The Financial Technology Law Review: Portugal


The regulatory treatment in Portugal of fintech-related matters greatly depends on the legal qualification of the different types of fintech companies or the products and services being offered.

The main legal and regulatory fintech concerns are those related to payment services and e-money related activities, as well as crowdfunding platforms. The two current main categories of fintech companies are payment services institutions and e-money issuers, both of which are regulated under Decree-Law No. 91/2018 of 12 November, enacting the Payment Services and E-Money Legal Framework (PSEMLF), which transposed Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (the PSD2) to the Portuguese legal framework. The PSEMLF also created the necessary regulation for third-party providers such as Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) to enter the Portuguese market. Crowdfunding platforms are regulated by Law No. 102/2015 of 24 August and Law No. 3/2018 of 9 February, as well as by the Portuguese Securities Market Commission (CMVM) Regulation 1/2016.

The Portuguese legislator and regulatory authorities' approach to fintech has been somewhat neutral, which resulted in the late transposition of the Payment Services Directive 2 (PSD2) (a delay of almost a year from the 13 January 2018 deadline). Furthermore, there is still no legal approach for testing financial technology under a sandbox regime. This is also true from a tax perspective, seeing as no specific legal regime exists in Portugal for fintech-related tax incentives.

Notwithstanding this, the Portuguese financial regulators (i.e., the Bank of Portugal (BoP), the CMVM and the Insurance and Pension Funds Authority (ASF)) implemented the Portugal FinLab programme (now in its third edition) with the purpose of establishing an easily accessible communication channel between entrepreneurs and emerging companies, on the one hand, and the financial regulators, on the other, aimed at supporting fintech businesses and companies in navigating the legal and regulatory challenges and concerns posed by the regulators. Additionally, regulators have shown increased interest in these matters, as demonstrated by their participation in fintech-related conferences and the disclosure on their websites of information released during these conferences.


i Licensing and marketing

The PSEMLF sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers as well as PISPs and AISPs, all being subject to the BoP's supervision. For that effect, specific mandatory legal documentation must be filed with the BoP, including, inter alia, draft by-laws, business plan, share capital commitment, corporate structure and beneficial ownership, the managers' identification and fit and proper documentation, as well as corporate governance and internal compliance models and procedures. The minimum statutory share capital requirement currently applicable to payment institutions ranges from a minimum of €20,000 to €125,000 (depending on the type of services provided) and a minimum of €350,000 for e-money institutions. PISPs must have a minimum statutory share capital of €50,000 and AISPs are required to hire an insurance policy or other similar guarantee scheme covering their activity in Portuguese territory in the case of breach or unauthorised access to data.

All marketing and advertising carried out by these entities must abide by the general rules applicable to marketing and advertising by banks and other financial institutions. This means that, among other requirements, all marketing and advertisement products and materials must clearly identify the offering or advertising entity, while also ensuring that the main features and conditions of the marketed products or services are easily understood by targeted consumers.

The PSEMLF provides for an extensive list of products and services that may only be offered by payment or e-money institutions, as well as PISPs or AISPs. This means that, in practice, considering the nature and business model of most fintech companies and the services offered, they will have to qualify as one of these entities under Portuguese law (being that an entity with an e-money licence ensures that it can render all services regulated under the PSEMLF, provided that it requests an authorisation to that effect when registering with the BoP), thus having to comply with its regulatory framework.

In what concerns crowdfunding platforms, Portuguese law sets out requirements and conditions applicable to the corporate entities managing these platforms, which are subject to the CMVM's supervision when they are either collaborative equity-based or loan-based platforms. These management entities of crowdfunding platforms are subject to prior registry and authorisation with the CMVM. Their application must be accompanied by the required documentation, which includes, inter alia, the entity's corporate details, structure and beneficial ownership, the managers' identification and fit and proper documentation, business plan and model, indication of whether it should be considered a financial intermediary or an agent thereof, as well as evidence of compliance with the minimum financial requirements. Minimum financial requirements are either (1) a minimum share capital of €50,000; (2) an insurance policy covering a minimum of €1 million per claim, and a minimum of €1.5 million in aggregate claims per year; or (3) a combination of both (1) and (2) that ensures proper similar coverage.

ii Cross-border issues

Payment or e-money institutions based abroad may render their services in Portugal, subject to prior authorisation and registry with the BoP. The applicable requirements and procedures may vary according to the state of origin, as entities based in European Union (EU) Member States can choose to render their services in Portugal through a branch registered in Portugal, through authorised agents based in Portugal (notably in what concerns e-money distribution) or under a licence granting them the freedom to provide services.

Should the applying entity be based in a third-country state, it shall incorporate a branch or, alternatively, incorporate a subsidiary legal entity in Portuguese territory (by following the relevant, though more demanding, procedure).

Digital identity and onboarding

Portuguese citizens must have a citizenship card containing their relevant identification data, which includes a civil identification number, taxpayer number, healthcare user number and social security number (Law No. 7/2007 creating the citizenship card, as amended). The citizenship card proves the identity of its holder before any public or private authorities and entities, through two mechanisms:

  1. by the reading of the visible elements of the card, together with the optical reading of a reserved area of the card (this optical reading being mainly limited to state or public administration entities or services); and
  2. by means of electronic authentication.

The citizenship card further allows its holder to unambiguously authenticate authorship of electronic documents by means of an electronic signature. The card contains a chip where additional information is available, such as address and fingerprints – it is in this chip that the certificates for secure authentication and for the qualified electronic signature are available. Hence, the holder of a Portuguese citizenship card has two digital certificates: one for authentication and another for e-signature.

Law No. 7/2007 expressly refers to Regulation 910/2014 on electronic identification and trust services for electronic transactions (the eIDAS Regulation), indicating that the provisions established therein apply to the certificates. However, when it comes to electronic identification and trust services, including e-signatures, electronic seals and time stamps, Decree-Law No. 12/2021 is the legislation that consolidates the Portuguese rules on electronic identification, including the probative value of e-signatures.

Furthermore, Law No. 37/2014, as amended, created the 'digital mobile key', which is an additional and voluntary means (1) of authentication in portals and sites of the public administration and (2) of qualified e-signature in the terms indicated in the eIDAS Regulation. All citizens may request to associate their civil identification number to a mobile phone number or an email address. Foreign citizens without a civil identification number may also request this association, which is done through their passport number, their tax identification on residence permits (or other documents, as indicated in the regime for the entry, stay, exit and expulsion of foreigners from national territory) or their residence card. The digital mobile key is a secure authentication system comprising a permanent password and a numerical code issued for each use and generated by the system.

Financial service providers, including payment institutions and e-money institutions, may carry out fully digitised onboarding of clients, including, as of recently, by using videoconferencing procedures.

BoP Notice No. 2/2018 allows financial institutions to make use of remote onboarding procedures while complying with the know-your-customer (KYC) requirements set out under the applicable anti-money laundering (AML) framework. At present, the admissible remote onboarding procedures under applicable AML law and Notice 2/2018 are videoconferencing and other means of KYC and onboarding procedures carried out by qualified trust service providers (the latter being compliant with the framework set forth under Regulation (EU) No. 910/2014).

Digital markets, payment services and funding

Both payment and e-money institutions, as well as PISPs and AISPs and the management entities of crowdfunding platforms, are subject to licensing and registry requirements with either the BoP or the CMVM, respectively.

Crowdfunding schemes are gaining some traction. There are now six management entities of crowdfunding platforms registered with the CMVM, the majority of which operate in the loan-based platforms sector. Further developments may arise in this field following the entry into force of the Regulation on European Crowdfunding Service Providers for Business and as the market develops and market players become more sophisticated and numerous, in which case movements towards the securitisation of loan portfolios originating from such platforms may begin to be noticed in the medium to long term.

Notwithstanding, current securitisation law (Decree Law No. 453/99, as amended) defines which entities may qualify as originators of receivables for securitisation purposes and these are currently limited to the Portuguese state and other public legal persons, credit institutions, financial companies, insurance firms, pension funds and pension fund management companies. However, entities that have their accounts of the previous three years legally certified by an auditor registered with the CMVM may also assign loans for securitisation purposes; this may open the door to crowdfunding entities being able to enter into securitisation and other structured finance transactions, which were traditionally reserved to banks and other incumbents. Nevertheless, owing to the nature of the entities resorting to crowd-lending platforms for funding, as well as those managing such platforms, we envisage that such a movement towards securitisation may still take some time.

In June 2019, Regulation (EU) 2019/1150 of the European Parliament and of the Council on promoting fairness and transparency for business users of online intermediation services came into force, placing certain obligations upon providers of online intermediation services simultaneously (1) constituting information society services,2 (2) allowing business users to offer goods or services to consumers and (3) provided to business users on the basis of contractual relationships (such as platforms' terms of use). Obligations include transparency and intelligibility requirements for platforms' terms and conditions, duties of notification to business users concerning changes to those terms and conditions, limitations on the restriction, suspension and termination of online intermediation services, explanation of ranking parameters (when the online intermediation services include such ranking), transparency with respect to the differentiated treatment of business users and the service provider's access to personal data through the platform, and the setting up of an internal complaint-handling system with specific characteristics (without prejudice against the possibility of business users resorting to mediation).

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Blockchain or distributed ledger technology is not subject to specific regulation in Portugal as a technology. Indeed, the regulation brought by blockchain has been essentially focused on the banking and finance sector, including cryptocurrencies and initial coin offerings (ICOs), notably in what concerns investor protection and fraud prevention. There is currently no regulation on the tokenisation of assets in general (and securities in particular, such as bonds or shares), although nothing in the law seems to generally prohibit it. As such, in principle we see no impediment to the tokenisation of assets or credits, provided that the parties involved in a given transaction agree on the dematerialisation of such agreement or title and the underlying assets (and the corresponding representation of such assets by tokens). Notwithstanding, in principle it would not be applicable to those assets subject to special registration or notarisation formalities (such as real estate assets) as this would additionally entail formal legal recognition by the governmental or registration authorities of the correspondence to such dematerialised property titles to the physical or notarial reality that still has no legal framework in place for these cases.

However, in Portugal the approach in this sector has been to generally exclude cryptocurrencies from being qualified as tender or 'legal currency' and not to issue specific regulation dealing with them. As far back as 2013,3 the BoP issued a clarification under which it considered that Bitcoin cannot be considered secure currency, given that its issuing is carried out by non-regulated and non-supervised entities. In addition, the BoP clarified this and stated that users bear all the risk, as there is no fund or protection scheme guaranteeing depositors' or investors' funds. This approach closely follows the position of the European Banking Authority (EBA). Despite the lack of regulation and supervision, the BoP has indicated that the use of cryptocurrencies is not a forbidden or illegal act. Hence, this entity is so far more focused on a preventive and educational approach, by means of alerting to the risks of cryptocurrencies.

Both the BoP and the CMVM share this understanding and – like the majority of European regulators – have been pursuing a wait-and-see approach towards regulation at the European level, which has culminated in the proposal for Regulations contained in the Digital Finance Package, which will bring a broader and harmonised European framework applicable to both cryptoassets and blockchain technology.

Until such Regulations are effectively enacted and come into force, a different case-by-case approach should be taken regarding those assets qualifying as securities, such as security tokens or other hybrid tokens comprising some security-like traits, pursuant to the European Securities and Markets Authority (ESMA)'s advice dated 9 January 2019,4 whereas cryptoassets qualifying as transferable securities (or another type of financial instrument under the Markets in Financial Instruments Directive (MiFID) II criteria) should be subject to the broader EU financial rules in this respect (including, inter alia, MiFID II, the Prospectus and Market Abuse Directives, etc.). Although the definition of what qualifies as a 'security' has been mostly committed to national regulation implementing EU legislation, we would expect to see the CMVM adopt the same approach as ESMA and to decide on the applicability of the legal framework applicable to securities (including that of public offerings, in the case of ICOs) on a case-by-case basis. An example of this approach was seen in 2018 in the context of the Bityond ICO, where the CMVM decided not to apply the public offerings regime (and the securities legal framework as a whole) after having analysed the white paper and the token's configuration and associated rights and obligations, which did not present traits similar to those of tradeable securities.

ESMA has identified a number of concerns regarding the current financial regulatory framework as applies to cryptoassets. These concerns and 'gaps' fall under two categories:

  1. for cryptoassets that qualify as financial instruments under MiFID, there are areas that potentially require interpretation or reconsideration of specific requirements to allow for an effective application of existing securities and financial regulations; and
  2. where these assets do not qualify as financial instruments, the absence of applicable financial rules leaves investors exposed to substantial risks. At a minimum, ESMA believes that AML requirements should apply to all cryptoassets and activities involving cryptoassets. There should also be appropriate risk disclosure in place, so that consumers can be made aware of the potential risks prior to committing funds to cryptoassets.

The CMVM also issued an alert to investors in November 2017 on ICOs, indicating that most ICOs are not regulated – in which case investors are unprotected because of the high volatility and lack of funds, potential of fraud or money laundering, inadequate documentation (most ICOs have no prospectus, only a White Paper) and risk of loss of the invested capital. Still, the CMVM has paved the way for regulation according to their specific circumstances.

Considering the above, the usual distinction between different types of tokens (or rather, the rights and obligations that their issuance and possession entail) underlying the transactions may prove useful. Where tokens are used mainly as a means of payment, the approach taken by the BoP and EBA is the one to look at. Conversely, where tokens share more similarities with securities, the approach taken by the CMVM and ESMA is the one to take note of.

Despite a slight lack of regulatory clarity, some progress appears to have been made in acknowledging this situation, considering the recent proposals for regulations on Markets in Cryptoassets and on a pilot regime for market infrastructures based on distributed ledger technology, under the Digital Finance Package, which is expected to see further material developments in the near future.

Law 58/2020 of 31 August transposed the recent Anti-Money Laundering Directive changes, extending its scope of application to virtual currencies (namely, to crypto exchanges and wallet providers offering custodial services) and imposing an obligation to register with the BoP and to comply with KYC and AML procedures with respect to their clients and the transactions taking place in their exchanges or wallets.

In line with the Court of Justice of the European Union (CJEU)'s interpretation of the VAT treatment of transactions with cryptocurrencies,5 the Portuguese Tax Authority (PTA) recently issued binding rulings6 stating that transactions such as the exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT.7

Binding rulings only bind the PTA towards the taxable person who submitted the ruling request and in relation to the questions specifically raised to the PTA in such request. Following the CJEU's judgment, which should apply in all Member States, the binding rulings issued by the PTA were an important step forward in the definition of the VAT treatment of Bitcoin transactions. With these binding rulings, entities exchanging cryptocurrencies, start-ups and users are now operating in a safer environment in Portugal from a VAT perspective. Buying, selling, sending, receiving, accepting and spending cryptocurrencies in exchange for legal tender currency (and vice versa) will not trigger a VAT liability, thus allowing economic agents to deal with cryptocurrencies as they would with legal tender currency or other types of money.

Additionally, for personal income tax (PIT) purposes, the PTA had already issued a binding ruling8 stating that any gains derived from the exchange of Bitcoin for legal tender currency (and vice versa) should not be considered income for PIT purposes, to the extent that this activity does not constitute a business or professional activity. Indeed, the PTA concluded that gains derived from the sale of Bitcoin would not fall under the concept of capital gains or investment income as defined by the Portuguese PIT Code and, consequently, those gains are not covered by the taxable base of the Portuguese PIT.

Other new business models

The Portuguese fintech market has recently been experiencing great dynamism, with the entry of new players and stakeholders offering new types of services and products. We believe this dynamism will increase further when the new proposals for regulations under the EU's Digital Finance Package come to light, encouraging the continued growth of the market already fostered by the transposed PSD2 and opening up new business opportunities for emerging companies in the areas of open banking services, neo-banks and all other innovation-driven solutions being developed in the banking and financial sector today.

However, in the meantime, new fintech companies offering innovative services may struggle with the burdensome procedures imposed by the applicable laws and regulations mentioned above (including the licence and registration procedures or AML-related issues).

Despite the above, services resorting to smart contracts do seem to have some legal comfort. Indeed, from 2007 onwards Portugal has had a specific provision dealing with contracts executed by means of computers without human intervention, in its E-Commerce Law (Decree-Law No. 7/2004). This provision applies contract law to these types of contracts and further applies the doctrine of mistake to programming errors, malfunctions and distorted messages. Though self-executing or smart contracts are a step further from contracts concluded without human intervention, it appears that they are permitted under Portuguese law; what is more, the above provision may be applicable to them. Indeed, there is a general principle in Portuguese law that, unless otherwise provided, contracts are not subject to a specific form. However, no specific legal framework exists on smart contracts.

Intellectual property and data protection

The protection of fintech can be carried out through several means. The protection of software seems to be the most relevant, as fintech technology usually translates into computer systems and applications. Software is protected in Portugal under the same legal rules that apply to copyright protection (according to Decree-Law No. 252/94, which transposed Directive No. 91/250/CEE, later repealed by Directive No. 2009/24/CE, on computer programs, as amended). Copyright of a computer program belongs to the employer if the software is created by an employee in the execution of his or her duties or following instructions given by the employer. Copyright does not require registry to exist, but this can be done in the General-Inspection for Cultural Activities (IGAC). Software can also be protected by patent in cases where it meets the criteria to be considered a computer implemented invention (i.e., an invention whose implementation involves the use of a computer, computer network or other programmable apparatus). In addition, computer-implemented business models can also be patented, to the extent that they are claimed as a technical solution for a technical problem (e.g., automating a response considering the data collected) and involve technical considerations (e.g., the reading of a database). Otherwise, business models are not patentable. All in all, a case-by-case analysis is necessary to determine if protection by patent is feasible.

Technology developed in the context of a fintech business can also be protected as a trade secret. Trade secrecy protects against any act of a person who accesses, appropriates or copies (or any other conduct that, under the circumstances, is considered contrary to honest commercial practices), without consent, information that is secret, that has a commercial value because of that fact and that has been subject to reasonable steps, by the person lawfully in control of the information, to keep it secret (for instance, the execution of non-disclosure agreements). Current national legal provisions on trade secrecy are included in the Industrial Property Code, approved by Decree-Law No. 110/2018 of 10 December, as reviewed following the transposition of Directive (EU) 2016/943 of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.

A computer platform usually comprises a set of data, as well as visual interfaces. This data may also be protected as a database if the requirements set forth by law (namely, Decree-Law No. 122/2000, which transposed Directive No. 96/9/CE, as amended, on the protection of databases) are met. Interfaces can be further protected by copyright under the Copyright Code (approved by Decree-Law No. 63/85, as amended) in what respects their look and feel, screen display and individual visual elements, if they all meet the criteria to be protected (mainly, are 'creative'). Copyright protection, in this case, belongs to the employer or the person that ordered the creation, if so established or if the name of the creator is not referred to in the work. In this case, the creator may require special compensation if the creation exceeds the performance of the task set or when the creation is used in a way or brings benefits not included or foreseen in the creator's remuneration.

Fintech businesses collect, control and process vast amounts of personal data (including know-your-customer data) and, as a result, they are subject to the data privacy rules provided in the General Data Protection Regulation (GDPR), which applies not only to Fintech companies established in the EU but also companies established outside the EU, if they have customers in the European Union and the processing of the customers' personal data is made in the context of the offering of services to those data subjects, irrespective of whether a payment is required from the data subject. The European Data Protection Board (EDPB) has clarified, in its Guidelines 3/2018 on the territorial scope of the GDPR, adopted on 16 November 2018, that the intention to target customers in the EU is key to assessing whether entities established outside the territory of the EU are subject to the GDPR.

In some instances, the processing of personal data may require the customer's consent. Pre-ticked opt-in or opt-out boxes will no longer be allowed, as consent must be expressed through a statement or clear affirmative action. The GDPR places onerous accountability obligations on data controllers to evidence compliance, which constitutes a major paradigm shift in the data protection regime. This includes, among others, the conduct of data protection impact assessments for more risky processing operations (such as those involving the processing of personal data that could be used to commit financial fraud) and the implementation of data protection by design and by default.

These general data protection rules are complemented by banking secrecy and AML rules, which fintech companies will have to observe when providing services to their clients.

Bank secrecy rules determine that the disclosure of clients' personal data protected by banking secrecy (including cross-border transfers) is permitted only with the client's prior authorisation or if the disclosure is necessary to achieve one of the following:

  1. compliance with a legal obligation that expressly limits those secrecy duties;
  2. compliance with judicial authorities' requests in the context of criminal proceedings; or
  3. compliance with a disclosure obligation towards the BoP, the CMVM or the tax authorities, when these entities are acting pursuant to their respective attributions.

In the past, the Portuguese Data Protection Authority (CNPD) had already ruled in a specific case that all personal data processed by a bank is subject to banking secrecy.

As regards the processing of clients' data for the purposes of anti-money laundering reporting, the disclosure of specific relevant personal data is based upon the fulfilment of a legal obligation, and there is thus no need to obtain the data subject's consent. As the concept of 'client authorisation' under the PSEMLF and the financial institutions' legal framework differs from the concept of 'consent' under the GDPR, many banks and other financial institutions opt to collect clients' authorisation to disclose information covered by banking secrecy in the context of their general client terms and conditions.

Another important aspect of data processing in the context of fintech business is the definition of clients' profiles and business segmentation, as well as automated decision-making based on profiling. Automated decisions that produce effects concerning the data subject or that significantly affect him or her and are based solely on the automated processing of data intended to evaluate certain personal aspects relating to him or her are not permitted.

The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. Mainly, under the GDPR, one may only carry out this type of decision-making where the decision is either necessary for the entry into or performance of a contract or authorised by the EU or Member State law applicable to the controller, or, finally, based on the individual's explicit consent. Where one of these grounds applies, additional safeguards must be introduced, as well as disclosure of specific information about automated individual decision-making to affected data subjects, concerning the logic, significance and envisaged consequences. In a January 2020 response to the Member of the European Parliament Sophie in't Veld's letter on unfair algorithms, addressing whether the GDPR was sufficient to protect data subjects from unfair automated decision-making, the EDPB stressed that 'controllers are obliged to consider all the potential risks that the use or creation of the specific algorithm can potentially pose to the rights and freedoms of natural persons and, if necessary, take measures to address these risks'.

There are also additional restrictions on using special categories of data (such as health-related data or biometric data) for any processing of personal data, which can ultimately impact the way Fintech companies will implement Strong Customer Authentication mechanisms under the PSD2 Regulatory Technical Standards, as the Regulatory Technical Standards suggest the use of the payment service users' biometric data in that context. The CNPD has consistently ruled that financial data are sensitive data, in the sense that they reveal aspects of an individual's private life and, thus, said data should be protected under the Portuguese Constitution. As financial data is also considered by the EDPB as data of a highly personal nature, this may ultimately influence the stringency of technical and organisational measures data controllers and processors choose to implement to protect said data, as well as on the need to undergo a data protection impact assessment (DPIA) before commencing processing activities on said data. The processing of financial data may, then, entail the need for a DPIA under the CNPD's Regulation 1/2018, which lists the processing activities subject to a mandatory DPIA, as the Regulation refers to the processing of data of a highly personal nature in four of its nine cases.

Without prejudice to the above, Portuguese legislation implementing the GDPR has entered into force on 8 August 2019. Law No. 58/2019 brings some additional adjustments or restrictions to the rules set out in the GDPR, notably regarding the processing of deceased persons' personal data, the applicable data storage periods and minors' consent for data processing. Most notably, and without prejudice to the GDPR's purpose limitation principle, Law No. 58/2019 allows controllers or processors to keep personal data until the expiry of any statutory limitation periods during which they may need to use the data to demonstrate compliance with legal or contractual obligations.

Year in review

Fintech-specific regulation has seen major developments during the past 18 months, notably with the much-anticipated and long-delayed transposition of the PSD2 into Portuguese legislation. New players in the PISP and AISP business are expected to appear in the short to medium-term, while some incumbent and traditional banks are also beginning to take advantage of the new framework and starting to provide open banking services to their customers.

Additionally, the new AML law has also seen some developments with the entry into force of Notice 2/2018 of the BoP, which sets out further regulation and specific standards regarding AML obligations to be observed by fintech companies (notably concerning reporting obligations, risk-based policies, and KYC and onboarding procedures). As previously mentioned, the BoP's notice clarifying the requirements for remote onboarding procedure paves the way for a more dynamic approach to potential fintech customers and the emergence of new market players. However, market data shows that the possibility of using videoconferencing as a way of complying with KYC obligations is mostly being used by banks, owing to the technical and financial demands that this procedure implies under the applicable regulation, although newcomers may take advantage of partnerships with third-party qualified trust service providers to get around the costly and demanding infrastructure that videoconferencing encompasses.

The crowdfunding sector keeps growing and evolving, with new platforms being registered and others in the middle of the registration and authorisation procedures, boosting the fintech market in this area.

Portugal Fintech (a Portuguese association supporting the emerging fintech ecosystem) continues its mission to promote the Portuguese fintech market, by gathering fintech, regtech, insurtech and cybersecurity companies in Portugal and fostering their access to and visibility among legislators, start-ups, investors, consultants, banks, regulators and other relevant entities. FintechHouse, opened in 2019 by Portugal Fintech and which is a technological innovation and financial services hub described as 'a unique place that aims to be the meeting point of the entire Ecosystem', has launched the Fintech365 programme to help all those enrolled better navigate the regulatory challenges presented by the financial sector and to accelerate their digital transformation.

The Portugal FinLab, an acceleration programme providing a communication channel between new market players (or even established institutions with innovative tech-based financial projects or products) and the Portuguese regulatory authorities, is now in its second edition. Through this programme, the regulators provide guidance and support to participants, without the usual hurdles, on how to navigate and operate in the existing regulatory system.

Outlook and conclusions

The transposition of the PSD2 has approved a new and reformed legal framework for the majority of fintech companies currently operating in the Portuguese market, while simultaneously paving the way for new market players and new types of companies to enter the market and offer their products and services to both consumers and other businesses. It has also legally recognised third-party providers such as PISPs and AISPs, expanding the open banking ecosystem with the emergence of new companies – such as payment initiation and account information services.

In parallel, crowdfunding investment schemes will see an increase in both the number of entities operating in the market and the transaction volume associated with these types of investments, pursuing more democratic and decentralised equity and debt markets, as both the consumer market and the regulators themselves are becoming more aware of and prone to the changes in the way some services are provided in the financial sector.

The envisaged new regulation on the cryptocurrencies market is also promising, in the sense that it will complement and further enable new business models for current and future players in the fintech sector, whether by attracting new companies or by opening more traditional established actors, such as banks and other financial institutions, to the new opportunities that will inevitably arise for existing (or even newly created) assets in a tokenised reality. These innovations, fuelled by the recent surge in retail investors with spare liquidity and an appetite for risk entering the market looking for digitised ways of investing, or even participating, in the financial and banking system, will undoubtedly provide for interesting developments in the fintech market for years to come.


1 Tiago Correia Moreira is a partner, Helena Correia Mendonça is a principal consultant, and José Miguel Carracho and Francisca César Machado are associates at Vieira de Almeida (VdA). The authors would like to thank Conceição Gamito (a senior adviser in the tax department), André Marques Piteira (a senior associate in the IP department) and David Paula (a senior associate in the ICT department).

2 In this respect, it is noteworthy that Directive (EU) 2015/1535 of the European Parliament and of the Council, which defines and sets out rules for information society services, states that this Directive shall not apply to rules relating to matters covered by EU legislation in the field of financial services, as non-exhaustively listed in Annex II to this Directive. This may ultimately raise some doubts about the applicability of Regulation (EU) 2019/1150 to the provision of online intermediation services relating to financial services. The Regulation also states that it 'shall not apply to online payment services (…) which are not provided with the aim of facilitating the initiation of direct transactions and which do not involve a contractual relationship with consumers', without prejudice to EU law applicable in the areas of judicial cooperation in civil matters, competition, data protection, trade secrets protection, consumer protection, electronic commerce and financial services.

3 Following a study carried out by the European Central Bank on 'Virtual Currency Schemes', from October 2012. In 2014, the Bank of Portugal also reiterated that the use of virtual currency brings risks to consumers and, in 2015, it advised banks to abstain from buying, detaining or selling virtual currencies (Circular Letter 011/2015/DPG, of 10 March 2015).

4 See ESMA's Advice on Initial Coin Offerings and Crypto-Assets, published on 9 January 2019 (ESMA50-157-1391).

5 CJEU's case law C-264/14, from 22 October 2015 (Skatteverket v. David Hedqvist). In this case, the CJEU decided that the exchange of Bitcoin for traditional currency qualifies as a supply of services for VAT purposes. As to the question of whether these transactions should be regarded as exempt supplies, the CJEU pointed out that Bitcoin, being a contractual means of payment, cannot be regarded as a current account or a deposit account, a payment or a transfer. Moreover, unlike a debt, cheques and other negotiable instruments referred to in Article 135(1)(d) of the VAT Directive, Bitcoin is a direct means of payment between the operators that accept it. Therefore, the CJEU ruled that transactions such as the exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT under the provision of Article 135(1)(e) of the VAT Directive. The CJEU did not expressly address the subject of whether the exchange of, for example, Bitcoin for a different cryptocurrency should also be regarded, for VAT purposes, as an exempt supply of services under Article 135(1)(e) of the VAT Directive. However, in our view, the same reasoning applies and the answer should therefore be the same.

6 Binding Rulings 12904 of 15 February 2018 and 14763 of 28 January 2019.

7 Under Article 9(27)(d) of the Portuguese VAT Code (which corresponds to the transposition of Article 135(1)(e) of the European VAT Directive).

8 Binding Ruling 5717/2015 of 27 December 2016.

Get unlimited access to all The Law Reviews content