The Financial Technology Law Review: Spain


There is currently no specific regulatory framework in Spain or the European Union (EU) governing fintech as such. However, both the European and the Spanish supervisory authorities are conscious of the increasing importance of this sector and have been implementing different measures to promote the update of the current legislative framework and enable the fintech ecosystem to develop.

The most noteworthy initiative to date is the adoption by the European Commission on 24 September 2020 of a digital finance package, including a digital finance strategy and legislative proposals on cryptoassets and digital resilience.

Various electronic sources provide information on fintech. For instance, the Spanish Fintech and Insurtech Association has its own website and the National Securities Market Commission (CNMV) created a section on its website to set up an informal communication space with fintech. Other than this, the CNMV has created a Q&A for fintech companies on activities and services that may be within the CNMV's remit.

The main tax incentive schemes for investment in tech or fintech businesses generally applicable in Spain are: (1) the Spanish patent box regime and the research, development and innovation tax credit that potentially applies to Spanish-resident companies engaged in tech and fintech activities (generally only where the technology qualifies for it, for example, as a patent or as advance registered software); and (2) the corporate income tax benefits for start-ups and small enterprises (e.g., a 15 per cent rate applicable to standalone start-ups during their first two fiscal years, instead of the statutory 25 per cent rate or a qualified depreciation regime for tangible assets and property investments) and Spanish-resident venture-capital entities; along with (3) tax credits for 'business angels' in specific start-ups (under specific conditions). Proper structuring is essential for investors in these companies to mitigate any Spanish tax leakage applicable to investments in tech and fintech companies.

In general, and until further regulations are passed, Spain should be considered a fintech-friendly jurisdiction, which is evidenced by the approval of a regulatory sandbox. For example, in 2013 it was estimated that there were 50 fintech companies in Spain; this number grew to 408 as at September 2020.


i Licensing and marketing

As stated in Section I, Spain has no specific fintech regulatory framework. Therefore, fintech businesses are not subject to specific licences or marketing rules in Spain. This is mainly because they provide a variety of financial services. In general, leaving aside third-party providers (TPPs) regulated under Directive (EU) 2015/2366 of the European Parliament and of the Council, of 25 November, on payment services in the internal market (PSD2) and crowdfunding and crowd-lending platforms, which are subject to Law 5/2015 of 27 April on the promotion of business financing (Law 5/2015), fintech businesses focused solely on developing IT solutions to support the provision of services by financial entities are not currently subject to any financial regulatory regime.

However, fintech businesses involved in financial activities such as deposit-taking, investment services (such as automated digital advice and the management of collective investments), payment services and insurance, are subject to the general regulatory regime applicable to any company operating in those sectors (including marketing rules) and they must therefore obtain the relevant authorisations from the authorities depending on the service rendered. For banking services, the competent authority is the Bank of Spain (BoS) or the European Central Bank. For investment services the competent authority is the CNMV and for services or products that relate to insurance, reinsurance and pension funds it is the General Directorate of Insurance and Pension Funds (DGSFP).

As mentioned, Law 5/2015 regulates crowdfunding and crowd-lending platforms and the provision of their services. These activities require an authorisation from the CNMV (with the intervention of the BoS). Unlike other financial regulations in Spain, which are transpositions of European financial directives, Law 5/2015 is purely domestic. However, on 10 November 2020, the Regulation on European Crowdfunding Service Providers (ECSP) for business entered into force. After a transition period of 12 months, the rules will begin to apply on 10 November 2021, applying directly across the EU. The initiative was part of the European Commission's fintech action plan and the mid-term review of the capital markets union action plan. The regulation lays down uniform rules across the EU for the provision of investment-based and lending-based crowdfunding services related to business financing. It allows platforms to apply for an EU passport based on a single set of rules, which makes it easier for them to offer their services across the EU with a single authorisation. The new rules are expected to increase the availability of this innovative form of finance, which will help companies seek alternatives to bank financing. Investors on crowdfunding platforms, meanwhile, will benefit from an aligned and enhanced investor protection framework, based on (1) clear rules on information disclosures for project owners and crowdfunding platforms; (2) rules on governance and risk management for crowdfunding platforms; and (3) strong and harmonised supervisory powers for national authorities overseeing the functioning of crowdfunding platforms. Within the next 24 months of the entry into force of the Regulation, existing Spanish crowdfunding platforms may continue to operate under the national rule or they may adapt to the new requirements of the Regulation and apply to the CNMV to confirm that such requirements are aligned with the Regulation and thus be able to operate throughout the EU.

Apart from the above, the Spanish government approved Law 7/2020 of 13 November for the digital transformation of the financial system, which establishes a set of measures to accompany the digital transformation of the financial system and more importantly has established a controlled testing area or sandbox. The aim of the sandbox is to carry out, with all the necessary guarantees, technology-based financial innovation projects (through new applications, processes, products or business models) provided that they are sufficiently mature, benefit users of financial services, facilitate regulatory compliance, increase the efficiency of institutions or markets or contribute to improving the performance of public functions in the financial sphere. The Spanish fintech sandbox has managed to attract a total of 67 projects to its first call, which ended on 23 February 2021. The list of participants will not be made public until they have been finally approved. The BoS, the CNMV and the DGSFP will now analyse the proposals filed and issue a reasoned report that will state whether they are admitted or rejected.

Because Spain has no specific regulatory framework governing the marketing of fintech products and services (except for Law 5/2015), these entities must observe the marketing legislation applicable to any other company. Apart from the Spanish Consumers Law, which establishes certain principles on marketing, and the general law on publicity, other applicable publicity provisions are included in the Spanish laws on electronic commerce and distance marketing of financial services.

ii Cross-border issues

There are no specific passporting procedures for fintech. Only fintech set out as regulated financial services providers have access to the cross-border provisions under Spanish laws implementing the European directives that allow for specific types of regulated entities to operate in another EU Member State without having to be authorised by their local regulators.

Accordingly, EU-regulated financial services providers benefit from the passporting procedure, which enables them to provide services in Spain on a freedom-to-provide-services basis or by establishing a branch. It is a simple notification procedure set out under the main EU financial directives (such as CRD IV, MiFID II, UCITS, AIFMD or PSD2, and now ECSP), which involves the home Member State notifying the host Member State that the relevant entity intends to provide services in its territory. A fintech authorised as an EU financial service provider under those directives would also have access to the passporting procedure.

Non-EU financial services providers who intend to provide services in Spain require an authorisation from the BoS, the CNMV or the DGSFP, even if they intend to provide services through a branch or from the territory of their home state. A non-EU fintech authorised as a financial services provider would also have access to the same authorisation procedure.

The ownership of non-regulated fintech is not restricted in Spain. Regulated fintech (such as credit institutions, investment institutions and insurance companies) are subject to a significant holdings regime that requires a purchaser of a stake of 10 per cent or more to obtain prior authorisation from the corresponding supervisory authority.

Digital identity and onboarding

Digital identity is recognised in Spain. Different types of digital identities are regulated under (1) the Spanish Law 6/2020 of 11 November on aspects of the trust services (the Spanish Electronic Signature Law); and (2) Regulation (EU) No. 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (Regulation 910/2014) – jointly known as the Electronic Signature Laws.

Digital identity certificates can be issued by any state or private entity that complies with the regime established in the Electronic Signature Laws. However, the most widely recognised certificates are issued by public institutions (the Spanish National Mint and the Tax Agency). Electronic identity is accessible to all national and non-national persons.

The Electronic Signature Laws set out the different categories of electronic signatures depending mainly on their security features as well as the probative effects corresponding to each category, as well as regulating the characteristics and effects of each of them in Spain. In particular, there are three categories: simple electronic signature, advanced electronic signature and qualified electronic signature, in order of the simplest (with fewer security features) to the most complex, based on a recognised certificate and created by a trustworthy signature creation device, which will entail the use of the highest security features.

The three categories of electronic signature are recognised in Spain as being valid to enter into any contractual relationship or transaction. However, the Electronic Signature Laws only recognise the 'qualified electronic signature' as having the same value before a court as a handwritten signature on paper. This does not mean that other types of electronic signature do not have any legal effect. Indeed, an electronic signature may not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. However, the evidential value of each signature will depend on how rigorous the different steps of the contracting process are and on the security measures used to ensure the identification of the signatory throughout the contracting process.

The Electronic Signature Laws also provide for a regulation in Spain of additional trust services, allowing fintech not only to improve the services they may provide but also to build certain fintech businesses around these concepts with an appropriate legal framework.

Fintech companies established as financial services providers are subject to anti-money laundering requirements that establish rules to identify clients. Such rules enable a digitised onboarding of the clients in certain cases (for instance, when the client's identity is certified in accordance with applicable regulations on electronic signatures), and subject to certain requirements.

Digital markets, payment services and funding

Collective investment vehicles are regulated under Law 35/2003 of 4 November on collective investment schemes and Law 22/2014 of 12 November on venture capital and other closed-ended investment schemes and management companies of the closed-ended investment schemes. There is no specific law for fintech collective investment vehicles.

As opposed to the rest of fintech, and as mentioned in Section II, crowdfunding and crowd-lending platforms are subject to Law 5/2015 and ECSP. Spanish consumer lending regulations apply when a fintech is involved in a credit transaction with a consumer. Loans and financings may be assigned through an assignment contract and it is very common to assign entire portfolios of loans. Such loans and financings may only be traded if they are converted into a security, which is assigned to a special purpose vehicle (SPV). Such SPV may then issue securities backed by the credit rights arising from loans. The above is the typical structure in securitisations.

The Spanish legal regime on securitisation was amended by Law 5/2015. The assignment of assets to a securitisation fund should comply with the following requirements:

  1. the transferor and, as the case may be, the issuer of the securities assigned to a securitisation fund must have audited their annual accounts for the last two financial years prior to the incorporation of the fund, except in certain cases;
  2. the transferor must disclose in its annual reports the current and future assignment of credit rights that impact each year;
  3. the assignment of the assets to the fund should be formalised in a contract; and
  4. the management company of the securitisation fund should submit a document to the CNMV for each asset assignment containing certain information on the assets.

Under Spanish law, only duly authorised entities may render professional payment services. As mentioned in Section II, the BoS grants this authorisation.

Cryptocurrencies, initial coin offerings (ICO) and security tokens

Spain has no specific regulation on blockchain technology, cryptocurrencies or the issuance of tokens. However, the European and Spanish regulators have been assessing these products for some years and have taken some steps towards their regulation.

On 24 September 2020, the European Commission published its proposed regulation on markets in cryptoassets (MiCA), which forms part of a wider set of publications on Europe's Digital Finance Strategy. MiCA will apply to any person who provides cryptoasset services or issues cryptoassets in or into Europe. It will also apply to any cryptoasset that is not already subject to EU regulation. That will include utility tokens, payment tokens, stablecoins (or asset-referenced tokens) and a newly defined e-money token (a token that is not e-money in the traditional sense, but has all the hallmarks of traditional e-money). It will not apply to security tokens that are already subject to existing EU regulations. It will also not apply to central bank digital currencies (CBDC) but imposes substantial requirements on significant stablecoins (global stablecoins or GSCs). This appears to be another regulatory step to ensure central banks retain control of monetary policy and to safeguard against perceived risks with GSCs.

MiCA defines a cryptoasset issuer as any 'person who offers cryptoassets to third parties', which is an intentionally broad definition. All issuers will have to comply with a number of general requirements, with issuers of stablecoins (or asset-referenced tokens) and e-money tokens (payment tokens) subject to more stringent requirements.

In any case, MiCA is just a proposal that still needs to undergo the EU legislative process. This could take 18–24 months and the proposal may be amended during that time.

ESMA published two statements concerning initial coin offerings (ICOs). Also, the CNMV and the Bank of Spain have warned firms and investors regarding the regulations and risks inherent to ICOs, cryptocurrencies and tokens.

As concerns the tax treatment of cryptocurrencies and tokens in Spain, the matter is not a clear-cut issue, although the European Court of Justice (ECJ) and the Spanish tax authorities have provided specific guidelines.

Regarding Spanish value added tax (VAT), the judgment of 22 October 2015, C-264/14, ruled that transactions involving non-traditional currencies, such as cryptocurrencies, are exempt from VAT pursuant to Article 135(1)(e) of Council Directive 2006/112/EC, of 28 November 2006, on the common system of VAT. Therefore, according to the ECJ, sale and purchase transactions over cryptocurrencies carried out by VAT taxable persons should be exempt from Spanish VAT. On the contrary, 'mining' activities to generate cryptocurrencies should not be subject to VAT. Both criteria have also been shared by the Spanish tax authorities in specific binding tax rulings.

For Spanish tax-resident individuals holding cryptocurrencies, and pursuant to specific binding rulings issued by the Tax Agency in 2018, income triggered on the sale or transfer of cryptocurrencies (including that resulting from the exchange of one type of cryptocurrency for another) should be deemed as capital gains from a Spanish tax standpoint, and should be taxed accordingly. Specific activities concerning cryptocurrencies (e.g., mining) may have a different tax treatment and, potentially, be deemed as business activities for Spanish tax purposes (income tax, business tax, etc.).

Other new business models

Similarly to ICOs, cryptocurrencies and tokens, self-executing contracts are not specifically regulated in Spain and so are permitted and subject to Spanish contract law like any other contract. There are no particular arbitration or mediation schemes for self-contracts. These mechanisms are available in the same terms as for any other contract. Although self-executing contracts are not specifically regulated as such, we believe the following rules should be taken into account:

  1. should the self-executing contract consist of pre-established clauses imposed by one of the parties for a generality of contracts, Law 7/1998 of 13 April on general contracting conditions will apply, which imposes certain conditions and interpretation rules, as well as a public registry for general conditions;
  2. in the event that a self-executing contract is entered into with consumers, Royal Legislative Decree 1/2007 of 16 November approving the revised text of the General Consumers Law would also apply. This regulation establishes guiding principles applicable to relationships between consumers (understood as legal or natural persons acting in a context that falls outside of their entrepreneurial or professional activities) and entrepreneurs;
  3. also of note is Law 34/2002 of 11 July on services of the information society and electronic commerce, which would apply if the contract is entered into by electronic means. It establishes a regulatory regime for electronic agreements (e.g., the information to be provided to the contracting parties prior to and after the execution of the agreements, the conditions applicable for electronic agreements to be valid, other obligations applicable to the electronic providers); and
  4. in the event that the contract falls into the definition of a financial service, Law 22/2007 on the distance marketing of financial services addressed to consumers, setting out the rules for electronic agreements and electronic marketing communications, would also apply.

Fully automated investment processes are not regulated as such under Spanish law. However, some provisions of Regulation (EU) No. 595/2014 of the European Parliament and of the Council of 16 April on market abuse (MAR) and Directive 2014/65/EU of the European Parliament and of the Council of 15 May on markets in financial instruments (MiFID II) refer to algorithmic trading and high-frequency trading strategies.

In addition, third-party websites comparing products or providing information about financial products are subject to general data protection rules, in the same way as other service providers. They are also subject to competition rules, although they are generally not an area of concern for competition authorities to the extent that they favour free competition among the players in the market. However, concerns may be raised in the event that these websites impose most-favoured-nation clauses on any of the players.

From a pure regulatory perspective, the provision of information about financial products is not subject to authorisation if this information does not involve the provision of any other regulated services (for instance, investment advice).

In recent years, the financial industry has seen a fast-growing adaption of the economy to fintech. The most important sectoral innovations are those related to credit, payment and investment management services. Crowdfunding, crowd-lending and TPPs are good examples of new business models.

Another new business model that has recently emerged is based on the commercialisation of big data regarding consumer trends based on clients' data. This model has been already questioned by the Spanish Data Protection Agency, which imposes restrictions on the validity of customers' consent for their data to be used in an aggregated manner for its commercialisation.

Generally, the main legal and regulatory issues for fintech in Spain are the obstacles resulting from the provision of financial services that trigger licensing requirements. As stated in Section I, the current legal regime for the authorisation of financial entities, which is established by reference to EU law, does not provide for a simplified procedure for businesses that only provide a limited range of services, as is the case of many fintech. Hence, as of today, fintech providing regulated services such as payment or investments services must navigate complex and burdensome procedures in Spain or in their country of establishment before having access to customers.

Intellectual property and data protection

i Intellectual property

Fintech business models and related software may be protected by the rules applicable to the ownership of inventions and works, which should be analysed separately.

Fintech business models may be classed as inventions that are typically the result of research. That result may essentially be protected by patents, utility models or, if such protection is not available or the parties do not wish to request it, inventions can also enjoy a certain degree of protection as know-how or as trade secrets:

  1. Spanish patents provide protection for inventions for 20 years as of the filing date;
  2. utility models protect inventions of lower inventive rank than patents, and are granted for 10 years;
  3. once the referred protection periods have expired, the invention will enter the public domain and may be freely used by any person; and
  4. know-how has value as long as it is protected as a trade secret and, thus, it is kept confidential (as opposed to patents and utility models), which means that it is not generally known by individuals belonging to the environment where such information would be known and it is not easily accessible by them, it has a potential or effective commercial value by being secret and it has been subject to reasonable measures to keep it secret. These measures could include, among other things, contracts (confidentiality agreements) and the adoption of practical measures (security measures, such as password protection, limitations on access to certain personnel, etc.) demonstrating that the invention or work remains valuable.

On a separate note, software is to be deemed an invention but is protected by copyright from the very moment it is created. Registration is not necessary to protect software. The exploitation rights for the work will run for the life of the author and survive 70 years after the author's actual or declared death should the author be a natural person. If the software's author is a legal person, such rights will run for 70 years as from 1 January of the year following that in which the software was lawfully published or, failing such publication, from its creation.

Regarding the ownership of IP rights, the ownership of inventions and works should again be analysed separately. These are default rules under Spanish law to attribute ownership of inventions.

Absent other applicable rules, the natural person who creates the invention (i.e., the inventor) is the owner.

When the inventor is an employee (private or public):

  1. if the invention is a result of his or her work for an employer, pursuant to the terms of his or her employment agreement or to the instructions received from his or her employer, the employer owns the rights to the invention; and
  2. if the invention is a result of his or her independent work but he or she benefited from knowledge obtained from his or her employer or used its facilities, the employer may be deemed to own the invention or have rights to use it, in exchange for fair compensation.

The rule in connection with works is that the original owner of the rights to the work is the author or co-authors (or, in very specific and limited cases, an individual or a legal private or public entity who leads and coordinates personal contributions and publishes the result under its own name – usually in the case of software). The general rule is that the author is the owner of all moral and exploitation rights to the work. However, some specific legal presumptions as well as some important exceptions exist:

  1. regarding copyrightable work created by an employee under his or her employment agreement, Spanish law presumes that, unless otherwise agreed, all exploitation rights over the work necessary for conducting the employer's ordinary course of business are exclusively assigned to the company when the work is delivered. This assumption is extended, if such work involves software, to all exploitation rights, without limitation based on the employer's course of business; and
  2. in the event of joint co-authors, either:
    • all co-authors have equal exploitation rights, unless otherwise agreed; or
    • the exploitation rights to the work correspond to the (legal or natural) person that assumes responsibility for the creation of the work and publishes it under the person's own name.

ii Data protection

Fintech businesses located in Spain or, under certain circumstances, businesses addressing the Spanish market from non-EU territories are subject to data protection rules to the extent that they access and process personal data, either as data controllers or as service providers (i.e., data processors processing the data on behalf of their clients). From 25 May 2018, the main data protection rule in Spain is the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) that directly applies in all EU Member States. This new legal framework provides some benefits, such as the homogenisation of data protection rules within the EU, which can help local fintech businesses to expand to other EU Member States and may make it easier for fintech businesses from territories outside Spain that are GDPR-compliant to launch their services in the Spanish market.

Notwithstanding the above, at a national level and in addition to the GDPR, Spain has certain local data protection rules. In particular, a new general data protection law was passed in December 2018: Spanish Basic Law 3/2018 on data protection and digital rights guarantees (LOPD). The LOPD formally repealed the previous national data protection regulations, which were incompatible with the GDPR, and adapted local rules in order for them to be compatible with the GDPR. The main goal of the LOPD is to provide specific data protection regulation in different matters that are not expressly covered by the GDPR or that are covered by the GDPR but in relation to which the Member States are allowed to regulate further. Consequently, certain data processing activities (such as the inclusion of debtors' data in creditworthiness shared files) have been regulated in detail in the LOPD. Also, the LOPD has approved a new set of rights of citizens in relation to new technologies, known as 'digital rights'. This set of new digital rights may affect the business of certain fintech, such as digital rights granted to employees regarding the use by employers of IT tools for monitoring purposes in the workplace or the use of geolocation systems.

The Spanish government is also trying to reinforce these digital rights by promoting the approval of a Charter of Digital Rights for Spain, still under discussion, which, even though it is not expected to have a legal nature, will create the framework for future regulations on this matter in Spain.

Finally, the criteria of the Spanish Data Protection Agency, which is one of the most active data protection authorities in the EU, should also be taken into account.

As regards the possibilities of fintech carrying out profiling activities (i.e., the processing of personal data involving the profiling and, in some cases, the adoption of automated decisions with an impact on individuals), such activities are subject to the GDPR and to certain guidelines of the Spanish Data Protection Agency. In general, the profiling activities under the GDPR need to be based on lawful legitimate grounds, mainly the existence of a legal duty (e.g., scoring or fraud prevention), the unambiguous or explicit consent of individuals or the existence of a legitimate interest. The Spanish Data Protection Agency's interpretation of the legitimate interest as a lawful ground for companies to carry out profiling activities has been quite restrictive in the past (e.g., it does not cover profiling carried out with second- or third-party data). Also, fintech companies must comply with additional information and transparency duties when they carry out profiling activities. In addition, if AI technologies are used to carry out profiling activities, fintech businesses must take into account the guidelines on AI issued by the Spanish Data Protection Agency and the requirements for audits on the processing of personal data using AI. Other additional guarantees, such as reinforced objection rights or the need to carry out privacy impact assessments, are imposed.

Finally, and on a different note, some of these profiling activities may be carried out with anonymised or pseudo-anonymised data. If this is the case, fintech businesses should take into account the fact that the Spanish Data Protection Agency has issued specific guidelines for anonymisation processes.

Year in review

In our view, the most significant legislative proposals in the fintech sector are the following.

i Sandbox

On 14 November 2020, Law 7/2020 on digital transformation of the financial system entered into force. This establishes and governs the sandbox that will offer a controlled testing environment to allow for the implementation of innovative technology projects in the financial services sector. The environment will be safe for participants to test new financial products and services, while ensuring that the stability of the financial system is maintained and potential risks are eliminated or adequately mitigated.

Project promoters (for instance, tech companies, financial entities, associations representing interests, public and private centres of investigation) and regulators will enter into a protocol to establish the rules and conditions to which the projects and testing will be subject. Guarantees and protections will be afforded to sandbox participants, including informed written consent, personal data protection, rights of withdrawal, promoter liability, guarantees covering promoter liability, confidentiality and, for the regulators, the option to end testing in cases of bad practices or failure to comply with the protocol rules.

Also, entities that participate in the sandbox may have expedited access to regulatory authorisation.

ii MiCA

On 24 September 2020, the European Commission published its proposed regulation on markets in cryptoassets (MiCA), which forms part of a wider set of publications on Europe's Digital Finance Strategy. MiCA introduces specific disclosure and transparency requirements, such as a requirement for a prospectus or white paper to be issued with a number of crypto-specific disclosures, and a requirement that issuers are established as legal entities and supervised effectively. Additional obligations will apply to issuers of asset-referenced tokens (or so-called stablecoins). MiCA is a proposal that still has to go through the EU legislative process. This could take 18–24 months and the proposal may be subject to amendments during that time.

iii DORA

On 24 September, the European Commission published its legislative proposal for a Regulation on digital operational resilience for the financial sector, also referred to as the Digital Operational Resilience Act (DORA), as part of its wider digital finance package, which also includes a digital finance strategy. The overall objective of the DORA is to introduce EU-wide rules on digital operational resilience, coordinating, streamlining and upgrading existing national regulatory regimes to address the cross-border nature of ICT risks faced by the financial sector. DORA also intends to implement a comprehensive regulatory framework for European financial entities' ICT risk management, and to harmonise ICT system testing, auditing, reporting requirements and information sharing. DORA also introduces provisions for the management of ICT third-party risks, which includes an oversight framework for critical ICT third-party service providers (CTPPs), by which CTPPs fall under the direct supervision of a lead overseer.

iv Digital euro

The European Commission and the European Central Bank (ECB) issued in February 2021 a joint statement on their cooperation on a digital euro. Taking account of digitalisation, rapid changes in the payments landscape and the emergence of cryptoassets, the ECB is exploring the possibility of issuing a digital euro, as a complement to cash and payment solutions supplied by the private sector. Following the conclusion of the public consultation on 12 January 2021 and a period of preparatory work, the ECB will consider whether to start a digital euro project towards mid-2021. Such a project would answer key design and technical questions and provide the ECB with the necessary tools to stand ready to issue a digital euro if such a decision is taken. The ECB and the European Commission services are jointly reviewing at technical level a broad range of policy, legal and technical questions emerging from a possible introduction of a digital euro, taking into account their respective mandates and independence provided for in the Treaties.

Outlook and conclusions

The fintech sector in Spain is still expanding, mainly in sectors where intermediation between parties is fundamental (e.g., lending, FX, brokerage and investment services such as investment advice and portfolio management) and in the payments sector. Overall, the development of online payment platforms and big data, robotics and AI tools represent the most recent trends in innovation (to date, mainly crowdfunding and crowd-lending platforms and robo-advisers). This expansion is expected to continue in the coming years. This, combined with the increasing interest expressed by European and Spanish regulators in the sector, means that fintech is likely to be regulated in the short to medium term.

Law 7/2020 offers an excellent opportunity for new entities to access the financial system via the recently approved sandbox. A total of 67 projects have already been submitted in the first call in February 2021. The fintech market will pay close attention to the outcome of those projects during the following months.

Apart from that, recent regulatory changes have entered into force in the past months, such as a new regulation on certain aspects of digital trust services (Law 6/2020) or cybersecurity regulations (Royal Decree 43/2021). In addition, the recognition in Spain of specific digital rights is currently being reinforced through certain initiatives, such as the proposal for approval of a Spanish Charter of Digital Rights, all of which should be taken into consideration owing to their impact on the fintech legal framework. Finally, the main disruption in the global financial sector is still expected to result from ledger technologies such as blockchain. Although this type of technology is not yet commonly used, it is expected to emerge in Spain in many areas beyond just cybersecurity and cryptocurrencies.


1 Leticia López-Lapuente and Isabel Aguilar Alonso are partners at Uría Menéndez.

2 Source: Map of the Fintech Ecosystem in Spain, by Abanca Innova.
