The Financial Technology Law Review: Portugal
The regulatory treatment of fintech-related matters in Portugal greatly depends on the legal qualification of the different types of fintech companies or the products and services being offered.
The main legal and regulatory fintech concerns are those directed at payment services and e-money related activities, as well as at crowdfunding platforms. The two current major categories of fintech companies are payment services institutions and e-money issuers, both regulated under Decree-Law No. 91/2018, of 12 November, enacting the Payment Services and E-Money Legal Framework (PSEMLF), which transposed Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (the PSD2) into the Portuguese legal framework. The PSEMLF, in light of the PSD2 transposition, also created the necessary regulation for third-party providers such as Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) to enter the Portuguese market. Crowdfunding platforms, in turn, are regulated by Law No. 102/2015 of 24 August and Law No. 3/2018 of 9 February, as well as by Portuguese Securities Market Commission (CMVM) Regulation 1/2016 and Ministerial Order No. 344/2015 of 12 October.
The Portuguese legislator and regulatory authorities' approach to fintech has been somewhat neutral, which resulted in the late transposition of Payment Services Directive 2 (PSD2) (a delay of almost a year from the deadline of 13 January 2018). As of now, there is also no legal regime for testing financial technology under a sandbox arrangement. The same is true from a tax perspective, where no specific Portuguese legal regime exists on tax incentives for fintech-related matters.
Notwithstanding this, the Portuguese financial regulators (i.e., the Bank of Portugal, the CMVM and the Insurance and Pension Funds Authority) have recently implemented the Portugal FinLab programme, now in its second edition, with the purpose of establishing an easily accessible communication channel between entrepreneurs and emerging companies and the financial regulators, aimed at supporting the development of fintech businesses and helping companies navigate the legal and regulatory challenges and concerns raised by the regulators. There has also been increased interest in these matters from the regulators, which have participated in fintech-related conferences and disclosed information released during these conferences on their websites.
i Licensing and marketing
The PSEMLF sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers as well as PISPs and AISPs, all being subject to the Bank of Portugal's supervision. To that effect, certain mandatory legal documentation must be filed with the Bank of Portugal, including, inter alia, draft by-laws, business plan, share capital commitment, corporate structure and beneficial ownership, the managers' identification and fit and proper documentation, as well as corporate governance and internal compliance models and procedures. Current minimum statutory share capital requirements applicable to payment institutions range from a minimum of €20,000 to €125,000 (depending on the type of services provided), with a minimum of €350,000 for e-money institutions. PISPs are required to have a minimum statutory share capital of €50,000, and AISPs are required to take out an insurance policy or other similar guarantee scheme covering their activity in Portuguese territory in the case of breach or unauthorised access to data.
All marketing and advertising carried out by these entities must abide by the general rules applicable to marketing and advertising by banks and other financial institutions. This means that, among other requirements, all marketing and advertisement products and materials must clearly identify the offering or advertising entity while ensuring that the main features and conditions of the marketed products or services are easily perceived by targeted consumers.
The PSEMLF provides for an extensive list of products and services that may only be offered or rendered by either payment or e-money institutions, as well as PISPs or AISPs. This means that, in practice, considering the nature and business model of most fintech companies and the services they offer, such entities will have to qualify under Portuguese law as one of these entities (an entity securing an e-money licence may render all services regulated under the PSEMLF, provided it applies for authorisation to that effect when registering with the Bank of Portugal), and must thus comply with its regulatory framework.
As regards crowdfunding platforms, Portuguese law sets out the requirements and conditions for the corporate entities managing crowdfunding platforms, which are subject to the CMVM's supervision when they are either collaborative equity-based or loan-based platforms. These entities are subject to prior registration and authorisation with the CMVM. The submission shall be accompanied by the relevant required documentation, which includes, inter alia, the corporate details, structure and beneficial ownership, managers' identification and fit and proper documentation, business plan and model, an indication of whether it should be considered a financial intermediary or an agent thereof, as well as evidence of compliance with the minimum financial requirements. Upon registration these minimum financial requirements must be either (1) a minimum share capital of €50,000; (2) an insurance policy covering a minimum of €1 million per claim, and a minimum of €1.5 million in aggregate claims per year; or (3) a combination of both (1) and (2) that ensures similar coverage.
ii Cross-border issues
Payment or e-money institutions based abroad may render their services in Portugal, subject to prior authorisation and registration with the Bank of Portugal. The applicable requirements and procedures may vary according to the state of origin, as entities based in EU Member States may choose to render their services in Portugal either through a branch registered in Portugal, through authorised agents based in Portugal (notably in what concerns e-money distribution) or under a licence granting them the freedom to provide services.
Should the applying entity be based in a third-country state, it shall incorporate a branch or, alternatively, incorporate a legal entity subsidiary in Portuguese territory (following the relevant, though more demanding, procedure).
In relation to crowdfunding platforms, no cross-border regime has yet been enacted under either European or Portuguese law; the lack of a passporting regime requires foreign crowdfunding platforms interested in acting in the Portuguese market to complete the Portuguese registration process with the CMVM (adjusting, for that purpose, the relevant internal documents to meet the Portuguese law requirements) in order to obtain the required local registration. This has been the process applied by the CMVM to cross-border crowdfunding platforms acting in Portugal that are registered both with the CMVM and with the competent authority of their home Member State. The latest news in this respect indicates that the CMVM will likely wait for the next developments in the proposed European regulation on crowdfunding service providers, which, among other matters, envisages a more harmonised and standard approach to cross-border activities by these entities.
Digital identity and onboarding
Portuguese citizens must have a citizenship card containing data relevant for their identification (such as full name, parentage, nationality, date of birth, gender, height, facial image and signature). This card also includes the civil identification number, the taxpayer number, the user number for health services and the social security number (Law No. 7/2007, which creates the citizenship card, as amended). The citizenship card proves the identity of its holder before any public and private authorities and entities, through two mechanisms:
- by means of reading the visible elements of the card, together with the optical reading of a specific area of the card intended for such reading (this reading is, however, reserved mainly to entities or services of the state or public administration); and
- by means of electronic authentication.
The citizenship card further allows its holder to unambiguously authenticate the authorship of electronic documents by means of an electronic signature. The card contains a chip where additional information is available, such as address and fingerprints – it is in this chip that the certificates for secure authentication and for the qualified electronic signature are stored. Hence, the holder of a Portuguese citizenship card has two digital certificates: one for authentication and another for e-signature. However, while the authentication certificate is always activated when the card is delivered to its holder, activation of the e-signature certificate is optional, and can only be done by citizens who are at least 16 years old. A citizen who wishes to use the certificates shall enter his or her PIN in the device requesting or permitting the use of such authentication (or signature) method.
Law No. 7/2007 expressly refers to Regulation 910/2014 on electronic identification and trust services for electronic transactions (the eIDAS Regulation), indicating that the provisions therein established apply to the certificates. Portuguese law on the citizenship card thus already acknowledges the eIDAS Regulation. However, when it comes to trust services, especially e-signature, Decree-Law No. 290-D/99, as amended, continues to be the legislation containing the details on e-signature.
It is important to also note that the certificates of the citizenship card are subject to the legal and regulatory rules of the Portuguese State Electronic Certification System (approved by Decree-Law No. 116-A/2006). This system aims to guarantee the electronic security of the state and the strong digital authentication of electronic transactions among the services and bodies of the public administration, as well as between the state and the citizens and companies.
In addition, Law No. 37/2014, as amended, created the 'digital mobile key', which is an additional and voluntary means (1) of authentication in portals and sites of the public administration and (2) of qualified electronic signature in the terms indicated in the eIDAS Regulation. All citizens may request the association of their civil identification number with a mobile phone number or an email. Foreign citizens without a civil identification number may also request such association, which is done through their passport number, their tax identification on residence permits (or other documents as indicated in the regime for entry, stay, exit and expulsion of foreigners from the national territory) or their residence card. The digital mobile key is a system for secure authentication comprising a permanent password and a numerical code issued for each use and generated by the system.
Financial service providers, including payment institutions and e-money institutions, may carry out fully digitised onboarding of clients, including, as of recently, by using videoconference procedures.
The Bank of Portugal's Notice No. 2/2018 allows financial institutions to make use of remote onboarding procedures while complying with the know your customer (KYC) requirements set out under the applicable AML framework. Currently, admissible remote onboarding procedures under applicable AML law and Notice 2/2018 are videoconferencing and other means of KYC and onboarding procedures carried out by qualified trust service providers (the latter being compliant with the framework set forth under Regulation (EU) No. 910/2014).
The Portuguese Data Protection Authority (CNPD) has consistently ruled that companies may only reproduce or take and keep a photocopy of a Portuguese citizenship card with the holder's consent, expressed in the terms of the General Data Protection Regulation (GDPR) (EU Regulation No. 2016/679 of 27 April). Although Law No. 7/2007 does provide for an exception to this obligation (notably, where the reproduction and storage of the copy of the citizenship card is expressly provided for by law), the CNPD has clarified that financial institutions bound by KYC obligations under AML laws are still required to obtain such consent, as the law does not expressly refer to the citizenship card as the means of verifying the client's or the beneficial owner's identity during an onboarding process. In this regard, financial institutions are advised to offer their clients alternative means of proving their identity, such as providing a copy of their passport or driver's licence.
Digital markets, payment services and funding
Both payment services providers (i.e., payment and e-money institutions as well as PISPs and AISPs) and crowdfunding platforms – either equity or loan based – are subject to licensing and registration requirements with the Bank of Portugal or the CMVM, respectively.
Although still in a very preliminary phase, owing to the applicable framework having entered into force recently, crowdfunding schemes are gaining some traction, mostly in the loan-based platforms sector, where there are now six crowd-lending platforms registered with the CMVM. Further developments may arise in this field as the market develops and market players become more sophisticated and numerous, in which case movements towards securitisation of loan portfolios originating from such platforms may eventually begin to be noticed in the medium to long term.
Notwithstanding, current securitisation law (Decree-Law No. 453/99, as amended) defines which entities may qualify as originators of receivables for securitisation purposes, and these are limited to the Portuguese state and other public legal persons, credit institutions, financial companies, insurance firms, pension funds and pension fund management companies. However, other legal persons that have had their accounts legally certified by an auditor registered with the CMVM for the previous three years may also assign loans for securitisation purposes; this may open the door to crowdfunding entities being able to enter into securitisation and other structured finance transactions, which were traditionally reserved to banks and other incumbents. However, owing to the nature of the entities resorting to crowd-lending platforms for funding, as well as those managing such platforms, we envisage that such a movement towards securitisation may still take some time.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
Blockchain or distributed ledger technology is not subject to specific regulation in Portugal as a technology. Indeed, the regulatory focus brought about by blockchain has pertained essentially to a specific sector: banking and finance, including cryptocurrencies and initial coin offerings (ICOs), notably in what concerns investor protection and fraud prevention. There is currently no regulation concerning the tokenisation of assets in general (and securities in particular, such as bonds or shares), although nothing in the law seems to generally prohibit it. As such, in principle we see no impediment to the tokenisation of assets or credits, provided that the parties involved in a given transaction agree on the dematerialisation of such agreement or title and the underlying assets (and the corresponding representation of such assets by tokens). Notwithstanding this, it would not in principle be applicable to assets subject to special registration or notarisation formalities (such as real estate assets), as this would additionally entail formal and legal recognition by the governmental or registration authorities of the correspondence between such dematerialised property titles and the physical or notarial reality, for which no legal framework is yet in place.
However, the approach in Portugal in this sector has been to generally exclude cryptocurrencies from being qualified as tender or 'legal currency' and not issuing specific regulation dealing with them. Both the Bank of Portugal and the CMVM share this understanding and – like the majority of European regulators – are pursuing a wait-and-see approach in anticipation of a possible broader and harmonised European legislation ruling these matters.
Nonetheless, a different case-by-case approach should be taken regarding those assets qualifying as securities, such as security tokens or other hybrid tokens comprising some security-like traits, pursuant to ESMA's advice of 9 January 2019, under which cryptoassets qualifying as transferable securities (or another type of financial instrument under MiFID II's criteria) should be subject to the broader EU financial rules in this respect (including, inter alia, MiFID II, the Prospectus and Market Abuse Directives, etc.). Although the definition of what qualifies as a 'security' is mostly committed to national regulation implementing EU legislation, we would expect the CMVM to follow the same approach as ESMA and decide on the applicability of the legal framework applicable to securities (including that of public offerings in the case of ICOs) on a case-by-case basis. An example of this approach can be seen in the context of the Bityond ICO in 2018, where the CMVM decided not to apply the public offerings regime (and the securities legal framework as a whole) after having analysed the white paper and the token's configuration and associated rights and obligations, which did not present traits similar to those of tradeable securities.
However, the Bank of Portugal has, as far back as 2013, issued a clarification under which it considered that Bitcoin cannot be considered secure currency, given that its issuing is carried out by non-regulated and non-supervised entities. In addition, the Bank of Portugal stated that users bear all the risk, as there is no fund or protection scheme guaranteeing depositors' or investors' funds. This approach closely follows the position of the European Banking Authority (EBA). Note that specific regulation on cryptocurrencies is not expected soon: both the government and the Bank of Portugal have stated that they will not regulate cryptocurrencies and that the first step shall be taken by the European Commission. In this respect, both ESMA and the EBA sent reports, on 9 January 2019, to EU policymakers on ICOs and cryptoassets, assessing and advising the European Commission on the applicability and suitability of EU legislation to said instruments. Notably, the EBA's report stresses that:
[C]ompetent [national] authorities have reported to the EBA that it is their understanding that cryptoasset activity levels in their jurisdictions remain low and do not, at this stage, present a threat to financial stability, a finding which aligns with the observations of the Financial Stability Board. However, some issues arise, in particular with regard to consumer protection, market integrity and the level playing field, in view of the fact that: (a) current EU financial services law does not apply to a number of forms of crypto asset/activity; (b) specific services relating to cryptoasset custodian wallet provision and crypto asset trading platforms may not constitute regulated activities under EU law; and (c) the emergence of divergent approaches across the EU has been identified. For these reasons, the EBA considers that there would be merit in the European Commission carrying out a cost/benefit analysis to assess whether EU level action is appropriate and feasible at this stage to address the issues set out above.
Additionally, ESMA's report's press release states that:
ESMA has identified a number of concerns in the current financial regulatory framework regarding cryptoassets. These gaps and issues fall into two categories:
- For cryptoassets that qualify as financial instruments under MiFID, there are areas that require potential interpretation or re-consideration of specific requirements to allow for an effective application of existing securities and financial regulations; and
- Where these assets do not qualify as financial instruments, the absence of applicable financial rules leaves investors exposed to substantial risks. At a minimum, ESMA believes that Anti Money Laundering (AML) requirements should apply to all cryptoassets and activities involving cryptoassets. There should also be appropriate risk disclosure in place, so that consumers can be made aware of the potential risks prior to committing funds to cryptoassets.
In this light, and considering that gaps and issues identified would best be addressed at the European level, ESMA then suggests that the European Commission either:
- propose a bespoke regime for specific types of cryptoassets (which do not qualify as financial instruments) by means of a Directive, allowing for the tailoring of the rules to the specific risks and issues posed by those cryptoassets; or
- do nothing, which would fail to address the known investor protection and market integrity concerns.
Despite the lack of regulation and supervision, the Bank of Portugal has indicated that the use of cryptocurrencies is not forbidden or an illegal act. Hence, this entity has so far been more focused on a preventive and educational approach, alerting the public to the risks of cryptocurrencies.
The CMVM also issued an alert to investors in November 2017 on ICOs, indicating that most ICOs are not regulated – in which case investors are unprotected owing to high volatility and lack of funds, the potential for fraud or money laundering, inadequate documentation (most ICOs have no prospectus but only a white paper) and the risk of losing the invested capital. Still, the CMVM left the way open for regulating ICOs according to their specific circumstances.
Considering the above, the usual distinction between the different types of tokens (or rather the rights and obligations that their issuance and possession entail) underlying the transactions may prove useful. Should tokens be used mainly as a means of payment, the approach taken by the Bank of Portugal and EBA is the one to look at. Conversely, where tokens have more similarities to securities, the approach of the CMVM and ESMA is the one to take note of.
Despite a slight lack of regulatory clarity, there seems to have been some progress in acknowledging this situation, given that the recent proposal for amending the AML Directive (Directive 2015/849) extends its scope of application to virtual currencies; namely, to exchange services between virtual currencies and fiat currencies, and to wallet providers offering custodial services for the credentials necessary to access virtual currencies. Notwithstanding the proposed amendment to the European AML framework, the Bank of Portugal has clarified that financial institutions are under the obligation to control transfers of funds coming from and going to cryptocurrency trading platforms under AML provisions. In this respect, some major banks in Portugal have blocked transfers that have these types of entities as beneficiaries, although some are beginning to allow transfers to exchanges that are deemed more trustworthy.
In line with the Court of Justice of the European Union (CJEU)'s interpretation of the VAT treatment of transactions with cryptocurrencies, the Portuguese Tax Authority (PTA) recently issued binding rulings stating that transactions such as the exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT.
Binding rulings only bind the PTA towards the taxable person who submitted the ruling request and in relation to the questions specifically raised to the PTA in such request. Following the CJEU's judgment, which should apply in all Member States, the binding rulings issued by the PTA were an important step forward in the definition of the VAT treatment of Bitcoin transactions. With these binding rulings, entities exchanging cryptocurrencies, start-ups and users are now in a safer environment in Portugal from a VAT perspective. Buying, selling, sending, receiving, accepting and spending cryptocurrencies in exchange for legal tender currency (and vice versa) will not trigger a VAT liability, which allows economic agents to deal with cryptocurrencies as they would with legal tender currency or other types of money.
Additionally, for personal income tax (PIT) purposes, the PTA had already issued a binding ruling stating that any gains derived from the exchange of Bitcoin for legal tender currency (and vice versa) should not be considered income for PIT purposes to the extent such activity does not constitute a business or professional activity. Indeed, the PTA concluded that gains derived from the sale of Bitcoin would not fall under the concept of capital gains or investment income as defined by the Portuguese PIT Code and, consequently, those gains are not covered by the taxable base of the Portuguese PIT.
Other new business models
There has recently been substantial dynamism in the Portuguese fintech market, with new players and stakeholders entering and offering new types of services and products. As an example, the past year saw the market entry of fintech companies offering solutions for export and import finance and for currency exchange through innovative services, as well as crowdfunding platforms aimed at specific markets and businesses – such as the crowdfunding of real estate developments. This movement hints at a growing market that the recently enacted PSEMLF transposing the PSD2 shall further accelerate, opening up new business opportunities for emerging companies in the areas of open banking services, neo-banks and all other innovation-driven solutions emerging in the banking and financial sector today.
However, in the meantime, new fintech companies offering innovative services may struggle with the burdensome procedures imposed by applicable laws and regulations mentioned above (including the licence and registration procedures or AML-related issues).
Despite the above, services resorting to smart contracts do seem to have some legal comfort. Indeed, from 2007 onwards Portugal has had a specific provision in its E-Commerce Law (Decree-Law No. 7/2004) dealing with contracts executed by means of computers without human intervention. This provision applies contract law to these types of contracts and further applies the legal regime on mistake to programming errors, malfunctions and distorted messages. Though self-executing or smart contracts are a step further from contracts concluded without human intervention, it seems that they are permitted under Portuguese law – and, what is more, the above provision may be applicable to them. Indeed, there is a general principle in Portuguese law that, unless otherwise provided, contracts are not subject to a specific form. However, no specific legal framework exists on smart contracts.
On the use of artificial intelligence (AI) in the context of novel business models, adding to the rules on automated decision-making highlighted in Section VII below, on 8 April 2019, the European Commission-led High-Level Expert Group on AI presented Ethics Guidelines for Trustworthy Artificial Intelligence. According to the Guidelines, trustworthy AI should be: (1) lawful – respecting all applicable laws and regulations; (2) ethical – respecting ethical principles and values; and (3) robust – both from a technical perspective and considering its social environment. The Guidelines put forward a set of seven key requirements – which are duly developed in the Guidelines – that AI systems should meet in order to be deemed trustworthy. These include:
- human agency and oversight;
- technical robustness and safety;
- privacy and data governance;
- diversity, non-discrimination and fairness;
- societal and environmental wellbeing; and
Additionally, the Portuguese government has also recently approved its National Strategy for Artificial Intelligence – 'AI Portugal 2030', which sets out the main general objectives to reach by 2030, including:
- added economic growth: the added value brought by AI technologies to the economic growth should be significant;
- scientific excellence: improve the front-line position of Portuguese academia (universities, polytechnics and research institutions) in fundamental and applied AI research, measured in terms of publication impact, international leadership and international collaborations; and
- human development: increase dramatically the qualifications of the labour force, in particular technological qualifications, while promoting inclusion and awareness at all levels of education.
The National Strategy does not specifically address, however, the challenges AI will bring to the financial sector. Nonetheless, it is reasonable to assume that the increasing number of public guidelines and recommendations (both at national and international level) will foster investment in and the development of new AI-driven technologies and businesses.
The new European Commission committed to putting forward proposed legislation for a coordinated European approach on the human and ethical implications of AI during its first 100 days in office (i.e., until March 2020). A 19 February Commission White Paper sets out the scope of a future EU regulatory framework and the types of envisaged requirements, notably:
- voluntary labelling;
- training data;
- data and record-keeping;
- information to be provided;
- robustness and accuracy;
- human oversight; and
- specific requirements for certain particular AI applications, such as those used for purposes of remote biometric identification.
In light of the above, there is a considerable degree of uncertainty as to what the binding legal instruments that may be enacted in the coming years and that may impact the use of AI in financial products will look like, both at the European and national level.
Intellectual property and data protection
Protection of fintech can be effected through several means. The protection of software seems to be the most relevant, as fintech technology usually translates into computer systems and applications. Software is protected in Portugal under the same legal rules that apply to copyright protection (according to Decree-Law No. 252/94, which transposed Directive No. 91/250/CEE, later repealed by Directive No. 2009/24/CE, on computer programs, as amended). Copyright in the computer program belongs to the employer if the software is created by an employee in the execution of his or her duties or following the instructions given by the employer. Copyright does not require registration to exist, but the work may be registered with the General Inspectorate for Cultural Activities (IGAC). Software can also be protected by patent where it meets the criteria to be considered a computer-implemented invention, which is an invention whose implementation involves the use of a computer, computer network or other programmable apparatus. In addition, computer-implemented business models can also be patented, to the extent that they are claimed as a technical solution to a technical problem (e.g., automating a response considering the data collected) and involve technical considerations (e.g., the reading of the database). Otherwise, business models are not patentable. All in all, a case-by-case analysis is necessary to determine whether protection by patent is feasible.
Technology developed in the context of a fintech business can also be protected as a trade secret. Trade secrecy protects against any act of a person that accesses, appropriates or copies (or any other conduct that, under the circumstances, is considered contrary to honest commercial practices), without consent, information that is secret, that has commercial value because it is secret and that has been subject to reasonable steps, by the person lawfully in control of the information, to keep it secret (for instance, the execution of non-disclosure agreements). Current national legal provisions on trade secrecy are included in the Industrial Property Code – approved by Decree-Law No. 110/2018, of 10 December, as reviewed following the transposition of Directive (EU) 2016/943 of 8 June 2016, on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
A computer platform usually also comprises a set of data, as well as visual interfaces. The data may be protected as a database if the requirements set out in law (Decree-Law No. 122/2000, which transposed Directive 96/9/EC on the legal protection of databases, as amended) are met. Interfaces can further be protected by copyright under the Copyright Code (approved by Decree-Law No. 63/85, as amended) in their look and feel, screen display and individual visual elements, if they meet the criteria for protection (mainly, that they are 'creative'). Copyright protection, in this case, belongs to the employer or the person commissioning the creation, if so agreed or if the name of the creator is not referred to in the work. In that case, the creator may claim special compensation if the creation exceeds the performance of the task, or when the creation is used for, or brings, benefits not included or foreseen in the creator's remuneration.
Fintech businesses collect, control and process vast amounts of personal data (including know-your-customer data) and, as a result, they are subject to data privacy rules.
These rules have been, since 25 May 2018, those provided in the GDPR. The GDPR applies not only to fintech companies established in the EU but also to companies established outside the EU where they have customers in the European Union and process those customers' personal data in the context of offering services to them, irrespective of whether a payment by the data subject is required. The European Data Protection Board (EDPB) has clarified, in its Guidelines 3/2018 on the territorial scope of the GDPR, adopted on 16 November 2018, that the intention to target customers in the EU is key to assessing whether entities established outside the territory of the EU are subject to the GDPR.
In some instances, the processing of personal data may require the customer's consent. Pre-ticked opt-in or opt-out boxes are no longer allowed, since consent must be expressed through a statement or by a clear affirmative action. The GDPR places onerous accountability obligations on data controllers to evidence compliance, which constitutes a major paradigm shift in the data protection regime. These include, among others, conducting data protection impact assessments for higher-risk processing operations (such as those involving personal data that could be used to commit financial fraud) and implementing data protection by design and by default.
These general data protection rules are complemented by banking secrecy and AML rules, which fintech companies will have to observe when providing services to their clients.
Bank secrecy rules provide that disclosure of clients' personal data protected by banking secrecy (including cross-border transfers) is permitted only with the customer's prior authorisation or where the disclosure is necessary in one of the following cases:
- compliance with a legal obligation that expressly limits those secrecy duties;
- compliance with judicial authorities' requests in the context of criminal proceedings; or
- compliance with a disclosure obligation to the Bank of Portugal, the CMVM or tax authorities, when they are acting pursuant to their respective attributions.
In the past, the CNPD (the Portuguese data protection authority) had already ruled in a specific case that all personal data processed by a bank is subject to banking secrecy.
As the concept of 'client authorisation' under the PSEMLF and the financial institutions' legal framework differs from the concept of 'consent' under the GDPR, many banks and other financial institutions opt to collect clients' authorisation to disclose information covered by banking secrecy in their general client terms and conditions. In the case of processing clients' data for the purposes of anti-money laundering reporting under Portuguese AML regulations, the disclosure of the specific relevant personal data is based upon the fulfilment of a legal obligation, and there is no need to obtain the data subject's consent.
Another important aspect of data processing in the context of fintech business is the definition of client profiles and business segmentation, as well as automated decision-making based on profiling. Decisions that produce legal effects concerning the data subject, or that similarly significantly affect him or her, and that are based solely on the automated processing of data intended to evaluate certain personal aspects relating to him or her are, as a rule, not permitted.
The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. In essence, under the GDPR, one may only carry out this type of decision-making where the decision is necessary for entering into or performing a contract, is authorised by EU or Member State law applicable to the controller, or is based on the individual's explicit consent. Where one of these grounds applies, additional safeguards must be introduced, and specific information about the automated individual decision-making (the logic involved, its significance and its envisaged consequences) must be disclosed to the affected data subjects. In a January 2020 response to MEP Sophie in't Veld's letter on unfair algorithms, addressing whether the GDPR was sufficient to protect data subjects from unfair automated decision-making, the EDPB stressed that 'controllers are obliged to consider all the potential risks that the use or creation of the specific algorithm can potentially pose to the rights and freedoms of natural persons and, if necessary, take measures to address these risks'.
There are also additional restrictions on processing special categories of data (such as health-related data or biometric data), which may ultimately affect how fintech companies implement strong customer authentication (SCA) under the PSD2 Regulatory Technical Standards (Commission Delegated Regulation (EU) 2018/389), since the RTS contemplate 'inherence' elements (something the user is), that is, the payment service user's biometric data, as one of the categories of authentication elements. The CNPD has consistently ruled that financial data are sensitive data, in the sense that they reveal aspects of an individual's private life, and that such data should therefore be protected under the Portuguese Constitution. As financial data are also considered by the EDPB to be data of a highly personal nature, this may influence the stringency of the technical and organisational measures that data controllers and processors choose to implement to protect such data, as well as the need to carry out a data protection impact assessment (DPIA) before commencing processing activities on such data. The processing of financial data may, then, require a DPIA under the CNPD's Regulation 1/2018, which lists the processing activities subject to a mandatory DPIA and refers to the processing of data of a highly personal nature in four of its nine cases.
Without prejudice to the above, the Portuguese legislation implementing the GDPR, Law No. 58/2019, entered into force on 8 August 2019. Law No. 58/2019 brings some additional adjustments or restrictions to the rules set out in the GDPR, notably regarding the processing of deceased persons' personal data, the applicable data storage periods and minors' consent to data processing. Most notably, and without prejudice to the GDPR's purpose limitation principle, Law No. 58/2019 allows controllers or processors to keep personal data until the expiry of any statutory limitation periods during which they may need to use the data to demonstrate compliance with legal or contractual obligations.
Year in review
Fintech-specific regulation has seen major developments during the past 18 months, notably with the much-anticipated and long delayed transposition of the PSD2 into Portuguese legislation. New players in the PISP and AISP business will be expected to appear in the short to medium term, while some incumbent and traditional banks are also beginning to take advantage of the new framework and are starting to provide open banking services to their customers.
Additionally, the new AML law has also seen some developments with the entry into force of Notice 2/2018 of the Bank of Portugal, which sets out further regulation and specific standards regarding the AML obligations to be observed by fintech companies (notably concerning reporting obligations, risk-based policies and KYC and onboarding procedures). As previously mentioned, the Bank of Portugal's notice clarifying the requirements for remote onboarding procedures paves the way for a more dynamic approach to potential fintech customers and the emergence of new market players. However, market data shows that the possibility of using videoconferencing as a way of complying with KYC obligations is mostly being used by banks, owing to the technical and financial demands that such a procedure implies under the applicable regulation, although newcomers may take advantage of partnerships with third-party qualified trust service providers to avoid the costly and demanding infrastructure that videoconferencing entails.
The crowdfunding sector keeps growing and evolving, with new platforms being registered and others in the middle of the registration and authorisation procedures, which boosts the fintech market in this area.
Portugal Fintech (a Portuguese association supporting the emerging fintech ecosystem) continues its mission to promote the Portuguese fintech market, gathering fintech, regtech, insurtech and cybersecurity companies in Portugal, fostering their access and visibility with legislators, start-ups, investors, consultants, banks, regulators and other relevant entities. 2019 was also marked by the opening of the FintechHouse by Portugal Fintech, a technological innovation and financial services hub, described as 'a unique place that aims to be the meeting point of the entire Ecosystem'.
The Portugal FinLab, an acceleration programme providing a communication channel between new players in the market (or even incumbent institutions having innovative tech-based financial projects or products) and the Portuguese regulatory authorities is now in its second edition. Through it, the regulators provide guidelines and support without the usual hurdles to the participants on how to navigate and operate in the regulatory system.
Outlook and conclusions
The recently enacted PSEMLF transposing the PSD2 has approved a new and reformed legal framework for the majority of fintech companies currently operating in the Portuguese market, while simultaneously paving the way for new market players and new types of companies to enter the market and offer their products and services to both consumers and other businesses. It has also legally recognised third-party providers such as PISPs and AISPs, furthering the open banking ecosystem with the emergence of new companies offering payment initiation and account information services.
In parallel, crowdfunding investment schemes will also see an increase in both the number of entities operating in the market and the transaction volume associated with these types of investments, moving towards more democratic and decentralised equity and debt markets, as both the consumer market and the regulators themselves become more aware of, and receptive to, the changes in the way some services are provided in the financial sector.
Regulation of the cryptocurrencies market has not yet been subject to public discussion or a more focused regulatory analysis by either the Bank of Portugal or the CMVM. Apart from some of the mentioned warnings issued by both entities, Portuguese regulators have adopted a 'wait and see' and case-by-case approach in this respect. As such, and despite the unpredictability of this issue – where opinions change and evolve at almost the same pace as the market itself – there is no envisaged change to the legal or regulatory status of cryptocurrencies other than the mentioned amendment to the AML Directive, which still has not been implemented into national law.
The Portuguese fintech market, which has seen a rather slow but steady development, should greatly benefit from the PSD2 innovations in the areas of open banking and payment initiation services, with new players entering the market in this segment and new solutions being developed by traditional banks (mostly where account information services are concerned). These may provide an incentive for regulatory and supervisory authorities to look into this ever-evolving market more closely, whether by fostering innovation by means of friendlier regulation or by adapting the existing regulation to accommodate the paradigm shift from traditional physical banking to an open and digital financial economy. Increasing the means of remote account opening and adapting the AML-related obligations to a digitalised reality, among others, may prove indispensable for the continued evolution of the Portuguese fintech market.
1 Tiago Correia Moreira is a partner, Helena Correia Mendonça is a principal consultant, Conceição Gamito is a senior adviser and José Miguel Carracho and Francisca César Machado are associates at Vieira de Almeida (VdA). The authors would like to thank André Marques Piteira (an associate in the IP department), David Paula and Sebastião Barros Vale (associates in the ICT department).
2 In this respect, it is noteworthy that Directive (EU) 2015/1535 of the European Parliament and of the Council, which defines and sets out rules on information society services, states that it shall not apply to rules relating to matters covered by EU legislation in the field of financial services, as listed non-exhaustively in Annex II to that Directive. This may ultimately raise some doubts about the applicability of Regulation (EU) 2019/1150 to the provision of online intermediation services relating to financial services. The Regulation also states that it 'shall not apply to online payment services (…) which are not provided with the aim of the facilitating the initiation of direct transactions and which do not involve a contractual relationship with consumers', without prejudice to EU law applicable in the areas of judicial cooperation in civil matters, competition, data protection, trade secrets protection, consumer protection, electronic commerce and financial services.
3 See ESMA's Advice on Initial Coin Offerings and Crypto-Assets, published on 9 January 2019 (ESMA50-157-1391).
4 Following a study by the European Central Bank on 'Virtual Currency Schemes', of October 2012. The Bank of Portugal also reiterated, in 2014, that the use of virtual currency brings risks to consumers and, in 2015, advised banks to abstain from buying, holding or selling virtual currencies (Circular Letter 011/2015/DPG, of 10 March 2015).
5 However, in the EU Fintech Action Plan published on 8 March 2018, the Commission stated that 'the case for broad legislative or regulatory action or reform at EU level' on fintech issues is 'limited'. Despite this assertion, the Commission is set to assess 'the extent to which the legal framework for financial services is technology neutral and able to accommodate FinTech innovation, or whether it needs to be adapted to this end'. It further clarified, in relation to crowdfunding, that 'The EU framework proposed in this Action Plan will offer a comprehensive European passporting regime for those market players who decide to operate as European crowdfunding service providers'.
6 CJEU's case law C-264/14, from 22 October 2015 (Skatteverket v. David Hedqvist). In this case, the CJEU decided that the exchange of Bitcoin for traditional currency qualifies as a supply of services for VAT purposes. As to the question of whether these transactions should be regarded as exempt supplies, the CJEU pointed out that Bitcoin, being a contractual means of payment, cannot be regarded as a current account or a deposit account, a payment or a transfer. Moreover, unlike a debt, cheques and other negotiable instruments referred to in Article 135(1)(d) of the VAT Directive, Bitcoin is a direct means of payment between the operators that accept it. Therefore, the CJEU ruled that transactions, such as exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT under the provision of Article 135(1)(e) of the VAT Directive. The CJEU did not expressly address the subject of whether the exchange of, for example, Bitcoin for a different cryptocurrency should also be regarded for VAT purposes as an exempt supply of services under Article 135(1)(e) of the VAT Directive. However, in our view, the same reasoning applies and the answer should therefore be the same.
7 Binding Rulings 12904 from 15 February 2018 and 14763 from 28 January 2019.
8 Under the provision of Article 9(27)(d) of the Portuguese VAT Code (which corresponds to the transposition of article 135(1)(e) of the European VAT Directive).
9 Binding Ruling 5717/2015 from 27 December 2016.