There is currently no specific regulatory framework in Spain or the European Union governing fintech. However, both the European and the Spanish supervisory authorities are conscious of the increasing importance of this sector and they are currently analysing it with a view to eventually regulating it.
There are various electronic sources providing information on fintech. For instance, the Spanish Fintech and Insurtech Association has its own website and the National Securities Market Commission (CNMV) has created a section on its website aimed at establishing an informal communication space with fintech.
The main tax incentive schemes for investment in tech or fintech businesses generally applicable in Spain are: (1) the Spanish ‘patent box’ regime and the research, development, and innovation tax credit potentially applicable to Spanish-resident companies engaged in tech and fintech activities (generally only in those cases in which the technology qualifies, e.g., as a patent), and (2) the corporate income tax benefits for start-ups (e.g., a 15 per cent rate for the start-up’s first two fiscal years, instead of the 25 per cent rate) and Spanish-resident venture-capital entities, along with (3) tax credits for ‘business angels’ in specific start-ups (under specific conditions) represent. Proper structuring is essential for investors in these companies to mitigate any Spanish tax leakage applicable to investments in tech and fintech companies.
In general terms, and until further regulations are passed, Spain should be considered as a relatively fintech-friendly jurisdiction. By way of example, in 2013 it was estimated that there were 50 fintech companies in Spain; this number has increased to 295 as of February 2018.2
i Licensing and marketing
As stated in Section I, there is no specific regulatory framework in Spain governing fintech. As a result, there is no specific fintech licence nor are there any specific marketing rules that are applicable to fintech. This is mainly due to the fact that fintech businesses in Spain provide a variety of financial services. In general, leaving aside third-party providers (TPPs) regulated under Directive (EU) 2015/2366 of the European Parliament and of the Council, of 25 November, on payment services in the internal market (PSD2) and crowdfunding and crowd-lending platforms, which are subject to Law 5/2015 of 27 April on the promotion of business financing (Law 5/2015), fintech business focused only on developing IT solutions to support the provision of services by financial entities are not currently subject to any financial regulatory regime.
However, fintech that engage in financial activities such as deposit-taking, investment services (such as automated digital advice and the management of collective investments), payment services and insurance, are subject to the general regulatory regime that applies to any company operating in those sectors (including marketing rules), and, thus, have to obtain authorisation from the relevant authorities depending on the service rendered. For banking services, the competent authority would be the Bank of Spain (BoS) or the European Central Bank. In the case of investment services the competent authority would be the CNMV and for services or products that relate to insurance, reinsurance and pension funds it would be the General Directorate of Insurance and Pension Funds (DGSFP).
As stated above, Law 5/2015 regulates crowdfunding and crowd-lending platforms and the provision of their services. The performance of these activities is subject to obtaining an authorisation which is granted by the CNMV (with the intervention of the BoS). Unlike other financial regulations in Spain, which are transpositions of European financial directives, Law 5/2015 is purely domestic. However, this will probably change since in March 2018 the European Commission published a proposal for a regulation of the European Parliament and of the European Council on European crowdfunding service providers for business (the Proposal). Although the Proposal will not apply to crowdfunding services that are provided by natural or legal persons in accordance with national law (such as those provided under Law 5/2015), the Proposal establishes that a legal person that intends to provide crowdfunding services shall apply to the European Securities and Markets Authority (ESMA) for authorisation as a crowdfunding service provider. The Proposal is unique since it is the first time that one of the European Supervisory Authorities is allowed to grant an authorisation for the provision of a financial service within the European Union.
Since there is no specific regulatory framework in Spain governing the marketing of fintech products and services (except for Law 5/2015), these entities must observe the marketing legislation applicable to any other company. Apart from the Spanish law on the protection of consumers, which establishes certain principles on marketing, and the general law on publicity, other applicable publicity provisions are included within the Spanish laws on electronic commerce and distance marketing of financial services.
In Spain, there are negative credit information registries that may be accessed by any natural or legal person in accordance with certain rules. The BoS handles the Risk Information Centre (CIR), which contains information on loans, credits, bank endorsements and general risks regarding customers, provided by the reporting institutions (such as credit entities) and which may only be accessed by natural or legal persons who are holders of risks declared to the CIR in accordance with certain rules.
ii Cross-border issues
There are no particular passporting procedures available for fintech. Only fintech set out as regulated financial services providers would have access to the cross-border provisions under Spanish laws implementing the European directives that allow for specific types of regulated entities to operate in another country without having to be authorised by their local regulators.
Accordingly, EU-regulated financial services providers benefit from the ‘passporting procedure’ which enables them to provide services in Spain on a freedom-to-provide-services basis or by establishing a branch. It is a simple notification procedure set out under the main EU financial directives (such as CRD IV, MiFID II, UCITS, AIFMD or PSD2) which involves the home Member State notifying the host Member State that the relevant entity intends to provide services in its territory. A fintech authorised as an EU financial service provider under those directives would also have access to the passporting procedure.
For non-EU financial services providers, however, their provision of services in Spain is subject to an authorisation procedure before the BoS, the CNMV or the DGSFP, even if they intend to provide services by means of a branch or from the territory of their home state. A non-EU fintech authorised as a financial services provider would also have access to the same authorisation procedure.
A local licence is not necessary if the entity is passported or authorised to provide its services from its home state into Spain. Additionally, a branch is not strictly necessary as the freedom-to-provide services option is also possible. The marketing of certain services and products in Spain will be subject to Spanish law and may trigger licensing requirements depending on the circumstances. The unsolicited provision of services does not trigger licensing requirements if no actual services are provided in Spanish territory.
In case of crowdfunding platforms and in accordance with the Proposal, the authorisation to be granted by the ESMA to a crowdfunding service provider shall be effective for the entire territory of the European Union. Thus, there will be no need to passport a local licence to other Member States in order for those companies to provide their services in the host Member State. Additionally, the Proposal states that host Member States shall not require crowdfunding service providers to have a physical presence in their territory in order for them to provide their services on a cross-border basis.
The ownership of non-regulated fintech is not restricted in Spain. Regulated fintech (such as credit institutions, investment institutions and insurance companies) are subject to a significant holdings regime that requires a purchaser of a stake of more than 10 per cent to obtain prior authorisation from the relevant supervisory authority.
iii DIGITAL IDENTITY AND ONBOARDING
Yes, digital identity is recognised in our jurisdiction. Different types of digital identities are regulated under (1) Spanish Law 59/2003, of 19 December, on electronic signatures, as it was amended by Regulation 910/2014 (the Spanish Electronic Signature Law) and (2) Regulation (EU) No. 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (Regulation 910/2014) – jointly known as the Electronic Signature Laws.
Digital identity certificates can be issued by any state or private entity that complies with the regime established in the Electronic Signature Laws. However, the most widely recognised certificates are issued by public institutions (the Spanish National Mint and the Tax Authority). Electronic identity is accessible to all national and non-national persons.
The Electronic Signature Laws set out the different categories of electronic signatures depending mainly on their security features as well as the probative effects corresponding to each category, as well as regulating the characteristics and effects of each of them in Spain. In particular, there are three categories: simple electronic signature, advanced electronic signature and qualified electronic signature, in order of the simplest (with fewer security features) to the most complex, based on a recognised certificate and created by a trustworthy signature creation device, which will entail the use of the highest security features.
The three categories of electronic signature are recognised in Spain as being valid to enter into any contractual relationship or transaction. However, the Electronic Signature Laws only recognise the ‘qualified electronic signature’ as having the same value before a court as a handwritten signature on paper. This does not mean that other types of electronic signature do not have any legal effect. Indeed, an electronic signature may not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. However, the evidential value of each signature will depend on the strength of the different steps of the contracting process and the security measures that have been used to ensure the identification of the signatory throughout the contracting process.
Fintech companies established as financial services providers are subject to anti-money laundering requirements that establish rules for the identification of clients. Such rules enable a digitised onboarding of the clients in certain cases (for instance, when the client’s identity is certified in accordance with applicable regulations on electronic signatures), and subject to certain requirements.
IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES
Collective investment vehicles are mainly regulated under Law 35/2003 of 4 November on collective investment schemes and Law 22/2014 of 12 November on venture capital and other closed-ended investment schemes and management companies of the closed-ended investment schemes. There is no specific law for fintech collective investment vehicles.
As opposed to the rest of fintech, and as indicated in Section II, crowdfunding and crowd-lending platforms are subject to Law 5/2015, which, for the first time in Spain, regulates the activities of these platforms. These activities are currently subject to obtaining an authorisation that is granted by the CNMV (with the intervention of the BoS), but this authorisation regime will probably change as a result of the implementation of the Proposal. In this regard, the ESMA will be the relevant supervisory authority which may grant the authorisations for the provision of crowdfunding and crowd-lending services. Peer-to-peer lending which is not performed through a crowd-lending platform is not regulated in Spain.
Spanish consumer lending regulations are applicable when a fintech is engaged in a credit transaction with a consumer. Loans and financings may be assigned by way of an assignment contract and it is very common to assign entire portfolios of loans. Such loans and financings may only be traded if they are converted into a security, which is assigned to a special purpose vehicle (SPV). Such SPV may then issue securities backed by the credit rights arising from loans. The above is the typical structure in securitisations.
The Spanish legal regime on securitisation was recently amended by Law 5/2015. The assignment of assets to a securitisation fund should comply with the following requirements: (1) the transferor and, as the case may be, the issuer of the securities assigned to a securitisation fund must have audited their annual accounts for the last two financial years prior to the incorporation of the fund, except in certain cases, (2) the transferor must disclose in its annual reports the current and future assignment of credit rights that impact each year, (3) the assignment of the assets to the fund should be formalised in a contract, and (4) the management company of the securitisation fund should submit a document to the CNMV for each asset assignment containing certain information on the assets.
Under Spanish law the rendering of payment services on a professional basis may only be conducted by entities authorised for such purposes. As indicated in Section II, the BoS is the competent authority to grant this authorisation.
V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS (ICO)
There is no Spanish regulation on blockchain technology, cryptocurrencies or the issue of tokens. The European and Spanish regulators are starting to review these activities although there are no legal developments as of today with respect to the qualification of tokens as securities.
ESMA published two statements in November 2017 concerning ICOs. The first one contained certain alerts to firms involved in ICOs. ESMA outlines that it is the duty of the firms themselves to consider the regulatory framework applicable to them and meet the relevant regulatory requirements, even if they are from outside the European Union. In this regard, although ESMA did not conclude that the Propectus Directive, the MiFID, the AIFMD and the Fourth AMLD are directly applicable to ICOs, cryptocurrencies and tokens, these may fall inside the scope of such regulations. The second statement was related to the warnings that may be considered by the investors when investing in ICOs, cryptocurrencies and tokens. In February 2018, the European Supervisory Authorities also issued a notice warning investors and consumers about the risks associated with buying cryptocurrencies.
The current European and Spanish legislation on anti-money laundering is not directly applicable to ICOs, cryptocurrencies and tokens. However, the proposal for a directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD), issued by the Council of the European Union on 19 December 2017, contains a provision by virtue of which the AMLD will be applicable to natural or legal persons that are engaged in exchange services between virtual currencies and fiat currencies.
In light of ESMA’s statements, the CNMV and the BoS have also warned firms and investors regarding the regulations and risks inherent to ICOs, cryptocurrencies and tokens.
As concerns the tax treatment of cryptocurrencies and tokens in Spain, the matter is not a clear-cut issue although the European Court of Justice (ECJ) and the Spanish tax authorities have provided specific guidelines.
Regarding Spanish value added tax (VAT), the judgment of 22 October 2015, case C-264/14, ruled that transactions involving non-traditional currencies, such as cryptocurrencies, are exempt from VAT pursuant to Article 135(1)(e) of the Council Directive 2006/112/EC, of 28 November 2006, on the common system of VAT. Therefore, in accordance with the ECJ’s considerations, sale and purchase transactions over cryptocurrencies should be exempt from Spanish VAT. This criterion has also been shared by the Spanish tax authorities in specific binding tax rulings.
For Spanish resident taxpayers holding cryptocurrencies, although we are not aware of any specific criterion confirming the Spanish income tax treatment of transaction over these assets, income triggered upon the sale or transfer of cryptocurrencies should be deemed as capital gains from a Spanish tax standpoint, and should be taxed accordingly. Specific activities concerning cryptocurrencies (e.g., mining) may have a different tax treatment and, potentially, be deemed as business activities for Spanish tax purposes (income tax, business tax, etc.).
VI OTHER NEW BUSINESS MODELS
Similarly to ICOs, cryptocurrencies and tokens, self-executing contracts are not specifically regulated in Spain and so are permitted and subject to Spanish contract law like any other contract. There are no particular arbitration or mediation schemes for self-contracts. These mechanisms are available in the same terms as for any other contract. Although self-executing contracts lack legislation of their own, we believe the below rules should be taken into account:
- should the self-executing contract consist of pre-established clauses imposed by one of the parties for a generality of contracts, Law 7/1998 of 13 April on General Contracting Conditions will apply, which imposes certain conditions and interpretation rules, as well as a public registry for general conditions;
- in the event that a self-executing contract is entered into with consumers, Royal Legislative Decree 1/2007 of 16 November approving the revised text of the general law on the protection of consumers and users, would also be applicable. This regulation establishes guiding principles applicable to relationships between consumers and users (understood as legal or natural persons acting in a context that falls outside of their entrepreneurial or professional activities) and entrepreneurs;
- also of note is Law 34/2002, of 11 July, on services of the information society and electronic commerce, which would apply in the event that the contract is entered into by electronic means. It establishes a regulatory regime for electronic agreements (e.g., the information to be provided to the contracting parties prior to and after the execution of the relevant agreements, the conditions applicable for the validity of electronic agreements, other obligations applicable to the electronic providers); and
- in the event that the contract falls into the definition of a financial service, Law 22/2007 on the distance marketing of financial services addressed to consumers, setting out the rules for electronic agreements and electronic marketing communications, would also be applicable.
Fully automated investment processes are not are not regulated as such under Spanish law. However, there are provisions within Regulation (EU) No. 595/2014 of the European Parliament and of the Council of 16 April on market abuse (MAR) and Directive 2014/65/EU of the European Parliament and of the Council of 15 May on markets in financial instruments (MiFID II) that refer to algorithmic trading and high-frequency trading strategies.
In addition, third-party websites comparing products or providing information about financial products are subject to general data protection rules, in the same way as other service providers. They are also subject to competition rules, although they are generally not an area of concern for competition authorities to the extent that they favour free competition among the players in the market. However, concerns may be raised in the event that these websites impose most-favoured-nation clauses on any of the players.
From a pure regulatory perspective, the provision of information about financial products is not subject to authorisation provided that this information does not involve the provision of any other regulated services (for instance, investment advice).
In recent years the financial industry has seen a fast-growing adaption of the economy to fintech. The most important sectoral innovations are those related to credit, payment and investment management services. Crowdfunding, crowd lending and TPPs are good examples of new businesses models.
Another new business model that has recently emerged is based on the commercialisation of big data regarding consumer trends based on clients’ data. This model has been already questioned by the Spanish data protection authority, which imposes restrictions on the validity of customers’ consent for their data to be used in an aggregated manner for its commercialisation.
Generally, the main legal and regulatory issues for fintech in Spain are the obstacles resulting from the provision of financial services that trigger licensing requirements. As stated in Section I, the current legal regime for the authorisation of financial entities, which is established by reference to EU law, does not provide for a simplified procedure for businesses that only provide a limited range of services, as is the case of many fintech. Hence, as of today, fintech providing regulated services such as payment or investments services must navigate complex and burdensome procedures in Spain or in their country of establishment before having access to customers.
VII INTELLECTUAL PROPERTY AND DATA PROTECTION
i Intellectual property
Fintech businesses models and related software may be protected by the rules applicable to the ownership of inventions and of works, which should be analysed separately.
Fintech business models may be classed as inventions, which are typically the result of research. That result may essentially be protected by patents, utility models or, if such protection is not available or the parties do not wish to request it, inventions can also enjoy a certain degree of protection as know-how or as trade secrets:
- Spanish patents provide protection for inventions for 20 years as of the filing date.
- Utility models protect inventions of lower inventive rank than patents, and are granted for a period of 10 years.
- Once the referred protection periods have expired, the invention will enter the public domain and may be freely used by any person.
- Know-how and trade secrets have value as long as they are kept confidential, as opposed to patents, and therefore it is a matter of contract (confidentiality agreements) and of fact (other protective measures adopted) that the invention remains valuable.
On a separate note, software would not be deemed an invention but would be protected by copyright from the very moment of its creation. Registration is not necessary for the protection of software. The exploitation rights for the work will run for the life of the author and survive 70 years after the author’s actual or declared death.
Regarding the ownership of IP rights, the ownership of inventions and works should again be analysed separately. These are default rules under Spanish law to attribute ownership of inventions:
Absent other applicable rules, the natural person who creates the invention (i.e., the inventor) is the owner.
If the inventor is an employee (private or public):
- If the invention is a result of his or her work for a company, pursuant to the terms of his or her employment agreement or to the instructions received from the company, then the owner of the rights to the invention will be the company.
- If the invention is a result of his or her independent work but relevant knowledge obtained from a company or the company’s facilities was used, then the company can claim ownership rights to the invention or a right to use the invention, subject to the payment of fair compensation.
The rule in connection with works is that the original owner of the rights to the work is the author or co-authors (or, in very specific and limited cases, an individual or a legal private or public entity who leads and coordinates personal contributions and publishes the result under its own name – usually in the case of software). The general rule is that the author is the owner of all moral and exploitation rights to the work. However, some specific legal presumptions as well as some important exceptions exist:
- Regarding copyrightable work created by an employee under his or her employment agreement, Spanish law presumes that, unless otherwise agreed, all exploitation rights of the work have been assigned, on an exclusive basis, to the company for the purposes of its ordinary course of business. This assumption applies in particular, but is not limited to, the creation of software.
- In the event of joint co-authors, either:
- all co-authors have equal exploitation rights, unless otherwise agreed; or
- the exploitation rights to the work correspond to the (legal or natural) person that assumes responsibility for the creation of the work and publishes it under the person’s own name.
ii Data protection.
Fintech businesses located in Spain or addressing the Spanish market are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). From 25 May 2018 onwards, the main data protection rule applicable in Spain will be the General Data Protection Regulation (Regulation (UE) 2016/679) (GDPR) that is directly applicable to all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.
Notwithstanding the above, certain local data protection rules remain applicable in Spain, which may impose local requirements applicable to certain fintech business models. Also, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities within the EU, must also be taken into account. Also, there is a draft new Spanish Data Protection Law that will replace the current one and will be compatible with the GDPR. This draft new Spanish Data Protection Law, which not only adapts Spanish law to GDPR standards but also further develops some data protection matters not specifically addressed in the GDPR (e.g., creditworthiness bureaus) is currently being discussed by the Spanish parliament and its current drafting may be subject to changes before it is finally passed. It is expected that the approval of the new Spanish Data Protection Law will still take some months and will not be ready by 25 May 2018.
As regards the possibilities of fintech companies carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), such activities are subject to the GDPR rules and to certain guidelines of the Spanish Data Protection Agency. In general terms, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The interpretation of the Spanish Data Protection Agency of the legitimate interest as a lawful ground for companies to carry out profiling activities has been quite restrictive in the past. Also, additional information and transparency duties must be complied with by fintech companies when carrying out profiling activities. Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments are imposed. Finally, some of these profiling activities may be carried out with anonymised or pseudo-anonymised data. If this were the case, fintech business must take into account that the Spanish Data Protection Agency has issued specific guidelines for carrying out anonymisation processes (available in Spanish at https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/2016/Orientaciones_y_garantias_Anonimizacion.pdf).
VIII YEAR IN REVIEW
No specific regulation on fintech was published in the past 18 months except for PSD2, which has come to regulate the activity of TPPs. TPPs are an example of fintech companies that provide payment initiation services or account information services. TPPs must adopt certain security measures when providing their services. Among other obligations, TPPs must ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transferred through safe and efficient channels. Additionally, TPPs must not use, access or store any data for purposes other than for the provision of the payment initiation service. The incorporation of TPPs is subject to the authorisation of the BoS. The initial capital of those TTPs that provide payment initiation services must at no time be less than €50,000. However, if the TPPs only provide account information services, they will not be subject to the initial capital requirement.
IX OUTLOOK AND CONCLUSIONS
The fintech sector in Spain is still in the process of significant expansion mainly in sectors where intermediation between parties is fundamental (lending, FX, brokerage and investment services such as investment advice and portfolio management) and in the payments sector. Overall, the development of online payment platforms and big data, robotics and artificial intelligence (AI) tools represent the most recent trends in innovation (to date, mainly crowdfunding and crowd-lending platforms and robo-advisers).
This expansion process is expected to continue in the coming years. This, combined with the increasing interest expressed by the European and Spanish regulators in the sector means that it is likely that fintech will be regulated in the short or medium term. In this regard, the European Commission issued a public consultation on fintech in March 2017 addressed to all citizens and organisations. The consultation period finalised in June 2017. After the analysis of the responses given, the European Commission has issued an action plan on fintech in March 2018 (the Action Plan).
The Action Plan sets out some steps to enable innovative business models to scale up, support the uptake of new technologies, increase cybersecurity and the integrity of the financial system. In accordance with the Action Plan, the European Commission will, among other things: (1) host an EU FinTech Laboratory where European and national authorities will engage with tech providers in a neutral, non-commercial space, (2) present a blueprint with best practices on regulatory sandboxes, based on guidance from European Supervisory Authorities, and (3) report on the challenges and opportunities of crypto assets later in 2018 in the framework of its EU Blockchain Observatory and Forum, which was launched in February 2018 for a period of two years.
Apart from that, further regulatory changes will come with the entry into force of the General Data Protection Regulation (EU Regulation 2016/679) as from May 2018 and with the transposition into Spanish law. Although there is no certainty about when the Proposal could be passed by the European Parliament and the Council, it should be taken into consideration due to its impact on the current Spanish crowdfunding and crowd-lending regulation.
Apart from the above, the main disruption in the global financial sector is still expected to result from ledger technologies such as blockchain. Although the use of this type of technology is not yet widespread, it is expected to emerge in Spain in many areas and will not just be limited to cybersecurity and cryptocurrencies.