Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European Crowdfunding Service Providers (ECSPR) has been directly applicable since November 2021. However, the transition period now runs until 10 November 2023 (instead of 10 November 2022 as originally contemplated) after the European Commission made use of its one-time extension option. The requirements of the ECSPR therefore only have to be met on a mandatory basis from 10 November 2023.
Despite this delay, it is worth keeping an eye on the harmonisation of the authorisation requirement for crowdfunding service providers (CSPs) – especially for those already active in the crowdfunding sector. At the end of the transitional period, it will be important not to be without a European (ECSP) authorisation, if one is required. Without the necessary ECSP authorisation, crowdfunding platforms with local authorisations will no longer be allowed to publish new crowdfunding offers after 10 November 2023.
At the same time, an application for an ECSP authorisation involves quite a bit of preparatory work and should therefore be dealt with as early as possible. Given the recent nature of the issue, the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) is also likely to lack established routines, which is why a certain period of lead time should be scheduled for a successful application procedure. This article provides an initial overview of the requirements to be fulfilled in order to obtain authorisation as a European CSP (in time). For a more detailed insight, we also recommend a look at the newly published Elgar Commentary on the European Crowdfunding Service Providers Regulation (for the authorisation procedure, see Aschenbeck/Engler in chapter 13).
All CSPs that fall within the scope of the ECSPR are subject to authorisation. Read more about who and what is covered by the ECSPR (in German).
However, a European authorisation requirement applies regardless of whether CSPs want to operate Europe-wide (keyword: EU passporting) or (continue to) address the national market exclusively. It would be incorrect to assume that a national player is not affected by the ECSP issue simply because it operates purely nationally.
To determine whether a CSP falls within the scope of the ECSPR and requires an ECSP authorisation, it is necessary to consider the specific business model on a case-by-case basis. A brief analysis of the typical business models of crowdfunding platforms in Germany can be found here (in German), although this cannot replace a case-by-case analysis.
If an authorisation is required according to Art. 12 ECSPR, a corresponding application must be submitted. The following gives an overview of the application process and the content of the application.
Submission of the application
Although the ESCP authorisation is a European authorisation, its granting (as well as its withdrawal) is the responsibility of BaFin in Germany. BaFin is obliged to acknowledge receipt of the application in electronic or paper form to the applicant within ten working days of receipt of the application, without prejudice to the deadline for assessing the completeness of the application. This acknowledgement of receipt must contain the contact details of the people processing the application for authorisation.
Content of the authorisation application
Potential crowdfunding service providers submit their application for authorisation using a standard form provided by the EU Commission in the Annex to Delegated Regulation (EU) 2022/2112 of 13 July 2022. The application form is likely to serve primarily as a kind of cover sheet for the application, referring to a variety of annexes.
The application for an authorisation shall contain all information and documents which are mandatory under the ECSPR for each subject area of the application form. These requirements are specified by regulatory technical standards of the European Securities and Markets Authority (ESMA).
Overview of the required information
In the application form, the CSP has to provide some information about itself, its offer and its internal structures.
First of all, some information on the applicant itself must be provided, such as its name, website and address as well as the names and contact details of the responsible contact persons for the authorisation application. In addition, the legal form of the CSP must be indicated and the articles of association must be submitted.
In addition, a business planmust be submitted, which must meet certain requirements of the ECSPR. This plan must include information on the types of crowdfunding services, information on the crowdfunding platform and marketing strategies.
Among other things, it must be clear which concrete crowdfunding services the CSP intends to offer. These can be as follows:
In addition, the business plan must also indicate which other services and activities the CSP intends to provide, whereby the standard form provides a catalogue from which the applicant must choose (for example, custody of client assets, payment services or the use of special purpose vehicles for the provision of crowdfunding services).
The business plan must also include information on the crowdfunding platform. For example, the following must be shown:
In relation to the distribution of the crowdfunding offers, the CSP shall also set out its European marketing strategy (that is, a description of the marketing strategy that the potential crowdfunding service provider intends to use in the Union is required) including the languages of the marketing communications, disclosure of the Member States where most media advertising is carried out and the means of communication likely to be used.
Description of the governance arrangements and internal control mechanisms
The core of the application is the information on the internal structures of the CSP. This section must describe how the governance arrangements and internal control mechanisms of the CSP are designed. This also includes its risk management and accounting procedures. For this purpose, an organisational chart must be drawn up, showing the distribution of tasks and powers, and information on staff development must be provided. Risk management includes strategies and procedures for the identification, control and monitoring of risks – these must also be presented.
Description of the systems, means and procedures for controlling and securing the data processing systems
The CSP must name and describe in the application its systems, resources and procedures for controlling and securing the data processing system, as well as provide information on operational risks.
Description of operational risks
In addition, the CSP must describe in the application, among other things, risks related to the IT infrastructure and procedures as well as the risk related to the determination of the offer, if applicable; risks related to the custody of client assets and the payment services; risks related to the outsourcing of operational tasks and other operational risks.
Description of the regulatory collateral
The application form also provides for a description of the regulatory collateral, which includes, for example, own funds and insurance policies – evidence of which must be provided. At this point, the individual items and the total amount of the regulatory collateral must be named and set in relation to the fixed overhead costs. In addition, a forecast of the required regulatory collateral for the first three business years is prepared.
Description of the business continuity plan
In addition, information is required on a so-called business continuity plan, that is, a plan for the continuation of critical services in the event of a crisis – the failure of the (potential) CSP.
Holder control procedure
With regard to shareholders who directly or indirectly hold at least 20 % of the capital shares or voting rights, the application provides for a bearer control procedure. This means that the CSP must provide proof of reliability for each person.
While a holder control procedure is not a novelty in itself, experience in other licensing procedures has shown that it can be a time-consuming point in terms of preparation.
Procedure for the key investment information document Finally, the process by which the key investment information sheet (Anlagebasisinformationsblatts – ABIB) is reviewed for completeness, accuracy and clarity shall be described, as well as the process for assessing the appropriateness of the crowdfunding services offered to investors. This shall include, in particular, the description of the information to be provided to non-sophisticated investors regarding their experience, investment objectives, financial situation, general understanding of the risks associated with financial investments and understanding of the risks associated with the investments offered on the crowdfunding platform.
Information must be provided on conflict-of-interest procedures, outsourcing arrangements, complaints management, outsourcing arrangements and whether it is intended to provide payment services (itself) (and if so, which ones).
Additional information and evidence regarding management
Further documents concerning the natural persons responsible for the management of the potential crowdfunding service provider must be submitted. Specifically, proof of reliability must be provided as well as proof that they have sufficient knowledge, skills, and professional experience for the management of the potential swarm financing service provider.
For this purpose, criminal records should usually be requested. In addition, both management experience and theoretical knowledge should be demonstrated.
The other activities of the directors must be disclosed to demonstrate that the directors are able and willing to devote the necessary time to their duties.
In practice – in the context of other BaFin authorisation procedures (such as MiFID II) – it has been seen that this is not a mere formality. Rather, BaFin has quite high expectations of both reliability and professional suitability. Therefore, this requirement should not be underestimated when applying.
Once authorisation has been granted, it extends to the crowdfunding services specified in the application. If a CSP wishes to expand its range of services, it must go through a new procedure. In this procedure, however, the entire application for authorisation does not have to be resubmitted. The procedure merely serves to supplement and update the information already provided.
If a CSP authorised under the ECSPR wishes to provide its crowdfunding services in a Member State other than the one in which it is licensed (EU passporting), this is not directly covered by the authorisation. The CSP must provide the competent supervisory authority for the project further information specified in the ECSPR – which can also be done at the time of application.
If a CSP already held an authorisation under other laws applicable to CSPs before the ECSPR came into force, certain privileges apply to it when applying for ECSP authorisation. This is intended to facilitate the application procedure for CSPs with an existing authorisation (for example under PSD II or MiFID II).
A CSP that requires an ECSP authorisation – at the latest from 10 November 2023 – must provide BaFin with a whole range of information and evidence. The authorisation procedure is therefore a very demanding and time-consuming process which, due to the topicality of the issue, still involves some unanswered questions.
The authors of this article deal extensively with the process of obtaining authorisation in Chapter 13 of the first commentary on the ECSPR (Elgar Commentary on the European Crowdfunding Service Providers Regulation). This innovative commentary contains contributions from internationally recognised experts with extensive and diverse backgrounds and provides a comprehensive, critical and thematic analysis of the ECSPR. Chapter 13 deals with the authorisation procedure, the scope of authorisation and the ESMA register for CSP. In addition to a comparison of the ECSPR with other European regulatory frameworks (MiFID II, PSD II), the chapter focuses on providing an overview of who must apply for authorisation as a CSP, where and how. In particular, the chapter analyses the required content of the application letter and the related requirements to obtain the permission. The chapter also addresses cases where CSPs wish to extend their crowdfunding authorisation to other crowdfunding services and/or CSPs also wish to provide other services requiring authorisation (MiFID II or PSD II) for which they may or may not already have authorisation. In addition, the application process itself is outlined. The commentary is available in print as well as online.