German Federal Financial Supervisory Authority shines spotlight on social media and reverse solicitation breaches
RegCORE Client Alert | German Regulatory Developments
The use of social media by financial services firms in the context of marketing has long been in the supervisory spotlight of both EU level supervisory authorities but equally national competent authorities (NCAs). The same is true of strict supervisory expectations on the permitted use of “reverse solicitation”. Reverse solicitation refers to situations where a client initiates contact with a service provider for a transaction, rather than the other way around. In the context of financial services, reverse solicitation typically arises when a client contacts a firm or individual to request investment advice or services. There has been significant debate in recent years regarding the permissibility of using social media for reverse solicitation.Show Footnote When the two issues come together, in particular in the context of an alleged breach of applicable standards, then supervisory action is likely to follow. This is especially the case if a financial services firms’ app is available (even in beta testing format) in a respective jurisdiction where that financial services firm has no permission from the regulator to conduct business and is thus engaged in “unauthorised business”.
Precisely all of these concerns crossed the desk of Germany’s NCA, the Federal Financial Supervisory Authority (BaFin) following an unsuspecting - yet in the eyes of the BaFin quite troublesome - Tweet posted by Uniswap, a decentralised cryptoasset exchange. This is not the first and certainly not the last time the BaFin has focused on similar issues involving other non-licensed cryptoasset service providers allegedly breaching Germany’s regulatory perimeter when it comes to (a) active marketing; and (b) in respect of regulated activity.
Importantly, while the BaFin has decided to take preliminary action to investigate. The principles discussed herein and actions taken by BaFin are also applied by NCAs across the EU-27 in much the same way. This is the case as even though there are (currently) not definitive harmonised EU rules on social media use and to a lesser extent on permitted reverse solicitation, there are common principles. These are set by EU authorities and law, which NCAs in turn have to apply.
On 5 March 2023, Uniswap tweeted (in German) Which at the time of writing was still available to access – hereShow Footnote from its official Twitter account, “Good morning Germany! Are you still in line? Maybe you should leave your phone in your pocket. However, we have an early access link for our mobile wallet for you, download it here:” followed by a link stating “Join the Uniswap Wallet: DeFi & NFTs beta” available on ioS” directing prospective users i.e., clients (in Germany...) to a “testflight” environment for what is, in Germany, a regulated activity – in particular trading but also custody of cryptoassets. See coverage from our EU RegCORE on “German Regulatory Developments” including specifically on cryptoassets more generally as well as our Client Alert, from March 2022, on BaFin’s warnings to the market (available here) as well as our Client Alert, equally from March 2022, on BaFin’s warnings on the use of social media and the regulated activity of investment advice (available here). The BaFin had, at the start of March 2023, also released supervisory expectations on the classification of NFTs (see our standalone coverage on that), so the Uniswap tweet was also quite unfortunate timing.Show Footnote
BaFin has long been unequivocally clear that any person who “actively targets the German market” in respect of a regulatory activity that would require a license or respective permission to do so must have one unless a permitted exemption (such as reverse solicitation) exists. If no such exemption can be relied upon then this may constitute unauthorised business. Consequently, BaFin has decided to investigate Uniswap on the basis of this troublesome Tweet suggesting active market and alleged conduct of unauthorised business.
Moreover, BaFin has been repeatedly clear that firms and individuals must ensure that any communication via social media is fair, clear, and not misleading. They must also ensure that they have appropriate policies and procedures in place to manage the risks associated with using social media, such as data security and privacy concerns. BaFin has also issued national guidance (see footnote 3) on the use of social media by financial services providers. This guidance includes requirements related to recordkeeping, supervision, and the protection of customer information. While such guidance is primarily directed to firms operating (and licensed to do so) in Germany, it is also noteworthy for those conducting business that could have a nexus to Germany. Other NCAs have similar such types of guidance although the detail and standards may vary.
As at the date of this Client Alert, BaFin’s investigations were underway and no comment can be provided on the state nor outcome of those investigations and its consequences. Nevertheless, as explored herein, there are a number of lessons to be learned to ensure similar situations do not lead to adverse supervisory interest for alleged non-compliance elsewhere.
Early access beta testing offers no escape from BaFin scrutiny
What further compounds the problem of the troublesome Tweet is the “early access” nature of Uniswap’s iOS app in Apple’s App Store. Uniswap’s mobile wallet was launched in early access mode on 3 March 2023. Uniswap was reported to have stated that: “We would love to release the Uniswap mobile wallet to everyone in the App Store, but the best we can offer is early access," Uniswap writes. Apple did approve an initial build in October 2022, but rejected the final one in December 2022, according to Uniswap. Since then, they have responded to all of Apple's concerns "and reiterated that we are 100 per cent compliant with their policies". The question for BaFin (as would be the case for other NCAs), putting aside the point on whether unpermitted marketing was conducted, is whether a beta testing environment is sufficiently developed to allow an actual regulated activity to be considered to be taking place.
More pressingly, for BaFin, as in any current investigations focused on cryptoasset service providers, (in particular prior to the entry into force of the EU’s Markets in Crypto Assets Regulation – MiCA) is the decentralised nature of the cryptoasset exchange and applying that to whether there is actually reverse solicitation.
What however is clear, is that EU legislative policymakers will need to redress the location issue in the context not only of its Digital Finance Package (work in progress), the EU’s Retail Investment Strategy (updates pending) but also the finalisation of delivery of MiCA (delayed for a number of “technical reasons”). If the EU fails to get that right and done in a timely manner, in particular that looks at substance over form, then this risks derailing all the good efforts to date plus driving forward fragmentation further where EU efforts on harmonisation were supposed to replace confusion and complexity with clarity and (legal/regulatory) certainty.
BaFin’s supervisory and enforcement tools to prevent unauthorized business
In the actions it takes against unauthorised business, BaFin works together with the supervisory and prosecuting authorities of other countries. At the request of foreign authorities, it also applies its powers of investigation for their investigations concerning unauthorised business in other countries and to enforce respective sanctions issued in other countries as it concerns activity in Germany.
BaFin has a range of supervisory and enforcement tools that it can, keeping the principle of proportionality in mind, apply to prevent actual or deter future unauthorised business in Germany or with a nexus to Germany. Typically, BaFin will initially use its considerable powers to investigate the facts and attempt to explain the issues raised by the allegedly illegal activity. It may hold an informal hearing with the party in question and obtain information and documentation. If a party refuses to comply or their statements are insufficient or false, BaFin may initiate formal clarification actions.
Requests for information and documentation are the first measure BaFin will apply. Such inquiries are the most mild form of formal clarification, requiring the party in question to disclose information and submit proof to BaFin. When a party argues or fails to recognise their authorisation requirement and, as a result, refuses to meet their commitment to give information and cooperate, BaFin frequently considers making such a request. A prerequisite for issuing a request for information and documentation is the existence of facts that provide reasonable grounds to believe that the party concerned, or an involved undertaking, is engaging in business operations subject to authorisation under the relevant supervisory laws without the necessary authorisation. A request for information and documentation can result in a fine of up to 2.5 million euros.
Following the request for information and documentation stage, the BaFin may, at its discretion, issue an audit order. This is particularly the case if the BaFin has concerns on whether the information provided by a party is complete. An audit order authorises BaFin officials to enter a firm’s premises even without the approval of the entity in question. However, BaFin is not permitted to inspect business records without the approval of the relevant party. In comparison to a search order, an audit order is used where the person concerned maintains their readiness to submit information but there are concerns about whether the information provided is complete. Penalty payments can also be used to enforce the audit order.
If, at this point, BaFin has not been successful in clarifying the matter of the suspected illegal business activities, the next option to consider is a search. A search is the most stringent method of determining the truth. BaFin employees may access and search a party's commercial and residential properties to secure evidence, even if the party does not consent. They may also search people, for example, to secure any mobile data carriers. Given the infringement on basic rights, a search, in general, requires a judicial order issued by a local court of competent jurisdiction. Only in cases of extreme danger may a judicial order be waived.
Following the above, if it is determined that illegal or other unauthorised business operations are being carried out, BaFin is authorised by the applicable supervisory laws to take the following actions against the relevant operators and the associated undertakings:
- Issue a Prohibitive Order: If there is a risk of unauthorised business activities being done or continued by the same supplier in the future, BaFin may prevent such business operations from being performed.
- Publish a Resolution Order: If the unauthorised business operation has not been directly halted by the Prohibitive Order, BaFin may issue a Resolution Order as a more stringent measure. Such precautions are used, in particular, when the operator collects and perhaps invests consumer monies (for example deposit business, portfolio management, principal broking services, investment business). The unauthorised business activity is judged to be resolved only if the money have been returned to the investors in whole and no new business transactions have been undertaken.
- Appoint a Liquidator: If the operator of an unlicensed enterprise cannot ensure that the ordered resolution is carried out appropriately, BaFin may appoint a suitable person as liquidator. The operator of the unauthorised business operations must therefore bear the liquidator's costs. If the estate assets are insufficient to satisfy the liquidator's priority-ranking charges, it is conceivable to avoid appointing a liquidator in order to avoid further depletion of the assets to the detriment of the investors. The liquidator may also initiate insolvency proceedings against the operator's assets.
At the latest after BaFin has ordered formal measures, it also informs the relevant public prosecutor's office, which, as the prosecuting authority, can take action in its own right against the respective conductor of the business and related parties. Whether or not the public prosecutor's office works parallel to BaFin, however, does not affect BaFin's duties and powers. If the public prosecutor's office intervenes, BaFin coordinates the further steps to be taken with the prosecutor.
BaFin’s website regularly publishes (predominantly in German) details of sanctions See general information available here.Show Footnote that the BaFin has taken in respect of “unauthorised business” (Unerlaubte Geschäfte) against a range of persons both in Germany and further afield. This may involve a number of civil penalties and administrative sanctions or even criminal sanctions (including leading to custodial sentences following conviction) as well as, regardless of sanction taken, public censure or warning against dealings with the unauthorised business. That approach is not limited to BaFin but one that all EU-27 NCAs may apply in respect of the markets and activity that they supervise.
In the BaFin’s own words, the NCA states that: “BaFin uses supervisory measures to compel companies to observe the authorisation requirement, i.e., not to engage in gainful activities for which they would actually need authorisation from BaFin. If business is transacted without the required authorisation, BaFin may order it to be prohibited and wound up – regardless of whether a case has to be pursued under criminal law and the criminal prosecution authorities also take action. In the event of criminal prosecution, the BaFin Directorate for the Integrity of the Financial System (IF) works together closely with the criminal prosecution authorities. Both sides then also coordinate with each other in deciding who takes what step and when. In some cases, it is sensible for BaFin to take the first step in an investigation, whereas in other cases the public prosecutor’s office is the first to take action.”
It goes on to state that: “In the vast majority of cases, the operators failed to recognise the authorisation requirement and discontinue their unauthorised business activity when BaFin intervenes without any formal orders and coercive measures becoming necessary.”
As summarised by BaFin “Anyone who is involved in the initiation, conclusion or settlement of unauthorised or prohibited business can expect measures to be taken by BaFin as well as, potentially, criminal prosecution. This applies not only to the conductor of the business but also to all those knowingly or unknowingly involved in the business – either as employees, as self-employed staff, as members of governing bodies or as service providers.”
While social media can be a valuable tool for facilitating communication between clients and financial services firms, it is important to (1) be aware of the legal and regulatory framework governing its use and to (2) draw defined boundaries of where permitted use of reverse solicitation ends as well as (3) where triggering the regulatory perimeter of where likely recipients or readers of a social media post starts.
Given the wider-reaching focus by EU authorities and NCAs in this area it is very conceivable that a number of firms may want to revisit their marketing and client facing communications policies, in particular where communications are facilitated by third parties or even AI-powered tools. Some firms may also wish to revisit their reverse solicitation policies, in particular given that at the time of writing, there is still no harmonised definition or rule set that is applicable across the EU-27 of what is permitted reverse solicitation versus non- permitted. As a result, rather frustratingly, supervisory expectations amongst NCAs may differ both in what is tolerated and what is not tolerated.
Despite such fragmentation in the details, the common understanding is clear that the EU authorities and NCAs expect that firms should not be over reliant on reverse solicitation. This should be viewed as more the exception rather than the rule for how firms attract, retain and service clients and in particular retail customers on the basis of reverse solicitation. This latter point applies to both cryptoasset and FinTech focused firms inasmuch as it does to traditional financial services firms and very much regardless of what forms of marketing channels they use i.e., social or traditional media.
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these developments.
One of the focal points of PwC Legal's Dispute Resolution practice is the representation of companies in the defence against class and mass actions, also using state-of-the-art legal tech solutions. In particular, the dispute team has extensive practical experience with the instrument of collective legal protection already provided for in German law - the model declaratory action. The same applies to the defence of representative actions under Germany’s Injunctions Act (UKlaG).
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via email@example.com or our website.