The Financial Technology Law Review: Spain
There is currently no specific regulatory framework in Spain or the European Union governing fintech. However, both the European and the Spanish supervisory authorities are conscious of the increasing importance of this sector and they are currently analysing it with a view to eventually regulating it.
There are various electronic sources providing information on fintech. For instance, the Spanish Fintech and Insurtech Association has its own website and the National Securities Market Commission (CNMV) has created a section on its website aimed at establishing an informal communication space with fintech. Besides this, the CNMV has created a Q&A on fintech for activities and services where fintech may be involved.
The main tax incentive schemes for investment in tech or fintech businesses generally applicable in Spain are: (1) the Spanish patent box regime and the research, development, and innovation tax credit potentially applicable to Spanish-resident companies engaged in tech and fintech activities (generally only in those cases in which the technology qualifies, e.g., as a patent or as advance registered software), and (2) the corporate income tax benefits for start-ups (e.g., a 15 per cent rate for the start-up's first two fiscal years, instead of the statutory 25 per cent rate) and Spanish-resident venture-capital entities, along with (3) tax credits for 'business angels' in specific start-ups (under specific conditions) represent. Proper structuring is essential for investors in these companies to mitigate any Spanish tax leakage applicable to investments in tech and fintech companies.
In general terms, and until further regulations are passed, Spain should be considered as a relatively fintech-friendly jurisdiction. By way of example, in 2013 it was estimated that there were 50 fintech companies in Spain; this number increased to 392 as at December 2019.2 In 2019, the fintech industry grew by 16 per cent.
i Licensing and marketing
As stated in Section I, there is no specific regulatory framework in Spain governing fintech. As a result, there is no specific fintech licence nor are there any specific marketing rules that are applicable to fintech. This is mainly due to the fact that fintech businesses in Spain provide a variety of financial services. In general, leaving aside third-party providers (TPPs) regulated under Directive (EU) 2015/2366 of the European Parliament and of the Council, of 25 November, on payment services in the internal market (PSD2) and crowdfunding and crowd-lending platforms, which are subject to Law 5/2015 of 27 April on the promotion of business financing (Law 5/2015), fintech business focused only on developing IT solutions to support the provision of services by financial entities are not currently subject to any financial regulatory regime.
However, fintech that engages in financial activities such as deposit-taking, investment services (such as automated digital advice and the management of collective investments), payment services and insurance, is subject to the general regulatory regime that applies to any company operating in those sectors (including marketing rules) and, therefore, has to obtain authorisation from the relevant authorities depending on the service rendered. For banking services, the competent authority would be the Bank of Spain (BoS) or the European Central Bank. In the case of investment services the competent authority would be the CNMV and for services or products that relate to insurance, reinsurance and pension funds it would be the General Directorate of Insurance and Pension Funds (DGSFP).
As stated above, Law 5/2015 regulates crowdfunding and crowd-lending platforms and the provision of their services. The performance of these activities is subject to obtaining an authorisation which is granted by the CNMV (with the intervention of the BoS). Unlike other financial regulations in Spain, which are transpositions of European financial directives, Law 5/2015 is purely domestic. However, this will probably change, since in March 2018 the European Commission published a proposal for a regulation of the European Parliament and of the European Council on European crowdfunding service providers for business (the Proposal). Although the Proposal will not apply to crowdfunding services that are provided by natural or legal persons in accordance with national law (such as those provided under Law 5/2015), the Proposal establishes that a legal person that intends to provide crowdfunding services shall apply to the European Securities and Markets Authority (ESMA) for authorisation as a crowdfunding service provider. The Proposal is unique because it is the first time that one of the European Supervisory Authorities has been allowed to grant an authorisation for the provision of a financial service within the European Union.
Apart from the above, and after a year of no progress, on 28 February 2020, the Ministry of the Economy finally published the latest Draft Law for the Digital Transformation of the Financial System, which was approved by the government in February 2019 (the Draft Bill). The objectives of this law are: (1) ensuring that the financial supervisory authorities have adequate instruments to keep performing their supervisory and regulatory functions within the new digital environment; and (2) facilitating the innovative process in order to achieve better access to financing by productive sectors, more efficient financial services and a greater attraction of talent in a highly competitive international environment. In line with promoting digital innovation, the Draft Bill, once approved, will implement a regulatory sandbox in Spain, which intends to include both private and general interest projects. Following the commencement of the parliamentary process, it is predicted that the Draft Bill will be approved around mid-June 2020.
In this line of promotion of digital innovation, the Draft Bill implements a regulatory sandbox in Spain, the terms of which will be unknown until the final text of the Draft Bill is published. The Draft Bill is under discussion and there is no specific deadline for its passing.
Since there is no specific regulatory framework in Spain governing the marketing of fintech products and services (except for Law 5/2015), these entities must observe the marketing legislation applicable to any other company. Apart from the Spanish law on the protection of consumers, which establishes certain principles on marketing, and the general law on publicity, other applicable publicity provisions are included within the Spanish laws on electronic commerce and distance marketing of financial services.
In Spain, there are negative credit information registries that may be accessed by any natural or legal person in accordance with certain rules. The BoS handles the Risk Information Centre (CIR), which contains information on loans, credits, bank endorsements and general risks regarding customers, provided by the reporting institutions (such as credit entities) and that may only be accessed by natural or legal persons who are holders of risks declared to the CIR in accordance with certain rules.
ii Cross-border issues
There are no particular passporting procedures available for fintech. Only fintech set out as regulated financial services providers would have access to the cross-border provisions under Spanish laws implementing the European directives that allow for specific types of regulated entities to operate in another country without having to be authorised by their local regulators.
Accordingly, EU-regulated financial services providers benefit from the passporting procedure, which enables them to provide services in Spain on a freedom-to-provide-services basis or by establishing a branch. It is a simple notification procedure set out under the main EU financial directives (such as CRD IV, MiFID II, UCITS, AIFMD or PSD2), which involves the home Member State notifying the host Member State that the relevant entity intends to provide services in its territory. A fintech authorised as an EU financial service provider under those directives would also have access to the passporting procedure.
For non-EU financial services providers, however, their provision of services in Spain is subject to an authorisation procedure before the BoS, the CNMV or the DGSFP, even if they intend to provide services by means of a branch or from the territory of their home state. A non-EU fintech authorised as a financial services provider would also have access to the same authorisation procedure.
A local licence is not necessary if the entity is passported or authorised to provide its services from its home state into Spain. Additionally, a branch is not strictly necessary as the freedom-to-provide-services option is also possible, although in certain cases Spanish law does not provide such an alternative and the establishment of a branch is a must. The marketing of certain services and products in Spain will be subject to Spanish law and may trigger licensing requirements depending on the circumstances. The unsolicited provision of services does not trigger licensing requirements if no actual services are provided in Spanish territory.
In the case of crowdfunding platforms and in accordance with the Proposal, the authorisation to be granted by the ESMA to a crowdfunding service provider shall be effective for the entire territory of the European Union. Thus, there will be no need to passport a local licence to other Member States for those companies to provide their services in the host Member State. Additionally, the Proposal states that host Member States shall not require crowdfunding service providers to have a physical presence in their territory for them to provide their services on a cross-border basis.
The ownership of non-regulated fintech is not restricted in Spain. Regulated fintech (such as credit institutions, investment institutions and insurance companies) are subject to a significant holdings regime that requires a purchaser of a stake of more than 10 per cent to obtain prior authorisation from the relevant supervisory authority.
Digital identity and onboarding
Yes, digital identity is recognised in our jurisdiction. Different types of digital identities are regulated under (1) Spanish Law 59/2003, of 19 December, on electronic signatures, as it was amended by Regulation 910/2014 (the Spanish Electronic Signature Law) and (2) Regulation (EU) No. 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (Regulation 910/2014) – jointly known as the Electronic Signature Laws.
Digital identity certificates can be issued by any state or private entity that complies with the regime established in the Electronic Signature Laws. However, the most widely recognised certificates are issued by public institutions (the Spanish National Mint and the Tax Authority). Electronic identity is accessible to all national and non-national persons.
The Electronic Signature Laws set out the different categories of electronic signatures depending mainly on their security features as well as the probative effects corresponding to each category, as well as regulating the characteristics and effects of each of them in Spain. In particular, there are three categories: simple electronic signature, advanced electronic signature and qualified electronic signature, in order of the simplest (with fewer security features) to the most complex, based on a recognised certificate and created by a trustworthy signature creation device, which will entail the use of the highest security features.
The three categories of electronic signature are recognised in Spain as being valid to enter into any contractual relationship or transaction. However, the Electronic Signature Laws only recognise the 'qualified electronic signature' as having the same value before a court as a handwritten signature on paper. This does not mean that other types of electronic signature do not have any legal effect. Indeed, an electronic signature may not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. However, the evidential value of each signature will depend on the strength of the different steps of the contracting process and the security measures that have been used to ensure the identification of the signatory throughout the contracting process.
Fintech companies established as financial services providers are subject to anti-money laundering requirements that establish rules for the identification of clients. Such rules enable a digitised onboarding of the clients in certain cases (for instance, when the client's identity is certified in accordance with applicable regulations on electronic signatures), and subject to certain requirements.
Digital markets, payment services and funding
Collective investment vehicles are mainly regulated under Law 35/2003 of 4 November on collective investment schemes and Law 22/2014 of 12 November on venture capital and other closed-ended investment schemes and management companies of the closed-ended investment schemes. There is no specific law for fintech collective investment vehicles.
As opposed to the rest of fintech, and as indicated in Section II, crowdfunding and crowd-lending platforms are subject to Law 5/2015, which, for the first time in Spain, regulates the activities of these platforms. These activities are currently subject to obtaining an authorisation that is granted by the CNMV (with the intervention of the BoS), but this authorisation regime will probably change as a result of the implementation of the Proposal. In this regard, the ESMA will be the relevant supervisory authority that may grant authorisations for the provision of crowdfunding and crowd-lending services. Peer-to-peer lending that is not performed through a crowd-lending platform is not regulated in Spain.
Spanish consumer lending regulations are applicable when a fintech is engaged in a credit transaction with a consumer. Loans and financings may be assigned by way of an assignment contract and it is very common to assign entire portfolios of loans. Such loans and financings may only be traded if they are converted into a security, which is assigned to a special purpose vehicle (SPV). Such SPV may then issue securities backed by the credit rights arising from loans. The above is the typical structure in securitisations.
The Spanish legal regime on securitisation was amended by Law 5/2015. The assignment of assets to a securitisation fund should comply with the following requirements:
- the transferor and, as the case may be, the issuer of the securities assigned to a securitisation fund must have audited their annual accounts for the last two financial years prior to the incorporation of the fund, except in certain cases;
- the transferor must disclose in its annual reports the current and future assignment of credit rights that impact each year;
- the assignment of the assets to the fund should be formalised in a contract; and
- the management company of the securitisation fund should submit a document to the CNMV for each asset assignment containing certain information on the assets.
We expect that Law 5/2015 will be further amended as a consequence of the publication of Regulation (EU) 2017/2402 and Regulation (EU) 2017/2401, which lay down a general framework for securitisation and create a specific framework for simple, transparent and standardised securitisation within the European Union.
Under Spanish law the rendering of payment services on a professional basis may only be conducted by entities authorised for such purposes. As indicated in Section II, the BoS is the competent authority to grant this authorisation.
Cryptocurrencies, initial coin offerings (ICO) and security tokens
There is no Spanish regulation on blockchain technology, cryptocurrencies or the issuance of tokens. The European and Spanish regulators are starting to review these activities although there are no legal developments as of today with respect to the qualification of tokens as securities.
ESMA published two statements in November 2017 concerning initial coin offerings (ICOs). The first one contained certain alerts to firms involved in ICOs. ESMA outlines that it is the duty of the firms themselves to consider the regulatory framework applicable to them and meet the relevant regulatory requirements, even if they are from outside the European Union. In this regard, although ESMA did not conclude that the Propectus Directive, the MiFID, the AIFMD and the Fourth AMLD are directly applicable to ICOs, cryptocurrencies and tokens, these may fall inside the scope of such regulations. The second statement was related to the warnings that may be considered by the investors when investing in ICOs, cryptocurrencies and tokens. In February 2018, the European Supervisory Authorities also issued a notice warning investors and consumers about the risks associated with buying cryptocurrencies. In February and September 2018, the CNMV issued its criteria regarding ICOs and cryptoassets in similar terms to that of ESMA.
In parallel, ESMA has been working with different national competent authorities (including the CNMV) to analyse the different business models of cryptoassets, the risks and potential benefits that they may introduce, and how they fit within the existing regulatory framework. Based on this, ESMA issued advice on ICOs and cryptoassets in January 2019. This report identified the gaps in the existing regulatory framework in relation to the ICOs and cryptoassets. We expect further regulation from the EU on the basis of this advice to address the gaps identified by ESMA.
In March 2019, the CNMV issued a statement to clarify that it has neither authorised any prospectus nor authorised or verified any transaction in connection with cryptocurrencies.
The current European and Spanish legislation on anti-money laundering is not directly applicable to ICOs, cryptocurrencies and tokens. However, Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018, amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD), contains a provision by virtue of which the AMLD will be applicable to service providers of exchange services between virtual currencies and fiat currencies and custodian wallet providers.
In light of ESMA's statements, the CNMV and the BoS have also warned firms and investors regarding the regulations and risks inherent to ICOs, cryptocurrencies and tokens.
As concerns the tax treatment of cryptocurrencies and tokens in Spain, the matter is not a clear-cut issue, although the European Court of Justice (ECJ) and the Spanish tax authorities have provided specific guidelines.
Regarding Spanish value added tax (VAT), the judgment of 22 October 2015, Case C-264/14, ruled that transactions involving non-traditional currencies, such as cryptocurrencies, are exempt from VAT pursuant to Article 135(1)(e) of the Council Directive 2006/112/EC, of 28 November 2006, on the common system of VAT. Therefore, in accordance with the ECJ's considerations, sale and purchase transactions over cryptocurrencies carried out by VAT taxable persons should be exempt from Spanish VAT. On the contrary, 'mining' activities to generate cryptocurrencies should not be subject to VAT. Both criteria have also been shared by the Spanish tax authorities in specific binding tax rulings.
For Spanish tax-resident individuals holding cryptocurrencies, and pursuant to specific binding rulings issued by the General Directorate of Taxes in 2018, income triggered upon the sale or transfer of cryptocurrencies (including that resulting from the exchange of one type of cryptocurrency for another) should be deemed as capital gains from a Spanish tax standpoint, and should be taxed accordingly. Specific activities concerning cryptocurrencies (e.g., mining) may have a different tax treatment and, potentially, be deemed as business activities for Spanish tax purposes (income tax, business tax, etc.).
Other new business models
Similarly to ICOs, cryptocurrencies and tokens, self-executing contracts are not specifically regulated in Spain and so are permitted and subject to Spanish contract law like any other contract. There are no particular arbitration or mediation schemes for self-contracts. These mechanisms are available in the same terms as for any other contract. Although self-executing contracts lack legislation of their own, we believe the below rules should be taken into account:
- should the self-executing contract consist of pre-established clauses imposed by one of the parties for a generality of contracts, Law 7/1998 of 13 April on General Contracting Conditions will apply, which imposes certain conditions and interpretation rules, as well as a public registry for general conditions;
- in the event that a self-executing contract is entered into with consumers, Royal Legislative Decree 1/2007 of 16 November approving the revised text of the general law on the protection of consumers and users, would also be applicable. This regulation establishes guiding principles applicable to relationships between consumers and users (understood as legal or natural persons acting in a context that falls outside of their entrepreneurial or professional activities) and entrepreneurs;
- also of note is Law 34/2002, of 11 July, on services of the information society and electronic commerce, which would apply in the event that the contract is entered into by electronic means. It establishes a regulatory regime for electronic agreements (e.g., the information to be provided to the contracting parties prior to and after the execution of the relevant agreements, the conditions applicable for the validity of electronic agreements, other obligations applicable to the electronic providers); and
- in the event that the contract falls into the definition of a financial service, Law 22/2007 on the distance marketing of financial services addressed to consumers, setting out the rules for electronic agreements and electronic marketing communications, would also be applicable.
Fully automated investment processes are not regulated as such under Spanish law. However, there are provisions within Regulation (EU) No. 595/2014 of the European Parliament and of the Council of 16 April on market abuse (MAR) and Directive 2014/65/EU of the European Parliament and of the Council of 15 May on markets in financial instruments (MiFID II) that refer to algorithmic trading and high-frequency trading strategies.
In addition, third-party websites comparing products or providing information about financial products are subject to general data protection rules, in the same way as other service providers. They are also subject to competition rules, although they are generally not an area of concern for competition authorities to the extent that they favour free competition among the players in the market. However, concerns may be raised in the event that these websites impose most-favoured-nation clauses on any of the players.
From a pure regulatory perspective, the provision of information about financial products is not subject to authorisation provided that this information does not involve the provision of any other regulated services (for instance, investment advice).
In recent years the financial industry has seen a fast-growing adaption of the economy to fintech. The most important sectoral innovations are those related to credit, payment and investment management services. Crowdfunding, crowd-lending and TPPs are good examples of new businesses models.
The insurtech market has also experimented significant growth and, as of December 2019, there are 196 start-ups in Spain related to this business, according to the Insurtech Map of the Spanish Fintech and Insurtech Association. Further disruption is expected in the insurtech market in the near future.
Another new business model that has recently emerged is based on the commercialisation of big data regarding consumer trends based on clients' data. This model has been already questioned by the Spanish data protection authority, which imposes restrictions on the validity of customers' consent for their data to be used in an aggregated manner for its commercialisation.
Generally, the main legal and regulatory issues for fintech in Spain are the obstacles resulting from the provision of financial services that trigger licensing requirements. As stated in Section I, the current legal regime for the authorisation of financial entities, which is established by reference to EU law, does not provide for a simplified procedure for businesses that only provide a limited range of services, as is the case of many fintech. Hence, as of today, fintech providing regulated services such as payment or investments services must navigate complex and burdensome procedures in Spain or in their country of establishment before having access to customers.
Intellectual property and data protection
i Intellectual property
Fintech businesses models and related software may be protected by the rules applicable to the ownership of inventions and works, which should be analysed separately.
Fintech business models may be classed as inventions that are typically the result of research. That result may essentially be protected by patents, utility models or, if such protection is not available or the parties do not wish to request it, inventions can also enjoy a certain degree of protection as know-how or as trade secrets:
- Spanish patents provide protection for inventions for 20 years as of the filing date;
- utility models protect inventions of lower inventive rank than patents, and are granted for a period of 10 years;
- once the referred protection periods have expired, the invention will enter the public domain and may be freely used by any person; and
- know-how has value as long as it is protected as a trade secret and, thus, it is kept confidential (as opposed to patents and utility models), which means that it is not generally known by individuals belonging to the environment where such information would be known and it is not easily accessible by them, it has a potential or effective commercial value by being secret and it has been subject to reasonable measures to keep it secret. These measures could include, among other things, contracts (confidentiality agreements) and the adoption of practical measures (security measures, such as password protection, limitations on access to certain personnel, etc.) demonstrating that the invention or work remains valuable.
On a separate note, software is be deemed an invention but is protected by copyright from the very moment of its creation. Registration is not necessary for the protection of software. The exploitation rights for the work will run for the life of the author and survive 70 years after the author's actual or declared death.
Regarding the ownership of IP rights, the ownership of inventions and works should again be analysed separately. These are default rules under Spanish law to attribute ownership of inventions.
Absent other applicable rules, the natural person who creates the invention (i.e., the inventor) is the owner.
If the inventor is an employee (private or public):
- if the invention is a result of his or her work for a company, pursuant to the terms of his or her employment agreement or to the instructions received from the company, then the owner of the rights to the invention will be the company; and
- if the invention is a result of his or her independent work but relevant knowledge obtained from a company or the company's facilities was used, then the company can claim ownership rights to the invention or a right to use the invention, subject to the payment of fair compensation.
The rule in connection with works is that the original owner of the rights to the work is the author or co-authors (or, in very specific and limited cases, an individual or a legal private or public entity who leads and coordinates personal contributions and publishes the result under its own name – usually in the case of software). The general rule is that the author is the owner of all moral and exploitation rights to the work. However, some specific legal presumptions as well as some important exceptions exist:
- Regarding copyrightable work created by an employee under his or her employment agreement, Spanish law presumes that, unless otherwise agreed, all exploitation rights of the work have been assigned, on an exclusive basis, to the company for the purposes of its ordinary course of business. This assumption applies in particular, but is not limited to, the creation of software.
- In the event of joint co-authors, either:
- all co-authors have equal exploitation rights, unless otherwise agreed; or
- the exploitation rights to the work correspond to the (legal or natural) person that assumes responsibility for the creation of the work and publishes it under the person's own name.
ii Data protection
Fintech businesses located in Spain or, under certain circumstances, businesses addressing the Spanish market from non-EU territories are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). From 25 May 2018, the main data protection rule applicable in Spain is the General Data Protection Regulation (Regulation (UE) 2016/679) (GDPR) that is directly applicable to all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.
Notwithstanding the above, at a national level and in addition to GDPR, certain local data protection rules exist in Spain. In particular, a new general data protection law was passed in December 2018: Spanish Basic Law 3/2018 on Data Protection and Digital Rights Guarantees (LOPD). The LOPD formally repealed the previous national data protection regulations, which were incompatible with the GDPR, and adapted local rules in order for them to be compatible with GDPR. The main goal of the LOPD is providing specific data protection regulation in different matters that are not expressly covered by the GDPR or that are covered by the GDPR but in relation to which the Member States are given some competence to enact a more detailed regulation. Consequently, certain data processing (such as inclusion of debtors' data in creditworthiness shared files) have been regulated in detail in the LOPD. Also, the LOPD has approved a new set of rights of citizens in relation to new technologies, known as 'digital rights'. This set of new digital rights may impact the business of certain fintech businesses, such as digital rights granted to employees regarding the use by employers of IT tools for monitoring purposes in the workplace or the use of geolocation systems.
Finally, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities within the EU, must also be taken into account.
As regards the possibilities of fintech companies carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), such activities are subject to the GDPR rules and to certain guidelines of the Spanish Data Protection Agency. In general terms, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The interpretation of the Spanish Data Protection Agency of the legitimate interest as a lawful ground for companies to carry out profiling activities has been quite restrictive in the past (e.g., it does not cover profiling carried out with second- or third-party data). Also, additional information and transparency duties must be complied with by fintech companies when carrying out profiling activities. In addition, if AI technologies are used to carry out profiling activities, fintech businesses must take into account the guidelines on AI issued by the Spanish Data Protection Agency. Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments are imposed. Finally, some of these profiling activities may be carried out with anonymised or pseudo-anonymised data. If this were the case, fintech business must take into account that the Spanish Data Protection Agency has issued specific guidelines for carrying out anonymisation processes.3
Year in review
No specific regulation on fintech was published in the past 18 months except for the implementation in Spain of PSD2, which has come to regulate the activity of TPPs. TPPs are an example of fintech companies that provide payment initiation services or account information services. TPPs must adopt certain security measures when providing their services. Among other obligations, TPPs must ensure that the personalised security credentials of the payment service user are not, with the exception of the user and the issuer of the personalised security credentials, accessible to other parties and that they are transferred through safe and efficient channels. Additionally, TPPs must not use, access or store any data for purposes other than for the provision of the payment initiation service. The incorporation of TPPs is subject to the authorisation of the BoS. The initial capital of those TTPs that provide payment initiation services must at no time be less than €50,000. However, if the TPPs only provide account information services, they will not be subject to the initial capital requirement.
Apart from the above, the European Commission issued a public consultation on fintech in March 2017 addressed to all citizens and organisations. The consultation period finalised in June 2017. After the analysis of the responses given, the European Commission has issued an action plan on fintech in March 2018 (the Action Plan).
The Action Plan sets out some steps to enable innovative business models to scale up, support the uptake of new technologies, increase cybersecurity and the integrity of the financial system. In accordance with the Action Plan, the European Commission will, among other things:
- host an EU FinTech Laboratory where European and national authorities will engage with tech providers in a neutral, non-commercial space;
- present a blueprint with best practices on regulatory sandboxes, based on guidance from European Supervisory Authorities; and
- report on the challenges and opportunities of cryptoassets later in 2018 in the framework of its EU Blockchain Observatory and Forum, which was launched in February 2018 for a period of two years.
As announced in the Action Plan, the European Commission has established an EU FinTech Lab to raise the level of regulatory and supervisory capacity and to share knowledge about new technologies. The EU FinTech Lab met for the first time on 20 June 2018 in Brussels. The focus of the session was outsourcing to cloud in the banking and insurance sectors. Also they addressed a number of specific questions and challenges around this technology, to enhance understanding and facilitate the work of regulators on cloud outsourcing.
On 13 December 2019, the EU FinTech Lab published its recommendations on how to create a framework for technology-enabled provision of financial services. The EU FinTech Lab's 30 recommendations pertain to the innovative use of technology in finance, maintaining a level playing field, access to data, and the financial inclusion and ethical use of data.
Additionally, it should be highlighted that Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive) provided legal measures to enhance the overall level of cybersecurity in Member States. Spain incorporated the NIS Directive with the Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems, although the necessary implementing regulations are yet to come.
Outlook and conclusions
The fintech sector in Spain is still in the process of significant expansion, mainly in sectors where intermediation between parties is fundamental (e.g., lending, FX, brokerage and investment services such as investment advice and portfolio management) and in the payments sector. Overall, the development of online payment platforms and big data, robotics and artificial intelligence tools represent the most recent trends in innovation (to date, mainly crowdfunding and crowd-lending platforms and robo-advisers). This expansion process is expected to continue in the coming years. This, combined with the increasing interest expressed by European and Spanish regulators in the sector, means that it is likely that fintech will be regulated in the short or medium term.
Apart from that, recent regulatory changes have entered into force in the past months, such as the General Data Protection Regulation (EU Regulation 2016/679), the new law on trade secrets (Law 1/2019) and the LOPD. Although there is no certainty about when the Proposal could be passed by the European Parliament and the Council, and when the Draft Bill will be passed by the Spanish government, they should be taken into consideration owing to their impact on the fintech legal framework.
Apart from the above, the main disruption in the global financial sector is still expected to result from ledger technologies such as blockchain. Although the use of this type of technology is not yet widespread, it is expected to emerge in Spain in many areas and will not just be limited to cybersecurity and cryptocurrencies.
1 Leticia López-Lapuente is a partner and Isabel Aguilar Alonso is a counsel at Uría Menéndez.
3 Available in Spanish at https://www.aepd.es/media/guias/guia-orientaciones-procedimientos-anonimizacion.pdf.