I OVERVIEW

The regulatory treatment of fintech-related matters in Portugal greatly depends on the legal qualification of the different types of fintech companies or the products and services being offered.

The main legal and regulatory fintech concerns are those directed at payment services and e-money related activities, as well as at crowdfunding platforms. The two current major categories of fintech companies are payment services institutions and e-money issuers, both regulated under Decree-Law No. 91/2018, of 12 November, containing the Payment Services and E-Money Legal Framework (PSEMLF), which transposed Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (the PSD2) to the Portuguese legal framework. The PSEMLF, in light of the PSD2 transposition, also created the necessary regulation for the Payment Initiation Service Providers (PISP) and the Account Information Service Providers (AISP) to enter the Portuguese market. Crowdfunding platforms, in turn, are regulated by Law No. 102/2015 of 24 August and Law No. 3/2018 of 9 February, as well as by Portuguese Securities Market Commission (CMVM) Regulation 1/2016 and Ministerial Order No. 344/2015 of 12 October.

The Portuguese legislator and regulatory authorities' approach to fintech has been somewhat neutral up until now, which resulted in the late transposition of Payment Services Directive 2 (PSD2) (a delay of almost a year from the deadline of 13 January 2018). There is also no legal approach for testing financial technology under a sandbox regime as of now. This is also true from a tax perspective, where no specific Portuguese legal regime exists on tax incentives for fintech-related matters.

Notwithstanding, the Portuguese financial regulators (i.e., the Bank of Portugal, the CMVM and the Insurance and Pension Funds Authority) have recently implemented the Portugal FinLab programme, in partnership with Portugal Fintech (a Portuguese association supporting the emerging fintech ecosystem) with the purpose of establishing an easily accessible communication channel between entrepreneurs and emerging companies and the regulators, aimed at supporting the development of fintech businesses and companies in navigating the legal and regulatory challenges and concerns posed by the regulators. Additionally, we have also noticed an increased interest by the regulators in these matters, having been actively engaged in participating in fintech-related conferences and disclosing information coming out of such conferences on their respective websites.

II REGULATION PSEMLF

i Licensing and marketing

The PSEMLF sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers as well as PISPs and AISPs, all being subject to the Bank of Portugal supervision. For that effect, certain mandatory legal documentation must be filed with the Bank of Portugal, including, inter alia, draft by-laws, business plan, share capital commitment, corporate structure and beneficial ownership, the managers' identification and fit and proper documentation, as well as corporate governance and internal compliance models and procedures. Current minimum statutory share capital requirements applicable to payment institutions range from a minimum of €20,000 to €125,000 (depending on the type of services provided) and a minimum of €350,000 for e-money institutions. PISPs are required to have a minimum statutory share capital of €50,000 and AISPs are required to take out an insurance policy or another similar guarantee covering their activity in Portuguese territory in the case of breach or unauthorised access to data.

All marketing and advertising carried out by these entities must abide by the general rules applicable to marketing and advertising by banks and other financial institutions. This means that, among other requirements, all marketing and advertisement products and materials must clearly identify the offering or advertising entity while ensuring that the main features and conditions of the offered products or services are easily perceived by targeted consumers.

The PSEMLF provides for an extensive list of products and services that may only be offered or rendered by either payment or e-money institutions, as well as PISPs or AISPs. This means that, in practice, considering the nature and business model of most fintech companies and the services they offer, such entities will have to qualify under Portuguese law as one of these entities (being that an entity securing an e-money licence ensures that it can render all services regulated under the PSEMLF), having thus to comply with its regulatory framework.

In what concerns crowdfunding platforms, Portuguese law sets out the requirements and conditions for the corporate entities managing crowdfunding platforms, which are subject to the CMVM's supervision when they are either collaborative equity-based or loan-based platforms. These entities are subject to prior registry and authorisation with the CMVM. The submission shall be accompanied by the relevant required documentation, which includes, inter alia, the corporate details, structure and beneficial ownership, managers' identification and fit and proper documentation, business plan and model, indication about whether it should be considered a financial intermediary or an agent thereof, as well as evidence of compliance with the minimum financial requirements. Upon registration these minimum financial requirements must be either (1) a minimum share capital of €50,000; (2) an insurance policy covering a minimum of €1 million per claim, and a minimum of €1.5 million in aggregate claims per year; or (3) a combination of both (1) and (2) that ensures proper similar coverage.

ii Cross-border issues

Payment or e-money institutions based abroad may render their services in Portugal, subject to prior authorisation and registry with the Bank of Portugal. The applicable requirements and procedures may vary according to the origin state, as entities based in EU Member States may choose to render their services in Portugal either through a branch incorporated in Portugal, through authorised agents based in Portugal or under a free provision of services' licence.

Should the applying entity be based in a third-country state, it shall incorporate a branch or, alternatively, incorporate a legal entity subsidiary in Portuguese territory (following the relevant, more demanding procedure).

In relation to crowdfunding platforms, no cross-border regime is yet foreseen under Portuguese law; this lack of passporting regime requires foreign crowdfunding platforms to have their local registration with the CMVM on standby, until such regime is legally provided for. The latest news in this respect indicates that the CMVM will likely wait for the next developments in the proposed European regulation on crowdfunding service providers, which, among other matters, envisages a more harmonised and standard approach to cross-border activities by these entities.

III DIGITAL IDENTITY AND ONBOARDING

Portuguese citizens must have a citizenship card containing data relevant for their identification (such as full name, parentage, nationality, date of birth, gender, height, facial image and signature). This card also includes the civil identification number, the taxpayer number, the user number for health services and the social security number (Law No. 7/2007, which creates the citizenship card, as amended). The citizenship card proves the identity of its holder before any public and private authorities and entities, through two mechanisms:

  1. by means of reading the visible elements of the card, together with the optical reading of a specific area of the card destined to such reading (its reading is, however, reserved, mainly, to entities or services of the state or public administration); and
  2. by means of electronic authentication.

The citizenship card further allows its holder to unambiguously authenticate the authorship of electronic documents by means of an electronic signature. The card contains a chip where additional information is available, such as address and fingerprints – it is in this chip that the certificates for secure authentication and for the qualified electronic signature are available. Hence, the holder of a Portuguese citizenship card has two digital certificates: one for authentication and another for e-signature. However, while the authentication certificate is always activated when the card is delivered to its holder, the e-signature certificate is of optional activation, and such activation can only be done by citizens who are at least 16 years old. A citizen who wishes to use the certificates shall insert his or her PIN in the device requesting or permitting the use of such authentication (or signature) method.

Law No. 7/2007 expressly refers to Regulation 910/2014 on electronic identification and trust services for electronic transactions (the eIDAS Regulation), indicating that the provisions therein established apply to the certificates. Portuguese law on the citizenship card thus already acknowledges the eIDAS Regulation. However, when it comes to trust services, especially e-signature, Decree-Law No. 290-D/99, as amended, continues to be the legislation containing the details on e-signature.

It is important to also note that the certificates of the citizenship card are subject to the legal and regulatory rules of the Portuguese State Electronic Certification System (approved by Decree-Law No. 116-A/2006). This system aims to guarantee the electronic security of the state and the strong digital authentication of electronic transactions among the services and bodies of the public administration, as well as between the state and the citizens and companies.

In addition, Law No. 37/2014, as amended, created the 'digital mobile key', which is an additional and voluntary means (1) of authentication in portals and sites of the public administration and (2) of qualified electronic signature in the terms indicated in the eIDAS Regulation. All citizens may require the association of their civil identification number to a mobile phone number or an email. Foreign citizens without a civil identification number may also require such association, which is done with their passport number, their tax identification on residence permits (or other documents as indicated in the regime for entry, stay, exit and expulsion of foreigners from the national territory) or their residence card. The digital mobile key is a system for secure authentication comprising a permanent password and a numerical code issued for each use and generated by the system.

Financial service providers, including payment institutions and e-money institutions, may carry out fully digitised onboarding of clients, including, as of recently, by using videoconference procedures.

The Bank of Portugal's Notice No. 2/2018 allows financial institutions to make use of remote onboarding procedures while complying with the know your customer (KYC) requirements set out under the applicable AML framework. Currently, admissible remote onboarding procedures under applicable AML law and Notice 2/2018 are videoconferencing and other means of KYC and onboarding procedures carried out by qualified trust service providers (the latter being compliant with the framework set forth under Regulation (EU) No. 910/2014).

IV DIGITAL MARKETS, FUNDING AND PAYMENT SERVICES

Both payment services providers (i.e., payment and e-money institutions as well as PISPs and AISPs) and crowdfunding platforms – either equity or loan based – are subject to licensing and registry requirements with either the Bank of Portugal or the CMVM, respectively.

Although still in a very preliminary phase, owing to the applicable framework having entered into force recently, crowdfunding schemes are gaining some traction, mostly in the loan-based platforms sector. Further developments may arise in this field as the market develops and market players become more sophisticated and numerous, in which case movements towards securitisation of loan portfolios originating from such platforms may eventually begin to be noticed in the medium to long term.

Notwithstanding, current securitisation law (Decree Law No. 453/99, as amended) defines which entities may qualify as originators of receivables for securitisation purposes and these are limited to the Portuguese state and other public legal persons, credit institutions, financial companies, insurance firms, pension funds and pension fund management companies. However, other legal persons that have their accounts legally certified by an auditor registered with the CMVM for the previous three years may also assign loans for securitisation purposes; this may open the door to crowdfunding entities being able to enter into securitisation and other structured finance transactions, which were traditionally reserved to banks and other incumbents. However, owing to the nature of the entities resorting to crowd-lending platforms for funding, as well as those managing such platforms, we envisage that such a movement towards securitisation may still take some time.

V CRYPTOCURRENCIES AND INITIAL COIN OFFERINGS

Blockchain or distributed ledger technology is not subject to specific regulation in Portugal as a technology. Indeed, the focus of regulation brought by blockchain has pertained essentially to a specific sector: banking and finance, including cryptocurrencies and initial coin offerings (ICOs), notably in what concerns investor protection and fraud prevention.

However, the approach in Portugal in this sector has been to exclude cryptocurrencies from being qualified as tender or 'legal currency' and not issuing specific regulation dealing with them. Both the Bank of Portugal and the CMVM share this understanding and – like the majority of European regulators – are pursuing a wait-and-see approach in anticipation of a possible broader and harmonised European legislation ruling these matters.

However, the Bank of Portugal has, as far back as 2013, issued a clarification under which it considered that bitcoin cannot be considered secure currency, given that its issuing is done by non-regulated and non-supervised entities. In addition, the Bank of Portugal clarified and stated that the users bear all the risks, as there is no fund or protection scheme guaranteeing depositors or investors' funds. This approach closely follows the position of the European Banking Authority (EBA). Note that specific regulation on cryptocurrencies is not expected soon: both the government and the Bank of Portugal have stated that they will not regulate cryptocurrencies and that the first step shall be taken by the European Commission. In this respect, both ESMA and the EBA sent reports, on 9 January 2019, to EU policymakers on ICOs and cryptoassets, assessing and advising the European Commission on the applicability and suitability of EU legislation to said instruments. Notably, EBA's report stresses that:

[C]ompetent [national] authorities have reported to the EBA that it is their understanding that cryptoasset activity levels in their jurisdictions remain low and do not, at this stage, present a threat to financial stability, a finding which aligns with the observations of the Financial Stability Board. However, some issues arise, in particular with regard to consumer protection, market integrity and the level playing field, in view of the fact that: (a) current EU financial services law does not apply to a number of forms of crypto asset/activity; (b) specific services relating to cryptoasset custodian wallet provision and crypto asset trading platforms may not constitute regulated activities under EU law; and (c) the emergence of divergent approaches across the EU has been identified. For these reasons, the EBA considers that there would be merit in the European Commission carrying out a cost/benefit analysis to assess whether EU level action is appropriate and feasible at this stage to address the issues set out above.

Additionally, ESMA's report's press release states that:

ESMA has identified a number of concerns in the current financial regulatory framework regarding cryptoassets. These gaps and issues fall into two categories:
  1. For cryptoassets that qualify as financial instruments under MiFID, there are areas that require potential interpretation or re-consideration of specific requirements to allow for an effective application of existing securities and financial regulations; and
  2. Where these assets do not qualify as financial instruments, the absence of applicable financial rules leaves investors exposed to substantial risks. At a minimum, ESMA believes that Anti Money Laundering (AML) requirements should apply to all cryptoassets and activities involving cryptoassets. There should also be appropriate risk disclosure in place, so that consumers can be made aware of the potential risks prior to committing funds to cryptoassets.

In this light, and considering that gaps and issues identified would best be addressed at the European level, ESMA then suggests that the European Commission either:

  1. propose a bespoke regime for specific types of cryptoassets (which do not qualify as financial instruments) by means of a Directive, allowing for the tailoring of the rules to the specific risks and issues posed by those cryptoassets; or
  2. do nothing, which would fail to address the known investor protection and market integrity concerns.

Despite the lack of regulation and supervision, the Bank of Portugal has indicated that the use of cryptocurrencies is not forbidden or an illegal act. Hence, this entity is so far more focused on a preventive and educational approach, by means of alerting to the risks of cryptocurrencies.

The CMVM also issued an alert to investors in November 2017 on ICOs, indicating that most ICOs are not regulated – in which case investors are unprotected due to the high volatility and lack of funds, potential of fraud or money laundering, inadequate documentation (most ICOs have no prospectus but only a White Paper) and risk of loss of the invested capital. Still, the CMVM paved the way for regulation according to their specific circumstances.

Considering the above, the usual distinction between the different types of tokens (or rather the rights and obligations that their issuance and possession entail) underlying the transactions may prove useful. Should tokens be used mainly as a means of payment, the approach taken by the Bank of Portugal and EBA is the one to look at. Conversely, where tokens have more similarities to securities, the approach of the CMVM and ESMA is the one to take note of.

Despite a slight lack of regulatory clarity, there seems to have been some progress in acknowledging this situation, given that the recent proposal for amending the AML Directive (Directive 2015/849) extends its scope of application to virtual currencies; namely, to exchange services between virtual currencies and fiat currencies, and to wallet providers offering custodial services of credentials necessary to access virtual currencies. Notwithstanding the proposed amendment to the European AML framework, the Bank of Portugal has clarified that financial institutions are under the obligation to control transfers of funds coming from and going to platforms of negotiation of cryptocurrencies under AML provisions. In this respect, some major banks in Portugal have blocked transfers that have these types of entities as beneficiaries, although some are beginning to allow transfers being made to exchanges that are deemed more trustworthy.

In line with the Court of Justice of the European Union (CJEU)'s interpretation on the VAT treatment of transactions with cryptocurrencies, the Portuguese Tax Authority (PTA) recently issued binding rulings stating that transactions, such as exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT.

Binding rulings only bind the PTA towards the taxable person who submitted the ruling request and in relation to the questions specifically raised to the PTA in such request. Following the CJEU's judgment, which should apply in all Member States, the binding rulings issued by the PTA were an important step forward in the definition of the VAT treatment of bitcoin transactions. With these binding rulings, entities exchanging cryptocurrencies, start-ups and users are now in a safer environment in Portugal from a VAT perspective. Buying, selling, sending, receiving, accepting and spending cryptocurrencies in exchange for legal tender currency (and vice versa) will not trigger a VAT liability, which allows economic agents to deal with cryptocurrencies as they would with legal tender currency or other types of money.

Additionally, for personal income tax (PIT) purposes, the PTA had already issued a binding ruling stating that any gains derived from the exchange of bitcoin for legal tender currency (and vice versa) should not be considered income for PIT purposes to the extent such activity does not constitute a business or professional activity. Indeed, the PTA concluded that gains derived from the sale of bitcoin would not fall under the concept of capital gains or investment income as defined by the Portuguese PIT Code and, consequently, those gains are not covered by the taxable base of the Portuguese PIT.

VI OTHER NEW BUSINESS MODELS

There has recently been a substantial dynamic in the Portuguese fintech market, with the entering of new players and stakeholders offering new types of services and products. As an example, the past year saw the market entry of fintech companies offering solutions to export and import finance and to exchange currency through innovative services, as well as crowdfunding platforms aimed at specific markets and business – such as the crowdfunding of real estate developments. This movement hints at the growing market that the recently enacted PSEMLF transposing the PSD2 shall further accelerate, opening up new business opportunities for emerging companies in the areas of open banking services, neo-banks and all other innovation-driven solutions occurring in the banking and financial sector today.

However, in the meantime, new fintech companies offering innovative services may struggle with the burdensome procedures imposed by applicable laws and regulations mentioned above (including the licence and registration procedures or AML-related issues).

Despite the above, services resorting to smart contracts do seem to have some legal comfort. Indeed, from 2007 onwards Portugal has had a specific provision dealing with contracts executed by means of computers without human intervention in its E-Commerce Law (Decree-Law No. 7/2004). This provision applies contract law to these types of contracts and further applies the legal regime on mistake to programming errors, malfunctions and distorted messages. Though self-executing or smart contracts are a step further from contracts concluded without human intervention, it seems that they are permitted under Portuguese law – and, what is more, the above provision may be applicable to them. Indeed, there is a general principle in Portuguese law that, unless otherwise provided, contracts are not subject to a specific form. However, no specific legal framework exists on smart contracts.

VII INTELLECTUAL PROPERTY AND DATA PROTECTION

Protection of fintech technology can take place by several means. The protection of software seems to be the most relevant, as fintech technology usually translates into computer systems and applications. Software is protected in Portugal under the same legal rules that apply to copyright protection (according to Decree-Law No. 252/94, which transposed Directive No. 91/250/CEE, later repealed by Directive No. 2009/24/CE, on computer programs, as amended). Copyright on the computer program belongs to the employer if the software is created by an employee in the execution of his or her duties or following the instructions given by the employer. Copyright does not require registry to exist, but this can be done in the General-Inspection for Cultural Activities (IGAC). Software can also be protected by patent in the cases where it meets the criteria to be considered a computer implemented invention, which is an invention whose implementation involves the use of a computer, computer network or other programmable apparatus. In addition, computer-implemented business models can also be patented, to the extent that they are claimed as a technical solution for a technical problem (e.g., automating a response considering the data collected) and involving technical considerations (e.g., the reading of the database). Otherwise, business models are not patentable. All in all, a case-by-case analysis is necessary to determine if protection by patent is feasible.

Technology developed in the context of a fintech business can also be protected as a trade secret. Trade secrecy protects against any act of a person that accesses, appropriates or copies (or any other conduct that, under the circumstances, is considered contrary to honest commercial practices), without consent, information that is secret, that has a commercial value due to that fact and that has been subject to reasonable steps, by the person lawfully in control of the information, to keep it secret (for instance, the execution of non-disclosure agreements). Current national legal provisions on trade secrecy, which are included in the Industrial Property Code – approved by Decree-Law No. 110/2018, of 10 December – have been subject to considerable revision and expansion, which is mostly related to the transposition of Directive (EU) 2016/943 of 8 June 2016, on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. The Directive brought substantial changes to the trade secrecy regime, notably on the protection criteria and the enforcement regime, which is expected to become clearer and more effective with the mentioned legislative change.

A computer platform usually also comprises a set of data, as well as visual interfaces. The data may also be protected as a database if the requirements set in law (Decree-Law No. 122/2000, which transposed Directive No. 96/9/CE, as amended, on the protection of databases) are met. Interfaces can further be protected by copyright under the Copyright Code (approved by Decree-Law No. 63/85, as amended) in their look and feel, screen display and individual visual elements, if they all meet the criteria to be protected (mainly, are 'creative'). Copyright protection, in this case, belongs to the employer or the person that orders the creation, if so established or if the name of the creator is not referred to in the work. In this case, the creator may require a special compensation if the creation exceeds the performance of the task or when the creation is used or brings benefits not included or foreseen in the creator's remuneration.

Fintech businesses collect, control and process vast amounts of personal data (including know-your-customer data) and, as a result, they are subject to data privacy rules.

These rules are, from 25 May 2018, the ones provided in the General Data Protection Regulation (GDPR) (EU Regulation No. 2016/679, of 27 April). The GDPR applies not only to Fintech companies established in the EU but also to companies established outside the EU, in case they have customers in the European Union and the processing of the customers' personal data is made in the context of the offering of services to those data subjects, irrespective of whether a payment of the data subject is required. The European Data Protection Board (EDPB) has clarified, in its Guidelines 3/2018 on the territorial scope of the GDPR, adopted on 16 November 2018, that the intention to target customers in the EU is key to assessing whether entities established outside the territory of the EU are subject to the GDPR.

In general, the processing of personal data requires the customer's consent. Pre-ticked opt-in or opt-out boxes will no longer be allowed, since consent must be expressed through a statement or by a clear affirmative action. The GDPR places onerous accountability obligations on data controllers to evidence compliance, which constitutes a major paradigm shift in the data protection regime. This includes, among others, conducting data protection impact assessments for more risky processing operations (such as those involving the processing of personal data that could be used to commit financial fraud), and implementing data protection by design and by default.

These general data protection rules are complemented by bank secrecy and AML rules, which fintech companies will have to observe when providing services to their clients.

Bank secrecy rules determine that disclosure of clients' personal data protected by bank secrecy (including cross-border transfers) is permitted only with prior customer consent or if the processing is necessary to obtain one of the following:

  1. compliance with a legal obligation to which the data controller is subject;
  2. the pursuit of the legitimate interests of the data controller or the third party or parties to whom the data is disclosed, except where such interests are overridden by the interests of the data subject; or
  3. the performance of a task carried out in the public interest.

In the past, the Portuguese Data Protection Authority had already ruled in a specific case that all personal data processed by a bank is subject to bank secrecy.

In the case of processing clients' data for the purposes of anti-money laundering reporting, the disclosure of specific relevant personal data is based upon the fulfilment of a legal obligation, and there is no need to obtain data subject consent. As the concept of 'client authorisation' under PSEMLF and the financial institution's legal framework differs from the concept of 'consent' under the GDPR, many banks and other financial institutions opt to collect clients' authorisation to disclose information covered by banking secrecy in the context of their general client terms and conditions.

Another important aspect of data processing in the context of fintech business is the definition of clients' profiles and business segmentation, as well as automated decision-making based on profiling. Automated decisions that produce effects concerning the data subject or that significantly affect him or her and are based solely on the automated processing of data intended to evaluate certain personal aspects relating to him or her are not permitted.

The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. Mainly, under the GDPR, one may only carry out this type of decision-making where the decision is either necessary for the entry into or performance of a contract or authorised by the EU or Member State law applicable to the controller, or, finally, based on the individual's explicit consent. Where one of these grounds applies, additional safeguards must be introduced, as well as disclosure of specific information about automated individual decision-making, including profiling. Lastly, there are additional restrictions on using special categories of data (such as health-related data or biometric data) for any processing of personal data, which can ultimately impact the way Fintech companies will implement Strong Customer Authentication mechanisms under the PSD2 Regulatory Technical Standards, as the Regulatory Technical Standards suggest the use of the payment service users' biometric data in that context.

Without prejudice to the above, Portuguese legislation implementing or densifying the GDPR is currently in preparation and may bring some additional adjustments or restrictions to the rules set out in the GDPR, notably concerning additional safeguards regarding the processing of financial data. The Portuguese Data Protection Authority (CNPD) has consistently ruled that financial data are sensitive data, in the sense that they reveal aspects of an individual's private life and, thus, said data should be protected under the Portuguese Constitution. This may prove influential in the final version of the Portuguese data protection implementing act and may affect fintech companies operating in Portugal or offering services to Portuguese customers.

VIII YEAR IN REVIEW

Fintech-specific regulation has seen major developments during the past 18 months, notably with the much-anticipated and long-delayed transposition of the PSD2 into Portuguese legislation. New players in the PISP and AISP business are expected to appear in the short to medium term, while some incumbent and traditional banks are also beginning to take advantage of the new framework and are starting to provide open banking services to their customers.

Additionally, the new AML law has also seen some developments with the entry into force of Notice 2/2018 of the Bank of Portugal, which sets out further regulation and specific standards regarding AML obligations to be observed by fintech companies (notably concerning reporting obligations, risk-based policies and KYC and onboarding procedures). As previously mentioned, the Bank of Portugal's notice clarifying the requirements for the remote onboarding procedure paves the way for a more dynamic approach to potential fintech customers and the emergence of new market players. However, market data shows that this possibility of using a videoconference as a way of complying with KYC obligations is mostly being used by banks owing to the technical and financial demands that such a procedure implies under the applicable regulation, although newcomers may take advantage of partnerships with third-party qualified trust service providers to go around the costly and demanding infrastructure that videoconferencing encompasses.

The crowdfunding sector is also beginning to take its first steps, with new platforms being registered and others in the middle of the registration and authorisation procedures, which boosts the fintech market in this area.

IX OUTLOOK AND CONCLUSIONS

The newly enacted PSEMLF transposing the PSD2 has approved a new and reformed legal framework for the majority of fintech companies currently operating in the Portuguese market, while simultaneously paving the way for new market players and new types of companies to enter the market and offer their products and services to both consumers and other businesses. It has also legally recognised third-party providers such as PISPs and AISPs, furthering the open banking ecosystem with the emergence of new companies, such as those providing payment initiation and account information services.

In parallel, crowdfunding investment schemes will also see an increase in both the number of entities operating in the market and the transaction volume associated with these types of investments, pursuing more democratic and decentralised equity and debt markets, as both the consumer market and the regulators themselves are beginning to be more aware and prone to the changes in the way some services are provided in the financial sector.

Regulation of the cryptocurrencies market has not yet been subject to public discussion or a more focused regulatory analysis by either the Bank of Portugal or the CMVM. Apart from some of the mentioned warnings issued by both entities, Portuguese regulators have adopted a 'wait and see' approach in this respect. As such, and despite the unpredictability of this issue – where opinions change and evolve at almost the same pace as the market itself – there is no envisaged change to the legal or regulatory status of cryptocurrencies other than the mentioned amendment to the AML Directive.

The Portuguese fintech market, which has observed a rather slow but steady development, shall greatly benefit from the PSD2 innovations. These may provide an incentive for regulatory and supervision authorities to look into this ever-evolving market more closely, whether by fostering innovation by means of friendlier regulation or by furthering the existing regulation into accommodating the new paradigm shift from traditional physical banking to an open and digital financial economy. Increasing the means of remote account opening, adapting the AML-related obligations to a digitalised reality, among others, may prove indispensable for the continuous evolution of the Portuguese fintech market.


Footnotes

1 Tiago Correia Moreira is a managing associate, Helena Correia Mendonça is a principal consultant, Conceição Gamito is a senior adviser and José Miguel Carracho is an associate at Vieira de Almeida (VdA). The authors would like to thank António Andrade (an of counsel in the IP department), Maria de Lurdes Gonçalves (a senior associate in the ICT department), Joana Branco Pires (a consultant in the tax department), David Paula and Sebastião Barros Vale (associates in the ICT department).

2 Following a study by the European Central Bank on 'Virtual Currency Schemes', of October 2012. The Bank of Portugal also reiterated, in 2014, that the use of virtual currency brings risks to consumers and, in 2015, advised banks to abstain from buying, detaining or selling virtual currencies (Circular Letter 011/2015/DPG, of 10 March 2015).

3 But, according to the EU Fintech Action Plan published on 8 March 2018, the Commission stated that 'the case for broad legislative or regulatory action or reform at EU level' on fintech issues is 'limited'. Despite this assertion, the Commission is set to assess 'the extent to which the legal framework for financial services is technology neutral and able to accommodate FinTech innovation, or whether it needs to be adapted to this end'. It further clarified, with relation to crowdfunding, that 'The EU framework proposed in this Action Plan will offer a comprehensive European passporting regime for those market players who decide to operate as European crowdfunding service providers.'

4 CJEU's case law C-264/14, from 22 October 2015 (Skatteverket v. David Hedqvist). In this case, the CJEU decided that the exchange of bitcoin for traditional currency qualifies as a supply of services for VAT purposes. As to the question of whether these transactions should be regarded as exempt supplies, the CJEU pointed out that bitcoin, being a contractual means of payment, cannot be regarded as a current account or a deposit account, a payment or a transfer. Moreover, unlike a debt, cheques and other negotiable instruments referred to in Article 135(1)(d) of the VAT Directive, bitcoin is a direct means of payment between the operators that accept it. Therefore, the CJEU ruled that transactions, such as exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT under the provision of Article 135(1)(e) of the VAT Directive. The CJEU did not expressly address the subject of whether the exchange of, for example, bitcoin for a different cryptocurrency should also be regarded for VAT purposes as an exempt supply of services under Article 135(1)(e) of the VAT Directive. However, in our view, the same reasoning applies and the answer should therefore be the same.

5 Binding Rulings 12904 from 15 February 2018 and 14763 from 28 January 2019.

6 Under the provision of Article 9(27)(d) of the Portuguese VAT Code (which corresponds to the transposition of Article 135(1)(e) of the European VAT Directive).

7 Binding Ruling 5717/2015 from 27 December 2016.