1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

Luxembourg is regarded as one of Europe's pioneering financial centres and as such presents significant opportunities for fintech companies.

Fintech companies are subject to the following main regulations:

  • the regulations and circulars of the Luxembourg competent authority for the financial sector, the Commission de Surveillance du Secteur Financier (CSSF), where their activities fall within the scope of these instruments.
  • CSSF publications include for example:
  • CSSF warning of 14 March 2018 on initial coin offerings (ICOs) and tokens;
  • CSSF warning of 14 March 2018 on virtual currencies; and
  • CSSF Circular 17/654 on IT outsourcing relying on a cloud computing infrastructure;
  • the Law of 5 April 1993 on the Financial Sector, as amended;
  • the Law of 14 August 2000 on Electronic Commerce, as amended;
  • the Law of 10 November 2009 on Payment Services, as amended;
  • the Law of 7 December 2015 on the Insurance Sector;
  • the Law of 3 May 2018 on Markets in Financial Instruments, implementing Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments;
  • the Consumer Code and;
  • the Law of 1 March 2019 on the Circulation of Securities, which extends the scope of the Law of 1 August 2001 on the Circulation of Securities to allow account holders to book and transfer securities through secure electronic recording devices, including distributed electronic registers and databases such as blockchain.

1.2 Do any special regimes apply to specific areas of the fintech space?

No special fintech licence exists in Luxembourg. However, activities performed by fintech companies may be subject to licensing requirements pursuant to the Law on Payment Services, the Law on the Financial Sector or the Law on the Insurance Sector.

Law on the Financial Sector: The CSSF must notify an applicant for authorisation to perform activities regulated under this law of its decision on whether to grant such authorisation within six months of receipt of the application or, if the application was incomplete, within six months of receipt of the information needed to adopt a decision. A decision must in any event be adopted within 12 months of receipt of the application, failing which the absence of a decision shall be deemed to constitute notification of refusal.

Law on Payment Services: The CSSF must notify an applicant for authorisation to perform payment institution or e-money institution activities of its decision on whether to grant such authorisation within three months of receipt of the application or, if the application was incomplete, within three months of receipt of the information needed to adopt a decision. A decision must in any event be adopted within 12 months of receipt of the application, failing which the absence of a decision shall be deemed to constitute notification of refusal.

Law on the Insurance Sector: While there is no specific deadline within which the Luxembourg insurance competent authority – the Commissariat aux Assurances (CAA) – must issue an approval decision, it usually takes three months to review an application to establish a new insurance or reinsurance undertaking in Luxembourg.

In addition, since activities performed by fintech companies may qualify as ‘economic activities', they may be subject to the prior grant of a business licence (known as an ‘autorisation de commerce').

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

Various bodies in Luxembourg are responsible for enforcing laws and regulations and overseeing entities and their activities in the relevant sector.

The most relevant sectors for fintech companies are banking (which includes payment activities) and insurance.

The CSSF is responsible for the prudential supervision of credit institutions, professionals of the financial sector (PFSs) (eg, investment firms, specialised PFSs, support PFSs), as well as payment institutions and e-money institutions.

For the purposes of the Law on the Financial Sector, EU banking and financial regulations such as the Regulation (EU 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms (CRR) and their implementing measures, the CSSF has all necessary supervisory and investigatory powers to exercise its functions, such as the power:

  • to access any document in any form and obtain a copy thereof;
  • to request information from any person and, where necessary, to summon any such person in order to obtain information;
  • to carry out on-site inspections or investigations with regard to persons that are subject to its prudential supervision;
  • to require telephone and data traffic records;
  • to request the cessation of any practice that is contrary to the CRR or the Law on the Financial Sector and their implementing measures;
  • to submit a request for the freezing and/or sequestration of assets to the president of the district court of Luxembourg; and
  • to impose a temporary ban on professional activity on persons that are subject to its prudential supervision, as well as members of the management body, employees and agents thereof.

When authorised entities do not comply with EU or Luxembourg banking and financial regulations, the CSSF may impose administrative penalties and other administrative measures (eg, warning, reprimand, administrative fines, temporary or permanent ban on conducting financial activities, publication of sanctions).

Activities involving insurance and reinsurance are subject to prior authorisation, which must be granted by the minister with responsibility for the insurance sector through the CAA, which is in charge of supervising licensed insurance and reinsurance undertakings.

The CAA has a full range of powers with regard to entities under its supervision, including the power:

  • to issue instructions;
  • to request the provision of all information and documentation deemed useful or necessary for the exercise of its supervision;
  • to carry out on-site inspections at the premises of authorised persons; and
  • to interview natural persons under its supervision, as well as company employees and other associated persons.

The CAA may also impose sanctions and coercive measures where insurance or reinsurance undertakings do not comply with EU and Luxembourg insurance regulations (eg, warning, reprimand, ban on carrying out certain transactions and any other limitation on the conduct of business, temporary suspension of one or more executives, administrative fines, withdrawal of authorisation).

Finally, it is the responsibility of the General Directorate for Small and Medium-Sized Enterprises to grant a business licence on request if all necessary criteria are satisfied.

1.4 What is the regulators' general approach to fintech?

Luxembourg is a leading financial centre, which aims to promote entrepreneurship initiatives and support fintech companies' efforts to grow.

Luxembourg is particularly interested in fintech companies which have a robust business plan and are involved in projects associated with infrastructure.

The CSSF has granted licences to key innovative fintech players such as the following, which has enhanced the visibility of Luxembourg as a fintech hub:

  • Bitstamp has been registered as a payment service institution since 5 May 2015. A European-based cryptocurrency marketplace, Bitstamp is one of the longest-standing bitcoin exchanges and the leading European bitcoin exchange. Having been around since the first generation of exchanges went online, it is now uniquely positioned to serve as a stepping stone between the traditional financial and digital currency worlds. With Bitcoin, Ethereum, Litecoin, Bitcoin Cash and XRP (Ripple) trading now available, along with US dollars and euros, it provides individual and institutional clients with an intuitive, engaging trading platform. Bitstamp has gained the stamp of approval of more than 3 million traders worldwide.
  • SnapSwap was originally registered as payment service institution on 6 October 2015 and has been registered as an e-money institution since 23 August 2016. SnapSwap provides services including customer onboarding, know-your-customer solutions and digital payment services. SnapSwap is the first and only regulated e-money institution in Europe that can issue payment instruments denominated in euros and other fiat currencies to distributed ledgers in full compliance with EU payment services regulations. An important advantage is legal compliance with current and upcoming European regulations on payment services, investment, data protection and electronic signatures. SnapSwap's unique position as a licenced financial institution allows it to design, analyse and verify the whole process and obtain approval from European competent authority (the CSSF) under an e-money licence that is passported to 28 EU member states.
  • PingPong has been registered as a payment service institution since 3 August 2017. PingPong specialises in cross-border payments for Chinese e-commerce sellers; it is the first Chinese fintech company to establish its European offices in Luxembourg. PingPong aims to connect Luxembourg and China and to facilitate e-commerce activities between China and Europe.

The Luxembourg competent authority is approachable and responsive, but will also require a robust business plan. It is both business oriented and protective of the reputation of the Luxembourg market – an attitude which is particularly relevant in the fintech sector.

1.5 Are there any trade associations for the fintech sector?

Several trade associations play a major role in Luxembourg's financial industry and support fintech companies and their development in Luxembourg.

Luxembourg for Finance (LFF): This association was jointly created in 2008 by the state and key private players in the financial sector. Its goal is to promote the development of the financial sector, including by enhancing the visibility and communication of developments in the sector both in Luxembourg and abroad.

Luxembourg Financial Industry Federation (PROFIL): This was established by the professional associations that are active in Luxembourg's financial sector and focuses on promoting Luxembourg's image as a financial centre.

Luxembourg Bankers' Association (ABBL): This association represents most of Luxembourg's bank and financial sector professionals, and aims to represent their interests.

Luxembourg House of Financial Technology (LHoFT): This is Luxembourg's dedicated fintech centre, where finance and technology interact to promote innovation and develop solutions to shape the future of financial services. Offering fintech incubation, co-working facilities and a soft landing platform, it also connects, engages with and creates value for the broader ecosystem: financial institutions, the IT industry, investors, research and academia, as well as regulatory and public authorities.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

  • Payments (SnapSwap International, Emergent Payments, Luxhub);
  • Trusted cloud services (Luxtrust);
  • Crypto assets and crowdfunding (Blockpulse);
  • Blockchain (Tokeny solutions, Peer Mountain);
  • Mobile payments (Satispay, Payconiq International SA);
  • Insurtech (AssurBox, BIT Valley, Earthlab Luxembourg);
  • Regtech (Finologee, Fundsquare, Governance.com); and
  • Roboadvice (Fair Invest Trading, HighWave Capital).

2.2 What products and services are offered?

  • Digital services aggregation platforms, which allow regulated entities to outsource their customer onboarding process to a fully compliant platform;
  • Multi-channel messaging gateways, which power one-time password/token issuing processes, and optimisation of bill payment and recovery via smart messaging strategies;
  • International platforms connecting transfer agents, payment systems and investors using distributed ledger technology and smart contracts (ie, blockchain-based platforms for fund distribution); and
  • Platforms aimed at standardising communications between insurance back offices and insurance partners.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Close attention is being paid to these new technologies across Europe and Luxembourg is no exception. On 14 February 2019 a new law was passed which aims to provide clarification on the proper use of distributed ledger technology by enhancing transparency and legal certainty for all financial market participants, as well as to allow for the transfer of securities using blockchain technology.

As yet there is no Luxembourg legislation on cryptocurrencies. However, the CSSF has issued guidelines in this regard, as follows:

  • A CSSF press release on virtual currencies, published on 14 February 2014, defines ‘virtual currencies' and clarifies the authorisation requirements when carrying out activities in the financial sector); and
  • A CSSF warning on virtual currencies, published on 14 March 2018, highlights the risks associated with virtual currencies, sets out its recommendations for investors in acquiring virtual currencies, provides information for entities under its prudential supervision that use virtual currencies or provide services relating to virtual currencies, and includes warnings issued by the European supervisory authorities (i.e. European Banking Authority (EBA) and European Securities and Markets Authority (ESMA)).

Thus, cryptocurrencies as yet have no specific legal status under Luxembourg law. However, the CSSF and the government have both shown great interest in interacting with companies that have crypto-asset linked businesses to discuss their activities and help them to communicate effectively their legal concerns and potential opportunities.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Crowdfunding is not specifically regulated under Luxembourg law. The applicable regulatory regime will depend on the platform's characteristics. Among other things, this includes how it is structured; if the platform collects the money before distributing it to borrowers, a licence may be required.

Peer-to-peer lending between individuals is not specifically regulated. The role of the platform will then need to be assessed to understand what it actually does. If it is essentially a credit broker which is not linked to a specific credit institution, no particular regulatory requirements apply, other than the potential need to obtain a business licence.

(b) Online lending and other forms of alternative finance

(Online) lending: In Luxembourg, (online) lending is subject to the following licensing requirements:

  • A banking licence (Article 2 of the Law on the Financial Sector) is required by credit institutions which grant loans for their own account to the public; or
  • A specialised PFS licence (Article 28-4 of the Law on the Financial Sector) is required by entities that perform lending operations (eg, engaging in the business of granting loans to the public for their own account). Unlike credit institutions, which can also receive deposits and other repayable funds from the public, such entities must refinance themselves exclusively through other means (shareholders, intra-group loans).

Alternative finance: As credit activities evolve outside traditional banking circles (shadow banking), the competent authorities are required to monitor such activities – notably, where they involve a maturity transformation risk or where the entity uses leverage.

If the applicability of Article 28-4 of the Law on the Financial Sector cannot be excluded, an entity that is considering granting loans is invited to submit to the CSSF a detailed description of the activities envisaged, so that the CSSF can determine whether such activities are subject to authorisation (CSSF Q&A on the statuses of "PFS"- Part II, Page 29) .

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb)

The provision of payment services (ie, the execution of payment transactions, the issue and/or acquisition of payment instruments, money remittance) requires the prior authorisation of the CSSF in accordance with the Law on Payment Services.

Since 2015, the CSSF has dealt with a great number of requests from companies wondering whether their business is subject to the existing regulations – in particular, in relation to payment institutions and e-money institutions.

Bitcoin exchange and transfer platforms have recently been established in Luxembourg; and major regtech players, which are using new technologies in regulations and financial reporting, have also shown particular interest in establishing themselves in Luxembourg.

On 19 April 2016 the minister of finance authorised Bitstamp Europe SA, a platform that allows clients to exchange Bitcoins, euros and US dollars. If the issue of virtual currencies as such is not subject to authorisation, the services provided by intermediaries – that is, the receipt of funds from a buyer of Bitcoin in order to transfer them on to the seller – is covered by the authorisation as payment institution. This authorisation echoed the opinion of the CSSF, which in 2014 became the first competent authority of the financial sector to advocate the regulation of platforms for the exchange of virtual currencies when conducting activities in the financial sector (2016 CSSF Annual report, page 41).

(f) Investment and asset management

The following laws and regulations apply to collective investment schemes:

  • the Law of 15 June 2004 on Investment Companies in Risk Capital, as amended;
  • the Law of 13 February 2007 on Specialised Investment Funds, as amended;
  • the Law of 17 December 2010 on Undertakings for Collective Investment, as amended;
  • EU Regulation 648/2012 of the European Parliament and of the Council of 4 July 2012 on over-the-counter derivatives, central counterparties and trade repositories;
  • the Law of 12 July 2013 on Alternative Investment Fund Managers, as amended;
  • EU Regulation 2015/2365 of the European Parliament and of the Council of 25 November 2015 on transparency of securities financing transactions and of reuse; and
  • the Law of 23 July 2016 on Reserved Alternative Investment Funds.

(h) Roboadvice

Digital financial advisory services are treated in exactly the same manner as traditional financial advisory services. Due to the specific nature of roboadvice, the relevant licence needed depends on the types of transactions performed, the type and structure of the platform, the contractual arrangements, the services provided and the operating model. In general, the following roboadvisers must obtain authorisation:

  • investment advisers that resemble traditional, non-automated financial advisers, which limit themselves to advisory services and do not assist with the implementation of the advice they provide;
  • brokers in financial instruments, which play the role of an intermediary by either helping to bring parties together with a view to concluding a transaction or passing on clients' purchase or sale orders without holding their investments;
  • commission agents, where roboadvisers execute orders on behalf of clients and in relation to one or more financial instruments; and
  • private portfolio managers, where roboadvisers use technology to manage portfolios as per clients' mandates on a discretionary client-by-client basis.

(i) Insurtech

Insurtech companies are supervised by the insurance competent authority, the Commissariat aux Assurances (CAA). Insurance and reinsurance-related activities may be subject to licensing requirements and are generally regulated by the Law on the Insurance Sector, as amended, and the applicable CAA regulations.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

Fintech companies must comply with the following legislation when they process personal data:

  • EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); and
  • the Law of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR.

Processing of payment service users' personal data by payment service providers is subject to the GDPR requirements. Amongst others requirements, this processing must be based on at least one of the legal grounds as provided by the GDPR (i.e. payment service users' consent, performance of a contract, compliance with a legal obligation to which the payment service providers is subject…).

The first piece of EU-wide legislation on cybersecurity, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive), has been recently implemented in Luxembourg by the law of 28 May 2019 implementing the NIS Directive.

Today, boards of directors are expected to be increasingly aware of cybersecurity issues and actively involved in such matters.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

With regard to money-laundering rules in relation to fintech companies, as well as tokens and cryptocurrencies in particular, intense efforts are being made towards the adoption of an efficient regime. The Fifth Anti-money Laundering Directive provides the relevant legal tools to combat any form of financial crime. The directive has extended the regulatory regime to providers that are actively engaged in relevant exchange services between fiat and virtual currencies, as well as all types of custodian wallet providers. This directive is currently being in the process of implementation in Luxembourg. Draft Bill n°7467 implementing certain provisions of the Fifth Anti-money Laundering Directive has been filed with the Luxembourg Parliament on 8 August 2019 and we are still waiting for advices to be issued by the different bodies ( Council of State, Chamber of Commerce….).

Other types of financial crime include corporate fraud, bribery and corruption. These activities are regulated by the Modified Law on Commercial Companies and the Luxembourg Criminal Code.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

No, there is no fintech-specific competition legislation.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Innovation in the fintech space may be protected by IP rights in Luxembourg.

For instance, a company whose products will be sold, promoted and registered within the European Union can register its trademark with the EU Intellectual Property Office.

A software program can also be registered with the iDEPOT, which is operated by the Benelux Office for Intellectual Property (BOIP). This procedure is a reliable way of ratifying that an idea has been tangibly performed at a specific date, before any IP rights are acquired. The fintech company submits to BOIP the source code for the program, which will be kept in the iDEPOT for a period of five to 10 years. However, registration in the iDEPOT in no circumstances constitutes an IP right; its use is solely administrative.

The Law of 20 July 1992 on Patents, as amended, does not protect software programs as such.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Luxembourg was one of the first European countries to introduce a form of electronic ID (eID), which is issued by the state to Luxembourg nationals only. However, non-nationals may make use of other forms of e-signing techniques (eg, smartcards, tokens).

Luxembourg has also incorporated distributed ledger technology into its legal system, allowing for securities to be transferred on platforms using such technology.

Other examples of the country's dedication to promoting innovation include:

  • the multiple publicly backed incubators and accelerators that are present in the country;
  • the diverse public grants that are available to fintech companies for research and development; and
  • the fintech programmes and support offered by the University of Luxembourg.

The CSSF has also incentivised innovation – for example, by allowing financial service providers, under certain conditions, to verify or identify clients through the use of video identification. The CSSF uses this process in order to execute and support the completion of clients' identification, and thus satisfy all necessary identification obligations pursuant to the Law of 12 November 2004 on the Fight against Money Laundering and Terrorist Financing, as amended.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Luxembourg's labour law governs all employee-employer relationships, regardless of whether employees are residents, EU nationals or third-country nationals. Employment agreements can be for a fixed term or an indefinite period. In comparison with other EU countries, labour law in Luxembourg offers a fair amount of protection to employees and salaries are relatively high. Fintech companies that are willing to move to or set up their business in Luxembourg should take this into account – even in the preliminary phase of the set-up or move, although the competent authority is often inclined to allow some flexibility with regard to the residence of employees during this preliminary phase.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Several government-backed initiatives, such as the LHoFT, aim to support the creation of a talent pool to meet the Grand Duchy's future needs for financial services, particularly in the fields of technology and innovation. Fintech companies can benefit from these initiatives upon request.

The University of Luxembourg also offers several fintech-related modules and specific programmes for students and researchers with expertise linked to the fintech industry.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Luxembourg's economy continues to boom and the same trend is expected to characterise the fintech sector. It is anticipated that an increasing number of fintech companies will set up shop in the country, thanks to its favourable financial system. Many e-payment and e-commerce giants – such as Amazon, Rakuten and PayPal, as well as EU-licensed crypto platform Bitstamp – have already gained a foothold in the Luxembourg market; others with similar business models are soon expected to follow suit. In addition, Luxembourg's cloud-friendly regulatory framework and density of Tier 4 data centres – the highest in Europe – further attest to its efforts to attract more fintech companies.

The prevailing trends and predictions may be summarised as follows:

  • More token offerings – in particular, security token offerings – are expected.
  • The evolution of crypto-funds will present new economic and business opportunities that complement well-established fund activity.
  • New platforms dealing with tokens and tokenisation will be established.
  • Players are generally becoming more mature and specialised.

Circulation of securities: The Law of 1 March 2019 on the Circulation of Securities extends the scope of the Law of 1 August 2001 on the Circulation of Securities to allow account holders to book and transfer securities through secure electronic recording devices, including distributed electronic registers and databases such as blockchain.

CSSF initiatives: The CSSF has established and chairs a working group that brings together market participants with the aim of assessing the need to regulate certain activities.

A sub-working group was created to analyse the potential risks and challenges of blockchain technology and distributed ledger technology (DLT), and publish them in a white paper which will have no binding force on supervised entities. This white paper will also aim to highlight the elements to be taken into account in the due diligence process by fintech companies that intend to use these technologies, regardless of application. The white paper will therefore focus not on the use made of the technology from the point of view of services, but only on the generic technical aspects of these platforms, which are often poorly controlled by fintech companies.

Finally, now that DLT has been recognised in the legal framework, it is expected that further local legislative initiatives will follow, which should hopefully clarify the uncertainty that still surrounds issues of tokenisation.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

Luxembourg has a well-established and well-recognised fintech industry, with a favourable licensing framework and a very approachable competent authority, as well as reputable fintech players. However, the legal and regulatory framework is complex to navigate, necessitating the involvement of specialists. Attention should also be paid to the substance requirement for employees and the associated costs. Finally, it is paramount to obtain legal and regulatory clearance before starting to operate in the fintech industry in Luxembourg.

Co-authored by Sandy Brumberg, Professional Support Lawyer

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.