Fintech 2024

Last Updated March 21, 2024

Czech Republic

Law and Practice

Authors



FINREG PARTNERS is a leading independent law firm specialising in providing legal advice within the financial sector. Established in 2018 by experts in financial services and capital markets, FINREG PARTNERS has expanded to include legal professionals from major Czech and international law firms, alongside regulatory specialists. Headquartered in Prague, the firm has a diverse clientele, ranging from innovative startups to established international groups and financial institutions. A key focus area is its fintech practice, where the dedicated team offers expert advisory services throughout all stages of fintech projects. This includes comprehensive assistance during investment financing rounds and M&A transactions, blending in-depth knowledge of financial regulation with a profound understanding of digital technologies. The firm has earned particular acclaim in the area of licensing proceedings at the Czech National Bank, aiding clients in obtaining the first licence under PSD2 of its kind and the pioneering crowdfunding licence in the Czech Republic.

Last Year’s Evolution of the Czech Fintech Market

2023 was a tough year for the Czech fintech sector, with high input prices and interest rates, little investment, and significant savings on the user side. Despite all this, Czech fintech companies managed notable achievements, from record investments in certain investment rounds to top placings in international competitions.

Moreover, towards the end of 2023, the situation for Czech fintech companies, as well as other companies, started to improve significantly with receding inflation rates, falling interest rates and increasing investor appetite. The stronger investment activity in the last quarter of 2023 suggests that optimism is returning to the Czech market, which will hopefully continue in the coming years. Thus, 2024 could be a very interesting year for the Czech fintech scene in terms of investment.

Issues That are Likely to Affect the Czech Fintech Market Next Year

Digital finance package

Regarding the regulatory environment in the coming year, it will be crucial how the “Digital Finance Package”, consisting of MiCA (Regulation 2023/1114), DORA (Regulation 2022/2554) and the DLT Pilot (Regulation 2022/858), will be implemented and applied in the Czech Republic.

DORA, which will come into force in January 2025, will affect the financial sector the most as it sets out various new obligations for all financial market participants such as payment institutions, investment firms or crypto-asset service providers (CASPs), most of which will find it challenging to comply. In addition, CASPs, as well as issuers of crypto-assets, will be impacted by MiCA, which will come into full force in December 2024. MiCA introduces a very complex authorisation regime for CASPs and strict transparency requirements for crypto-asset issuers. In contrast, the DLT Pilot, which is already effective, brings greater flexibility to the EU financial sector by establishing a regulatory sandbox that allows firms to experiment with trading and settlement of DLT financial instruments, provided they are properly authorised.

Other legislation

Other legislative pieces, either in force or in preparation, that are likely to affect the Czech fintech market in the coming months and years include:

  • the Crowdfunding Regulation (Regulation 2020/1503), which sets out rules for lending-based and investment-based crowdfunding platforms;
  • the ESG legislative framework, laying down extensive disclosure obligations for both financial and non-financial market participants;
  • the AI Act, which will establish obligations for providers and users of all types of AI products and services depending on the associated level of risk;
  • the revised MiFID II/MiFIR framework, which should increase the transparency and competitiveness of the EU financial sector; or
  • the PSD3/PSR/FIDA framework, which aims to address new security risks, strengthen open banking and move towards open finance, level the playing field between banks and non-banking payment services providers and improve harmonisation across the EU.

Czech fintech companies cover various business models, but the payment vertical is predominant (eg, mobile-based payment services, including payment gates or QR code payments, payment terminal solutions or payment models combining affiliate marketing with philanthropy). Personal finances (eg, income and expenses monitoring, buy-now-pay-later or pay anytime solutions) and accounting and cashflow (eg, automation and digitisation of accounting or online invoice financing) are also very popular.

Peer-to-peer investments, including lending-based and investment-based crowdfunding platforms, are also well represented in the local market. However, only three companies have so far been licensed in the lending-based model and no company in the investment-based model under the new Crowdfunding Regulation. Finally, online brokers, crypto-asset service providers and insurtech companies are well-established in the Czech fintech market too.

Although the local fintech market is dominated by start-ups, some legacy players, such as large banking or investment groups, are also active in the sector. While some of them have set up fintech companies to offer innovative solutions in-house, others provide these services by partnering with fintech players.

The regulatory regime applicable to industry participants in the Czech Republic depends on the particular business model. The main laws applicable under the existing financial services regulatory framework are as follows:

  • payment service providers and e-money institutions are regulated by the Czech Payment Services Act (PSA), which implements PSD2 (Directive 2015/2366) and EMD2 (Directive 2009/110/EC);
  • investment firms and investment intermediaries are governed by the Act on Capital Market Business (CMBA), which implements a wide range of EU legislative acts such as MiFID II (Directive 2014/65/EU), MiFIR (Regulation 600/2014), the Prospectus Regulation (Regulation 2017/1129), MAR (Regulation 596/2014), DORA, MiCA, the DLT Pilot, etc;
  • investment funds and management companies are subject to the Act on Management Companies and Investment Funds (AMCIF), which implements AIFMD (Directive 2011/61/EU) and UCITS Directive (Directive 2009/65/EC);
  • lending-based and investment-based crowdfunding providers are regulated by the Crowdfunding Regulation;
  • insurance companies and insurance intermediaries are subject to the Insurance Act and the Insurance and Reinsurance Distribution Act;
  • consumer credit originators and intermediaries are subject to the Act on Consumer Credit;
  • crypto-asset service providers are regulated by the Trade Licensing Act; and
  • AML/CFT requirements are laid down in the Act on Certain Measures against the Legalization of the Proceeds of Crime and the Financing of Terrorism, which implements the fourth AML Directive (Directive 2015/849/EU), as amended, and in the Act on the implementation of international sanctions.

The types of compensation models that industry participants can use to charge customers depend on the regulatory status, the service provided and the customer type. Different types of business models are subject to different regulatory requirements, including disclosure obligations.

Compensation Models

The compensation models most commonly used by Czech industry participants in the field of investment services are the commission-based model and the fee-based model, with the main difference between the two models lying in who the industry participant receives the fee from (the product provider or the customer). In payment services, the fee-based model is the most important, where the fees are calculated either per transaction or on a recurring basis, or a combination thereof.

Disclosure and other obligations related to compensation models

In general, regulated entities (eg, payment institutions or investment firms) are subject to certain pre-contractual and ongoing information requirements, including a full disclosure of the fees that are charged by them. The disclosure obligation is stricter when the recipient of the service is a consumer, which results from local legislation implementing EU consumer protection law (eg, the Consumer Credit Directive (Directive 2008/48/EC) or the Distance Marketing of Consumer Financial Services Directive (Directive 2002/65/EC)). Regulated entities are usually also subject to conflicts of interest rules, which may affect the compensation models used.

Furthermore, specific rules apply to the provision and receipt of inducements. These rules aim to ensure that the service provider acts in the best interests of the customer and to avoid conflicts of interest.

In the field of investment services, including some pension products, an inducement received from or provided to third parties other than customers is only permissible if (i) it is intended to contribute to improving the quality of the service/product provided or (ii) it facilitates the provision of the service or is necessary for that purpose, provided that it is properly disclosed and it does not conflict with the service provider’s obligation to act in the customer’s best interest. In addition, inducements shall be excluded, subject to exceptions, in the case of investment advisory services provided independently or portfolio management services.

In accordance with the principle of technological neutrality, there is no specific regulation of the fintech sector in the Czech Republic. If a fintech company falls under the scope of a particular regulation, it is subject to the relevant requirements as in the case of legacy players.

In 2019, a FinTech Contact Point within the Czech National Bank (CNB) was established, which is focused on fintech regulatory matters. The aim is to promote the introduction of innovative technologies on the Czech financial market through more active communication with legacy players and fintech companies. In addition, the CNB organises regular meetings with the fintech community and the wider public, as well as roundtables on fintech-specific topics.

Furthermore, the establishment of a sandbox focused on fintech and De-Fi is currently being discussed in the Czech Republic. The aim of this sandbox will be to accelerate the launch of innovative services in regulated industries in a safe and secure manner. It should provide fintech startups with datasets on which to test their ideas, as well as close contact with public authorities and advice from independent experts. It is expected that many stakeholders will be involved, including the Czech Fintech Association, Ministry of Finance, CzechInvest agency, and others. The project is expected to be launched in 2023.

The CNB is a financial services regulator with jurisdiction over all financial industry participants. It is responsible for the authorisation and supervision of financial services providers, which it exercises both from a prudential and a conduct of business perspective. Besides the CNB, the Financial Analytical Office (FAO) is the body responsible for AML/CFT supervision. As regards financial services providers, AML/CFT supervision is divided between the CNB and the FAO.

In addition, Czech national authorities co-operate with European regulators such as the European Central Bank (ECB), the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), which have jurisdiction in their respective areas and directly supervise certain industry participants (eg, in the case of significant credit institutions, the ECB).

Outsourcing of regulated functions to external service providers is permitted provided that the relevant regulatory requirements are met.

While the specific requirements applicable to outsourcing arrangements vary depending on the regulated activity performed and its scope (eg, investment or payment services), there are several general principles that can be applied to almost any regulated financial service. These principles stem mainly from MiFID II, PSD2, relevant outsourcing guidelines adopted at EU level, such as the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-157-2403) and the implementing domestic laws.

In general, the regulated entity should consider and address the risks posed by outsourcing arrangements before deciding on the outsourcing itself. Therefore, thorough due diligence should be carried out on the potential service provider to ensure that it has the appropriate skills, experience, and resources to properly perform the outsourced services.

In addition, the regulated entity must have a written outsourcing policy in place and ensure at all times that outsourcing arrangements do not affect its ability to fulfil its legal obligations nor the competent authority’s ability to supervise it, as outsourcing does not relieve it of responsibility to clients or third parties for the provision of the regulated services. Furthermore, a written outsourcing contract must be concluded between the regulated entity and the outsourced service provider, containing specific mandatory provisions (eg, on data protection and security, the right of both the regulated entity and the competent authorities to monitor and audit the outsourcing provider, or the termination rights of the regulated entity). More stringent requirements apply to the outsourcing of critical or important functions (eg, risk management, ICT or AML).

When DORA comes into force in January 2025, almost all regulated financial institutions will be subject to new, stricter requirements for outsourcing ICT services.

In general, the fintech provider’s liability for activities on its platform arises from the AML/CFT legislation as most activities carried out by fintech companies fall within its scope. In such a case, the fintech provider must comply with the requirements set forth therein, such as conducting customer identification and due diligence before entering a contractual relationship or executing a trade or actively monitoring its customer’s relationships.

In addition, a large fintech company may be subject to additional obligations if designated as a gatekeeper under the Digital Markets Act (Regulation 2022/1925).

The CNB has an extensive set of sanctioning instruments that can be imposed on entities subject to its supervision. The most significant sanction consists in the revocation of a licence, which can be imposed, for example, for inactivity for more than six months or for serious breaches of legal obligations.

In recent years, the CNB has taken enforcement actions against regulated entities, including fintech companies, for a range of breaches of the law. Recent sanctions imposed on some fintech companies include fines for failures to comply with the rules on investment funds and management companies, the provision of investment services and AML/CFT. In addition, the CNB uses the practice of “naming and shaming” by publishing all or at least parts of its decisions on its website.

Data Protection

Regardless of the sector, fintech companies that process personal data must comply with the GDPR (Regulation 2016/679) as well as the ePrivacy Directive (Directive 2002/58/EC) as implemented into national law. In addition, some fintech companies may soon be subject to the newly adopted Data Act (Regulation 2023/2854), which focuses on data sharing and compensation, the main part of which shall apply from September 2025.

Cybersecurity

Given fintech companies’ dependence on technology, cybersecurity plays a very important role in their businesses. Although there are no specific requirements for fintech companies, they must comply with the relevant requirements under applicable sectoral laws (eg, payments, investments or insurance), including having robust security measures in place to manage risks related to information and communication technologies (ICT).

In addition, from 2025, all financial service providers will have to adhere to the strict ICT security requirements imposed by DORA (including ICT risk management, ICT incident classification and reporting and third-party ICT risk monitoring). The relevant requirements will be proportionate to the potential risk posed by the respective entity.

Finally, the NIS2 Directive (Directive 2022/2555), which repeals the NIS Directive (Directive 2016/1148) as of October 2024, is also important for some larger companies in the financial sector that provide essential services in the field of cybersecurity (ie, ensuring the proper functioning of the market) as they are subject to specific obligations (eg, vulnerability detection or incident reporting).

Social Media Content

In the field of social media and advertising in general, copyright and advertising laws are particularly important. In addition, the Digital Services Act (Regulation 2022/2065) and the Digital Markets Act may apply. While the DSA regulates intermediaries offering services such as online marketplaces, cloud services or social media platforms, and its key objective is to prevent illegal and harmful activities online, the DMA sets out rules to prevent unfair practices by large online platforms (the so-called “gatekeepers”) that are deemed to be too important to be left unregulated.

Consumer Protection Legislation

Local consumer protection legislation, such as the Consumer Credit Act or the Civil Code, which implement various EU directives, is also relevant for industry players that target consumers.

Most entities with large-scale operations or regulated activities are required to have their financial statements reviewed by a qualified external auditing firm. In addition, some regulated entities such as banks, payment institutions or investment firms are required to set up compliance, internal risk control and internal audit functions. Some regulated entities are even obliged to subject some of their activities to specific external audits (eg, measures taken by an investment firm to protect customer assets).

Besides regulators and auditing firms, a wide range of authorities, such as tax authorities, the Financial Arbitrator, the Czech Trade Inspection Authority, the Personal Data Protection Office, the Office for the Protection of Competition or the National Cyber and Information Security Agency, may review the activities of industry participants throughout their life cycle.

Although not common in the Czech Republic, industry participants are, in principle, allowed to offer both regulated and unregulated products and services. However, the scope of unregulated activities that a regulated entity may undertake, and the conditions thereof, vary depending on its status.

In some cases (eg, payment institutions or investment firms), prior approval of the CNB is required. In such cases, the CNB may impose certain conditions or even require that these additional activities be performed via a separate entity if, for example, the additional activities could interfere with the effective supervision of the regulated entity.

As mentioned in 2.8 Gatekeeper Liability, most activities carried out by fintech companies, whether regulated or unregulated, are subject to Czech AML/CFT legislation. One of the reasons for such a broad scope of AML/CFT legislation is that the Czech Republic used some gold-plating when transposing the fifth AML Directive, and therefore all CASPs already fall under its scope as of 2021.

The majority of fintech providers must thus comply with the relevant requirements set forth in the Czech AML/CFT legislation. All entities that are subject to AML/CFT legislation are also required to comply with national and international sanctions legislation. In 2023, a national sanctions list was introduced in the Czech Republic, which exists in parallel with the international sanctions lists such as the EU and FATF lists. All persons subject to the AML/CFT legislation are obliged to check whether any of their clients and other relevant persons (eg, beneficial owners of the client) appear on one of these lists and take adequate action (eg, report suspicious transactions) where appropriate.

In addition, because of the revision of the EU Transfer of Funds Regulation (TFR), which will enter into force in January 2025, CASPs will be required to accompany transfers of crypto-assets with specific information on originators and beneficiaries. Furthermore, the TFR introduces an obligation for CASPs to have internal procedures in place to detect suspicious crypto-asset transactions and to ensure restrictive measures are implemented.

Although provision of robo-advisory services in relation to some asset classes does not constitute a licensable activity (eg, certain crypto-assets or loans), robo-advisory activities are normally provided in relation to asset classes such as shares, bonds or units in collective investment undertakings (eg, ETFs) which qualify as “financial instruments” regulated under CMBA.

Provision of robo-advisory activities in relation to financial instruments often constitutes provision of investment services relating to financial instruments (usually investment advice and/or portfolio management), which are licensable activities under the CMBA. For the provision of portfolio management, an authorisation as an investment firm is required, unless an exemption applies, while for the provision of investment advice, the light-touch licensing regime of the so-called investment intermediary can be used. Alternatively, a licence obtained under other sectoral legislation (eg, banking or investment funds) may be leveraged to provide robo-advisory services constituting investment services, provided that such investment services are covered by the respective licence.

There are only a few legacy players in the Czech Republic which have already implemented robo-advisers in their business. One of the largest Czech banks, Československá obchodní banka, a.s. (ČSOB), was among the first in the Czech Republic to introduce a robo-advisory service to help its clients build an investment portfolio. Some other traditional players have integrated robo-advisory into their business through start-ups from the business group. However, the Czech market for robo-advisory services is still very small.

The application of the best execution obligation to robo-advisers depends on whether they provide a regulated investment service and what role they play in executing their clients’ orders. When the robo-advisory activities constitute the provision of an investment service of either execution of orders on behalf of clients, reception and transmission of orders or portfolio management, the entity providing such service is subject to the “best execution” obligation in the same way as entities using human advisers. It means that the robo-advisory firm is required to take all reasonable steps to ensure that the client’s orders are executed on terms most favourable to them. The scope of the requirements depends on the type of investment service provided. In addition, the general duty to act in the best interest of the client applies to all investment firms that provide investment services.

There are significant differences in the regulation of commercial lending, including to SMEs, and consumer lending in the Czech Republic. While commercial lending activities do not trigger a licensing requirement, consumer lending activities are highly regulated.

However, regardless of the entity to which lending activities are directed, lending as well as loan intermediation is a designated activity under the Czech AML/CFT legislation, which subjects the lender/intermediary to the requirements set out therein.

Commercial Lending

Commercial lending is not covered by any special regulatory regime in the Czech Republic, unless provided by banks or credit institutions. This area is regulated primarily by the general rules laid down in the Czech Civil Code. Although the parties to the loan contract are largely free to agree the terms they wish to include in their contracts, they must not waive/deviate from certain provisions of the law to the detriment of the “weaker party”.

Consumer Lending

Lending activities such as provision and intermediation of credit to consumers may only be provided with an appropriate licence. The Consumer Credit Act provides consumers with high levels of protection by laying down comprehensive rules for areas such as pre-contractual and ongoing information, contract form and content, and credit checks. In essence, the disclosure obligations consist in providing the consumer with the information needed to compare different offers to make an informed decision on whether to conclude a credit agreement. In addition, the law gives consumers various rights such as the right of early repayment and the right of withdrawal.

Crowdfunding

Lending-based crowdfunding services are specifically regulated in the Crowdfunding Regulation. This regulation subjects crowdfunding service providers to licensing requirements and gives investors various rights, such as a pre-contractual reflection period for revoking an investment offer.

Underwriting processes used by industry participants may differ depending on the type of lender, the type of borrower and the type of credit.

AML/CFT Legislation

All financial entities, including professional lenders and loan intermediaries, are subject to the Czech AML/CFT legislation. Therefore, obligations such as customer identification and due diligence and risk assessment of the business relationship apply in the underwriting process.

Consumer Lending

As mentioned in 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities, unlike commercial lending, consumer lending activities are highly regulated. One of the key obligations in the underwriting process is to carry out a creditworthiness assessment on a potential borrower, based on sufficient reliable information. For these purposes, the consumer is obliged to provide all necessary information (eg, information on the consumer’s financial and economic situation).

Besides the information provided by the consumer, lenders/intermediaries typically rely on information available in external databases (eg, Bank Customer Information Register) to assess the creditworthiness of the borrower according to its internal risk classification procedure. In practice, use of automated profiling and decision-making tools is not uncommon.

In addition, to limit the risks of the banking business, which is important for the functioning of the whole economy, banks are obliged to comply with strict prudential rules, including on capital adequacy and exposure rules. The prudential rules are based on recommendations of the Basel Committee on Banking Supervision of the Bank for International Settlements and EU acts.

There are various sources of funds used by lenders to make loans, such as taking deposits, lender-raised capital (eg, from private investors) or peer-to-peer. Depending on the source of funds, different regulatory requirements apply. The most onerous requirements apply to deposit-taking, which triggers a requirement for a credit institution licence. For public offerings of financial instruments such as shares or bonds, prospectus requirements are relevant, unless an exemption applies. Raising funds via lending-based or investment-based crowdfunding platforms is subject to the Crowdfunding Regulation.

On the other hand, regulatory requirements associated with many sources of funds used for provision of loans (eg, factoring) are not very burdensome, as only registration with the relevant Czech Trade Licence Office and compliance with the applicable requirements of the AML/CFT legislation mostly suffice.

Since loan syndication is typically used to finance large projects that are not usually closed online, the process is mainly used by legacy players such as large banks. In contrast, consumer loans or loans to small businesses are generally not syndicated. However, when syndication of loans provided by fintech platforms does occur, it is usually done by transferring credit risk to third parties via sub-participation. Depending on the relevant structure, it may be subject to investment funds or investment services regulation.

In general, payment processors are free to either use existing payment rails or to implement or create new ones. However, an authorisation from the CNB would be required to process payments, unless an exemption applies.

In the Czech Republic, the only payment system that is covered by PSA, which implements the Settlement Finality Directive (Directive 98/26/EC), is the Czech Express Real Time Interbank Gross Settlement system (CERTIS), which is the only interbank payment system that processes interbank payments in Czech crowns.

Cross-border payments and remittances constitute payment services. Therefore, they are primarily regulated by PSA.

Since the Czech Republic is part of the Single Euro Payments Area (SEPA), SEPA Regulation (Regulation 260/2012) also applies. This regulation is especially relevant for cross-border payments as it seeks to ensure that cross-border cashless euro payments across the EU as well as several non-EU countries can be made in a similar way to that of domestic payments.

In addition, Regulation (EU) 2021/1230 on cross-border payments in the Union establishes the principle that charges for cross-border euro payments are the same as for corresponding national payments within the EU. For card-based payments, Regulation (EU) 2015/751 is also relevant as it caps interchange fees for consumer debit and credit cards.

Fund administrators as well as fund management companies are regulated by the AMCIF. Different rules apply to fund administrators depending on the type of activities performed and the type of the fund they administer. Only a person with appropriate authorisation from the CNB may be a fund administrator, unless an exemption applies.

The basic (minimum) elements of the contract on administration concluded between the fund administrator and the fund manager, such as the written form, the rules for co-operation so that both can fulfil their legal obligations or the (im)possibility for the administrator to delegate (outsource) the performance of certain activities to another, are regulated directly in the AMCIF.

There are various types of marketplaces and trading platforms for the trading of different types of assets (eg, financial instruments or crypto-assets) in the Czech Republic. The applicable regulatory regime depends on the nature of the traded assets.

Exchanges for Financial Instruments

If the traded assets qualify as financial instruments under the CMBA (eg, bonds or shares), the trading platform is required to be authorised by the CNB to operate either a regulated market, a multilateral trading facility (MTF) or an organised trading facility (OTF). Regulated markets are subject to the most onerous requirements. There are only two entities authorised to operate a regulated market in the Czech Republic, Burza cenných papírů Praha, a.s. and RM-SYSTÉM, česká burza cenných papírů a.s.

With the entry into force of the DLT Pilot in 2023, a special, more flexible regime for financial instruments issued through distributed ledger technology (DLT) was introduced to allow for a degree of experimentation with the issuance, trading and settlement of tokenised financial instruments.

Crowdfunding Platforms

The operation of a lending-based or investment-based crowdfunding platform is subject to authorisation under the Crowdfunding Regulation (see 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities). However, this regulation does not cover models trading assignment of receivables originally granted by the crowdfunding platform, or models where a crowdfunding platform grants loans on its own account and at its own risk. These activities may be subject to other relevant regulation, such as regulation of investment services or investment funds.

Crypto-Asset Exchanges

The provision of crypto-asset related services, including operation of a crypto-asset exchange, is subject only to a prior notification to the Czech Trade Office (this regime applies only to crypto-assets that are not financial instruments). However, this will change with MiCA, under which crypto-asset exchanges and other CASPs will have to obtain a licence. As the licensing requirements for CASPs will be quite complex, the number of CASPs is likely to decrease significantly in the Czech Republic. On the upside, the CASP licence will be valid throughout the entire EU.

Depending on the nature of the asset and its level of complexity and associated risks, different regulatory regimes apply to different asset classes. For example, platforms that trade financial instruments must be authorised under the CMBA, or the DLT Pilot in the case of financial instruments issued on DLT, whereas platforms trading other assets, such as some crypto-assets, may only be subject to the notification regime. In addition, as regards the trading of financial instruments, there are differences in terms of different categories of financial instruments (eg, only bonds, emission allowances, structured finance products and derivatives can be traded on OTFs). Furthermore, trading in contracts for difference (CFDs) was restricted in 2019 for retail clients by the CNB’s provision of general nature.

The emergence of cryptocurrency exchanges and the significance of the crypto sector have strongly influenced regulation, as they have led to the adoption of new regulations or the revision of some existing ones.

AML

Given the very rapid development in the field of crypto-assets and their increasing use on the market, the Czech Republic decided to gold-plate some provisions of the fifth AML Directive. As a result, all CASPs fall under the scope of the Czech AML/CFT legislation as of 2021. In addition, CASPs are subject to a special requirement on the integrity of the provider, its beneficial owner and members of its statutory body.

MiCA

The most important regulatory change for the entire crypto-asset sector lies in MiCA, which will regulate almost all crypto-assets that do not fall under one of the existing asset categories regulated by EU law (eg, financial instruments or deposits). When MiCA comes into force in 2024, the provision of crypto-asset services, as well as issuance and public offering of crypto-assets, will become highly regulated.

In general, for the public offering of crypto-assets, a white paper, which is an information document similar to a prospectus, will need to be prepared and published. In addition, some crypto-assets, specifically stablecoins, will only be permitted to be issued by licensed entities.

An authorisation will also be required to provide crypto-asset related services such as operation of a crypto-asset exchange or providing advice on crypto-assets. The licensing regime will be similar to that of other financial service providers (eg, investment firms) and the scope of applicable requirements will depend on the service provided. It is worth noting that all CASPs will be obliged to have in place resilient and secure ICT systems as required by DORA.

Listing standards vary depending on the relevant trading system and the type of assets traded. While listing on unregulated exchanges, such as crypto-asset exchanges, is not subject to any specific regulatory framework, listing of financial instruments on trading venues under the CMBA is highly regulated.

The CMBA requires trading venue operators to have transparent rules for trading, admission of financial instruments to trading and access to the trading venue. The criteria used for admission of financial instruments to trade on their system, for access to the system and for execution of orders, shall be objective. Furthermore, the trading rules must ensure fair and orderly trading.

Besides the rules set out in the CMBA, each trading venue operator establishes its own, usually quite detailed, listing rules, which are published on the market operator’s website (eg, the Rules and Regulations of the Prague Stock Exchange). Trading in MTFs and OTFs is generally subject to less onerous requirements than trading on regulated markets.

Entities that execute orders for financial instruments on behalf of their clients are subject to order handling rules set out in the CMBA.

In general, they must have procedures and arrangements in place to ensure the prompt, fair and expeditious execution of clients’ orders. Orders shall be executed in the order in which they are received unless an exemption applies. If any material difficulty arises which is relevant for the proper prompt execution of orders, the retail client must be informed. In addition, in the absence of any specific client instruction, entities executing clients’ orders must take all reasonable steps to achieve the best possible result for their clients. The firm’s order execution policy must specify how the best possible result will be achieved when executing client orders.

Furthermore, the CMBA provides for specific order handling rules for regulated markets, MTFs and OTFs.

On the contrary, entities that are not regulated by the CMBA are not subject to any specific regulatory framework as regards order handling.

Although the activity of peer-to-peer trading platforms is not very widespread on the Czech financial market, there has been a fairly significant rise of such platforms, usually operated by fintech companies, in recent years. Their major footprint can be seen in the field of lending-based and investment-based crowdfunding platforms and in the crypto sector. The proliferation of peer-to-peer platforms in the field of crypto-assets, or digital assets more generally, is one of the reasons why the DLT Pilot was introduced. However, due to their still-low transaction volumes, peer-to-peer platforms do not yet present much competition for traditional players.

One of the regulatory challenges could be to align the regime of these platforms with that of payment services, as their activities very often involve the transfer of funds on behalf of their clients. Although a licence under the PSA is required to transfer funds, this is not always the case.

Similar to robo-advisers (see 3.3 Issues Relating to Best Execution of Customer Trades), the best execution rules only apply to peer-to-peer trading platforms that provide investment services under the CMBA that are subject to this obligation.

As a result of the inconsistent regulation of payment for order flows across the EU, the EU bodies provisionally agreed in June 2023 to amend the MiFID II/MiFIR framework and to introduce a general ban on payments for order flow. However, member states that already allow payments for order flows are exempted from the ban, provided that such payments are only provided to clients in that member state. This practice must however be phased out by 30 June 2026.

In any event, any payment of this type must be assessed in the light of inducement requirements.

The basic principles of market integrity and market abuse stem from MAR, which is complemented by the MAD (Directive 2014/57/EU) and several delegated and implementing acts. Since the objective is to ensure the integrity of EU financial markets and to enhance investor protection, any unlawful behaviour in the financial markets is prohibited. The existing rules outlaw three types of market abuse: insider dealing, unlawful disclosure of inside information and market manipulation.

In order to combat market abuse, MAR contains provisions to prevent and detect these illicit practices (eg, the introduction of effective systems and procedures to detect and report suspicious orders and transactions or disclosure obligations).

In general, MAR covers financial instruments admitted to trading or traded on regulated markets, MTFs and OTFs and certain other products (eg, contracts for difference). Non-compliance may be subject to administrative and/or criminal sanctions.

The creation and use of high-frequency (HFT) and algorithmic trading (AT) is regulated under the CMBA. The regulation therefore only applies to HFT and AT in relation to financial instruments.

In principle, a person only trading for their own account (and not executing customer orders) using AT does not need an authorisation, unless HFT is applied. For HFT, an authorisation from the CNB is always required.

Investment firms and other regulated entities that engage in AT and HFT are subject to various specific requirements. They must have in place effective systems and risk controls appropriate to the business they operate to ensure resilience and sufficient capacity of the trading systems not to create or contribute to a disorderly market and to prevent market abuse. In addition, effective business continuity arrangements must be established to deal with any failure of the trading system and the system must be subject to appropriate testing and monitoring. Moreover, HFT is subject to other specific requirements (eg, on record keeping or incorporation of a “kill switch”). Finally, the relevant competent authorities must be notified of the use of such technologies.

A person that is engaged in algorithmic trading when trading for their own account is not required to be authorised as a market maker, unless they are deemed to be implementing a market-making strategy. A market-making strategy consists, inter alia, of posting firm, simultaneous bid and offer prices of comparable size and at competitive prices relating to one or more financial instruments on one or more trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.

In such a case, an authorisation under the CMBA is required. Specific rules, such as carrying out the market-making continuously during a specified proportion of the trading venue’s trading hours and entering into a binding written agreement with the trading venue, apply.

Unlike dealers, investment funds are only subject to the applicable AT and HFT legislation if they are members or participants of regulated markets and MTFs. The main difference between an investment fund and a dealer is that a fund manager makes investment decisions regarding the assets of multiple investors according to a common strategy of the fund, whereas a dealer typically invests according to each customer’s individual circumstances.

Programmers who develop and create trading algorithms and other electronic trading tools are not subject to any specific regulation in the Czech Republic, unless they also engage in a regulated activity (eg, HFT).

Czech law neither defines nor specifically regulates decentralised finance (DeFi). However, depending on factors such as the type and structuring of activities undertaken, including the associated degree of automation and decentralisation, and the type of crypto-assets used, different regulatory frameworks may apply to DeFi (eg, AML/CFT legislation, investment services legislation such as CMBA or AMCIF, or consumer protection legislation). A case-by-case analysis must be carried out.

In addition, MiCA will not change much as it will not apply to crypto-asset services provided in a fully decentralised manner without any intermediary and crypto-assets having no identifiable issuer. The meaning of “truly decentralised” is, however, currently unclear.

The provision of financial research is not subject to any specific registration or authorisation in the Czech Republic, unless it constitutes investment advice, as an investment service regulated under the CMBA. Production or dissemination of investment recommendations or other information recommending or suggesting an investment strategy in one or more financial instruments is regulated under MAR and other legislative pieces for protection against market abuse.

Spreading rumours and other unverified information is not regulated as such. However, if related to financial instruments that are traded on regulated markets, MTFs or OTFs, or certain other instruments, it may trigger the application of the market abuse framework. If disseminating rumours and other unverified information leads to market manipulation (eg, it is likely to give false or misleading information on, for example, the price of a financial instrument), it may constitute a breach of the MAR subject to administrative or even criminal sanctions.

Additional obligations in this respect arise from other pieces of legislation such as MiFID II and its supplementing regulations (eg, Commission Delegated Regulation (EU) 2017/565) or the Prospectus Regulation, which set further standards for the provision of fair, clear and not misleading information.

As MAR also applies to persons who act in collaboration to commit market abuse, companies operating financial research platforms should pay attention to behaviour occurring on their platform, especially behaviour related to financial instruments, and take appropriate measures to avoid being held liable for collaborating with such unlawful activities. In addition, platforms may soon be subject to obligations set forth in MiCA, which addresses market abuse in relation to crypto-assets.

A possible option could be to grant the platform the right in the contractual terms to edit or delete posts or conversations that could constitute market abuse and/or to prevent persons disseminating such information from accessing the platform.

The underwriting process for insurtech companies in the Czech Republic is subject to the same regulation applicable to traditional insurance companies.

In practice, insurtech companies usually operate as independent insurance intermediaries or tied agents. While the former requires a licence from the CNB, a registration is sufficient for the latter.

Regardless of the operational structure of the insurtech company, it must comply with the rules of conduct contained in the Insurance Act, including acting in the best interest of the customer and meeting the pre-contractual and contractual information obligations. Furthermore, for online underwriting processes, which are the most used by insurtechs, where the insured person is a consumer, the consumer protection provisions containing specific information obligations apply.

In the Czech Republic, insurance undertakings may not carry on simultaneous life and non-life insurance business, except for the simultaneous provision of life insurance with accident and sickness insurance.

Furthermore, different regulatory requirements apply to distribution of life and non-life insurance products, with the most stringent requirements applying to insurance-based investment products (eg, specific pre-contractual and contractual obligations, appropriateness tests, conflicts of interests or remuneration policy rules).

Although regtech providers are not specifically regulated in the Czech Republic, they may be subject to the existing regulatory framework depending on the services provided.

Since regtech providers typically focus on technical solutions that help regulated entities meet their legal obligations more easily and efficiently, rather than on the provision of regulated financial services, they are in most cases not regulated.

However, exceptions exist for activities such as legal services or electronic identification and trust services. In such cases, it is necessary to comply with all relevant regulations, including obtaining the appropriate authorisation.

If a regulated entity engages regtech providers for part of its functions that it would otherwise undertake itself, the relevant regulatory and soft law requirements for outsourcing must be complied with (see 2.7 Outsourcing of Regulated Functions). As noted, the extent of the applicable requirements depends on the type of regulated entity and the type of outsourced function, including whether critical or important.

Although the Czech Republic has been very active in the blockchain field, this activity has come mainly from fintech companies. Traditional players are still rather reserved in implementing blockchain into their operations or service/product offerings.

However, an interesting project developed in the field of blockchain in the Czech Republic is the ElA blockchain of the Electrotechnical Association of the Czech Republic. The ElA blockchain brings together both private entities (eg, IBM) and state institutions (eg, the Ministry of Industry and Trade of the Czech Republic). The ElA blockchain aims to serve as a trusted platform for the registration of documents or transactions as well as a public authority for the registration of digital property. The basic application is the Blockchain Notarius application used to verify the authenticity of documents (eg, business contracts or quality certificates).

In addition, it can be expected that with MiCA coming into force, the interest of traditional players will increase. One reason for this is the clear rules for crypto-related activities, and therefore the greater degree of legal certainty that MiCA brings. Another is the simplified conditions for traditional players to enter the sector.

The CNB’s main activity consists of issuing opinions to clarify existing legislation, for example, in which cases it is necessary to obtain authorisation from the CNB to carry out activities related to certain crypto-assets. It has also issued several warnings about companies that are active in the crypto-assets sector and are not properly authorised to do so.

In connection with MiCA, the CNB has recently invited entities that are considering obtaining a licence under MiCA to communicate their interest to it. The objective is to use the information to organise and co-ordinate the CNB’s activities to ensure smooth implementation of MiCA in the Czech Republic, including informing entities interested in obtaining a MiCA licence about the CNB’s upcoming educational activities in this area.

The Czech regulatory framework does not provide for a single legal definition or classification of blockchain assets. Instead, the terms used in this context vary. The Czech AML/CFT legislation uses the term “virtual assets” (formerly “virtual currencies”) for its purposes. The definition is very broad as it essentially covers all electronically storable or transferable units with a payment, exchange or investment function, whether or not they have an issuer, unless they fall into one of the excluded more traditional asset classes (eg, securities, financial instruments or a unit by which payment is made only in the limited network under PSA).

On the contrary, the CNB and the EU authorities work with the term “crypto-assets”. In addition, the CNB defines a specific subcategory of crypto-assets, the so-called “exchange tokens”, the defining feature of which is that they do not grant the owner any rights against another person and allow only transfers within one or more distributed registries (eg, bitcoin).

Notwithstanding the difference in terminology, whether a crypto-asset qualifies as a form of regulated financial instrument depends on the nature of the asset. Therefore, a case-by-case assessment is necessary for proper legal classification.

Any crypto-assets that meet the characteristics of a financial instrument within the meaning of the CMBA, or electronic money under PSA, will qualify and be regulated as such under the respective regulatory framework. In 2023, the definition of a financial instrument in the Czech Republic was amended to include instruments issued through DLT, following amendments to MiFID II in this regard. However, as the term financial instrument has not been implemented uniformly in the national legislation of EU member states, the classification of individual crypto-assets as financial instruments may vary across the EU.

On the other hand, if crypto-assets qualify as virtual assets, persons providing services in relation to these assets are subject to the relevant obligations set out in the AML/CFT legislation.

Furthermore, from 2024, crypto-assets that are not already subject to the existing financial regulatory framework and that meet the definition set out in MiCA will be covered by it. MiCA defines a crypto-asset as a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology. In addition, MiCA distinguishes between asset-referenced tokens, electronic money tokens and utility tokens.

As described in 12.3 Classification of Blockchain Assets, the regulation of issuers as well as initial sales of blockchain assets depends on the legal classification of blockchain assets.

If the blockchain assets qualify as virtual assets under AML/CFT legislation, the issuer of these assets is only required to notify the Czech Trade Licence Office and comply with the AML/CFT and consumer protection legislation. However, the notification regime will become obsolete with MiCA, as issuers of crypto-assets not covered by the existing financial services legislation, including virtual assets, will be subject to the obligations set out in MiCA (eg, to draft, notify and publish a white paper).

On the other hand, if the blockchain assets qualify as financial instruments, the existing financial services legislation applies (eg, MiFID II, MAR or Prospectus Regulation). The issuer of blockchain assets that qualify as transferable securities is required to prepare and publish a prospectus, which must be approved by the CNB prior to public issuance of such assets, unless an exemption applies (eg, it is addressed solely to qualified investors or to fewer than 150 non-qualified investors per member state).

In case of blockchain assets that meet the definition of electronic money, PSA applies.

As described in 12.3 Classification of Blockchain Assets, the regulation of blockchain asset trading platforms, as well as the secondary market trading of blockchain assets, depends on the legal classification of the traded blockchain assets.

In case of classification as virtual assets under AML/CFT legislation, compliance with the notification regime to the Czech Trade Licence Office and with the AML/CFT legislation is required. Once MiCA enters into force, platforms trading such crypto-assets will be subject to authorisation requirements under MiCA. However, persons that will have registered as a CASP before 30 December 2024 will be allowed to benefit from the transitional regime under MiCA and thus to provide their services until mid-2026.

Instead, if blockchain assets qualify as financial instruments, the platform trading these assets must obtain an authorisation to operate either as a regulated market, an MTF or an OTF. Under the DLT Pilot, MTFs may apply for an authorisation to operate a DLT MTF and obtain temporary exemptions from certain existing requirements of EU financial services legislation to test innovative solutions based on DLT on capital markets. The DLT Pilot is only open to certain blockchain assets that qualify as financial instruments (in essence, only assets with low market value/capitalisation/issue size).

However, decentralised peer-to-peer platforms trading blockchain assets might fall outside the scope of the EU regulation.

In addition, where the operation of the blockchain asset trading platform involves activities such as accepting fiat currency from buyers or transmitting fiat currency to sellers, an authorisation under PSA for provision of payment services may be required.

The activity of investment funds, including those investing in crypto-assets, is regulated under the AMCIF in the Czech Republic.

The CNB has recently issued an opinion on the possibility for investment funds to invest in crypto-assets. The opinion only discusses crypto-assets that do not qualify as financial instruments, as otherwise the standard rules governing investments in financial instruments apply.

Pursuant to the CNB position, only investment funds for qualified investors may invest in crypto-assets as their investment policy is not regulated by the legislation. On the other hand, funds that are offered to retail investors; ie, standard (UCITS) or special investment funds (AIF), cannot invest in crypto-assets due to the limited scope of permissible assets they can acquire.

Please see 12.3 Classification of Blockchain Assets.

Please see 8.5 Decentralised Finance (DeFi).

There is no specific regulation regarding non-fungible tokens (NFTs) and NFT platforms in the Czech Republic. This is mainly because NFTs have a great variety of characteristics and purposes that may require different levels of regulation. However, depending on the characteristics of the NFT, including its purpose and the rights and assets it represents, it may fall within the scope of existing financial services regulation. A case-by-case analysis is therefore necessary.

Although NFTs will generally be excluded from the scope of MiCA, there may be cases where MiCA is applicable (eg, fractional parts of NFTs or NFTs in large series) and therefore platforms offering such assets will have to obtain an authorisation as a CASP.

As a result of the transposition of PSD2 into Czech law, credit institutions are required to allow authorised third parties to access their customers’ payment data via a secure application programming interface (API). This has opened the EU payment market to innovative payment services providers relying on access to payment accounts (payment initiation services and account information services), allowing for more competition.

However, as open banking remains limited in the Czech Republic and in the EU in general, legislative changes will be introduced under the forthcoming PSD3/PSR/FIDA framework to, inter alia, strengthen open banking and open finance more generally.

Since open banking relies on sharing customers’ personal data, it poses various data protection and security risks, including data hacking or cyber-attacks on APIs.

For this reason, both credit institutions and other payment service providers are subject to strict technical security and data protection requirements imposed by the PSD2 and GDPR. For example, the processing of personal data under PSD2 requires explicit customer consent. In addition, from 2025, DORA requirements will apply to credit institutions and payment service providers regarding the security of their ICT systems and contractual arrangements with ICT third-party service providers, including providers of payment-processing activities or operating payment infrastructures.

However, as the open banking sector in the Czech Republic is still young and small, it remains to be seen how banks and technology providers deal with the concerns that open banking raises.

The most commonly used forms of fraud in the Czech Republic are phishing (eg, in SMS messages (smishing) or e-mails that are supposed to look like legitimate communications from the respective institution/authority) and vishing (via fraudulent phone calls attacking basic emotions). In the case of phishing, the victims click through to fraudulent websites, where they most often enter their login details, thereby revealing them to the fraudsters, who then carry out fraudulent transactions themselves. In the event of vishing, the caller impersonates, for example, a police officer or a bank employee, and manipulates the victim into taking actions that enable the fraud to be carried out (eg, disclosing data or installing a spying application). In such a case, the number may mimic the number of the calling institution/authority (so-called spoofing).

The sole purpose of these scams is to obtain sensitive data and misuse it. Fraudsters’ practices are becoming more sophisticated as they use new manipulative techniques to target victims’ emotions and continually innovate their forms of attack. At the same time, victims provide unwitting co-operation (eg, through online activity that leaves a digital trail on which fraudsters can better target the attack scenario), making attacks easier.

The regulator’s main focus is on payment fraud (eg, fraud mentioned in 14.1 Elements of Fraud).

FINREG PARTNERS

Jungmannova 750/34
Nové Město
110 00 Praha 1
Czech Republic

+420 230 233 030

office@finregpartners.cz www.finreg.cz

Trends and Developments



Overview of the Czech Fintech Market in 2023 and Outlook for 2024

In recent years, the Czech fintech market has been developing rapidly and dynamically. In 2023, however, fintech firms faced a host of adversities and challenges caused by the lingering effects of the COVID-19 pandemic and, especially, the conflicts in Europe and the Middle East. High inflation, rising prices and increasing interest rates were among the most significant factors that shaped the fintech scene, as well as the entire economy last year.

The global economic crisis brought an end to cheap money and triggered caution in the investment environment. Investors began to place more emphasis on sustainability, efficient growth and profitability of the business, which forced even established firms to economise, become more efficient and streamline internal processes, including laying off staff, and postponing plans, typically expansion abroad. Investment in innovation fell significantly in the Czech Republic last year, by a total of 75.5% compared to 2022.

However, there is an opportunity in every crisis. All these headwinds have led to increased competition among start-ups, as only the best and most innovative have had a chance to get investment, which was not the norm before. As a result, some unsustainable projects gave way to those that were better prepared for complex challenges. This can be seen as a much-needed recovery of the entire start-up world, which can, at the same time, bring great potential for Central and Eastern European start-ups to compete for new opportunities. Indeed, according to feedback from some of the big Western investment funds, founders from the CEE region are typically much more effective at building start-ups than those in Western Europe or America. This is something that the Czech start-up scene can be commended for and where its huge potential for years to come can also be seen.

The sectors currently dominating the fintech world are generative AI based on foundation models, software development for companies, specifically data handling, digitalisation, fraud detection and prevention or healthcare technologies. The huge investment rounds that companies like Resistant AI, Keboola, IP Fabric or ThreatMark have brought in despite the current start-up downturn are clear evidence thereof.

However, the success of the Czech start-up scene can be demonstrated not only by high investments from Czech and foreign investors, including giants such as IBM and Cisco, but also by their achievements in international competitions. In the main category of the Deloitte Technology Fast 50 CE ranking, which focuses on companies with the fastest revenue growth, the Czech prop-trading platform FTMO won for the third time in a row, which is a unique phenomenon in the more than 20-year history of the competition. Moreover, thanks to the company CityZen, the Czech Republic ranked second in the main ranking. A total of 18 Czech companies were ranked in the main category of the 50 fastest-growing companies, and they grew faster than companies from other countries.

The results of the 2023 ranking confirm that Czech fintechs have been among the absolute leaders in the CEE region. In addition, we believe that in 2024, the renewed growth in investment appetite will help boost Czech fintechs even further.

On the other hand, Czech start-ups are still plagued by insufficient support and communication from the state. Although the Czech Republic has presented several strategies and visions of a modern country in recent years (eg, the innovation support programme The Country for the Future), their implementation is still lagging.

However, at least some results have started to arrive. The CzechInvest agency, which focuses on strengthening the competitiveness of the Czech economy by supporting SMEs, business infrastructure and attracting foreign investments, has launched two calls under the Technology Incubation programme for innovative projects in the fields of creative industries, AI, mobility or ecology and the circular economy, and is currently preparing a third one. Almost two hundred start-ups have applied for the second call and over CZK135 million will be distributed among 55 of them.

In the future, the Czech Republic would like to run NATO’s DIANA accelerator, for which two Czech companies, Dronetag and Goldilock, have already been selected. DIANA focuses on disruptive technologies suitable for so-called dual use. The Czech Republic will also be part of NATO’s EUR1 billion start-up fund.

Regulatory Trends and Developments

From a regulatory perspective, 2023 was a significant year for the fintech sector, as well as the entire financial services industry. The effects of the Crowdfunding Regulation (Regulation 2020/1503), the DLT Pilot (Regulation 2022/858) and the ESG regulatory framework began to unfold in full in 2023.

While no authorisation under the DLT pilot has been granted in the Czech Republic so far, three Czech entities have already succeeded in obtaining a licence to operate a crowdfunding platform under the Crowdfunding Regulation. All three crowdfunding licences were granted for licence-based crowdfunding.

In addition, in 2023, there were also major developments in terms of new financial services legislation and revisions of existing legislation. At the European level, MiCA (Regulation 2023/1114) and DORA (Regulation 2022/2554) entered into force. In addition, provisional agreements on the AI Act and the revised MiFID II/MiFIR regulatory framework were reached. Finally, the new PSD3/PSR/FIDA regulatory framework was proposed by the European Commission. All these legislative acts will have a major impact on the entire financial services sector in the coming years, not only in the Czech Republic but in the EU in general.

DORA

Given that provisions relating to the digital operational resilience of financial services providers were not fully harmonised across the EU and, at the same time, the financial sector has become heavily dependent on information and communication technology (ICT), DORA, which will come into force in January 2025, was introduced. It will have far-reaching consequences for the entire financial sector in the EU as it introduces a new comprehensive ICT risk-management framework for all financial market participants, including banks, insurance companies, payment institutions, investment firms or crypto-asset service providers. However, not all requirements under DORA will be new, as DORA is to some extent built on existing EU supervisory authorities’ guidelines.

The aim is to make sure that the EU financial sector stays resilient even through a severe operational disruption. For that purpose, DORA sets rules for financial entities on:

  • ICT risk management, including having in place resilient ICT systems and tools that minimise the impact of ICT risk, comprehensive business continuity policies and disaster and recovery plans and mechanisms to learn and evolve from ICT incidents;
  • incident management, classification, and reporting both to the competent authorities and the financial entities’ clients;
  • periodical digital operational resilience testing;
  • ICT third-party risk management, including assuring that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details (eg, service-level description); and
  • voluntary information sharing in relation to cyber threats.

In addition, it establishes an oversight framework for the critical ICT third-party service providers providing services to financial entities, which will also be subject to DORA (eg, cloud platforms or data analytics services).

In accordance with the proportionality principle, financial entities shall implement DORA proportionately to their size, risk profile, and the type, scope, and complexity of their business. Even so, it can be expected that many financial service providers, especially fintech companies, will find it very difficult to comply with all the stringent and demanding requirements of DORA.

MiCA

MiCA is the first of its kind to bring comprehensive regulation of crypto-asset related activities. It aims to consolidate the fragmented regulation of crypto-asset business across the EU, ensure consumer protection and financial stability, as well as prevent market abuse.

MiCA applies to both natural and legal persons interested in issuing, offering to the public or admitting to trading crypto-assets or providing services related to crypto-assets in the EU. In addition, it introduces rules for persons whose actions could lead to abuse in the crypto-assets market, which we have often seen in recent years. Since MiCA is largely based on existing EU financial regulation, the rules, principles and institutes contained in MiCA are very similar to those known from MiFID II, as well as the Prospectus Regulation.

MiCA only covers activities related to crypto-assets that do not fall under one of the existing asset categories regulated by other EU legislative pieces (eg, investment instruments, deposits or cash). Such crypto-assets cover two types of stablecoins, electronic money tokens (EMTs) and asset-referenced tokens (ARTs), and other crypto-assets, including utility tokens. However, MiCA applies neither to non-fungible tokens (NFTs) nor to services related to crypto-assets provided in a fully decentralised manner (DeFi).

Depending on the category of crypto-asset, different regulatory requirements apply, with stablecoins being the most strictly regulated. While stablecoins will only be issued by licensed entities (EMTs by credit institutions and electronic money institutions, ARTs by persons licensed under MiCA in addition to credit institutions), other crypto-assets can be issued without a licence. However, certain transparency requirements will have to be met. The key obligation of a crypto-asset issuer is to prepare, notify and publish a “white paper” (an information document to some extent similar to a prospectus), unless an exemption applies (eg, for limited issuances or for offerings exclusively to qualified investors). Other obligations vary greatly between stablecoins and other crypto-assets issuers/offerors. It is worth noting that as MiCA considers EMTs to be electronic money, a large part of the regulation of electronic money institutions under the EMD applies to issuers of such assets.

In addition, MiCA introduces an authorisation regime for crypto-asset service providers (CASPs). This means a huge change for all Czech CASPs, such as crypto-asset exchanges or crypto-asset trading platforms, as they have so far only been subject to a very straightforward notification regime. The new authorisation regime will be very similar to that of other financial service providers, in particular investment firms, and therefore very complex. The specific scope of requirements depends on the service provided and the associated risks. The list of crypto-asset services covered by MiCA to a large extent mirrors the one in MiFID II; however, it also includes crypto-asset-specific services (eg, transfer of crypto-assets).

Only legal entities with a registered as well as a real seat in the EU and authorised as a CASP by the relevant national authority (in the Czech Republic, the CNB) will be allowed to provide crypto-asset services in the EU. The big advantage of the CASP authorisation is the European “passport”, which allows for the provision of services throughout the EU.

The obligation to obtain a CASP licence does not apply to entities that will only provide services in the EU on a reverse solicitation basis, nor to certain existing financial service providers (eg, banks, investment firms or UCITS management companies or AIFMs). These already licensed entities will only have to notify the competent authority in advance of providing crypto-related services and adapt their business model to the specificities of crypto-assets, which will greatly facilitate their entry into the sector.

MiCA will come into full force in December 2024, with a transitional period of 18 months. This means that persons who are registered as CASPs in the Czech Republic before 30 December 2024 will be allowed to provide their services until 1 July 2026.

Artificial Intelligence (AI)

In December 2023, a provisional agreement was reached on the AI Act, which shall bring the world’s first rules on AI. The objective is to ensure better conditions for the development as well as use of AI. The new rules establish obligations for providers and users of all types of AI products and services, including chatbots, depending on the level of risk associated with them. While systems that are considered a threat to citizens’ rights and democracy will be banned (eg, social scoring or biometric identification and categorisation of people), limited-risk AI systems, such as AI systems that generate or manipulate image, audio or video content, will only have to meet minimal transparency requirements. The transparency requirements imposed on generative AI (eg, ChatGPT) include disclosing that the content was generated by AI or designing the model to prevent generation of illegal content.

Revised MiFID II/MiFIR Framework

After many months of discussions, in June 2023, the Council reached a provisional agreement with the European Parliament on changes to the MiFID II and MiFIR texts. The aim of these revisions is to make the EU financial sector more transparent, investor-friendly, and competitive.

The key changes that the revised framework will introduce include the following.

  • Establishment of EU-level “consolidated tapes” – market data from all EU trading platforms will be unified in consolidated tapes (unified market data sources) for different kinds of assets to simplify investors’ access to up-to-date transaction information.
  • Reform of commodity derivative market – disclosure of trading data will be improved to enhance market transparency and strengthen the regulatory oversight of commodity derivatives exchanges.
  • Ban on payments for order flow – receiving payments for forwarding client orders to a specific third party for their execution will be prohibited to ensure best execution for investors. Member states retain discretion to allow this practice only in their territory until 2026.
  • Enhanced market transparency – trading systems will be obliged to be more transparent about costs and execution quality. In addition, systematic internalisers, with the exemption of non-equity asset classes, will be required to quote competitive prices more frequently.
  • Exemption for smaller entities – smaller market participants will be exempt from some transparency requirements to reduce compliance burdens.

We expect the revised framework to be finally adopted and take effect in the first quarter of 2024. While the revised MiFIR will be directly applicable in all member states, the revised MiFID II will have to be transposed into national legislation, and member states will have 18 months to do this.

PSD3/PSR/FIDA Framework

Since the introduction of the PSD2 in 2015, rapid progress has been made in the payments industry, accompanied by the emergence of innovative payment solutions and more sophisticated fraud techniques. In response to these developments, the European Commission has proposed targeted changes and updates to the existing regulatory framework for payment services and electronic money. This legislative package includes a proposal for a third Payment Services Directive (PSD3), a Payment Services Regulation (PSR) and a Financial Data Access Regulation (FIDA).

These proposals aim to enhance user protection, strengthen open banking, increase harmonisation and improve access to payment systems and financial data. Key elements of the PSD3/PSR/FIDA package include the following main points.

  • Regulatory structure – the new PSD3 will merge the licensing and supervision of payment institutions (PIs) and electronic money institutions (EMIs) into one regime, with EMIs being a sub-category of PIs. The PSR sets out rules for the provision of payment services.
  • Exemptions – the proposals update the current exemptions. New features include, for example, an exemption for cashback without purchase and clarification of the “merchant agent” or “limited network” exemption. Within the latter exemption, the term “premises used by the issuer” will not cover the online commerce environment but only physical premises.
  • Access to payment systems and competition – the PSR tightens the rules on access to payment systems. Non-bank payment service providers will gain access, levelling the playing field between them and banks. Denial of access must be justified.
  • Role of Technical Service Providers (TSPs) – TSPs and PIs/EMIs must enter into an outsourcing agreement where TSPs provide and verify the elements of SCA. TSPs will be liable for failure to provide SCA.
  • Liability – the PSR tightens the rules on liability for unauthorised payment transactions, for example by limiting the ability of a payment service provider to refuse to refund the amount of an unauthorised payment transaction to cases of reasonable suspicion of fraud on the part of the payer.
  • Other changes under the PSD3/PSR proposals – these include an extension of information for users, adapted functioning of the SCA and a uniform requirement for confirmation of payee details for all payments.
  • Open finance and data-driven financial services – the FIDA strengthens control over consumers’ financial data (beyond payments data) and introduces regulation of financial data sharing. It introduces a new specialised category of licensed entity – a Financial Information Service Provider (FISP), that will have access to personal and non-personal consumer data held by regulated financial institutions (such as banks, PIs or investment firms) for the purpose of providing financial products and services to consumers in the EU. FISPs will have to comply with requirements similar to AISPs.

While the PSR will become directly applicable in all member states, the transposition period for PSD3 into national law is 18 months from publication in the Official Journal of the EU. As regards FIDA, financial institutions will have 18 months to adapt to the new rules.

Other Important Trends

Although we consider the above legislative acts to be among the most important for the fintech sector, they are certainly not the only ones that fintech companies should pay attention to.

As part of the EU data strategy, which aims to build a European single market for data, two main elements of the strategy, the Data Act and the Data Governance Act, have taken effect recently. While the Data Governance Act aims to create a safe environment for sharing data across sectors and member states, the Data Act clarifies who can access and create value from data produced in different sectors of the EU economy and under which conditions. These acts are part of the broader EU Digital strategy, which also includes the AI Act, Digital Services Act and Digital Markets Act, which may also be of great importance to fintech companies.

In addition, there are significant changes in the AML/CFT area with the EU AML Package, which consists of a sixth AML Directive, two new regulations and amendments to the Transfer of Funds regulation. One of the significant changes will be the creation of a new agency, the European Anti-Money Laundering Authority (AMLA), which will have supervisory and investigative powers to ensure compliance with AML/CFT requirements.

Still, there is much more to come. Fintech companies should therefore closely monitor developments in EU regulation and prepare for the necessary changes that will need to be made to their business operations to ensure regulatory compliance.

FINREG PARTNERS

Jungmannova 750/34
Nové Město
110 00 Praha 1
Czech Republic

+420 230 233 030

office@finregpartners.cz www.finreg.cz