AUSTRIA Law and Practice Contributed by: Oliver Völkel and Philipp Ley, CERHA HEMPEL
ensure that the outsourced function meets the same regulatory standards as if it were performed internally.

Outsourcing agreements must explicitly reflect regulatory obligations, which have been outlined in guidelines by the EBA. These guidelines apply to credit institutions and CASPs who must also adhere to its principles. An agreement must contain at least the following:

• a clear description of the outsourced services;
• oversight, control and audit rights;
• the conditions for sub-outsourcing;
• termination clauses; and
• reversibility of the outsourcing.

Outsourcing of regulated services is only permitted to vendors who are authorised themselves. For example, a third party entrusted with the custody of crypto-assets must hold a valid CASP licence. This is not just preferable but mandatory, as regulated (ie, authorised) status is a precondition when outsourcing any regulated services.

2.9 Gatekeeper Liability

The Digital Markets Act (DMA) defines gatekeepers as large digital platforms that control access to core platform services, such as online search engines, social networks, app stores or messaging services. These companies occupy a central position between businesses and end users, giving them the power to set the rules for access and competition.

To prevent unfair practices and ensure a level playing field, the DMA imposes specific obligations and prohibitions on gatekeepers. These include:

• prohibiting self-preferencing (eg, ranking own services higher);
• ensuring interoperability with third-party services; and
• allowing users to uninstall preinstalled apps or change defaults.

Gatekeepers are designated by the European Commission based on quantitative thresholds (eg, annual turnover, number of users) and qualitative criteria. Once designated, they must comply with the rules under the DMA or face significant fines and enforcement actions.

CASPs under MiCA act as gatekeepers and bear regulatory responsibility for activities conducted on their website or through their platform. Among other things, only authorised crypto-asset services are provided. Where services are provided which do not require a licence, these must have been described to the FMA during the licensing procedure. White papers are published for each crypto-asset (if applicable), and anti-market abuse measures are implemented.

2.10 Significant Enforcement Actions

The FMA actively monitors the financial market to identify and pursue instances of unauthorised business activities. In these cases, the FMA is authorised to take enforcement action. These measures may include:

• the issuance of cease and desist orders;
• administrative penalties;
• the publication of warnings to the public; and
• where appropriate, the referral of matters to the competent criminal authorities.

To support these efforts, the FMA maintains a public warning list and encourages the reporting of suspicious or potentially unauthorised financial services.

2.11 Implications of Additional, Non-Financial Services Regulations

Fintech firms, including robo-advisers and crypto-service providers, must not only comply with financial regulation but also with a range of non-financial rules, particularly in the areas of data protection (eg, the General Data Protection Regulation – GDPR), cybersecurity (eg, DORA and the Network and Information Security 2 – NIS2), marketing and software development. These regulations impose strict requirements on data use, IT security, algorithm governance and advertising practices.

Unlike legacy financial institutions, fintechs often face greater compliance challenges because of their reliance on automated processes, development of complex software and digital marketing strategies. While
CHAMBERS.COM