
Oct 14, 2024

Getting Ready for DORA (Part V) – Contract Negotiations After DORA Comes Into Force – Who Will Have the Upper Hand?

Brussels is not sleeping either and regulation in the European Economic Area is constantly increasing. The area of IT security is not spared. More and more new compliance requirements are being added, affecting an increasing number of companies. One example of this is the NIS2 Directive, which must be implemented by October 2024 and further develops the NIS Directive from 2016. In addition, the Cyber Resilience Act (CRA), which aims to protect consumers and companies that buy or use products or software with digital components, is currently in the draft phase. Another comprehensive regulation to strengthen IT security is the Digital Operational Resilience Act (DORA). DORA primarily affects financial companies such as banks, credit institutions, investment firms, payment institutions, management companies and insurance companies, as well as companies that provide them with information and communication technology (ICT) (so-called ICT third-party service providers). From January 17, 2025, these companies will have to comply with the new regulations. DORA is intended to meet the challenges of advancing digitalization and increasing networking in the financial sector. The aim of the regulation is to effectively counter risks such as cyberattacks and business interruptions. Financial companies and third-party ICT service providers are obliged to take far-reaching measures to strengthen their digital resilience and thus ensure greater security and stability in the sector. In practice, it is now common for IT infrastructure or even entire work processes/business processes to be outsourced to specialized service providers. DORA brings with it new challenges in the area of compliance, which also have a concrete impact on the scope for negotiation in contracts between financial companies and third-party ICT service providers. Will the DORA regulation shift the balance of power in favor of financial companies?

DORA and the Management of ICT Third Party Risks

DORA obliges financial companies to manage ICT third-party risk. Financial companies may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. Two basic principles govern the management of ICT third-party risk: first, financial companies remain fully responsible at all times for complying with and fulfilling all obligations under DORA and applicable financial services law; secondly, financial companies must observe the principle of proportionality. On this basis, DORA prescribes mandatory contractual content that must be agreed between financial companies and ICT third-party service providers. Where the ICT services support critical or important functions, this includes the right to continuously monitor the performance of the ICT third-party service provider, encompassing unrestricted access, inspection and audit rights for the financial company, a commissioned third party or the competent authority; the frequency of inspections must be determined on a risk basis. Termination rights must be agreed for the cases provided for in DORA. Detailed service level descriptions are required for ICT services that support critical or important functions. The ICT third-party service provider must also be required to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial company, in line with its regulatory framework. Finally, exit strategies with binding and appropriate transition periods must be agreed.

Little Room for Negotiation

The requirements of DORA leave the contracting parties little leeway: the financial companies simply have to fulfil them. Supervisory law thus exerts a strong influence on the parties' private autonomy. The requirements are extensive and are primarily aimed at enabling financial companies to audit ICT services and to ensure their stability and security. For medium-sized financial companies in particular, this can mean that they are able to assert themselves against ICT third-party service providers with strong negotiating power; such providers will often simply have no choice but to accept the requirements and implement them accordingly. Whether DORA will also have an impact on the largest ICT third-party service providers, such as Google, Amazon and Microsoft, remains to be seen. DORA does, however, oblige ICT third-party service providers designated as critical to cooperate with the supervisory authority and subjects them to special oversight, for which the supervisory authority has been given far-reaching powers. It also remains to be seen to what extent DORA will achieve its stated objectives and whether it will be beneficial for Europe as a business location. It is to be feared that the numerous compliance requirements will place an additional burden on companies and that it will become increasingly difficult for the companies concerned to meet all of them. In addition, the regulation is still new, so there is as yet no extensive literature, established administrative practice or case law to guide practitioners.

FIN LAW

I.  https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London).


Sep 23, 2024

Getting Ready for DORA (Part IV) – Are Agreements on Audit Rights also Mandatory Outside of Outsourcing Agreements?

With the Digital Operational Resilience Act (DORA), the European Union has introduced a groundbreaking regulation that aims to standardize and strengthen digital resilience in the financial sector across the Union. From January 17, 2025, affected companies will have to meet the new requirements. DORA is intended to meet the challenges posed by advancing digitalization and increasing networking in the financial sector, which has been massively driven by the use of information and communication technologies (ICT) in recent years. DORA aims to effectively combat risks such as cyber threats and operational disruptions by requiring financial companies and specialized ICT service providers to implement comprehensive measures to improve their digital resilience. Relevant players include banks, investment firms, payment institutions, crypto-asset service providers and issuers of asset-referenced tokens. These companies must analyze their internal processes and adapt them to the new regulatory requirements, which includes the introduction of contingency plans, robust security measures and regular risk analyses. The implementation of DORA requires significant investment in IT infrastructure and risk management, but at the same time offers the opportunity to strengthen the security and resilience of the financial sector in the long term. Good ICT risk management also involves companies structuring their contracts with ICT third-party service providers in such a way that the risks can be adequately countered. But what consequences does this have for future and existing contracts between financial companies and ICT third-party service providers?

Better Handling of ICT Third-Party Risk Through Minimum Contractual Content

DORA requires financial companies to manage ICT third-party risk as part of their ICT risk management framework. This includes ensuring that financial companies that have entered into contractual arrangements for the use of ICT services in the conduct of their business remain fully responsible at all times for compliance with and fulfillment of all obligations under DORA and applicable financial services law. Financial companies may only conclude contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. To this end, the regulation sets out requirements for the key contractual provisions, i.e. certain minimum contents that must be included in any contractual arrangement with an ICT service provider. To give just one example, there is an obligation to provide a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of ICT services supporting critical or important functions, or essential parts thereof, is permitted. If it is, the conditions that apply to such subcontracting must also be stated. Here DORA once again codifies the importance of a complete and accurate service description, which is essential for IT contracts anyway. In addition to many of the typical requirements for IT contracts, the ICT third-party service provider must, for example, also agree to cooperate fully with the competent authorities and resolution authorities responsible for the financial company.

Extended Scope of Application of DORA and its Impact on Contract Drafting

An important new feature of DORA, which goes beyond the requirements previously set out by BaFin in its circulars, is that its scope of application is broader than that of the previous regulation. While the minimum content required by the previous circulars primarily relates to outsourcing relationships, DORA covers all contracts with ICT third-party service providers. An ICT third-party service provider is an undertaking that provides ICT services. ICT services, in turn, are digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services, which also covers technical support provided by the hardware provider by means of software or firmware updates, but excluding traditional analogue telephone services. An outsourcing relationship therefore does not have to exist in order to trigger DORA's contract design requirements. In principle, DORA applies its requirements for the key contractual provisions to all contracts with ICT third-party service providers. Nevertheless, the principle of proportionality runs throughout DORA, and stricter requirements are placed on contractual arrangements for the use of ICT services supporting critical or important functions. Among other things, the financial company must secure the contractual right to continuously monitor the provision of the services, which also includes unrestricted access, inspection and audit rights for the financial company or a commissioned third party and for the competent authority. If a critical or important function is affected, a corresponding agreement may therefore be necessary. This example shows that once DORA applies, existing contracts will also have to be examined for their compatibility with the new requirements and renegotiated where necessary.


Sep 16, 2024

Market Abuse and Insider Trading in Crypto Assets – Who Will be Affected By the New MiCAR Rules?

30 December 2024 marks a historic moment for the European crypto market. This is when the new EU Regulation on Markets in Crypto-Assets (MiCAR) will become fully legally effective. In addition to the provisions obliging crypto-asset service providers to obtain authorization from BaFin, or from whichever supervisory authority is responsible for them in the individual case, before commencing business, and the provisions already in force with regard to the issuance of e-money tokens and asset-referenced tokens, the provisions on the prevention and prohibition of market abuse and insider trading in the European crypto market provided for in MiCAR will also apply from 30 December 2024. The introduction of rules to prevent possible price manipulation, market abuse or the exploitation of insider information prior to public disclosure represents a very important milestone for the crypto market and makes it even easier for traditional financial players to enter the world of digital assets. But what specific obligations will MiCAR impose on market participants, and who are the new rules aimed at? Which market participants will have to comply with market abuse regulation under MiCAR when trading crypto assets in future?

MiCAR Market Abuse Rules Affect All Market Participants

An effective fight against market abuse requires comprehensive, market-wide and binding rules. The scope of the new MiCAR rules to combat market abuse is therefore comprehensive and covers actions by all persons in connection with crypto assets that are admitted to trading or for which admission to trading has been applied for. The addressees of MiCAR's market abuse regulation are therefore both issuers of crypto assets and crypto-asset service providers, but also investors and even persons who may not be involved in specific transactions relating to crypto assets at all, such as rating agencies, specialist media or influencers with a focus on crypto assets. The text of MiCAR clarifies that the rules apply to all transactions, orders and actions concerning crypto assets that are admitted or to be admitted to trading. In this context, it is irrelevant whether the action in question was actually carried out or omitted on a trading platform for crypto assets. The market abuse rules under MiCAR are therefore relevant for all market participants. For professional market participants such as issuers of crypto assets and crypto-asset service providers, but also and especially for publicly communicating influencers, this means that they must be aware of their obligations, should set them out in writing in the form of carefully drafted codes of conduct and apply them in their business operations.

Obligation to Maintain Effective Arrangements, Systems and Procedures

For all persons who professionally arrange or execute transactions in crypto assets, MiCAR also provides for a specific obligation to have effective arrangements, systems and procedures in place at all times for the prevention and detection of market abuse. This group of persons, referred to as PPAETs (persons professionally arranging or executing transactions), a term borrowed from the EU Market Abuse Regulation, includes in particular crypto-asset service providers that arrange or execute transactions in crypto assets. According to the draft interpretative guidance and technical standards published by ESMA in March 2024 in relation to the MiCAR market abuse provisions, operators of trading platforms for crypto assets should also be considered PPAETs. The aforementioned crypto-asset service providers therefore have an explicit obligation to create and maintain effective arrangements, systems and procedures to prevent and detect market abuse. These measures must, of course, focus on the way in which they conduct their own business. However, in individual cases it may also be necessary for companies to monitor their own employees' private transactions in crypto assets, particularly where those employees have access to inside information.


The lawyer responsible for all questions relating to the regulation of market abuse and insider trading under MiCAR at our law firm is Lutz Auffenberg, LL.M. (London).


Sep 09, 2024

Lost in Translation, Copy and Paste – The Problem with Translated Contracts

Drafting suitable contracts for one's own software products in Germany can be time-consuming and costly. Regardless of whether both the provider and the customer are German companies or only the customer is, the latter will regularly insist on the agreement being governed by German law. Many providers of software products therefore repeatedly resort to supposedly suitable sample contracts from the Internet or translate existing contracts from other jurisdictions into German and subject them to German law. This often leads to extensive contracts, especially from Anglo-American jurisdictions, finding their way into contractual relations that are subject to German law. Caution is required here: just because something is in the contract and sounds advantageous for the provider does not automatically mean that the contract is fully effective. German legal practice with regard to the law on general terms and conditions is stricter than many other legal systems. In addition, problems can arise if the contract incorrectly classifies the underlying legal relationship and inappropriate provisions are made as a result. Such contracts are often largely ineffective and, in the event of a dispute, the statutory provisions must be applied instead, which is usually not in the interests of the parties.

Typical Problem with SaaS, ASP and Cloud Computing

In today's digital economy, business models such as Software-as-a-Service (SaaS) and Application Service Providing (ASP), in which the provider's software applications are made available to the customer via the internet (cloud computing), are particularly widespread. Typically, standardized software is made available to a large number of customers via the Internet. These customers usually pay a "subscription fee" and can use the software for as long as the contractual relationship exists. This offers a number of advantages for providers and customers: the provider can easily scale its software and reduce costs, while customers generally do not need any special hardware or personnel resources to use the software. As already mentioned, the contract's typological classification, i.e. the question of which of the contract types regulated in the special law of obligations of the German Civil Code (BGB) the contract is assigned to, plays a decisive role in assessing the effectiveness of the individual contract clauses. The classification has legal consequences in many respects. For example, it influences the assessment of the content of general terms and conditions. It also determines which provisions apply if the contract is (partially) invalid. Finally, it determines which warranty rights the recipient of the service is entitled to. Even if the contracting parties have not regulated a specific issue, the statutory provisions are used to close the gap. The allocation to one of the contract types in the special law of obligations can be difficult in individual cases. These are often so-called mixed-type contracts, which can be assigned to more than one type of contract depending on the performance obligation concerned. Contracts that are merely translated or copied from different sources often do not take these subtleties into account, which can have disastrous consequences for the users of such contracts.

What Should be Taken Into Account and What are the Limitations in German Law?

The parties generally have an interest in agreeing exclusions of liability and minimizing the liability risk as far as possible. In addition, indemnification clauses and contractual penalties are particularly desirable in the IT sector. As most SaaS or ASP contracts are pre-formulated contractual terms that have not been individually negotiated between the contracting parties, the limits of German law on general terms and conditions must be observed. This law is particularly strict for the aforementioned agreements and exclusions of liability. Furthermore, in the case of a contract with consumers, the statutory provisions on contracts for digital products may also become relevant. In addition, it should be borne in mind that many contracts lack an accurate description of the services owed, i.e. the main performance obligations of the contracting parties, or the description is inadequate. This is particularly disadvantageous, as the main performance obligations, apart from the transparency requirement, are generally not subject to review under the law on general terms and conditions. It is therefore possible to determine here what exactly is owed and what is not. Thus, a clear definition of the main performance obligations can also lead to indirect exclusions and limitations of liability.


Sep 02, 2024

Getting Ready for DORA (Part III) – How Do You Test the Digital Operational Resilience?

With the Digital Operational Resilience Act (DORA), the European Union has introduced a far-reaching regulation that aims to harmonize and strengthen digital resilience in the financial sector across Europe. From 17 January 2025, affected companies must comply with the obligations set out in DORA. The European legislator wants to take account of the ongoing digitalization and increasing networking that has significantly increased the use of information and communication technologies (ICT) in the financial sector. DORA aims to counteract the risks posed by cyber threats and operational disruptions. Financial companies and specialized ICT service providers are obliged to take comprehensive measures to strengthen their digital resilience. The affected players include banks, investment firms, payment institutions, crypto-asset service providers and issuers of asset-referenced tokens. These companies must thoroughly review their internal processes and procedures and adapt them to the new regulatory requirements before the regulation applies. This includes the introduction of robust security precautions, regular risk analyses and the creation of emergency plans in order to be able to react appropriately to cyber-attacks or IT disruptions. The implementation of DORA represents a challenge for many companies, as it may require significant adjustments and investments in IT infrastructure and risk management. At the same time, the regulation offers the opportunity to sustainably improve the resilience and security of the entire financial sector. What tests must information and communication technology be subjected to? What do the affected companies need to be prepared for in the future?

Testing ICT Tools and Systems

The fourth chapter of DORA deals with the requirements for testing digital operational resilience. Taking proportionality into account, a robust and comprehensive digital operational resilience testing program is required in order to assess preparedness for handling ICT-related incidents, identify weaknesses, deficiencies and gaps in digital operational resilience and implement corrective actions promptly. This is an essential part of the ICT risk management framework to be established by the organizations concerned. The tests can vary in type and scope. When making the selection, the size and overall risk profile of the financial company as well as the nature, scale and complexity of its financial services must be weighed up, again taking proportionality into account. Appropriate tests can therefore include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews (where feasible), scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing. In principle, all ICT systems and applications that support critical or important functions must be tested at least once a year. For micro-enterprises, DORA provides for some simplifications in terms of both the frequency of the tests and their implementation, which are strongly shaped by the principle of proportionality.

Advanced Testing of ICT Tools, Systems and Processes Based on TLPT

Even though the tests described above are already very extensive, DORA provides for even more extensive tests for certain companies. This so-called threat-led penetration testing (TLPT) must be carried out at least every three years. TLPT is defined by DORA as a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, and that delivers a controlled, bespoke, intelligence-led (red team) test of the financial company's critical live production systems. The exact details will be specified by the ESAs, in agreement with the ECB and in line with the TIBER-EU framework, in the form of regulatory technical standards. As a rule, TLPT will only be relevant for financial companies supervised by BaFin that have been identified and notified by BaFin in accordance with the requirements of DORA. The criteria for identifying the affected entities are: proportionality; impact-related factors, in particular the extent to which the services provided and activities undertaken by the financial company have an impact on the financial sector; any financial stability concerns, including the systemic nature of the financial company at Union or national level, as appropriate; and the specific ICT risk profile, the ICT maturity of the financial company or relevant technological characteristics. The application of these selection criteria will likewise be specified by the ESAs, in agreement with the ECB, in the form of regulatory technical standards in line with the TIBER-EU framework.


Aug 26, 2024

Getting Ready for DORA (Part II) – Locational Advantage for Germany?

For the German version, please click here: /2024/08/26/getting-ready-for-dora-part-ii-standortvorteil-deutschland/

The European Union has adopted the Digital Operational Resilience Act (DORA) to standardize and strengthen digital resilience in the financial sector. From 17 January 2025, affected companies must comply with this regulation. The reason for this measure is the increasing digitalization and networking that has resulted in the widespread use of information and communication technologies (ICT), including in the financial sector. DORA aims to effectively counter risks from cyber threats and operational disruptions. The regulation obliges financial companies and certain ICT service providers to take comprehensive measures to strengthen their digital resilience. Numerous players in the financial sector are affected, including credit institutions, investment firms, payment institutions, crypto-asset service providers and issuers of asset-referenced tokens. These companies must thoroughly review their internal processes and procedures and adapt them to the new legal requirements. This includes implementing robust security measures, conducting regular risk analyses and developing contingency plans in order to be able to react quickly and effectively in the event of cyber-attacks or IT disruptions. The introduction of DORA represents a challenge for many companies, as it requires significant adjustments and investments in IT infrastructure and risk management. Nevertheless, the regulation also offers opportunities, as it improves the resilience and security of the entire financial sector. What requirements already apply to the companies affected, and could this even result in advantages for these companies in Germany?

Which Requirements Already Apply and How Do They Differ from DORA?

DORA has its sights set on the European and therefore also the German financial sector, with the aim of harmonizing the handling of ICT risks across Europe. Financial companies are to be put in a position to deal with ICT risks appropriately. The German financial supervisory authority BaFin has not been idle in the past: it already keeps an eye on ICT risks and imposes far-reaching requirements on the German financial sector. These apply, for example, to the IT of banks, insurers, capital management companies and payment service providers. To this end, BaFin has issued a series of circulars that set out the IT requirements for the aforementioned financial players. The circulars published under the more or less catchy names BAIT, VAIT, KAIT and ZAIT, to name just a few examples, impose comprehensive requirements on the financial players concerned with regard to the governance and organization of IT, information risk and information security management, and the stability of IT operations. Some of these requirements are also reflected in DORA. Part of the information security management required by the circulars is that management must establish the function of an Information Security Officer (ISO, in German ISB). The ISO is responsible for all information security matters within the institution and vis-à-vis third parties. DORA does not recognize the function of the ISO as such. However, the role and independent position of the ISO resemble the ICT risk control function required by DORA, which is to be responsible for managing and overseeing ICT risk. The different areas of responsibility nevertheless make it clear that DORA places a stronger focus on the monitoring and management of ICT risk than the circulars do.

This is just one example of how BAIT, VAIT, KAIT and ZAIT in many respects already cover the basic requirements for the ICT risk management framework and the key principles for sound management of ICT third-party risk under DORA. A financial company that already meets the requirements of BAIT, VAIT, KAIT or ZAIT will therefore have a good starting position for the implementation of DORA. This could be the locational advantage for such financial companies.

Is There Still a Need for Action?

However, the comparison between the ISO and the ICT risk control function makes it clear that the purposes of DORA differ from, or go beyond, those of the BaFin circulars. DORA is intended to strengthen the digital operational resilience of the financial sector. In order to achieve this goal, DORA goes beyond the requirements of BAIT, VAIT, KAIT and ZAIT in many areas. It is therefore not enough to rest on existing strategies, processes, functions and so on. BaFin is also aware of this and has already announced that it will repeal the BAIT, VAIT, KAIT and ZAIT circulars. For the financial institutions concerned, this means that an adjustment to the requirements of DORA is unavoidable and should be completed before DORA applies on 17 January 2025. BaFin has already published implementation guidance on this topic to facilitate the transition from the circulars to DORA.

            FIN LAW

            I.  https://fin-law.de

            E. info@fin-law.de

            The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London).


              Aug 05, 2024

              Asset Investment Under MiCAR – Is a Securities Prospectus or Crypto Whitepaper Needed for the Public Offering?

Investment products can be offered by companies seeking capital in many different legal forms. In addition to the most common form, transferable securities within the meaning of MiFID2 such as shares and debt instruments, issuers can also issue investment products as units in investment funds or, on the basis of national regulation, as asset investments. With the German Asset Investment Act (VermAnlG), the German legislator originally intended in particular to regulate the so-called grey capital market, on which investment products were offered that did not qualify as securities and were therefore not subject to the prospectus requirements for securities issues. Such products include uncertificated profit participation rights, subordinated loans, profit-participating loans and participations as a silent partner. They generally lack the inherent tradability of securities on the capital markets, which distinguishes them from securities. Nevertheless, the German Asset Investment Act obliges issuers and providers of asset investments in Germany to prepare and publish a sales prospectus, which must be approved by BaFin, prior to the first public offering. For asset investments offered in the form of crypto tokens, BaFin takes the view that the increase in tradability achieved through tokenization means that tokenized asset investments are to be classified for regulatory purposes as securities of their own kind (sui generis securities) and are therefore subject, as regards prospectus obligations, to the EU Prospectus Regulation and the German Securities Prospectus Act rather than the German Asset Investment Act.

              Either Crypto Whitepaper According to MiCAR or Securities Prospectus According to EU Prospectus Regulation?

MiCAR clearly stipulates that tokenized investment products which constitute financial instruments within the meaning of MiFID2 do not fall within the scope of MiCAR. In this respect, the legislator has ensured a clear delimitation between MiFID2 and MiCAR. The first public offering of a tokenized share therefore obliges its issuer to prepare and publish a securities prospectus, to be approved by BaFin, in accordance with the EU Prospectus Regulation and the German Securities Prospectus Act. A crypto whitepaper, by contrast, is not required, because the share as such is already a financial instrument under MiFID2 and therefore cannot also be a crypto asset under MiCAR. This clear either-or logic does not, however, apply to tokenized asset investments under the German Asset Investment Act. Asset investments do not constitute financial instruments within the meaning of MiFID2; they are a purely nationally regulated type of investment product. The MiFID2 financial instruments exemption therefore cannot be applied to asset investments. BaFin's administrative practice of applying the EU Prospectus Regulation to first public offerings of tokenized asset investments does not help either, as securities of their own kind are not included in the MiFID2 catalog of financial instruments.

              Public Offer of Securities of its Own Kind in Accordance with BaFin’s Administrative Practice Requires Securities Prospectus and Crypto Whitepaper

For tokenized asset investments, therefore, both a securities prospectus and a crypto whitepaper must be prepared and published prior to their public offering in the EU. While the securities prospectus must be approved by BaFin and then published, the crypto whitepaper only needs to be published; approval or authorization by BaFin is not required. The crypto whitepaper and the securities prospectus also differ in content and presentation, so issuers and providers of tokenized asset investments will have to take care that the information provided in the two documents is consistent. Issuers of tokenized asset investments will of course check whether an exemption from the prospectus obligation or from the crypto whitepaper obligation applies to their issuance, so that only one document has to be prepared. As a rule, however, both documents will be required. Issuers should therefore check on a case-by-case basis whether their investment product can instead be designed so that it qualifies as a financial instrument under MiFID2. In most cases, only a securities prospectus would then have to be prepared and the obligation to publish a crypto whitepaper would not apply.

              Attorney Lutz Auffenberg, LL.M. (London)

              I.  https://fin-law.de

              E. info@fin-law.de

              The competent lawyer for advice on the legal classification of tokens according to MiCAR in our law firm is Attorney Lutz Auffenberg, LL.M. (London).


                Jul 15, 2024

Getting Ready for DORA (Part I) – High Impact on Small Companies in the Financial Sector?

Under the name Digital Operational Resilience Act (DORA), the EU has issued a new regulation to standardize and strengthen the digital operational resilience of the financial sector across the Union. DORA was adopted in December 2022 and applies from 17 January 2025; the obligated companies must comply with it from that date. The regulation finds its raison d'être in the now widespread use of information and communication technologies (ICT) in the financial sector as a result of increasing digitalization and networking. DORA is intended to counteract the resulting risks of cyber threats and disruptions, and obliges financial companies and certain ICT service providers to take comprehensive measures to that end. The term "financial company" covers almost all traditional players in the financial sector, such as credit institutions, investment firms, payment institutions and financial service providers, but also crypto-asset service providers (CASPs) and issuers of asset-referenced tokens. The companies affected face a range of additional legal requirements: internal processes and procedures must be reviewed and, if necessary, adapted to DORA. As the requirements of DORA are far-reaching, this could represent a considerable burden, especially for smaller companies. Whether DORA provides for exemptions for such companies is therefore of particular importance. So is there any relief for smaller companies?

                Same Rules for All? Application to Smaller Companies

One of the guiding principles of DORA is the principle of proportionality. This means that the individual obligations can affect a financial company differently depending on its size, overall risk profile, and the type, scope and complexity of its services, activities and operations. Basically, the requirements increase in proportion to the risk. Accordingly, DORA distinguishes between micro, small and medium-sized enterprises and all financial companies above these thresholds. A microenterprise exists, with some exceptions such as trading venues, central counterparties or trade repositories, if the company employs fewer than ten people and its annual turnover and/or annual balance sheet total does not exceed EUR 2 million. A small enterprise is a financial company that employs ten or more but fewer than 50 people and whose annual turnover and/or annual balance sheet total exceeds EUR 2 million but does not exceed EUR 10 million. A medium-sized enterprise is one that is not a small enterprise, employs fewer than 250 people and has an annual turnover of up to EUR 50 million and/or an annual balance sheet total of up to EUR 43 million. This classification into one of the size categories alone can result in a number of exemptions and simplifications from the requirements of DORA for the corresponding financial companies.

                Which Specific Exceptions Could Be Considered?

DORA requires financial companies to implement appropriate ICT risk management. This includes a robust, comprehensive and well-documented ICT risk management framework that enables risks to be identified and remediated quickly. At a minimum, such a framework must include the policies, guidelines, procedures, ICT protocols and tools necessary to properly protect all information and ICT assets, including software, hardware and servers. It must also protect all relevant physical components and infrastructure, such as premises, data centers and designated sensitive areas. To manage and monitor ICT risk, financial companies must also establish an independent control function and must review and document the ICT risk management framework at least annually and on an ad hoc basis. Microenterprises are exempt from this: they can dispense with a separate control function, and they only have to review and document the ICT risk management framework periodically and on an ad hoc basis. This is just one of many exceptions that follow from DORA's proportionality principle. Whether a statutory exemption applies should be examined on a case-by-case basis. Even without a specific statutory exemption, the extent of the measures a financial company must take can vary considerably depending on its risk profile. Overall, DORA is an extremely complex set of rules that forces companies in the financial sector to further professionalize their business organization with regard to ICT risks.

                FIN LAW

                I.  https://fin-law.de

                E. info@fin-law.de

                The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London).


                  Jun 17, 2024

                  WIB or BIB – When Must Which Documentation Be Provided?

The issue of financial products is regularly accompanied by an obligation of the issuer or provider to fulfil corresponding documentation and prospectus requirements. This is certainly the case if the financial product is to be offered to the public. As a rule, a sales prospectus and/or an investment information sheet (Vermögensanlagen-Informationsblatt, "VIB") must be prepared for asset investments under the German Asset Investment Act. The same applies to certain forms of investment assets under the German Capital Investment Code. The MiCAR Regulation will in future determine what type of crypto asset whitepaper must be prepared for the various types of crypto assets. In the case of securities, which include many tokenized products as sui generis securities, the interaction of the European Prospectus Regulation (EU) 2017/1129 ("Prospectus Regulation") and the German Securities Prospectus Act ("WpPG") governs the prospectus and documentation obligations of providers and issuers. Here the German legislator has made use of an option in the Prospectus Regulation and stipulated that no securities prospectus needs to be published in Germany for public offers of securities with a total consideration of no more than EUR 8 million in the European Economic Area, calculated over a period of twelve months. Instead, a securities information sheet (Wertpapier-Informationsblatt, "WIB") can be prepared, filed with BaFin and published. But when does this not apply, what obligations do issuers and providers have instead, and can this even have advantages?

                  When Must a BIB Be Published Instead of a WIB?

There is, however, no obligation to publish a WIB if a key information document (Basisinformationsblatt, "BIB", often also "KID") already has to be published for the security in question under Regulation (EU) No 1286/2014 on packaged retail and insurance-based investment products ("PRIIPs Regulation"). The PRIIPs Regulation, for its part, stipulates that a key information document must be prepared and published by manufacturers of packaged retail investment products. The issuer or provider must therefore, at least also, address retail investors with the product in question. Furthermore, the security must be a packaged product within the meaning of the PRIIPs Regulation. It can be difficult to determine in individual cases whether this is so. In principle, however, an investment product is packaged within the meaning of the PRIIPs Regulation if the amount repayable to the investor is subject to fluctuations because it depends on reference values or on the performance of one or more assets that are not purchased directly by the investor. BaFin specifies that the amount repayable is to be understood as covering both the interest and the repayment of the product. In line with the European Securities and Markets Authority ("ESMA"), BaFin also states that the type of reference value matters: making the amount repayable dependent on internal benchmarks or on interest rate indices such as Euribor does not create a packaged product in this sense, whereas dependence on external benchmarks does.

                  What are the Differences Between the Different Information Sheets?

In principle, then, for public offers of securities of up to EUR 8 million a WIB can be prepared, filed with BaFin and published in Germany. The WIB is limited to a maximum of three A4 pages, or four A4 pages for electronic and uncertificated securities. Its publication must be permitted by BaFin, which checks only the completeness of all information, notes and attachments, not their accuracy. By comparison, the BIB, which likewise comprises a maximum of three A4 pages, requires neither filing with nor approval by BaFin. It only needs to be prepared and published on the website of the PRIIP manufacturer, usually the issuer. Where a product is in any case intended to be designed as a PRIIP for which a BIB must be prepared, the time-consuming and costly permission and filing process with BaFin can therefore be avoided if the terms and conditions of the securities are carefully drafted by a lawyer experienced in securities prospectus law.

                  FIN LAW

                  I.  https://fin-law.de

                  E. info@fin-law.de


                    Jun 10, 2024

                    MiCAR vs MiFID II – Which Tokens Are Considered Crypto Assets and Which Are Financial Instruments?

                    With the Markets in Crypto Assets Regulation (MiCAR), the European Union created an independent set of rules for the commercial handling of crypto assets that is directly applicable in all EU member states. The text of the regulation is already very extensive and detailed. Nevertheless, it is necessary in many places to ensure a uniform interpretation by the authorities in the member states. For this reason, the European Securities and Markets Authority (ESMA) is obliged in many provisions of MiCAR to draw up explanatory notes, consult with market participants and publish them. ESMA also has such an obligation in relation to the exemption clause which sets out the alternative relationship between MiCAR and MiFID2. The exemption stipulates that the provisions of MiCAR should not apply to a crypto asset that meets the requirements for a financial instrument within the meaning of MiFID2 regulation. In this respect, it is problematic that the member states developed and applied very different administrative practices in their interpretation of what constitutes a financial instrument under MiFID2 in the period prior to the adoption of MiCAR. The fundamental question of whether MiCAR or MiFID2 regulation should apply to a token in the future therefore requires a uniform interpretation, which is to be made possible by the guidelines to be drawn up by ESMA.

Technology-Neutral Approach and "Substance over Form" Principle for Determining the Relevant Regulatory Regime

ESMA published a draft of these guidelines in January 2024 and gave market participants the opportunity to comment on the draft until the end of April. The final guidelines must be published by ESMA by December 30, 2024, i.e. by the date of full applicability of MiCAR. In its consultation paper, ESMA first clarifies that the classification of a token as a financial instrument must in any case be technology-neutral. The method of tokenization and the technical design are therefore of secondary importance; instead, the characteristics, design and rights attached to the token are decisive. In ESMA's view, this "substance over form" approach, which is also reflected in recital 14 of MiCAR, makes it clear that the legal nature of a token as a MiCAR or MiFID2 product must not be determined on the basis of the product's technical shell. The technical design nevertheless remains legally relevant, because it still matters when assessing whether a product constitutes a crypto asset within the meaning of MiCAR at all. Only then can it be examined, in a second step, whether this crypto asset constitutes a MiFID2 product in terms of its substance.

                    When May Tokens Be Classified as Transferable Securities under MiFID2?

Financial instruments within the meaning of MiFID2 are, in particular, transferable securities. The term primarily covers shares, bonds and other securities, for example those with embedded derivative features. MiFID2 itself sets out three criteria that a product must meet in order to be classified as a transferable security. Firstly, the product must belong to a "class" of securities. This means that the product must be part of an overall issue, which establishes its fungibility and thus also its negotiability on the capital market. The latter is the second prerequisite for a transferable security. Like BaFin in Germany, ESMA understands "capital market" to mean not only traditional stock exchanges and regulated markets, but all trading venues on which corresponding products can be traded. Finally, according to the MiFID2 definition, the product must not be an instrument of payment. If these requirements are met, tokens are, according to ESMA, to be classified as transferable securities and are therefore subject to MiFID2 regulation. The provisions of MiCAR do not apply to such tokens, even though they also meet the definition of a crypto asset under MiCAR.

                    Attorney Lutz Auffenberg, LL.M. (London)

                    I.  https://fin-law.de

                    E. info@fin-law.de

                    The competent lawyer for advice on the legal design and classification of tokens in our law firm is Attorney Lutz Auffenberg, LL.M. (London).


                      Jun 03, 2024

                      Crowdfunding – Which Options Exist?

The phenomenon of crowdfunding has become an indispensable way of raising capital on the financial markets. Crowdfunding enjoys unbroken popularity, particularly in the financing of real estate projects. Put simply, it involves a large group of people contributing money, often in small amounts, to projects or companies via an internet platform. Companies seeking financing are interested not only in the actual fundraising but also in the media attention that individual crowdfunded projects repeatedly attract. In Germany, crowdfunding is regulated at national level in the German Asset Investment Act (VermAnlG). At the European level, it has been regulated by the European Crowdfunding Service Provider Regulation (ECSPR), Regulation (EU) 2020/1503, since 10 November 2021. But when is which regulatory regime applicable, and which products may be distributed, and how?

                      In Principle the ECSPR Takes Precedence Over the VermAnlG

Within the VermAnlG, the German legislator has established the precedence of the ECSPR for offers that do not exceed an equivalent value of EUR 5,000,000, calculated over twelve months. The ECSPR therefore takes precedence whenever products covered by the Regulation are offered via a crowdfunding platform authorized under the ECSPR. These products are, for the most part, financial products that are not classified as asset investments, in particular securities and non-subordinated loans. Subordinated loans, which are popular in Germany, lack the unconditional repayment claim required by the ECSPR and are therefore not suitable products for distribution under the ECSPR. This applies in any case to loans with a qualified subordination. Such subordinated loans therefore continue to fall within the scope of the VermAnlG if they are to be issued by way of crowdfunding in Germany, and they also benefit from the simplifications that the VermAnlG provides for such issues.

                      What Documentation Requirements Must Be Met for the Issuance of a Crowdfunding Product?

In terms of content, the ECSPR obliges the crowdfunding service provider, i.e. the operator of the internet platform through which the issue is carried out, to offer the regulated crowdfunding services only on the basis of an authorization under the ECSPR and subjects it to ongoing supervision by BaFin. In contrast to the national provisions of the VermAnlG, the Regulation therefore imposes the obligations relating to transparency documents not on the issuer or provider but on the operator of the internet platform. As an authorized crowdfunding service provider under the ECSPR, the latter is obliged to check the required documentation for each such offering, the so-called key investment information sheet (KIIS), for completeness, accuracy and clarity, to report any deficiencies to the project owner, who is responsible for preparing the KIIS (a maximum of six A4 pages), and to work towards their correction. By contrast, when issuing a subordinated loan under the VermAnlG, the issuer or provider must prepare an investment information sheet of no more than three A4 pages and file it with BaFin. With the appropriate authorizations, it is possible to offer both crowdfunding under the ECSPR as a crowdfunding service provider and crowdfunding as the operator of an internet service platform within the meaning of the VermAnlG. Crowdfunding issued under the VermAnlG cannot, of course, be offered in other European countries; under certain conditions, however, this possibility exists for crowdfunding issued under the ECSPR.

                      FIN LAW

                      I.  https://fin-law.de

                      E. info@fin-law.de


                        May 27, 2024

                        Reverse Solicitation – Does MiCAR also Apply to Crypto Service Providers from Third Countries?

From December 30, 2024, crypto service providers in Europe will only be allowed to provide crypto services with a MiCAR license. The companies affected must prepare now for the new rules and ensure that they will be able to offer their crypto services on the basis of the authorizations then required and in compliance with all applicable obligations. However, MiCAR will also bring advantages for European crypto service providers. In particular, the European crypto market will no longer be a regulatory patchwork under MiCAR. The standardized supervision of crypto service providers in Europe also makes passporting possible: crypto service providers will be able to use a MiCAR license granted in one member state to provide services in other EU member states without obtaining further authorization there, provided they have gone through a comparatively simple notification procedure with the supervisory authority of the target country. But what is the regulatory situation under MiCAR for crypto service providers from third countries? Will they be able to serve European customers without MiCAR authorization as long as they do not actively solicit such customers?

                        Passive Freedom to Provide Services is to be Severely Restricted under MiCAR

MiCAR expressly allows companies from third countries without a MiCAR license to provide crypto services where the service is used exclusively on the client's own initiative, without any solicitation by the company. However, in its consultation paper published in January 2024, ESMA, which was tasked with specifying this provision, made it clear that the exemption is to be interpreted very restrictively. ESMA emphasizes that so-called reverse solicitation, an exception to the principle of the authorization requirement, is in substance a ban on actively approaching clients, and should allow unlicensed companies from third countries to serve clients from Europe only in individual cases and within very narrow limits, where the business relationship is initiated by the client. ESMA further states that, when interpreting the provision on the passive freedom to provide services, the national competent supervisory authorities should bear in mind that crypto service providers from third countries will attempt to offer crypto services in Europe systematically on the basis of the reverse solicitation exception. In ESMA's opinion, the interpretation of the provision should not open up this possibility.

According to ESMA, Authorized Reverse Solicitation Should Not Be a Free Pass for Unlicensed Crypto Services

In its consultation paper, ESMA therefore restricts the possibility of reverse solicitation under MiCAR further by clarifying that crypto service providers from third countries may provide their services on the basis of the exception only within a very short time window. In particular, even where the service was permissibly provided, they will not be allowed to offer further crypto services to a customer acquired under the passive freedom to provide services. This restriction is expressly provided for in MiCAR's reverse solicitation exception itself. The opportunities for companies from third countries to serve European customers are thus reduced to a minimum under MiCAR. For crypto service providers from non-EU countries, this means that they should either obtain a MiCAR license through an entity established in the EU or create internal processes for handling customers from Europe. The only alternative would be to refuse European customers without exception in order to avoid the risk of providing unauthorized crypto services.

                        Attorney Lutz Auffenberg, LL.M. (London)

                        I.  https://fin-law.de

                        E. info@fin-law.de

                         The competent lawyer for advice on MiCAR exceptions for the passive freedom to provide services for crypto service providers from third countries in our law firm is Attorney Lutz Auffenberg, LL.M. (London).
