number of subscribers, investment fund shares, mortgage certificates and foreign issuers' shares are subject to respective specific terms and conditions. The rules differ slightly for foreign issuers, ensuring the protection of the local subscribers' rights.

The principles of order handling are governed by the SM Law and applicable regulations. The general good faith principle applies to brokers, whereby client orders shall be processed equally in the order of receipt. Client transactions shall have priority if the broker carries out the activities of a broker-dealer. Conflict of interest rules apply, and there is compensation liability for the broker under the general civil law if said broker fails to inform its client of said conflict before the order receipt and any losses arise for the client.

General requirements are mentioned in the CBR Regulation No 577-P “On the Rules for Maintaining Internal Accounting by Professional Participants of the Securities Market Carrying Out Broker, Dealer Activities and Securities Management Activities” of 31 January 2017 and resemble the EU and UK norms. Any changes shall be noted in the internal accounting accordingly.

Professional market participants shall be members of the corresponding self-regulated organisations, which elaborate the professional ethical standards and codes of conduct (eg, NAUFOR – the National Association of Stock Market Participants). The standards refer also to the internal documents with procedures preventing conflicts of interest. The CBR issued draft recommendations regarding insider information access and confidentiality procedures back in 2016.

Consumer rights protection was improved in 2018 regarding investment advisory services, particularly for robo-advisory services. New technologies affect investment portfolio formation and transactions handling for clients. Investment advisers are subject to the KYC and AML obligations, and must be members of the self-regulatory organisation and registered with the CBR, and comply with its requirements. Roskomnadzor ensures the protection of general customers' rights.

No special regulations have been imposed in this sector.Cryptocurrency platforms operate in a grey zone, if not illegally. Foreign crypto-exchanges operate with Rubles – eg,the Binance P2P platform has added Rubles support, but no activity is conveyed officially from Russia and there is no local entity.

Please see 7.5 Order Handling Rules.

Brokers are subject to general good faith and other principles, and no specific order flow payment rules have been introduced. They are not prohibited, but hidden rewards for the execution of clients' orders (OTC, in particular) may be in breach of the current regulations.

No response has been provided in this jurisdiction.

No specific regulation has yet been implemented on the use of new technologies in trading, nor on algorithmic trading or high frequency trading (unlike in the EU or the USA). As the regulator, the CBR is monitoring trade activity in organised trades, and controls unfair trading and other aspects of compliance. In 2019, the СИК identified 237 organisations with signs of financial pyramids. The СИК is actively engaged in regulation high-frequency and algo-trading area and annually issues instructions and recommendations (eg. Instruction No 201-I of 13.01.2020 “On the procedure for the Bank of Russia to check compliance with Federal Law No 224-FZ of July 27, 2010 "On Combating Illegal Use of Insider Information and Market Manipulation and on Amendments to Certain Legislative Acts of the Russian Federation" and the regulations of the Bank of Russia adopted in accordance with the mentioned act”.

General regulatory requirements apply to market participants, whether they are using technology or not.

No distinction is made regarding specifically high frequency and algorithmic trade.

No response has been provided in this jurisdiction.

Such platforms are not subject to specific regulation (licence).

The spreading or dissemination of information may be subject to prosecution and damages claims and regulated players may be in breach of licensing requirements for spreading untrue and misleading information. Customer protection regulations also apply.

Insider dealing is a different matter, regulated by Federal Law “On Countering Illegal Use of Insider Information and Market Manipulation and on Amendments to Certain Legislative Acts of the Russian Federation” No 224-FZ of 27 July 2010 (with further amendments). Regulated market participants shall keep lists of insiders and insider information (ie, any precise information not in the public domain, the disclosure of which may substantially affect the price of a financial instrument, currency or commodity). Public distribution of false or misleading information resulting in a substantial deviation in trading volume, prices, supply or demand may be treated as market manipulation and may result in penalties and the deprivation of a licence.

There are no special rules, but the above-mentioned general rules of business conduct and best practices apply in the cases of both social and legal conversation.

The main trends that determine the development of the insurance technology market in Russia are:

  • the distribution of electronic policies of compulsory civil liability insurance for vehicle owners (OSAGO);
  • the application of telematics and monitoring technologies, including embedded and wearable devices (fitness trackers, etc) for life and health insurance; and
  • the use of smart contracts, big data analysis technologies and robotising routine operations for tracking customers.

The Marketplace also covers some insurance services. Successful insurtech examples include Adaperio and MEDO. Several leading insurance companies (AlfaStrakhovanie, Ingosstrakh, Rosgosstrakh) are developing online platforms.

Federal Law “On Compulsory Insurance of Civil Liability of Vehicle Owners” No 40-FZ of 25 April 2002 (as of 9 January 2018) has marked the beginning of tariff liberalisation. The insurers can now offer clients individualised prices by using neural networks.

According to the Order of the Government of Russia No 1797-p of 14 August 2019 “On Approval of the Service Export Development Strategy until 2025”, the projected average annual growth rate in 2018–2025 is 9.7% for financial services and 10% for insurance services. This would require an update of the existing insurance ecosystem regulation. At the moment, insurance activity is regulated by Law of the Russian Federation No 4015-1 of 27 November 1992 “On the Organisation of Insurance Business in the Russian Federation” (the “Insurance Law”), the Civil Code, Federal Law No 40-FZ of 25 April 2002 “On Compulsory Insurance of Civil Liability of Vehicle Owners”, Federal Law No 177-FZ of 23 December 2003 “On Insurance of Deposits at the Banks of the Russian Federation” and several other acts governing specific areas of insurance.

Life, pension, health, transportation, agriculture, property and civil liability insurance may be provided in Russia, as well as insurance for business and financial risks, and other specific types of compulsory insurance.

Any insurance services provider shall be licensed by the CBR and have the corresponding minimum share capital.

Since 2020 the State Corporation “Deposit Insurance Agency” should insure deposits opened at financial organisations via an electronic platform.

Regtech and suptech are the key development directions in the NDE Programme and the CBR Main Directions. Other state and municipal bodies are highly involved in this process together with the FinTech Association, special autonomous NCOs, competence centres, research institutes and commercial technology developers and accelerators.

The CBR Road Map includes the implementation of projects and initiatives of financial market participants to reduce the regulatory burden, improve the quality of supervision, optimise compliance and increase efficiency.The CBR sandbox priority areas include piloting digital technologies.

The government is actively working on the public services unification and access for citizens, facilitation of the state-business-citizens interaction and costs reduction.

General matters are applied in contracts (personal data protection, liability, etc). No specific regulation has yet been provided regarding regtech technology providers' agreements.

Financial firms would include terms ensuring compliance with the regulations upon the integration of a service or product, covering cybersecurity.

Automated contract execution is being implemented. The first securities transactions with smart contracts have been conveyed by the National Settlement Depository executing an order from Raiffeisenbank to buy MegaFon bonds.

Blockchain is one of the main technologies to be implemented according to the NDE Programme and Main Directions. Rostech (the Russian Technologies State Corporation) is the organisation in charge of its implementation in the public sector.

The CBR is one of the active supporters of blockchain, together with Sberbank (which has its own blockchain laboratory) and other key FinTech Association players. Regions are also elaborating local blockchain-based products.

Most players implement DLT products for various purposes, including Rostelecom, MegaFon (Cometrica), MTS, M.Video, Eldorado with Sberbank and Alfa-Bank, Raiffeisenbank, the State Corporation VEB.RF (with Ethereum), Sberbank, Alfa-Bank (with X5 Retail Group) and Norilsk Nickel.

Blockchain is widely used in regtech (eg, collaboration with Waves platform for government services, Bitfury Group products use and more) – see 11 Regtech.

Unfortunately, many Russian projects have had to find other jurisdictions for the launch of new cryptocurrency and asset digitalisation businesses. Three blockchain acts (see 1.1 Evolution of the Fintech Market) have taken and reached the end of a difficult path. The CBR, the Ministry of Economics and the Ministry of Finance have major discrepancies in their approach to overall regulation. The CBR has taken a restrictive position on crypto as a Ruble competitor or potential threat.

The Russian Civil Code now establishes the concept of “digital rights” that can be fixed using electronic or other technical means if said rights can be identified on a tangible medium.

The Crowdfunding Law regulates relations arising in connection with investments using digital investment platforms. It defines the legal basis for blockchain activities of investment platform operators and regulates the issue and circulation of digital utility rights, as well as the offering and circulation of securities certifying such digital utility rights.

As of 1 January 2021, the DFA Law regulates relations that arise in the process of creating, issuing, storing and circulating digital financial assets, as well as exercising rights and fulfilling obligations under smart contracts. Despite being the most desired update for the crypto market, it has not yet become a breakthrough.

Nevertheless, Russia enters 2021 with three main acts in force. Without clear legal norms (regulation) and CBR support on crypto-assets trading and digital tokens classification, especially of foreign origin, as well as no regulations from the Ministry of Finance as regards declaration of such assets, it is difficult to talk about proper regulation of this market. Great progress has been achieved but a lot is yet to be done.

A complex series of other legal acts influencing the financial aspect of this technology may also apply to its implementation.According to the Resolution of the Supreme Eurasian Economic Council of 1 October 2019 No 20 “On the Concept of Forming a Common Financial Market of the Eurasian Economic Union”, part of the common payments area development is the development of financial technologies. These include DLT, digital identification (biometrics) and open APIs, with the idea that Russia and other member states should have harmonised blockchain regulation.

The NDE Programme provides for the gradual automatisation of certain rulemaking and law enforcement practice processes, including blockchain.

Recent amendments to the Information Law have added the distributed ledger (DL) definition as a set of databases where specified algorithms provide for the identity of the information contained. An information system (IS) can be created and operated at a DL. An IS operator shall establish an algorithm for creating, storing and updating information contained in the DL, as well as an algorithm that ensures the specified information identity in all databases of the DL and ensures the validation of their implementation in the IS. An operator of an IS at a DL must ensure that it is not possible for other people to make changes to the algorithms. Such DL definition seems incomplete and can cause confusion with algorithmic trading, for example. Terminology should be unified in all acts that may refer to DL technology implementation.

The new ELR Law should facilitate technologies testing in a sandbox regime.

The blockchain assets classification in Russia differs from that known in of, for example, Switzerland and Malta. DFA are recognised and shall be issued locally via regulated players. They are digital shares or investment instruments mostly. Utility tokens under the Crowdfunding Law are not the same as in the above countries, but are special tokens issued via the regulated local platform in compliance with this Law. Cryptocurrencies may be confused with air miles or certificates and require additional qualification. Practice is also ambiguous. The CBR acts and comments of the Ministry of Finance are highly required for clarity and proper market functioning.

The CBR has defined cryptocurrency as a decentralised virtual currency based on mathematical algorithms and protected by cryptography methods.

As per the DFA Law, digital financial assets (DFA) are digital rights including but not limited to: monetary claims; the ability to exercise the rights to equity securities; the right to participate in the capital of a non-public joint-stock company (JSC) that may only be issued, accounted for and transferred by making (amending) records in distributed ledger-based and other IS. Digital Currencies (DCs) may be qualified as DFAs but, according to the above definitions and the CBR’s position, the legal status of DC and the limitations of their turnover would differ. DC and DFAs are two different terms and concepts. At the same time, as previously mentioned, the definition of DC as well as its understanding by the Russian lawmakers is uncertain. On the one hand, this uncertainty creates problems for practitioners and raises reasonable doubt. On the other hand, it is an opportunity.

There is a lack of clarity in argumentation and a high level of inconsistency in judicial and enforcement practice. Practice based on these new acts has not yet been formed.

The DFA Law states that an operator of an IS where DFA are issued may be a legal entity in the register of IS operators whose lex personalis is Russian law. This includes a credit institution, a person who has the right to carry out depository activities and a person who has the right to carry out the activities of a market operator.

The issue, record and circulation of DFA that certify the rights to participate in a share capital of a non-public joint-stock company that issues such assets should be regulated by Federal Law No 39-FZ of 22 April 1996 “On the Securities Market”, with the specifics provided for by this draft law.

The rights certified by DFA arise for their owner as soon as they are registered in the IS.  Issuance of a DFA occurs when there is a record of crediting DFA to a specified person. In cases provided for by the CBR, DFA may be credited to a nominee holder. Such nominee holder cannot be an operator of an IS that issues such DFA.

How to work with foreign tokens, and cryptocurrencies, and foreign-regulated cryptomarket players remains unclear.

There is no possibility of regulation for blockchain asset trading platforms, except for in the case of DFAs which are crypto-related assets and not the technology itself. Many companies are structured through other jurisdictions.

According to the DFA Law, all exchange, purchase and sale operations of DFA on the secondary market are conveyed exclusively through the licensed operator. No foreign assets trading can yet be regulated, and secondary trading of utility assets issued under the Crowdfunding Law remains an ambiguous area with limited application and no access to foreign markets.

In Russia there is no current regulation of funds invested in blockchain assets. At the moment, many investment funds with Russian beneficiaries or roots are structured through the Cayman Islands or other jurisdictions while waiting for proper legislation in Russia.

As mentioned above, the DFA Law “digital currencies” definition is very inefficient and blockchain assets and virtual currencies are not clearly distinguished. Nevertheless, the new acts give a general understanding of virtual assets and the protection of digital assets as property. It should be noted that the CBR has published a report for public discussions and consultations regarding the Digital Ruble (whose counterparts we have seen in China and Sweden). This has been at the centre of discussions since autumn 2020.

GDPR rules, in their current state, do indeed create conflict with the blockchain technology implication whereby data cannot be deleted. New amendments should be introduced to address this problem accordingly. Data protection and customer protection regulations require updates or rather regulators' comments to avoid any potential unintended breach of the current regulations. As far as is known, no practice has yet resulted from such potential breach.

The PD Law applies to persons who use personal data within their blockchain projects. This federal law regulates relations connected with the processing of personal data carried out by legal entities and individuals via information and telecommunications networks.

Federal law No 519-FZ of 30 December 2020 “On Amendments to the Federal Law “On Personal Data”" has been adopted (in force as of 1 March 2021), and shall introduce new regulation regarding personal data storing and processing (the rules of processing and storing are explained).

The Russian banking sector is well regulated but there is not yet specific regulation regarding open banking. Russian regulators, on one hand, are closely watching EU payments reforms amid pressure from domestic providers to open Russia's vast banking sector and mandate third-party access. On the other hand, non-bank fintech firms (such as Yandex.Money) are highly interested in the development of regulations similar to PSD2 regulations in Russia.

Banks are actively integrating technology solutions for clients to keep up with competition, and are looking at optimal ways for the integration of the open banking concept and APIs.

To the extent that open banking generally is not regulated and may not be fully in line with the existing rules, it cannot be used in full without the development of new legislation and changes to the current acts. The CBR is working on this, together with the FinTech Association, by elaborating ways to implement the PSD2 principles in Russia and developing open API solutions. The British experience has been taken into account.

Rapid payments are an important project of the CBR and the FinTech Association and have resulted in the Rapid Payments System using the open API. The ESIA and remote identification developments are also important parts of the whole system's development.

On 15 August 2019, the Supervisory Committee of the FinTech Association approved the Open API Concepts. It is expected that the interfaces will be the standard by which to increase the speed and quality of services. Now the Association, that shall become the open API piloting platform, is elaborating recommendation principles for the CBR.

More pilot projects are currently under development.

Players must comply with the current applicable norms, including the PD Law, the various regulatory acts implementing it,  and the Information Law, with basic rules as to the data and its protection. The Russian Labour Code provides for the protection of employees’ personal data, and other acts may also contain relevant provisions in relation to specific areas of state services or industries.

Cybersecurity standards and related issues are causing problems and are the subject of CBR concern.; Work on this continues to progress.

GRAD Legal & Financial Advisory Services

105064 Russia
19 Gorokhovsky Lane

+7 903 969 62 11
Author Business Card

Law and Practice


GRAD Legal & Financial Advisory Services has offices in Moscow and Geneva, and can provide services in English, German, French, Italian, Ukrainian, Spanish and Georgian. The firm works with major Russian and foreign banks, venture capital funds, financial institutions and innovative companies and start-ups by advising on different aspects of applicable laws and regulations. It provides a range of legal services to clients, from standard corporate matters to the most complex issues. Major practices are investments, regulation of digital technologies, IP, corporate structuring, M&A, financial activities licensing, international taxation, corporate law, venture capital, international and Russian commercial arbitration, litigation and private wealth. Sectors covered include fintech, new technologies, banking and finance, media and communications, pharmaceuticals and medicine, e-commerce and retail, real estate and construction, agriculture, sports and tourism.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.