Answer ... (a) Crowdfunding, peer-to-peer lending
Crowdfunding can be structured in different ways and is subject to different regulation depending on its form. Usually, fintechs choose a structure which has reduced regulatory requirements, as their activity is limited to the brokering of loans, which are technically capital investments under German regulatory law. One fintech obtained a licence as a financial institution, but returned the licence to work on a less regulated basis.
Several crowdfunding and peer-to-peer lending platforms cooperate with fully licensed fronting banks which issue the loan and thereafter sell portions of the loan to investors.
Loans made via crowdfunding platforms may be subject to prospectus and publication requirements under the Capital Investment Act, to be fulfilled by the respective borrower.
These requirements are reduced if the capital investments of the same issuer:
do not exceed €6 million;
are brokered via an online platform as investment broker or investment adviser and
each investor can invest only:
€10,000 if the investor holds bank deposit and financial instruments of at least €100,000; or
twice of their average net income, to a maximum of €25,000.
Additional exemptions can reduce the burdens of the Capital Investment Act.
(b) Online lending and other forms of alternative finance
Online lending to both consumers and businesses may be considered as a banking business that is subject to authorisation, particularly as credit business on the part of the lender and as deposit business on the part of the borrower. Banking business is subject to authorisation pursuant to the Banking Act if it is conducted commercially or on a scale which requires commercially organised business operations.
Depending on the structure of the alternative finance an authorisation may be required pursuant to the Banking Act, the Payment Services Supervision Act, the Capital Investment Act or the Industrial Ordinance.
(c) Payment services (including marketplaces that route payments from customers to suppliers (e. g., Uber and AirBnb)
In Germany, payment services are regulated by the Payment Services Supervision Act, which implemented the Second Payment Services Directive into German law. Anybody that wants to provide payment services requires authorisation from the Federal Financial Supervisory Authority.
Payment services include:
operation of a payment account;
the issue of payment instruments;
acquiring payment transactions;
payment initiation services; and
account information services.
Marketplaces that route payments from customers to suppliers usually provide payment services requiring authorisation. However, there are different ways to avoid this requirement (eg, making use of exemptions under the Payment Services Supervision Act or cooperation with a licensed payment service provider) if such exemption fits the business model of the marketplace.
Foreign exchange trade is a financial instrument pursuant to the Banking Act. It is thus subject to approval by the Federal Financial Supervisory Authority (BaFin). The requirement to obtain a licence pursuant to the Banking Act is accompanied by numerous obligations under supervisory law, including liquidity requirements.
If a forex broker based in another member state of the European Economic Area (EEA) holds a licence from the competent authority, a separate licence from BaFin is not required. The same exemptions can apply with regard to forex brokers in a non-EEA state by way of a statutory order of the Federal Ministry of Finance. It may be issued if reciprocity is assured and if:
the undertakings are supervised in the country of domicile in the areas covered by the exemption in accordance with internationally recognised principles;
branches of corresponding undertakings domiciled in Germany are afforded comparable exemptions in that state; and
the competent authorities of the country of domicile are willing to cooperate satisfactorily with BaFin and this is guaranteed by means of an international agreement.
Anyone wishing to provide financial services in Germany on a commercial basis or on a scale that requires a commercially oriented business operation requires written authorisation from the Federal Financial Supervisory Authority pursuant to the Banking Act. Exceptions apply to entities domiciled in another EEA member state. As crypto assets are financial instruments, authorisation from BaFin is required for the operation of a crypto exchange. Crypto exchanges through which tokens can be purchased, sold or exchanged may require a licence from BaFin because, depending on the structure of the crypto exchange, proprietary trading, the operation of a multilateral trading system, investment brokering or deposit business and, in some cases, a crypto depository service may be conducted. The operator of a crypto exchange may also be subject to anti-money laundering obligations if financial services are provided.
(f) Investment and asset management
There are two types of investment funds: undertakings for collective investment in transferable securities (UCITs) and alternative investment funds (AIFs). UCITs are investment funds that meet the requirements of Directive 2009/65/EC. Any investment fund that is not a UCIT is an AIF. There are also several types of management companies: German UCITs management companies, AIF management companies and German asset management companies that manage both types of investment funds.
If a company wishes to manage an investment fund as German asset management company with its registered office and head office in Germany, it needs written authorisation from, or must register with, BaFin.
Registration with BaFin is sufficient for German AIF management companies if:
they exclusively manage special AIFs and the managed assets do not exceed the value of €100 million with the use of leverage or €500 million without the use of leverage, where in the latter case, investors cannot exercise redemption rights within five years of the first investment;
they manage closed-ended retail AIFs in Germany whose units are held by not more than five natural persons and whose assets do not exceed the sum of €5 million with leverage; or
they manage directly or indirectly closed-ended AIFs issued in Germany, including retail AIFs, and their assets do not exceed the sum of €100 million with leverage.
(g) Risk management
Depending on their structure, companies may have to ensure that they have in place an adequate and effective risk management system that includes outsourced activities and processes. This goes hand in hand with, and is part of, proper business organisation. If facts are doubtful or unusual, based on experience and knowledge of the methods of money laundering and terrorist financing, the company must investigate them in light of the ongoing business relationship and individual transactions.
What constitutes ‘proper business organisation’ depends on the nature, scope, complexity and risk level of the company’s business activities. The company must take measures proportional to its business risk, which are appropriate to the nature and circumstances of the respective activities.
Special attention must be paid to counterparty default risks and market price risks, as well as to operational risks and related risk concentrations.
Proper business organisation includes, in particular:
appropriate measures of corporate management, control mechanisms and procedures, which ensure that the company meets its obligations;
the maintenance and updating of a loss database and complete documentation of the business activity, which ensures that BaFin can fully monitor its activities;
appropriate emergency measures for IT systems; and
data processing systems that ensure compliance with the requirements of the Anti-money Laundering Act.
The outsourcing of risk management (eg, to fintechs) is permissible only to a limited extent. For example, the management tasks of the executive management of a bank or financial services institution may not be outsourced, as the responsibility of the executive management cannot be delegated under the Minimum Requirements for Risk Management (MaRisk). MaRisk does not apply directly to payment service providers; however, according to BaFin, it provides indications of the requirements that are to be met in the course of proper business organisation. It is possible to outsource the risk control function, the compliance function or internal auditing if proper business organisation is ensured.
Complete outsourcing of the compliance function and internal auditing is possible only for small institutions, where the establishment of their own compliance function and internal auditing does not appear appropriate due to their size and the nature, scope, complexity and risk content of their business activities. Safeguard measures with regard to the prevention of money laundering or terrorist financing may be outsourced to third parties, but BaFin may require that they be transferred back to the institution if necessary. With regard to insurance companies, it is possible to outsource certain parts of the risk management system or the internal control system. AIF capital management companies may outsource risk management to companies that are authorised or registered for the purpose of asset management or financial portfolio management and are subject to supervision. Alternatively, BaFin can also approve the outsourcing. In addition, the general requirements for outsourcing must be observed. Please see questions 2.6 and 3.4.
Depending on the type and scope of the financial services offered, providers of automated distribution of financial instruments (roboadvice) can be financial service providers subject to the supervision of BaFin or financial investment brokers which are supervised by the Chamber of Commerce and Industry. The regulatory assessment depends greatly on how the platform is designed and on the contractual arrangements with users. Roboadvice can be provided in numerous ways, including in the form of regulated financial services such as investment advice, investment or contract brokerage or financial portfolio management. Therefore, roboadvice usually requires a licence under banking or industrial law. Providing roboadvice without obtaining prior authorisation pursuant to the Banking Act or the Industrial Ordinance (as applicable) is prohibited. The information that is provided through roboadvice might constitute investment advice if the result generated by the roboadviser has the character of a personal recommendation. Portfolio management, however, includes the management of the portfolio on an ongoing basis.
German law does not define the term ‘insurtech’. However, the term is generally used to refer to all new technology-based companies focusing on insurance. There are many different business models of insurtech companies. Common areas in which insurtechs operate are distribution and contract management. If insurtech companies assume the role of insurance intermediaries, they fall within the scope of the Industrial Ordinance.
In this case, the risk inherent in an insurance contract is assumed not by the insurtech, but by an insurance company, which must have a licence from BaFin under the Insurance Supervision Act to operate the insurance business. Insurance intermediaries may obtain a licence from their local chamber of industry and commerce. In the course of its ongoing supervision, BaFin does not distinguish between traditional insurance companies and insurtechs. If insurtechs domiciled in Germany conduct insurance business, they are subject to insurance supervision and therefore require authorisation from the competent German supervisory authority. The competent German supervisory authority is usually BaFin. However, authorisations may be granted only to public limited companies, mutual societies, public corporate bodies and institutions under public law. Different authorisation requirements apply depending on the pursued line of business.