Payments in the video game industry: Regulatory Status in Belgium

Rising importance of payments in the video game industry: Apple v. Epic Games

This summer has brought a major lawsuit in the video game industry with the “Apple v. Epic Games” case. Epic Games, the developer of the popular game Fortnite, introduced the possibility for its iOS users to buy V-Bucks (the virtual currency used in Fortnite) without using the AppStore integrated payment services. This manoeuvre allows iOS users to avoid paying Apple’s commissions on payment transactions processed through its store. Apple considered such practice to violate Epic’s contractual obligations. Consequently, Apple banned Epic Games’ products from its store. Despite a first decision in favour of Apple, the two firms are still engaged in legal proceedings before the competent US courts.

This case is a perfect illustration of the increasing importance of payments and (virtual) currency transactions in the gaming industry in general.

Payment transactions of all kinds are often channelled through so-called “stores” or “gaming platforms”.  Stores can be used to buy games, in-game items or in-game virtual currencies. They play the role of intermediaries processing the payment from the player’s store wallet to the developer’s account.

In the context of in-game payments, stores are even processing payments from players to developers as part of their professional activity. The professional activity of providing payment services in relation to fiat money or e-money is nonetheless regulated by the second Payment Services Directive (“PSD2”) and Electronic Money Directive (“EMD2”), and their respective national implementations in the EU Member States.

In addition to this first trend, developers are more and more issuing virtual currencies to be used in their games as a means of payment. With the recent development of the crypto-assets regulation at the EU level (through the so-called (draft) Markets in Crypto-assets Regulation (“MiCA”)), companies implementing these solutions into their games should be aware of the (soon-to-be) regulatory status of such virtual currencies.

Regulatory Status of In-Game Payments in Belgium

The prudential requirements of the PSD2 and the EMD2 have been transposed in Belgium by the law of 11 March 2018. This law determines a limited number of entities entitled to provide payment services in Belgium and Europe. However, payment services are defined broadly, and notably include the execution of payment transactions and money remittance.

The law also provides for a series of exemptions limiting the scope of its application. The so-called limited network exemption (“LNE”) is probably the most relevant exemption for the gaming industry.

Scope of the Limited Network Exemption (LNE) within the payment regulation

The LNE allows companies providing payment services based on payment instruments to remain outside the scope of the payment services regulation when those instruments can only be used within the scope of a limited network (e.g. only within a gaming platform).

The appreciation of the limited network is a de facto analysis left to the competent national supervisor (i.e. the National Bank of Belgium (“NBB”) in Belgium). A payment instrument is notably deemed to be used within a limited network in case it is only accepted by a limited number of services and/or goods providers or it can only be used to acquire a very limited number of goods or services.

In practice, certain gaming platforms (including important social media companies) can use this LNE exemption to escape from the qualification of regulated payment services and, therefore, also from the need to be licenced as a payment service provider or an e-money issuer. The set-ups vary in practice but a common business model for such platforms uses the following process:

  • The platform collects fiat money from users (gamers), which is then put on a gaming account held by the user on the platform (either in fiat money or converted into e-money);
  • Gamers are then allowed to use these funds to acquire a gaming-related digital content (which qualifies as “very limited goods” required for the LNE) from a series of game developers (which in turn qualify as a limited number of service providers required for the LNE) and which are also present on the same platform.

Nevertheless, even when providing these exempt payment services under the LNE, platforms are still subject to a notification obligation when the amount of the transactions processed in the last 12 months exceeds €1,000,000 per Member State. When falling within the notification threshold, the exempt set-up used by the platform (i.e. the size of the network, the range of goods or services, etc.) needs to be approved by the NBB. Such a notification duty is, however, much lighter than having to file for a licence application as a payment service institution or an e-money issuer under the PSD2 / Belgian law of 2018.

In-game “Virtual Currencies”

Independently from the payment services regulation discussed above (which is applicable when transactions are made in fiat money or its equivalent in e-money), in-game payments are more and more frequently operated by means of virtual currencies like the already mentioned V-bucks in Fortnite. Once players have acquired such a virtual currency, they are free to use it in the game.

The Belgian AML law defines virtual currencies as “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”.

Until the entry into force of the MiCA anticipated for 2022 and besides a few specific AML applications, the use of virtual currencies remain largely unregulated and, depending on the type of virtual currency concerned, the main attention point is to verify whether it does not (also) fall into another already existing financial regulation. Very often, the borderline between virtual currencies and e-money for example is a thin one. When talking about virtual in-game currencies such as V-bucks in Fortnite or Riot Points in League of Legends, it seems that they are often only accepted by the issuer of this currency itself (and not by third parties), which (at least for now) makes them fall outside the e-money regulation.

Without entering into too much detail at this stage, we can roughly distinguish three types of virtual currencies:

  • Closed virtual currencies: those currencies cannot be obtained with fiat money and do not interact with the “real world.” We can think of most online role-playing game’s “Gold”, which is acquired exclusively through solving quests or by eliminating enemies in a game, and cannot be obtained in exchange of fiat money;
  • Unidirectional virtual currencies: these currencies, on the contrary, are acquired with fiat money, but once obtained cannot be refunded or exchanged back into such “real world” fiat money. This is the case for well-known in-game currencies such as V-Bucks or Riot Points (see above); and
  • Bidirectional virtual currencies: those currencies can both be acquired and exchanged back into fiat money, while at the same time being used in games, and sometimes also in the real world.

The first two types of currencies are generally considered to be unregulated (for now) and are already rather common in video games. Bidirectional virtual currencies are still relatively unusual but already have some classic applications in the video game industry (e.g. Linden Dollars from Second Life which can easily be exchanged back according to a specific rate that fluctuates in time). More recent examples include (online) games allowing the use of a virtual currency which can be freely purchased and sold on virtual currency exchange platforms. Such bidirectional currencies could, in certain cases, qualify as e.g. financial instruments (making them fall into the scope of the MiFID II regulations) as it can no longer be exclusively seen as a so-called “utility token” to be exclusively used in the game, but also allows its holders to speculate and thereby show similarities with (regulated) financial instruments. Such qualification should always be assessed on a case-by-case basis using several criteria, e.g. the liquidity, the use or the purpose of the instrument concerned, etc.

Interesting times lie ahead of us at the crossroads of payments, (virtual) currencies and the video gaming industry.

Do not hesitate to get in touch with our Digital Finance Team for a chat on this exciting topic: +32 (0)2 543 70 80 or digitalfinance@simontbraun.eu

A European passport for crowdfunding

At last, a European passport for crowdfunding! As from 10 November 2021, it will be possible for both new and existing crowdfunding platforms to obtain a licence allowing them to carry out their activities in all EU countries. What does it mean in practice for SMEs, start-ups and potential investors? Catherine Houssa clarifies the main takeaways of this major step forward to (finally) boost crowdfunding in the EU.

Looking back

Without any doubt, it was crowdfunding that launched the Fintech movement. Crowdfunding facilitated access to funding for those who were excluded from the banking system via a digital platform, showing the possibility that finance could be done differently.

The Belgian legislator, like other national legislators, has taken up this new reality and transposed the requirements related to this new activity into Belgian law one step at a time (see our news published in 2016 on this subject here).

However, an inherently digital activity soon finds itself cramped when it is constrained within physical boundaries. The crowdfunding platform approved by the FSMA under the Belgian law of 18 December 2016 must limit its activities to the Belgian territory unless it meets the legal conditions applicable to crowdfunding platforms in each of the various European countries where it wishes to carry out its alternative funding activities.

After a certain enthusiasm, crowdfunding has therefore continued its national activities without going through the spectacular development one could have hoped for. One of the main reasons for this is, in particular, the lack of a European passport linked to national authorisation.

Harmonisation of participatory financing – a single European framework

From 10 November 2021 onwards, a crowdfunding platform will be able to obtain an authorisation entitling it to carry out its activities in all countries of the European Union.

On this date, Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers (ECSP) for business (the “Crowdfunding Regulation“) will become applicable.

By granting a European passport to ECSPs, the Crowdfunding Regulation makes it possible to overcome the barrier of fragmented national regulation. It undoubtedly creates a favourable environment for the emergence of new European crowdfunding players and facilitates the cross-border financing of small structures and startups. In other words, individual investors from different European countries will be able to participate in the financing of projects of companies established in other Member States.

Below, we provide a general overview of this new European regulation.

Scope of application

Actors

The project owner may be a natural person who is not a consumer. This is a first difference with the Belgian regulation which limits access to financing intermediated by platforms to legal entities. This will certainly raise questions regarding the Belgian regulation which does not allow the issuance of securities by natural persons.

On the other hand, ECSPs must be legal entities. This is also a difference from the Belgian regulation which also allows natural persons to offer alternative financing services, although it has to be acknowledged that, de facto, this possibility is not being used.

The Crowdfunding Regulation does not apply to participatory financing services provided to project owners who are consumers within the meaning of Directive 2008/48/EC, i.e. any natural person who acts for purposes not related to his commercial or professional activity.

This is a disappointment for peer-to-peer lending platforms which, provided that they are authorised to act as such by their national legislation, will have to pursue carrying out their activities exclusively within their national legal framework without benefiting from a European passport (for the lack of Belgian status of peer-to-peer lending, see our initial analysis of 2016 here).

Maximum amount collected

The Crowdfunding Regulation has opted to set a single collection threshold per project owner instead of per project. This threshold has been set at 5 million EUR over a 12-month period without the need to issue a prospectus.

This amount has been retained because this threshold is used by most Member States – as is the case in Belgium – to exempt the offers of securities to the public from the obligation to publish a prospectus. Moreover, this threshold is calculated to cover all offers made by the project owner, whether through ECSPs – in the form of loans or equity participations – or directly under the general exemptions provided for in the Prospectus Regulation.

Grant conditions

A European passport is something you have to earn! The Crowdfunding Regulation introduces extremely precise rules on transparency and investor protection. This Regulation also significantly strengthens the prudential and governance requirements with which platforms have to comply.

Investor protection and transparency

The process of a collection project always starts with the publication by the ECSPs of a Key Investment Information Sheet (KIIS) drawn up by the project owner. This document contains all the information listed in Annex I of the Crowdfunding Regulation, an exclusion of liability clause and a warning on the risks posed by the investment proposed by the platform. It must be kept up to date throughout the entire offer period. The ECSPs are closely involved. They are responsible for verifying the completeness, accuracy and clarity of the information contained in the KIIS. The KIIS must be published 7 days before the online publication of a project that coincides with the start of the collection.

The Crowdfunding Regulation also distinguishes sophisticated and non-sophisticated investors, who benefit from different levels of information and protection.

A non-sophisticated investor benefits from a higher level of information (more in-depth advice and guidance). He must take an appropriateness test to ensure that he understands the level of risk associated with a participatory investment, a test which should be renewed every two years. Unless the ECSP offers a discretionary loan portfolio management service, the non-sophisticated investor is given a withdrawal period of 4 days as from the day he makes an investment offer. If his investment exceeds 1,000 EUR per project or 5% of his assets, the ECSP is subject to additional obligations in terms of information and must obtain the explicit consent of the investor.

Prudential requirements

The Crowdfunding Regulation imposes many organisational and operational requirements on ECSPs. These include the obligation to put in place procedures to ensure the continuity of their activities. ECSPs must also ensure that they avoid any conflict of interest and, to this end, shall not participate in offers launched on their own platform, nor may their main shareholders, managers and employees act as a project owner of a project offered on the platform. When ECSPs engage in outsourcing, this must be documented and monitored at all times, with the ECSP remaining fully responsible for the outsourced activity. The custody of assets must comply with strict rules.

Evidence of compliance with these rules must be included in the application file submitted for approval to the supervisory authority of the Member State in which the applicant is established.

If the ECSP provides for payment services in relation to participatory financing services, the ECSP is logically obliged to obtain authorisation as a payment service provider within the meaning of Directive 2015/2366 (PSD II).

Gateway

Finally, it should be noted that the Crowdfunding Regulation offers crowdfunding platforms that have already been approved under their national legislation the ease of not having to provide again the information and documents they have already provided when applying for approval, on the condition, of course, that this information and these documents are up-to-date and available to the competent authority. Platforms which obtain the European passport will have to give up their initial national authorisation, while platforms which do not apply for the European passport will remain subject to their initial national authorisation.

The European authorisation as a provider of participatory finance services was long expected by the industry. Even if it imposes strict rules to ECSPs, this is a necessary evil to give them the credibility they need to finally access the “big league”.

Come and discuss this with our Digital Finance Team!

digitalfinance@simontbraun.eu
+32 (0)2 543 70 80

 

Simont Braun authors FinTech Belgian Chapter in The Legal 500

Have a look at the FinTech Belgian Chapter authored by Simont Braun in The Legal 500 Comparative Guide!

It’s a concise, pragmatic and yet comprehensive overview of FinTech in Belgium, and a must-read for all practitioners and actors of the sector.

The Belgian Chapter is available here.

Thank you, in particular, to Catherine Houssa, Philippe De Prez, Joan Carette, Thomas Derval, Jean-Christophe Vercauteren & Charlotte De Thaye for their work on this.

For any question or assistance, do not hesitate to reach out to Simont Braun’s Digital Finance Team: digitalfinance@simontbraun.eu

 

The European Commission issued its new Digital Finance Package

FLASH NEWS | Yesterday, the European Commission issued its new Digital Finance Package presenting a new digital finance strategy and new legislative proposals.

The key takeaways are:
1. Legislative proposals on crypto-assets including a regulated status for previously unregulated crypto-assets;
2. An EU regulatory framework on digital resilience;
3. A renewed strategy for retail payments to foster cross-border payment solutions (instant payments) and a proposal for “Open Finance” framework.

For more information, do not hesitate to contact our Digital Finance team: digitalfinance@simontbraun.eu

Simont Braun strengthens Financial Services and FinTech capabilities with top hires

Simont Braun boosts the capabilities of its Fintech and Financial Services practices by welcoming Partner Joan Carette and Senior Associate Jean-Christophe Vercauteren. These strong additions to the firm enhance our Digital Finance Team’s position on top of the Belgian market.

The highly respected Joan Carette joins our Fintech and Financial Services team as a partner next to Catherine Houssa and Philippe De Prez, where she will reinforce our regulation and FinTech skills and allow to improve our focus on the Tech aspect of our expertise.

Joan Carette has 20 years of experience in FinTech, payments, e-money, AML and more generally banking and financial services and the prudential supervision of financial institutions. She worked as a regulator in the prudential supervision department of the FSMA, and in Belgian and international law firms for over 15 years.

Clients admire her “very flexible, pragmatic approach,” as well as her “deep knowledge of financial regulation.” (Chambers & Partners)

FinTech, Payments and Financial Services play key roles in our economy and require to combine strong legal knowledge with tech-savviness and proactivity. In this context, I am delighted to join the strongest Digital Finance Team on the Belgian legal market. Together, we will be able to offer the best possible guidance to our clients,” says Joan Carette.

Jean-Christophe Vercauteren has solid regulatory expertise in FinTech, payment services and e-money, AML and more generally banking and financial services. He gathered experience as a lawyer in Belgian and international business law firms, and as a legal counsel in a Belgian bank.

I could not think of a more stimulating environment than Simont Braun’s Digital Finance Team to further develop my expertise. Being part of the pioneer FinTech law firm in Belgium will be a daily motivation, and I am happy to contribute to broadening its capabilities,” says Jean-Christophe.

We are proud to welcome top talents like Joan and Jean-Christophe in the team. With them on board, our Digital Finance Team strengthens both its financial services and tech capabilities,” adds Philippe De Prez, partner in FinTech and Financial Services.

***

Simont Braun’s pioneer Digital Finance Team is one of the best and most-qualified teams in Belgium. “The firm has proven itself as one of the very leading players in the market, having advised on groundbreaking projects involving areas such as alternative lending, micro-savings, robo-advisory, blockchain, ICOs and virtual currencies.” Simont Braun is the only law firm ranked in Band 1 in Belgium in FinTech by Chambers & Partners. The firm is also ranked Tier 1 in FinTech by the Legal 500, and Tier 1 in Financial Services Regulatory by IFLR 1000.

Should health and life insurers use the data collected by health-related apps?

With the generalisation of health-related apps, health and life insurers are keen to use the collected data to improve the accuracy of their insureds’ profiles. This trend raises important questions in terms of privacy but also in terms of risks mutualisation in society.

A bit of context

With the increase of technology and the ability of our smartphones or smartwatches to collect our heartbeats, count our steps, and assess our pace, developers have naturally seen an opportunity to develop health-related apps.

These apps track running performances (Runkeeper, Runtastic, Nike+, Fitbit…), monitor diet (MyFitness Pal…), analyse sleeping habits (Fitbit, Jawbone, isommeilr…), etc.

Citizens are using more and more of these health-related apps in their daily life.

Of course, health and life insurers are greatly interested in the health data collected by these apps. This is not necessarily a bad thing as this can mean that insurers can better assess the risk they insure and its evolution, and request more accurate premiums from their policyholders. Nonetheless, this trend also raises important questions in terms of privacy, but also in terms of insurance paradigm as such.

The privacy issue

The privacy issue is rather obvious. One might reasonably desire to keep certain aspects of one’s life private.

The privacy issue is not limited to the insurance world. Privacy is primarily addressed by the EU General Data Protection Regulation (GDPR). The purpose of this news is not to examine this regime in details. Let us simply remind that under Article 9 of the GDPR, health-related data are considered as “special categories of data”.

The process of this kind of data is subject to higher requirements and may only serve highly valued purposes. The data subject may, however, always give its explicit consent to the use of his/her health-related data (Art. 9, 2, (a) GDPR).

This explicit consent is rather well protected and must be free and genuine. For instance, a service provider may normally not monetise or subject the delivery of its services to the data subjects’ consent.

The segmentation issue

Where do we stand?

The insurance industry is based on the idea of risk mutualisation. This principle can be extremely useful to the operation of a society. In a nutshell, the healthy clients’ premiums pay for the insurance indemnity of the ill insured persons.

Health and life insurers have always tried to assess the risks presented by insured persons with the highest accuracy possible using statistical data. Typically, all things being equal, a young sporty person is less likely to die than and old person suffering from diabetes. This reality will normally result in the young person paying a lower insurance premium.

The division of insured persons in categories (e.g. young and healthy versus old and ill) is called “segmentation”. To each category corresponds a level or premium, certain categories of risk being simply refused by insurers (depending on their risk appetite). This is the reason why health and life insurances are almost systematically subject to a medical questionnaire and, in some cases, a medical examination.

Naturally, the more accurate and detailed the segmentation is, the less insurance services offer a mutualisation of risk to society and – arguably – the less useful become insurance services to society as a whole.

This risk has been identified by the Belgian legislator. One of the main Belgian attempts to avoid the risk of “demutualisation” is embodied in Article 44 of the law of 4 April 2014 relating to insurances. Under this provision “Any segmentation made in terms of acceptance, cost, and/or extent of the insurance cover must be objectively justified by a legitimate purpose, and the means to achieve this purpose must be appropriate and necessary”.

This provision lays down the legislator’s ideal but it is very broad and offers a lot of room for interpretation.

What’s next?

Certain members of Parliament fear that connected devices and health-related apps unduly change the paradigm of mutualisation in the insurance sector.

To prevent this potentiality, they have filed a law proposal with the intention of prohibiting the use by health and life insurers of personal data collected by connected devices. The law proposal further prohibits to subject insurance acceptance, pricing and/or extent of the insurance cover to the use by the insured person of health checkers and the sharing of data collected by such health checkers with insurers.

Practically, if enacted, the law proposal would bring a new Article 44, § 2nd, to the Law Insurances:

In derogation to Article 43, § 1st, this paragraph applies to the following insurance contracts:

1° Individual life insurance;

2° health insurance […].

No segmentation can be applied to acceptance, pricing and/or extent of the insurance cover subject to the condition that the policyholder accepts to acquire or use a health checker, accepts to share the data collected by the health checker, or subject to the condition that the insurer uses such data. The processing of the personal data collected by a health checker, relating to the way of life or health of the policyholder, is prohibited”.

The concept of “health checker” would be defined in a new Article 5, 53°, of the Law Insurances as “a device allowing the measurement of one or more variables associated to the way of life or the health of the policyholder”.

At the end of January 2020, the Belgian Data Protection Authority (“DPA”) issued an opinion on the law proposal.

The law proposal is primarily based on Article 9.4 of the GDPR, according to which “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health”.

The proposal is further based on abovementioned Article 9, 2, (a) of the GDPR, which provides that special categories of data (such as health-related data) cannot be processed unless “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition […] may not be lifted by the data subject”.

According to the DPA, these two provisions of the GDPR effectively allow the Belgian legislator to introduce additional limitations to the processing of health data so that the law proposal is compliant with the GDPR.

Conclusion

While nothing is (yet?) cast in stone, the discussed law proposal is a perfect illustration of the difficult balance regulators need to strike between innovation and the preservation of existing paradigms.

Interestingly, it shows a strong desire of certain members of Parliament to safeguard the principle of mutualisation of risks in the insurance industry. This mutualisation is often seen as a key principle to the health system as a whole.

The DPA’s opinion is also a good reminder that the GDPR, although an EU regulation, still allows Member States to adopt stricter requirements when it comes to protecting special categories of data. In the case at hand, the law proposal somehow “protects the data subjects from themselves” by revoking their right to agree to certain use of their connected devices.

***

For any question or assistance, please contact Thomas Derval
td@simontbraun.eu  |  +32 (0)2 533 17 09

Autonomous Vehicles in Belgium. Is our legal system ready?

We have been hearing about autonomous vehicles (“AVs”) for quite a while. However, as time goes by, the use of AVs is getting closer to becoming a reality. In various countries, car manufacturers are now carrying out tests on open or closed parts of public roads. Just like engineers are facing technical challenges in this field, lawyers have to deal with questions around liability, cybersecurity, data protection, insurance, intellectual property, etc. In this framework, news about AVs accidents are getting less and less uncommon, and they lead to tricky liability questions, such as: can a car user be held liable if he or she had no direct control over the wheel?

Such questions might need a clear answer in the near future and the whole AV subject at large is gaining track. Recently, a Belgian politician launched the idea to make Belgium the first country to welcome AVs. In parallel, the European Commission issued in February 2020 a White Paper on Artificial Intelligence, referring to liabilities incurred by AI, and by extension by AVs.

What do you mean, “autonomous” vehicle (“AV”)?

AVs’ autonomy varies in degree. Subject to a specific European scale of autonomy measurement, authors generally refer to the Society of Automotive Engineering (“SAE”)’s scale. SAE is an international organisation based in US. It brings together engineers, CEOs, researchers, professors, and students who share ideas on automotive engineering. It established six levels of autonomy, ranging from a complete human intervention (level 0) to a total absence of human action (level 5).

To date, the most advanced AVs on the market are of level 3. In that case, the vehicle can handle itself all aspects of the driving tasks within a certain set of circumstances. In some instances, the human driver must be ready to take back control of the vehicle when the AV so requires, e.g. during a traffic jam. According to car manufacturers’ (enthusiastic) declarations, the next levels of autonomy should reach our market in the coming months or years.

How does Belgian law address liability issues in the case of AV accident?

At this stage, Belgian law does not have any specific liability regime addressing the risks generated by AVs.

A victim of an AV should thus find its way through the existing and non-specific Belgian liability regimes. In short, four liability regimes can be identified as potential legal basis for a claim.

1. The fault-based liability regime (Article 1382 of the Civil Code)

This requires the victim to prove three things: a wrongful behaviour from the AV user, a damage and a causal relationship between the behaviour and the damage.

The tricky question here is whether a driver can be found guilty of a wrongful behaviour if he or she was letting the AV operating itself at the time of the accident?

2. The strict liability regime for the use of defective things (Article 1384 of the civil Code)

The victim should prove its damage and a causal relationship, just like in the previous fault-based liability regime. However, in this case, the victim can limit itself to proving a malfunctioning in the AV, rather than proving a wrongful behaviour of the AV user.

This solves the question raised by the previous regime but raises a new one, e.g. how do you prove a malfunctioning when the accident is the result of an algorithmic decision, which in turn could potentially be the outcome of machine learning?

3. The product liability regime (law of 25 February 1991 on product liability)

This regime is similar to the second liability regime as the victim must prove its damage, a malfunctioning of the AV and a causal relationship between these two aspects. However, in this case, the victim will seek compensation against the manufacturer, not the driver.

Furthermore, the compensable damage will be limited to personal injuries (including moral damage) and, subject to certain conditions, damages to property. Other types of damage (e.g. loss of opportunity) are not recoverable under this specific liability regime.

4. The insurance liability (Article 29bis of the law of 28 November 1989 on compulsory motor vehicles liability insurance).

Once a vehicle is involved in an accident, “weak users” (e.g. pedestrians and cyclists) may obtain compensation from the car insurer for the damages resulting from this accident.

In this case too, recoverable types of damage are limited. They only cover personal injuries or death, as well as damage to clothing (quite oddly).

What’s next?

Vehicles are becoming more and more autonomous. Level 5 (fully autonomous) AVs are still prohibited at this stage but their eventual arrival on the market will generate liability questions for which our legal system is not well equipped.

They will change the fault-based paradigm and we anticipate that a dedicated liability regime (e.g. based on the mere use of the AV) will be needed to complement our existing legal framework. We at Simont Braun will closely follow up on this and keep you posted.

***

For any question, please contact the authors:

Thomas Dervaltd@simontbraun.eu
David-Alexandre Sauvagedas@simontbraun.eu

Covid-19 & Banks: Emergency Response and Sound Management

The health crisis caused by Covid-19 and the economic and social consequences it has for banks oblige these financial institutions to inform their regulator of the specific measures, both internal and external, that they implement to address the situation.

Business Continuity – Regulatory Context

Given their essential role in the economic and financial system, banks are legally required to pay particular attention to the risks that are associated with a potential halt or slowdown of their activities.

This is an illustration of the banks’ more general obligation to have at all times adequate measures to ensure the maintenance or rapid restoration of their critical functions (Article 21, § 1st, 9°, of the Banking Act of 24 April 2014). This requirement results from the need for credit institutions to have a sound and prudent management in place.

  1. Contingency Plan

This obligation of continuity is reflected in the contingency, business continuity and recovery plan. This plan must be established by all banks on an annual basis under the responsibility of their Board of Directors. The contingency plan must demonstrate (and convince the supervisors) that the banks have the capacity to limit the operational, financial and legal consequences that would result from a disaster (we usually think of a fire at the head office, but also a severe computer bug, a terrorist attack or, in this case, a health crisis), or result from a prolonged unavailability of its resources leading to difficulties in ensuring the institution’s operations or, in the most serious cases, forcing the institution to interrupt its activities.

As risks are likely to change and evolve, credit institutions must of course regularly test their contingency plans to be able, in a given context, to document and analyse the shortcomings or errors that emerge during testing, and then update their plans accordingly.

  1. Preliminary risk analysis

The development and drafting of this contingency plan require banks to have first carried out a detailed analysis of their exposure to serious business disruptions and to have assessed how to address them, both quantitatively and qualitatively. It is the only manner for banks to be able to define their priorities and objectives should an incident occur.

The spectrum of risks that can hinder or even prevent the continuity of an institution’s activities is obviously very broad and depends above all on the activities carried out by the bank. The risks incurred by a private bank differ, at least in part, from those incurred by a bank whose main activity consists in granting mortgage loans to private individuals or by an institution specialising in export financing.

Covid-19: Emergency and continuity measures

The Covid-19 crisis is a severe test of the banks’ obligation of continuity and the accompanying duty of vigilance.

It is the duty of each bank to urgently establish and maintain, throughout the Covid-19 crisis, the necessary measures to ensure the continuity of their activities while protecting their staff and complying with the government measures.

The scenario of a health crisis of this magnitude and its important economic consequences was unlikely to be included in the banks’ contingency plans. Nevertheless, in theory, credit institutions must have appropriate tools to face it.

In practical terms, and without going into the details of each institution’s particularities, the following emergency measures are examples of what banks can do to deal with the current crisis – from a regulatory standpoint:

  • Raising staff awareness and implementing concrete measures to avoid the spread of the virus (teleworking, shift of teams, reduced flex-office, closure of branches, etc.);
  • Implementing reliable alternatives for customer communication;
  • Increasing IT capacity to cope with remote working;
  • Coordinating critical processes, resources as well as critical staff and their back-ups;
  • Reinforced assessment by the compliance of cyber-attack scenarios and implementation by IT of the measures internally (monitoring of operations) and externally (communication to customers). Risks of fraud such as phishing, identity theft, etc. increase in times of crisis;
  • Additional requirements for subcontractors performing critical functions (outsourcing). This is the case, for example, if customer data is stored in the cloud;
  • Setting up of a crisis committee that assesses the situation on a daily basis;
  • Communication of the measures implemented to the Board of Directors and possible convening of the risk committee and/or an exceptional audit committee;
  • Regular reporting to the competent financial supervisors (e.g. the National Bank of Belgium) on the implemented measures;
  • Assessment and possible adaptation of the emergency plan. This assessment is normally made on an annual basis, but it should also be carried out when the emergency plan is to be implemented.

Conclusion

Banks are subject to very burdensome and stringent regulatory requirements. These include the detailed assessment of their risks and the implementation of necessary measures to address the risks identified. This obligation is complex because the regulator requires a risk-based approach that is both concrete and detailed. However, it is in days like these, when a concrete risk arises that the full usefulness of these regulatory requirements becomes apparent. Afterwards, useful lessons will most probably be learned as to the effectiveness of the current regulatory framework in this respect, and possible modifications can be proposed.

***

For any question or request for assistance, please contact Catherine Houssa or Philippe De Prez:
Catherine Houssacho@simontbraun.eu
Philippe De Prezphde@simontbraun.eu