Today the entire financial sector runs on ICT: payments, trading, lending, and investment services are fully dependent on stable digital systems. Because of the strong interconnectedness of more than 22,000 financial entities, local incidents can spread across borders at lightning speed, leading to large-scale disruptions and loss of confidence in the system. After the 2008 economic crisis, the focus was mainly on capital and solvency, while the digital infrastructure received relatively little attention.

That changed when the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) advised to create a single, sector-specific European framework for digital operational resilience. The previous patchwork of national rules caused fragmentation within the EU, higher compliance costs for all involved, and above all: inconsistent requirements for testing resilience and monitoring third-party ICT providers.

DORA aims to change that with a single common rulebook that places stability, market integrity, and consumer protection at its core. In this article, we guide you through the regulation’s main building blocks, its impact on different types of institutions, and the new reality for critical ICT service providers such as Amazon Web Services, Google Cloud, Microsoft, and Equinix.

What is DORA?

DORA (the Digital Operational Resilience Act) is an EU regulation that has been in force since January 2025 and is directly applicable in all Member States. The rules apply to a broad range of financial entities, including banks, insurers, payment institutions, investment firms, and crypto service providers. Instead of having scattered rules on ICT risks, DORA consolidates all requirements into a single, integrated framework for digital operational resilience.

DORA was deliberately designed as a regulation rather than a directive to promote harmonization and limit national divergences. In the Netherlands, DORA also acts as a lex specialis in relation to the Network and Information Security 2 Directive (NIS2 Directive): for financial entities, the DORA rules on ICT risk take precedence over the general Cybersecurity Act and other laws, regulations, or decisions that overlap with it. This prevents institutions from facing conflicting requirements regarding cybersecurity and incident reporting.

The five pillars of DORA

DORA is built on five interrelated pillars that together are designed to ensure digital resilience. These pillars are further elaborated in the regulation through technical regulatory and implementing standards. So far, seven such technical standards have been issued, the list below reflects the current state of play. As things stand now, the framework looks as follows:

1. An integrated ICT risk management framework
   Financial entities are required to have a solid, comprehensive, and well-documented framework for ICT risk management.
   
   • RTS on Risk management: these technical standards specify how institutions must structure, monitor, and control their ICT risks, with a simplified regime for smaller entities.
   • RTS on ICT services performed by ICT third-party providers: Specifies the detailed content of policy requirements for contractual arrangements regarding ICT services supporting critical or important functions provided by ICT third-party service providers.
2. Incident detection and reporting obligations
   Financial entities must establish processes to detect, manage, and record ICT-related incidents. Major incidents must be mandatorily reported to the competent authorities within strict deadlines using harmonised templates.
   • RTS on Classification of ICT incidents: these technical standards define when an ICT incident qualifies as “major” and must therefore be formally reported to the supervisor.
   • RTS on Incident reporting: these technical standards set out which information institutions must provide at each stage of a major ICT incident and how voluntary threat notifications are handled.
3. Testing digital resilience
   To identify vulnerabilities in security, entities must regularly test their systems and personnel. The testing level depends on the size and importance of the institution and the associated risk profile.
   • RTS on TLPT testing: these technical standards establish rules for the design, execution, and follow‑up of threat‑led penetration testing at significant institutions.
4. Managing third‑party and outsourcing risks
   Strict rules apply to managing risks arising from reliance on external ICT providers. Contractual agreements must include requirements such as audit rights and exit strategies. Additionally, a specific oversight framework is established for providers designated as "critical".
   • RTS on Outsourcing: these technical standards prescribe the minimum policies and contractual terms required when outsourcing critical or important ICT services.
   • RTS on Critical ICT service providers: these technical standards harmonize how European supervisory authorities jointly exercise oversight over ICT service providers designated as “critical.”
5. Information sharing
   Financial entities are encouraged to voluntarily exchange information and intelligence on cyber threats within trust communities. By sharing tactics, techniques, and warnings, institutions can limit the spread of threats and strengthen their collective defense capabilities.

ICT risk management framework and inventory

Under DORA, the management body bears full responsibility for managing ICT risks. Board members must approve policies for ICT business continuity, response, and recovery plans, ensure they are periodically evaluated, and actively oversee their implementation. They must also demonstrate that sufficient budget and skilled personnel are available to meet all requirements.

In addition, board members have a legal obligation to maintain their knowledge of ICT risks through specific training programmes. This makes digital resilience an explicit board‑level responsibility rather than a purely IT matter. In practice, this means that, for example, a medium‑sized bank cannot rely solely on an annual report from the Chief Information Security Officer (CISO); board members should be able to ask and answer concrete questions about patch management, IT backup strategies, and dependencies on potential cloud providers. DORA does not specify what the minimum level of this knowledge should be, or how often “regular” means. Must a board member be able to discuss encryption in technical detail, or is a general understanding of cyber risks sufficient? These open standards will need to be defined in practice over time.

Every financial institution must have a sound, comprehensive, and documented ICT risk management framework. A person responsible for managing and overseeing the ICT risk policy must be designated, with sufficient independence to avoid conflicts of interest. This framework is subject to periodic internal audits, with the frequency and depth aligned to the institution’s risk profile.

An important step within this framework is the inventory of functions and assets. Institutions must map all ICT‑supported functions, processes, information, and ICT assets, including interdependencies. This explicitly includes identifying critical or important functions and the third parties on which they depend. A function is critical if a disruption would cause material prejudice to the institution’s financial performance or continuity. Institutions must determine for themselves the threshold at which a process becomes “critical,” or what constitutes “material prejudice.” For a payment service provider that processes transactions via a data centre, it can be said that a disruption in that data centre could cause material prejudice to a critical process of that financial institution. Whether this also applies to data analyses running on Google’s cloud services remains to be seen. Institutions will always need to assess what is critical and what is not. Both types of dependencies will ultimately be clearly documented and categorized.

Security, continuity, incidents, and testing

DORA requires a consistent information security policy that ensures the availability, integrity, and confidentiality of data. This includes preventive measures (logical and physical security, access controls, patch management policies), detection mechanisms for anomalies and incidents, and a detailed ICT continuity policy with concrete response and recovery plans. Financial institutions must establish processes to classify and log ICT incidents. Major ICT‑related incidents must be reported to the competent authorities according to a prescribed process. For certain entities (e.g., credit institutions, payment institutions), payment‑related operational or security incidents also fall under this reporting obligation, even if they are not directly ICT‑related.

In addition, DORA mandates periodic testing of digital operational resilience, at minimum for all critical and important ICT systems. For most institutions, regular tests such as vulnerability scans, scenario tests, and failover tests are sufficient. Institutions that are considered to be systemically important or highly ICT‑intensive must conduct advanced threat‑led penetration tests (Threat‑Led Penetration Testing, TLPT) at least every three years. This could mean, for example, that a major bank has its cloud environment at Microsoft or Amazon tested through a simulated attack, including the response capacity of internal teams.

Third parties, outsourcing, and CTPPs

Third parties and outsourcing in general

Institutions must have a clear strategy and policy for engaging external ICT providers, especially for critical or important functions. All such contracts must be recorded in an internal register, including whether the service supports a critical or important function.

An ICT service provider cannot simply subcontract to anyone. Contracts must include several minimum requirements enabling the ICT service provider to demonstrate that the subcontracted party has sufficient expertise and capability. For example, when outsourcing ICT functionalities that may be considered critical or important, the ICT service provider must contractually ensure unrestricted access for inspection by both the service provider itself, the financial entity, and the competent authority. This may even involve on‑site visits to verify the outsourced services. This naturally raises questions about the negotiating power of financial institutions vis‑à‑vis major players. It remains unclear how an institution can meet this strict legal requirement if the provider refuses to deviate from its standard contracts.

What is a CTPP?

A Critical Third‑Party Provider (CTPP) is an external ICT service provider designated as critical by the European supervisory authorities. This designation is based on criteria such as the potential systemic impact of a disruption, the degree of dependency of financial institutions on the provider, and the substitutability of the service provided. The more difficult it is to switch to an alternative, the more likely a provider is to be considered critical.

The first designations took place on 18 November 2025. This list of CTPPs includes, among others, Accenture, Amazon Web Services, Google Cloud, Microsoft Ireland Operations, SAP SE, Equinix B.V., and Kyndryl Inc. In practice, this means that a large part of the European financial sector relies on a limited number of players for cloud services, data analysis, core banking systems, and infrastructure. A disruption or security incident at, for example, Microsoft or Amazon could therefore immediately affect thousands of banks, insurers, and payment institutions simultaneously.

CTPPs feel the regulatory pressure

CTPPs face regulatory pressure under DORA for several reasons. First, they concentrate the risks of the entire sector: as cloud platforms or data centre providers for many systemically important institutions, they bear a disproportionate share of operational risk. An incident at a CTPP such as Google Cloud, Microsoft, or Equinix immediately affects hundreds or thousands of customers, increasing the likelihood of intervention by the Lead Overseer (a European supervisor) and national authorities.

Second, CTPPs are not only addressed through contractual requirements from their financial clients but also directly by European supervisors. They must provide intensive reporting, extensive documentation, cooperate with on‑site inspections, disclose sub‑outsourcing structures, and follow recommendations that may deeply impact their technical architecture and business model.

Third, these are often global players with uniform infrastructure; measures needed to comply with DORA can have domino effects on services in other regions and lead to significant costs. This creates ongoing tension for CTPPs between economies of scale, commercial interests, and compliance with European oversight that has designated them as systemically critical.

Oversight framework, obligations, and sanctions

CTPPs are subject to a specific European oversight framework. One of the three European supervisors (EBA, EIOPA, or ESMA) acts as the Lead Overseer and exercises direct supervision over the CTPP. The CTPP must provide all requested information and cooperate with inspections, including on‑site investigations at offices and data centres, even outside the EU if local authority’s consent.

A CTPP established outside the EU must establish an EU subsidiary within twelve months of designation to continue providing services to EU institutions. If the CTPP is part of a group, one legal entity must be designated as the central point of contact for the Lead Overseer. The CTPP must pay a fee to cover supervision costs and cooperate in good faith with all investigations and requests.

In cases of serious or persistent non‑compliance, the Lead Overseer may impose stringent measures. Options include periodic penalty payments of up to 1% of global average daily turnover, public disclosure of the breach and the provider’s identity, and as a last resort: requiring national supervisors to terminate or temporarily suspend contracts. Imagine structural shortcomings at a global cloud provider like Amazon or Microsoft are not resolved in time; in that scenario, a supervisor could compel financial institutions to rapidly reduce their dependency or even force them to terminate contracts, temporarily or otherwise.

The first round of reporting on critical third parties will take place in the first months of 2026. If this reveals that other ICT providers are responsible for a significant portion of critical systems for EU firms, those parties are also likely to be designated as Critical Third‑Party Providers in the future, with all the consequences that entails.

Information sharing

DORA encourages financial entities to voluntarily share cyber threat intelligence, such as IOCs (Indicators of Compromise), tactics, techniques, procedures, warnings, and configuration tools. This strengthens digital operational resilience by enabling faster threat detection, limiting their spread, and enhancing defence capabilities. The exchange takes place within trust communities of financial entities, with strict safeguards for confidentiality, data protection in accordance with the General Data Protection Regulation (GDPR), and compliance with competition rules.

Participating financial entities jointly establish voluntary arrangements, protocols, or agreements that set out the participation conditions, including any roles for government authorities or ICT service providers. Financial entities must promptly notify their competent supervisors, such as the AFM or DNB, once a trust community has approved their participation application following an internal assessment procedure. This notification obligation also applies upon termination of participation.

What does DORA mean for micro-enterprises?

DORA provides an explicitly simplified framework for micro enterprises. These are financial entities with fewer than 10 employees and annual turnover or total assets of no more than €2 million. The principle remains that the management body is ultimately responsible for ICT risks.

Micro‑enterprises must have an ICT risk management framework but do not need to evaluate it annually, a periodic review is sufficient. They are exempt from comprehensive internal audits of the framework and do not need to designate a separate function to oversee third‑party contracts. Incident reporting obligations remain, but thresholds and information requirements must be proportionate. Micro‑enterprises are also fully exempt from TLPT-testing. They are required to conduct regular tests (such as scans or questionnaires) but may determine the frequency and type of test themselves based on their risk profile and available resources. They must therefore make a “reasonable judgment” between achieving high resilience and their available resources when testing. This is a highly subjective balance that will only be assessed by a supervisor retrospectively.

In practice, this  could mean that a small FinTech start‑up using cloud services from Google or Microsoft, must be able to demonstrate a basic ICT risk management framework from day one during a licence application. At the same time, they are given breathing room through lighter audit and testing requirements, provided they properly understand and manage their dependency on major CTPPs.

Cybersecurity Act for non-DORA companies

For organisations not covered by DORA, the Dutch Cybersecurity Act (Cbw), the implementation of the NIS2 Directive—provides the general framework for digital security. The Act applies to medium‑sized and large enterprises in vital sectors such as energy, transport, healthcare, drinking water, digital infrastructure (including data centres and cloud providers), wastewater, postal and courier services, chemicals, food supply chains, space, research, and various manufacturing industries. Generally, this concerns enterprises with more than 50 employees and annual turnover or total assets exceeding €10 million, although certain entities always fall under the Act regardless of size.

The Cybersecurity Act imposes three key obligations: a duty of care for appropriate security measures, a strict reporting obligation for significant incidents, and explicit management responsibility. Incidents must be reported to the supervisor and the Computer Security Incident Response Team (CSIRT), with deadlines of 24 hours for an early warning, 72 hours for a full notification, and a final report within one month. Board members must receive training on cyber risks and may be held personally liable in cases of serious negligence. Non‑compliance can result in fines of up to €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities. A data centre operator that is not a financial entity but provides critical infrastructure to banks and insurers may therefore fall under the Cybersecurity Act, while its clients fall under DORA.

Conclusion

DORA and the Cyber Security Act together form the new digital foundation of the European financial system: continuity, resilience to incidents, and managing dependencies on third parties have become integral parts of prudent business governance. For financial entities, this means that governance, ICT risk management, processes of incidents, testing of ICT resilience, and handling critical third-party ICT providers are no longer standalone technical topics, but closely interwoven pillars that must demonstrably be in order. DORA promotes voluntary information sharing on cyber threats within trust communities to strengthen sector-wide digital resilience, with strict safeguards for confidentiality, GDPR, and competition rules; participating entities establish participation conditions in joint agreements and must promptly report approval or termination to supervisors such as the AFM or DNB.

Micro-enterprises receive a simplified framework but remain bound by the same core principles: the board is ultimately responsible, they must be a basic ICT risk framework is, and incidents must be reported accordingly. Thus, DORA is not only intended for large systemically important banks but is a framework that affects the entire breadth of the financial sector, from fintech startups to established institutions.

Critical Third-Party Providers are in a unique position, as they simultaneously form the digital backbone of the sector, are directly subject to European supervision, and are often globally active. Measures needed to comply with DORA can have a domino effect on their services in other regions and lead to significant costs increases. They will also encounter DORA through various contractual relationships, as financial institutions are required to make their contracts DORA-compliant. These major players an enormous regulatory pressure.

Ultimately, DORA is best read as a principles-based framework rather than a rigidly detailed handbook. The regulation provides structure and minima but remains unclear on key points and uses many subjective concepts, such as "critical or important functions", "appropriate" measures, and "proportional" requirements. Even after the introduction of technical standards some ambiguity remains. Organisations will need to give meaning these open norms. Practical experience and dialogue with supervisors will determine what is considered sufficient. Entities engaging in serious governance and risk management in collaboration with ICT providers are unlikely to face issues from supervisors. Moreover, they build a robust foundation for the institution's operational resilience. In conclusion: operational resilience is not just another IT issue but forms the core of sound entrepreneurship and system protection within the EU.

Most payment traffic in the Netherlands now takes place electronically. Virtually every resident has a bank account and uses a debit card, mobile banking app, or internet banking on a daily basis. Dependence on banking services is therefore great. Without access to payment traffic, full participation in social and economic life is practically impossible.

Against this background, the legislature has required financial institutions to take active measures against conduct that may undermine the integrity and security of the financial sector. Safeguarding that integrity and combating sector-related crime are among the core responsibilities of banks, insurers, and other financial undertakings. In this article, the term financial institution means: a bank, insurer, mortgage institution, or financing company.

An important instrument within this integrity policy is the Incident Warning System for Financial Institutions (IFI). [1] This system consists of the Internal Referral Register (IVR) and the External Referral Register (EVR). The IFI aims to prevent and combat crime within the financial sector and to limit risks of fraud and other integrity breaches. The processing and exchange of personal data within the IFI are regulated by the Protocol Incident Warning System for Financial Institutions (PIFI), for which the Dutch Data Protection Authority has granted permission.[2] A registration in the IVR or EVR can have far-reaching consequences for those concerned, such as the refusal or termination of a payment account. This article discusses the legal framework for IVR and EVR registrations, their consequences for those concerned, and the available possibilities for legal protection.

Legal framework IVR and EVR registration

Internal Referral Register (IVR)

If a (legal) person is involved or has been involved in an incident at a financial institution, the financial institution may include the relevant data of that (legal) person in its own IVR. Central here is the concept of incident, which is defined in the PIFI as:

“an event that has as a result, could have, or has had the effect that the interests, integrity or security of the clients or employees of a Financial Institution, the Financial Institution itself or the financial sector as a whole are or may be at risk, such as falsifying invoices, identity fraud, skimming, embezzlement in employment, phishing and intentional deception”[3]

The IVR is an internal register that is accessible only to authorised employees of the relevant financial institution. No substantive information about the incident is included in the register.[4] The IVR contains only identifying data: for natural persons this is the name and date of birth, and for legal persons the Chamber of Commerce number, possibly supplemented by the trade name and postcode.

Case law shows that strict requirements apply to an IVR registration.[5] The processing of personal data must comply with the General Data Protection Regulation (GDPR) and the PIFI. The lawfulness of the processing is in principle based on Article 6(1)(f) GDPR: the processing must be necessary for the legitimate interests of the financial institution. This requires a concrete and careful balancing of interests.

External Referral Register (EVR)

If there is a serious incident, the financial institution is obliged to include the personal data of the relevant (legal) person in the EVR. According to the PIFI, this is the case if the following conditions are cumulatively met:

the conduct forms, has formed, or may form a threat to (i) the (financial) interests of clients and/or employees of a financial institution, or the organisation of the financial institution itself, or (ii) the continuity and/or integrity of the financial sector;
it is sufficiently established that the relevant (legal) person was involved in that conduct (in principle, a report or complaint is then made to an investigating officer); and
the principle of proportionality is observed.[6]

According to settled case law, for an EVR registration it is required that there are such concrete facts and circumstances that they could support a conviction in the sense of Article 350 of the Dutch Code of Criminal Procedure. The suspicion must be stronger than a reasonable suspicion of guilt. A criminal conviction is, however, not required. It is up to the financial institution to substantiate and concretise the registration decision properly.[7]

Access, duration, and consequences of registration

Personal data included in the EVR are accessible to all financial institutions affiliated with the IFI.[8] Consultation takes place through the External Referral Application (EVA), which works with a so-called hit/no-hit system. In the event of a hit, it becomes visible that a person is listed in a register, without direct access to substantive information about the incident.[9]

Registrations in both the IVR and the EVR have a maximum duration of eight years, counted from the date of registration. Financial institutions must, with due regard to the principle of proportionality, explain why a particular registration period was chosen. The registration must also be terminated as soon as the conditions justifying it are no longer met.[10]

The practical consequences of a registration are considerable. Financial institutions may decide not to provide new services, such as opening a payment account, granting credit, or concluding insurance, or may terminate existing customer relationships. This directly affects the ability of the person concerned to participate fully in social life.

Legal protection of the registered person

Right of access, rectification, and deletion

A registered person has the right to access the personal data processed about them.[11] The financial institution may only grant access after the person concerned has identified themselves.[12] Within one month after receipt of the request, the institution must indicate whether personal data are being processed and, if so, which data. This period may be extended by up to two months in the case of complex or extensive requests, provided that the person concerned is informed in time. [13]

If the data provided prove to be inaccurate or incomplete, the person concerned has the right to rectification. In addition, a request for deletion of personal data may be made under Article 17 GDPR. Access may be refused in exceptional cases, for example if this is necessary to prevent, investigate, or prosecute criminal offences or to protect the rights and freedoms of third parties.[14]

Right of objection

In addition to access and rectification, the person concerned may at any time object to the processing of their personal data in the IVR or EVR on the basis of special personal circumstances.[15] This may arise, for example, in cases of identity fraud or where the factual basis for the registration is absent or insufficient. The financial institution must in principle respond to the objection within one month.[16] This period may, if the complexity of the case justifies it, be extended by up to two months, provided that the person concerned is informed within the original period.[17]

If the person concerned cannot agree with the outcome, they may submit the matter to the board or management of the financial institution.[18] If no solution is reached, the matter may be submitted to the Financial Services Complaints Institute, the Foundation for Complaints and Disputes in Health Care, the Dutch Data Protection Authority, or the civil court.

Opening an account with Dutch and foreign banks

EVR registration and banks within the EU

The IFI is a national registration system that applies only to financial institutions affiliated in the Netherlands.[19] Banks established outside the Netherlands, including within the European Union, are in principle not affiliated. This means that a (legal) person registered in the EVR in the Netherlands can, in theory, still open a payment account with a bank in another EU Member State.

Right to a basic payment account

The right to a basic payment account is regulated in the Financial Supervision Act (Wft). Under Article 4:71f Wft, every bank that offers payment accounts to consumers in the Netherlands is obliged to offer a basic payment account to anyone lawfully residing in the European Union. A bank must refuse an application if, when opening the account, it cannot comply with the obligations under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft).[20] A bank may refuse a basic payment account if the applicant:

cannot demonstrate a genuine interest in opening a basic payment account in the Netherlands;
has an application pending for a basic payment account with a bank established in the Netherlands or already maintains a payment account with another bank established in the Netherlands (unless that account will be closed);
was convicted less than eight years ago by a final judgment for an offence such as forgery, knowingly providing false information, embezzlement, bankruptcy fraud, or money laundering;
had a basic payment account terminated less than two years ago because the applicant knowingly used it to commit criminal offences; or
refuses, if asked, to sign the declaration referred to in paragraph 3.[21]

The bank may check in advance with other banks whether the applicant already has a payment account and may ask the applicant to sign a declaration that they do not have, or have not applied for, an account elsewhere.[22] A registration in the EVR does not constitute an independent statutory ground for refusal, but in practice it will weigh heavily in the assessment of whether the Wwft obligations can be met.

Basic Bank Account Convention

For persons who no longer have access to a regular payment account, such as EVR-registered persons, the Basic Bank Account Convention provides an additional safety net. With the implementation of Directive 2014/92/EU, the basic payment account was indeed legally anchored at EU level, but the Convention remains socially relevant because it offers a second chance to persons who would otherwise fall through the cracks.[23]

The Convention provides for a private payment account package that in any case includes:

• holding and using a payment account;
• access via internet banking and/or a mobile banking app;
• the ability to receive incoming transfers;
• having a debit card;
• consulting and storing statements digitally; and
• the ability to give direct debit authorisations.

Conditions are attached to opening and maintaining a basic bank account. The applicant must, among other things, not have another payment account in the Netherlands, must fully inform the bank, and must grant permission to obtain information from other banks.[24] In addition, obligations apply such as preventing unauthorised overdrafts, complying with the applicable bank conditions, and timely reporting of changes of address and contact details; where accompanied by a social support institution, the applicant must also be accompanied by an employee of that institution for certain banking matters.

The bank may refuse an application for a basic bank account if the applicant is or has been involved in fraud, abuse of trust, fraudulent bankruptcy, forgery, money laundering, and/or fraud.[25] These are often persons who are listed in the IVR or EVR.

An exception to this rule applies when the request is made through a recognised social support institution.[26] In that case, the payment account must be managed by the social support institution.[27]

The bank may also terminate the basic bank account for compelling reasons, such as misuse. In principle, a notice period of 30 days applies so that the account holder can find an alternative bank, unless there are such serious facts or such gross negligence or intent that immediate termination is justified.[28] Misuse of an account opened under the Convention leads to termination, after which the person concerned can no longer claim a new account under the same Convention.[29]

Banks' duty of care

Although banks in principle enjoy contractual freedom, their special social position entails a far-reaching duty of care. Without a bank account, participation in economic and social life is hardly possible. The European legislature expressly recognised this interest when implementing Directive 2014/92/EU.[30]

For consumers, access to a basic payment account is legally guaranteed. For legal persons, this obligation does not apply directly. This does not mean, however, that the contractual freedom of banks in relation to legal persons is unlimited. Case law has accepted that, in special circumstances, banks may be obliged to enter into a contractual relationship, partly in view of their social function and duty of care.[31]

Conclusion

IVR and EVR registrations are an essential, but intrusive, instrument within the integrity policy of the financial sector. Strict requirements apply to registration: it requires a concrete factual basis and compliance with the principles of necessity and proportionality under the GDPR, the PIFI, and the applicable case law.

By contrast, the consequences for those concerned are far-reaching, such as long-term registration, refusal of banking services, and the risk of social exclusion. This makes carefully reasoned decision-making and periodic reassessment indispensable. The available legal remedies, as well as the statutory basic payment account and the Basic Bank Account Convention, serve as necessary safeguards for minimum access to payment services. In this tension, the special duty of care of banks becomes clear: with every registration decision, the interest in protecting integrity must be carefully balanced against the fundamental interest in financial inclusion.

[1] Art. 3.1.1 & art. 3.1.3 PIFI.

[2] Art. 1.3 PIFI.

[3] Art. 2 PIFI.

[4] Hof Leeuwarden 7 november 2023, ECLI:NL:GHARL:2023:9394, r.o. 3.19.

[5] Gerechtshof Amsterdam 13 juni 2017, ECLI:NL:GHAMS:2017:2284.

[6] Art. 5.2.1 PIFI.

[7] Rechtbank Rotterdam 25 januari 2021, ECLI:NL:RBROT:2021:1518, r.o. 4.6.

[8] Art. 4.3.3 & 5.3.2 PIFI.

[9] Art. 4.3.3 & 5.3.2 PIFI.

[10] Art. 4.3.1 & 5.3.1 PIFI.

[11] Art 9.3.1 PIFI.

[12] Art 9.3.2 PIFI.

[13] Art 9.3.3 PIFI.

[14] Art. 9.3.4 PIFI.

[15] Art. 9.5.1 PIFI.

[16] Rechtbank Rotterdam 25 januari 2021, ECLI:NL:RBROT:2021:1518, r.o. 4.10 & 4.11.

[17] Art. 9.5.2 PIFI.

[18] Art. 10.1 PIFI.

[19] Art 1.2 PIFI.

[20] Art. 4:71f lid 1 Wft.

[21] Art. 4:71g lid 2 Wft.

[22] Art. 4:71g lid 3 Wft.

[23] Het Convenant verwijst naar het Convenant inzake primaire betaaldiensten. De betaalvereniging Nederland is de beheerder van dit Convenant.

[24] Art. 3 Convenant.

[25] Art. 4.1 Convenant.

[26] Art. 4.1 Convenant.

[27] Art. 4.1 Convenant.

[28] Art. 12 Uitvoeringsinstructie convenant.

[29] Art. 12 Uitvoeringsinstructie convenant.

[30] Kamerstukken II, 34480, nr. 3, p. 2.

[31] Hoge Raad 5 november 2021, r.o. 3.2.

In the dynamic world of financial technologies (FinTech), digital payment services have become a daily occurrence. Paying online via, for example, iDeal, Tikkie or Paypal. These services, ranging from digital wallets to entire online payment platforms, have dramatically changed the way people manage money and make payments. Although this makes online payments easier, it has actually only become more complicated from a legal point of view.

In this blog, we will take a closer look at the legal framework behind these digital payment services. What are digital payment services? How can you differentiate between the different institutions? And how strict is its financial supervision?

The Payment Chain

To get a better idea of the different payment services out there, it is useful to first get an overview of the payment chain. Below is a typical SEPA payment[1] :

• Step 1: The payment starts with the initiation. To do this, the payer needs a payment instrument. This can be pretty much anything you can use to initiate a payment order, such as a mobile banking app or a debit card. The payment order itself contains all the relevant information, such as the amount and the beneficiary's bank account.
  
  
• Step 1a: This first step is also where many FinTech companies are active. Companies such as iDeal and Payconiq make it very easy to initiate payment orders. For example, the correct amount and bank account of the beneficiary are automatically entered when paying on a webshop. In this way, sending the payment order is made increasingly easy.
  
  
• Step 2: The payment order is then received by the payer's payment service provider. This is often the bank where the payer holds its payment account. This payment service provider then carries out a number of checks. For example, it checks whether the payment order also contains all the necessary information and whether there are enough funds in the account. If all checks are successful, the amount will be deducted from the payer's payment account.
  
  
• Step 3: Payment service providers of both the payer and the recipient are affiliated with a so-called settlement system. These are systems that settle payment transactions between payment service providers (often banks). The settlement system is managed by an independent organisation in which the banks themselves, in turn, hold an account. This organization is called a 'Payment Processing Service Provider', such as VISA or Mastercard. All the different transactions come in here and are settled with each other. Thus, the payer's payment service provider, after carrying out its own checks, sends a message to a payment processing service provider, which then enters into the settlement system that a payment is being made from one payment service provider to another.
  
  
• Step 4: The recipient's payment service provider will then receive a message from the settlement company, containing the details of the payment that has been made. The latter will then credit money to the recipient's payment account based on the information it has received from the settlement company.
  
  

What are Digital Payment Services?

Digital Payment Services is actually a collective term for payment related services that a company could offer (online/digitally), such as online payments and a digital wallet. Previously, many of these services were provided by a bank, but with the rise of 'open banking', these services have become more disaggregated and can be more easily provided by (third-party) FinTech companies. A "Payment Service" is legally defined in the Payment Services Directive 2, or "PSD2".[2] It also makes it clear what different payment services there may be. This includes:

• Managing a payment account: Managing a payment account is generally associated with a traditional bank, but with the rise of open banking and new FinTech companies like Monese, it no longer has to be that way. FinTech companies are constantly looking for ways to modernize payment account management.
• Carrying out payment transactions on a payment account: This involves transferring money to a payment account. This is not about initiating the payment order, but about its actual execution. These types of transactions are also associated with the traditional bank.
• Account information services: these are services that only provide information about the underlying account. For example, CashFlow, a product from Inverse that focuses on providing automated financial planning and cash flow management. It uses account information to provide insight into the financial situation of businesses and individuals.
• Withdrawing and depositing cash: in order to be able to put cash in a payment account, one will have to go to a physical location. FinTech companies like Monese therefore enter into contracts with local offices that receive the money for them, offering the services of traditional banks in a modern and cost-efficient way.
• Initiation of (internet) payments: think of iDeal or Payconiq (now both part of the European Payments Initiative), which ensure that consumers can easily pay in (web) shops. The bank account itself is not held with iDeal or Payconiq. These companies only work as intermediaries and initiate the payment order, as shown above in Step (1a). Of course, you can also initiate the payment order yourself by filling in a form in your online banking environment, but these types of FinTech companies make the initiation a lot faster and easier.
• Issuance of payment instruments: where the payment instrument used to be mainly the debit card, nowadays it is increasingly an app or digital wallet. These apps and wallets are payment instruments issued by companies such as Payconiq, SumUp and Tikkie.
• Acceptance of payment transactions: especially with webshops, it is important to be able to easily accept and process payment transactions, so that a smooth transfer of funds to the beneficiary occurs. If, for example, you can pay with Payconiq on a webshop, Payconiq will provide the service of acceptance and processing of the payment transaction for the webshop.
• Money remittances: this is a payment service that allows you to transfer money directly to a beneficiary, provided by companies such as MoneyGram and Western Union. This is often used to transfer money to someone where a regular bank transfer is not easy. Normally, therefore, money remittances are used to transfer money to a beneficiary abroad. This may be because there is a long processing time between banks that cannot be waited for or because the beneficiary does not have their own bank account at all. Payment institutions providing money remittances also don't open a payment account for you. The payment institution only receives the money (by bank transfer or cash) and passes it on to the beneficiary (again by bank transfer or in cash at its office in the beneficiary's country).
  
  

What is Open Banking?

Open banking is a concept that revolves around sharing financial data from bank accounts with third-party financial service providers via APIs (Application Programming Interfaces). This principle is embedded in PSD2[3] and allows consumers to give third parties access to their financial data, with their explicit consent of course.

The idea behind open banking is to encourage more competition and innovation in the financial sector by making it easier for new players to access financial data. This allows consumers to benefit from a wider choice of products and services that better meet their needs. This has led to an explosion of new players in the market, such as Fintech companies offering payment initiation and account information services. As a result, the work of one all-encompassing institution (a bank) has been divided into smaller services that can now be carried out by specialised FinTech companies.

Payment Institution or Credit Institution?

At both the national and European level, various terms are used to describe payment service providers, such as electronic money institution, payment institutions and credit institutions. These different designations can be confusing even for professionals, let alone outsiders to the financial world. At the same time, understanding these definitions is essential for financial supervision, as they determine which supervisory regime applies to a company. This is important to ensure the security of financial transactions. In particular, due to the rise of FinTech companies in recent years, which often offer different financial services, it is becoming increasingly difficult to place these companies in clear categories. It therefore remains a challenge for legislators and regulators to ensure that legislation is kept up-to-date and enforcement is effectively implemented. In this blog, I won't go into detail about the differences between these terms, but I will try to give a sketchy summary of them.

Let's start with the biggest player – a bank, also known as a credit institution. If it is possible to deposit or withdraw money to and from a payment account where you can get interest or credit, then we are dealing with a bank. This forms the basis for executing transactions. Once you have a payment account, you can put money into it, but the transaction itself is made up of several components. If a company only wants to perform one of these components, without actually keeping money for you in a bank account, then we are dealing with a payment institution. These are companies that offer payment services, as described earlier. This includes services for providing account information and initiating payments. So, a payment institution is not always a bank, but a bank is always a payment institution. Accordingly, a banking license encompasses a wide range of activities. The license of a payment institution, on the other hand, is 'smaller', because it encompasses less than a banking license. The financial supervision of payment institutions is therefore logically less demanding. However, it is more difficult to distinguish between a bank and an electronic money institution.

The Electronic Money Institution

Now let's look at another player: the Electronic Money Institution (or 'EMI'). Although both a bank and an EMI were previously included in the definition of 'credit institution', the European legislator has revised the rules for EMIs in order to facilitate market entry and promote innovation. As a result, EMIs have become a type of institution in their own right. This type of institution issues electronic money in exchange for scriptural money, which can then be used for payments to various parties. Unlike a bank, an EMI does not (or no longer) keep the deposited money under the same strict regulation as a bank. EMIs, like payment institutions, are no longer subject to liquidity requirements. However, they still need to comply with specific regulations and need a license to offer these services. The conditions for such a licence have also largely been brought in line with those of a payment institution. An exception to this licensing requirement is electronic funds with limited uses (such as a gift card to shop at one particular store),[4] or if no more than 3 million euros in transactions are made annually.[5]

Similar to a payment institution, EMIs can offer a variety of services, including the provision of payment cards or the facilitation of digital payments through mobile apps or online platforms. These institutions often play an important role in facilitating electronic transactions and can be attractive to consumers and businesses looking for alternatives to traditional bank accounts. This often does not require a separate permit, as this will be included in the existing permit of the EMI.[6] Ultimately, the European Commission's aim is to integrate the payment institution and the EMI into a single institution in the longer term.

What is Electronic Money? And is it safe?

An important question that arises is what exactly is meant by 'electronic money'? Isn't the scriptural money that is at the bank and visible online also just 'electronic money'? So what is the difference with an EMI?

The definition of electronic money has been revised in the E-money Directive (EC) 2009/110 (E-money Directive) and is now quite broad. This means that both money on a plastic card (such as a gift card) and electronic money stored on a central server fall within the scope of the definition. As a result, scriptural money could perhaps also be seen as electronic money, but the law makes a distinction between them. The distinction is mainly in the order and use of it. With cash or scriptural money, electronic money can be purchased as a means of payment. This purchased electronic money has a limited function. It can only be used as a means of payment for products or services. An EMI will therefore not be able to give you interest or credit, as a bank can.[7] The electronic money will therefore also always have to be paid in advance (otherwise it will become a credit). There can't even be a direct debit afterwards. So you can think of it as a kind of prepaid credit, which you can spend in many places.

However, an important difference is that because money issued by an EMI is not classified as scriptural money, it is also not considered a deposit. As a result, an  electronic money wallet with an EMI is not covered by the deposit guarantee scheme, while this does apply to bank accounts in the EU. The deposit guarantee scheme is a scheme designed to protect account holders' money if a bank fails (up to a certain amount). Therefore, if an EMI goes bankrupt, account holders are not entitled to compensation from the deposit guarantee scheme for the money they have stored in their wallets. However, there is another form of protection. An EMI must secure the money they hold in these wallets (also known as the 'float'). They do this by not mixing these funds with the funds of other creditors, such as financiers of the EMI. In the Netherlands, this practically means that the money is held in a bank account that is in the name of an independent third-party funds foundation (stichting derdengelden).

EMIs are also currently outside the resolution regime that has been put in place to bail out banks (and insurers) in the event of imminent failure. This means that there will be no bail-outs for EMIs. The reasoning behind this is that banks play an essential role in the stability of the economy, while EMIs do not. They are not so closely intertwined with the economy that they are indispensable. Nevertheless, bank accounts are essential for numerous economic activities in our society. Even an EMI, or its third-party funds foundation, needs a bank account to secure its money.

Emerging changes

Although many new laws and regulations have been introduced in the field of (digital) payment services in recent years, there seems to be no end in sight. A lot of harmonisation (and simplification) is needed to ensure that legislation is as modern and clear as the FinTech it regulates. In 2023, the European Commission made a proposal to merge PSD2, the Electronic Money Directive and the Settlement Finality Directive 98/26/EC into one new directive, the 'Directive on Payment Services and Electronic Money Services in the Internal Market' or PSD3.[8] The Commission's proposal focuses on the provision of payment services and e-money services, with a specific focus on the authorisation and supervision of payment institutions. It comes after a thorough review of PSD2 in 2022, which found that adjustments were needed to improve the effectiveness of the directive.

This initiative is in line with broader EU strategies, such as the EU Digital Finance Strategy, which aim to promote digital innovation in the financial sector and strengthen the internal market for financial services. The proposal is also supported by other relevant legislation, such as the Single Euro Payments Area (SEPA) Regulation and the General Data Protection Regulation (GDPR). The proposal for a revision of PSD2 is expected to generate debate within the EU institutions and stakeholders in the financial sector.

Conclusion

Offering digital payment services is an exciting yet challenging field for FinTech companies. In addition to developing innovative technologies and attracting customers, these companies must also comply with a complex web of laws and regulations. By working closely with legal experts and remaining proactive in monitoring changing regulations, FinTech companies can operate successfully within this legal landscape and continue to contribute to the growth of the digital economy.

[1] SEPA stands for 'Single Euro Payments Area' and is a European project that has generated many laws and regulations in order to harmonise and facilitate payments between banks in Europe.

[2] Directive EU/2015/2366. For more information on PSD2, see https://www.dnb.nl/voor-de-sector/open-boek-toezicht/wet-regelgeving/psd2/

[3] Art. 35 en 36 PSD2.

[4] Art. 1:5 Financial Supervision Act (Wet op het financieel toezicht - 'Wft').

[5] Art. 1a Exemption Scheme under the Financial Supervision Act (Vrijstellingsregeling Wft).

[6] Art. 2:3a sub 2 Wft.

[7] Art. 4:31 Wft.

[8] https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX:52023PC0366

As an entrepreneur or small business owner in the Netherlands, understanding business law is essential to establishing and growing your business on a solid legal footing. While the law can seem intimidating at times, it doesn't have to be. In this knowledge blog, we will explore the basics of business law and discuss some key considerations to keep in mind. 

Forms of business

One of the first decisions you have to make when starting a business is choosing the right business form. The most common forms of small business are sole proprietorships, limited liability companies (BVs), and limited liability companies (NVs). Each form of business has its own legal implications regarding liability, taxation, and operational responsibilities. Make sure you're making the right choice based on your business goals and needs.

Sole proprietorship (eenmanszaak)

A sole proprietorship is the simplest form of business structure and is often chosen by solo entrepreneurs. You are personally responsible for all business debts and legal liability. This means that your personal belongings could be at risk in the event of business problems. However, it also offers easy administration and tax benefits.

Limited Liability Company (BV)

The B.V. (besloten vennootschap) is a separate legal entity from the owner(s). As a result, you are usually not personally liable for the company's debts. However, setting up a BV may entail administrative and financial obligations. It is important to carefully weigh the pros and cons and seek professional advice when choosing the business form.

Public Liability Company (NV)

A public limited company N.V. (naamloze vennootschap) is suitable for larger companies and can be publicly traded on the stock exchange. This involves more complex regulations and reporting obligations than a private limited company. However, attracting investors and raising capital is easier.

Contracts

Contracts are the backbone of business transactions. They cover various business activities, such as procurement, collaborations, human resources, and intellectual property. Well-drafted contracts prevent misunderstandings, disputes, and protect the company's interests. It is therefore good to know the basic principles of contract law. Here are some tips:

• Clear language: Use understandable language in your contracts to avoid misunderstandings. Avoid legal jargon if you don't need to. Don't just copy text from an internet format. Sometimes there is old or confusing language in this.
• Include all terms and conditions: Make sure to include all important terms, such as applicable terms, warranties, and what to do if things go wrong. Be specific.
• Context: At the beginning of the contract, also provide a brief description of the context. This will be able to help with the interpretation of the contract later on.
• Legal requirements: Certain contracts have legal requirements that they must comply with. Think of loans, real estate contracts, rental contracts or, for example, shareholders' agreements.
• Consult a lawyer: For complex contracts, it is wise to consult a lawyer to ensure that your interests are properly protected.

Financing

Corporate law also deals with the financing of a company, including the issuance of shares and the attraction of investors. As an entrepreneur, it is good to be aware of the various financing options and the legal requirements for raising capital, including the protection of investors' rights and compliance with financial regulations. Here are some tips:

• Diversify funding sources: Don't just rely on one funding source. Consider different options, such as loans, venture capital, crowdfunding, or angel investors, to diversify your funding mix
• Due diligence: Conduct thorough due diligence when attracting investors and be discerning when selecting potential partners. Read more about doing thorough due diligence in this knowledge blog.
• Work with legal counsel: Consult with legal professionals who have experience in financial transactions and business law. They can help you draft watertight agreements and ensure regulatory compliance.

Liability

Liability is an important point of attention for entrepreneurs. The right business form can limit your personal liability, but it's important to understand how this works. For example, if you have a sole proprietorship, you are personally liable for your company's debts. On the other hand, if you have a limited liability company or public limited company, your personal liability is usually limited to your investment in the company. Managing liability is critical:

• Business form: Entrepreneurs with a sole proprietorship can be held personally responsible for business debts. Consider setting up a BV or NV to protect your personal assets. However, as a director of a BV or NV, you are also personally liable in some cases, for example due to improper management.
• Business liability insurance: Taking out business liability insurance can protect you against liability claims. Don't forget to take out legal expenses insurance, as the legal costs can be high in business disputes.
• Terms and conditions: Good terms and conditions can protect an entrepreneur's liability by including clauses that limit liability. By ensuring compliance with laws and regulations and enabling clear communication with customers, well-drafted terms and conditions help avoid potential liability issues. However, it is essential that these terms are legally valid and enforceable in order to be effective.

Intellectual property

Intellectual property (IP) is an important aspect of business law that protects valuable ideas, inventions, designs, trademarks, and artistic works. This can strengthen the market position, attract investment and gain competitive advantage. Entrepreneurs need to be aware of IP protections, such as patents, trademarks, copyrights and design rights, and the applicable laws and regulations to protect business assets and ideas and to take into account other people's IP rights. Due to the complexity of IP law, it is recommended that you seek legal advice from an IP lawyer or specialist who will assist with identification, registration, protection, and navigating conflicts and disputes. Intellectual property can be the lifeblood of your business:

• Copyright: Understand how copyrights work to protect your creative works. Registering copyrights can give you extra protection.
• Trademarks: Register your business name, logo, and other brand identifier to prevent others from using your brand without permission.
• Patents: Patents protect inventions and innovations. They give you the exclusive right to make, sell, or use a particular invention for a certain period of time. Start thinking about patents early and keep innovations secret until you've filed a patent application.
• Design rights: Design rights protect the appearance and shape of a product. For example, if your company makes designer products, protecting their design can be important. Registering design rights can prevent others from copying and marketing your designs.

Compliance

Finally, compliance with laws and regulations is critical. This includes tax laws, labor laws, environmental regulations, and other legal requirements that may apply to your industry. Make sure you stay up-to-date with the latest developments and that your business complies with legal requirements at all times.

• Taxes: Stay up-to-date on tax laws and obligations. Consider consulting with a tax advisor to ensure compliance and optimization of your tax position.
• Labor laws: Make sure you're compliant with labor laws and regulations, including minimum wage, working hours, and working conditions.
• Environmental regulations: If your business has an impact on the environment, you may need to comply with environmental regulations and apply for permits

Understanding corporate law is an ongoing process. Benefit from legal advice when needed and stay up-to-date on legislative changes that may affect your business. By understanding and applying these basic principles, you can build a strong legal foundation for your business and face the challenges of entrepreneurship with confidence.

Contract negotiations are critical when drafting an agreement between two parties. An agreement should clearly set out the mutual obligations and rights of the parties and should form the basis for cooperation. Below are some of the reasons why contract negotiations are important and what role a lawyer plays in this.

• Clarity and precision: Contract negotiations allow both parties to elaborate and clarify the details of the agreement, leaving less room for interpretation disputes. However, this requires clear and precise formulations, which emphasizes the role of the lawyer. An experienced lawyer knows which wording will have to be used to avoid disputes of interpretation afterwards ("the devil is in the details").
• Protection of interests: The lawyer represents the interests of his client and ensures that the agreement is beneficial to his client. By negotiating and drafting the agreement, the lawyer ensures that their client's rights and obligations are protected. Many of these interests are easily overlooked, such as proper risk allocation, exit strategies, future changes and confidentiality.
• Risk management: Contract negotiations are also a means of mitigating risk and addressing unforeseen circumstances. The lawyer assists his client in identifying potential risks and proposes clauses to limit or manage them. This is often business-specific and case-dependent. It also requires some tactical insight to get such wording into the agreement, without the other party tripping over it.
• Negotiation strategies: The lawyer plays an important role in determining the negotiation strategies and in preparing counterarguments and counter-offers. Don't give something away without getting anything in return, but always put the ultimate satisfaction of parties first. For this, it is important that you know how to articulate what you want and why this is reasonable for everyone. This contributes to a more effective negotiation, giving both parties a better chance of reaching an appropriate agreement.
• Legal compliance: Finally, the lawyer ensures that the agreement complies with the relevant laws and regulations, including contract law and other regulations applicable to the subject matter of the agreement. This way you can be sure that the agreement is legally valid and sufficiently enforceable.
  
  

In conclusion, contract negotiations are important to ensure that an agreement is clear, precise, and mutually beneficial. The lawyer plays an important role in this by guiding his client, protecting his interests, managing risks and ensuring legal compliance.

The path to a successful business acquisition is littered with opportunities and risks. One of the most important steps in this process is to conduct a thorough due diligence investigation. Conducting due diligence on a business acquisition is essential to identify risks and establish the value of the company. To do this, an experienced lawyer or due diligence team should take a structured approach and conduct a thorough analysis of the various aspects of the business, including: the financials, contracts, properties, employees, and compliance.

This legal knowledge blog provides valuable introduction with insights and tips for business owners to understand how to approach this research to minimize potential legal issues and achieve business success.

1. Preparation: Begin the due diligence process early in the acquisition negotiations to enable timely decisions. Assemble a multidisciplinary team with legal, financial, and operational expertise to conduct the research. Also discuss the specific goals and scope of the due diligence investigation. This helps to focus on the most relevant aspects of the acquisition and prevents important issues from being overlooked.
   
   
2. Financial data: The company's financials are analyzed to assess the company's profitability, solvency, and liquidity. This may include examining the financial statements, tax returns, and other financial reports. It's important to look into any tax liabilities, such as outstanding taxes or penalties, that could affect the value of the business. Hire an expert to assess the value of the business to be acquired and its assets. This will help to determine whether the asking price is reasonable and to provide a solid foundation for negotiations on the final acquisition price.
   
   
3. Contracts: All of the company's contracts should be analyzed, such as: service agreements, customer contracts, supplier contracts, distribution agreements, maintenance contracts, employment contracts, and rental or lease agreements. This can help to identify risks that may arise from the transfer of these contracts to a new owner. A good relationship and possible new negotiations with existing contracting parties is important for a smooth transfer. Pay attention to any clauses regarding change of control, confidentiality, non-competition, and warranties to understand potential limitations and obligations.
   
   
4. Properties: It is important to research the company's properties, such as real estate, intellectual property, property, and inventory. It is also important to check who exactly owns these assets (e.g. within a group structure) and whether there are any obligations on these assets, such as a mortgage or pledge.
   
   
5. Employees: the relationships with the company's employees will have to be examined, such as the employment contracts and terms of employment. It is important to identify any risks that may arise from taking on these employees, such as employee claims.
   
   
6. Compliance: It is important to examine the company's compliance with applicable laws and regulations, including environmental, labor, privacy, tax, and competition laws. Regulations depend on the country and industry in which the company operates. Failure to comply with these rules can result in significant fines and damage to the company's reputation.
   
   
7. Legal disputes and claims: identify all potential risks and liabilities, such as disputes, uncertain contracts, liabilities and ongoing obligations. Evaluate the impact of these risks on the acquisition and determine whether measures are needed to manage these risks or to factor them into the purchase price.
   
   
8. Warranties and indemnities: After identifying risks and obligations, negotiate warranties and indemnities with the seller to protect yourself from future claims and losses arising from these risks. Make sure that these warranties and indemnities are clearly set out in the acquisition agreement.
   
   

Thorough due diligence is an indispensable step in the business acquisition process. It helps business owners to discover hidden risks and make well-informed decisions. By taking the above aspects into account, you can conduct a thorough due diligence on a business acquisition and be better prepared to make an informed decision about the acquisition. Remember, engaging an experienced attorney and a multidisciplinary team of experts can be invaluable in navigating the complex process of a business acquisition.

Companies in the modern business world must constantly adapt and transform to remain relevant. One of the most powerful strategic moves by enterprises is corporate reorganizations and restructuring. However, these initiatives are not merely business decisions; they are infused with complex legal implications that require attention and understanding. In this knowledge blog, we delve deeper into the legal world of restructuring.

Mergers and Acquisitions: A Complex Legal Dance

Mergers and acquisitions (M&A) are among the most common types of restructuring. In a merger, two separate companies come together to form one new legal entity, while in an acquisition, one company acquires control of another company. However, these terms are often confused in the media. See also this article about the 'rescue' of Credit Suisse by UBS where this merger was called a takeover (by the Swiss government itself, no less).
When we talk about M&A within one group of companies, we are actually talking about a restructuring. The term restructuring implies that a move is made within the same company (group) in order to achieve a certain result. For example, the goal may be to work more efficiently or to prepare for a future transaction. The legal aspects of this are in-depth and include:

• Due Diligence: Before considering a merger or acquisition, a thorough due diligence is crucial. This goes beyond financial analysis; It involves understanding the legal status of the target company, including contracts, lawsuits, and regulatory compliance. This will ensure that you don't encounter any unpleasant surprises. This process identifies potential risks and can be crucial to a successful transaction. Also read this knowledge blog for more information on how to conduct a thorough due diligence investigation.

• Acquisition Agreements: The core of the restructuring consists of drafting sometimes complex and elaborate acquisition agreements that govern the terms of the transaction and the responsibilities of the parties. This is a process that will need to be led by an M&A lawyer who will keep an overview, warn you of potential risks and ensure that no legal matters are overlooked.

• Competition Law: Competition law may apply to the merger or acquisition. Make sure you comply with antitrust rules and get the approval of competition authorities so as not to restrict competition.

Restructuring: Times of Challenge

Sometimes companies find themselves in financial crisis and need to restructure in order to continue their operations. This can be done by entering into an agreement between creditors. However, in order to be able to bind these creditors to this, it is necessary that they agree to the proposed debt restructuring. If that does not work, it is also possible in the Netherlands to request a so-called homolagia (homologatie) of a private agreement (onderhands akkoord). If this composition is approved by the court, creditors are bound by it, even if they do not agree to it.

In the Netherlands this is a fairly new process, but in other countries (e.g. England) such a 'cramdown' of creditors has existed for a very long time. The idea behind this is that if the outcome of the composition is in favour of a creditor, this creditor should not reasonably be allowed to block the restructuring. By having a judge assess this, the company can be saved in these situations, while the creditors are also better off. These are complex processes with different legal aspects:

• Bankruptcy Law: A thorough knowledge of bankruptcy law, both domestic and foreign, is essential. This involves managing creditors' rights, debt restructuring, and the distribution of assets.

• Protection of Creditors and Shareholders: Safeguarding the rights of creditors and shareholders during restructuring is an ongoing theme. This is because the proposed plan is seen differently from the point of view of each creditor. It is difficult to take everyone into account, and then there are often creditors whose rights are overlooked. Good legal representation is therefore important in order to be alert to the changes and to protect creditors at all times.

• Liabilities: In the event of a restructuring, liabilities may arise for directors and supervisors within the company. Of course, a financial crisis can be caused by external factors, but this is not always self-evident. It is therefore important to identify potential liability risks and take the necessary measures to limit these risks. Directors' and officers' liability is also an area of law that is constantly changing. It is therefore a good idea to seek advice from a specialised lawyer, so that you are aware of the latest state of affairs.

• Taxes: Restructurings can also have tax implications, such as in the sale of assets and transfer of debt. It is important to be aware of the tax consequences of a business reorganisation and to seek tax advice in a timely manner. This prevents unnecessary taxes and creates more value from your company.

Contracts: legal beacons

In the event of a company reorganisation, existing contracts may be jeopardised or even terminated. This has consequences for business operations, but can also create a risk of lawsuits. It is therefore important to carefully review the terms of existing contracts and to take existing contractual obligations into account when drafting new contracts. Negotiations by an experienced lawyer can be of great value in this regard. The legal considerations here are numerous:

• Legal compliance: Ensure that all new contracts and agreements comply with applicable laws and regulations, both at the national and international levels. In international restructurings and mergers and acquisitions, companies must consider the complexity of several overlapping jurisdictions and regulations.

• Employment law: Company reorganisations and restructurings can lead to redundancies and changes in terms of employment. This can lead to liability risks and legal obligations towards the employees, such as a redundancy plan. It is therefore important to do good research on this in advance and to communicate clearly, so that the transition to a new structure can run smoothly.

• Intellectual Property: Intellectual property (IP) can be a central concern in corporate reorganizations, especially for tech companies and creative enterprises. IP includes patents, trademarks, copyrights, and other rights that protect a company's creative and innovative output. During a reorganisation, companies must ensure that their IP rights are safeguarded. This includes transferring IP rights according to applicable laws and agreements, revising licensing agreements, and protecting confidential information. For companies that rely on patents and technological innovation, it is necessary to review the validity and coverage of existing patents and ensure that any transfers or licenses are carried out seamlessly.

Conclusion: manage the process

The legal world of restructuring can sometimes be profound and complex. This knowledge blog provides only an introduction to this extensive topic, and the specific legal considerations can vary greatly depending on the nature of the corporate reorganization. It is an evolving field that requires attention in an ever-changing business environment. Understanding and managing the implications is important to minimize risk and achieve business objectives. Partnering with qualified legal professionals is a wise step to effectively manage these complex processes and ensure business success.

THE RESOLUTION FRAMEWORK

After the credit crisis of 2007/2008, a lot of new legislation was created to ensure that financial institutions are less likely to be put at risk and can be rescued if things go wrong. This is not so much about saving the financial institution itself, but about the critical services that this institution provides (such as payment services by banks).

If a bank in the Netherlands fails, the main rule is that it will go bankrupt, but in some cases it is in the public interest (for customers, other financial institutions and our economy) that a bank is resolved in a controlled manner. This prevents the sudden loss of many critical services, resulting in (again) a heavy impact on the economy. Especially if the institution is highly intertwined in the European or global economy. It is therefore said that the institutions are 'too big to fail'.

The legislation that deals with the controlled resolution of these types of systemically important financial institutions is also known as 'resolution' legislation. It is the task of the resolution authority to enforce this legislation and to intervene if things threaten to go wrong. This task is also known as the 'resolution task'.

Resolution legislation differs from ordinary bankruptcy law. For example, the resolution authority has many far-reaching powers, such as the conversion or depreciation of capital, which can be used to protect the aforementioned public interest. The resolution authority also takes the decision to resolve a financial institution in resolution. This does not require a court ruling.

In the Netherlands, the central bank (De Nederlandsche Bank – 'DNB') is also the resolution authority. In Switzerland, the central bank (the Swiss National Bank – 'SNB') and the resolution authority (the Swiss Financial Market Supervisory Authority – 'FINMA') are separate.

An important starting point of the resolution on legislation for banks in Europe is the BRRD I and II.[1] With these European directives, an attempt has been made to harmonise the resolution of banks within the EU. These directives will then have to be implemented by Member States in national legislation. In the Netherlands, this has been done by means of two implementing laws that have amended, among other things, the Financial Supervision Act.[2] However, Switzerland is not a member of the European Union and is therefore not bound by the BRRD I and II. Nevertheless, Switzerland has chosen to introduce a resolution regime for banks in its national legislation that is very much in line with the BRRD.[3]

The process of resolution begins in both Europe and Switzerland with a decision taken by the resolution authority to wind up the institution.[4] This decision stipulates that the financial institution in question meets the conditions for resolution and will therefore not be settled in a lawful manner in bankruptcy proceedings. Instead, the resolution authority will intervene and take certain resolution measures. There are many different measures that a resolution authority can take, including writing off capital instruments/ownership instruments and effecting a takeover. The purpose of this is to ensure the stability of the financial market and also to offer a better (or at least equivalent) result for creditors compared to a regular bankruptcy process (the so-called 'no creditor worse off' principle).[5]

CREDIT SUISSE RESOLUTION PLANNING

An important part of resolution is preparation. After all, you want to be able to intervene quickly if things go wrong. For systemically important banks, plans are therefore being drawn up that describe what measures will be needed in the event of a financial stress scenario to stabilise the bank and ensure that its critical services can continue. This preparation is also called 'resolution planning' and consists of, among other things, a recovery plan and a resolution plan.[6]

The recovery plan elaborates on how the institution could stabilize itself in the event of a financial stress scenario. These are therefore measures that the institution could take itself and are intended for the period before the deployment of resolution measures. Recovery plans for systemically important banks in both the EU and Switzerland are drawn up by the institution itself and then approved by the resolution authority.[7]

The resolution plan sets out how best to wind up the institution if it fails or is likely to fail. This plan is therefore about the execution of the resolution task and is therefore drawn up by the resolution authority. Resolution plans for systemically important banks in Europe are drawn up by the Single Resolution Board ('SRB') and the national resolution authorities.[8] In Switzerland, it is drawn up by FINMA.[9]

According to the FINMA, Credit Suisse's (hereafter 'CS') resolution schedule was well on track at the beginning of 2022. CS's recovery plan had been approved for a number of years and steps were taken every year to ensure that CS could be handled in a more controlled manner, should it come to that.[10]

However, following this statement by FINMA, CS's financial position has changed significantly. More and more assets flowed out of the bank and it also made more and more losses.[11] At the start of 2023, CS's share price was about 69% lower than a year earlier.

When Silicon Valley Bank collapsed in March 2023, the FINMA and the SNB jointly published a statement on March 15, 2023 indicating that there is no immediate risk of contagion for Swiss institutions as a result of the turmoil in the U.S. banking market.[12] They referred to the minimum capital requirements for banks in Switzerland. The FINMA even explicitly named CS and indicated that CS met these capital requirements. On 16 March 2023, CS also indicated that it wanted to (preventively) borrow CHF 50 billion from the SNB to strengthen its liquidity.[13]

When CS, as a systemically important bank, is in dire financial straits, the rule is that the recovery plan that has been drawn up is first examined. This should allow CS to take measures to recover financially (even before resolution).[14] Although it is not immediately clear from the outside whether the CHF 50 billion loan that CS wanted to take out was a measure from the recovery plan, it did not come to that in the end. Three days later (March 19, 2023), FINMA announced that it had approved the merger of CS and UBS.[15]

As usual with financial stress scenarios of banks, a lot has happened in a short period of time. In the case of CS, it makes sense to use the resolution plan of the FINMA (the Abwicklungsplan). After all, that is what the resolution legislation is written for. This is because capital instruments (AT1 bonds) were written off from CS and ownership instruments (shares) were transferred at a reduced value. However, FINMA never took the decision to make a resolution. Such a decision must also be made public, and that has never happened.[16]

Although an extensive resolution framework has been established and years have been prepared for it, the entire resolution framework has not been used in the end. Perhaps it's a shame about all that work, but according to certain sources within UBS, resolution would have been a disaster for the (global) financial system anyway.[17] So what did happen?

EMERGENCY LEGISLATION

So there has been no resolution. Instead, the Swiss government has taken a series of exceptional measures to rescue CS out of resolution and get it out of its tailspin.

On 19 March 2023, the Swiss Federal Council published a regulation, which entered into force retroactively from 16 March 2023, for the granting of liquidity support and guarantees to systemically important banks (the 'Liquidity Assistance Regulation').[18] This regulation was subsequently amended again immediately (with effect from 19 March 2023) to provide for the special situation of CS (the 'Amended Liquidity Support Regulation').[19] The two regulations were also used immediately after publication. The Swiss Federal Council announced that they support the takeover by UBS and that the federal government (on the basis of the Amended Liquidity Support Regulation) provides a guarantee for additional liquidity support for CS from the SNB.[20] The Swiss Federal Council indicated that these regulations are emergency laws, created under the Swiss Constitution to protect financial stability and the Swiss economy.[21]

In the following sections, I will first discuss the M&A transaction between UBS and CS, in order to get an idea of the effects of this change in the law. Finally, I will discuss its specifics, such as the depreciation of the AT1 capital, and reflect on the impact that these emergency laws may have on legal certainty.

THE TRANSACTION

Although not all the details of the transaction are yet known (not even for the parties to the transaction), it does not appear to be an acquisition, but a merger (more specifically, an Absorptionsfusion).[22] This is because no public offer has been made for the shares in CS. Instead, a merger agreement has been entered into under which every 22.48 CS shares will be exchanged for one share in UBS.[23]

To my knowledge, the exact entities involved have not yet been publicly confirmed, but the target company is most likely Credit Suisse Group AG, the parent company of the CS group. It is also likely that the acquiring entity will be UBS Group AG, the parent company of the UBS group.

This will mean that all assets and liabilities of Credit Suisse Group AG will automatically transfer to UBS Group AG under the Swiss Merger Act (Fusionsgesetz) upon entry into force of the merger and that Credit Suisse Group AG will cease to exist.[24] As a result, Credit Suisse AG, the group's intermediate holding company and currently subsidiary of Credit Suisse Group AG, would become a direct subsidiary of UBS Group AG.

What is confusing is the statement from the Swiss government in which it spoke of a 'takeover' of CS by UBS.[25] This seems to suggest that there is an acquisition rather than a merger. The UBS website also refers to an 'acquisition' instead of a 'merger', but in the presentation that UBS gave about this, it was clearly stated that it was an 'exchange' of CS shares in UBS shares.[26]

So, although a merger agreement (Fusionsvertrags) has already been concluded, it has not yet been completed. Under Swiss law, a merger also requires shareholder approval from both the acquired entity and the acquiring entity.[27] In this case, however, the Swiss Federal Council used its emergency powers (through the Amended Liquidity Support Regulation) and shareholder approval was not required.[28] In accordance with these new (temporary) regulations, a merger report (Mergers Notice) and an audit of the merger agreement and the balance sheets of the entities involved are also no longer required.[29]

These last-minute changes to the law have caused a lot of commotion, but who initiated this rescue? The Swiss Federal Council describes the transaction in such a way that it appears to have been proposed by UBS and they "welcome" it, but UBS has indicated that regulators around the world have urged them to consider a takeover of CS.[30] Also according to certain internal sources within CS, there would have been a lot of pressure from the government, to the point that it can actually be called an order.[31] However, the reluctance from the CS board is understandable. While this may be a favorable deal for UBS, it is the shareholders of CS, among others, who have had to give up for it. They have therefore put up a lot of resistance to a deal with UBS because of the unfavorable exchange ratio. They would even have proposed USD 5 billion as an investment, which would not have been approved by the Swiss government.[32] The creditors of the AT1 bonds are not happy either. Their claim was written off in full by CS as a result of an order from FINMA under the Amended Liquidity Regulation.[33]

In the next section, I will elaborate on this write-off and on the intervention of the Swiss government as a whole. In doing so, I look not only at the interests of creditors and shareholders, but also at the consequences for legal certainty and resolution.

DEPRECIATION OF AT1 CAPITAL

It is common for a shareholder in bankruptcy to receive nothing from the estate because they are generally the lowest in rank within the bankruptcy process. In the Netherlands, distributions are only made to shareholders (other than on the basis of a shareholder loan or other right of claim) in the event of a liquidation surplus after the bankruptcy proceedings.[34] The order of precedence in bankruptcy is also used within the European resolution regime when the resolution authority decides to write off claims (a so-called 'bail-in').[35] The reference point in resolution is the bankruptcy scenario. It should not be the case that, as a result of the application of resolution, creditors receive less than they would have received under a regular bankruptcy process (the 'no creditor worse off' principle).[36] Moreover, the European resolution regime for banks explicitly states that shareholders will bear the first losses in the application of resolution instruments.[37] This rule also applies to the resolution of Swiss banks.[38]

The idea behind this seems to me to be that the shareholder receives the profits from the company when things are going well, but also suffers the losses when things are going badly. This also creates trust towards third parties who want to do business with the company. People are very critical of it if this relationship is distorted and shareholders are given a higher rank, for example by providing shareholder loans with security.[39] If shareholders were to be paid with priority, a skewed ratio would arise. The shareholders receive the profits, but do not (entirely) suffer the losses.

It is therefore very unusual that the merger of CS decided to write off no less than CHF 16 billion in AT1 bonds (tier 1 loans), while the shareholders received a total of about CHF 3 billion (CHF 0.76 per share) in value in UBS shares. It had been expected (and perhaps should have expected) that the shareholders would first be written off in full before the creditors under the AT1 bonds would be written off. Due to the rapid pace at which everything happened in a short period of time, it may not have been immediately clear on what legal basis the write-off of the AT1 bonds took place. Was it a resolution measure of the FINMA? Was it the aim of Article 5a of the Amended Liquidity Regulation? Or was there perhaps another legal basis?

Due to the many questions that arose in this regard, the FINMA decided to issue a statement to further explain the basis for the write-off of the AT1 bonds.[40] In it, the FINMA indicated that a clause has been included in the underlying agreement of the AT1 bonds that makes it possible to write them off in full if special state aid is provided. According to the FINMA, this also happened when the Swiss government and the SNB left liquidity support and guarantees to CS on March 19, 2023. This created a contractual ground for the write-off of the AT1 bonds.

At the same time, FINMA indicates that on the basis of Article 5a of the Amended Liquidity Regulation, it is authorised to issue an order to CS to write off its AT1 bonds.[41] Because of that power and the contractual power to write off, FINMA also issued that order to CS. However, Article 5a of the amended Liquidity Regulation does not seem to require any further contractual basis. It seems sufficient that there is a guarantee provided under the Amended Liquidity Regulation that has been approved. In my view, therefore, the order to write off the AT1 bonds could (strictly speaking) have been issued even if there was no contractual basis for the write-off. The new Article 5a of the Amended Liquidity Regulation is therefore a far-reaching article that can infringe on the rights of all AT1 bonds of systemically important banks in Switzerland (including those of UBS), while it says nothing about the write-down of shareholders. Perhaps even more important is the fact that this law was introduced very suddenly, whereas the legislative resolution was written for precisely such scenarios. 

To find out more about the contractual basis for the depreciation, one would have to look at the underlying documentation of the AT1 bonds. Although those details are not known to me, I can understand that it is enough to stir up the AT1 creditors to consider a lawsuit.[42] It is not so much that the AT1 bonds have been written off, but the fact that the shareholders have not first been fully written off.

The SRB wanted to prevent investors from getting the signal that even under the European regime there is a possibility that such AT1 bonds will be the first to be written off. That is why Dominique Laboureix, president of the SRB, has clearly indicated in an interview that he will always apply the hierarchy of the European resolution regime for banks.[43] The Bank of England has also distanced itself from FINMA's decision that in this way it seems to circumvent the creditor hierarchy.[44]

LEGAL CERTAINTY

Legal certainty is of great importance in the financial sector. Large investments are only made if one can trust that their money will not just disappear, but that there is a well-thought-out legal system that is predictable and adhered to. Before the failure of a systemically important bank like CS, that was the resolution regime, but there seems to be less confidence in that than expected. Why was it decided to save CS out of resolution? In resolution, no shareholder approval is required and AT1 bonds can also be written off (after writing off the claims of shareholders).

Although the situation around CS now seems to have stabilized, this abrupt change has made the legal system unpredictable.[45] Last-minute legislation has created a scenario in which the central systems of governance and creditor hierarchy are circumvented. Perhaps the Swiss government has managed to prevent a much worse scenario with this, but at what cost?

[1] Directive 2014/59/EU ('BRRD I'); Directive (EU) 2019/879 ('BRRD II').

[2] Stb. 2015, 431; Stb. 2021 632.

[3] 'ISDA BRRD Implementation Monitor (5th edition) – status of national implementation as of 1 December 2016', isda.org, 2 December 2016 (link).

[4] Art. 16 Regulation (EU) No 806/2014 ('Single Resolution Mechanism Regulation'). The SRB has a leading role in banks directly supervised by the European Central Bank and banks operating in several countries within the EU. The SRB adopts the resolution plan for these institutions and determines whether a bank will go into resolution. The implementation of the resolution is carried out by DNB. In the case of banks that DNB supervises and that are only active in the Netherlands, the powers lie with DNB. In Switzerland, all this is done by FINMA, which can independently decide to proceed with a resolution on the basis of Article 41 (1) of the Bankeninsolvenzverordnung-FINMA.

[5] For banks in the EU under para. 78 and Articles 15(1)(g), 18(5) and 22(2) of the Single Resolution Mechanism Regulation. Under the Swiss regime pursuant to Art. 40 para. 1 sub (a) Bankeninsolvenzverordnung-FINMA.

[6] See also the SRB's 'Introduction to resolution planning' (link).

[7] Par. 21 and Articles 5 and 7 BRRD I; Art. 64 (1) Banking Ordinance.

[8] Par. 28, 33 and 44 and Articles 7(2), 8 and 9 of the Single Resolution Mechanism Regulation.

[9] Art. 64 (2) Banking Ordinance.

[10] 'FINMA considers recovery and resolution planning by the "too big to fail" institutions to be well on track –

but there are still gaps', finma.ch, 24 March 2022 (link).

[11] Some examples: 'Exclusive: Credit Suisse sounds out investors about capital hike', reuters.com, 23 September 2022, (link); 'Credit Suisse Shares Tank As Capital Concerns Spark Reminders Of Lehman Brothers Failure: Here's What We Know', forbes.com, 3 October 2022 (link); 'Credit Suisse Saw $88 Billion Outflows as Confidence Slumped', bloomberg.com, 23 November 2022 (link).

[12] 'FINMA and the SNB issue statement on market uncertainty', finma.ch, 15 March 2023 (link).

[13] 'Credit Suisse Group takes decisive action to pre-emptively strengthen liquidity and announces public tender offers for debt securities', credit-suisse.com, 16 March 2023 (link).

[14] Art. 64 of the Bankenverordnung.

[15] 'FINMA approves merger of UBS and Credit Suisse', finma.ch, 19 March 2023 (link).

[16] Art. 41 para. 2 Bankeninsolvenzverordnung-FINMA. See also the website of FINMA where resolution decisions are announced: (link).

[17] 'How the Swiss 'trinity' forced UBS to save Credit Suisse', ft.com, 20 March 2023 (link).

[18] Verordnung über zusätzliche Liquiditätshilfe-Darlehen und die Gewährung von Ausfallgarantien des Bundes für Liquiditätshilfe-Darlehen der Schweizerischen Nationalbank an systemrelevante Banken (Ordinance on Additional Liquidity Assistance Loans and the Granting of Federal Default Guarantees for Liquidity Assistance Loans from the Swiss National Bank to Systemically Important Banks), 16 March 2023, AS 2023 135 (link original  ) (link translation).

[19] Verordnung über zusätzliche Liquiditätshilfe-Darlehen und die Gewährung von Ausfallgarantien des Bundes für Liquiditätshilfe-Darlehen der Schweizerischen Nationalbank an systemrelevante Banken (Ordinance on Additional Liquidity Assistance Loans and the Granting of Federal Default Guarantees for Liquidity Assistance Loans from the Swiss National Bank to Systemically Important Banks), 19 March 2023, AS 2023 136 (original link ) ( link translation).

[20] 'Safeguarding financial market stability: Federal Council welcomes and supports UBS takeover of Credit Suisse', admin.ch, 19 March 2023 (link).

[21] Art. 184 jo. 185 Bundesverfassung der Schweizerischen Eidgenossenschaft.

[22] Under Swiss law, there may be an Absorptionsfusion or Kombinationsfusion. Whereas in a Kombinationsfusion all entities participating in the merger are dissolved and their business operations are transferred to a new company, in an Absorptionsfusion the business operations are transferred to an already existing entity that continues to exist as a surviving entity. In the case of the merger of CS and UBS, therefore, there seems to be an Absorptionsfusion. See also Art. 3 Fusionsgesetz; Begg Peter F.C. (ed.), International Handbook - Corporate Acquisitions and Mergers: Switzerland, Wolters Kluwer 2022, par. Sec. 72.

[23] 'Credit Suisse and UBS to Merge', credit-suisse.com, 19 March 2023 (link).

[24] Art. 3 (2) and 22 Fusionsgesetz; Begg Peter F.C. (ed.), International Handbook - Corporate Acquisitions and Mergers: Switzerland, Wolters Kluwer 2022, par. 73 et seq. ; 'Acquisition of Credit Suisse by UBS', lexology.com, 19 March 2023 (link).

[25] 'Safeguarding financial market stability: Federal Council welcomes and supports UBS takeover of Credit Suisse', admin.ch, 19 March 2023 (link).

[26]  "UBS acquiring Credit Suisse – Transcript," ubs.com, March 19, 2023 (link), p. 2.

[27] Art. 12 para. 2 and 18 Fusionsgesetz.

[28] Art. 10a (a) Amended Liquidity Support Regulation.

[29] Art. 10a (b) Amended Liquidity Support Regulation; Articles 14, 15 and 16 of the Fusions Law.

[30] 'Safeguarding financial market stability: Federal Council welcomes and supports UBS takeover of Credit Suisse', admin.ch, 19 March 2023 (link); 'UBS acquisition of Credit Suisse – transcript', ubs.com, 19 March 2023 (link).

[31] 'How the Swiss 'trinity' forced UBS to save Credit Suisse', ft.com, 20 March 2023 (link).

[32] 'Credit Suisse Collapse Burns Saudi Investors', wsj.com, March 21, 2023 (link).

[33] Article 5a of the Amended Liquidity Support Regulation; 'FINMA approves merger of UBS and Credit Suisse', finma.ch, 19 March 2023 (link); 'FINMA provides information about the basis for writing down AT1 capital instruments', finma.ch, 23 March 2023 (link).

[34] Art. 2:23b paragraph 1 of the Dutch Civil Code; n.b. Pannevis, Subordinated claims (Company and law no. 114), Deventer: Wolters Kluwer 2019, para. 61 - 62.

[35] Art. 17(1) Single Resolution Mechanism Regulation.

[36] Art. 15(1)(g) Single Resolution Mechanism Regulation; L. Janssen, 'The EU bank resolution rules and national insolvency law', in: M. Haentjens et al. (eds.), Research handbook on cross-border bank resolution, Cheltenham: Edward Elgar Publishing 2019, p. 112.

[37] Article 34(1)(a) BRRD I and Article 15(1)(a) Single Resolution Mechanism Regulation.

[38] Art. 47 para. 1 sub (a) Bankeninsolvenzverordnung-FINMA.

[39] For example, in a research report on private equity investments in the Netherlands, it was recommended that the law should provide that shareholder loans are regarded as equity capital in the event of bankruptcy, as a result of which they would be subordinated to claims from other creditors, see Kamerstukken II 2017/18, 34 267, no. 11. This advice will also be included in the programme for the reassessment of bankruptcy law, see Kamerstukken II 2017/18, 33 695, no. 17. Critical questions have also been asked about this in the House of Representatives, see, for example, Aanhangsel Handelingen II 2018/19, no. 2273; Aanhangsel Handelingen II 2016/17, no. 565 and 815.

[40] 'FINMA provides information about the basis for writing down AT1 capital instruments', finma.ch, 23 March 2023 (link).

[41] 'FINMA provides information about the basis for writing down AT1 capital instruments', finma.ch, 23 March 2023 (link).

[42] 'Credit Suisse AT1 bondholders consider possible legal action -law firm', reuters.com, 20 March 2023 (link).

[43] 'EU regulators distance themselves from Credit Suisse bond writedowns', srb.europa.eu, 30 March 2023 (link)

[44] 'Bank of England Statement: UK creditor hierarchy', bankofengland.co.uk, 20 March 2023 (link).

[45] See 'How the Swiss 'trinity' forced UBS to save Credit Suisse', ft.com, 20 March 2023 (link), which compares Swiss jurisdiction to a (more) dictatorial state.