New Developments in Financial Services in Europe and Austria – A Roadmap

Introduction

Fintechs are increasing in number - likely a permanent development that cannot be stopped by temporarily negative external conditions. While 2022 was a mixed year for fintechs (with both positive and negative developments), 2023, at least towards the end of the year, showed positive trends, also accompanied by positive economic developments, in particular through further progress at the level of the legal framework.

However, constant progress is confronted with many specific aspects of fintechs that need to be solved, taking into account the interests of all stakeholders:

• founding of fintechs;
• fintech operations; and
• resolution of fintechs.

These individual aspects must be examined under the respective type of fintech.

From a legal point of view in particular, it is now necessary to clarify which existing (regulatory) provisions are applicable and what conclusions can be drawn and lessons learned. Even if the developments of the last year are to be viewed critically, problems in the wider global economy, which have no connection to the fintech sector per se, should not be misunderstood as specific to fintech.

European framework

The European Commission proposed its Digital Finance Strategy on 24 September 2020, which should introduce a regulatory framework for Markets in crypto-assets (MiCA), a pilot regime for trading and settling in crypto-asset market infrastructures (DLT-Pilot) and a framework on digital operational resilience to prevent and mitigate cyber threats (DORA).

MiCA (Regulation (EU) 2023/1114 on markets in crypto-assets) entered into force in June 2023, and will become applicable in mid 2024. The DLT pilot regime (Regulation (EU) 2022/858 on a pilot regime for market infrastructures based on distributed ledger technology) entered into force in June 2022, became applicable in March 2023 for three years, with the option of extension for another three years. DORA (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) shall apply from 17 January 2025.

This new regulatory framework will have a significant impact on the development of fintechs over the next few years, which is why this newly introduced framework should be examined in more detail and compared with the current legal situation in Austria.

MiCA

MiCA is part of the European Digital Finance Strategy. The intention of the legislature is to harmonise rules for crypto-assets at EU level by (i) providing legal certainty for crypto-assets not covered by existing EU legislation, (ii) enhancing the protection of consumers and investors, and (iii) ensuring financial stability. The regulation seeks to promote innovation and the use of crypto-assets.

MiCA therefore lays down uniform rules for the offer to the public and admission to trading on a trading platform of crypto-assets other than asset-referenced tokens and e-money tokens, of asset-referenced tokens and of e-money tokens, as well as requirements for crypto-asset service providers, especially for the following (Article 1 MiCA):

• transparency and disclosure requirements for the issuance and admission to trading of crypto-assets;
• the authorisation and supervision of crypto-asset service providers, issuers of asset-referenced tokens and issuers of electronic money tokens;
• the operation, organisation and governance of issuers of asset-referenced tokens, issuers of electronic money tokens and crypto-asset service providers;
• consumer protection rules for the issuance, trading, exchange and custody of crypto-assets; and
• measures to prevent market abuse to ensure the integrity of crypto-asset markets.

The scope of regulation covers asset-referenced tokens (ART), electronic money tokens (EMT), and other crypto-assets not covered by existing EU law. ART are defined as a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets (Article 3 paragraph 1 subparagraph 6 of MiCA). EMT are, pursuant to Article 3 paragraph 1 subparagraph 7 of MiCA, a type of crypto-asset, the main purpose of which is to be used as a means of exchange and that purport to maintain a stable value by referring to the value of a fiat currency that is legal tender.

The personal scope of MiCA, pursuant to Article 2 of the MiCA, covers issuers of crypto-assets or those that provide services related to crypto-assets in the European Union.

In a nutshell, the following steps have to be taken by an issuer of crypto-assets, other than ART or EMT:

• it must be established in the form of a legal person;
• it must provide a white paper setting out the information requirements according to Article 6 of MiCA;
• a notification and publishing of the crypto-asset white paper according to Article 8 and 9 of MiCA must be made; and
• it must comply, in particular, with the following requirements (laid down in Article 14 of MiCA): act honestly, fairly and professionally and communicate in a fair, clear and not misleading manner.

As set out in Article 6 of the MiCA, which contains in detail the content of the crypto-asset white paper, the issuer of crypto-assets has to provide certain information about the crypto-asset to enable consumers and investors to make an informed decision. The information to be provided comprises:

• the issuer itself;
• the main participants;
• the design of the project’s crypto-asset;
• the crypto-asset itself (its type, the characteristics of the offer to the public with the number of crypto-assets offered, its issue price, and the terms and conditions of subscription including the attached rights and obligations of the crypto-asset); and
• a structured summary.

The European Parliament takes the approach of protecting consumers and investors by ensuring that information is provided about the product itself, enabling consumers and investors to make an informed decision.

It is true that more available information about crypto-assets will enable market participants to make better-informed decisions. Thus, the violation of Article 6 of MiCA will qualify for a special liability clause under Article 15 of MiCA. Information as the sole determinant to protect market participants from a default of the legal entity that has issued the crypto-asset, however, will not be sufficient.

If trading of the crypto-asset is permissible, but the legal entity that has provided the crypto-asset suffers from financial distress for any reason, then there will be a high risk of default if the legal entity is not equipped with sufficient liquidity to mitigate the distress scenario. Certainly, the provision of sufficient information is important, but legal entities should also be equipped with sufficient liquidity to mitigate financial distress.

The issuing of ART requires that the competent authority (Article 20 of MiCA) authorise the issuance, because the issuer is (i) a legal entity established in the European Union and received authorisation to issue ART and (ii) an approved crypto-asset white paper of the competent authority has been published (Article 18 and Article 25 of MiCA). Thus, the issuer of ART has to provide sufficient own funds exceeding EUR350,000 and 2% of the average amount of the reserve assets referred to in Article 36 and a quarter of the fixed overheads of the preceding year according to Article 37 of MiCA.

In contrast to issuers of crypto-assets that are not ART or EMT, issuers of ART have to be authorised by the competent authorities and should have a compliant governance arrangement according to Article 34 of MiCA in place. The legal basis for this different treatment of ART is that ART provide a crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender. Therefore, it is more likely that these types of crypto-assets will be traded more compared to non-ART crypto-assets. Similar to the treatment of issuers of ART, issuers of EMT have to observe stricter rules, because of the intended trading of the EMT and potential risks to consumers.

An issuer of EMT should observe Article 48 of MiCA as it states that the issuer of such EMT must be authorised as a credit institution or as an “electronic money institution”, has to comply with requirements applying to electronic money institutions and has to publish a crypto-asset white paper notified to the competent authority (Article 51 of MiCA).

The European Banking Authority (EBA) will be involved in the classification of ART (Article 43 of MiCA) and EMT (Article 56 of MiCA) as significant on the basis of the following criteria:

• size of the customer base of the promoters, shareholders of the issuer or any of the third-party entities;
• value of the ART (or EMT) or their market capitalisation;
• number and value of transactions in those ART or EMT;
• size of the reserve of assets of the issuer of the ART or EMT;
• significance of the cross-border activities of the issuer, including the number of member states where the ART are used, the use of the ART for cross-border payments and remittances and the number of member states where the third-party entities are established; and
• interconnectedness with the financial system.

In addition, a voluntary classification of ART (Article 44 of MiCA) or EMT (Article 57 of MiCA) as significant is possible. Per Article 45 and 58 of MiCA, the consequence of classification as significant results in specific additional obligations for issuers such as:

• a remuneration policy for sound and effective risk management;
• crypto-asset service providers being permitted to hold tokens in custody;
• the monitoring of liquidity needs to meet redemption requests or the exercise of rights; and
• establishing a liquidity management policy and procedures.

DLT-Pilot

By introducing the DLT-Pilot regime, the European Parliament aims to ensure that EU financial services legislation will be fit for the digital age and contribute to a future-ready economy that works for the people, including by enabling the use of innovative technologies. The aim of the DLT-Pilot is to temporarily exempt certain distributed ledger technology (DLT) market infrastructures from some of the specific requirements of EU financial services legislation in connection with trading and settlement of transactions in crypto-assets, which would otherwise qualify as financial instruments.

The DLT-Pilot regulates the requirements of DLT market infrastructures and their operators such as granting and withdrawing specific permissions to operate DLT market infrastructures (Article 1 of the DLT-Pilot). A DLT market infrastructure could be either a DLT multilateral trading facility, a DLT settlement system or a DLT trading and settlement system.

Article 3 of the DLT-Pilot sets out that DLT financial instruments shall only be admitted to trading on a DLT market infrastructure or be recorded on a DLT market infrastructure under certain conditions. These conditions are:

• shares, the issuer of which has a market capitalisation, or a tentative market capitalisation, of less than EUR500 million; or
• bonds, other forms of securitised debt, including depositary receipts in respect of such securities, or money market instruments, with an issue size of less than EUR1 billion, or units in collective investment undertakings covered by Article 25(4), point (a) (iv), of Directive 2014/65/EU, the market value of the assets under management of which is less than EUR500 million.

Thus, the aggregate market value of all the DLT financial instruments shall not exceed EUR6 billion.

Specific regulation (requirements and exemptions) exists in the DLT-Pilot for DLT multilateral trading facilities (Article 4, DLT-Pilot), DLT settlement systems (Article 5, DLT-Pilot) and DLT trading and settlement systems (Article 6, DLT-Pilot).

By excluding certain DLT market infrastructures from current financial regulation, the DLT-Pilot creates a test environment for new developments in the financial sector. Through its limited application (Article 3 of the DLT-Pilot), the regulation provides that only specific instruments may be tested under the new regime; other instruments must follow the current legislation. The new approach certainly enhances the appeal of technological developments in the financial sector and encourages businesses to test their technical developments under real conditions in a financial market.

DORA

The European Parliament aims to raise the level of harmonisation on digital resilience components, by introducing requirements on information and communication technology (ICT) risk management and ICT-related incident reporting that are more stringent than those laid down in current European Union financial services legislation. The framework aims at establishing uniform requirements in relation to the security of network and information systems with regard to:

• financial entities and their ICT risk management, major incident reporting, digital operational resilience testing, information and intelligence sharing of cyber threats and vulnerabilities;
• contractual arrangements between ICT third-party service providers and financial entities;
• an oversight framework for critical ICT third-party service providers when providing services to financial entities; and
• rules on co-operation among competent authorities and rules on supervision and enforcement by competent authorities (Article 1 of DORA).

The regulation defines digital operational resilience as the ability of a financial entity to build, assure and review its operational integrity from a technological perspective (Article 3 paragraph 1 of DORA) and requires financial entities to have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks (Article 5 and 6 of DORA). Financial entities should be able to identify all ICT-related business functions (Article 8 of DORA), protect their ICT systems and – in particular – prevent a leakage of information (Article 9 of DORA), detect anomalous activities (Article 10 of DORA) and establish suitable ICT-related governance (Articles 12 to 16 of DORA).

The regulatory framework establishes a comprehensive and detailed system for financial entities to mitigate digital operational risk. The framework prescribes adequate ICT risk management tools, methods, processes and policies. The regulation clearly suggests that the management of financial entities invest in operational resilience and increase the size of their risk management divisions to comply with the act. In addition, there is a comprehensive reporting, information-sharing and supervision requirement vis-à-vis the competent authorities in place. Whether such detailed rules will be sufficient to mitigate ICT risks shall be seen.

Current legislative framework in Austria

The Austrian Financial Market Authority (FMA) established, in September 2020, a regulatory sandbox for fintech models. Through this, the FMA is attempting to simplify the pathway to becoming a supervised entity for young fintechs as well as incumbent players that, together with an unlicensed entity, operate fintech business models and co-operations. This is to be achieved by supporting the business model in question with close supervision and allowing its operation in a test phase. However, there is currently no specific regulation with regard to DLT or crypto-assets in place; these are now part of the new regulatory approach of the European Parliament with MiCA, DORA and the DLT-Pilot regime.

Conclusion

The European Parliament is attempting to tackle possible risks of digital innovation with a comprehensive and detailed set of rules. In alignment with previous European legislation, the acts provide a detailed set of governance and supervision rules. Instead of creating a minimum standard to protect consumers and other market participants and allow business opportunities to thrive, regulatory authorities are prescribing in detail the requirements on specific topics, and monitor and supervise the activities of supervised entities.

From a supervisory perspective, MiCA and DORA will be powerful tools for supervisors to cope with the risks of the upcoming challenges in the financial sector. From the perspective of financial entities, the acts set comprehensive and detailed rules with which to comply but will allow financial entities to operate in a fair and equal market across the EU.