Fintech in Luxembourg 2024

Fintech in Luxembourg 2024

Fintech in Luxembourg 2024

FINTECH 2024

LUXEMBOURG

Cathrine Foldberg Møller, Julie Carbiener, Camille Saettel, Camille Bénézet, Maya Coumes

(Simmons & Simmons)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

  1. What is the general state of fintech innovation in your jurisdiction?

Luxembourg has a vibrant and rapidly growing fintech scene. The Grand Duchy hosts a large number of financial service providers, including a growing number of virtual asset service providers (currently there are 10 virtual asset service providers registered in Luxembourg). Several payment institutions and electronic money institutions have established their European financial hub in Luxembourg. An innovative local fintech start-up scene is developing digital tools to help companies and financial institutions. With Luxembourg being one of the leading investment fund centers in the world, the accumulation of fundtech providers comes as no surprise and the technology provided is being rapidly adopted by established institutions. Additionally, especially in the areas of payments, platforms, blockchain and related ancillary services, the regulatory landscape is rapidly growing and evolving and a vast number of fintech and fundtech providers are already active in the country.

The current boom shows no signs of slowing down as the Luxembourg government remains committed to attracting new start-ups and scaling up entrepreneurs and investors.

Government and regulatory support

  1. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

Overall, the Luxembourg financial sector is robust, largely thanks to its community of financial institutions and agile public institutions that have always been resilient in withstanding different crises.

The three official languages (Luxembourgish, French and German) make Luxembourg a diverse and dynamic global financial center, where English is commonly used in the workplace. The Luxembourg Financial Sector Regulator (CSSF), is also able to work in English and also provides most of its publications, legislation and its guidelines in English.

To help fintech initiatives, the CSSF has created a dedicated innovation hub that intends to help with the regulatory challenges surrounding financial innovation and to foster a constructive dialogue between the regulator and actors of the financial sector. To do so, the CSSF has created a dedicated contact form for the innovation hub available in French and in English on the CSSF website.

To provide an agile and efficient regulatory environment for fintech companies, Luxembourg has been modernizing its legislative framework since 2014 when crypto exchanges or platforms and the provision of payment services using virtual or other currencies were recognized as financial service providers and able to obtain a license. Further in 2019, the possibility to issue dematerialized securities on distributed ledger technology was introduced by law. In 2021, the CSSF also published its guidance on virtual assets along with two frequently asked questions for undertakings for collective investments and credit institutions. A Luxembourg law implementing the EU’s Distributed Ledger Technology (DLT) Pilot Regime in Luxembourg has been voted on and further strengthens the already advanced and robust Luxembourg DLT legal framework.

The Luxembourg House of Financial Technology (LHoFT) is a public-private initiative driving technological innovation for Luxembourg’s financial service industry. It acts as an incubator for fintech initiatives and acts as a hub for the fintech ecosystem in Luxembourg. The LHoFT also offers additional support by connecting fintech initiatives with local service providers, investors, the University of Luxembourg and other associations.

A fintech company can also take advantage of the Luxembourg government’s wider initiatives to help start-ups.

The Luxembourg legislator has decided not to create a regulatory sandbox for fintech start-ups, believing that it is important for new initiatives to incorporate regulatory requirements into the design phase of a product. The absence of a sandbox also gives start-ups greater credibility as it shows that they are mature enough to comply with comprehensive regulatory requirements.

FINANCIAL REGULATION

Regulatory bodies

  1. Which bodies regulate the provision of fintech products and services?

In Luxembourg, the main regulator in charge of supervising fintech products and services is the Luxembourg Financial Sector Regulator (CSSF), which is the main regulator of the financial sector. Where insurance products are involved, this falls within the remit of the supervision of the Commissariat aux Assurances (CAA).

Alongside these regulators, are the Ministry of Finance and the Ministry of Justice, which are in charge of the development and implementation of new laws and initiatives in the fintech space.

Regulated activities

  1. Which activities trigger a licensing requirement in your jurisdiction?

Depending on the nature and scope of services, licensing requirements may be triggered in Luxembourg under the law of 5 April 1993 on the financial sector (the Financial Sector Law) and the law of 10 November 2009 on payment services (the Payment Services Law). The following activities are regulated activities as a matter of Luxembourg law:

  • acceptance of deposits and other repayable funds;
  • lending, including, inter alia, consumer credit, mortgage credit, factoring, with or without recourse, financing of commercial transactions;
  • financial leasing;
  • payment services as described in Annex I of Directive 2015/2366/EU (Payment Services Directive II) (PSD2), which has been replicated in Payment Services Law;
  • issuing and administering other means of payment (e.g, travelers’ cheques and bankers’ drafts) insofar as this activity does not constitute payment services under PSD2;
  • guarantees and commitments; and
  • trading for own account or account of customers in:
  • money-market instruments (cheques, bills, certificates of deposit, et cetera);
  • foreign exchange;
  • financial futures and options;
  • exchange and interest-rate instruments; and
  • transferable securities; and
  • participation in securities issues and the provision of services related to such issues;
  • advice to undertakings on capital structure, industrial strategy and related questions and advice as well as services relating to mergers and the purchase of undertakings;
  • money broking;
  • portfolio management and advice;
  • safekeeping and administration of securities;
  • credit reference services;
  • safe-custody services;
  • issuance of electronic money; and
  • investment services in the sense of Directive 2014/65/EU (Markets in Financial instruments Directive II) (MiFID II), including:
  • reception and transmission of orders in relation to one or more financial instruments;
  • execution of orders on behalf of clients;
  • dealing on own account;
  • portfolio management;
  • investment advice;
  • underwriting of financial instruments and/or placing of financial instruments on a firm commitment basis; and
  • operation of an MTF.

Luxembourg has introduced a specific national equivalence regime with respect to investment services and activities whereby the CSSF has recognized a number of jurisdictions as ‘equivalent’. This means that third-country firms (namely, a firm or a credit institution with its head office outside of the European Union) can under certain circumstances provide investment services or activities to professional clients or eligible counterparties (as defined in MiFID II) in Luxembourg without having to establish a branch or obtain any other authorization from the CSSF. An application form needs to be completed and submitted to the CSSF and the procedure is described in more detail in CSSF Circular 19/716 (as amended).

Currently, the following jurisdictions are deemed ‘equivalent’ by the CSSF: Australia, Canada, China, Hong Kong, Japan, Singapore, Switzerland, the United Kingdom and the United States according to CSSF Regulation 20/02 dated 29 June 2020, as amended from time to time.

Consumer lending

  1. Is consumer lending regulated in your jurisdiction?

Consumer lending is regulated in Luxembourg and requires a license. Consumers are protected by the provisions of the Consumer Code.

For consumer lending, a number of formalities, such as the mandatory provision of information, have to be accomplished before a loan can be issued to a consumer.

Lending as a credit institution is also regulated in Luxembourg although certain exemptions apply:

  • loans not made ‘to the public’. The CSSF has clarified that this is where loans are granted:
  • to a limited circle of previously determined persons; or
  • the nominal value of a loan amount to €3 million at least (or the equivalent amount in another currency) and the loans are granted exclusively to professionals (as defined in the Consumer Code); and
  • a lending activity that does not have a professional character, meaning that unique or one-off credit operations do not fall within scope; and
  • loans between €200 and €75,000 do not fall within the scope of the Consumer Code.

Secondary market loan trading

  1. Are there restrictions on trading loans in the secondary market in your jurisdiction?

The trading of fully drawn loans does generally not trigger any licensing requirements in Luxembourg. There may be restrictions as well as licensing requirements for the trading of undrawn or partially drawn loans where the acquirer becomes the lender of record.

Collective investment schemes

  1. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

Undertakings for collective investments (UCIs) are governed by the law of 17 December 2010 and can take various legal forms. In general, to qualify as a UCI and fall within the scope of the legislation there needs to be a raising or injection of capital coupled with the issuance of units and a management of assets according to the principle of risk-spreading. Alternative finance products such as peer-to-peer lending may fall within the scope of this legal framework depending on the nature of the business. Where the fintech company manages assets on a pooled basis on behalf of investors, this legislation will need to be carefully considered. Additionally, fintech companies whose business involves managing one or more alternative investment funds (AIF) would need to consider the potential implications of Directive 2011/61/EU (Alternative Investment Fund Managers Directive) and the implementing Luxembourg law of 12 July 2013. An AIF is defined as a collective investment vehicle that raises capital from a number of investors, with a view to investing it in accordance with a defined investment policy for the benefit of those investors.

Alternative investment funds

  1. Are managers of alternative investment funds regulated?

Alternative investment fund managers are regulated in Luxembourg and require a license from the competent authority pursuant to the Luxembourg law of 12 July 2013 on alternative investment fund managers.

Peer-to-peer and marketplace lending

  1. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

There is currently no specific legal framework for peer-to-peer or marketplace lending in Luxembourg. Nevertheless, these activities could fall within the scope of the law of 5 April 1993 on the financial sector.

Crowdfunding

  1. Describe any specific regulation of crowdfunding in your jurisdiction.

Regulation (EU) 2020/1503on European crowdfunding service providers for business is directly applicable in Luxembourg since 10 November 2021 and implies specific licensing requirements in Luxembourg.

The Regulation applies to crowdfunding services provided to project owners that are not consumers or crowdfunding offers with a consideration of more than €5 million per annum per project owner. The Regulation creates the new legal status of European crowdfunding service provider, benefiting from an EU passport after obtaining a license in one member state. Licensing and supervision are carried out by the CSSF in Luxembourg.

Investor protection measures are also included in the Regulation, including mandatory information disclosures for project owners in the form of a key investment information sheet.

Crowdfunding service providers that also wish to provide payment services will need to obtain a separate license.

According to Commission Delegated Regulation (EU) 2022/1988 of 12 July 2022, the transitional period (namely, according to which existing crowdfunding service providers, operating under national law, may continue to provide services within the meaning of the Regulation) is extended until 10 November 2023.

Invoice trading

  1. Describe any specific regulation of invoice trading in your jurisdiction.

Factoring operations consisting in the acquisition of commercial debts and in its recovery for own account is regulated by the law of 5 April 1993 on the financial sector and is considered as a lending operation. However, factoring operations that do not have credit elements are considered to fall outside of scope.

Payment services

  1. Are payment services regulated in your jurisdiction?

Yes, payment institutions are governed by the law of 10 November 2009 on payment services, which transposed PSD2. No person established in Luxembourg may provide payment services without holding a written authorization from the CSSF. The regulated payment services follow those listed in Annex I of PSD2 and include:

  • services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account;
  • services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account;
  • execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider:
  • execution of direct debits, including one-off direct debits;
  • execution of payment transactions through a payment card or a similar device; and
  • execution of credit transfers, including standing orders; and
  • execution of payment transactions where the funds are covered by a credit line for a payment service user:
  • execution of direct debits, including one-off direct debits;
  • execution of payment transactions through a payment card or a similar device; and
  • execution of credit transfers, including standing orders; and
  • issuing of payment instruments and (or) acquiring of payment transactions;
  • money remittance;
  • payment initiation services (namely, a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider); and
  • account information services (namely, an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider).

Open banking

  1. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

Yes, in Luxembourg account information service providers are governed by the law of 10 November 2009 on payment services. This activity is characterized as an online service consisting of providing consolidated information regarding one or more payment accounts held by the user of payment services either with another payment service provider or with more than one payment service provider and is a regulated activity requiring a license from the CSSF. Such service enables customers to access the information by online login on the account information service provider website. Like in the rest of the European Union, the drive for open banking was driven by PSD2 to optimize the customer’s experience and increase competition and product innovation.

Robo-advice

  1. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

Robo-advisers that provide investment advice or execute orders have to be registered with the CSSF in the same manner as traditional providers of investment services. The exact type of licensing required depends on the services provided by the robo-adviser. There is currently no dedicated legal framework on automated advice for retail customers.

Insurance products

  1. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Yes, selling or marketing insurance products is regulated by the CAA and is governed by the law of 7 December 2015 on the insurance sector. In terms of insurance intermediation, Luxembourg regulations distinguish several categories such as agents, brokers and insurance intermediaries. Insurance intermediaries are subject to strict regulatory requirements, including having to evidence to the CAA their professional knowledge and experience. Depending on the type of product, Regulation (EU) No. 1286/2014 on packaged retail and insurance-based investment products may also be relevant.

Credit references

  1. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

Should a credit information service qualify as a credit-rating agency, Regulation (EC) No. 1060/2009 on credit rating agencies applies. Under this Regulation, a credit rating agency has to be registered if it is established in an EU member state.

Agencies have to adopt measures to prevent conflicts of interest and ensure that its credit ratings are based on a thorough methodological analysis of information.

There are currently no rules on providing consumer credit scores in Luxembourg.

CROSS-BORDER REGULATION

Passporting

  1. Can regulated activities be passported into your jurisdiction?

Credit institutions and investment firms authorized in an EU member state under one of the EU Single Market’s Directives may be able to benefit from EU passporting and provide certain regulated activities in Luxembourg, either by way of freedom to provide services or by establishing a branch. Other EU financial institutions may also be able to benefit from EU passporting on the condition that they meet certain requirements, in particular, that it is a subsidiary of a credit institution. These regulated activities cover in particular those of credit institutions, Directive 2014/65/EU (Markets in Financial instruments Directive II) (MiFID 2) investment services and activities as well as the activities of payment service providers and electronic money institutions.

Firms will be able to passport and provide only those activities for which they are authorized in their home member state and there is a regulatory process with the home member state that needs to be followed.

Requirement for a local presence

  1. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

To obtain a license for the services or activities regulated pursuant to the financial sector law or the law on payment services, a local presence is a prerequisite. Certain services can still be provided in or into Luxembourg, either under EU passporting or on a cross-border basis from a third country provided that certain criteria are respected and depending on the type of clients.

In accordance with Circular CSSF 20/743, fintech companies can rely on the reverse enquiry to avoid the licensing requirements when providing MiFID 2 services.

SALES AND MARKETING

Restrictions

  1. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

Depending on the regulatory status of the entities, different sales and marketing rules may apply. The consumer law framework contains provisions on information requirements, advertising and unfair contract terms. Consumer protection includes requirements to act fairly and honestly and to not mislead the customer and abide by minimum standards of market behavior when dealing with consumers as well as general restrictions on the recording of telephone conversations, electronic commercial communications, conclusion of contracts by electronic means and doorstep selling.

Marketing materials for credit offerings must refer to the expected cost of the credit for the consumer and contain specific information depending on the type of credit and the purpose of the loan.

Marketing materials for investment services and complex products include all provisions related to European rules (e.g, Directive 2014/65/EU (Markets in Financial instruments Directive II) and the Packaged retail investment and insurance-based products). The identification of marketing communications should be prominent and should include the appropriate disclaimer. Excessive cross-references to legal or regulatory provisions should be avoided unless this is appropriate. The suitability of the marketing communication must be considered taking into account the target retail investors and firms should avoid using technical wording. The information must be up-to-date, proportionate and sufficient for the customer to understand the key elements.

Where the products are funds, additional restrictions apply to the sale and marketing thereof.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

  1. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

Luxembourg has implemented a law to allow for the possibility of using secure electronic recording systems, including Distributed Ledger Technology (DLT), for dematerialized securities.

In January 2022, the Luxembourg Financial Sector Regulator (CSSF) published a white paper on DLT and blockchain focusing on the risks and recommendations for the financial sector acknowledging that innovative processes and technologies can contribute to the improvement of the provision of financial services.

Cryptoassets

  1. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

The CSSF has adopted a tech-neutral approach, which means that it tries to regulate the output and risks of a system rather than the technology that a system is based on. Therefore, while there are no specific rules on cryptoassets, entities have to abide by the regulations that apply to traditional service providers in the same sector.

From a Luxembourg regulatory framework perspective, there is a specific regime for virtual asset service providers, which are rules with an anti-money laundering angle and in 2021, the CSSF also published its guidance on virtual assets along with two frequently asked questions for undertakings for collective investments and credit institutions.

The CSSF has issued several warnings advising retail clients against investing in this type of asset flagging that there are significant risks associated with them.

Token issuance

  1. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

There are currently no specific regulations in place for ICOs, but some general laws, such as the rules around the publication of a prospectus may apply to the issuance of tokens. The CSSF has published guidance and communication for consumers in the context of virtual assets including tokens.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

  1. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

There is no specific regulatory framework for the use of artificial intelligence (AI). The Luxembourg Financial Sector Regulator (CSSF) has, however, adopted a soft-law instrument in the form of a white paper to help actors navigate the challenges of AI. Some forms of artificial intelligence utilizing personal data are partially regulated by Regulation (EU) 2016/679 (General Data Protection Regulation). As the CSSF has adopted a tech-neutral approach, there is no legal distinction between robo-advice and traditional investment advice in Luxembourg and robo-advisers are therefore subject to the same licensing requirements as traditional investment advisers. On 3 May 2023, the CSSF, jointly with the Banque Centrale du Luxembourg, published a thematic review on the use of artificial intelligence in the Luxembourg financial sector.

CHANGE OF CONTROL

Notification and consent

  1. Describe any rules relating to notification or consent requirements if a regulated business changes control.

If an investor intends to acquire or increase a qualifying holding in a regulated company, this acquisition has to be notified to the Luxembourg Financial Sector Regulator (CSSF) and is subject to approval by the CSSF.

A qualifying holding is defined as any direct or indirect holding that represents 10 percent or more of the capital, the voting rights (or both) or that makes it possible to exercise a significant influence over the management of the entity. Additionally, there are thresholds at 20, 33.3, 50 and 100 percent that trigger a notification requirement if an existing shareholder increases (or decreases) its stake in a regulated entity. Where the entity is a credit institution the prior approval of the European Central Bank is required.

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

  1. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

There is no specific framework under which fintech companies are required to put in place procedures to combat bribery and money laundering. However, Luxembourg has introduced a specific regime of virtual asset service providers (VASPs). Luxembourg has implemented the Financial Action Task Force guidelines for ‘virtual asset service providers’ to register with the Luxembourg Financial Sector Regulator (CSSF) for anti-money laundering (AML) and combating financing terrorism purposes if they provide one or more of the following services on behalf of their clients or for their own account:

  • exchange between virtual assets and fiat currencies, including the exchange between virtual currencies and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets;
  • safekeeping or administration, or both, of virtual assets or instruments enabling control over virtual assets, including custodian wallet services; or
  • participation in and provision of financial services related to an issuer’s offer or sale of virtual assets, or both.

Virtual assets are defined as a digital representation of value, including a virtual currency, that can be digitally traded, or transferred, and can be used for payment or investment purposes and excludes financial instruments (as defined by Directive 2014/65/EU (Markets in Financial instruments Directive II)) and electronic money (as defined by Directive 2015/2366/EU (Payment Services Directive II)).

Therefore, these fintech companies are regulated by the CSSF, fall within the scope of the consolidated Luxembourg AML Law of 2004 and are required to implement the appropriate internal procedures and policies.

Guidance

  1. Is there regulatory or industry anti-financial crime guidance for fintech companies?

Yes, with the VASP regime, the CSSF has published dedicated guidance with the aim of providing professionals with concise answers to the main practical issues they are facing. The CSSF has published guidelines in the form of a white paper aimed at helping interested professionals in the conduct of their due diligence process related to distributed ledger technology and its use in the provision of services in the Luxembourg financial sector. Finally, the Association of Luxembourg Banks and Bankers has developed AML solutions and services for fintech players.

DATA PROTECTION AND CYBERSECURITY

Data protection

  1. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

There are no legal requirements or regulatory guidance relating to personal data specifically aimed at fintech companies. The processing and transfer of personal data relating to fintech products and services are governed by Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR). The GDPR requires that controllers (the natural or legal person that determines the purpose and means of the processing of personal data) may only process personal data where that processing is done in a lawful, fair and transparent manner, as further described in the GDPR. In particular, the processing of personal data must be done pursuant to one of six lawful bases for processing. The GDPR also places a significant burden on business, including, for example, mandatory requirements to notify regulators of data breaches, obligations to keep detailed records on processing and requirements for most entities to appoint a data protection officer.

GDPR rules only apply to information concerning an identified or identifiable natural person and do not apply to data that has been truly anonymized. Recital 26 gives limited guidance to determine whether a natural person is identifiable, requiring data controllers to take into account a number of factors, including the costs and time required to de-anonymization taking into consideration the available technology at the time of the processing and technological developments.

When it comes to international data transfer, the GDPR sets up the rules to ensure that the level of protection of natural persons is not undermined by the fact that personal data are transferred to a third country. These rules aim to ensure that the country to which data is to be transferred provides a reasonable level of data protection.

In summary, a three-step test shall be carried out. First, the transfer shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed. Second, control of the basis of a tool on which the transfer relies shall be performed. Among the tools listed under Chapter V of the GDPR, the transfer may rely on an adequacy decision, issued by the European Commission, deciding that a third country ensures an adequate level of data protection. In the absence of a decision of adequacy, the transfer shall rely on one of the transfer tools listed under article 46 of the GDPR, such as the use of one of the model contracts approved by the European Commission (standard contractual clauses), binding corporate rules, codes of conduct, certification mechanism. Third, following the Court of Justice of the European Union Schrems II judgment (CJEU, 16 July 2020, Case C-311/18), issued in the context of the transfer of personal data to the United States, an additional step shall consist in assessing, on a case-by-case basis, if the legislation of the third country offers an adequate level of protection, taking into account the possible access to the personal data by public authorities. If the level of protection in the third country is not adequate, the adoption of supplementary measures is necessary to bring the level of protection of the data transferred up to the EU standard or essential equivalence. The European Data Protection Board issued recommendations containing concrete examples of supplementary measures.

Finally, a transfer to a third country or an international organization can, in ‘specific situations’ take place on the grounds of the derogations set out in article 49 of the GDPR.

In Luxembourg, the law of 1 August 2018 contains additional provisions, and notably provides for the establishment of the National Commission for Data Protection, the Luxembourg Data Protection Authority, in charge of controlling compliance with the GDPR by businesses.

Cybersecurity

  1. What cybersecurity regulations or standards apply to fintech businesses?

As of 18 October 2024, Directive 2016/1148/EU (Network and Information Systems) (NIS) will be repealed by Directive 2022/2555/EU (NIS2), dated 14 December 2022, which shall be implemented by the member states by 17 October 2024. Entities of the banking and financial sector fall within the scope of application of the NIS2 Directive. However, with regard to financial entities, this Directive shall be read in conjunction with Regulation 2022/2554/EU on digital operational resilience for the financial sector (DORA), which will be applicable as of 17 January 2025, with a direct effect in all member states.

DORA aims to consolidate all provisions addressing digital risk in the financial sector in one single act. The Regulation introduces more stringent requirements on information and communications technology (ICT) risk management and ICT-related incident reporting, including mandatory contractual provisions to be included in the contracts with ICT third-party providers.

Directive 2015/2366/EU (Payment Services Directive II) (PSD2), provides for, among others, rules concerning strict security requirements for electronic payments and the protection of consumer’s financial data, guaranteeing safe authentication and reducing the risk of fraud. Luxembourg implemented the provisions of PSD2 by way of the law of 20 July 2018.

Further, the GDPR includes a few provisions relating to the security of the processing of personal data.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

  1. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

Yes, the Luxembourg Financial Sector Regulator (CSSF) Circular 22/806 on outsourcing arrangements consolidates the supervisory requirements for outsourcing by financial services companies. The CSSF complements the European Banking Authority Guidelines on the topic with detailed requirements applicable in Luxembourg and extends the scope of application to a wider range of financial institutions:

  • credit institutions and their branches;
  • investment firms and their branches;
  • payment institutions and electronic money institutions and their branches; and
  • other professionals in the financial sector and their branches.

This Circular describes internal governance requirements for planning, implementing, monitoring and managing outsourced activities and imposes requirements relating to governance, risk management, conflicts of interest, internal controls, professional secrecy and business continuity.

The Circular also contains detailed requirements on ITC outsourcing the provisions of which also apply to other financial market players, including, for example, investment fund managers.

Cloud computing

  1. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

Yes, CSSF Circular 22/806 specifies the regulatory framework for cloud computing infrastructure supplied by an external service provider. The CSSF considers that cloud computing is a form of outsourcing. The outsourcing to a cloud computing service provider by a regulated entity requires prior notification to the CSSF as well as internal governance and policies. The service contract between the financial institution and cloud computing service provider must, in principle, be subject to the laws of an EU member state and shall provide for the resiliency of cloud computing services. The regulated entity is also required to appoint a cloud officer who is responsible for the use of cloud services.

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

  1. Which intellectual property rights are available to protect software, and how do you obtain those rights?

Computer programs (software) are protected by copyright (article 31 of the law of 18 April 2001 on copyright, related rights and databases). Copyright arises automatically as soon as the computer program is completed, provided that it is original. No further registration is required.

Databases underlying software programs may also be protected by copyright and, in certain circumstances, by database right (sui generis rights).

Software as well as business methods as such are expressly excluded from patentability. Software-implemented solutions may be protected by a patent if they show an ‘additional technical effect’. The European Patent Office provides useful guidance in this respect.

IP developed by employees and contractors

  1. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

As a general principle, any assignment of copyright shall be made in writing (article 12 of the law of 18 April 2001). This requirement applies to intellectual property developed by contractors or consultants. As a consequence, the author of the software owns the rights unless the contract provides for the contrary. The same goes for other intellectual property rights developed by a contractor or consultant.

An exception, however, exists in the case where software is developed by an employee during the course of their employment or pursuant to the employer’s instructions. In this case, in the absence of a contractual agreement stating the contrary, the employer is exclusively entitled to exercise all economic rights on the software (article 32 of the law of 18 April 2001). The same goes for other intellectual property rights such as designs (article 3.29 of the Benelux Convention on intellectual property rights) or patents (article 13 of the law of 20 July 1992 amending the patent’s legal framework).

Joint ownership

  1. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

An agreement is generally required between the joint owners of copyrights regarding their respective rights. In the absence of agreement, the rights must be exercised jointly.

However, unless otherwise provided by contract, each owner whose contribution to the work can be individualized, is entitled to individually exercise their rights, provided that:

  • the exploitation is separate from the other joint owners’ exploitation; and
  • this individual exploitation will not harm the work (article 5 of the law of 18 April 2001).

Trade secrets

  1. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Trade secrets are protected by the law of 26 June 2019 on the protection of undisclosed know-how and business information (implementing Directive 2016/943/EU (Protection of Trade Secrets). This law defines trade secrets as information that:

  • is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
  • has commercial value because it is secret; and
  • has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Trade secrets may be kept confidential during court proceedings relating to the unlawful obtaining, use or disclosure of a trade secret, under the conditions set out in article 14 of the law of 26 June 2019. The protection may be granted ex officio by the judge or at the request of a disputing party.

Branding

  1. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

Brands can be protected by a Benelux trademark (covering Belgium, the Netherlands and Luxembourg) or by EU trademark (covering EU territory). A Benelux trademark shall be registered with the Benelux Office for Intellectual Property (BOIP), and the EU trademark shall be registered with the European Union Intellectual Property Office (EUIPO). Both BOIP and EUIPO hold public databases where it is possible to control the availability of a trademark.

A preliminary search in the Luxembourg Business Register and on the internet is also advised to check the availability of any trade or company name.

Remedies for infringement of IP

  1. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

In the case of infringement, interim measures (such as immediate cessation of the breach and seizure of goods) can be ordered by a court on the basis of the law of 22 May 2009 on the enforcement of intellectual property rights. Damages can also be claimed pursuant to the Benelux Convention for intellectual property.

COMPETITION 

Sector-specific issues

  1. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

General competition law applies to fintech companies (law of 23 October 2011 regarding competition, prohibiting anti-competitive agreements and the abuse of dominance) as well as EU competition rules. On 24 November 2022, the Chamber of Deputies adopted draft law 7479A on competition, which aims to transpose Directive 2019/1/EU (European Competition Network Plus) (ECN+). With the entry into force of the law, the Competition Council, an independent administrative authority, is transformed into a public establishment now called the Competition Authority of the Grand Duchy of Luxembourg, notably to meet the independence requirements imposed by ECN+.

TAX

Incentives

  1. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

Luxembourg did not introduce, as such, specific tax incentives for fintech companies only. This can be explained by the fact that Luxembourg already offers a very favorable tax framework for the development of the financial sector.

Luxembourg benefits from one of the lowest value added tax rates within the European Union (16 percent for 2023) and moderated corporate income tax rate (namely, an overall rate of 24.94 percent including municipal business tax and solidarity surcharge). One of the huge strengths of the country resides in its extended network of double tax treaties which guarantees the absence of situations of double taxation, for instance, on cash repatriation mechanisms.

Luxembourg also offers an attractive environment for intellectual property investments with an 80 percent exemption from corporate tax on income and gains derived from eligible rights. In addition, there is no withholding tax on royalty and assimilated payments made by a Luxembourg capital company.

Luxembourg entities involved more specifically in innovative research and development activities can benefit from financial support in addition to the specific intellectual property regime.

On top of these advantages, formation expenses of start-ups can be subject to depreciation. Certain investments can benefit from a tax credit of up to 13 percent (for investments in tangible depreciable assets).

Finally, Luxembourg is an attractive country for new talents. With the specific tax regime applicable to inpatriates, foreign talents coming to Luxembourg may, subject to certain conditions, benefit from a tax exemption for certain costs borne by their employer and from certain benefits granted by the latter in the context of the relocation of the employee to Luxembourg. It applies during a period of several years.

Increased tax burden

  1. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

To date, the Luxembourg tax framework is not extensive with respect to the regulation of the fintech sector. There are, for instance, no specific tax laws regulating cryptocurrencies or cryptoassets. The only relevant regulation is the administrative circular issued by Luxembourg tax authorities back in 2018, where they stated in summary that cryptocurrencies were not to be considered functional currencies for tax purposes and that the taxpayer should qualify the cryptoasset according to general tax principles and apply the related tax treatment to the income derived from said asset.

However, the fintech sector has significantly evolved since 2018 and more specific guidelines would be welcomed. Regulation is not always synonymous with administrative burden or increase of costs and we believe that such an effort from the legislator could help even further in the development of the fintech sector.

Financial intermediaries of the fintech sector are not, for the time being, concerned by the obligations related to the exchange of information between EU tax authorities. However, with the proposed extension of Council Directive 2011/16/EU(Directive on Administrative Cooperation VIII) (DAC8), it is expected that reporting obligations and subsequent obligations of exchange of information would be imposed on cryptoasset service providers and issuers. The introduction of DAC8 is still at the very beginning of the EU legislative process but there is no doubt that this new set of obligations would go ahead and become a reality for all concerned EU taxpayers.

IMMIGRATION

Sector-specific schemes

  1. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There are no fintech-specific immigration schemes in Luxembourg. The usual regime will apply and will depend on the nationality and residence of the staff that the Luxembourg entity would wish to employ. Visa requirements may be applicable.

UPDATE AND TRENDS IN FINTECH IN LUXEMBOURG

Current developments

  1. Are there any other current developments or emerging trends to note?

Luxembourg has an innovative local fintech start-up scene, which is developing digital tools to help companies and financial institutions.

The adoption of the EU Markets in Crypto-assets Regulation at the EU level on 20 April 2023 is a game-changer for the fintech space. The Regulation proposes harmonization of the requirements across the European Union and authorized service providers are now able to benefit from EU passporting to provide regulated services on a cross-border basis, as we know for many other regulated financial services.

* The information in this chapter was accurate as of July 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

Rate this post

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

NT INTERNATIONAL LAW FIRM