The digitisation of the financial markets is currently accompanied by exciting and rapid developments in the industry. Austria is following this trend and is establishing itself as a regional driver for innovation in the financial sector.
Financial technologies, or fintechs, are quickly changing the finance and banking sectors, with the result that sometimes even entire markets are being moved to the internet. Fintechs make it possible to trade, invest or borrow money without ever having to deal with a traditional bank.
In general, the diversity of fintech start-ups is increasingly on the upswing in Austria. From innovations in card payments, smart payment options to quick and easy granting of small loans, the number of people and companies with new ideas for the financial industry is constantly increasing.
According to a previous study of the Austrian central bank (OeNB) there are more than 100 companies that qualify as fintechs according to their business models. Most Austrian fintechs are start-ups and SMEs. Three quarters of them are located in Vienna.
The COVID-19 pandemic led to an exceptional situation with profound consequences for Austrian society and its economy. However, while investors have held back on funding in financial start-ups, Austrian fintechs have generally been able to assert their position in the market. This is due to increased co-operation between incumbents and fintechs as third-party providers. In addition, some established banks have developed innovative products, mostly in co-operation with fintech companies.
The Austrian Financial Market Authority (FMA) has been dealing with the subject of fintech in Austria for some time, in particular with the questions of what a fintech is and what challenges it faces.
Fintechs are financial innovations based on information technology that:
From a new payment app to automated consulting systems, the term is broad and encompasses a variety of different models that affect numerous supervisory areas.
In Austria, fintech companies operate in all various subsectors, such as alternative lending platforms, automated banking advice tools, insurtechs, digital payment operators, crowd investing platforms, online prepaid payment providers, robo-advice and alternative platforms for investment strategies, traders for crypto-assets, and technical service providers for fintechs.
The Austrian fintech industry is most active in providing interfaces and technical support for financial service providers, followed by the business areas of crowdfunding and crowd investing, virtual currencies and alternative payment methods, automated advisory methods such as robo-advisers and, finally yet importantly, mirror trading. "Virtual currency" and – associated with this – blockchain software are becoming increasingly important. However, the payment sector remains the most important fintech sector.
Due to the fact that there are no fintech-specific laws in Austria, fintech companies may be subject to various regulatory licensing requirements depending on the particular business model:
In addition, public offers of securities or investments might trigger a prospectus requirement pursuant to Regulation (EU) 2017/1129 (the "Prospectus Regulation") or the Capital Markets Act 2019 (KMG 2019).
This is especially important in the crypto sector. Here, initial coin offerings or initial token offerings can trigger a prospectus requirement. This, however, depends on the features of the coin or token and requires careful examination of the case at hand.
Special compensation models to charge customers do not exist under Austrian law. One possibility is to charge fees for the services provided.
Currently, there are no regulations that are specifically tailored to the fintech industry. As a result, the fintech sector often applies laws and standards that were tailored to the non-digitised old economy.
However, there are efforts by the legislator to change this. In this context it is worth mentioning the Crowdfunding Enforcement Act, which entered into force at the beginning of 2022 and serves to make the EU Crowdfunding Regulation applicable with a Union-wide harmonised legal framework for the provision of crowdfunding services.
Based on the amendment of the Financial Market Authority Act (FMaG 2016), the FMA opened a regulatory sandbox programme for fintech models in September 2020. It aims to pave the way into supervision for young fintechs or their co-operation with incumbents regarding fintech business models.
The process can be divided into four phases.
The first phase clarifies whether the business model to be examined by the FMA is subject to its supervision. It considers whether a threat to financial market stability or consumer protection is to be expected, or whether a licensing obligation exists.
The next phase is the pre-support phase. Here, the FMA works closely with the sandbox participants and offers legal support in the context of a possible licensing procedure.
This is followed by the third phase, the "test phase". In this phase, the company is allowed to carry out activities requiring a licence under the supervision of the FMA.
After the test phase, the business model is evaluated and released from the sandbox and transferred to regular supervision. If the requirements are met, a decision is made to lift the restrictions in the licence/registration notice.
As explained in 2.2 Regulatory Regime, a large number of regulatory provisions apply to fintechs. The regulatory conditions are defined especially: (i) by the requirements of the European legislator, and (ii) by the national legislator, whereby European law generally takes precedence over national law. In practice, an exact demarcation is only possible to a very limited extent, since both areas of regulation interlock and have a large number of interrelationships.
As a rule, transactions are not only offered by one provider, so that all steps require a separate examination of whether and which regulatory provisions apply. As different providers, all actors handling a transaction come into consideration. An examination must be carried out from the point of view of whether purely technical services or services subject to a licence are provided.
Thus, all actors have to comply with general Austrian provisions, such as the protection of banking secrecy. In Austria, a violation of banking secrecy has significant civil and criminal law implications. The provision of payment services, for example, may lead to the applicability of the Payment Services Act 2018 (ZaDiG 2018). Due to the considerable legal consequences of a violation of regulatory provisions, these must be taken into account when drafting the contract.
With the large number of applicable regulations, there are provisions that apply in any case and thus cannot be circumvented by outsourcing. However, as far as possible, regulated areas should be passed onto regulated market participants, as the capacities of a fintech are not sufficient for this.
Providers of financial services must comply with the provisions on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing. Both participants in the financial market, such as credit institutions, and other traders are subject to certain obligations. The necessity of complying with such obligations is first and foremost the provision of regulated activities. All relevant provisions, as set out in 2.2 Regulatory Regime, contain a reference to the provisions on the prevention of money laundering and terrorist financing. In addition to the regulatory provisions, the Industrial Code can also be the basis for the necessity of compliance with these legal framework conditions. As well as direct applicability, there may also be indirect applicability of the provisions, provided that services are provided to regulated market participants.
There are no specific enforcement actions tailored to fintechs in Austrian legislation. Nevertheless, the FMA has addressed the issue from the point of view of which regulatory environment is applicable. It remains unclear whether the general provisions will also cover the area of "fintech" in the future or whether this intensified discussion of the topic will lead to a more specific regulatory approach to fintechs.
From a data protection point of view, fintechs, just like any other company, must comply with the applicable provisions, in particular the EU General Data Protection Regulation (GDPR) as well as the Austrian Data Protection Act. The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form a part of a filing system. Therefore, a data protection declaration is required that regulates the processing and use of customers' data. In addition to the data protection declaration, precautions must also be taken for the exercise of the rights of the data subjects, in particular the right to rectification, the right to erasure ("right to be forgotten") and the right to restriction of processing.
Cybersecurity is a decisive aspect for fintechs due to the nature of the activity as well as the usually large amount of data processed. In this area, it can be assumed that the fintech has a large number of obligations to ensure a sufficiently high level of protection for customers. The importance of this aspect is also reflected in the fact that a separate sub-area has now been established, specialising in cybersecurity solutions for fintechs. Parallel to the growth of the fintech market, this area has also grown steadily.
Social Media Content
The presence of fintechs on social media channels entails the need to observe the legal framework in this area. In this area, competition law, copyright and data protection framework conditions are particularly relevant.
In software development, for fintechs as well as other companies, legal framework conditions must be observed from the outset, which are necessary for successful development and later probation in the application. The software development can initially be done by the company itself, but also by way of a contract with a third party. In development, copyrights of third parties must be observed, in which no intervention may be made, otherwise the further development and market launch may fail as a result. Once the development has been completed and the software is offered to the individual customers, warranty and compensation claims can be asserted if the software is defective.
All these aspects, as well as regulatory framework conditions, should be considered at an early stage in order to avoid later negative effects in the ordinary business operations.
The expertise of auditing firms is an important factor in the establishment of fintechs. Auditing firms accompany the companies economically under the given legal framework conditions. From a legal point of view, the entrepreneur has the obligation to run the company with the care of a prudent businessman. In order to comply with this standard, the entrepreneur must make a sufficiently detailed plan with regard to the entrepreneurial activity. This plan must consist of short-, medium- and long-term objectives. The liquidity of the company, the planned income and the asset situation of the company must be presented. The presentation should not be limited to a mere representation of numbers, but should provide a comprehensive description from which these numbers can be derived. The auditing firms support the preparation of the business plan with an analysis of the strengths and weaknesses of the business case including an assessment of the market. As a result, the company is continuously accompanied and, if necessary, supported in the individual aspects mentioned.
Further, the market is increasingly showing that companies specialising in fintechs and their foundation and management are also establishing themselves. Here, too, the constant growth of the fintech market has led to the emergence of advice that is increasingly specialised in sub-areas.
It can be seen that primarily regulated entities are expanding their business area with the involvement of fintechs. In addition, new fintechs are coming onto the market that have a focus on the banking business. A third category combines different business models, regulated as well as unregulated. In this way, the banking business can be linked to a wide variety of other business models. Various business cases are combined, whereby in addition to well-known business models, emerging areas such as e-sports are also included. However, in the case of start-ups, it is clear that the regulatory requirements are one of the biggest hurdles.
Fintechs have to comply with AML requirements if they provide activities that require a licence and are therefore subject to the FMA’s supervision. This applies to credit and insurance institutions, securities companies, alternative investment funds, payment service providers and e-money institutes. In addition, the AML requirements are also applicable for service providers of certain business models based on virtual currency.
Different asset classes initially require different business models, but the advice itself increases in quality with the most comprehensive data processing possible.
Legacy players are able to develop their own robo-advisers and implement them in their business model; this also enables them to operate their business independently of external factors. So far, however, this approach does not seem to have caught on. Strategic partnerships in this area will therefore remain important for the time being.
The best execution of customer trades will ultimately depend on the programmes being integrated into the business model in the best possible way in order to make the best possible use of the advantage of this technology on the basis of a proven system.
However, the principle of best execution as a benchmark for possible liability must be observed when using robo-advisers. Due to a lack of sufficient empirical values, it is no known to what extent this standard of liability can be applied directly or requires appropriate modifications. However, there is no justification as to why the standard of liability should be lower. Due to the amount of data that can potentially be processed, it is likely that new standards will be set in this area.
There are differences between lending to private individuals and companies. There are structural differences in the financing itself as well as different economic and legal framework conditions. For example, if an entrepreneur grants a loan to a costumer, the Austrian Consumer Loan Act applies. The Consumer Credit Act provides for comprehensive information obligations on the part of the lender to protect the borrower, and grants the borrower various rights, such as the right to early repayment of the loan.
Industry participants use underwriting processes to conduct research on customers and their creditworthiness as well as insurability. There are no special regulations for this area, but due to automated data processing (sensitive data), data protection barriers, in particular the rights of those affected, must be observed.
The most common sources of funds for loans are classic lines of credit, peer-to-peer, taking deposits and lender raised capital. In Austria, the central source of law is the Banking Act (BWG).
Syndications of loans only occur in rare cases.
Payment processors can use existing payment rails or may they create or implement new ones.
Cross-border payments and remittances are primarily regulated by the Payment Service Act 2018 (ZaDiG 2018).
Fund administrators are regulated by the Alternative Investment Fund Manager Act (Alternative Investmentfonds Manager-Gesetz – AIFMG) depending on the specific activity.
Fund advisers can contractually adjust the provisions that apply under the specific legislation for fund administrators and general civil law to the extent permitted by law in order to achieve a higher level of protection, although the specific results can vary greatly in individual cases.
The permissible forms are derived from the legal environment, whereby basically any type of fintech is available. The legal environment of trading platforms is largely defined by the Banking Act (BWG) and Securities Supervision Act 2018 (WAG 2018). The relevant legal regulations are therefore dependent on the specific service offered. Regulatory provisions come into consideration. Irrespective of this, general provisions under civil law, public law and criminal law must always be taken into account.
Different regulatory framework conditions only exist in so far as the regulatory requirements applicable to all are applied in different forms.
So far, cryptocurrencies have not yet led to a significant change in regulation. To date, an attempt has been made to integrate this new technology into the existing legal framework.
Cryptocurrencies are not subject to the control of the FMA. However, this supervisory authority can become relevant if individual services fall within a regulated area.
The Securities Supervision Act 2018 (WAG 2018) is particularly relevant in connection with order handling. The forwarding of orders to banks, brokers or issuers falls within the scope of the acceptance and transmission of orders under the WAG 2018.
The emergence of peer-to-peer trading platforms is changing market conditions for both traditional and fintech players. However, peer-to-peer trading platforms also have to observe all regulatory framework conditions, if applicable.
According to the FMA, the Securities Supervision Act (WAG 2018) is applicable at least in some areas. The authority assumes that investment advice in accordance with WAG 2018 is applicable for investment strategies tailored to the customer with entry and exit scenarios. The principle of "best execution" also applies to WAG 2018. In particular, claims for damages by the customer can be derived from this principle in the event of a violation.
The business model "payment for order flow" is currently under investigation by the European legislator. It is assumed that conflicts of interest may arise. It is currently being checked whether there is compliance with the existing legal framework specified by the European legislator. There is no regulation tailored to this area yet.
The basic principles of market integrity and market abuse are essentially derived from the regulatory environment and any civil law claims, in particular claims for damages.
Within the scope of the Banking Act (BWG), it is irrelevant whether trading is based on an algorithm or not. In principle, the use of a trading algorithm does not require a licence. However, the bank or broker must have a licence. Depending on the specific structure of the service relationship, other provisions of the Securities Supervision Act (WAG 2018) may also be applicable.
When functioning in a principal capacity, the players have to observe the provisions of the Stock Exchange Act (BörseG) and the Transparency Ordinance 2018 (Transparenz-Verordnung 2018).
Funds and dealers have a different structure and are therefore covered by regulatory provisions to varying degrees.
Programmers are not regulated, apart from general restrictions (civil law, public law and criminal law). The prerequisite for this, however, is that the algorithms are only used by the users themselves.
Financial research platforms are not subject to restrictions.
The spreading of rumours and other unverified information is not regulated. Such information can only be relevant in relation to a possible claim for damages, if the action is culpable; criminal law provisions can also be relevant if damage is intended by the actor.
Such behaviour can, as mentioned under 9.2 Regulation of Unverified Information, only be relevant in relation to a possible claim for damages, if the action is culpable; criminal law provisions can also be relevant if damage is intended by the actor.
The acquisition of information is also crucial in the insurtech area. The possibilities for collecting information and evaluating it vary. The approaches differ from well-established systems that are based on personal contacts to systems that use technical data collected in a variety of ways (eg, smartphones, sensors). Aspects of data protection law must always be observed in all areas in which automated data is collected and evaluated.
In the area of insurtech, the Austrian trade regulations must be observed in addition to other regulations. For example, Section 137 of the Austrian Trade Act deals with brokering insurance. Insurance mediation is defined, among other things, as offering, proposing or carrying out preparatory work for the conclusion of insurance contracts or the conclusion of insurance contracts.
Compared to the more established categories of fintechs, regtech still receives comparatively little attention from a regulatory perspective. However, due to the close proximity in terms of content, it can be assumed that the general regulatory provisions are decisive.
In the absence of explicit regulatory provisions, it is possible in this area to contractually write down stricter standards in individual cases in addition to the general standards that must be met to ensure performance and accuracy.
While the implementation of blockchain is always discussed and thought about, as far as can be seen there is still a certain scepticism from the traditional players. In addition to the traditional players, start-ups coming onto the market are still trying to combine proven structures with this new technology. However, it can be assumed that at least most of the traditional players will quickly adapt their concepts once the individual technologies are ready for the market; an ongoing partial implementation is already underway.
The approach of the national legislator and the FMA is essentially based on the question of how to deal with coins such as Bitcoin, Ethereum and Litecoin. This approach is primarily at the regulatory level, whereby there is an attempt to clarify the applicability of existing regulatory provisions on the basis of a missing general definition of the term “coin”.
The current approach and status, as stated under 12.2 Local Regulators' Approach to Blockchain, means that other types of blockchain assets still receive little attention. In practice, there are considerations and efforts to make a classification based on the general provisions, whereby in various areas – already with respect to the transfer of ownership – different questions arise that cannot really be satisfactorily solved with the existing legal framework.
According to the interpretation of the FMA, blockchain assets, such as coins, are not subject to their supervision. However, regulatory provisions may still be applicable depending on the specific activity being performed.
Platforms that trade blockchain assets are required to take a large number of legal provisions into account due to the previously vague legal classification of this activity. A precise definition of the activity performed is of central importance in order to identify and comply with any interactions with legal provisions from a wide range of legal areas. Platforms that trade blockchain assets such as cryptocurrencies and at the same time process payments can fall within the scope of the Payment Services Act 2018 (ZaDiG 2018).
In the case of investments based on capital collected from a number of investors with a corresponding investment strategy, there is the possibility that a licence is required under the Alternative Investment Fund Manager Act. A prospectus requirement according to the Prospectus Regulation is possible, the prerequisite being that it is a public offer.
As shown in 12.2 Local Regulators' Approach to Blockchain, virtual currencies are the area that has received the most attention so far, and in which the financial market supervisory authority has dealt with the subject in detail.
There is no definition of “decentralised finance” in Austrian regulation.
Non-fungible tokens (NFTs) are not regulated in detail. However, practice has shown that there is a fundamental need for regulation, since questions such as the pledging of NFTs have arisen that cannot be clearly resolved.
The Second Payment Services Directive (PSD2) sets the requirements for payment service providers. In the current version, this Directive also affects open banking by granting access to payment systems and accounts. Access is provided to third-party services to access account information or initiate transactions on their behalf.
Open banking in accordance with the regulatory requirements always requires the consent of the customer with regard to the transfer of data. In order to meet the legal requirements in this area, the general data protection regulations as well as specific regulatory provisions, such as banking secrecy, must be taken into account. The data protection declarations, the declarations of release from banking secrecy – and, if necessary, a justification for breaching banking secrecy for other reasons – must be precisely adapted in individual cases and, if necessary, sufficiently justified.
The Evolution of the Fintech Market in Austria
The status quo
Fintechs have steadily gained importance in recent years. The fintech sector has experienced enormous growth and there is increasing specialisation in individual areas. This growth and increasing specialisation constantly poses new challenges for both legislators and companies, as well as for traditional providers (banks) and start-ups.
Austria offers an ever-improving environment for the establishment of fintechs. In general, the diversity of fintech start-ups is on the rise in Austria. Regardless of whether the fintech concerns innovations in card payments, smart payment options, or quick and easy granting of small loans, the number of people and companies with new ideas for the financial industry is consistently evolving.
In Austria, fintech companies operate in all the various sub-sectors, which include alternative lending platforms, automated banking advice tools, insurtechs, digital payment operators, crowd investing platforms, online prepaid payment providers, robo-advice and alternative platforms for investment strategies, traders for crypto-assets, and technical service providers for fintechs. The Austrian fintech industry is most active in providing interfaces and technical support for financial service providers, followed by the business areas of crowdfunding and crowd investing, virtual currencies and alternative payment methods, automated advisory methods such as robo-advisors and, finally yet importantly, mirror trading. The area of "virtual currency" and – associated with this – blockchain software is becoming increasingly important. On the whole, however, the payment sector remains the most important fintech sector.
Even if the legislator has not yet reacted explicitly to these developments in the finance and banking sector, the financial market supervisory authority has been dealing with developments in detail, particularly from a regulatory point of view. The fact that the financial market supervisory authority has taken a pro-active approach is positive as this makes it easier for traditional providers and start-ups to enter the market. The elimination of barriers to market entry is particularly important given that fintechs are rapidly changing the finance and banking sector. Fintechs make it possible to trade, invest or borrow money without involving a traditional bank. The aim of regulation should be to create a stable environment that facilitates the founding and establishment of fintechs from a legal and economic point of view.
A study conducted by the Austrian Central Bank (OeNB) shows a positive trend of more than 100 companies qualifying as fintechs according to their business models. The study also shows that a majority of Austrian fintechs are start-ups and SMEs. However, this does not mean that the traditional banks have not recognised the potential of this development. Traditional banks have two possible approaches to fintechs: on the one hand, they can establish fintechs themselves and, on the other, they can also purchase the services of fintechs, especially in a market that is becoming increasingly specialised.
If a fintech is to be established, a large number of legal questions arise regarding the applicable regulatory framework and other legal provisions.
As noted above, the Austrian legislator has not yet reacted to the developments in the fintech sector. Although this is surprising because a large number of different regulatory provisions apply to fintechs, this may also be the reason why the legislator has not yet acted. Even coming up with an exact legal definition of the term “fintech” causes difficulties. The next question that arises, particularly given the large number of areas of law involved, is whether uniform regulation of fintechs makes sense at all.
Fintech companies, depending on their specific business model, may be subject to the regulatory licensing requirements set out below. It must be noted that the current developments regarding the following provisions are still largely limited to interpreting the individual laws and not changing them. The regulatory licensing requirements are as follows:
In addition, public offers of securities or investments might trigger a prospectus requirement pursuant to Regulation (EU) 2017/1129 (the “Prospectus Regulation”) or the Capital Markets Act 2019 (KMG 2019). This is especially important in the crypto sector. Here, initial coin offerings or initial token offerings can trigger a prospectus requirement. This is, however, dependent on the features of the coin or token and requires careful examination on a case-by-case basis.
Due to the fact that there are no regulations that are specifically tailored to the fintech industry, the fintech sector often applies laws and standards that were tailored to the former non-digitised economy. It should be noted that the legislator has undertaken certain efforts to change this. In this context the Crowdfunding Enforcement Act is worth mentioning. This Act entered into force at the beginning of 2022 and serves to make the EU Crowdfunding Regulation applicable with a Union-wide harmonised legal framework for the provision of crowdfunding services.
Other legal provisions
Provisions on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing
Participants in the financial market, such as credit institutions, as well as other traders, are subject to the provisions on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing. These regulations are continually updated due to changing external factors that are not directly attributable to threats associated with fintechs. In this context, there were some legislative proposals by the European Commission in mid-2021 to amend the provisions on combating money laundering.
From a data protection point of view, fintechs, just like any other company, must comply with the applicable provisions, in particular the EU General Data Protection Regulation (GDPR) as well as the Austrian Data Protection Act. The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing – other than by automated means – of personal data which form part of a filing system or are intended to form a part of a filing system. Due to the topicality of "data protection", the GDPR is constantly under discussion with regard to possible reforms and a large number of implementation steps in various laws are required at the national level.
Cybersecurity is a decisive aspect for fintechs due to the nature of the activity as well as the typically large amount of data processed. In this area, it can be assumed that the fintech has a large number of obligations to ensure a sufficiently high level of protection for customers. The importance of this aspect is also reflected in the fact that a separate sub-area has now been established that specialises in cybersecurity solutions for fintechs. Parallel to the growth of the fintech market, this area has also grown steadily. Developments in the field of cybersecurity must also be observed on an ongoing basis, since this also affects many different areas of law, not least the aspects of data protection law.
Social media content
The presence of fintechs on social media channels entails the need to observe the legal framework in this area. Competition law, copyright and data protection framework conditions are particularly relevant and reforms are constantly being made that must be taken into account. The need for reform arises from the growing awareness of the need for detailed social media regulations.
In software development, for fintechs as well as other companies, legal framework conditions must be observed from the outset as they are necessary for successful development. The software development can initially be done by the company itself, but also by way of a contract with a third party. In developing software, copyrights of third parties must be observed, in which no intervention may be made, otherwise the further development and market launch may fail as a result. Once the development has been completed and the software is offered to individual customers, warranty and compensation claims can be asserted if the software is defective. On 1 January 2022, a reform of the Austrian Consumer Warranty Act came into force, which makes it easier for consumers to exercise warranty rights.
All these aspects, as well as regulatory framework conditions and possible reforms in these areas, should be considered at an early stage in order to avoid later negative effects in the ordinary course of business.
Fintechs on the rise
Developments in recent years suggest that fintechs will continue to play an increasingly important role in the coming years. From the perspective of the legislator, there is still some catching up to do. Until then, however, the existing legal regulations would appear to be sufficient, though individual companies have to pay close attention to which regulations apply to their business model. In addition to the large number of provisions that may be applicable, developments in the individual areas must also be carefully observed. This can involve considerable effort, especially for start-ups, which makes founding and establishing a fintech more difficult. Nevertheless, given the significance of the industry it can be assumed that more and more fintechs will enter the market in the coming years.
With the increasing number of fintechs, it may well become common for individual sub-areas to be covered by specialised companies. If this occurs, this will change the market and the corresponding legal and business advice that will be necessary.