FINTECH 2024
GERMANY
Christopher Götz, Daniel Kendziur, Jochen Kindermann, Sascha Kuhn, Sascha Morgenroth
FINTECH LANDSCAPE AND INITIATIVES
General innovation climate
- What is the general state of fintech innovation in your jurisdiction?
The fintech landscape has developed further during the past year. The high speed of regulatory changes requires firms to adjust to this developing landscape. They have to evaluate whether to deal with the demanding regulatory hurdles and thereby gain access to the whole German market, including institutional investors, or to stay outside of Germany.
Several market participants have already achieved the goal of becoming authorized in Germany and there are still a substantial number of applications pending with the German Federal Financial Regulatory Authority (BaFin). The high number of applications underlines the strength and relevance of the German market.
It is also interesting to note that, in particular in the cryptosphere, many of the traditional players are now jumping on this trend as well. The gap between traditional and new players in this respect has become smaller, which is in line with the approach that BaFin always took (namely, that new fintech players should not be treated differently from existing market participants if they offer the same product).
Government and regulatory support
- Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?
The German government and municipalities support fintech companies in various ways. BaFin is the financial regulatory authority in Germany. BaFin set up a dedicated team to support fintech companies in relation to their market entry, and it also organizes events (e.g., the annual BaFin-Tech conference) to discuss regulatory developments with market participants. Although fintech companies do not benefit from special treatment, BaFin supports fintech companies in relation to evaluating licensing requirements and clarifying ongoing regulatory aspects. The German Ministry of Finance has appointed experts to a special FinTech council, the FinTechRat, which offers support and counsel to the legislator when further working on a suitable regulatory framework. On a municipality level, all German cities that consider themselves hubs for fintech (e.g., Berlin, Frankfurt, Munich and Hamburg) offer additional support through fintech centers. In addition, universities in or around fintech centers tend to support and dedicate resources to the development of an effective fintech ecosystem, as do institutions like the Leibniz Institute for Financial Research. However, there are no regulatory sandboxes available in Germany.
FINANCIAL REGULATION
Regulatory bodies
- Which bodies regulate the provision of fintech products and services?
The German Federal Financial Regulatory Authority (BaFin) is responsible for regulating fintech products and services in Germany if they fall under the scope of regulated activities or products.
Regulated activities
- Which activities trigger a licensing requirement in your jurisdiction?
According to German law, anyone wishing to conduct banking business or to provide financial services or investment services in Germany commercially or on a scale that requires a commercially organized business undertaking requires a written license from BaFin. What constitutes banking business, financial services or investment services is set out in the Banking Act and the Securities Institutions Act and includes, among other things:
- deposit business;
- debenture business;
- lending business;
- discount business;
- principal broking business;
- security deposit business;
- activities of a central securities depository;
- the obligation to repurchase previously sold loan receivables prior to their maturity;
- guarantee business;
- cheque collection business;
- underwriting business;
- business of a central counterparty;
- investment brokerage;
- investment advice;
- operation of a multilateral trading facility;
- placement business;
- operation of an organized trading facility;
- contract broking;
- financial portfolio management;
- trading on own account;
- non-EEA deposit brokerage;
- crypto custody business;
- foreign currency dealing;
- factoring;
- financial leasing;
- investment management;
- limited custody business; and
- proprietary trading.
Since the beginning of 2020, the crypto-custody business has been added to the list of licensable activities. Crypto-custody business is defined as the safekeeping, administration and storage of cryptoassets or private cryptographic keys used to hold, store and transfer cryptoassets for others (cryptoassets custody services).
In general, a license is required for any investment services and activities listed in section A of Annex I of Directive 2014/65/EU (Markets in Financial Instruments Directive II) or Annex I of Directive 2013/36/EU (Capital Requirements Directive). The provision of payment services is licensable based on the provisions of the German Act on the Supervision of Payment Services, which implements Directive 2007/64/EC (Payment Services Directive) and Directive (EU) 2015/2366 (revised Payment Services Directive) (PSD2) into German law.
The trading of claims deriving from fully drawn loan agreements does not trigger a license requirement, provided that the claim is not amended. However, amendments requiring a new credit decision (e.g., prolongation) can constitute a licensable lending business.
Consumer lending
- Is consumer lending regulated in your jurisdiction?
The contractual basis for consumer lending contracts can be found in the German Civil Code. The civil law provisions contain an elaborate protection regime and require the borrower to comply with, among other things, certain disclosure obligations and walk-away rights for the borrowers. In particular, the license requirement is triggered if the repayment obligation is in cash. Where the repayment obligation takes the form of financial instruments or other goods or rights, other licensing requirements may apply (e.g., investment services).
Secondary market loan trading
- Are there restrictions on trading loans in the secondary market in your jurisdiction?
In general, the trading of fully drawn loans does not trigger a licensing requirement in Germany. Restrictions on the trading of loans may apply under the terms of the respective contract or as a result of data protection rules.
Collective investment schemes
- Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.
The German Capital Investment Code (KAGB) provides the licensing and supervision regime for investment management companies and investment funds in Germany. In addition, the marketing of investment funds to investors in Germany is also regulated under the KAGB. The KAGB takes a holistic approach and provides the legal regime for all collective investment schemes (e.g., alternative investment funds and undertakings for collective investments in transferable securities). The aim of the KAGB is to ensure an adequate supervision of collective investments, including the administration, marketing and compliance with investment rules. However, crowdfunding platforms and peer-to-peer (P2P) lending platforms are generally not viewed as collective investment schemes by BaFin. BaFin focuses on the lending aspect and indicates in several guidance notes that, depending on the actual nature of the services provided, licensable lending business may be conducted. Further, the brokerage of loans requires a license under the German Industrial Code and, therefore, the operation of a P2P lending platform could trigger the requirement for a loan broker license. Further, Regulation (EU) 2020/1503 (Crowdfunding Regulation) is directly applicable law in Germany.
Alternative investment funds
- Are managers of alternative investment funds regulated?
Managers of alternative investment funds (AIFs) located in Germany are regulated under the KAGB. The same also applies to a certain extent to German branches of non-German managers of AIFs. AIFs may only be marketed in Germany once they are registered or passported for distribution to investors in Germany. Germany has implemented Directive 2011/61/EU (Alternative Investment Fund Managers Directive).
Depending on the nature of their actual activities, fintech companies are generally outside the scope of the KAGB if their activities do not constitute the structuring and managing of an investment fund. An investment fund is, pursuant to section 1(1), sentence 1 of the KAGB, any collective investment scheme that raises capital from a number of investors, with a view to investing in accordance with a defined investment policy for the benefit of those investors and that does not constitute an undertaking operating outside of the financial sector. Such a number of investors will be deemed to exist if the fund rules or the articles of association of the collective investment fund do not limit the number of potential investors to a single investor.
However, since 3 June 2023, the new German Regulation on Crypto Fund Units allows the distribution of fund units or shares on a tokenized basis. This is a significant step and opens new distribution channels for fund managers as well as fintech companies.
Further, the KAGB has been amended and allows German special AIFs (broadly a fund whose investors must be legal persons) to invest up to 20 percent of the total assets of the special AIF in cryptoassets. This also provides new investment opportunities for investment managers who are interested in investing in cryptoassets.
Peer-to-peer and marketplace lending
- Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.
Lenders and borrowers
BaFin has published guidance on the question of when the participants of a P2P marketplace typically conduct lending or deposit business on a scale that triggers a licensing requirement. According to this guidance, BaFin assesses potential license requirements on a case-by-case basis, taking into account the activities of every single investor. It is particularly important that investors do not invest on a commercial scale or in a manner that would require a commercially organized business undertaking, because otherwise a banking license requirement is triggered. BaFin suggests that a commercially organized business undertaking is required if more than €500,000 is invested or more than 100 loans are granted. An investor invests on a commercial scale if he or she undertakes the investments for a certain time and with a view to making a profit. In addition, under certain circumstances, crowd-lending models are subject to the Act on Capital Investments, so that several investor protection rules apply, such as the requirement to produce a sales prospectus, which must be approved by BaFin. However, exemptions may apply.
P2P or platform operators
Whether the operation of a crowd-lending platform requires a license (and which kind of license) depends on the actual services that are provided. Generally, it depends on the way the contracting is designed on the platform. In cases where the operator of the platform merely provides the infrastructure, the licensable activities are more likely to be conducted by the users of the platform. If, on the other hand, the operator of the platform steps into each transaction and takes on its own credit risk, it is likely that the licensable activity will be conducted by the platform operator. However, the pure brokerage of loans would generally not be considered as banking, financial or payment services, so ‘only’ an authorization under the German Industrial Code may be required. It should, however, be kept in mind that the EU Crowdfunding Regulation is directly applicable law in Germany; hence, operators of crowdfunding platforms may require a license. BaFin has created a task force for crowdfunding providers that can be contacted if there are uncertainties with regard to possible license requirements.
Crowdfunding
- Describe any specific regulation of crowdfunding in your jurisdiction.
There are several different kinds of crowdfunding platforms available in Germany. In a guidance note, BaFin sets out four main crowdfunding models:
- donation-based crowdfunding;
- rewards-based crowdfunding;
- loan-based crowdfunding (crowd lending or lending-based crowdfunding); and
- crowd investing (equity-based crowdfunding).
In the latter two types, the aim is to generate a financial return. BaFin does not apply specific regulatory regimes to different business models per se. BaFin instead focuses on the nature of the activities undertaken by the users and the operators of the crowdfunding platforms and decides on a case-by-case basis whether licensable activities are being conducted and by whom. It should, however, be kept in mind that the EU Crowdfunding Regulation is directly applicable law in Germany; hence, operators of crowdfunding platforms may require a license. BaFin has created a task force for crowdfunding providers that can be contacted if there are uncertainties with regard to possible license requirements.
Invoice trading
- Describe any specific regulation of invoice trading in your jurisdiction.
Invoice trading is generally not a regulated activity. However, if the actual activities constitute a financial service (e.g., factoring, which means the ongoing purchase of receivables on the basis of standard agreements, with or without recourse), this activity is regulated and requires a financial services license.
Payment services
- Are payment services regulated in your jurisdiction?
Germany has implemented PSD2 and, thus, anyone wishing to conduct payment services as a payment institution commercially or on a scale that requires commercially organized business operations needs written authorization from BaFin. What constitutes payment services is set out in the German Act on the Supervision of Payment Services and comprises the same activities set out in PSD2.
Open banking
- Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?
No, we are not aware of any such laws or regulations.
Robo-advice
- Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.
Robo-advice is any form of customer support on investment decisions by making use of partially or fully automated IT systems. There are several different kinds of automated investment advice platforms that are active in Germany. BaFin has issued guidance on robo-advice, indicating that these services can be qualified as (and regulated as) investment advice, financial portfolio management, acquisition brokerage and investment brokerage (each depending on its individual features), and, thus, offering respective services regularly requires licensing under German regulatory and commercial law. Most offerings currently available on the German market constitute investment advice or financial portfolio management.
In terms of their supervision and regulation, robo-advising businesses are generally subject to the same rules as if such services were rendered manually. Thus, automated investment advice will need to comply with the applicable licensing requirements and conduct of business rules. BaFin’s guidance sets out that the provision of robo-advice could fall under a number of regulated services, including investment advice and contract brokering. Additionally, providers often offer portfolio management services under the label of robo-advice. Depending on the actual structure of the business, additional conduct of business rules may apply. For example, where the provider uses an advisory model and gives personalized recommendations to its investors, certain documentation obligations apply. In addition, the provider may need to determine the suitability and appropriateness of the financial products that it recommends.
Insurance products
- Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?
Fintech companies selling or marketing insurance products in Germany are likely to be regulated by BaFin if they conduct insurance business in Germany and by the local chamber of industry and commerce if they act as insurance brokers in Germany.
Credit references
- Are there any restrictions on providing credit references or credit information services in your jurisdiction?
Should a credit information service qualify as a credit-rating agency, the rules of Regulation (EC) No. 1060/2009 (Credit Rating Agency) apply.
CROSS-BORDER REGULATION
Passporting
- Can regulated activities be passported into your jurisdiction?
As Germany is a member of the European Union, institutions holding a license to conduct regulated activities in any EEA country can apply for a passport. The passport is a notification procedure to the home state regulator. Such a passport would enable the license holder to establish a physical presence in the form of a branch in the host country or to provide services on a cross-border basis without a physical presence. The passport avoids a complete authorization procedure if a party intends to carry out a regulated activity in another EU country. Not all services can be passported. Cryptoassets custody services and asset management services are, for example, services that are not harmonized and will trigger a license requirement when carried out in Germany.
Requirement for a local presence
- Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?
A German financial services license will only be granted to a fintech company that has established a physical presence in Germany. However, a fintech company with a financial services license in another EEA country can apply for a passport to Germany and, thus, would be able to provide financial services in Germany through a branch or without a physical presence on a purely cross-border basis.
SALES AND MARKETING
Restrictions
- What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?
There are various restrictions regarding the sales and marketing of financial services and products in Germany. The marketing of a regulated activity in Germany constitutes a licensable activity and providing those services without the necessary license constitutes a criminal offence. The marketing of financial instruments is subject to a detailed regulatory framework set out in Directive 2014/65/EU (Markets in Financial Instruments Directive II). Providing false or misleading information is generally prohibited. Further rules apply for specific types of financial instruments like investment funds or publicly offered securities.
CRYPTOASSETS AND TOKENS
Distributed ledger technology
- Are there rules or regulations governing the use of distributed ledger technology or blockchains?
No, there is no single regulation specifically addressing distributed ledger technology (DLT). However, the approach to regulatory requirements is technology agnostic. The use cases deploying DLT or blockchain technology in regulated markets (e.g., securities markets) must comply with the existing legal framework applicable to the specific service and its providers. European requirements such as Regulation (EU) No. 648/2012 (European Market Infrastructure Regulation) (EMIR), Regulation (EU) No. 600/2014 (Markets in Financial Instruments Regulation) (MiFIR), Regulation (EU) No. 909/2014 (Central Securities Depositories Regulation), Directive 2014/65/EU (Markets in Financial Instruments Directive II) (MiFID II), Directive 2011/61/EU (Alternative Investment Fund Managers Directive) and Regulation (EU) 2015/2365 (Securities Financing Transactions Regulation), as well as the national implementation thereof, must be observed, provided the relevant product qualifies as a financial instrument. For instance, a use case involving the clearing of assets by deploying DLT would have to fulfil the requirements of EMIR and MiFIR regarding authorization and regulated entities. The German Federal Financial Regulatory Authority (BaFin) has the power to prohibit unauthorized businesses. In addition, smart contracts and initial coin offerings are currently under close scrutiny by the supervisory authorities. Other rules apply with regard to products that do not qualify as financial instruments within the MiFID II definition (e.g., cryptocurrencies); here, the Regulation on Markets in Cryptoassets (MiCA) provides the legal framework.
Cryptoassets
- Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?
Germany has implemented national regulations regarding cryptoassets that are not specifically focused on digital currencies. In particular, Germany has implemented crypto-custody business as a new financial service and added cryptoassets to the list of financial instruments.
Crypto-custody business is defined as the custody, management and protection of cryptoassets or private cryptographic keys used to keep, store or transfer cryptoassets for others.
- Custody in this context means taking care of cryptoassets as a service for third parties. This includes, in particular, service providers that hold cryptoassets of their customers collectively, without their customers being familiar with the cryptographic keys used. The intention here is primarily to protect clients against the risk the provision of wallets may create (e.g., loss of keys, fraudulent behaviour, et cetera). Management broadly means ongoing fulfillment of the rights resulting from the cryptoassets.
- Protection means both the digital storage of third parties’ private cryptographic keys, which are provided as a service, and the safekeeping of physical data media (e.g., a USB stick or a piece of paper) on which such keys are stored. The mere provision of storage space, for example, by web hosting or cloud storage providers, does not fulfil the definition unless these providers expressly offer their services for the storage of private cryptographic keys.
The distribution of cryptoassets requires authorization by BaFin if the distribution is performed on a commercial basis or requires a commercially organized business operation. If virtual currencies are bought and sold for third parties, this could be classified as ‘proprietary trading’ under the German Banking Act, depending on the specific arrangements deployed, which requires a BaFin authorization as well. In addition, e-money institutions must be authorized and subject to supervision by BaFin. Offering digital wallets online may require BaFin authorization depending on the tokens and the wallet services being provided. BaFin has the power to prohibit any unauthorized business activities with immediate effect. MiCA will provide the legal framework for such activities as directly applicable law in Germany.
Token issuance
- Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?
Yes. As set out above, Germany has implemented national regulations regarding cryptoassets that are not specifically focused on digital currencies.
ARTIFICIAL INTELLIGENCE
Artificial intelligence
- Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?
In Germany, there is no specific AI Act. Once the EU AI Act comes into force (draft proposal published in 2021), it will be directly applicable in Germany and will potentially have an impact on robo-advice services. Until then, robo-advice is governed by specific applicable rules in other legislation. There is also some guidance from authorities. In particular, the Federal Financial Supervisory Authority (BaFin) has actively addressed these regulatory aspects in the past; however, currently, this is an ongoing process. Starting in 2018, BaFin conducted a comprehensive study on the challenges and implications for supervision and regulation of AI-based and big data-based services, concluding that the proliferation of these technologies will increasingly challenge current regulatory frameworks. Besides ascertaining the need to adapt the supervisory framework accordingly, regulated companies remain accountable for regulatory compliance in AI-based and big data-based products. While management boards remain fully accountable for any results automatically produced or used within their company (section 25a of the German Banking Act), these results must also remain transparent and explainable to ensure persisting human control. Thus, BaFin considers the use of black-box algorithms an indicator of dysfunctional (unlawful) business organization. In addition, the accuracy and reliability of AI-based and big data-based products must be ensured. This, again, requires robust data quality, thorough testing and continuous supervision of algorithmic decision models, as well as technical safeguards against maldevelopment (e.g., automated shutdown procedures).
Since late 2019, there has been increasing demand by various stakeholders in the German financial market for BaFin to engage in authorizing the use of algorithms for automated decision-making. To date, this request remains unheard. BaFin announced that, apart from existing authorization of individual scenarios (e.g., article 142 et seq and article 362 et seq of Regulation (EU) No. 575/2013 (Capital Requirements Regulation), high-frequency trading), there is no legal basis for requiring or granting such authorization on a general basis. BaFin has reaffirmed this in its 2021 publication ‘Big data and artificial intelligence – use of algorithms for automated decision-making’.
Robo-advice is any form of customer support on investment decisions by making use of partially or fully automated IT systems. There are several different kinds of automated investment advice platforms that are active in Germany. BaFin has issued guidance on robo-advice, indicating that these services can be qualified as (and regulated as) investment advice, financial portfolio management, acquisition brokerage and investment brokerage (each depending on its individual features), and, thus, offering respective services regularly requires licensing under German banking (e.g., the Banking Act and the German Securities Trading Act) and commercial law (e.g., the German Industrial Code). Most offerings currently available on the German market constitute investment advice or financial portfolio management.
In terms of their supervision and regulation, robo-advising businesses are generally subject to the same rules as if such services were rendered manually. Thus, automated investment advice will need to comply with the applicable licensing requirements and conduct of business rules. BaFin’s guidance sets out that the provision of robo-advice could fall under a number of regulated services, including investment advice and contract brokering. Additionally, providers often offer portfolio management services under the label of robo-advice. Depending on the actual structure of the business, additional conduct of business rules may apply. For example, where the provider uses an advisory model and gives personalized recommendations to its investors, certain documentation obligations apply. In addition, the provider may need to determine the suitability and appropriateness of the financial products that it recommends.
CHANGE OF CONTROL
Notification and consent
- Describe any rules relating to notification or consent requirements if a regulated business changes control.
Investors that intend to acquire 10 percent or more of the capital or the voting rights of a regulated entity are required to file a disclosure as holders of a significant holding. These investors must provide detailed information regarding their background, the origin of their funding, the CVs of relevant persons and the details of their group structure. The Federal Financial Supervisory Authority then generally has 60 days to approve or oppose the acquisition and may make approval subject to certain actions being taken.
In addition, notification requirements under securities trading or stock corporation laws may apply, depending on the legal nature of the target.
FINANCIAL CRIME
Anti-bribery and anti-money laundering procedures
- Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?
First, a distinction must be made between anti-bribery and corruption (ABC) regulations and anti-money laundering (AML) rules.
As taking and giving bribes are criminal offenses under the German Criminal Code, only individuals can be held criminally liable. Corporations and legal entities as such can solely be subject to regulatory investigations and sanctions. However, if the individual acts on behalf of a corporate body, the corporation may be subject to additional fines and confiscation of assets gained because of criminal conduct or forfeiture of other assets. All relevant administrative offenses committed in Germany are mainly covered under the provisions of the Act on Regulatory Offenses.
Thus, German regulatory offenses law allows legal entities to be fined for bribery offenses that have been committed by their legal representatives or by any other senior management employee, the conduct of whom can be associated with the legal entity. Fines of up to €600 million have been imposed for bribery offenses in the past.
In contrast to this, all companies in Germany must generally comply with national AML regulations. In addition, where an institution is an obliged entity under section 2 of the German Money Laundering Act, it is under numerous additional obligations (e.g., to set up a specific AML compliance system). This means that it is not – as with the ABC regulations – a matter of breach of criminal provisions by natural persons (e.g., employees), but that the entity itself may violate the rules under the Money Laundering Act. For this reason, the corresponding sanctions also result directly from the law itself.
There have been some changes to the Money Laundering Act in the past including obligations especially for fintech companies. Institutions in the field of cryptoassets (e.g., virtual currency exchange platforms and custodian wallet providers) are explicitly included in the group of obliged entities.
Generally, entities subject to German AML laws are, or will be, required to, among other things:
- implement preventive policies, controls and procedures;
- identify and assess the firm’s exposure to money laundering risk by, for example, undertaking a risk assessment;
- perform customer due diligence to an adequate standard depending on the risk profile of that client;
- keep appropriate records;
- monitor compliance with the AML regulations, including internal communication of policies and procedures; and
- report suspicious transactions.
Further, the Money Laundering Act requires an enhanced due diligence for transactions with high-risk countries. In addition, digital companies are required to provide payment service providers with access to infrastructure services. These include, for example, interfaces for near-field communication, which is required for cashless payments by mobile phone at physical points of sale.
Violations of anti-money laundering regulations are administrative offenses and will result in fines of up to €5 million or 10 percent of the institution’s total revenue.
According to recent federal jurisdiction plans, fines of up to 10 percent of a corporation’s annual turnover for regulatory offenses may be imposed. Further, corporations are to be excluded from public tenders for a term of five years if they have been fined for bribery or if a member of the executive board has been convicted of bribery. At the state level, some German federal states have already adopted an act that allows their authorities to exclude companies from public tenders if the company or its employees are associated with ABC-related behavior.
In addition, Germany has debated for years on whether companies should be held liable under a kind of criminal law (namely, corporate sanctions law) if entities’ responsible persons commit crimes or regulatory offenses. The previous federal government was working on such an act but ultimately could not agree on a joint draft within the coalition. Therefore, the new law could not be passed in the German parliament during the last legislative period. Although the current (new) coalition has put the bill back on the agenda, it has once again been postponed due to its political divisiveness.
In summary, despite some differences in the material scope, it is important for fintech companies to adhere to the legal requirements of ABC and AML regulations and to create a corresponding compliance structure, because the risk for the company in the event of infringement is always the same: very high fines are threatened.
Guidance
- Is there regulatory or industry anti-financial crime guidance for fintech companies?
There is no specific anti-financial crime guidance for fintech companies apart from the general advice that companies should always be compliant with relevant regulations. Therefore, it is essential to have an adequate compliance system in place.
The design of the compliance system and the compliance organization is fundamentally subject to the business judgement rule as an entrepreneurial decision. The management has to make decisions based on appropriate information, acting for the benefit of the entity. Above all, in terms of compliance, this means analyzing the risks to which the company is exposed as part of its business activities and repeating that continuously and regularly. Based on the risk analysis, the management must make appropriate organizational arrangements for compliance in the company, such as:
- use of increased compliance resources in countries with a high risk of corruption;
- stricter compliance checks on public contracts;
- ongoing due diligence and monitoring;
- ongoing internal training;
- separate rules for dealing with certain occupational groups;
- clear rules; and
- where appropriate, controls for contacts with competitors.
However, institutions that are regulated by the Federal Financial Supervisory Authority should comply with all applicable anti-financial crime guidance for the financial sector.
DATA PROTECTION AND CYBERSECURITY
Data protection
- What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
In 2018, Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) came into force with direct effect across the European Union. The GDPR governs the storage, viewing, use of, manipulation and other processing by businesses of data that relates to a living individual. In summary, the GDPR requires that businesses only process personal data where that processing is done in a lawful, fair and transparent manner, as further described in the GDPR.
The GDPR requires that any processing of personal data be done pursuant to one of six lawful bases for processing. The most commonly used lawful basis for processing is to obtain the consent of the data subject to that processing – in relying on this lawful basis, the business must ensure that the consent is freely given, specific, informed and unambiguous, and capable of being withdrawn as easily as it is given. This places a significant burden on businesses to ensure that their customers are fully informed as to what their personal data is being used for, which is a crucial change to the previous regime under which disclosure did not need to be so transparent. Other lawful bases for processing data include where that processing is necessary for the business to perform a contract it has with the data subject, or where required to comply with an obligation the business has at law (not a contractual obligation).
The GDPR further differs from the previous regime in that it places a significantly increased compliance burden on businesses, including, for example, mandatory requirements to notify regulators of data breaches, obligations to keep detailed records on processing, and requirements for most entities to appoint a data protection officer.
The GDPR does not apply to personal data that has been truly anonymized – as anonymized data cannot, by definition, be personal data. However, to ensure that GDPR does not apply to a certain data set, that data set must be truly anonymized. The GDPR itself gives limited guidance on anonymization in Recital 26, requiring data controllers to consider a number of factors in deciding if personal data has been truly anonymized, including the costs and time required to de-anonymize, the technology available at the time to attempt de-anonymization and further developments in technology.
When it comes to international data transfers, a two-step test must be carried out. First, the legitimacy of an international data transfer has the same requirements as a national data transfer. An international data transfer can only be legitimate if an analogous transfer within Germany was legitimate. Second, an international data transfer is only legitimate if the country to which data is to be transferred provides for reasonable data protection legislation. The transfer of data to other EEA members is permitted because those countries provide for an adequate level of data protection. In the case of a data transfer to a country outside the European Economic Area, it must be ensured that the country of destination also provides for an adequate level of protection. With regard to certain jurisdictions, the European Commission has provided decisions on the adequacy of data protection. Another way of ensuring that adequate safeguards are provided is the use of one of the model contracts approved by the European Commission (standard contractual clauses (SCCs)). Effective from 27 June 2021, the European Commission has adopted a new version of SCCs, covering various modules, taking into account the Court of Justice of the European Union decision in Schrems II. In addition, there is theoretically another solution that renders an assessment of the second step (legality of a data transfer to an entity in a country without an adequate level of data protection) unnecessary, namely, corporate binding rules (CBRs). CBRs are codes of conduct and a set of rules a company can draft to allow data transfer outside the European Economic Area and to overcome some practical problems with SCCs. From an EU perspective, the United States does not provide for adequate protection of personal data. If personal data is to be transferred to the United States, a Transfer Impact Assessment is required in addition to the use of the SCCs or CBRs. 
Depending on the risk identified, additional contractual, organizational and technical measures must be taken to establish an adequate level of data protection.
Businesses that infringe the GDPR may be subject to administrative fines of an amount up to €20 million or 4 percent of global turnover, whichever is higher.
In Germany, the new Federal Data Protection Act came into force at the same time as the GDPR. The Federal Data Protection Act makes use of opening clauses, such as for the processing of personal data in the context of employment and for the appointment of data protection officers. The oversight of the GDPR, including compliance and enforcement, is carried out in Germany by 16 data protection supervisory authorities (one supervisory authority based in each federal state). German data protection authorities have not issued any specific guidance for fintech companies.
Cybersecurity
- What cybersecurity regulations or standards apply to fintech businesses?
‘Fintech’ is understood in Germany as technology-enabled innovation in financial services often resulting in new business models, applications, processes or products each materially affecting the traditional provision of financial services. Owing to the technology-neutral regulation of financial markets in Germany, there are no cybersecurity standards specifically addressing fintech companies.
The Federal Financial Supervisory Authority’s (BaFin) standards on cybersecurity reflect the traditional demarcations of regulatory frameworks in Germany: the German Banking Act (namely, BaFin Circular 10/2017 on Banking Supervisory Requirements for IT), the Insurance Supervision Act (namely, BaFin Circular 10/2018 on Insurance Supervisory Requirements for IT/Supervisory Requirements for IT in Insurance Undertakings) and the German Capital Investment Code (namely, BaFin Circular 11/2019 on Capital Management Supervisory Requirements for IT/Supervisory Requirements for IT in German Asset Managers).
Regarding obligations to report serious payment security incidents under Directive (EU) 2015/2366 (revised Payment Services Directive), implemented in Germany by the German Act on the Supervision of Payment Services, BaFin has set out guidance in Circular 08/2018 (BA) for reporting serious payment security incidents (effective until 30 September 2022) and in Circular 03/2022 for reporting serious payment security incidents (effective from 1 October 2022).
According to BaFin, compliance with its sector-specific standards on IT security and cybersecurity does not relieve any regulated entity from complying with other (general) standards in this field. For Germany, this refers to standards issued by the Federal Office for Information Security (BSI), including the IT-Basic Protection Compendium, the Standards 200-1 to 200-3 (security and risk management) and the Technical Guidelines. Fintech businesses must also comply with IT and data security requirements stipulated in other applicable laws (such as the GDPR).
Certain stakeholders in the financial markets are, thus, also regulated as operators of a critical infrastructure or digital service, or both, under the German IT Security Act. Briefly, any facility or installation (or parts thereof) in the finance and insurance sectors is considered a critical infrastructure if its failure or impairment would lead to considerable supply bottlenecks or threats to public safety. Digital services are electronically provided services relating to online marketplaces, search engines and cloud-computing applications; these are likewise regulated if they qualify as ‘critical’ in the aforesaid meaning and provide the public with finance or insurance products. Specific guidance on identifying critical infrastructure and services in practice is provided in the form of legislative decrees of the German Federal Ministry of the Interior. Operators of critical infrastructure are, inter alia, obliged to take appropriate organizational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components or processes, as far as these are essential for the functionality of their critical infrastructure (see section 8a, paragraph 1 of the BSI Act). The same applies to critical service providers in terms of IT security and network security (see section 8c of the BSI Act). As detailed by the BSI, both obligations require regulated entities to implement various measures to ensure network security.
BaFin is conducting regular checks relating to the IT infrastructure of regulated entities. These aspects are likewise covered in audits performed by data protection supervisory authorities. Resulting from the latest amendments of the German IT Security Act, the BSI is furnished with information and audit rights. Further, fintech businesses must comply with the IT security requirements that are stipulated in any other applicable law, such as the GDPR.
OUTSOURCING AND CLOUD COMPUTING
Outsourcing
- Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?
There is a legal regime for outsourcing by financial service providers or investment firms. The Banking Act and the Securities Institutions Act set the framework and the German Federal Financial Regulatory Authority’s (BaFin) Circular on Minimum Requirements for Risk Management (MaRisk) further details the requirements for outsourcing in chapter AT9. Further, BaFin indicates that the European Banking Authority’s Guidelines on Outsourcing Arrangements are also relevant to BaFin’s administrative practice.
In broad terms, it can be said that the outsourcer needs to ensure that its risk profile does not change owing to the outsourcing and that the outsourced services must be in compliance with the applicable legal requirements. The outsourcing of services must not lead to outsourcing of the management’s responsibilities and the regulator must not be hindered in its supervisory activities owing to the outsourcing. Further, the outsourcing agreement must meet certain criteria, if material parts of the business are outsourced. Controlling and audit functions may only be outsourced to an extent that it does not bias the capability of the outsourcing entity to monitor, understand and manage the risks it incurs during its business operations.
Cloud computing
- Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?
German regulatory law stipulates specific legal requirements relating to IT outsourcing and, as such, cloud computing in the financial services industry. Regulatory guidance is given in this context by MaRisk. According to MaRisk, any material outsourcing requires an outsourcing agreement in writing that fulfils minimum requirements, such as stipulating audit rights (in favor of the financial services provider as well as the supervisory authority), data protection and exit management. In addition, BaFin published a Circular on ‘Bank regulatory requirements relating to IT’. This guidance specifies MaRisk requirements relating to IT risk and information security management as well as the concrete IT operation, and, therefore, is also relevant to cloud computing in the financial services industry. With particular regard to the procurement of cloud services, BaFin and Deutsche Bundesbank – the German central bank – have also published ‘Guidance on outsourcing to cloud service providers’. The Guidance does not contain any new requirements; the existing requirements for outsourcing, therefore, remain unchanged.
INTELLECTUAL PROPERTY RIGHTS
IP protection for software
- Which intellectual property rights are available to protect software, and how do you obtain those rights?
According to German copyright law, computer programs shall be protected if they represent individual works in the sense that they are the result of the author’s own intellectual creation. No other criteria, especially qualitative or aesthetic criteria, shall be applied. The protection granted shall apply to the expression in any form of a computer program. Ideas and principles underlying any element of a computer program, including the ideas and principles underlying its interfaces, shall not be protected. A copyrightable work is protected as of the moment of creation, so no further administrative measures are needed. The German Act on Copyright and Related Rights comprises specific stipulations concerning various uses of software, including decompilation and rearrangement of software. While software as such is not patent-protectable, computer-implemented inventions may be if they show a technical effect.
Business methods and software as such are not patent-eligible; both the German Patent Act and the European Patent Convention say so explicitly. However, for practical purposes, the patent eligibility of software very much depends on the claim drafting: if the invention can be presented as having a technical effect, patent protection may be available. The case law of both the Federal Court of Justice and the European Patent Office boards of appeal provide useful guidance in this respect.
IP developed by employees and contractors
- Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?
In Germany, the intellectual property generated by an employee will, generally, not automatically become the gratuitous property of the employer as in most other jurisdictions. Rather, the German Act on Employees’ Inventions provides a complex system according to which the employer merely has a right to claim an employee invention. In this case, the employer must pay a certain amount that is calculated in a complex manner based on a number of factors and parameters.
These rules do not apply to independent contractors or consultants. If the intellectual property is based on true cooperation, this can lead to complex legal situations, including the factual foundation of a private partnership. Accordingly, any such potential issues should be dealt with in a contract, clearly allocating the rights and obligations of all parties arising under such a cooperation or research and development project.
With respect to software developed by an employee, the German Act on Copyright and Related Rights contains a different set of rules. Generally, the employer will automatically gain the exclusive usage rights on software developed during employment. Only the German equivalent of moral rights will remain with the creator of such software.
Joint ownership
- Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?
Subject to contractual stipulations, co-ownership of inventions and patents as well as other intellectual property rights is considered a simple company-like structure (Gemeinschaft). This legal form is dealt with in the German Civil Code, though only in rudimentary form. Each owner may use the invention (as a rule, without having to pay a license fee to the others) or may sell its share in the invention. However, a license may only be granted with the consent of all co-owners. Each co-owner can request that the Gemeinschaft be dissolved, which typically happens by way of selling the intellectual property asset. This is one reason why co-owners should devise a contract early on rather than relying on statutory rights.
In addition, the German trade secret law, unlike patent and copyright law, does not regulate the legal relationship between joint owners and can, therefore, cause difficulties if no contractual provisions are established.
Trade secrets
- How are trade secrets protected? Are trade secrets kept confidential during court proceedings?
Germany implemented the German Trade Secrets Act almost four years ago, which chiefly protects trade secrets. In addition, trade secrets are secondarily protected under criminal law as well as through general civil law, civil procedure law and unfair competition law (against general passing-off). In addition, contracting parties are free to protect individually defined trade secrets.
The most debated criterion for gaining trade secret protection is the trade secret measures that have to be implemented by the trade secret owner. Even years after the Act came into force, there is still little clarification as to what is meant by this. There is, however, consensus that adequate protection does not require the best possible protection, so as not to restrict the concept of secrecy too severely. The type and scope of the measures ultimately depend on the importance of the information for the company. For the sake of clarity, a three-level classification is used. A distinction can be made between top secret (the crown jewels information, the disclosure of which would threaten the existence of the company), important (information, the disclosure of which could cause a permanent economic disadvantage) and sensitive information (information, the disclosure of which could cause a short-term economic disadvantage) (see OLG Schleswig, 28 August 2022, 6 U 39/21).
Further, it is important to know that the law protects trade secrets against direct unlawful attainment, use and disclosure, as well as against indirect infringement, but generally not against reverse engineering. In the event of an unlawful action, the owner of a trade secret generally has the same legal remedies available to him or her as would be the case for other intellectual property (namely, cease and desist, destruction, disclosure, damages). A special feature of the German Trade Secrets Act is a specific right to information about infringing products. Thus, it can prove a powerful tool to protect confidential information when other intellectual property rights might not be applicable.
The German Trade Secrets Act does not contain any provision as regards former employees in relation to the protection of trade secrets. Therefore, contractual provisions are advisable. Nevertheless, they must be carefully worded to be effective and not unduly limit employees’ basic rights under the German Constitution.
It is at the discretion of the court to decide which orders are necessary for adequate trade secret protection during legal proceedings. The German Trade Secrets Act stipulates special regulations that apply to trade secret litigation proceedings only and prevail through execution proceedings. At the request of a party, contentious information can be fully or partly classified as a trade secret. Parties to the proceedings and individuals with access to procedural documents can neither use nor disclose trade secrets. There is no in-camera proceeding, but the number of individuals gaining access to procedural documents can be limited to one natural person from each party and their respective litigant or legal representative. In such a case the public would be excluded from the hearing when and as long as such information is discussed. The court may, at the request of one of the parties, impose a – relatively low – fine of up to €100,000 or imprisonment for up to six months for failure to comply with the obligations. The German Courts Constitution Act can also be applied as it contains, inter alia, a confidentiality obligation subject to criminal prosecution for the hearing itself.
After the proceedings, it is relevant to know that the prevailing party can request to (partly) publish the decision when it is legally binding and cannot be subject to appeals anymore. Court proceedings in trade secret cases are becoming increasingly popular. As a result, the respective German federal states have recently established special court chambers for trade secrets to facilitate the enforcement of trade secret rights.
Nevertheless, a key takeaway is that trade secrets should first be categorized and documented as such and secondly, kept secret by adequate trade secret measures so that confidential treatment is ensured and accidental disclosure is avoided.
Branding
- What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?
The most obvious way to protect branding under German law would be to register either a German trademark or an EU trademark. Further, some similar rights also exist, for example, for designs, as well as to some extent usage rights and name rights specifically for a company’s trade name.
Before entering a market with a designation (importantly including a trade or company name), each new market entrant should conduct due diligence on its brand. As a first step, this would include an internet search for identical designations. In a second step, the trademark registers and possibly commercial registers should be reviewed with regard to the designation, at the very least as far as identical applications are concerned. This can be done in-house but also via experienced search companies and law firms.
Remedies for infringement of IP
- What remedies are available to individuals or companies whose intellectual property rights have been infringed?
There are various measures against infringements of intellectual property (IP) rights. The main goal of any action, including by way of preliminary injunction, is to stop the infringer from continuing to infringe. An injunction or preliminary injunction will achieve this aim. Apart from this, all the established IP remedies are available, including claims for damages (computed by lost profits, infringer’s profits or license analogy) and for rendering account.
COMPETITION
Sector-specific issues
- Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?
Fintech companies and the fintech sector are subject to the general competition law rules in Germany. There are no specific rules in competition law targeting the fintech sector. This means that the provisions prohibiting cartels, abuse of dominance and the merger control rules, and the general principles developed in other industries, are applied.
In January 2021, the German Act against Restraints of Competition saw a major overhaul that introduced new tools to apply competition law in digital markets. The amendment focuses on rules for Big Tech companies and therefore amends rules for the abusive behavior of strong market players primarily directed at Google, Amazon, Facebook and Apple (GAFA). In this regard, special rules have been introduced for companies of paramount significance for competition across markets. The German Federal Cartel Office (FCO) has already used these powers in proceedings against GAFA. The FCO has the ability to intervene at an early stage and can introduce preventive measures against strong companies in strategic positions, such as the operation of platforms, including the prohibition of self-preference of own services or impeding third companies from entering the market by processing data relevant for competition. However, depending on the market definition, these powers are not limited to the digital space but may also apply to other markets such as financial services or payment solutions. There are additional rules for relative or superior market power where a ‘dependent’ company can claim access to data from a company in a strong market position, which must be granted in return for adequate compensation even if such data is not otherwise marketed.
Together with the new rules on abuse of a dominant market position, the rules on merger control were updated and the national filing thresholds have been increased. Transactions are now subject to merger control if:
- the parties to the transaction achieved a combined worldwide turnover of more than €500 million;
- one of the companies concerned achieved an annual turnover of at least €50 million (previously €25 million) in Germany; and
- if another company achieved an annual turnover amounting to at least €17.5 million (previously €5 million) in Germany.
Germany has an additional merger control threshold based on the value of the consideration, which remains in place. Transactions must be notified in Germany if:
- the parties to the transaction achieved a combined worldwide turnover of more than €500 million;
- one company concerned had a turnover of more than €50 million in Germany but one of the other companies concerned, including the target, did not achieve a turnover of more than €17.5 million in Germany;
- the consideration is more than €400 million; and
- the target has been active in Germany to a significant extent.
This threshold is intended to catch highly valued start-up fintech companies even if the target company does not yet have high turnover levels. A merger case that may fall into this category was the acquisition of Tink by Visa valued at €1.8 billion. The overall increase in the thresholds will mean that fewer transactions are subject to merger control proceedings.
The financial sector has also seen enforcement actions in the past. The FCO used its competition law powers in relation to payment services. The FCO found that provisions in general banking terms and conditions introduced by the banking association, which prevented customers from using their personal identification numbers and account numbers in independent online payment procedures, infringed competition law; its aim was to cause revisions to these general terms and also to enhance new (technological) developments. This decision was upheld by the Federal Supreme Court in 2020, ruling that the restrictions on third-party payment providers were an unlawful restriction on competition. The immediate effect of the judgment is limited as Directive (EU) 2015/2366 (revised Payment Services Directive) (PSD2) requires banks to grant online financial service providers (fintech companies) access to payment and account information if the customer allows it. However, some commentators think that the judgment heralds a broader payment service liberalization as its reasoning can be applied to other services such as savings, investment and insurance accounts.
The FCO reviewed plans of Deutsche Kreditwirtschaft to set up a joint payment system for all payment channels and decided not to raise objections for the first stage of implementation. The project, named Xpay or DK, shall combine the current e-commerce payment methods paydirekt and giropay as well as the customer-to-customer payment system Kwitt into one system. The aim of the initiative is to offer a standard product covering various payment channels in brick-and-mortar retail (point of sale), online sales (e-commerce) and payments between private persons via apps (peer-to-peer payments). In the meantime, the FCO has also not raised objections against the further development of the giropay system in standardizing the payment solution of Deutsche Kreditwirtschaft after plans for an exclusivity agreement were given up. The FCO did not challenge the centralized structure of giropay as it faces powerful competitors such as PayPal, VISA and MasterCard.
One issue that has arisen across sectors is the assessment of digital pricing tools, especially in the form of pricing algorithms, which are able to observe and evaluate a large amount of market-relevant information from competitors, customers and suppliers as well as other market conditions, thus enabling their users to react quickly with solutions adapted to each individual case to these observations (dynamic algorithm pricing). A potential competition concern that has been voiced is that pricing software may help to implement and increase the reliability of cartel agreements or that pricing software can implement hub-and-spoke practices. Innovation in the fintech field remains at the forefront of interest of regulators and the competition authority of Luxembourg initiated a market study into blockchain and economics in June 2023.
In the merger space, the FCO cleared the acquisition of ControlExpert by Allianz after an in-depth review. ControlExpert provides vehicle insurance providers, leasing companies and fleet operators with automated IT-based services to settle motor vehicle damages. In light of ControlExpert’s strong market position, the FCO nevertheless examined whether its range of services would become indispensable for other vehicle insurance providers as a result of the transaction and whether, as a consequence, ControlExpert’s competitors would have to expect a significant loss of customers. The FCO found that a number of competitors with strong innovative power will remain in the market and are able to offer comparable services even after Allianz has entered the market. Competitors are also increasingly using artificial intelligence to automate the process of settling car insurance claims. In such a market environment, sufficient competition is also ensured in the future and the transaction could be cleared. In 2022, the FCO cleared competing merger plans by EQT to acquire Schufa and by TeamBank to increase its shareholding in Schufa, which were procedurally interesting cases, as transactions that could not be completed at the same time were notified by different parties. According to public sources, EQT ultimately abandoned its acquisition plans.
The value of the consideration test has been applied to the acquisition of Honey Science Corporation by PayPal Inc. The FCO found that the transaction was notifiable as Honey Science Corporation had a significant local activity owing to its active user base despite not having turnover in excess of the then applicable threshold of €5 million. Ultimately, the transaction was cleared as the FCO found no competition concern. In particular, in relation to online payment services, various operators such as Klarna, Google Pay and Apple Pay are active on the market.
Section 57 of the Act on the Supervision of Payment Services, which is based on section 35 of PSD2, provides for a specific legal instrument similar to competition law that requires payment systems not to impose on payment service providers, payment service users or other payment systems any of the following: restrictive rules on the effective participation in other payment systems; rules that discriminate between authorized payment service providers or between registered payment service providers in relation to the rights, obligations and entitlements of participants; or restrictions on the basis of institutional status.
Last, the German Federal Government revised its foreign direct investment regime several times in reaction to the covid-19 pandemic. However, the overall investment regime has been amended, which applies to a variety of sectors. One particular issue is that the acquisition of companies operating a ‘critical infrastructure’ or a ‘critical technology’ is subject to a notification requirement. Acquisitions of fintech companies may become subject to a notification requirement and foreign investment if they have certain artificial intelligence capabilities or if they meet the thresholds laid down in the Regulation on Critical Infrastructure as regards payment systems.
TAX
Incentives
- Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?
Since 1 January 2020, research and development activities are supported by a tax-exempt research and development allowance that will be available for all companies regardless of their size and business purposes, provided they are subject to German income tax. According to this law, in general, research and development projects are supported to the extent they can be assigned to the categories:
- basic research;
- industrial research; or
- experimental development.
According to the official reasoning of this law, the administrative practices of the European Commission regarding Regulation (EU) No. 651/2014 (General Block Exemption Regulation) as well as the Frascati Manual of the Organization for Economic Cooperation and Development have to be considered when describing these terms.
The assessment basis for the allowance is the eligible expenses. Eligible expenses are labor costs for employees who are entrusted with these research and development projects and the employer’s expenditure to secure those employees’ future, including expenses for services rendered by a shareholder on the basis of an employment agreement that are subject to wage withholding tax. Further, eligible expenses are also personal contributions of an individual entrepreneur regarding these research and development projects. In this case, each labor hour is valued at €40 up to a maximum of 40 hours per week.
The assessment basis for the allowance is generally capped at €2 million. The research and development allowance would be 25 percent of this assessment basis (namely, the maximum allowance is capped at €500,000 per annum). However, the assessment base for eligible expenses incurred after 30 June 2020 and before 1 July 2026 shall be a maximum of €4 million (namely, a maximum allowance of €1 million per annum applies for eligible expenses incurred after 30 June 2020 and before 1 July 2026). For contract research rendered by contractors established in an EU or EEA state, 60 percent of the remuneration paid to the contractor is taken into account. The amount of state aid granted for a research and development project, including research allowances under this law, must not exceed €15 million per enterprise and research and development project. The allowance shall be granted on application. The application must be accompanied by an official certificate stating that research and development projects are eligible in the meaning of this law. The research and development allowance is not paid out immediately after it has been determined, but is taken into account in the next income or corporate income tax assessment by offsetting it against the determined income or corporate income tax. If the research allowance exceeds the established income or corporate income tax, the excess amount will be paid out.
Apart from this, there have, until now, been no specific tax incentives available regarding the fintech environment. However, the following should be noted.
The German Income Tax Act allows small and medium-sized businesses (namely, taxpayers with profits of not more than €200,000 (before considering an investment deduction amount according to section 7g(1), sentence 1 of the German Income Tax Act)) to deduct up to 50 percent of the anticipated costs for future acquisitions or productions of depreciable movable fixed assets from their taxable income up to three fiscal periods before the capital asset is actually purchased. The maximum investment deduction amount is €200,000.
Further, the German Corporate Income Tax Act, in principle, foresees that the transfer of more than 50 percent of the shares in a German company results in an entire forfeiture of tax loss carryforwards. However, tax loss carryforwards (as well as interest carryforwards) will not be forfeited in the event of a transfer of shares beyond these thresholds if the business operation is maintained unchanged by the seller since the establishment of the company (or at least from the beginning of the third fiscal period preceding the year of the transfer) and also by the acquirer until the end of the transfer year. Even though companies in all industries are entitled to benefit from this rule, according to the official reasoning of the law it should serve in particular to increase the chances of IT start-ups attracting capital.
Increased tax burden
- Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?
No.
IMMIGRATION
Sector-specific schemes
- What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?
Citizens of the European Union and the European Economic Area have unrestricted access to the German labor market. Swiss nationals also enjoy free movement within the European Union but must apply for a special declaratory Swiss residence permit.
Third-country nationals who wish to work in Germany need a residence permit that includes a work permit. There are no specific immigration schemes for fintech businesses.
However, special regulations for highly qualified employees and job positions in ‘shortage occupations’ apply.
A privileged residence permit exists for highly qualified persons: the EU Blue Card. The Blue Card is limited to a maximum term of four years when issued for the first time. Third-country nationals who are entitled to hold a Blue Card can obtain a national visa for entry in advance at the relevant German diplomatic mission. Only nationals of a few exempted third-country states are allowed to enter Germany without a visa for a maximum duration of three months and have the opportunity to apply for a Blue Card in Germany directly. After entry and the filing of a Blue Card application, the relevant immigration authority can replace the national visa with a Blue Card.
To obtain a Blue Card, no priority examination (no preferential workers available for the job) and no examination of working conditions are necessary (which would normally be required). The applicant needs to provide evidence of his or her qualifications, meet the labor market requirements in Germany and provide a German employment agreement with a German employer. In general, a university degree from a German university, a recognized degree from a foreign university or at least a foreign university degree comparable to a German university degree is required. A minimum salary of €58,400 gross per year (for 2023; the threshold differs annually) is required. For shortage occupations, the minimum annual gross salary is €45,552 (for 2023). Shortage occupations are, inter alia, natural scientists, mathematicians, medical doctors, engineers, engineering scientists and academic specialists in information and communication technology. If those requirements are met, no approval from the employment agency is necessary.
After a residence of 33 months in Germany, holders of a Blue Card can apply for an indefinite settlement permit. If sufficient knowledge of the German language can be proven (at least level B1), an indefinite settlement permit can already be applied for after 21 months of residence in Germany.
Skilled workers have advantages concerning their access to the German labor market. By definition of the law, skilled workers are university graduates as well as qualified workers from non-EU member countries. IT professionals who can demonstrate at least three years of professional experience do not need a formal vocational qualification. As of 1 March 2020, all skilled workers are on an equal footing with university graduates. It is now also irrelevant whether Germans or EU citizens are available for the vacant position. This was only applicable to ‘shortage professions’ in the past.
In comparison to the Blue Card, the Skilled Worker Act specifies that an employment contract does not have to be issued upon arrival. Instead, one can apply for a visa for up to six months to seek a job according to one’s qualifications, provided that one’s foreign qualifications have been recognized and the applicant has sufficient language skills to perform the desired activity.
For applicants without a university degree who have completed professional training, a temporary residence permit can be applied for. Applicants are hereby no longer limited to positions in a shortage occupation. The applicant must provide a specific job offer, which corresponds to his or her completed training, a German qualification or a qualification recognized as equivalent, a completed professional training (of at least two years) and the applicant must provide sufficient language skills to perform the desired activity. A priority examination is not required.
Third-country citizens who come to Germany to take on a job within the same group of companies have the option to apply for an Intra-Corporate Transfer Card (ICT Card). This option includes employees working in a position as manager, specialist or trainee. To apply, a specific employment contract for the intra-corporate transfer and previous employment in the group of companies of at least six months are required. The length of stay in Germany depends on the particular type of ICT Card.
After five years of holding a preliminary residence permit, it is possible to obtain an indefinite residence permit. Proof is required that:
- the living costs can be covered without using statutory benefits;
- at least 60 months of compulsory contributions to the statutory pension insurance have been made;
- the applicant has sufficient German language skills;
- he or she has basic knowledge of the legal and social order as well as living conditions in Germany;
- a permit for employment is available;
- the residence poses no threat to public safety and order; and
- sufficient housing space is available for the applicant and, as the case may be, for family members.
UPDATE AND TRENDS IN FINTECH IN GERMANY
Current developments
- Are there any other current developments or emerging trends to note?
The legislature and the regulatory authorities have taken unprecedented measures to address the risks deriving from the covid-19 pandemic. These measures include, inter alia, those that are specifically targeted at start-up companies and the fintech sector.
* The authors wish to thank Martin Gramsch, Janine Marinello, Lena Schäfer, Elmar Weinand, Kilian Wolf and Jan Zücker for their assistance in the preparation of this chapter.
* The information in this chapter was accurate as of June 2023.