The Financial Technology Law Review: Italy


Fintech is radically innovating the way financial services are designed and offered and is rapidly transforming the structure of the financial industry. It represents an evolving phenomenon that involves several market segments (e.g., banking activities, payment services, virtual currencies, crowdfunding, peer-to-peer lending and investment services), and heterogeneous tools and techniques (e.g., robo-advice, distributed ledger technologies (DLT) and artificial intelligence (AI)).

The payment services sector appears to be the area that has experienced major developments as, following the Second Payment Services Directive's (PSD II's) entry into force and implementation within the Italian legal framework at the beginning of 2018, new business opportunities are offered to fintech companies. In this regard, 2019 witnessed the IPO of Nexi SpA, one of the Europe's biggest players in the payment services market. Marketplace lending represents another interesting phenomenon in the fintech area, not only for the registered growth rates in terms of volumes in the last few years, but also and especially for the innovative character of the business models deployed. Other developments are also taking place in the credit sector, securities trading and risk management.

Although the benefits of technological changes may take some time to fully materialise, innovation can contribute to reducing costs and information asymmetries, increasing efficiency and competition, and widening access to financial services. Market estimates indicate that investment in financial innovation has increased sixfold at the global level in the last five years. An increase in fintech investments has also been witnessed in the Italian market, although it is still modest compared with other European countries.

In this context, Italian competent authorities appear to be aware that fintech developments could deeply affect the ability of the financial industry to evolve and prosper. At the same time, they are also concerned about the risks that might emerge regarding consumer protection, among other things. Indeed, greater use of digital technologies, which raises the number of potential entry points for cyberattacks, can increase the financial system's vulnerability and generate institution-specific, financial and operational, and systemic risks.

From a regulatory perspective, despite efforts to arrive at a harmonised approach to fintech regulation, the current legal framework governing fintech is still largely incomplete. Moreover, doubts exist as to how to interpret existing rules, as fintech activities are often difficult to classify based on traditional principles.

The Italian government and competent authorities are thus developing an increasingly fintech-friendly environment. For instance, the Bank of Italy (BoI) has long been in contact with market operators offering innovative solutions: since 2017 it has had an innovation hub, 'FinTech Channel', on its website through which the BoI directly interfaces with operators in a digital environment to assess their compliance with legislation, identify potential problems and consider changes to the rules and procedures applied at national level.

Moreover, to ensure adequate protection of consumers, investors and the financial market in general, and to stimulate competition in the market, in 2019 the Ministry of Economy and Finance (MEF) was granted the power to adopt one or more regulations to set the conditions and methods for conducting trials concerning fintech activities aimed at pursuing service and product innovation in the financial, credit, insurance and regulated market sectors through new technologies (known as sandboxes). Simultaneously, a new fintech committee was established within the MEF to define the objectives and programmes and implement the actions necessary to foster fintech's development in Italy.

The BoI and the Italian Companies and Stock Exchange Commission (Consob) recently issued several regulations implementing the provisions introduced by the Italian government on blockchain, cryptocurrencies and crowdfunding, among other things (see Sections IV and V). Consob has also launched several initiatives, including a public consultation on crypto activities and initial coin offerings (ICOs) adopting blockchain technologies, as well as research programmes concerning robo-advice, blockchain, marketplace lending, and other fintech-related topics. The initiatives are aimed at understanding more about the aspects that can influence the financial system and at regulating the fintech phenomenon.2

Finally, with regard to tax incentives, fintech companies can benefit from, among other things:

  1. an innovative start-up regime, according to which – direct or indirect – investments in innovative start-up companies are partially deductible (if certain conditions are met);
  2. a patent box regime that provides for a 50 per cent exemption from corporate tax in relation to those incomes arising from direct use or licensing of qualified intangible assets (e.g, patents, know-how); and
  3. tax credit on research and development activities, according to which companies can benefit from a tax credit ranging from 6 per cent to 12 per cent (depending on the kind of expenses) of the R&D expenses (with a maximum cap).


i Licensing and marketing

Currently, no specific fintech licence or regulatory framework exists for fintech sector activities. The only exception is the management of crowdfunding portals, which is regulated by Article 50 quinquies of Legislative Decree No. 58 of 24 February 1998 (the Italian Financial Act) and Consob Regulation No. 18592 of 26 June 2013, which requires an authorisation for portal managers other than banks and investment firms (see Section IV).

As a general rule, specific authorisation is always required for activities that qualify as reserved activities under Italian law, regardless of the (technological) means used to carry out them. Therefore, fintech firms that perform banking activities, investment services and asset management activities (including robo-advice and digital asset and wealth management services), payment services or insurance activities are subject to the general Italian and European regulatory framework; thus, they must have obtained authorisation from the competent supervisory authorities (the BoI, European Central Bank, Consob and the Italian Insurance Supervisory Authority (IVASS)) and comply with the relevant legal framework (including prudential and governance requirements and business conduct rules).

Considering the absence of a clear and all-encompassing Italian regulatory framework applicable to fintech activities, the marketing of fintech products and services provided by regulated fintech entities is currently governed by the same rules applicable to any other regulated entity (e.g., Italian consumer protection law and BoI regulations on the transparency of banking and financial transactions and services).

With regard to credit information services, the Italian framework sets out different rules depending on the private or public nature of the credit information system. Notably, private information systems contain information on credits provided by participating companies, but registration is not mandatory for banks or financial intermediaries. Conversely, these intermediaries are required to enrol with the Central Credit Register,3 an information system regarding customers' risk position managed by the BoI, that is intended to, among other things, improve the quality of credit provided by intermediaries. The Central Credit Register can be accessed only by registered intermediaries and, on request, by individuals or entities. The register contains information on credit amounting to €30,000 or more.

ii Cross-border issues

In Italy, regulated activities can be carried out either through the establishment of a branch or under the regime of the freedom to provide services. As outlined in Section II.i, Italy has no ad hoc regulatory framework in place – or passporting procedure – that specifically governs the provision of fintech products and services. Therefore, if a fintech company intends to offer products or services in Italy that – regardless of the technology used – fall within the definition of a reserved activity, the company will need to comply with all the relevant regulations. More specifically, EU-licensed companies, regardless of their fintech nature, benefit from the passporting procedure set out by the main EU directives governing the provision of regulated activities (e.g., the Fourth Capital Requirements Directive,4 the Second Markets in Financial Instruments Directive (MiFID II), Solvency II, the Undertakings for Collective Investment in Transferable Securities Directive, the Alternative Investment Fund Managers Directive or PSD II). These passporting procedures require, among other things, a simple notification to the competent authorities of the home and host Member States, without, in principle, the need to obtain a local licence in the host Member State.

If non-EU companies wish to provide fintech products or services that fall within the definition of a reserved activity in Italy, they will need to obtain prior authorisation from the relevant Italian competent authority (the BoI, Consob or IVASS, depending on the type of activity).

Furthermore, companies wishing to actively market services and products in Italy might be required to obtain prior authorisation and meet specific requirements depending on, among other things, the type of services and products, the level of information provided on such services and products and whether the marketing activity is targeted at Italian residents.

In Italy, foreign exchange and currency controls are not subject to restrictions except for those concerning banknote circulation.5 Additionally, as a general rule, the Italian legal framework does not limit foreigners' rights to own Italian companies. However, if a foreigner wishes to acquire a significant holding in a supervised entity (e.g., bank, financial intermediary, investment firm or asset management company), specific rules set out in the Italian Banking Act and in the Italian Financial Act apply. These rules require the potential acquirer to, among other things, file a prior authorisation application with the relevant competent authority and meet specific integrity, fairness, transparency and professionalism requirements.6

Law No. 58 of 28 June 2019 granted Consob the power to order internet connectivity providers to deny access from Italy to foreign websites through which unauthorised financial services are offered. Since July 2019, more than 160 websites have been blocked to prevent licence abuse and guarantee adequate protection for retail investors.7

Digital identity and onboarding

The Italian government has been implementing a digital identity public system (SPID) through the Agency for Digital Italy (AGID) since 2016. SPID allows citizens (including those resident in other countries) to access (through personal login credentials) online services provided by public and private entities.

Personal login credentials for SPID are provided by private identity providers licensed by the AGID. Citizens are therefore free to decide which entity to entrust their digital identity. SPIDs can be implemented inside a business under a specific agreement with the AGID and an agreement with identity providers. Examples of both agreements are available on the government's website. Payment terms and conditions are set out in the agreement with the AGID and cannot be amended by the parties. Few private parties are currently implementing SPIDs because of the high cost of doing so.

Furthermore, banking and investment services providers can implement fully digitalised onboarding of clients, provided that additional requirements to the physical onboarding are met. These requirements, which are generally set out for the provision of banking and investment services through long-distance communication, mainly concern transparency (e.g., sending pre-contractual and contractual documents through a durable medium),8 anti-money laundering (AML) identification duties (e.g., double checking of identification data)9 and consumer's protection (e.g., client's right withdraw within 14 days from entering into the contract).10

An innovative remote video-identification procedure to meet customer due diligence requirements for AML purposes is now regulated by the BoI's regulation of 30 July 2019.11

Digital markets, payment services and funding

i Crowdfunding

A high-level definition of crowdfunding was recently introduced by Law Decree No. 34 of 30 April 2019 (converted into Law No. 58 of 28 June 2019): crowdfunding is the instrument through which a number of investors directly finance households and enterprises by means of online platforms.12

Nevertheless, Italy was one of the first countries in Europe to introduce specific legislation governing equity crowdfunding, which is laid down in the Italian Financial Act13 and Consob Regulation No. 18592 of 26 June 2013 (Crowdfunding Regulation).14 Under this legislation, the management of equity crowdfunding portals is limited to:

  1. investment firms and banks authorised to provide investment services, which are considered 'de facto managers' and require no specific licence; and
  2. portal managers other than those under point (a), which need to be duly authorised and enrolled on a special register managed by Consob.15

Moreover, equity crowdfunding portals may only be used to offer to the public financial instruments that are issued by small and medium enterprises (SMEs), innovative start-ups, collective investment schemes, social enterprises and companies that mainly invest in SMEs.

In this respect, Law No. 145/2018 (the 2019 Budget Law) amended the Italian Financial Act by introducing the ability to offer also debt instruments through crowdfunding portals, provided that this is carried out through a separate area of the portals and that these instruments are addressed only to professional investors and other categories of investors identified by Consob. With Resolution No. 21110 of 10 October 2019, Consob amended the Crowdfunding Regulation to align the secondary regulations with the new provisions in the Italian Financial Act. The Crowdfunding Regulation was further amended in 2020, through Consob Resolution No. 21259 of 6 February 2020, which (among other things) removed the obligation for portal managers to participate in an investor-compensation scheme but maintained the obligation to take out insurance to cover professional liability.

ii Debt financing and lending platforms

One main area in which Italian fintech companies are growing is debt financing, which includes lending activities and secondary market trading using online platforms.

More specifically, peer-to-peer lending and social lending have experienced rapid growth in recent years and represent one of the more mature fintech sub-sectors, even though no specific regulation governs them so far. At the end of 2016, the BoI clarified that peer-to-peer lending and social lending may fall under the definition of the following activities, which are reserved to duly authorised entities: lending, collection of savings and payment services.16

Additionally, the BoI defines lending-based crowdfunding as an activity carried out through an online platform that allows several parties to collect repayable funds and clarifies, among other things, that the following activities do not constitute 'collection of savings':

  1. managers of online platforms: if they receive funds to be held in payment accounts that can be used only to provide payment services by entities authorised to carry out payment services or to issue electronic money; and
  2. borrowers: if they acquire funds from:
    • individual lenders (following personalised negotiations) that are supported by the platform manager only to enable the execution of the agreement; or
    • entities subject to prudential supervision.

Law Decree No. 34/2019 (converted into Law No. 58/2019) introduced a high-level definition of social lending: the instrument through which a number of parties may request, through online platforms, repayable funds for personal use or financing for a project to a number of potential lenders (including institutional investors).17

Invoice lending and invoice trading are other businesses that an increasing number of online platforms are breaking into. Fintech firms involved in these activities adopt business models that normally require prior authorisation to operate as banks or financial intermediaries. However, limited cases exist of non-regulated fintech firms managing online platforms without entering into any lending agreements with the final customers.

With regard to trading loans on a secondary market, purchasing receivables qualifies as a lending activity that may be performed only by banks, financial intermediaries enrolled on the BoI's register under Article 106 of the Italian Banking Act, and alternative investment funds that invest in receivables.18 Furthermore, as to securitisations, special purpose vehicles may purchase receivables under a simplified procedure that reduces transfer costs. This also ensures that all charges and guarantees retain their validity and priority, without the need for any additional formality, provided that all notification duties are complied with.19

iii Payment services

Innovative payment services represent one of the most prominent and widespread fintech developments in Italy. The provision of payment services in Italy is subject to the BoI's prior authorisation under Article 114 novies of the Italian Banking Act.

Following PSD II's implementation in Italy with Legislative Decree No. 218/2017, the Italian Banking Act now includes two new payment services: payment initiation and account information services. In July 2019, the BoI amended its regulation on payment service providers to introduce rules on third-party providers (TPPs), which are typically payment initiation service providers (PISPs) and account information service providers (AISPs).20 PISPs and AISPs are fintech companies that must be duly authorised and comply with the regulatory framework on payment services; and must offer payment initiation and account information services by exploiting the new business opportunities provided by technological innovation. These new services require access to data and accounts held by credit institutions or other payment services providers. Therefore, each payment service provider with payment accounts accessible online (mainly banks) is now required to provide access – through at least one access interface – to their clients' data and accounts to other TPPs to enable them to carry out their business effectively. In line with the EBA's opinion of 16 October 2019,21 the BoI recently pointed out that the deadline for the migration to authentication approaches that comply with the EU framework on strong customer authentication22 has been postponed to December 2020.23

iv Collective investment schemes

Collective investment schemes are mainly regulated in Italy under the Italian Financial Act and its implementing regulations, which do not envisage any ad hoc provisions applicable to fintech entities falling under the definition of managers of collective investment schemes. Therefore, these fintech entities must comply with the general legal framework on asset management activities under the Italian Financial Act.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

In February 2019, Law No. 12/201924 introduced the definition of distributed ledger technology (DLT) to recognise the legal effects of electronic time stamps under Article 41 of EU Regulation No. 910/2014 and the storage of an electronic document through a DLT. Moreover, in May 2019 the AGID established a working group tasked with preparing the implementing technical standards providing the DLT requirements that ensure these transactions have legal effect, which are yet to be published.

These new provisions mark a significant step forward in developing blockchain technology in Italy and follow Italy's subscription to the European Blockchain Partnership Initiative in September 201825 and the signing of the Southern European Countries Ministerial Declaration on Distributed Ledger Technologies in December 2018.26

With regard to virtual currencies, the first relevant and binding definition of virtual currency was introduced by Legislative Decree No. 90/2017, which implemented Anti-Money Laundering Directive (AMLD) IV and amended Italian AML law (Legislative Decree No. 231/2007 – the AML Decree). The AML Decree was subsequently further amended by Legislative Decree No. 125/2019, which implemented AMLD V in Italy.

Virtual currency is now defined as:

the digital representation of value, not issued nor guaranteed by a central bank or a public authority and not necessarily linked to a value having a legal tender, that is used as a means of exchange for the purchase of goods and services or for investment purposes and that is transferred, stored and traded through electronic devices.27

The AML Decree also provides ad hoc definitions of virtual currency service providers and digital portfolio service providers. A virtual currency service provider is:

any natural or legal person who provides to third parties, in a professional manner, also online, useful services to the use, exchange, storage of virtual currency and to their conversion from or into legal tender currencies or into value digital representations, including digital representations convertible into other virtual currencies as well as issue, offer, transfer and compensation services and any other functional service to the acquisition, negotiation or brokerage in the exchange of the same currencies.28

Moreover, a digital portfolio service provider is:

any natural or legal person who provides to third parties, in a professional manner, also online, private cryptographic key safeguarding services on behalf of their clients, in order to hold, store and transfer virtual currencies.29

Under the AML Decree, these providers are subject to specific notification and enrolment requirements, which will be set out in a decree from the MEF (currently available only in its draft version).30 Once this Decree enters into force, virtual currency service providers will be required to:

  1. notify the MEF of the commencement of their activities; and
  2. enrol with a special section of the currency exchangers' register.

Failure to comply with the notification duty under point (a) may result in the application of specific administrative penalties.

Additionally, the AML Decree, as amended by Legislative Decree No. 125/2019, extends AML compliance obligations (i.e., customer due diligence, storage of data, notification of suspicious transactions and abstention in case of impossibility to carry out the customer due diligence) to providers engaged in services related to the use of virtual currency and to digital portfolio service providers.31 This extension – and in general the application of AML duties to parties operating in the cryptocurrencies and tokens field – has raised concerns, at both European and national level, owing to the volatility of virtual currencies.32

The above definition of virtual currencies first appeared in a communication published by the BoI in 2015,33 which contained clarifications of the characteristics of virtual currencies; and, in line with the European Banking Authority (EBA),34 a warning about the use of these currencies, as they could result in a breach of Italian regulations with the risk of criminal penalties.35

In 2018, the BoI issued another communication declaring its adherence to the European Supervisory Authorities (ESAs) warning on virtual currencies36 and discouraging Italian banks, other supervised entities, and consumers from buying or selling virtual currencies following several scandals involving cryptocurrencies.37 The BoI also highlighted that several non-regulated entities are involved in trading virtual currencies and, as they are not subject to AML regulations, their activity could pose risks. Moreover, Consob published a consumer warning regarding the cryptocurrencies-related risks.38 Additionally, in 2018 Consob adopted several measures regarding companies that offer investments in cryptocurrencies and initial coin offerings (ICOs), qualifying their activity as public offering of financial products (i.e., financial instruments and any other form of financial investment)39 without the necessary prior authorisation.40 Furthermore, in March 2019, Consob published a discussion paper for consultation at national level on the possibility of regulating cryptoassets and ICOs. The discussion paper resulted in the publication of a final report in January 2020 that addresses the main issues raised by recipients.41

As of today, there are no specific tax provisions governing cryptocurrencies in Italy. However, the Italian tax authority has recently issued some resolutions providing preliminary guidelines on the tax treatment of cryptocurrencies.

According to the Italian tax authority, any gains deriving from the disposal or the conversion of cryptocurrency shall be treated as foreign currencies and therefore:

  1. individuals shall be taxed – at 26 per cent tax rate – if, during the fiscal year and for at least seven consecutive days, the threshold of ownership of cryptocurrency exceeds €51,645.69; and
  2. companies are subject to tax under the general corporation tax regime for profits and losses (currently, corporate income tax rate is 24 per cent).

With reference to VAT, the Italian tax authority is aligned with the position of the European Court of Justice – the Skatteverket case (C-264/14) – according to which, cryptocurrency trading is a commercial activity that falls within the scope of VAT but shall be considered as exempt from VAT by virtue of Article 135(1)e of the VAT Directive, which deals with currency-related transactions.

The Italian tax authority has also provided some guidelines with reference to the 'utility token' (those that enable the token's holder future access to the products or services offered by the token's issuer or a third party). These financial instruments are assimilated to 'vouchers' from the token's issuer perspective and, as such, are taxed when the goods (or services) are transferred to the token's holder. Any gains deriving from the disposal of utility token are subject to tax in the hand of the holder; the latter could be either an individual or a company. In the first case, the relevant gains are subject to 26 per cent tax rate, otherwise they are subject to corporate taxation at a 24 per cent tax rate.

Digital assets

Other new business models

Law No. 12/2019 also introduced the definition of smart contracts as part of DLT. Indeed, smart contracts are defined as 'a computer program that works through distributed ledger technology and whose performance automatically binds two or more parties based on effects defined by the parties themselves'.

Smart contracts on a DLT are considered entered into in writing if the AGID's guidelines are complied with. However, the AGID has yet to issue any such guidelines. Moreover, to ensure that smart contracts are concluded in writing, an electronic signature system that is able to identify the parties must be in place. The system must be an advanced electronic signature or a qualified one; both are envisaged by European Regulation No. 1999/93 and Italian Legislative Decree No. 82/2005.

Thus, smart contracts are currently specifically defined as operating only through a DLT, but this does not mean that their use is prohibited elsewhere. Indeed, smart contracts are generally defined as:

an automatable and enforceable agreement. Automatable by computer, although some parts may require human input and control. Enforceable either by legal enforcement of rights and obligations or via tamper-proof execution of computer code.42

Unless specifically prohibited, smart contracts can be used provided they meet the certainty requirements set out by law.

In general, fintech encompasses a wide range of financial services and products that intersect with technology. Banks and other traditional players are gradually evolving their business models by increasing the level of their services. Innovations related to, among other things, mobile and digital payments, cloud computing, data governance and risk management software have increased the efficiency of banking activities and allow cost reductions regarding the material provision of some services. Indeed, banks are reducing their territorial presence in favour of more digitalised business models. Although the effects of digitalisation in an economy based on territorial rooting are yet to be proven, several banks have started to develop full-service banking businesses almost exclusively based on digitalised platforms.43 Furthermore, to accelerate this process, many banks are collaborating with existing fintech companies (through partnerships or acquisitions of a stake in these companies) to immediately acquire the know-how needed to implement digitalised business models.44

At the same time, fintech companies frequently need to rely on banks or other supervised entities to implement business models – such as digital payments or financing platforms – that require authorisation from the competent supervisory authorities. In this respect, the main regulatory issue raised by new digitalised services performed by fintech companies concerns identifying those businesses that could fall within the scope of reserved activities, particularly if these businesses are operated without reliance on supervised entities.

In this context, social lending and digital lending platforms represent a new funding model for individuals and SMEs that sometimes face difficulties in accessing traditional bank funding. In these cases, the transfers between lenders and borrowers are carried out through a digital platform, thereby reducing the costs associated with the traditional financial intermediation of banks and increasing the remuneration deriving from lending activities (see Section IV).

The range of fintech products and services also covers the use of artificial intelligence to support the entire investing process (e.g., robo-advice and algorithmic trading). In this respect, although robo-advice is not expressly regulated under the Italian legal framework, from a regulatory standpoint, it could fall within the definition of investment advice (see Section II.i). On this basis, it could therefore be considered a reserved activity that only duly authorised subjects are permitted to carry out and that must comply with the Italian regulatory framework on investments services.45 As to algorithmic trading, under the Italian Financial Act46 and Consob Regulation No. 20249 of 28 December 2017, banks and investment firms can engage in algorithmic trading or high-frequency algorithmic trading, thus operating with minimal or no human intervention, subject to notification and recording duties to Consob.

Consob recently published its Strategic Plan for 2019–2021,47 which includes several initiatives to assess the impact of digitisation on financial intermediation processes (including robo-advice) with the aim of promoting innovation while ensuring investor protection. Moreover, to promote and support entrepreneurship, stimulate market competition and ensure adequate protection of consumers, investors and the capital market, the MEF was recently granted the power to adopt one or more regulations to define the conditions and methods for conducting trials concerning fintech activities (known as regulatory sandboxes).48 Simultaneously, a new fintech committee was established within the MEF to implement the actions necessary to foster fintech's development in Italy.49

Cyberattacks are one of the main emerging risks associated with the use of technology in financial services. To address this issue, Legislative Decree No. 65 of 18 May 2018 implemented Directive (EU) 2016/1148 concerning measures for a high common level of security for network and information systems across the European Union. In addition, the BoI and Consob recently agreed to adopt a common cyber-resilience strategy for Italy's financial market infrastructure to improve financial security and business continuity.50 In line with this, in 2016 the BoI and the Italian Banking Association (ABI) sponsored the establishment of the Italian Financial Cybersecurity unit,51 which coordinates information sharing and cyber-threat intelligence among participating financial companies, allowing them to share critical information and enhance the awareness of cyber risk beyond what would have otherwise been possible within the confines of their own organisations.52

As to websites comparing financial products offered or providing information about the financial products themselves, there are no specific privacy provisions or competitive rules, but these legislative provisions can be relevant. In addition, websites covering the insurance sector feature tight regulation that requires comparison websites to be authorised by IVASS,53 as also provided by the Insurance Distribution Directive.54 Conversely, banking and financial fields do not include any ad hoc regulation for third-party product-comparison, if no banking or financial products marketing is carried out.

Intellectual property and data protection

It is essential for fintech businesses to generate the most possible value from the innovative and technological tools and systems they use. Therefore, protecting these tools and systems with intellectual property rights when possible is extremely important.

Software patentability is generally excluded because software cannot be considered an invention per se (Article 45 of the Italian Industrial Property Code). Although software is sometimes patent eligible, patents are excluded in most cases in the fintech field. However, Italian law envisages software safeguards through copyright protection (Article 64 bis of the Italian Copyright Law), which is granted if the software meets the creative requirements set out in the copyright law.

Fintech businesses are increasingly using open-source software or standard software as a base on which to develop customised solutions for their businesses. In these cases, attention must be paid to the presence of copyleft clauses that often impose to disclose the source code of the developments made. According to the applicable terms, obligations to disclose may vary.

Furthermore, business knowledge can be protected as a business secret. This protection ensures that no-one can use secret information developed for business purposes. The fact that the information is secret ensures protection is granted.

Specific rules must be set out in agreements between parties to ensure that the owner of the IP rights over any invention or software created under a contractual relationship is clear.

The following rules apply to employment relationships:

  1. inventions by the employee in performing his or her work duties: the employer is the owner of IP rights over the employee's inventions;
  2. inventions by the employee in performing his or her work duties, even if invention is not a specific work duty: the employer is the owner of IP rights over the employee's inventions, but the employee has the right to be fairly remunerated for the invention; and
  3. inventions by the employee outside his or her work duties, but connected with the employer's field of business: the employee is the owner of IP rights over the inventions, but the employer has a pre-emptive right over the inventions.

In the fintech field, it is necessary to ensure that personal data is lawfully processed in compliance with European Regulation 2016/679 (General Data Protection Legislation – GDPR, which came into force on 25 May 2018) and Italian legislation (specifically Legislative Decree No. 196/2003, the Privacy Code, recently amended by Legislative Decree No. 101/2018). Indeed, sensitive information relating to the financial assessment of natural persons are frequently processed, and a large amount of correct information is gathered to ensure the legal obligations imposed on financial intermediaries are met. The legal obligations deriving from MiFID II and from AML legislation are a prime example. Both require that information be gathered to profile clients and conduct risk analysis to provide the most profitable investment portfolio for both financial intermediaries and clients. Although profiling is mandatory by law, the GDPR must be complied with, particularly information and transparency duties that require disclosure of the rules governing the profiling system if requested by the data subject or client. This is a very sensitive area because complying with the data subject's right could contrast with the legal entity's right to protect business information and keep it secret.

Big Data plays a strategic role in the fintech field and, to ensure business growth, fintech businesses need to have access to advanced technology and well-structured databases. Credit and commercial information systems also play a strategic role in this sector by providing information and thus meeting fintech operators' business needs. The activities performed by these systems are regulated by law and, within the privacy legislation, by specific codes of conduct. It must be underlined that large differences exist between the two information systems. As outlined in Section II.i, credit information systems can be public (i.e., the Central Credit Register managed by the BoI) or private, and only financial intermediaries (and other entities under the BoI's control) may supplement the databases and ask for information to be extracted from the databases. Conversely, commercial information systems provide information collected from public sources and are available to the public. Commercial information systems are thus clearly fundamental for payment institutions and, especially since PSD II's entry into force, their importance in the fintech field continues to increase. In 2019, the Italian Data Protection Authority issued specific codes of conduct for the processing of commercial and credit information providing, inter alia, for strict regulation of credit-score databases, modalities and time limits for the collection and preservation of log files regarding banking transactions.

Year in review

As the results of a recent survey launched by the BoI and published in December 2019 show,55 financial sector players' interest in fintech continues to grow. The BoI report highlights, among other things, that the Italian financial system has planned investments in fintech projects for a total of approximately €390 million for 2019–2020. These include collaborations with existing fintech companies (in the form of partnerships or acquisition of a stake in these companies), technologies that improve the efficiency of internal controls systems, open banking and payment services, technologies that facilitate the conclusion of cross-border transactions, robo-advisers, crowdfunding, cloud computing, cybersecurity, AI, DLT and smart contracts.

Traditional financial institutions such as banks or insurers no longer regard fintech companies as competitors, but rather increasingly view them as potential partners in developing and improving new or existing business models. In fact, traditional financial operators are responding with the following strategies to adapt their current market demands:

  1. development of platform services;
  2. acquisitions of, or partnerships with, fintech companies; and
  3. creation of pure digital banks.

A significant number of projects have been launched or are about to be launched in Italy. Non-banking intermediaries have focused their attention on the same needs, demands and issues that banks are concerned with. However, their involvement in investment projects is still limited from a quantitative standpoint,56 with the focus currently being mainly on payment services, new forms of financial intermediation, high-frequency trading, robo-advice and crowdfunding.

Against this backstop, the Italian regulatory framework has undergone significant reforms that have impacted the fintech sector. More specifically, throughout 2019 and 2020, the following regulations (among others) were issued or placed under consultation to comply with the EU framework and establish a fintech-friendly environment:

  1. the amended version of the BoI's supervisory instruction to payment institutions was published in July 2019 to implement PSD II (see Section IV.iii);
  2. Consob Regulation No. 18592 of 26 June 2013 on crowdfunding was amended and supplemented in October 2019 and February 2020 to implement the new provisions introduced by the 2019 Budget Law and by Legislative Decree No. 165/2019, which amended the Italian Financial Act (see Section IV.i);
  3. Law No. 12/2019 introduced the definitions of DLT and smart contracts (see Section V);
  4. the BoI's provisions on customer due diligence duties for AML purposes were published in July 2019 (see Sections III and V);
  5. Legislative Decree No. 125/2019 amended the AML Decree by introducing the definition of digital portfolio service providers and modifying the definitions of virtual currencies and virtual currency service providers (see Section V);
  6. Law Decree No. 34/2019, converted into Law No. 58/2019:
    • introduced a regulatory sandbox in Italy and established the fintech committee within the MEF (see Section VI); and
    • provides high-level definitions of crowdfunding and social lending (see Sections IV.i and Section IV.ii);
  7. a public consultation launched by Consob on ICOs and crypto activities took place between May 2019 and January 2020 (see Section V); and
  8. a public consultation launched by the MEF in February 2020 on a draft decree providing the implementing provisions of the regulatory sandbox and the fintech committee introduced by Law No. 58/2019 (see Section VI).

At the European level, following the 2018 action plan on how to harness the opportunities created by technology-enabled innovation in financial services, in December 2019 the European Commission placed two proposals under consultation, one concerning the establishment of an EU framework for markets in cryptoassets57 and the other a digital operational resilience framework for financial services.58 Moreover, in December 2019, the expert group on regulatory obstacles to financial innovation delivered its final report to the European Commission, which outlines 30 recommendations on regulation, innovation and finance.59

Finally, the EBA published several reports throughout 2019 and some in 2020 on, for example, cryptoassets, regulatory sandboxes and hubs, the impact of fintech on payment institutions and e-money institutions' business models, the authorisation approaches in relation to fintech activities, and the development, implementation and adoption of Big Data and advanced analytics.60

Outlook and conclusions

Technology-enabled innovation in financial services is fast developing and offers numerous advantages. Indeed, fintech opened financial intermediation and credit markets to new players, which is bound to change the way traditional intermediaries operate. Moreover, fintech has the potential to, among other things:

  1. increase efficiency and reduce costs;
  2. improve access to, and provision of, financial services;
  3. enhance the customer experience; and
  4. create markets for new and innovative financial services and products.

As technology continues to break down the barriers to entry in the bank and financial services markets, banks and other regulated entities are reacting to this changing environment and adopting online banking offerings. This involves them shifting the distribution of their standard services to online platforms via multichannel networks, thereby reducing the number of physical branches, which allows the remaining branches to specialise in high value-added services (e.g., private banking, corporate finance and advisory).

Technology is being leveraged to improve the efficiency of middle- and back-office processes, and to provide more effective risk management tools. Fintech technologies and products offer a wide range of possibilities, and can be instrumental in improving the quality of services offered to clients and give market players an important competitive edge. They can also present further opportunities to fully exploit the advantages of an integrated European financial services market, since they facilitate the distribution of retail products and services on a cross-border basis.

Fintech may also mean that old risks take new forms and that new (substantially increased) risks, such as cyber-risks, arise. As mentioned in Section VI, the BoI and Consob recently agreed to adopt a common cyber-resilience strategy for Italy's financial market infrastructure to improve the financial security and business continuity.

A wide variety of fintech businesses are currently operating in Italy in almost every sub-sector of the fintech industry. According to the most recent information, almost 300 fintech companies are based in Italy, and this number continues to grow. Crowdfunding is the largest sub-sector of the fintech industry, followed by payment services, asset management, blockchain, virtual currencies, insurance and peer-to-peer lending. A wide range of innovative fintech solutions have recently been developed in the Italian payment services sector, mainly through apps that provide alternatives to traditional banking channels. The local insurance and asset management sectors are also very interested in fintech solutions. Domestic banks have also started seeing fintech as a way to innovate their everyday business, and have made investments that take advantage of fintech solutions in relation to open banking, cloud computing, AI, robo-advice, automated systems aimed at increasing the efficiency of internal procedures governing banking and financial services' compliance, and audit and AML functions, among others.

Combined with the increasing interest expressed by the European and Italian regulators in the sector, fintech will likely be thoroughly regulated in the short- or medium-term. The European Commission recently took steps in this direction by placing two proposals under consultation, one concerning the establishment of an EU framework for markets in cryptoassets and the other a digital operational resilience framework for financial services (see Section VIII).

Further regulatory changes also arrived with the entry into force of the GDPR and the PSD II. The most significant disruption to the global financial sector is still expected to be from ledger technologies such as blockchain. Although the use of this type of technology is not yet widespread, it is expected to emerge in Italy in many areas and, in light of the newly introduced definitions of DLTs and smart contracts, looks set to go beyond cybersecurity and cryptocurrencies.

Finally, although the macro-economic consequences of the covid-19 outbreak and its impact on the Italian financial sector are yet to be seen, innovation and technology are proving to be extremely helpful in addressing the issues arising from the spread of the coronavirus. This will no doubt bring future benefits also in terms of greater exploitation of high-tech activities and services.


1 Giuseppe Rumi, Federico Vezzani and Tommaso Faelli are partners at BonelliErede.

2 See, for example, the series of contributions and documents dedicated to fintech launched by Consob, in collaboration with the main Italian universities, in March 2018.

3 The rules on BoI's Central Credit Register are set out in BoI Circular No. 139 of 11 February 1991, as subsequently amended and supplemented.

4 As recently amended by Directive (UE) 2019/878.

5 e.g., the cross-border transport limits on physical currency and its equivalents (no more than €10,000) and limits on cash payments (no more than €3,000).

6 See, for example, Article 25 of the Italian Banking Act and its implementing regulations.

7 Data as of 1 March 2020. Source: Consob website.

8 See: (1) BoI's transparency provisions of 29 July 2009, as subsequently amended, for banking and payment services; and (2) Consob's Intermediaries Regulation No. 20307 of 15 February 2018, for investment services.

9 See the BoI's regulation of 30 July 2019 on customer due diligence.

10 See Legislative Decree No. 206 of 6 September 2005 (Italian Consumers Code).

11 See Annex 3 to the BoI's regulation on customer due diligence published in July 2019 after a public consultation started in April 2018.

12 See Article 18, Paragraph 4, of Law Decree No. 34/2019.

13 As amended by Law Decree No. 179/2012, converted into Law No. 221/2012.

15 Currently, there are 37 portal managers enrolled on the register managed by Consob.

17 See Article 18, Paragraph 4, of Law Decree No. 34/2019.

18 See Article 106 of the Italian Banking Act.

19 See Article 4, Paragraph 1, of Law No. 130 of 30 April 1999 and Article 58 of the Italian Banking Act.

20 See the BoI regulation on payment institutions and electronic money institutions of 23 July 2019.

21 See EBA's opinion on the deadline for the migration to strong customer authentication for e-commerce card-based payment transactions:

22 See Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing PSD II regarding regulatory technical standards for strong customer authentication and common and secure open standards of communication.

24 That converted into law, with amendments, Law Decree 14 December 2018, No. 135.

27 See Article 1, Paragraph 2, let. qq) of Legislative Decree No. 231 of 21 November 2007, as amended by Legislative Decrees No. 90 of 25 May 2017 and No. 125 of 4 October 2019.

28 See Article 1, Paragraph 2, let. ff) of the AML Decree.

29 See Article 1, Paragraph 2, let. ff bis) of the AML Decree.

30 In January 2018, the MEF published a decree for consultation setting out the timing and conditions for the notification of the commencement of virtual currency activities by service providers. However, the final version of this decree has yet to be published.

31 See Article 3, Paragraph 5, let. i) and let. i bis) of the AML Decree.

32 Indeed, the volatility of virtual currencies and the difficulties in identifying the virtual wallet's owner appear inconsistent with AML duties (see, for example, Question No. 3-2018/B of the Italian National Council Notaries).

34 See EBA warning on the use of virtual currencies at the following link:

35 See Articles 130 (abusive activity of collection of savings), 131 (abusive banking activity) and 131 ter (abusive provision of payment services) of the Italian Banking Act, and Article 166 (abusive provision of investment services) of the Italian Financial Act.

37 i.e., the bankruptcy of the well-known Japanese exchange facility MtGox and, more recently, in January 2019, the bankruptcy of the Italian company BG Services S.r.l., which managed the BitGrail exchange in Nano cryptocurrency.

39 In several resolutions and communications Consob clarified that 'any other form of financial investment' refers to investments that include: (1) the use of capital; (2) an expectation of return; and (3) the related risk. See, among other things, Consob Communication No. DEM/3082035 of 19 December 2003 and Consob Resolution No. 14422 of 13 February 2004.

40 See, for example, Consob Resolutions No. 20693 of 14 November 2018, No. 20741 of 12 December 2018 and No. 21148 of 13 November 2019, whereby Consob suspended an offer of tokens and an offer of virtual currencies under Article 99 of the Italian Financial Act.

42 Smart Contract Templates: foundations, design landscape and research directions; Christopher D Clack, Vikram A Bakshi, Lee Braine; arXiv:1608.00771v3 [cs.CY], 15 March 2017.

43 See, for example, Buddybank (the digital bank powered by Unicredit), CheBanca! (part of Mediobanca's group) and Widiba (part of MPS group).

44 See, for example, the partnership between UBI Banca (the fourth largest Italian bank) and Fabrick, a fintech company specialised in open banking services and the acquisition by DEPObank of a controlling stake in PrestaCap, a digital lending platform.

45 See Consob Regulation No. 20307 of 15 February 2019.

46 See Article 67 ter of the Italian Financial Act.

48 See Article 36, Paragraph 2 bis, of Law Decree No. 34/2019.

49 See Article 36, Paragraph 2 octies, of Law Decree No. 34/2019.

52 Recently, Consob also adhered to the Italian Financial Cybersecurity unit. See the press release of 3 December 2019:

53 See Articles 106 and 108 of Legislative Decree No. 209 of 7 September 2005.

54 See Article 2, Paragraph 1, No. 1 of Directive 2016/97/EU.

56 For example, the BoI survey of December 2019 highlighted that the investments in fintech made by Italian asset management companies and Italian investment firms represent less than 1 per cent of the overall amount of investments made by financial sector's incumbents.

Get unlimited access to all The Law Reviews content