Last Year’s Evolution of the Czech Fintech Market

2023 was a tough year for the Czech fintech sector, with high input prices and interest rates, little investment, and significant savings on the user side. Despite all this, Czech fintech companies managed notable achievements, from record investments in certain investment rounds to top placings in international competitions.

Moreover, towards the end of 2023, the situation for Czech fintech companies, as well as other companies, has started to improve significantly with receding inflation rates, falling interest rates and increasing investor appetite. The stronger investment activity in the last quarter of 2023 suggests that optimism is returning to the Czech market, which will hopefully continue in the coming years. Thus, 2024 could be a very interesting year for the Czech fintech scene in terms of investment.

Issues That are Likely to Affect the Czech Fintech Market Next Year

Digital finance package

Regarding the regulatory environment in the coming year, it will be crucial how the “Digital Finance Package”, consisting of the MiCA (Regulation 2023/1114), DORA (Regulation 2022/2554 and the DLT Pilot (Regulation 2022/858), will be implemented and applied in the Czech Republic.

DORA, which will come into force in January 2025, will affect the financial sector the most as it sets out various new obligations for all financial market participants such as payment institutions, investment firms or crypto-asset service providers (CASPs), most of which will find it challenging to comply. In addition, CASPs, as well as issuers of crypto-assets, will be impacted by MiCA, which will come into full force in December 2024. MiCA introduces a very complex authorisation regime for CASPs and strict transparency requirements for crypto-asset issuers. In contrast, the DLT Pilot, which is already effective, brings greater flexibility to the EU financial sector by establishing a regulatory sandbox that allows firms to experiment with trading and settlement of DLT financial instruments, provided they are properly authorised.

Other legislation

Other legislative pieces, either in force or in preparation, that are likely to affect the Czech fintech market in the coming months and years include:

• the Crowdfunding Regulation (Regulation 2020/1503), which sets out rules for lending-based and investment-based crowdfunding platforms;
• the ESG legislative framework, laying down extensive disclosure obligations for both financial and non-financial market participants;
• the AI Act, which will establish obligations for providers and users of all types of AI products and services depending on the associated level of risk;
• the revised MiFID II/MiFIR framework, which should increase the transparency and competitiveness of the EU financial sector; or
• the PSD3/PSR/FIDA framework, which aims to address new security risks, strengthen open banking and move towards open finance, level the playing field between banks and non-banking payment services providers and improve harmonisation across the EU.

Czech fintech companies cover various business models, but the payment vertical is predominant (eg, mobile-based payment services, including payment gates or QR code payments, payment terminal solutions or payment models combining affiliate marketing with philanthropy). Personal finances (eg, income and expenses monitoring, buy-now-pay-later or pay anytime solutions) and accounting and cashflow (eg, automation and digitisation of accounting or online invoice financing) are also very popular.

Peer-to-peer investments, including lending-based and investment-based crowdfunding platforms, are also well represented in the local market. However, only three companies have so far been licensed in the lending-based model and no company in the investment-based model under the new Crowdfunding Regulation. Finally, online brokers, crypto-assets service providers and insurtech companies are well-established in the Czech fintech market too.

Although the local fintech market is dominated by start-ups, some legacy players, such as large banking or investment groups, are also active in the sector. While some of them have set up fintech companies to offer innovative solutions in-house, others provide these services by partnering with fintech players.

The regulatory regime applicable to industry participants in the Czech Republic depends on the particular business model. The main laws applicable under the existing financial services regulatory framework are as follows:

• payment service providers and e-money institutions are regulated by the Czech Payment Services Act (PSA), which implements PSD2 (Directive 2015/2366) and EMD2 (Directive 2009/110/EC);
• investment firms and investment intermediaries are governed by the Act on Capital Market Business (CMBA), which implements a wide range of EU legislative acts such as MiFID II (Directive 2014/65/EU), MIFIR (Regulation 600/2014), the Prospectus Regulation (Regulation 2017/1129), MAR (Regulation 596/2014), DORA, MICA, the DLT Pilot, etc;
• investment funds and management companies are subject to the Act on Management Companies and Investment Funds (AMCIF), which implements AIFMD (Directive 2011/61/EU) and UCITS Directive (Directive 2009/65/EC);
• lending-based and investment-based crowdfunding providers are regulated by the Crowdfunding Regulation;
• insurance companies and insurance intermediaries are subject to the Insurance Act and the Insurance and Reinsurance Distribution Act;
• consumer credit originators and intermediaries are subject to the Act on Consumer Credit;
• crypto-asset service providers are regulated by the Trade Licensing Act; and
• AML/CFT requirements are laid down in the Act on Certain Measures against the Legalization of the Proceeds of Crime and the Financing of Terrorism, which implements the fourth AML Directive (Directive 2015/849/EU), as amended, and in the Act on the implementation of international sanctions.

The types of compensation models that industry participants can use to charge customers depend on the regulatory status, the service provided and the customer type. Different types of business models are subject to different regulatory requirements, including disclosure obligations.

Compensation Models

The compensation models most commonly used by Czech industry participants in the field of investment services are the commission-based model and the fee-based model, with the main difference between the two models lying in who the industry participant receives the fee from (the product provider or the customer). In payment services, the fee-based model is the most important, where the fees are calculated either per transaction or on a recurring basis, or a combination thereof.

Disclosure and other obligations related to compensation models

In general, regulated entities (eg, payment institutions or investment firms) are subject to certain pre-contractual and ongoing information requirements, including a full disclosure of the fees that are charged by them. The disclosure obligation is stricter when the recipient of the service is a consumer, which results from local legislation implementing EU consumer protection law (eg, the Consumer Credit Directive (Directive 2008/48/EC) or the Distance Marketing of Consumer Financial Services Directive (Directive 2002/65/EC). Regulated entities are usually also subject to conflicts of interest rules, which may affect the compensation models used.

Furthermore, specific rules apply to the provision and receipt of inducements. These rules aim to ensure that the service provider acts in the best interests of the customer and to avoid conflicts of interest.

In the field of investment services, including some pension products, an inducement received from or provided to third parties other than customers is only permissible if (i) it is intended to contribute to improving the quality of the service/product provided or (ii) it facilitates the provision of the service or is necessary for that purpose, provided that it is properly disclosed and it does not conflict with the service provider’s obligation to act in the customer’s best interest. In addition, inducements shall be excluded, subject to exceptions, in the case of investment advisory services provided independently or portfolio management services.

In accordance with the principle of technological neutrality, there is no specific regulation of fintech sector in the Czech Republic. If a fintech company falls under the scope of a particular regulation, it is subject to the relevant requirements as in the case of legacy players.

In 2019, a FinTech Contact Point within the Czech National Bank (CNB) was established, which is focused on fintech regulatory matters. The aim is to promote the introduction of innovative technologies on the Czech financial market through more active communication with legacy players and fintech companies. In addition, the CNB organises regular meetings with the fintech community and the wider public, as well as roundtables on fintech-specific topics.

Furthermore, the establishment of a sandbox focused on fintech and De-Fi is currently being discussed in the Czech Republic. The aim of this sandbox will be to accelerate the launch of innovative services in regulated industries in a safe and secure manner. It should provide fintech startups with datasets on which to test their ideas, as well as close contact with public authorities and advice from independent experts. It is expected that many stakeholders will be involved, including the Czech Fintech Association, Ministry of Finance, CzechInvest agency, and others. The project is expected to be launched in 2023.

The CNB is a financial services regulator with jurisdiction over all financial industry participants. It is responsible for the authorisation and supervision of financial services providers, which it exercises both from a prudential and a conduct of business perspective. Besides the CNB, the Financial Analytical Office (FAO) is the body responsible for AML/CFT supervision. As regards financial services providers, AML/CFT supervision is divided between the CNB and the FAO.

In addition, Czech national authorities co-operate with European regulators such as the European Central Bank (ECB) the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), which have jurisdiction in their respective areas and directly supervise certain industry participants (eg, in the case of significant credit institutions, the ECB).

Outsourcing of regulated functions to external service providers is permitted provided that the relevant regulatory requirements are met.

While the specific requirements applicable to outsourcing arrangements vary depending on the regulated activity performed and its scope (eg, investment or payment services), there are several general principles that can be applied to almost any regulated financial service. These principles stem mainly from MiFID II, PSD2, relevant outsourcing guidelines adopted at EU level, such as the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-157-2403) and the implementing domestic laws.

In general, the regulated entity should consider and address the risks posed by outsourcing arrangements before deciding on the outsourcing itself. Therefore, thorough due diligence should be carried out on the potential service provider to ensure that it has the appropriate skills, experience, and resources to properly perform the outsourced services.

In addition, the regulated entity must have a written outsourcing policy in place and ensure at all times that outsourcing arrangements do not affect its ability to fulfil its legal obligations nor the competent authority’s ability to supervise it, as outsourcing does not relieve it of responsibility to clients or third parties for the provision of the regulated services. Furthermore, a written outsourcing contract must be concluded between the regulated entity and the outsourced service provider, containing specific mandatory provisions (eg, on data protection and security, the right of both the regulated entity and the competent authorities to monitor and audit the outsourcing provider, or the termination rights of the regulated entity). More stringent requirements apply to the outsourcing of critical or important functions (eg, risk management, ICT or AML).

When DORA comes into force in January 2025, almost all regulated financial institutions will be subject to new, stricter requirements for outsourcing ICT services.

In general, the fintech provider’s liability for activities on its platform arises from the AML/CFT legislation as most activities carried out by fintech companies fall within its scope. In such a case, the fintech provider must comply with the requirements set forth therein, such as conducting customer identification and due diligence before entering a contractual relationship or executing a trade or actively monitoring its customer’s relationships.

In addition, a large fintech company may be subject to additional obligations if designated as a gatekeeper under the Digital Markets Act (Regulation 2022/1925).

The CNB has an extensive set of sanctioning instruments that can be imposed on entities subject to its supervision. The most significant sanction consists in the revocation of a licence, which can be imposed, for example, for inactivity for more than six months or for serious breaches of legal obligations.

In recent years, the CNB has taken enforcement actions against regulated entities, including fintech companies, for a range of breaches of the law. Recent sanctions imposed on some fintech companies include fines for failures to comply with the rules on investment funds and management companies, the provision of investment services and AML/CFT. In addition, the CNB uses the practise of “naming and shaming” by publishing all or at least parts of its decisions on its website.

Data Protection

Regardless of the sector, fintech companies that process personal data must comply with the GDPR (Regulation 2016/679) as well as the ePrivacy Directive (Directive 2002/58/EC) as implemented into national law. In addition, some fintech companies may soon be subject to the newly adopted Data Act (Regulation 2023/2854), which focuses on data sharing and compensation, the main part of which shall apply from September 2025.

Cybersecurity

Given fintech companies’ dependence on technology, cybersecurity plays a very important role in their businesses. Although there are no specific requirements for fintech companies, they must comply with the relevant requirements under applicable sectoral laws (eg, payments, investments or insurance), including having robust security measures in place to manage risks related to information and communication technologies (ICT).

In addition, from 2025, all financial service providers will have to adhere to the strict ICT security requirements imposed by DORA, including ICT risk management, ICT incident classification and reporting and third-party ICT risk monitoring). The relevant requirements will be proportionate to the potential risk posed by the respective entity.

Finally, the NIS2 Directive (Directive 2022/2555), which repeals the NIS Directive (Directive 2016/1148) as of October 2024, is also important for some larger companies in the financial sector that provide essential services in the field of cybersecurity (ie, ensuring the proper functioning of the market) as they are subject to specific obligations (eg, vulnerability detection or incident reporting).

Social Media Content

In the field of social media and advertising in general, copyright and advertising laws are particularly important. In addition, the Digital Services Act (Regulation 2022/2065) and the Digital Markets Act may apply. While the DSA regulates intermediaries offering services such as online marketplaces, cloud services or social media platforms, and its key objective is to prevent illegal and harmful activities online, the DMA sets out rules to prevent unfair practices by large online platforms (the so-called “gatekeepers”) that are deemed to be too important to be left unregulated.

Consumer Protection Legislation

Local consumer protection legislation, such as the Consumer Credit Act or the Civil Code, which implement various EU directives, are also relevant for industry players that target consumers.

Most entities with large-scale operations or regulated activities are required to have their financial statements reviewed by a qualified external auditing firm. In addition, some regulated entities such as banks, payment institutions or investment firms are required to set up compliance, internal risk control and internal audit functions. Some regulated entities are even obliged to subject some of their activities to specific external audits (eg, measures taken by an investment firm to protect customer assets).

Besides regulators and auditing firms, a wide range of authorities, such as tax authorities, the Financial Arbitrator, the Czech Trade Inspection Authority, the Personal Data Protection Office, the Office for the Protection of Competition or the National Cyber and Information Security Agency, may review the activities of industry participants throughout their life cycle.

Although not common in the Czech Republic, industry participants are, in principle, allowed to offer both regulated and unregulated products and services. However, the scope of unregulated activities that a regulated entity may undertake, and the conditions thereof, vary depending on its status.

In some cases (eg, payment institutions or investment firms), prior approval of the CNB is required. In such cases, the CNB may impose certain conditions or even require that these additional activities be performed via a separate entity if, for example, the additional activities could interfere with the effective supervision of the regulated entity.

As mentioned in 2.8 Gatekeeper Liability, most activities carried out by fintech companies, whether regulated or unregulated, are subject to Czech AML/CFT legislation. One of the reasons for such a broad scope of AML/CFT legislation is that the Czech Republic used some gold-plating when transposing the fifth AML Directive, and therefore all CASPs already fall under its scope as of 2021.

Majority of fintech providers must thus comply with the relevant requirements set forth in the Czech AML/CFT legislation. All entities that are subject to AML/CFT legislation are also required to comply with national and international sanctions legislation. In 2023, a national sanctions list was introduced in the Czech Republic, which exists in parallel with the international sanction lists such as the EU and FATF lists. All persons subject to the AML/CFT legislation are obliged to check whether any of their clients and other relevant persons (eg, beneficial owners of the client) appear on one of these lists and take adequate action (eg, report suspicious transactions) where appropriate.

In addition, because of the revision of the EU Transfer of Funds Regulation (TFR), which will enter into force in January 2025, CASPs will be required to accompany transfers of crypto-assets with specific information on originators and beneficiaries. Furthermore, the TFR introduces an obligation for CASPs to have internal procedures in place to detect suspicious crypto-assets transactions and to ensure restrictive measures are implemented.

Although provision of robo-advisory services in relation to some asset classes does not constitute a licensable activity (eg, certain crypto-assets or loans), robo-advisory activities are normally provided in relation to asset classes such as shares, bonds or units in collective investment undertakings (eg, ETFs) which qualify as “financial instruments” regulated under CMBA.

Provision of robo-advisory activities in relation to financial instruments often constitutes provision of investment services relating to financial instruments (usually investment advice and/or portfolio management), which are licensable activities under the CMBA. For the provision of portfolio management, an authorisation as an investment firm is required, unless an exemption applies, while for the provision of investment advice, a light-touch licensing regime of the so-called investment intermediary can be availed. Alternatively, a licence obtained under other sectoral legislation (eg, banking or investment funds) may be leveraged to provide robo-advisory services constituting investment services, provided that such investment services are covered by the respective licence.

There are only a few legacy players in the Czech Republic which have already implemented robo-advisers in their business. One of the largest Czech banks, Československá obchodní banka, a.s. (ČSOB), was among the first in the Czech Republic to introduce a robo-advisory service to help its clients build an investment portfolio. Some other traditional players have integrated robo-advisory into their business through start-ups from the business group. However, the Czech market for robo-advisory services is still very small.

The application of the best execution obligation to robo-advisers depends on whether they provide a regulated investment service and what role they play in executing their clients’ orders. When the robo-advisory activities constitute the provision of investment service of either execution of orders on behalf of clients, reception and transmission of orders or portfolio management, the entity providing such service is subject to the “best execution” obligation in the same way as entities using human advisers. It means that the robo-advisory firm is required to take all reasonable steps to ensure that the client’s orders are executed on terms most favourable to them. The scope of the requirements depends on the type of investment service provided. In addition, the general duty to act in the best interest of the client applies to all investment firms that provide investment services.

There are significant differences in the regulation of commercial lending, including to SMEs, and consumer lending in the Czech Republic. While commercial lending activities do not trigger a licensing requirement, consumer lending activities are highly regulated.

However, regardless of the entity to which lending activities are directed, lending as well as loan intermediation is a designated activity under the Czech AML/CTF legislation, which subjects the lender/intermediary to the requirements set out therein.

Commercial Lending

Commercial lending is not covered by any special regulatory regime in the Czech Republic, unless provided by banks or credit institutions. This area is regulated primarily by the general rules laid down in the Czech Civil Code. Although the parties to the loan contract are largely free to agree the terms they wish to include in their contracts, they must not waive/deviate from certain provisions of the law to the detriment of the “weaker party”.

Consumer Lending

Lending activities such as provision and intermediation of credit to consumers may only be provided with an appropriate licence. The Consumer Credit Act provides consumers with high levels of protection by laying down comprehensive rules for areas such as pre-contractual and ongoing information, contract form and content, and credit checks. In essence, the disclosure obligations consist in providing the consumer with the information needed to compare different offers to make an informed decision on whether to conclude a credit agreement. In addition, the law gives consumers various rights such as the right of early repayment and the right of withdrawal.

Crowdfunding

Lending-based crowdfunding services are specifically regulated in the Crowdfunding Regulation. This regulation subjects crowdfunding service providers to licensing requirements and gives investors various rights, such as pre-contractual reflection period for revoking an investment offer.

Underwriting processes used by industry participants may differ depending on the type of lender, the type of borrower and the type of credit.

AML/CFT Legislation

All financial entities, including professional lenders and loan intermediaries, are subject to the Czech AML/CFT legislation. Therefore, obligations such as customer identification and due diligence and risk assessment of the business relationship apply in the underwriting process.

Consumer Lending

As mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, unlike commercial lending, consumer lending activities are highly regulated. One of the key obligations in the underwriting process is to carry out a creditworthiness assessment on a potential borrower, based on sufficient reliable information. For these purposes, the consumer is obliged to provide all necessary information (eg, information on the consumer’s financial and economic situation).

Besides the information provided by the consumer, lenders/intermediaries typically rely on information available in external databases (eg, Bank Customer Information Register) to assess the creditworthiness of the borrower according to its internal risk classification procedure. In practice, use of automated profiling and decision-making tools is not uncommon.

In addition, to limit the risks of the banking business, which is important for the functioning of the whole economy, banks are obliged to comply with strict prudential rules, including on capital adequacy and exposure rules. The prudential rules are based on recommendations of the Basel Committee on Banking Supervision of the Bank for International Settlement and EU acts.

There are various sources of funds used by lenders to make loans, such as taking deposits, lender-raised capital (eg, from private investors) or peer-to-peer. Depending on the source of funds, different regulatory requirements apply. The most onerous requirements apply to deposit-taking, which triggers a requirement for credit institution licence. For public offerings of financial instruments of shares or bonds, prospectus requirements are relevant, unless an exemption applies. Raising funds via lending-based or investment-based crowdfunding platforms is subject to the Crowdfunding Regulation.

On the other hand, regulatory requirements associated with many sources of funds used for provision of loans (eg, factoring) are not very burdensome, as only registration with the relevant Czech Trade Licence Office and compliance with the applicable requirements of the AML/CFT legislation mostly suffice.

Since loan syndication is typically used to finance large projects that are not usually closed online, the process is mainly used by legacy players such as large banks. In contrast, consumer loans or loans to small businesses are generally not syndicated. However, when syndication of loans provided by fintech platforms does occur, it is usually done by transferring credit risk to third parties via sub-participation. Depending on the relevant structure, it may be subject to investment funds or investment services regulation.

In general, payment processors are free to either use existing payment rails or to implement or create new ones. However, an authorisation from the CNB would be required to process payments, unless an exemption applies.

In the Czech Republic, the only payment system that is covered by PSA, which implements the Settlement Finality Directive (Directive 98/26/EC), is the Czech Express Real Time Interbank Gross Settlement system (CERTIS), which is the only interbank payment system that processes interbank payments in Czech crowns.

Cross-border payments and remittances constitute payment services. Therefore, they are primarily regulated by PSA.

Since the Czech Republic is part of the Single Euro Payments Area (SEPA), SEPA Regulation (Regulation 260/2012) also applies. This regulation is especially relevant for cross-border payments as it seeks to ensure that cross-border cashless euro payments across the EU as well as several non-EU countries can be made in a similar way to that of domestic payments.

In addition, Regulation (EU) 2021/1230 on cross-border payments in the Union establishes the principle that charges for cross-border euro payments are the same as for corresponding national payments within the EU. For card-based payments, the Regulation (EU) 2015/751 is also relevant as it caps interchange fees for consumer debit and credit cards.

Fund administrators as well as fund management companies are regulated by the AMCIF. Different rules apply to fund administrators depending on the type of activities performed and the type of the fund they administer. Only a person with appropriate authorisation from the CNB may be a fund administrator, unless an exemption applies.

The basic (minimum) elements of the contract on administration concluded between the fund administrator and the fund manager, such as the written form, the rules for co-operation so that both can fulfil their legal obligations or the (im)possibility for the administrator to delegate (outsource) the performance of certain activities to another, are regulated directly in the AMCIF.

There are various types of marketplaces and trading platforms for the trading of different types of assets (eg, financial instruments or crypto-assets) in the Czech Republic. The applicable regulatory regime depends on the nature of the traded assets.

Exchanges for Financial Instruments

If the traded assets qualify as financial instruments under the CMBA (eg, bonds or shares), the trading platform is required to be authorised by the CNB to operate either a regulated market, a multilateral trading facility (MTF) or an organised trading facility (OTF). Regulated markets are subject to the most onerous requirements. There are only two entities authorised to operate a regulated market in the Czech Republic, Burza cenných papírů Praha, a.s. and RM-SYSTÉM, česká burza cenných papírů a.s.

With the entry into force of DLT Pilot in 2023, a special, more flexible regime for financial instruments issued through distributed ledger technology (DLT) was introduced to allow for a degree of experimentation with the issuance, trading and settlement of tokenised financial instruments.

Crowdfunding Platforms

The operation of a lending-based or investment-based crowdfunding platform is subject to authorisation under the Crowdfunding Regulation (see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities). However, this regulation does not cover models trading assignment of receivables originally granted by the crowdfunding platform, or models where a crowdfunding platform grants loans on its own account and at its own risk. These activities may be subject to other relevant regulation, such as regulation of investment services or investment funds.

Crypto-Asset Exchanges

The provision of crypto-asset related services, including operation of a crypto-asset exchange, is subject only to a prior notification to the Czech Trade Office (this regime applies only to crypto-assets that are not financial instruments). However, this will change with MiCA, under which crypto-asset exchanges and other CASPs will have to obtain a licence. As the licensing requirements for CASPs will be quite complex, the number of CASPs is likely to decrease significantly in the Czech Republic. On the upside, the advantage will be that the CASPs licence will be valid throughout the entire EU.

Depending on the nature of the asset and its level of complexity and associated risks, different regulatory regimes apply to different asset classes. For example, platforms that trade financial instruments must be authorised under the CMBA, or the DLT Pilot in the case of financial instruments issued on DLT, whereas platforms trading other assets, such as some crypto-assets, may only be subject to the notification regime. In addition, as regards the trading of financial instruments, there are differences in terms of different categories of financial instruments (eg, only bonds, emission allowances, structured finance products and derivatives can be traded on OTFs). Furthermore, trading in contracts for difference (CFDs) was restricted in 2019 for retail clients by the CNB’s provision of general nature.

The emergence of cryptocurrency exchanges and the significance of the crypto sector has strongly influenced regulation, as it has led to the adoption of new or revision of some existing regulations.

AML

Given the very rapid development in the field of crypto-assets and their increasing use on the market, the Czech Republic decided to gold-plate some provisions of the fifth AML Directive. As a result, all CASPs fall under the scope of the Czech AML/CFT legislation as of 2021. In addition, CASPs are subject to a special requirement on the integrity of the provider, its beneficial owner and members of its statutory body.

MiCA

The most important regulatory change for the entire crypto-asset sector lies in MiCA, which will regulate almost all crypto-assets that do not fall under one of the existing asset categories regulated by EU law (eg, financial instruments or deposits). When MiCA comes into force in 2024, the provision of crypto-asset services, as well as issuance and public offering of crypto-assets, will become highly regulated.

In general, for the public offering of crypto-assets, a white paper, which is an information document similar to a prospectus, will need to be prepared and published. In addition, some crypto-assets, specifically stablecoins, will only be permitted to be issued by licensed entities.

An authorisation will also be required to provide crypto-asset related services such as operation of a crypto-asset exchange or providing advice on crypto-assets. The licensing regime will be similar to that of other financial service providers (eg, investment firms) and the scope of applicable requirements will depend on the service provided. It is worth noting that all CASPs will be obliged to have in place resilient and secure ICT systems as required by DORA.

Listing standards vary depending on the relevant trading system and the type of assets traded. While listing on unregulated exchanges, such as crypto-asset exchanges, is not subject to any specific regulatory framework, listing of financial instruments on trading venues under the CMBA is highly regulated.

The CMBA requires trading venue operators to have transparent rules for trading, admission of financial instruments to trading and access to the trading venue. The criteria used for admission of financial instruments to trade on their system, for access to the system and for execution of orders, shall be objective. Furthermore, the trading rules must ensure fair and orderly trading.

Besides the rules set out in the CMBA, each trading venue operator establishes its own, usually quite detailed, listing rules, which are published on the market operator’s website (eg, Rules and Regulations of the Prague Stock Exchange that are available here). Trading in MTFs and OTFs is generally subject to less onerous requirements than trading on regulated markets.

Entities that execute orders for financial instruments on behalf of their clients are subject to order handling rules set out in the CMBA.

In general, they must have procedures and arrangements in place to ensure the prompt, fair and expeditious execution of clients’ orders. Orders shall be executed in the order in which they are received unless an exemption applies. If any material difficulty arises which is relevant for the proper prompt execution of orders, the retail client must be informed. In addition, in the absence of any specific client instruction, entities executing clients’ orders must take all reasonable steps to achieve the best possible result for their clients. The firm’s order’s execution policy must specify how the best possible result will be achieved when executing client orders.

Furthermore, the CMBA provides for specific order handling rules for regulated markets, MTFs and OTFs.

On the contrary, entities that are not regulated by the CMBA are not subject to any specific regulatory framework as regards order handling.

Although the activity of peer-to-peer trading platforms is not very widespread on the Czech financial market, there has been a fairly significant rise of such platforms, usually operated by fintech companies, in recent years. Their major footprint can be seen in the field of lending-based and investment-based crowdfunding platforms and in the crypto sector. The proliferation of peer-to-peer platforms in the field of crypto-assets, or digital assets more generally, is one of the reasons why the DLT Pilot was introduced. However, due to their still-low transaction volumes, peer-to-peer platforms do not yet present much competition for traditional players.

One of the regulatory challenges could be to align the regime of these platforms with that of payment services, as their activities very often involve the transfer of funds on behalf of their clients. Although a licence under the PSA is required to transfer funds, this is not always the case.

Similar to robo-advisers (see 3.3 Issues Relating to Best Execution of Customer Trades), the best execution rules only apply to peer-to-peer trading platforms that provide investment services under the CMBA that are subject to this obligation.

As a result of the inconsistent regulation of payment for order flows across the EU, the EU bodies provisionally agreed in June 2023 to amend the MiFID II/MiFIR framework and to introduce a general ban on payments for order flow. However, member states that already allow payments for order flows are exempted from the ban, provided that such payments are only provided to clients in that member state. This practice must however be phased out by 30 June 2026.

In any event, any payment of this type must be assessed in the light of inducement requirements.

The basic principles of market integrity and market abuse stem from MAR, which is complemented by the MAD (Directive 2014/57/EU) and several delegated and implementing acts. Since the objective is to ensure the integrity of EU financial markets and to enhance investor protection, any unlawful behaviour in the financial markets is prohibited. The existing rules outlaw three types of market abuse: insider dealing, unlawful disclosure of inside information and market manipulation.

In order to combat market abuse, MAR contains provisions to prevent and detect these illicit practices (eg, the introduction of effective systems and procedures to detect and report suspicious orders and transactions or disclosure obligations).

In general, MAR covers financial instruments admitted to trading or traded on regulated markets, MTFs and OTFs and certain other products (eg, contracts for difference). Non-compliance may be subject to administrative and/or criminal sanctions.

The creation and use of high-frequency (HFT) and algorithmic trading (AT) is regulated under the CMBA. The regulation therefore only applies to HFT and AT in relation to financial instruments.

In principle, a person only trading for their own account (and not executing customer orders) using AT does not need an authorisation, unless HFT is applied. For HFT, an authorisation from the CNB is always required.

Investment firms and other regulated entities that engage in AT and HFT are subject to various specific requirements. They must have in place effective systems and risk controls appropriate to the business they operate to ensure resilience and sufficient capacity of the trading systems not to create or contribute to a disorderly market and to prevent market abuse. In addition, effective business continuity arrangements must be established to deal with any failure of the trading system and the system must be subject to appropriate testing and monitoring. Moreover, HFT is subject to other specific requirements (eg, on record keeping or incorporation of a “kill switch”). Finally, the relevant competent authorities must be notified of the use of such technologies.

A person that is engaged in algorithmic trading when trading for their own account is not required to be authorised as market maker, unless they are deemed to be implementing a market-making strategy. Market-making strategy consists, inter alia, of posting firm, simultaneous bid and offer prices of comparable size and at competitive prices relating to one or more financial instruments on one or more trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.

In such a case, an authorisation under the CMBA is required. Specific rules, such as carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours and entering into a binding written agreement with the trading venue, apply.

Unlike dealers, investment funds are only subject to the applicable AT and HFT legislation if they are members or participants of regulated markets and MTFs. The main difference between an investment fund and a dealer is that a fund manager makes investment decisions regarding the assets of multiple investors according to a common strategy of the fund, whereas a dealer typically invests according to each customer’s individual circumstances.

Programmers who develop and create trading algorithms and other electronic trading tools are not subject to any specific regulation in the Czech Republic, unless they also engage in a regulated activity (eg, HFT).

The Czech law neither defines nor specifically regulates decentralised finance (DeFi). However, depending on factors such as the type and structuring of activities undertaken, including the associated degree of automation and decentralisation, and the type of crypto-assets used, different regulatory frameworks may apply to DeFi (eg, AML/CFT legislation, investment services legislation such as CMBA or AMCIF, or consumer protection legislation). A case-by-case basis analysis must be carried out.

In addition, MiCA will not change much as it will not apply to crypto-assets services provided in a fully decentralised manner without any intermediary and crypto-assets having no identifiable issuer. The meaning of “truly decentralised” is, however, currently unclear.

The provision of financial research is not subject to any specific registration or authorisation in the Czech Republic, unless it constitutes investment advice, as an investment service regulated under the CMBA. Production or dissemination of investment recommendations or other information recommending or suggesting an investment strategy in one or more financial instruments is regulated under MAR and other legislative pieces for protection against market abuse.

Spreading rumours and other unverified information is not regulated as such. However, if related to financial instruments that are traded on regulated markets, MTFs or OTFs, or certain other instruments, it may trigger the application of the market abuse framework. If disseminating rumours and other unverified information leads to market manipulation (eg, it is likely to give false or misleading information on, for example, the price of a financial instrument), it may constitute a breach of the MAR subject to administrative or even criminal sanctions.

Additional obligations in this respect arise from other pieces of legislation such as MiFID II and its supplementing regulations (eg, Commission Delegated Regulation (EU) 2017/565) or the Prospectus Regulation), which set further standards for the provision of fair, clear and not misleading information.

As MAR also applies to persons who act in collaboration to commit market abuse, companies operating financial research platforms should pay attention to behaviour occurring on their platform, especially behaviour related to financial instruments, and take appropriate measures to avoid being held liable for collaborating with such unlawful activities. In addition, platforms may be soon subject to obligations set forth in MICA, which addresses market abuse in relation to crypto-assets.

A possible option could be to grant the platform the right in the contractual terms to edit or delete posts or conversations that could constitute market abuse and/or to prevent persons disseminating such information from accessing the platform.

The underwriting process for insurtech companies in the Czech Republic is subject to the same regulation applicable to traditional insurance companies.

In practice, insurtech companies usually operate as independent insurance intermediaries or tied agents. While the former requires a licence from the CNB, a registration is sufficient for the latter.

Regardless of the operational structure of the insurtech company, it must comply with the rules of conduct contained in the Insurance Act, including acting in the best interest of the customer and meeting the pre-contractual and contractual information obligations. Furthermore, for online underwriting processes, which are the most used by insurtechs, where the insured person is a consumer, the consumer protection provisions containing specific information obligations apply.

In the Czech Republic, insurance undertakings may not carry on simultaneous life and non-life insurance business, except for the simultaneous provision of life insurance with accident and sickness insurance.

Furthermore, different regulatory requirements apply to distribution of life and non-life insurance products, with the most stringent requirements applying to insurance-based insurance products (eg, specific pre-contractual and contractual obligations, appropriateness tests, conflicts of interests or remuneration policy rules).

Although regtech providers are not specifically regulated in the Czech Republic, they may be subject to the existing regulatory framework depending on the services provided.

Since regtech providers typically focus on technical solutions that help regulated entities meet their legal obligations more easily and efficiently, rather than on the provision of regulated financial services, they are in most cases not regulated.

However, exceptions exist for activities such as legal services or electronic identification and trust services. In such cases, it is necessary to comply with all relevant regulations, including obtaining the appropriate authorisation.

If a regulated entity engages regtech providers for part of its functions that it would otherwise undertake itself, the relevant regulatory and soft law requirements for outsourcing must be complied with (see 2.7 Outsourcing of Regulated Functions). As noted, the extent of the applicable requirements depends on the type of regulated entity and the type of outsourced function, including whether critical or important.

Although the Czech Republic has been very active in the blockchain field, this activity has come mainly from fintech companies. Traditional players are still rather reserved in implementing blockchain into their operations or service/product offerings.

However, an interesting project developed in the field of blockchain in the Czech Republic is the ElA blockchain of the Electrotechnical Association of the Czech Republic. The EIA blockchain brings together both private entities (eg, IBM) and state institutions (eg, the Ministry of Industry and Trade of the Czech Republic). The EIA blockchain aims to serve as a trusted platform for the registration of documents or transactions as well as a public authority for the registration of digital property. The basic application is the Blockchain Notarius application used to verify the authenticity of documents (eg, business contracts or quality certificates).

In addition, it can be expected that with MiCA coming into force, the interest of traditional players will increase. One reason for this is the clear rules for crypto-related activities, and therefore the greater degree of legal certainty that MiCA brings. Another is the simplified conditions for traditional players to enter the sector.

The CNB’s main activity consists of issuing opinions to clarify existing legislation, for example, in which cases it is necessary to obtain authorisation from the CNB to carry out activities related to certain crypto-assets. It has also issued several warnings about companies that are active in the crypto-assets sector and are not properly authorised to do so.

In connection with MiCA, the CNB has recently invited entities that are considering obtaining a licence under MICA to communicate their interest to it. The objective is to use the information to organise and co-ordinate the CNB’s activities to ensure smooth implementation of MiCA in the Czech Republic, including informing entities interested in obtaining a MiCA license about the CNB’s upcoming educational activities in this area.

The Czech regulatory framework does not provide for a single legal definition or classification of blockchain assets. Instead, the terms used in this context vary. The Czech AML/CFT legislation uses the term “virtual assets” (formerly “virtual currencies”) for its purposes. The definition is very broad as it essentially covers all electronically storable or transferable units with a payment, exchange or investment function, whether or not they have an issuer, unless they fall into one of the excluded more traditional asset classes (eg, securities, financial instruments or a unit by which payment is made only in the limited network under PSA).

On the contrary, the CNB and the EU authorities work with the term “crypto-assets”. In addition, the CNB defines a specific subcategory of crypto-assets, the so-called “exchange tokens”, the defining feature of which is that they do not grant the owner any rights against another person and allow only transfers within one or more distributed registries (eg, bitcoin).

Notwithstanding the difference in terminology, whether a crypto-asset qualifies as a form of regulated financial instrument depends on the nature of the asset. Therefore, a case-by-case assessment is necessary for proper legal classification.

Any crypto-assets that meet the characteristics of a financial instrument within the meaning of the CMBA, or electronic money under PSA, will qualify and be regulated as such under the respective regulatory framework. In 2023, the definition of a financial instrument in the Czech Republic was amended to include instruments issued through DLT, following amendments to MiFID II in this regard. However, as the term financial instrument has not been implemented uniformly in the national legislation of EU member states, the classification of individual crypto-assets as financial instruments may vary across the EU.

On the other hand, if crypto-assets qualify as virtual assets, persons providing services in relation to these assets are subject to the relevant obligations set out in the AML/CFT legislation.

Furthermore, from 2024, crypto-assets that are not already subject to the existing financial regulatory framework and that meet the definition set out in MiCA will be covered by it. MiCA defines a crypto-asset as a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology. In addition, MiCA distinguishes between asset-referenced tokens, electronic money tokens and utility tokens.

As described in 12.3 Classification of Blockchain Assets, the regulation of issuers as well as initial sales of blockchain assets depends on the legal classification of blockchain assets.

If the blockchain assets qualify as virtual assets under AML/CFT legislation, the issuer of these assets is only required to notify the Czech Trade Licence Office and comply with the AML/CFT and consumer protection legislation. However, the notification regime will become obsolete with MiCA, as issuers of crypto-assets not covered by the existing financial services legislation, including virtual assets, will be subject to the obligations set out in MiCA (eg, to draft, notify and publish a white paper).

On the other hand, if the blockchain assets qualify as financial instruments, the existing financial services legislation applies (eg, MiFID II, MAR or Prospectus Regulation). The issuer of blockchain assets that qualify as transferable securities is required to prepare and publish a prospectus, which must be approved by the CNB prior to public issuance of such assets, unless an exemption applies (eg, it is addressed solely to qualified investors or to fewer than 150 non-qualified investors per member state).

In case of blockchain assets that meet the definition of electronic money, PSA applies.

As described in 12.3 Classification of Blockchain Assets, the regulation of blockchain asset trading platforms, as well as the secondary market trading of blockchain assets, depends on the legal classification of the traded blockchain assets.

In case of classification as virtual assets under AML/CFT legislation, compliance with the notification regime to the Czech Trade Licence Office and with the AML/CFT. Once MiCA enters into force, platforms trading such crypto-assets will be subject to authorisation requirements under MiCA. However, persons that will have registered as a CASP before 30 December 2024, will be allowed to benefit from the transitional regime under MiCA and thus to provide their services until mid-2026.

Instead, if blockchain assets qualify as financial instruments, the platform trading these assets must obtain an authorisation to operate either as a regulated market, a MTF or an OTF. Under the DLT Pilot, MTFs may apply for an authorisation to operate a DLT MTF and obtain temporary exemptions from certain existing requirements of EU financial services legislation to test innovative solutions based on DLT on capital markets. The DLT Pilot is only open to certain blockchain assets that qualify as financial instruments (in essence, only asset with low market value/capitalization/issue size).

However, decentralised peer-to-peer platforms trading blockchain assets might fall outside the scope of the EU regulation.

In addition, where the operation of the blockchain asset trading platform involves activities such as accepting fiat currency from buyers or transmitting fiat currency to sellers, an authorisation under PSA for provision of payment services may be required.

The activity of investment funds, including those investing in crypto-assets, is regulated under the AMCIF in the Czech Republic.

The CNB has recently issued an opinion on the possibility for investment funds to invest in crypto-assets. The opinion only discusses crypto-assets that do not qualify as financial instruments, as otherwise the standard rules governing investments in financial instruments apply.

Pursuant to the CNB position, only investment funds for qualified investors may invest in crypto-assets as their investment policy is not regulated by the legislation. On the other hand, funds that are offered to retail investors; ie, standard (UCITS) or special investment funds (AIF), cannot invest in crypto-assets due to the limited scope of permissible assets they can acquire.

Please see 12.3 Classification of Blockchain Assets.

Please see 8.5 Decentralised Finance (DeFi).

There is no specific regulation regarding non-fungible tokens (NFTs) and NFT platforms in the Czech Republic. This is mainly because NFTs have a great variety of characteristics and purposes that may require different levels of regulation. However, depending on the characteristics of the NFT, including its purpose and the rights and assets it represents, it may fall within the scope of existing financial services regulation. A case-by-case analysis is therefore necessary.

Although NFTs will generally be excluded from the scope of MiCA, there may be cases where MiCA is applicable (eg, fractional parts of NFTs or NFTs in large series) and therefore platforms offering such assets will have to obtain an authorisation as a CASP.       

As a result of the transposition of PSD2 into Czech law, credit institutions are required to allow authorised third parties to access their customers’ payment data via a secure application programming interface (API). This has opened the EU payment market to innovative payment services providers relying on access to payment accounts (payment initiation services and account information services), allowing for more competition.

However, as open banking remains limited in the Czech Republic and in the EU in general, legislative changes will be introduced under the forthcoming PSD3/PSR/FIDA framework to, inter alia, strengthen open banking and open finance more generally.

Since open banking relies on sharing customers’ personal data, it poses various data protection and security risks, including data hacking or cyber-attacks on APIs.

For this reason, both credit institutions and other payment service providers are subject to strict technical security and data protection requirements imposed by the PSD2 and GDPR. For example, the processing of personal data under PSD2 requires explicit customer consent. In addition, from 2025, DORA requirements will apply to credit institutions and payment service providers regarding the security of their ICT systems and contractual arrangements with ICT third-party service providers, including providers of payment-processing activities or operating payment infrastructures.

However, as the open banking sector in the Czech Republic is still young and small, it remains to be seen how banks and technology providers deal with the concerns that open banking raises.

The most commonly used forms of fraud in the Czech Republic are phishing (eg, in SMS messages (smishing) or e-mails that are supposed to look like legitimate communications from the respective institution/authority) and vishing (via fraudulent phone calls attacking basic emotions). In the case of phishing, the victims click through to fraudulent websites, where they most often enter their login details, thereby revealing them to the fraudsters, who then carry out fraudulent transactions themselves. In the event of vishing, the caller impersonates, for example, a police officer or a bank employee, and manipulates the victim into taking actions that enable the fraud to be carried out (eg, disclosing data or installing a spying application). In such a case, the number may mimic the number of the calling institution/authority (so-called spoofing).

The sole purpose of these scams is to obtain sensitive data and misuse it. Fraudsters’ practices are becoming more sophisticated as they use new manipulative techniques to target victims’ emotions and continually innovate their forms of attack. At the same time, victims provide unwitting co-operation (eg, through online activity that leaves a digital trail on which fraudsters can better target the attack scenario), making attacks easier.

The regulator’s main focus is on payment fraud (eg, fraud mentioned in 14.1 Elements of Fraud).