The digitisation of the financial markets is currently accompanied by exciting and rapid developments in the industry. Austria is following this trend and is establishing itself as a regional driver for innovation in the financial sector.

Financial technologies, or fintechs, are quickly changing the finance and banking sectors, with the result that sometimes even entire markets are being moved to the internet. Fintechs make it possible to trade, invest or borrow money without ever having to deal with a traditional bank.

In general, the diversity of fintech start-ups is increasingly on the upswing in Austria. From innovations in card payments, smart payment options to quick and easy granting of small loans, the number of people and companies with new ideas for the financial industry is constantly increasing. 

According to a previous study of the Austrian central bank (OeNB) there are more than 100 companies that qualify as fintechs according to their business models. Most Austrian fintechs are start-ups and SMEs. Three quarters of them are located in Vienna. 

The COVID-19 pandemic led to an exceptional situation with profound consequences for Austrian society and its economy. However, while investors have held back on funding in financial start-ups, Austrian fintechs have generally been able to assert their position in the market. This is due to increased co-operation between incumbents and fintechs as third-party providers. In addition, some established banks have developed innovative products, mostly in co-operation with fintech companies. 

The Austrian Financial Market Authority (FMA) has been dealing with the subject of fintech in Austria for some time, in particular with the questions of what a fintech is and what challenges it faces. 

Fintechs are financial innovations based on information technology that:

• often, but not necessarily, is developed by unlicensed companies;
• typically includes interfaces to licensed companies; and 
• can bring about lasting changes in the way the financial sector functions.

From a new payment app to automated consulting systems, the term is broad and encompasses a variety of different models that affect numerous supervisory areas.

In Austria, fintech companies operate in all various subsectors, such as alternative lending platforms, automated banking advice tools, insurtechs, digital payment operators, crowd investing platforms, online prepaid payment providers, robo-advice and alternative platforms for investment strategies, traders for crypto-assets, and technical service providers for fintechs. 

The Austrian fintech industry is most active in providing interfaces and technical support for financial service providers, followed by the business areas of crowdfunding and crowd investing, virtual currencies and alternative payment methods, automated advisory methods such as robo-advisers and, finally yet importantly, mirror trading. "Virtual currency" and – associated with this – blockchain software are becoming increasingly important. However, the payment sector remains the most important fintech sector.

Due to the fact that there are no fintech-specific laws in Austria, fintech companies may be subject to various regulatory licensing requirements depending on the particular business model:

• the Banking Act (BWG) – for example, if a business involves activities such as accepting third-party funds for management or granting loans;
• the Payment Services Act 2018 (ZaDiG 2018) – for example, when money is transferred to third parties, an account information or payment initiation service is involved;
• the Electronic Money Act 2010 (E-GeldG 2010) – if the company issues electronic money;
• the Securities Supervision Act 2018 (WAG 2018) – if the company provides investment advice or portfolio management, receives or transmits orders or operates a multilateral trading facility (MTF);
• the Act on Alternative Investment Fund Managers (AIFMG 2020) – if the start-up collects investors’ capital to invest in certain assets, including virtual currencies, based on a pre-defined investment strategy;
• the Insurance Supervision Act 2016 (VAG 2016) – if the company offers insurance contracts; and
• the Financial Markets Anti-Money Laundering Act (FM-GwG 2016) regarding certain virtual asset service providers.

In addition, public offers of securities or investments might trigger a prospectus requirement pursuant to Regulation (EU) 2017/1129 (the "Prospectus Regulation") or the Capital Markets Act 2019 (KMG 2019). 

This is especially important in the crypto sector. Here, initial coin offerings or initial token offerings can trigger a prospectus requirement. This, however, depends on the features of the coin or token and requires careful examination of the case at hand. 

Special compensation models to charge customers do not exist under Austrian law. One possibility is to charge fees for the services provided.

Currently, there are no regulations that are specifically tailored to the fintech industry. As a result, the fintech sector often applies laws and standards that were tailored to the non-digitised old economy.

However, there are efforts by the legislator to change this. In this context it is worth mentioning the Crowdfunding Enforcement Act, which entered into force at the beginning of 2022 and serves to make the EU Crowdfunding Regulation applicable with a Union-wide harmonised legal framework for the provision of crowdfunding services.

Based on the amendment of the Financial Market Authority Act (FMaG 2016), the FMA opened a regulatory sandbox programme for fintech models in September 2020. It aims to pave the way into supervision for young fintechs or their co-operation with incumbents regarding fintech business models.

The process can be divided into four phases. 

The first phase clarifies whether the business model to be examined by the FMA is subject to its supervision. It considers whether a threat to financial market stability or consumer protection is to be expected, or whether a licensing obligation exists.

The next phase is the pre-support phase. Here, the FMA works closely with the sandbox participants and offers legal support in the context of a possible licensing procedure.

This is followed by the third phase, the "test phase". In this phase, the company is allowed to carry out activities requiring a licence under the supervision of the FMA.

After the test phase, the business model is evaluated and released from the sandbox and transferred to regular supervision. If the requirements are met, a decision is made to lift the restrictions in the licence/registration notice.

As explained in 2.2 Regulatory Regime, a large number of regulatory provisions apply to fintechs. The regulatory conditions are defined especially: (i) by the requirements of the European legislator, and (ii) by the national legislator, whereby European law generally takes precedence over national law. In practice, an exact demarcation is only possible to a very limited extent, since both areas of regulation interlock and have a large number of interrelationships.

As a rule, transactions are not only offered by one provider, so that all steps require a separate examination of whether and which regulatory provisions apply. As different providers, all actors handling a transaction come into consideration. An examination must be carried out from the point of view of whether purely technical services or services subject to a licence are provided.

Thus, all actors have to comply with general Austrian provisions, such as the protection of banking secrecy. In Austria, a violation of banking secrecy has significant civil and criminal law implications. The provision of payment services, for example, may lead to the applicability of the Payment Services Act 2018 (ZaDiG 2018). Due to the considerable legal consequences of a violation of regulatory provisions, these must be taken into account when drafting the contract.

With the large number of applicable regulations, there are provisions that apply in any case and thus cannot be circumvented by outsourcing. However, as far as possible, regulated areas should be passed onto regulated market participants, as the capacities of a fintech are not sufficient for this.

Providers of financial services must comply with the provisions on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing. Both participants in the financial market, such as credit institutions, and other traders are subject to certain obligations. The necessity of complying with such obligations is first and foremost the provision of regulated activities. All relevant provisions, as set out in 2.2 Regulatory Regime, contain a reference to the provisions on the prevention of money laundering and terrorist financing. In addition to the regulatory provisions, the Industrial Code can also be the basis for the necessity of compliance with these legal framework conditions. As well as direct applicability, there may also be indirect applicability of the provisions, provided that services are provided to regulated market participants.

There are no specific enforcement actions tailored to fintechs in Austrian legislation. Nevertheless, the FMA has addressed the issue from the point of view of which regulatory environment is applicable. It remains unclear whether the general provisions will also cover the area of "fintech" in the future or whether this intensified discussion of the topic will lead to a more specific regulatory approach to fintechs.

Privacy

From a data protection point of view, fintechs, just like any other company, must comply with the applicable provisions, in particular the EU General Data Protection Regulation (GDPR) as well as the Austrian Data Protection Act. The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form a part of a filing system. Therefore, a data protection declaration is required that regulates the processing and use of customers' data. In addition to the data protection declaration, precautions must also be taken for the exercise of the rights of the data subjects, in particular the right to rectification, the right to erasure ("right to be forgotten") and the right to restriction of processing.

Cybersecurity

Cybersecurity is a decisive aspect for fintechs due to the nature of the activity as well as the usually large amount of data processed. In this area, it can be assumed that the fintech has a large number of obligations to ensure a sufficiently high level of protection for customers. The importance of this aspect is also reflected in the fact that a separate sub-area has now been established, specialising in cybersecurity solutions for fintechs. Parallel to the growth of the fintech market, this area has also grown steadily.

Social Media Content

The presence of fintechs on social media channels entails the need to observe the legal framework in this area. In this area, competition law, copyright and data protection framework conditions are particularly relevant.

Software Development

In software development, for fintechs as well as other companies, legal framework conditions must be observed from the outset, which are necessary for successful development and later probation in the application. The software development can initially be done by the company itself, but also by way of a contract with a third party. In development, copyrights of third parties must be observed, in which no intervention may be made, otherwise the further development and market launch may fail as a result. Once the development has been completed and the software is offered to the individual customers, warranty and compensation claims can be asserted if the software is defective.

All these aspects, as well as regulatory framework conditions, should be considered at an early stage in order to avoid later negative effects in the ordinary business operations.

The expertise of auditing firms is an important factor in the establishment of fintechs. Auditing firms accompany the companies economically under the given legal framework conditions. From a legal point of view, the entrepreneur has the obligation to run the company with the care of a prudent businessman. In order to comply with this standard, the entrepreneur must make a sufficiently detailed plan with regard to the entrepreneurial activity. This plan must consist of short-, medium- and long-term objectives. The liquidity of the company, the planned income and the asset situation of the company must be presented. The presentation should not be limited to a mere representation of numbers, but should provide a comprehensive description from which these numbers can be derived. The auditing firms support the preparation of the business plan with an analysis of the strengths and weaknesses of the business case including an assessment of the market. As a result, the company is continuously accompanied and, if necessary, supported in the individual aspects mentioned.

Further, the market is increasingly showing that companies specialising in fintechs and their foundation and management are also establishing themselves. Here, too, the constant growth of the fintech market has led to the emergence of advice that is increasingly specialised in sub-areas.

It can be seen that primarily regulated entities are expanding their business area with the involvement of fintechs. In addition, new fintechs are coming onto the market that have a focus on the banking business. A third category combines different business models, regulated as well as unregulated. In this way, the banking business can be linked to a wide variety of other business models. Various business cases are combined, whereby in addition to well-known business models, emerging areas such as e-sports are also included. However, in the case of start-ups, it is clear that the regulatory requirements are one of the biggest hurdles.

Fintechs have to comply with AML requirements if they provide activities that require a licence and are therefore subject to the FMA’s supervision. This applies to credit and insurance institutions, securities companies, alternative investment funds, payment service providers and e-money institutes. In addition, the AML requirements are also applicable for service providers of certain business models based on virtual currency.

Different asset classes initially require different business models, but the advice itself increases in quality with the most comprehensive data processing possible.

Legacy players are able to develop their own robo-advisers and implement them in their business model; this also enables them to operate their business independently of external factors. So far, however, this approach does not seem to have caught on. Strategic partnerships in this area will therefore remain important for the time being.

The best execution of customer trades will ultimately depend on the programmes being integrated into the business model in the best possible way in order to make the best possible use of the advantage of this technology on the basis of a proven system.

However, the principle of best execution as a benchmark for possible liability must be observed when using robo-advisers. Due to a lack of sufficient empirical values, it is no known to what extent this standard of liability can be applied directly or requires appropriate modifications. However, there is no justification as to why the standard of liability should be lower. Due to the amount of data that can potentially be processed, it is likely that new standards will be set in this area.

There are differences between lending to private individuals and companies. There are structural differences in the financing itself as well as different economic and legal framework conditions. For example, if an entrepreneur grants a loan to a costumer, the Austrian Consumer Loan Act applies. The Consumer Credit Act provides for comprehensive information obligations on the part of the lender to protect the borrower, and grants the borrower various rights, such as the right to early repayment of the loan.

Industry participants use underwriting processes to conduct research on customers and their creditworthiness as well as insurability. There are no special regulations for this area, but due to automated data processing (sensitive data), data protection barriers, in particular the rights of those affected, must be observed.

The most common sources of funds for loans are classic lines of credit, peer-to-peer, taking deposits and lender raised capital. In Austria, the central source of law is the Banking Act (BWG).

Syndications of loans only occur in rare cases.

Payment processors can use existing payment rails or may they create or implement new ones.

Cross-border payments and remittances are primarily regulated by the Payment Service Act 2018 (ZaDiG 2018).

Fund administrators are regulated by the Alternative Investment Fund Manager Act (Alternative Investmentfonds Manager-Gesetz – AIFMG) depending on the specific activity.

Fund advisers can contractually adjust the provisions that apply under the specific legislation for fund administrators and general civil law to the extent permitted by law in order to achieve a higher level of protection, although the specific results can vary greatly in individual cases.

The permissible forms are derived from the legal environment, whereby basically any type of fintech is available. The legal environment of trading platforms is largely defined by the Banking Act (BWG) and Securities Supervision Act 2018 (WAG 2018). The relevant legal regulations are therefore dependent on the specific service offered. Regulatory provisions come into consideration. Irrespective of this, general provisions under civil law, public law and criminal law must always be taken into account.

Different regulatory framework conditions only exist in so far as the regulatory requirements applicable to all are applied in different forms.

So far, cryptocurrencies have not yet led to a significant change in regulation. To date, an attempt has been made to integrate this new technology into the existing legal framework.

Cryptocurrencies are not subject to the control of the FMA. However, this supervisory authority can become relevant if individual services fall within a regulated area.

The Securities Supervision Act 2018 (WAG 2018) is particularly relevant in connection with order handling. The forwarding of orders to banks, brokers or issuers falls within the scope of the acceptance and transmission of orders under the WAG 2018.

The emergence of peer-to-peer trading platforms is changing market conditions for both traditional and fintech players. However, peer-to-peer trading platforms also have to observe all regulatory framework conditions, if applicable.

According to the FMA, the Securities Supervision Act (WAG 2018) is applicable at least in some areas. The authority assumes that investment advice in accordance with WAG 2018 is applicable for investment strategies tailored to the customer with entry and exit scenarios. The principle of "best execution" also applies to WAG 2018. In particular, claims for damages by the customer can be derived from this principle in the event of a violation.

The business model "payment for order flow" is currently under investigation by the European legislator. It is assumed that conflicts of interest may arise. It is currently being checked whether there is compliance with the existing legal framework specified by the European legislator. There is no regulation tailored to this area yet.

The basic principles of market integrity and market abuse are essentially derived from the regulatory environment and any civil law claims, in particular claims for damages.

Within the scope of the Banking Act (BWG), it is irrelevant whether trading is based on an algorithm or not. In principle, the use of a trading algorithm does not require a licence. However, the bank or broker must have a licence. Depending on the specific structure of the service relationship, other provisions of the Securities Supervision Act (WAG 2018) may also be applicable.

When functioning in a principal capacity, the players have to observe the provisions of the Stock Exchange Act (BörseG) and the Transparency Ordinance 2018 (Transparenz-Verordnung 2018).

Funds and dealers have a different structure and are therefore covered by regulatory provisions to varying degrees.

Programmers are not regulated, apart from general restrictions (civil law, public law and criminal law). The prerequisite for this, however, is that the algorithms are only used by the users themselves.

Financial research platforms are not subject to restrictions.

The spreading of rumours and other unverified information is not regulated. Such information can only be relevant in relation to a possible claim for damages, if the action is culpable; criminal law provisions can also be relevant if damage is intended by the actor.

Such behaviour can, as mentioned under 9.2 Regulation of Unverified Information, only be relevant in relation to a possible claim for damages, if the action is culpable; criminal law provisions can also be relevant if damage is intended by the actor.

The acquisition of information is also crucial in the insurtech area. The possibilities for collecting information and evaluating it vary. The approaches differ from well-established systems that are based on personal contacts to systems that use technical data collected in a variety of ways (eg, smartphones, sensors). Aspects of data protection law must always be observed in all areas in which automated data is collected and evaluated.

In the area of insurtech, the Austrian trade regulations must be observed in addition to other regulations. For example, Section 137 of the Austrian Trade Act deals with brokering insurance. Insurance mediation is defined, among other things, as offering, proposing or carrying out preparatory work for the conclusion of insurance contracts or the conclusion of insurance contracts.

Compared to the more established categories of fintechs, regtech still receives comparatively little attention from a regulatory perspective. However, due to the close proximity in terms of content, it can be assumed that the general regulatory provisions are decisive.

In the absence of explicit regulatory provisions, it is possible in this area to contractually write down stricter standards in individual cases in addition to the general standards that must be met to ensure performance and accuracy.

While the implementation of blockchain is always discussed and thought about, as far as can be seen there is still a certain scepticism from the traditional players. In addition to the traditional players, start-ups coming onto the market are still trying to combine proven structures with this new technology. However, it can be assumed that at least most of the traditional players will quickly adapt their concepts once the individual technologies are ready for the market; an ongoing partial implementation is already underway.

The approach of the national legislator and the FMA is essentially based on the question of how to deal with coins such as Bitcoin, Ethereum and Litecoin. This approach is primarily at the regulatory level, whereby there is an attempt to clarify the applicability of existing regulatory provisions on the basis of a missing general definition of the term “coin”.

The current approach and status, as stated under 12.2 Local Regulators' Approach to Blockchain, means that other types of blockchain assets still receive little attention. In practice, there are considerations and efforts to make a classification based on the general provisions, whereby in various areas – already with respect to the transfer of ownership – different questions arise that cannot really be satisfactorily solved with the existing legal framework.

According to the interpretation of the FMA, blockchain assets, such as coins, are not subject to their supervision. However, regulatory provisions may still be applicable depending on the specific activity being performed.

Platforms that trade blockchain assets are required to take a large number of legal provisions into account due to the previously vague legal classification of this activity. A precise definition of the activity performed is of central importance in order to identify and comply with any interactions with legal provisions from a wide range of legal areas. Platforms that trade blockchain assets such as cryptocurrencies and at the same time process payments can fall within the scope of the Payment Services Act 2018 (ZaDiG 2018).

In the case of investments based on capital collected from a number of investors with a corresponding investment strategy, there is the possibility that a licence is required under the Alternative Investment Fund Manager Act. A prospectus requirement according to the Prospectus Regulation is possible, the prerequisite being that it is a public offer.

As shown in 12.2 Local Regulators' Approach to Blockchain, virtual currencies are the area that has received the most attention so far, and in which the financial market supervisory authority has dealt with the subject in detail.

There is no definition of “decentralised finance” in Austrian regulation.

Non-fungible tokens (NFTs) are not regulated in detail. However, practice has shown that there is a fundamental need for regulation, since questions such as the pledging of NFTs have arisen that cannot be clearly resolved.

The Second Payment Services Directive (PSD2) sets the requirements for payment service providers. In the current version, this Directive also affects open banking by granting access to payment systems and accounts. Access is provided to third-party services to access account information or initiate transactions on their behalf.

Open banking in accordance with the regulatory requirements always requires the consent of the customer with regard to the transfer of data. In order to meet the legal requirements in this area, the general data protection regulations as well as specific regulatory provisions, such as banking secrecy, must be taken into account. The data protection declarations,  the declarations of release from banking secrecy – and, if necessary, a justification for breaching banking secrecy for other reasons – must be precisely adapted in individual cases and, if necessary, sufficiently justified.