The regulatory treatment of fintech-related matters in Portugal greatly depends on the legal qualification of the different types of fintech companies or the products and services being offered.

The main legal and regulatory fintech concerns are those directed at payment services and e-money related activities, as well as at crowdfunding platforms. The two current major categories of fintech companies are payment services institutions and e-money issuers, both regulated under Decree-Law No. 317/2009, of 30 October, containing the Payment Services and E-Money Legal Framework (PSEMLF), which transposed Directive 2007/64/CE (PSDI) and Directive 2009/110/CE to the Portuguese legal framework. Crowdfunding platforms, on its turn, are regulated by Law No. 102/2015, of 24 August, and Law No. 3/2018 of 9 February, as well as by Order No. 344/2015, of 12 October.

The Portuguese legislator’s and regulatory authorities’ approach to fintech has been somewhat neutral up until now, with few developments concerning regulation, aggravated by the fact that the transposition of the Payment Services Directive 2 (PSD2) is currently delayed. There is also no legal approach for testing financial technology under a sandbox regime as of now. This is also true from a tax perspective, where no specific Portuguese legal regime on tax incentives for fintech-related matters exists.

Notwithstanding this, the Bank of Portugal has been participating in fintech-related conferences and disclosing information coming out of such conferences in their website and the Portuguese Securities Market Commission (CMVM) has also recently created an informative page on their website to deal with fintech-related matters, such as ICOs and crowdfunding related matters, and has further approved Regulation 1/2016 on crowdfunding.


i Licensing and marketing

The PSEMLF sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers, both being subject to the Bank of Portugal supervision. For that effect, certain mandatory legal documentation must be filed with the Bank of Portugal, including, inter alia, draft by-laws, business plan, share capital commitment, corporate structure and beneficial ownership, the managers’ identification and fit and proper documentation, as well as corporate governance and internal compliance models and procedures. Current minimum statutory share capital requirements applicable to payment institutions ranges from €20,000 to €125,000 and a minimum of €350,000 for e-money institutions.

All marketing and advertising carried out by these entities must abide by the general rules applicable to marketing and advertising by banks and other financial institutions. This means that, among other requirements, all marketing and advertisement products and materials must clearly identify the offering or advertising entity while also ensuring that the main features and conditions of the offered products or services are easily perceived by targeted consumers.

The PSEMLF provides for an extensive list of products and services which may only be offered or rendered by either payment or e-money institutions. In practice, considering the nature and business model of most fintech companies and the services they offer, this means that such entities can become qualified as payment institutions or e-money institutions, having thus to comply with its regulatory framework.

With regard to crowdfunding platforms, Portuguese law sets out the requirements and conditions for the corporate entities managing crowdfunding platforms, which are subject to the CMVM’s supervision when they are equity-based or loan-based. These entities are subject to prior registry and authorisation with the CMVM. The submission shall be accompanied by the relevant required documentation, which includes, inter alia, the corporate details, structure and beneficial ownership, managers’ identification and fit and proper documentation, business plan and model, indication about whether it should be considered a financial intermediary or an agent thereof, as well as evidence of compliance with the minimum financial requirements. Upon registration these minimum financial requirements must be either (1) a minimum share capital of €50,000, (2) an insurance policy covering a minimum of €1 million per claim, and a minimum of €1.5 million in aggregate claims per year, or (3) a combination of both (1) and (2) that ensures proper similar coverage.

ii Cross-border issues

Payment or e-money institutions based abroad may render their services in Portugal, subject to prior authorisation and registry with the Bank of Portugal. The applicable requirements and procedures may vary according to the origin state, as entities based in EU Member States may choose to render their services in Portugal either (1) through a branch incorporated in Portugal, (2) through authorised agents based in Portugal, or (3) under a free provision of services’ licence.

Should the applying entity be based in a third-country state, it shall incorporate a branch in Portugal.

In relation to crowdfunding platforms no cross-border regime is yet foreseen under Portuguese law; this lack of passporting regime requires foreign crowdfunding platforms to have their local registration with the CMVM, until such regime is legally provided for.


Portuguese citizens must have a citizenship card containing data relevant for their identification (such as full name, parentage, nationality, date of birth, gender, height, facial image and signature). This card also includes the civil identification number, the taxpayer number, the user number for health services and the social security number (Law No. 7/2007, which creates the citizenship card, as amended). The citizenship card proves the identity of its holder before any public and private authorities and entities, through two mechanisms: (1) by means of reading the visible elements of the card, together with the optical reading of a specific area of the card destined to such reading (its reading is, however, reserved, mainly, to entities or services of the state or public administration) and (2) by means of electronic authentication.

The citizenship card further allows its holder to unambiguously authenticate the authorship of electronic documents by means of an electronic signature. The card contains a chip where additional information is available, such as address and fingerprints – it is in this chip that the certificates for secure authentication and for the qualified electronic signature are available. Hence, the holder of a Portuguese citizenship card has two digital certificates: one for authentication and another for e-signature. Note, however, that while the authentication certificate is always activated when the card is delivered to its holder, the e-signature certificate is of optional activation, and such activation can only be done by citizens who are at least 16 years old. A citizen who wishes to use the certificates shall insert his or her PIN in the device requesting or permitting the use of such authentication (or signature) method.

Law No. 7/2007 expressly refers to Regulation 910/2014 on electronic identification and trust services for electronic transactions (eIDAS Regulation), indicating that the provisions therein established apply to the certificates. Portuguese law on the citizenship card thus already acknowledges the eIDAS Regulation. However, when it comes to trust services, especially e-signature, national law is yet to be fully adapted to the eIDAS Regulation. As of the time of writing, Decree-Law No. 290-D/99, as amended, continues to be the legislation containing the details on e-signature, and hence a new national legal framework is expected.

It is important to also note that the certificates of the citizenship card are subject to the legal and regulatory rules of the Portuguese State Electronic Certification System (approved by Decree-Law No. 116-A/2006). This system aims to guarantee the electronic security of the state and the strong digital authentication of electronic transactions among the services and bodies of the public administration, as well as between the state and the citizens and companies.

In addition, Law No. 37/2014, as amended, created the ‘digital mobile key’, which is an additional and voluntary means (1) of authentication in portals and sites of the public administration and (2) of qualified electronic signature in the terms indicated in the eIDAS Regulation. All citizens of 16 years old or more may require the association of their civil identification number to a mobile phone number or an email. Foreign citizens may also require such association, in this case with their passport number. The digital mobile key is a system for secure authentication comprising a permanent password and a numerical code issued for each use and generated by the system.

Financial service providers, including payment institutions and e-money institutions, may carry out fully digitised onboarding of clients, including, as of recently, by using videoconference procedures.

The Bank of Portugal’s Notice No. 5/2013 (as amended) allows financial institutions to make use of remote onboarding procedures while complying with the KYC requirements set out under the applicable AML framework. The Bank of Portugal recently took a step further and has deemed it admissible, under Instruction No. 9/2017, that entities remotely carry out the identification confirmation under the prescribed legal KYC procedures by means of a videoconference.


Both payment services providers (either payment institutions or e-money institutions) and crowdfunding platforms – either equity or loan based – are subject to licensing and registry requirements with the Bank of Portugal and the CMVM, respectively.

Although still in a very preliminary phase, due to the applicable framework having entered into force recently, crowdfunding schemes are gaining some traction, mostly in the loan-related field. Further developments may arise in this field as the market develops and market players become more sophisticated, in which case movements towards securitisation of loan portfolios originating from such platforms may eventually begin to be noticed in the medium to long term.

Notwithstanding this, current securitisation law (Decree Law No. 453/99, as amended) defines which entities may qualify as originators of receivables for securitisation purposes and these are limited to the Portuguese state and other public legal persons, credit institutions, financial companies, insurance firms, pension funds and pension fund management companies. However, other legal persons that have their accounts legally certified by an auditor registered with the CMVM for the previous three years may also assign loans for securitisation purposes; this may open the door to crowdfunding entities. Due to the nature of the entities resorting to crowd-lending platforms for funding, as well as those managing such platforms, we envisage that such a movement towards securitisation may still take some time.


Blockchain or distributed ledger technology is not subject to specific regulation in Portugal as a technology. Indeed, the focus of regulation brought by blockchain has pertained essentially to a specific sector: banking and finance, including cryptocurrencies and ICOs.

It so happens, however, that the approach in Portugal in this sector has been to exclude cryptocurrencies from the qualification of ‘legal currency’ and not issuing specific regulation dealing with them. Both the Bank of Portugal and the CMVM share this understanding.

The Bank of Portugal has, as far back as 2013,2 issued a clarification under which it considered that Bitcoin cannot be considered secure currency, given that its issuing is done by non-regulated and non-supervised entities. In addition, the users bear all the risks, as there is no fund for the protection of depositors or investors. This approach closely follows the position of the European Banking Authority (EBA). Note that specific regulation on cryptocurrencies is not expected soon: both the government and the Bank of Portugal have stated that they will not regulate cryptocurrencies and that the first step shall be taken by the European Commission.3 Despite the lack of regulation and supervision, the Bank of Portugal has indicated that the use of cryptocurrencies is not forbidden or an illegal act. Hence, this entity is so far more focused on a preventive and educational approach by alerting the public to the risks of cryptocurrencies.

The CMVM has also issued an alert to investors in November 2017 on ICOs indicating that most ICOs are not regulated – in which case investors are unprotected due to the high volatility or lack of funds, the potential for fraud or money laundering, inadequate documentation (most ICOs have no prospectus but only a White Paper) and risk of loss of the invested capital. Still, the CMVM opened the door for them to be subject to regulation according to their specific circumstances. This approach closely follows the ESMA alert issued on ICOs in the same month and a statement of November 2017, which indicated that where coins or tokens qualify as financial instruments, it is likely that the firms therein involved pursue regulated investment activities such as placing, dealing in or advising on financial instruments or managing marketing collective investment schemes. Note that the CMVM also advised investors interested in financial products related to virtual currency to ask for complete information on the products and specifically on the risks to the financial brokers.

Considering the above, the usual distinction between the different types of tokens underlying the transactions may prove useful, especially between crypto tokens and security tokens.4 Should crypto tokens be used mainly as a means of payment, the approach taken by the Bank of Portugal and the EBA is the one to look at. Conversely, security tokens have more similarities to securities, and hence the approach of the CMVM/ESMA is the one to take note of.

Considering Portuguese securities law, security tokens do seem to be under the legal framework for securities provided the legal requirements are met. Although not specifically developing or advancing any criteria for certain ICOs to be subject to market offering rules, the CMVM laid down a general understanding of a case-by-case basis approach, meaning that tokens that present features similar to those of securities (or for that matter, ICOs that present features similar or analogous to public market offerings) may fall under securities laws and regulations, and thus comply with its respective obligations regarding public offerings, market information, regulatory submissions, among others. Notwithstanding, we have no knowledge of any ICO-related transaction or crypto assets offering that either fell under the securities law provisions, or that voluntarily submitted itself to the CMVM’s procedure for public offerings.

Despite a lack of regulatory clarity there are two main areas where there seems to be legal guidance.

The first relates to money laundering, given that the recent proposal for amending the AML Directive (Directive 2015/849)5 extends its scope of application to virtual currencies (i.e., to exchange services between virtual currencies and fiat currencies) and to wallet providers offering custodial services of credentials necessary to access virtual currencies. Notwithstanding the proposed amendment to the European AML framework, note that the Bank of Portugal clarified that financial institutions are under the obligation to control transfers of funds coming from and going to platforms of negotiation of cryptocurrencies under AML provisions. In this respect, it has been widely reported that one of the major banks in Portugal has recently blocked any transfers having these types of entities as beneficiaries.

The second one relates to tax. The Court of Justice of the European Union (CJEU)6 already addressed the question of whether transactions, such as the exchange of Bitcoin or another cryptocurrency for traditional currency, and vice versa, in return for payment of a sum equal to the difference between the price paid by the operator to purchase Bitcoin and the price at which he or she sells that same Bitcoin to his or her clients, qualified as a supply of services for consideration for VAT purposes and, if so, whether such supply would be considered exempt from VAT.

The CJEU decided that the exchange of Bitcoin for traditional currency qualifies as a supply of services for VAT purposes. As to the question of whether these transactions should be regarded as exempt supplies, the CJEU pointed out that Bitcoin, being a contractual means of payment, cannot be regarded as a current account or a deposit account, a payment or a transfer. Moreover, unlike a debt, cheques and other negotiable instruments referred to in Article 135(1)(d) of the VAT Directive, Bitcoin is a direct means of payment between the operators that accept it. Therefore, the CJEU ruled that transactions, such as exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT under the provision of Article 135(1)(e) of the VAT Directive. As the question submitted to the Court concerned only the exchange of cryptocurrency for legal tender currency, the CJEU did not expressly address the subject of whether the exchange of, e.g., Bitcoin for a different cryptocurrency should also be regarded for VAT purposes as an exempt supply of services under Article 135(1)(e) of the VAT Directive. However, in our view, the same reasoning applies and the answer should therefore be the same.

The CJEU’s judgments are directly effective in all Member States and, therefore, the tax authorities in all Member States must abide by them. With this judgment, Bitcoin exchangers, start-ups and users finally know where they stand from a VAT perspective. Buying, selling, sending, receiving, accepting and spending Bitcoin will not be taxed, which allows economic agents to deal with Bitcoin as they would with legal tender currency or other types of money.

More recently, the Portuguese Tax Authority (PTA) issued binding rulings7 under which it stated that any gains derived from Bitcoin trading should not be considered income for personal income tax (PIT) purposes to the extent such activity does not constitute a business or professional activity. Indeed, the PTA concluded that gains derived from the sale of Bitcoin would not fall under the concept of capital gains or investment income as defined by the Portuguese PIT Code and, consequently, those gains are not covered by the taxable base of the Portuguese PIT.


There has recently been a substantial dynamic in the Portuguese fintech market, with the entering of new players and stakeholders offering new types of services and products. As an example, last year saw the market entry of fintech companies offering solutions to export and import finance and to exchange currency through innovative services, as well as crowdfunding platforms aimed at specific markets and business – such as the crowdfunding of real estate developments. This movement hints at the growing market that the transposition of the PSD2 shall further accelerate.

However, in the meantime, new fintech companies offering innovative services may struggle with the burdensome procedures imposed by applicable laws and regulations mentioned above (including the licence and registration or AML-related issues).

Despite the above, services resorting to smart contracts do seem to have some legal comfort. Indeed, from 2007 onwards Portugal has had a specific provision dealing with contracts executed by means of computers without human intervention in its E-Commerce Law (Decree-Law No. 7/2004). This provision applies contract law to these types of contracts and further applies to programming errors, malfunctions and distorted messages the legal regime on mistake. Though self-executing or smart contracts are a step further from contracts concluded without human intervention, it seems that they are permitted under Portuguese law – and, what is more, the above provision may be applicable to them. Indeed, there is a general principle in Portuguese law that, unless otherwise provided, contracts are not subject to a specific form. Note, however, that no specific legal framework exists on smart contracts.


Protection of fintech technology can take place by several means. The protection of software seems to be the most relevant, as fintech technology usually translates into computer systems and applications. Software is protected in Portugal as copyright (Decree-Law No. 252/94, which transposed Directive No. 91/250/CEE, later repealed by Directive No. 2009/24/CE, on computer programs, as amended). Copyright on the computer program belongs to the employer if the software is created by an employee in the execution of his duties or following the instructions given by the employer. Copyright does not require registry to exist, but this can be done in the General-Inspection for Cultural Activities (IGAC). Software can also be protected by patent in the cases where it meets the criteria to be considered a computer implemented invention, which is an invention whose implementation involves the use of a computer, computer network or other programmable apparatus. In addition, computer-implemented business models can also be patented, to the extent that they are claimed as a technical solution for a technical problem (e.g., automating a response considering the data collected) and involving technical considerations (e.g., the reading of the database). Otherwise, business models are not patentable. All in all, a case-by-case analysis is necessary to determine if protection by patent is feasible.

Technology developed in the context of a fintech business can also be protected as trade secret. Trade secrecy protects against any act of a competitor that discloses, uses or acquires, without consent, information that is secret, has commercial value due to that fact and has been subject to considerable steps to keep it secret. Note that current Portuguese provisions on trade secrecy are contained in the Industrial Property Code (approved by Decree-Law No. 36/2003, as amended), which is set to be reviewed to transpose, inter alia, Directive No. 2016/943 of 8 June 2016 on trade secrets. This revision of the Industrial Property Code, including the transposition of the mentioned Directive, is expected to be approved during 2018. The Directive brings substantial changes to the trade secrecy regime, notably on the protection criteria and the enforcement. Essentially, the enforcement of trade secrets will be much clearer and more effective, thus opening new practical opportunities for the holders of trade secrets to enforce them against infringers.

Note that a computer platform usually also comprises a set of data, as well as visual interfaces. The data may also be protected as a database if the requirements set in law (Decree-Law No. 122/2000, which transposed Directive No. 96/9/CE, as amended, on the protection of databases) are met. Interfaces can further be protected by copyright under the Copyright Code (approved by Decree-Law No. 63/85, as amended) in their look and feel, screen display and individual visual elements, if they all meet the criteria to be protected (mainly, are ‘creative’). Copyright protection, in this case, belongs to the employer or the person that orders the creation, if so established or if the name of the creator is not referred to in the work. In this case, the creator may require a special compensation if the creation exceeds the performance of the task or when the creation is used or brings benefits not included or foreseen in the creator’s remuneration.

Fintech businesses collect, control and process vast amounts of personal data (including know-your-customer data) and, as a result, they are subject to data privacy rules.

These rules are, from 25 May 2018, the ones provided in the General Data Protection Regulation (GDPR) (EU Regulation No. 2016/679, of 27 April). The GDPR applies not only to Fintech companies established in the EU but also to companies established outside the EU, in case they have European customers.

In general, the processing of personal data requires customer’s consent. Note that pre-ticked opt-in or opt-out boxes will no longer be allowed, since consent must be expressed through a statement or by a clear affirmative action. The GDPR places onerous accountability obligations on data controllers to evidence compliance, which constitutes a major paradigm shift in the data protection regime. This includes, among others, conduct data protection impact assessments for more risky processing operations, and implement data protection by design and by default.

These general data protection rules are complemented by bank secrecy and AML rules, which fintech companies will have to observe when providing services to their clients.

Bank secrecy rules determine that disclosure of clients’ personal data protected by bank secrecy (including cross-border transfers) is permitted only with prior customer consent or if the processing is necessary to obtain one of the following:

  1. compliance with a legal obligation to which the data controller is subject;
  2. the pursuit of the legitimate interests of the data controller or the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests of the data subject; or
  3. the performance of a task carried out in the public interest.

In the past, the Portuguese Data Protection Authority had already ruled in a specific case that all personal data processed by a bank is subject to bank secrecy.

In the case of processing clients’ data for the purposes of anti-money laundering reporting, the disclosure of specific relevant personal data is based upon the fulfilment of a legal obligation, and there is no need to obtain data subject consent.

Another important aspect of data processing in the context of fintech business is the definition of clients’ profiles and business segmentation, as well as automated decision-making based on profiling. Automated decisions that produce effects concerning the data subject or that significantly affects him or her and are based solely on the automated processing of data intended to evaluate certain personal aspects relating to him, are not permitted.

The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. Mainly, under the GDPR, one may only carry out this type of decision-making where the decision is either necessary for the entry into or performance of a contract or authorised by the EU or Member State law applicable to the controller, or, finally, based on the individual’s explicit consent. Where one of these grounds applies, additional safeguards must be introduced, as well as disclosure of specific information about automated individual decision-making, including profiling. Lastly, note that there are additional restrictions on using a special category of data for such data processing.

Without prejudice to the above, it is important to note that Portuguese legislation implementing or consolidating the GDPR is currently in preparation and may bring some additional adjustments or restrictions to the rules set out in the GDPR.

In light of the above, privacy and data protection issues in the financial services sector are not ‘new’, but current concerns may be exacerbated by stricter regulations – the GDPR – and by new business models in which data from external sources may be used for purposes that might not have been anticipated by the clients or consumers at the time the information was provided.


Fintech-specific regulation has seen some developments during the past 18 months, notwithstanding the still-pending transposition of the PSD2 into the Portuguese legal framework. As previously mentioned, the Bank of Portugal’s regulation of a remote onboarding procedure paves the way for a more dynamic approach to potential fintech customers and the surging of new market players. However, market data shows that this possibility of using a videoconference as a way of complying with KYC obligations is mostly being used by banks due to the technical and financial demands that such procedure implies under the applicable regulation.

The entry into force of the crowdfunding platforms framework has also provided a boost for the fintech market, with new platforms beginning to appear and new companies working to obtain the corresponding licence.

Furthermore, the transposition of the Fourth Amendment to the AML Directive, although still lacking further regulation by the Bank of Portugal, is also a landmark on what could be further expected from fintech companies trying to market their products and services to consumers while complying with AML obligations.


The mostly anticipated issue surrounding the fintech market is undoubtedly the transposition of PSD2 into Portuguese law. The legal act transposing the Directive shall approve a new and reformed legal framework for the majority of fintech companies currently operating in the Portuguese market, while simultaneously paving the way for new market players and new types of companies to enter the market and offer their products and services to both consumers and other businesses. It shall also legally recognise third-party providers, furthering the open banking ecosystem with the surging of new companies – such as payment initiation and account information services.

In parallel, crowdfunding investment schemes will also see an increase in both the number of entities operating in the market and the transaction volume associated with these types of investments, pursuing more democratic and decentralised equity and debt markets.

Regulation of the cryptocurrencies market has not yet been subject to public discussion or a more focused regulatory analysis by either the Bank of Portugal or the CMVM. Apart from some of the mentioned warnings issued by both entities, Portuguese regulators have adopted a ‘wait and see’ approach in this respect. As such, and despite the unpredictability of this issue – where opinions change and evolve at almost the same pace as the market itself – there is no envisaged change to the legal or regulatory status of cryptocurrencies other than the mentioned amendment to the AML Directive.

The Portuguese fintech market, which has observed a rather slow but steady development, shall greatly benefit from the PSD2 innovations. These may provide an incentive for regulatory and supervision authorities to look into this ever-evolving market more closely, whether by fostering innovation by means of friendlier regulation or by furthering the existing regulation into accommodating the new paradigm shift from traditional physical banking to an open and digital financial economy. Increasing the means of remote account opening, adapting the AML-related obligations to a digitalised reality, among others, may prove indispensable for the continuous evolution of the Portuguese fintech market.

1 Tiago Correia Moreira, Helena Correia Mendonça and Conceição Gamito are lawyers at Vieira de Almeida (VdA). The authors would like to thank António Andrade (a partner in the IP department), Maria de Lurdes Gonçalves (a senior associate in the privacy, data protection and cybersecurity department), Joana Branco Pires (a consultant in the tax department), José Miguel Carracho (an associate in the banking and finance department) and David Paula (an associate in the technology department).

2 Following a study by the European Central Bank on ‘Virtual Currency Schemes’, of October 2012. Note that the Bank of Portugal also reiterated, in 2014, that the use of virtual currency brings risks to consumers and, in 2015, advised banks to abstain from buying, detaining or selling virtual currencies (Circular Letter 011/2015/DPG, of 10 March 2015).

3 But, according to the EU Fintech Action Plan published on 8 March 2018, the Commission stated that ‘the case for broad legislative or regulatory action or reform at EU level’ on fintech issues is ‘limited’. Despite this assertion, the Commission is set to assess ‘the extent to which the legal framework for financial services is technology neutral and able to accommodate FinTech innovation, or whether it needs to be adapted to this end’. It further clarified, with relation to crowdfunding, that ‘The EU framework proposed in this Action Plan will offer a comprehensive European passporting regime for those market players who decide to operate as European crowdfunding service providers.

4 There are other classifications, such as asset tokens, utility tokens and equity tokens. For simplicity, however, we limit out analysis to the ones indicated in the text.

5 Proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC.

6 CJEU’s case law C-264/14, from 22 October 2015 (Skatteverket v. David Hedqvist).

7 Binding ruling 5717/2015, from 27 December 2016. After conclusion of this article, the PTA issued a new binding ruling (Binding Ruling 12904, from 15 February 2018) regarding the VAT treatment of cryptocurrencies, such as Bitcoin. Pursuant to the PTA, the exchange of cryptocurrencies for traditional currency is exempt from VAT as long as these cryptocurrencies are considered by the parties as a contractual means of payment.