In this chapter, we use “blockchain” as a generic term for all distributed ledger technology-based solutions. Likewise, we use the generic term “crypto” for all cryptocurrencies, tokens, etc. that are based on some sort of cryptography in relation to a blockchain.
Blockchain and distributed ledger technology
Dutch legislation is technology-neutral as a matter of principle. That being said, the Dutch government and the Dutch financial regulators – the Dutch Central Bank and the Authority for the Financial Markets (“DNB” and the “AFM”, respectively) – have, in general, a positive attitude towards blockchain technology. The Dutch government has budgeted EUR 2.8 million for further research into blockchain technology in which it is also actively involved. Research into the practical application of blockchain technology is also a central part of the Digitalisation Strategy adopted by the Dutch Government in June 2018.
It follows from the Strategy that the Dutch Government wishes to encourage experiments in this area and for this purpose it has founded (together with others) the Dutch Blockchain Coalition. In 2019, this Coalition received the assignment to do further research into a regulatory governance framework for blockchain and smart governance for smart contracts.
Furthermore, the Dutch government is exploring whether current legal frameworks are sufficiently flexible to allow companies to make use of the opportunities provided by blockchain technology and whether it enables sufficient mitigation of relevant risks and issues. The Dutch government is exploring the following five use cases: (i) registration of ships (the register is managed by the government); (ii) automating administrative and compliance processes in relation to public grants for social use; (iii) use of smart contracts by private parties; (iv) tracking waste transport on the basis of the European Waste Shipment Regulation; and (v) the recording and sharing of sensitive personal data by the government within the framework of the Social Support Act (Wet maatschappelijke ondersteuning 2015).
In addition, and specifically in relation to the financial sector, DNB and the AFM took the initiative to support market parties with their innovations, by setting up an InnovationHub and a Regulatory Sandbox (see the section titled ‘Promotion and testing’ below). According to DNB and the AFM, they regularly receive questions from market parties related to blockchain technology, which they are happy to answer. Furthermore, together with the Ministry of Finance, DNB is looking into whether blockchain solutions can increase efficiency in payments and securities transactions.
Cryptos and Initial Coin Offerings
The focus of the Dutch government and the financial regulators with regard to cryptos and Initial Coin Offerings (“ICOs”) is two-pronged. On the one hand, they are eager to mitigate risks associated with cryptos and ICOs, including the use of cryptos for criminal purposes, such as fraud and money laundering, and the lack of proper protection afforded to consumers who want to invest in cryptos.
An example of this stance is a report published by DNB and the AFM in December 2018, in which the financial regulators pleaded for the introduction of a licensing regime for providers offering crypto-to-fiat exchange services and custodian wallet providers, much like that which exists for financial undertakings (see the section titled ‘Money transmission laws and anti-money laundering requirements’ below).
On the other hand, the Dutch government and financial regulators acknowledge the potential of specific functionalities of cryptos. As an example, they have indicated potential in cryptos for the funding of small and medium-sized enterprises (“SMEs”), on the condition that investors receive clear and enforceable rights in return, as is the case with, e.g., shares and bonds. To this end, DNB and the AFM have recommended an amendment of the European regulatory framework to enable blockchain-based development of SME funding, and to reconcile the national and the European regulatory definitions of security (see the sections titled ‘Crypto regulation’ and ‘Sales regulation’ below).
Crypto is not considered to be money or fiat by the Dutch government or financial regulators. To reach that conclusion, DNB has applied the common economic theory of the uses of money, meaning that money should be a unit of account, a store of value and a medium of exchange. DNB has stated multiple times that cryptos fulfil these requirements poorly, due to their high volatility and their relative lack of adoption.
Regarding financial regulation, the Dutch financial regulatory framework is laid down in the Dutch Financial Markets Supervision Act (“FMSA”). The FMSA is, in principle, built upon the Dutch national regulatory framework, but has, over the years, been significantly influenced by European legislation.
The FMSA regulates activities and services pertaining to financial products. Whether cryptos or activities or services in relation to cryptos fall within the scope of financial regulation therefore depends on whether cryptos fall within the definition of a financial product. The most relevant financial products in the context of defining cryptos are crypto investment objects, electronic money and financial instruments such as shares and bonds.
No specific law, regulation or guidance exists that designates cryptos by definition as any of these products. However, cryptos might still fall within the scope of these definitions based on their specific traits and characteristics. For example, cryptos that are pegged to a fiat currency (stable coins) and that are accepted as a means of payment by persons other than the issuer might well fall within the scope of electronic money. Similarly, cryptos qualify as securities and (therefore) as financial instruments under Dutch law if they are transferable (i.e. negotiable on the financial markets) and represent either (i) a share or equivalent right or instrument, (ii) a bond or other debt instrument, or (iii) any other instrument that can be converted into a share, bond or equivalent or that can be settled in cash (discussed further in the section titled ‘Sales regulation’ below).
Furthermore, certain financial products that use crypto as the underlying value – such as shares in crypto investment funds and derivative products – fall within the definition of a financial product. This is due to the fact that shares in investment funds and derivative products are by themselves considered financial instruments, regardless of the type of asset used as underlying value. Any person wishing to offer these types of products is required to obtain prior authorisation from the AFM (see also the section titled ‘Sales regulation’ below).
Finally, it is possible for activities and services related to cryptos to be offered in tandem with other activities and services that do fall within the scope of financial supervision. The AFM has provided an example of a crypto services provider that enables its retail clients to exchange their crypto to fiat, which is subsequently held by that provider in the name of the clients, resulting in the provider performing the regulated activity of attracting redeemable funds from the public.
As such, for the time being, cryptos and activities and services relating to cryptos, other than described above, fall outside the scope of financial regulation. However, at the time of writing, the Dutch government has published its legislative proposal to implement the amendment of the Fourth Anti-Money Laundering Directive (commonly referred to as the Fifth Anti-Money Laundering Directive, the “AMLD5”). Although the provisions of the AMLD5 are in principle exclusively aimed at mitigating risks pertaining to money laundering and terrorist financing (discussed in further detail in the section titled ‘Money transmission laws and anti-money laundering requirements’ below), the AMLD5 does include some provisions that are clearly meant to subject crypto services providers to some form of general financial regulation. For example, policy-makers for these providers will need to be assessed for suitability and integrity. They are deemed suitable if they possess sufficient relevant knowledge and skills to be able to adequately perform their duties as a policy-maker for a crypto services provider. This includes an assessment of the adequacy of the composition of the managing body as a whole, focusing inter alia on the division of tasks and the specific role of the relevant policy-maker. Furthermore, in assessing suitability of a policy-maker, consideration is given to the function, nature, size and the risk profile of the relevant crypto services provider.
Furthermore, the Dutch legislative proposal includes additional provisions, which require these providers to have in place sound and prudent business operations. In the explanatory notes to the legislative proposal, the Dutch legislature has indicated that these requirements are similar to the requirements of sound and prudent business operation stipulated by the FMSA for financial undertakings.
Finally, holders of 10% or more of the issued capital (or a comparable financial interest or a comparable controlling interest) in a crypto services provider will need to be assessed for suitability and integrity by DNB.
Therefore, and despite the fact that cryptos and crypto services providers do not fall within the scope of the Dutch financial regulatory framework, the era in which cryptos could be considered ‘unregulated’ is definitely over and it should only be a matter of time before more extensive legislation – pertaining to, for example, consumer protection – is developed.
The sale of cryptos as such is not regulated in the Netherlands. However, an entity issuing or selling cryptos in the Netherlands may fall within the scope of the Dutch financial regulatory framework depending on the characteristics of the crypto that is offered (e.g. in case the crypto qualifies as a security or investment object), and the manner in which the cryptos are offered (e.g. indirectly through an investment fund, or directly through payment in fiat currency).
The regulatory qualification of cryptos is therefore of great importance, as the consequences of both compliance with regulations (e.g. governance & transparency requirements) and non-compliance (fines and prosecution) can have a significant impact. Cryptos are assessed based on their characteristics – regulators look at the actual characteristics, not the name given to them by the issuer. If a crypto qualifies as a security, its issuer, the involved brokers, and the exchanges where it has been listed, will generally have to comply with financial markets regulations. Like the qualification of the crypto, the impact of these regulations and the applicability of possible exemptions depend on the specific characteristics of the crypto.
In previous years, issuers of cryptos tended to avoid all types of regulations – with varying degrees of success. We now see the market is starting to embrace the advantages of clarity and certainty that come with regulation (e.g. the rise of security token offerings), including making use of legal exceptions and exemptions. In our opinion, this marks the next phase for cryptos in becoming mature market instruments.
Issuers of security cryptos
As a general rule, offering cryptos that qualify as securities (e.g. bonds and shares) to the public is not allowed in the Netherlands without prior publication of a prospectus that has been approved by the AFM. However, several exemptions from the obligation to issue a prospectus exist, depending on the type of investment (e.g. whether the total consideration of the offer exceeds EUR 5 million or if the denomination per unit exceeds EUR 100,000) and the type of investor (e.g. whether the offer is made to consumers or qualified investors). Most of these exemptions stem from European legislation and can be utilised in multiple jurisdictions in the EU.
Service providers and exchanges
As security cryptos fall within the definition of financial instrument, parties rendering financial services in relation to security cryptos (e.g. executing orders on behalf of clients or receiving and transmitting orders) qualify as investment firms and must comply with specific ongoing regulations, including those related to governance (e.g. the suitability and integrity assessment for prospective board members), market conduct rules (e.g. best execution, know-your-customer requirements, informing consumers about the risk of the products and a sound and proper business operation) and prudential rules (e.g. minimum capital requirements).
For the same reasons, crypto exchanges that allow listings of security cryptos on their platform that target the European market will also be subject to regulation. The regulatory burden as a result of accepting security cryptos is often the reason that exchanges exclude such cryptos in their listing requirements.
Selling cryptos as investment objects
Cryptos may also qualify as investment objects, the selling of which is a regulated service requiring a licence from the AFM. The entity selling the crypto would need to comply with ongoing regulations on governance (e.g. fitness of board of directors and supervisory board) and market conduct rules (e.g. information requirements and a sound and proper business operation).
Selling cryptos through fund structures
If cryptos are offered through a fund structure, the manager of this fund requires a licence from the AFM as an alternative investment fund manager (“AIFM”). For small funds (with assets under management below EUR 100 million or, if no leverage is used and the fund is closed-end for a period of at least five years, with assets under management below EUR 500 million) which are offered only to professional investors, there is an exemption to the licence requirement and to certain ongoing requirements applicable to AIFMs.
The Dutch Secretary of State of the Ministry of Finance has indicated that it is unlikely that earnings from mining or trading cryptocurrencies by individual tax residents in the Netherlands not acting in a business or professional capacity will be qualified – for taxing purposes – as (taxable) income. This is, of course, different in cases where a natural person receives salary in the form of cryptocurrencies. In such cases, the cryptocurrencies’ value in euro at the moment of payout is taxable as income.
Consequently, cryptocurrencies held by an individual tax resident in the Netherlands will generally be taxed under the regime for savings and investments (inkomen uit sparen en beleggen). Irrespective of the actual income and capital gains realised, the annual taxable benefit of all the assets and liabilities of such an individual that are taxed under this regime, including cryptocurrencies, is set at a percentage of the positive balance of the fair market value of these assets, including cryptocurrencies, and the fair market value of these liabilities. The percentage (2019), which is subject to an annual indexation, increases from approximately 1.9% to a maximum of 5.6%. No taxation occurs if this positive balance does not exceed a threshold of EUR 30,360 (heffingvrij vermogen). The fair market value of assets, including the cryptocurrencies, and liabilities that are taxed under this regime is measured exclusively on 1 January of every calendar year. The tax rate under the regime for savings and investments is a flat rate of 30%.
A corporate entity tax resident in the Netherlands is generally subject to corporate income tax at the statutory rate of 25% (20% up to EUR 200,000) with respect to any benefits, including any capital gains realised on the disposal thereof, derived or deemed to be derived from dealings involving cryptocurrencies, including mining and trading.
The business of money transmission is regulated as ‘money remittance services’ under the FMSA. Providing money remittance services requires a licence from DNB (based on the European payment services directive; PSD2).
A money remittance service is defined as a service where funds are received from a payer, without any payment accounts being created in the name of the payer or the payee, for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee, and/or where such funds are received on behalf of and made available to the payee. It is relevant to note that for the purpose of this definition, ‘funds’ are defined as banknotes and coins, scriptural money or electronic money. By definition, cryptos are not banknotes and coins and, as indicated under the section titled ‘Crypto regulation’ above, crypto is not considered to be (scriptural) money. Finally, only in specific cases are cryptos considered to be electronic money. As a result, money remittance laws are only applicable to a very limited number of crypto use cases.
As mentioned under the section titled ‘Crypto regulation’ above, the Dutch government has published its legislative proposal to implement the AMLD5. The provisions of the AMLD5 are aimed at mitigating risks pertaining to money laundering and terrorist financing. For this purpose, providers offering crypto-to-fiat exchange services and custodian wallet providers will be required to be registered at DNB. In order to be registered at DNB, these crypto services providers will need to demonstrate that they are able to comply with the provisions of the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financiering van terrorisme). This means that these providers will need to apply risk-based client due diligence measures.
Client due diligence measures consist of (i) identifying the customer and verifying that identity on the basis of documents, data or information obtained from a reliable and independent source, (ii) identifying the ultimate beneficial owner of the customer, if any, (iii) assessing the business relationship with the customer and obtaining information on the purpose and intended nature of that relationship, and (iv) conducting ongoing monitoring of the business relationship, including scrutinising transactions undertaken throughout the course of the relationship.
Crypto services providers will need to apply these client due diligence measures when (a) establishing a business relationship, (b) there is an indication of involvement of the client with money laundering or terrorist financing activities regardless of any derogation, exemption or threshold, (c) there are doubts about the veracity or adequacy of previously obtained customer identification data, (d) there is reason to do so based on the risk of involvement of a current client with money laundering or terrorist financing, (e) the client has its residence, principal place of business or statutory seat in a country that represents a higher risk of money laundering or terrorist financing, or (f) carrying out an occasional transaction above EUR 15,000. If, in the future, crypto transfers come to be qualified as a transfer of funds (meaning (i) a credit transfer, direct debit, money remittance or a transfer carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or post-paid device with similar characteristics, that is (ii) carried out through a payment services provider), the threshold amount under (f) will be reduced to EUR 1,000.
Note that a business relationship is assumed to be present fairly quickly. As such, a business relationship between a services provider and a client is considered to exist not only where a provider provides continuous services to a client, but also where a client engages the services provider for a second time. This includes situations in which a services provider, upon first engagement, has reasons to presume the client will make use of its services again and even those situations in which the services provider is unable to ensure that the client will not use its services for a second time. If the services provider is unable to ascertain whether a client engaging the services provider is, in fact, a new client, the services provider will have to assume it is a returning client – thus creating a business relationship and obligating the services provider to perform client due diligence measures. Crypto services providers should have in place procedures to assess and demonstrate whether a service provided to a client is incidental or whether it constitutes a business relationship.
The client due diligence measures will have to be applied to an extent that is adequate in relation to the services provider’s exposure to money laundering or terrorist financing risks considering the type of client, business relationship, product or specific transaction. Factors to be considered when determining this exposure are factors and types of evidence stipulated by the AMLD5 or identified by Member States or other relevant bodies – the FATF and the G20, for example. The exposure assessment should furthermore take into account the results of a self-assessment of the crypto services provider, which focuses on, inter alia, the specific services provided, the distribution channels and the transaction size. Crypto services providers are required to have measures and policies in place to ensure that the exposure identified in this way is sufficiently mitigated and controlled.
In all cases, the transaction monitoring process, as part of the client due diligence measures, has to enable the crypto services provider to identify and report suspicious transactions of the client to the Dutch Financial Intelligence Unit. A suspicious transaction is any transaction that differs from the client’s regular use and profile. This means that the services provider will need to apply know-your-customer measures to such an extent as to be able to create a profile of the relevant client. For this purpose, the services provider can make use of, for example, the amount of funds usually used by the client in a single transaction or the devices usually used by the client (e.g. a mobile phone).
If, following any of the above assessments, a crypto services provider concludes that it is not able to sufficiently mitigate and control the associated money laundering and terrorist financing risks, the relevant transaction may not be executed or the business relationship may not be established or, as the case may be, the existing business relationship will have to be terminated. Risks that cannot be sufficiently mitigated and controlled may exist where, for example, the identity of the client is not verifiable, where the source of funds and source of wealth of the client cannot be ascertained, or where the services provider is unable to discover the reasons for an intended or performed transaction.
As mentioned, the provisions discussed here apply to providers offering crypto-to-fiat exchange services and custodian wallet providers. Note, however, that in a recent publication on anti-money laundering measures, the Dutch government has made public plans to request the European Commission to propose further amendments to the European anti-money laundering legal framework, in order to extend the scope of the AMLD5 to providers of ICO services and to providers offering crypto-to-crypto exchange services. At the time of writing, these plans have not yet been followed up on.
Implementation of crypto products and, to a lesser extent, blockchain solutions, is sometimes impeded by the current financial regulatory framework. However, within the limits of their mandate, DNB and the AFM play an active and facilitating role through the InnovationHub, Regulatory Sandbox and the facilitation of partial authorisations.
The InnovationHub supports market parties that seek to implement innovative financial business models, services or products to the market. In addition to offering a single point of access to the regulators, the InnovationHub enables market parties to understand the relevant regulatory framework.
The Regulatory Sandbox provides a ‘safe environment’ in which tailor-made solutions can be created. This enables market parties to safely test innovative products and business models, without fear of regulatory enforcement measures, such as fines. In the context of the Regulatory Sandbox, the relevant regulators (DNB, the AFM and the Data Protection Authority) will assess whether the applicants and their innovative concepts comply with the underlying purposes of applicable regulations, rather than the strict letter of the law.
Market parties that, through their services, qualify as financial undertakings but do not wish to engage in all operations governed by a full authorisation, or are not yet able to meet all eligibility requirements for such an authorisation, have the possibility to obtain a partial authorisation from the regulators. Such authorisations may be granted on a temporary basis, but may also have a more permanent nature. It allows businesses that are testing innovative services and products to develop a fully-fledged financial undertaking step-by-step.
In addition to the aforementioned facilities, and as mentioned in the first section ‘Government attitude’, the Dutch government is also very receptive to fintech. Innovation is a key topic on the Minister of Finance’s agenda for the financial sector. Priorities include measures to facilitate market access for fintechs, proportionality of regulations and research on the possibilities of blockchain for payments and securities.
In the Netherlands, there are no restrictions on fund managers owning crypto. However, fund managers must be authorised to operate as an AIFM (by the AFM) if they manage an investment fund with assets under management above certain thresholds or if they offer participation rights to retail investors. This applies to managers of ‘regular’ investment funds and crypto investment funds alike (see also ‘Sales regulation’ above). In June 2018, the AFM issued a communication on the management of crypto investment funds specifically, in which it highlights a number of requirements (based on European regulations) for authorisation and ongoing supervision that may present compliance difficulties for crypto fund managers; these requirements concern liquidity management, valuation, depositary, product approval and review processes, and anti-money laundering. When considering a licence application, the AFM is expected to pay special attention to these elements.
With regard to providing investment advice on crypto, whether the person providing such advice is regulated depends on the qualification of the crypto on which advice is provided. Due to the fact that – currently – cryptos do not qualify as financial products as defined in the FMSA, advising investors on buying or selling cryptos as such does not fall within the scope of the Dutch financial regulatory framework. However, if the investment advisor advises on cryptos that qualify as financial instruments (securities), that advisor will fall within the scope of the definition of an investment firm and will need to be authorised as such by the AFM (see sections ‘Crypto regulation’ and ‘Sales regulation’ above).
A licence is also required when advising on cryptos that qualify as investment objects (see also ‘Sales regulation’). In addition, if the investment advisor holds retail client funds (fiat currency) in order for this retail client to exchange the purchased crypto, the advisor will again fall under the scope of another regulatory rule, as it is prohibited under the Dutch FMSA to attract, obtain or hold repayable funds from the public. There are several exceptions and exemptions to this prohibition, as well as the possibility of obtaining a dispensation, but these typically do not apply to an investment advisor that holds retail client funds.
Compliance with the European Union’s General Data Protection Regulation (“GDPR”) can be challenging for companies operating blockchains. The GDPR applies to organisations which process personal data. Processing is defined widely and includes collecting, storing and destroying data. The GDPR poses several challenges for blockchain solutions, most notably assigning the obligations of data controllers and processors to particular actors in blockchain systems and compliance with the individuals’ rights to have personal data deleted or corrected. These GDPR requirements are at odds with a decentralised blockchain-based data governance model and the concept of immutability of data stored on a blockchain.
Minimising the risks of collision with the GDPR
If no personal data is processed on a blockchain, the GDPR does not pose a problem for its operator. However, personal data is a broad term that, under certain circumstances, can even include the colour of a car or a public key to a crypto wallet. To minimise GDPR compliance risks, blockchain operators should apply robust anonymisation techniques (e.g. by storing an encrypted anonymous hash of the personal data on-chain, with the underlying and identifying personal data being kept off-chain). Although the application of such technical solutions may not exclude the applicability of the GDPR altogether, it may substantially enhance the blockchain operator’s means to meet the GDPR requirements. In practice, complete anonymisation is very difficult to achieve, especially in a public, permission-less blockchain, as its operator may not be able to control all data uploaded by the users of its blockchain.
Stay in control
The use of private, permissioned blockchains increases the chances of GDPR compliance because the operator can impose and enforce a governance framework for users via contracts setting out each actor’s rights and obligations.
It is worth noting that ensuring GDPR compliance is specific to a particular use of blockchain, not the technology as such. Therefore, obtaining legal advice tailored to a particular use of blockchain is recommended, as the consequences of a GDPR violation can be severe, with fines of up to 4% of annual worldwide turnover or EUR 20 million (whichever is greater), criminal liability and damage claims by individuals or via class actions.
Mining of Bitcoin and other cryptos is unregulated and permitted in the Netherlands. Certain members of Parliament continue to share their concerns with regard to the electricity consumption related to crypto mining activities. However, at the time of writing, it seems unlikely that the Netherlands will prohibit or regulate mining of cryptos in the near future.
If liquid assets with a value equivalent to an amount of EUR 10,000 are brought into the European Union through the Netherlands, the bearer of those liquid assets is required to file a declaration with Dutch Customs. However, cryptos do not currently qualify as liquid assets as referred to in the Liquid Assets Regulation (i.e. (foreign) banknotes or coins that are in circulation as a means of payment, securities to bearer, not registered by name, such as shares and bonds and travellers cheques that are not registered by name). Therefore, bringing crypto into the Netherlands does not trigger any filing obligation for the bearer, regardless of whether the crypto is held by the bearer through online storage or is brought into the Netherlands ‘physically’ using cold storage devices or facilities.
Please refer to ‘Money transmission laws and anti-money laundering requirements’ above.