Contributed By Sérvulo & Associados
The FinTech market in Portugal is evolving at an interesting pace. Both the business community and the research community are developing interesting FinTech projects in several domains, some of them fostered by the Web Summit, held annually in Portugal since 2016.
One of the most prominent examples is Raize, a crowdfunding platform focused on peer-to-peer lending, which was listed on the Euronext non-regulated market segment in July 2018.
Portugal already has its first crypto-currency – Bityond, which allows its owners to participate in polls related to the development of the platform created by the company or to donate tokens to the company in order to develop new functionalities and applications.
Given these developments, a new communication platform, called Portugal FinLab (www.portugalfinlab.org), has been set up between financial sector innovators (start-ups or incumbent institutions) and the Portuguese regulatory authorities. Through Portugal FinLab, regulators provide clarification to participants regarding the regulatory environment, so the objective of Portugal FinLab is to create efficient communication between regulators and participants, in order to facilitate the understanding of the regulatory reality in which they operate during the creation and development of new projects in the area of FinTech and Insurtech.
Moreover, the Portuguese Securities Commission (CMVM: Comissão do Mercado de Valores Mobiliários) has set up a department in charge of market developments, which reveals openness and proximity to operators in the prospective analysis of operations regarding FinTech matters.
CMVM has also recently announced a full revision of the Securities Code for the coming year, and it will be important to see to what extent this major reform will affect the FinTech sector.
Finally, it is expected that Parliament will soon start debating a new legislative framework in respect of crypto-currency trading. No date for the approval of this piece of legislation can be indicated at this stage.
Most investment services in Portugal are offered by banks, and the market for online investment services is limited when compared to other EU countries. Over the last few years there have been some new (banking) players offering fully digital investment services but this is still a niche segment in Portugal.
In 2015 a new legal framework for crowdfunding entered into force in Portugal (Lei nº 102/2015: Regime Jurídico do Financiamento Colaborativo). Among others, this legal framework governs electronic platforms for equity crowdfunding, which must apply for prior registration with CMVM. In May 2018, CMVM announced the registry of the first authorised platform for equity crowdfunding in Portugal.
As mentioned, electronic crowdfunding platforms are subject to prior registry with the Portuguese Securities Commission. The entity managing the platform must meet several conditions, including a minimum legal capital of EUR50,000 and professional indemnity insurance covering at least EUR1 million per event and EUR1.5 million per year. The holders of qualifying participations and the members of the management body of the entity owning and managing the platform are subject to fit and proper requirements. As a rule, public offers for crowdfunding must not exceed EUR1 million (on an individual basis and in any 12-month period). As another general rule, investors must not participate in offers in excess of EUR3,000 (on an individual basis), and must not invest more than EUR10,000 in crowdfunding in any 12-month period.
The Portuguese financial regulation system is primarily entrusted to three independent administrative authorities, which are responsible for supervising the banking, securities and insurance sectors in Portugal:
Whether a FinTech company falls within the scope of these regulators will depend on its business and the type of activity that is to be pursued.
FinTech is not subject to any specific legal framework in Portugal, per se, with the only exception being, as already stated, the new legal framework for crowdfunding. FinTech companies that provide regulated services in Portugal are subject to the general regulatory regimes that apply to any business providing those services in the national market.
The Portuguese Securities Commission has not created a regulatory sandbox, despite some calls to do so by market players and even the Portuguese Competition Authority.
In the financial sector, the jurisdiction of Bank of Portugal includes banking activities, electronic money and payment systems, while the Portuguese Securities Commission is dedicated to investment products, listings and public offers of securities.
In this context, it is relevant to note that some grey areas do persist. In July 2018 CMVM released a public statement on virtual currencies, in which it states that there is not yet any regulation or supervision in Portugal regarding crypto trading platforms, ICOs or virtual currency trading.
The outsourcing of regulated activities within the financial sector should always be done in a manner that does not risk or hinder compliance with any applicable regulatory requirements by either the outsourced entity or the original credit institution/financial company. Although it will most likely be more convenient to outsource to a regulated entity, this is not mandatory. Nonetheless, the credit institution/financial company is strongly advised to select an outsourcer that is capable of undertaking the services delegated as if they were to be provided by the original credit institution/financial company itself, considering the latter remains liable towards the supervisor and the final client regardless of the fact that the task at hand has been delegated to a third party.
In light of this, it will also be crucial for the credit institution/financial company to retain enough elements and powers to ensure the execution of the outsourced services in the event that the outsourced entity fails to provide such service or to comply with any relevant applicable rules. Therefore, it is expected that the credit institution/financial company will keep some degree of control over the outsourced services at all times and therefore be able to replace the outsourced service-provider if it fails to comply with its tasks.
Finally, it should be noted that outsourcing topics are covered extensively by Portuguese legislation (such as the Portuguese Securities Code and the Credit Institutions and Financial Companies Act), further to the EU regulations and the EBA Guidelines and ESMA Guidelines on outsourcing arrangements.
As far as is known, there has not been any publicly reported civil or criminal prosecution in respect of such matters, nor have there been any administrative procedures involving sanctions as far as FinTech companies are concerned. Nonetheless, the Portuguese regulators have the authority to apply sanctions to any person or legal entity that fails to comply with the applicable laws or with the regulation in force.
The FinTech industry covers a wide range of businesses and activities, and, for that reason, a variety of legislation, in addition to the Legal Framework of Credit Institutions and Financial Companies (Decree-Law No 298/92) and the Portuguese Securities Code (Decree-Law No 486/99), significantly impacts the vertical. Among said legislation, privacy laws, anti-money laundering laws and cybersecurity laws assume great importance to FinTech businesses. There are no specific legal or regulatory requirements for FinTech companies regarding such matters.
Law no. 83/2017 provides the legal framework for the prevention of money laundering and the financing of terrorism, and has been complemented with a set of regulations, instructions and recommendations issued by the national supervisory authorities. The AML legal framework applies to a significant number of regulated entities and persons carrying out a certain type of activities, including crowdfunding platforms and respective managing entities, in the categories of donation and reward and non-profit organisations. As far as a person or company carries out those activities (regulated or not), compliance with the anti-money laundering laws is required, which includes an obligation to have appropriate policies and procedures in place to combat money laundering and terrorism financing.
Among other duties, entities that are subject to anti-money laundering requirements must comply with customer identification and due diligence procedures prior to the establishment of any business relationships when carrying out occasional transactions that amount to at least EUR15,000 (either by means of one single transaction or various related transactions) or that consist of a transfer of funds above EUR1,000, and, in general, every time they find a transaction or the identification details of the customer suspicious in the sense that it might be linked to money laundering.
In the field of data privacy, the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679), in May 2018, is the main landmark to be considered, with its provisions being directly applicable in all Member States to the processing of personal data by automated means, and to manual processing if the personal data forms or is intended to form part of a filing system. Non-compliance with the Data Protection Law is generally deemed an administrative offence, and the fine for a severe violation can be up to EUR20 million, or, in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher. For less severe violations, the GDPR sets forth fines of up to EUR10 million, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
As yet, there is no specific national regulation providing a specific legal framework in the context of the GDPR in Portugal, but legislation implementing or consolidating the GDPR is currently being prepared.
Portuguese Cybercrime Law (Law No 109/2009), which implemented the European Convention on Cybercrime, and Law No 46/2018, which transposed the NIS Directive (Directive on Security of Network and Information Systems), also play an important role in the protection of FinTech technology in Portugal, by implementing security requirements for operators of essential services and digital services-providers.
Social media and similar tools have not yet been targeted by specific regulation in Portugal. Naturally, if social media and similar tools are used for marketing purposes, data privacy and data protection rules as defined under GDPR will apply, as well as marketing rules regarding advertising of financial products to consumers.
Although one might argue that FinTech is the financial tech sector that has evolved most significantly in Portugal, it would be unfair to say that it is a widely scrutinised market at this time.
Financial regulators are relevant stakeholders and are most definitely paying close attention to the FinTech market, not only on an individual basis but collectively.
As mentioned above, all Portuguese financial regulators recently joined efforts with a private FinTech association to create a marketing platform (Portugal FinLab) to host and promote FinTech and InsurTech initiatives in a start-up hub, and to assist these up-and-coming players to understand the market and its regulatory challenges and new rules better.
In addition to the promotional and new initiatives angle, and further to the supervisors’ role, it should be noted that the Portuguese Securities Code and the Credit Institutions and Financial Companies Act (further to the Portuguese Companies Act) not only task the supervisory body of the institution with a reviewing role regarding the entity that is being supervised, but also task its internal and external auditor (if any) with monitoring the relevant entity’s practices. In some specific FinTech cases – such as equity crowdfunding, the one that is regulated at this stage – this review role can also fall within the scope of the management entity's tasks.
In Portugal, there has already been a regulator’s response to unregulated products in respect of the cryptocurrency Bityond. After analysing Bityond’s Whitepaper, CMVM issued a Notice concluding that this token is not a security and therefore it is not subject to the supervision of CMVM. However, CMVM does not exclude the possibility of some of these instruments being treated as securities.
There are several possible approaches to implementing robo-advisory technology, depending on the type of service and assistance required, and on whether there is human intervention. Thus, the implementation of such technology considers factors such as automation, costs, safety and the nature of the assets.
Assets are an important factor to consider: the more complex the products, the higher the level of assistance and advisory.
The bottom line is that this technology will determine the profile of the investors by verifying their risk appetite and investment objectives in order to build their portfolio, regardless of the assets they are interested in. The premise around robo-advisory technology is that investors will answer questionnaires with their personal information to reach their investing profile. This information is put through a computer algorithm, which will generate an investment portfolio that is adequate to the investors.
In the financial services industry, robo-advisers are designed to provide investment services such as automated portfolio planning, automatic asset allocation or risk assessment.
The key characteristic of such technology is the reduction or, in some cases, the elimination of human intervention.
There are several companies that specialise in this type of service, like Mint (one of the first attempts to launch robo-advisory technology through the creation of semi-automated personal finance management), Betterment or Wealthfront. Betterment is an automated goal-based investment company that provides investment solutions based on the risk profile and objectives of the investors, while Wealthfront is an investment services company that provides financial planning through the use of this technology, allowing the automation of the investment.
However, nowadays, robo-adviser technology has diverged from invest-advice platforms to a wide range of applications, such as the tax planning of a company or even retirement plans.
With MiFID II, there are new requirements and rules concerning investor protection. Therefore, investment firms must adopt and implement adequate measures to obtain the best possible result when executing an investor’s orders: the best execution rule.
Companies will execute their investors' orders in compliance with their execution policies. When executing investors' orders, investment firms can direct these to multiple execution venues or can opt to select other firms to provide the execution services.
In accordance with MiFID II, the best-execution obligation requires investment firms to execute the orders on the terms and conditions most favourable to investors, considering the price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order, and the investor may give specific indications that guide the performance of the financial intermediary. Thus, the best possible result shall be determined in terms of the total consideration, representing the price of the financial instrument and the costs relating to execution.
Financial intermediaries are also obliged to review their execution policies and procedures used for executing investors' transactions.
The implementation of this technology needs to be compliant with the legal requirements that apply to investment advice and best execution obligations, and should be designed to consider the essential characteristics that allow execution under the best conditions for investors.
Some of the problems attributed to the use of this technology are related to the lack of human perception, the limitation of the questionnaires made to investors or the inability to address market failures.
Given its characteristic to create an investment profile or investment portfolio for clients, legacy players must determine that a robo-adviser system ensures an appropriate profile for customers based on price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order.
This automated technology may cause problems regarding the execution of investors' orders, namely in market failure scenarios, since the programme itself will not initially be designed to take those risks into consideration.
Likewise, the possibility of taking orders from investors can be a challenge in the face of automation.
In general terms, loans to individuals that qualify as consumers benefit from a set of legal rules aimed at providing enhanced protection for consumers against unfair or misleading practice, particularly with respect to the disclosure of information. These legal rules include:
Small, medium-sized and large businesses do not qualify as consumers for the purposes of the above-mentioned legal rules, and do not fall under their scope of application (except for the lighter provisions concerning unfair terms).
The underwriting processes are heavily influenced by anti-money laundering requirements or those to combat the financing of terrorism and other know-your-customer (KYC) requirements, which mould the taking-onboard of new customers. Bank of Portugal has established the technical, risk assessment, monitoring and personnel requirements for video-conference and other digital channels and how they should be conducted in order to be considered as an alternative means to complying with customer due diligence measures of identifying the customer and verifying the customer’s identity.
The requirements concerning the assessment of customers' creditworthiness established in Bank of Portugal’s recommendation referred to under 4.1 Differences in the Business or Regulation of Loans Provided to Different Entities above are also demanding, even though they do not apply, for instance, to credits equal to or lower than ten times the monthly minimum wage (currently EUR600) and may limit the easiness, straightforwardness and swiftness of the onboarding usually associated with online agreements.
Given the rising marketing of retail banking services through digital channels (in particular mobile apps and online platforms), on 17 January 2018, Bank of Portugal required credit institutions that enable their customers to initiate and conclude the process of contracting credit products through digital channels to provide Bank of Portugal with information about the process, the safety mechanisms and the features of the credit products ten days in advance, prior to the commencement of the marketing.
A survey of credit institutions made by Bank of Portugal in 2016 shows that 88% of credit institutions make online channels available to individual customers (65% to corporate customers) and 62% of credit institutions make mobile apps available to individual customers (38% to corporate customers). The survey also concluded that, in consumers' online lending, there is some tendency to dematerialise certain procedures (insertions of customers’ personal data, digital identification and authentication, document uploads, visualisation, download or sending of contractual and pre-contractual information) but they are not fully executed on a distance basis. Some credit institutions indicate that certain procedures are made through an app, tablet or other device installed in credit intermediaries, because of the business model developed with these credit intermediaries, which are also points of sale. Because of the recent approval of the regime of credit intermediaries, which has made market access significantly more burdensome, it is expected that there will be a rise in automated/online lending at these points of sale, without the intervention of credit intermediaries.
According to Bank of Portugal’s Report on Financial Stability of December 2018, the liabilities of the banking system in the first semester of 2018 increased 1.5% in comparison with December 2017, due to an increase in deposits from clients and other credit institutions and a decrease in financing with central banks and through debt securities. The deposits increased 2.2% in this period and represent about 66% of the total liabilities and equity. This increase was more notable in the deposits of individuals and non-financial companies. The volume of current accounts is also increasing in comparison with term deposits, given the negligible interest rates (which reflect ECB monetary policy and also the introduction by Bank of Portugal in 2011 of a deduction to Tier 1 capital for new deposits that exceed 300 bp over the Euribor, which was only repealed with the Capital Requirements Regulation).
On the other hand, interbank lending increased by 14.2% during the first semester of 2018 and represents about 6.3% of the net assets, whereas financing with central banks decreased (4.7% of the total assets), comprised mostly of TLTRO (targeted longer-term refinancing operations). The weight of debt securities also diminished (4.2% of the assets), due to a decrease in covered bonds of 19% (the major credit institutions have issued instruments eligible as capital and also eligible for Minimum Requirement for own funds and Eligible Liabilities (MREL)). Directive (EU) 2017/2399 of the European Parliament and of the Council of 12 December 2017 amending Directive 2014/59/EU as regards the ranking of unsecured debt instruments in insolvency hierarchy (which are eligible for MREL but not as capital) has not yet been transposed in Portugal.
Besides banks, significant market players in consumer credit activity are credit institutions that take the form of credit financial institutions (known as "instituições financeiras de crédito" or by its acronym IFIC) or credit financial companies. These entities are not allowed to receive deposits from the public.
As far as is known, the syndication of online loans is not a current market practice in Portugal. There is also no specific regulation in this respect.
In Portugal there are two main payment systems:
Both systems are operated by the competent Portuguese Banking Authority, which is also the Portuguese Central Bank (Bank of Portugal). Payment processors can create new private payment systems but it is up to Bank of Portugal to designate which systems are covered by the Portuguese legislation implementing the Settlement Finality Directive and thus benefiting from settlement finality and its special insolvency regime. The Portuguese legislation implementing PSD 2 has set out rules governing the objective, non-discriminatory and proportionate access to payment systems.
In Portugal, the role of the fund administrator can be carried out by the management corporate body of the investment company (in the event of self-management investment) or by a third party that is authorised to execute such role (which could occur in an investment company and always happens in the case of investment funds).
Fund administrators (commonly known as management entities) are regulated regardless of the type of fund to be administrated. Investment funds targeting securities, properties or alternative investments are vastly regulated by Law 16/2015 (as amended), while venture capital funds are covered by Law 18/2015 (as amended) and pension funds are covered by Decree-Law 12/2006 (as amended), all of which comprise significant sets of rules defining the role of the management entity, its eligibility as such, and regulatory requirements for a company to become a fund administrator.
Some rules differ depending on the type of fund, as does the relevant entity that will be granting authorisation for future fund administrators and assessing its suitability and regulatory compliance, as well as supervising its performance as fund administrator. A fund administrator of a pension fund will be authorised and supervised by ASF, and fund administrators of venture capital, securities, property or alternative investments have to be authorised by both Bank of Portugal and CMVM, and are also supervised by the latter.
Despite recent evolution in terms of tools and fund administration techniques, tech has not yet had any regulatory impact on the assessment, conduct and choice of fund administrators.
Fund administrators are subject to specific conduct duties, and the content of a fund administration contract is already defined – to a significant extent – by the law applicable to that specific type of fund.
Under Law 16/2015 (as amended), a fund administrator of a securities, property or alternatives fund is required to enter into a fund administration contract with a self-managed investment company. This contract needs to be made in writing and will define a wide range of topics, namely how the management entity is selected and replaced, the investment policy, the dividend distribution policy, the voting rights policy and the loan and leverage policy that the fund administrator will need to abide by at all times, the fees to be paid to the fund administrator, the methodology to calculate the number and value of the participation unit of the fund, and how the fund administrator should act with respect to any claims.
As for investment funds or investment companies managed by a fund administrator, Law 16/2015 (as amended) further determines a very similar set of rules that can be drawn from the legal regime provisions governing the fund administration governance and activity.
Similar rules apply to pension funds, as per Decree-Law 12/2006 (as amended), and to venture capital funds, pursuant to Law 18/2015 (as amended).
Fund administrators have always undertaken a very proactive gatekeeper role in Portugal. Under Law 16/2015 (as amended), fund administrators of a securities, property or alternative investment fund are subject to a general surveillance duty which obliges the management entity to monitor compliance closely with all relevant rules applicable to that management fund.
If, for any reason, the fund administrator is not capable of guaranteeing that compliance, the relevant supervisor (in this case, CMVM) ought to be promptly informed of that fact in order to decide whether and how it should act and what actions must be undertaken by the fund administrator to tackle this issue.
Similar rules apply to pension funds, as per Decree-Law 12/2006 (as amended), and to venture capital funds, pursuant to Law 18/2015 (as amended).
According to MiFID II, there are three trading platforms: regulated markets, multilateral trading facilities and organised trading facilities.
Regulated markets are those systems which, having been authorised as such by any Member State of the European Union, are multilateral and operate on a regular basis in order to enable the pooling of interests in financial instruments with a view to concluding contracts on such instruments.
The Code defines multilateral trading systems as the systems that have such quality and enable the meeting of interests relating to financial instruments in the system and in accordance with non-discretionary rules for the conclusion of contracts on such instruments.
Finally, organised trading facilities (OTFs) are multilateral systems that are neither a regulated market nor a multilateral trading system, but through which multiple buying and selling interests are expressed by third parties in relation to debt instruments, including securitised bonds, or derivatives, with a view to concluding contracts on such instruments. Equity instruments are therefore excluded.
The trading regime applies to every type of asset class. The law does not segregate the treatment of crypto assets or other different asset classes. From a trading regime perspective, there are only separate regimes for the listing of shares and bonds.
In Portugal there is no legislation or regulation concerning crypto-currency exchanges. According to the Portuguese Banking Authority, operations related to crypto-currencies are not illegal or forbidden. However, the entities that issue and/or sell virtual currencies are not subject to any obligation for authorisation or registration with Bank of Portugal. Therefore, crypto-currency issuing or selling activity is not currently subject to any kind of prudential or behavioural supervision.
The general listing standards require that:
Furthermore, the issuer of securities to be traded on an official listing market must develop its activity for at least three years, and disclose, in accordance with the law, its management reports and annual accounts for the three years prior to the one in which admission is requested.
There are no listing standards agreed upon by the industry.
MiFID and MiFID II rules concerning order handling have been transposed into Portuguese law, requiring investment firms to implement procedures and arrangements that provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or the trading interests of the investment firm.
If the firm cannot execute an order, it shall transmit the order to another firm that is able to execute it.
The firm must ensure that orders are promptly and accurately recorded and allocated, and that the orders are carried out sequentially and promptly, unless doing so is impracticable due to the nature of the order or the prevailing conditions of the market, or if the interests of the client require otherwise; the firm must also ensure that a retail client is informed promptly about any material difficulty relevant to the proper carrying-out of orders.
As in most peer-to-peer platforms, peer-to-peer trading platforms can contribute to the stimulation of the financial instruments markets by attempting to democratise market access in a desirably more efficient and user-friendly trading environment and catalysing individual innovation and entrepreneurship.
The perception of the financial risk to be assumed by the peers, including the identification of a counterparty risk to other market participants, and concerns about security, data and fraud protection justify the regulatory framework not remaining impervious to these technological advances and to the rise of 'prosumerism' associated with peer production and consumption. Whilst some regulatory responsibility should be delegated to the markets and to the platforms (eg, by promoting reliable peer-monitoring mechanisms), a public and governmental oversight of these platforms cannot be disregarded, in order to adjust the requirements for systems and controls in different trading environments for trading platforms aimed at enabling the sound technical operations of the facility, controlling the existence of effective contingency arrangements to cope with any risk of system disruption and avoiding erroneous orders or otherwise malfunctioning in a way that may create a disorderly or dysfunctional market.
It should also be stressed that MiFID II introduced a broad concept of organised trading facility (OTFs), in order to capture any facility or system that is not a multilateral trading facility or regulated market, and to bring these facilities and systems under the regulatory scope.
ESMA’s Q&A provide clarity on the type of arrangements that qualify as an OTF. Therefore, any entity should seek authorisation to operate an OTF where the three following conditions are met:
Notwithstanding the possible difficulty in identifying the platform operator, OTFs should be able to determine and restrict access, based, inter alia, on the role and obligations which they have in relation to their clients. OTFs will only relate to bonds, structured finance products, emission allowances or derivatives. In addition, orders on an OTF must be executed on a discretionary basis.
Under MiFID, firms had to “take all reasonable steps” to obtain the best possible result for clients when executing a client order. This duty was strengthened, with MiFID II now instead requiring firms to “take all sufficient steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order.”
Despite ESMA having confirmed that the requirement for “sufficient” steps sets a higher bar for compliance than “reasonable” steps, the Portuguese legislator left the best execution duty unchanged in the implementation of MiFID II.
In order to comply with the requirement to act in the best interests of their clients, investment firms will need to assess the market landscape regularly to determine whether or not there are alternative venues that they could use. This means that investment firms should also be mindful of all the new innovations in business approaches and supporting new technologies, and the emergence of new execution venues geared toward specific market needs, in order to demonstrate that they have put policies in place that monitor adequately the quality and appropriateness of their execution arrangements and to ensure that the design and review process of policies is appropriate and takes into account new services or products offered by the firms. This obligation may encourage new entrants, although it may also naturally increase the fragmentation of market liquidity.
Another topic is the exclusion of the best execution duty where there is a specific instruction from the client (the investment firm shall execute the order following the specific instruction). If the specific instruction has been influenced by the firm (which led the client to present that instruction), this exclusion should not apply.
Regarding direct electronic access (DEA) to an OTF, ESMA has noted that a DEA order could be considered as a client-specific instruction to the broker providing the DEA arrangements to its clients.
The general inducements rule prevents firms from paying benefits to or receiving benefits from third parties, unless the benefits are designed to enhance the quality of the relevant service to the client, and do not impair compliance with the firm’s duty to act honestly, fairly and professionally in accordance with the best interests of its clients.
Unlike the FCA, as far as is known, the Portuguese Securities Commission has not specifically addressed the practice of brokers demanding payments from counterparties as a condition for conducting client business, although this will most certainly fall under the scope of application of the inducements rule.
Some experts claim that third-country investment firms (not directly affected by MiFID II) may provide a loophole enabling the payment for order flow ban to be bypassed, insofar as evidence can be provided that the contact was exclusively initiated from the client. The lure of commission-free brokerage or other attractive business models to consumers (regardless of that business model being supported by sales of customers’ order flows, like Robinhood did to high-frequency traders, and possibly with an increased risk of conflicts of interest and relaxation of the brokers’ best-execution duties), in an online/app environment, may pose a competition challenge to EU-based brokers.
The protection of the market is historically one of the major goals assumed by the Portuguese legislator, thus imposing on financial intermediaries and market members a duty to behave with integrity and to refrain from taking part in transactions or carrying out actions that are capable of putting the market’s orderly functioning, transparency or credibility at risk (Article 311 of the Portuguese Securities Code).
In Portugal, alongside the provisions resulting from MiFID II, transposed into national law by Law No 35/2018 (see Articles 208-A, 317-E, 317-F, 317-G, 317-H of the Portuguese Securities Code), the legal framework for algorithmic and high-frequency trading is complemented by the MiFID Regulatory Technical Standards and Delegated Acts (RTS 6, 7, 8, 9, 10, 11 and 12), which are directly applicable, with no significant differences among asset classes. The Portuguese regulator has not yet made any specific provisions or recommendations for algorithmic trading.
Specifically, pursuant to Articles 317-E and 317-F of said Securities Code, a financial intermediary that engages in algorithmic trading must have effective systems and risk controls in place that are suitable to ensure that its trading systems are resilient and subject to appropriate trading thresholds and limits, and to prevent the sending of erroneous orders in a way that may contribute to a disorderly market.
Investment firms must notify their intentions to engage in algorithmic trading to the Portuguese Securities Commission, as well as to the trading venue where the firm intends to engage in algorithmic trading as a member or participant, and, prior to the deployment or development of a substantial update of an algorithm, algorithmic trading system or algorithmic trading strategy, firms must test their conformance and adequacy (RTS 6 - Commission Delegated Regulation (EU) 2017/589). Investment firms shall also be able to cancel immediately, as an emergency measure, any or all of their unexecuted orders submitted to any or all trading venues to which they are connected.
Financial intermediaries must ensure the existence of an independent compliance function with the necessary authority, resources and expertise to monitor the firm’s compliance with its regulatory obligations. Non-compliance with the legal requirements regarding engaging in algorithmic or high-frequency trading activities is sanctioned as an administrative offence and subject to a fine of up to EUR5 million, or up to 10% of the global turnover of the preceding fiscal year, whichever is higher (Articles 388 and 397-A of the Portuguese Securities Code).
Regulatory regimes concerning algorithmic and high-frequency trading are applicable to all managing entities responsible for trading platforms, since, as acknowledged in RTS 7 (Commission Delegated Regulation (EU) 2017/584), the risks potentially arising from algorithmic trading are present in any type of trading platform that is supported by electronic means.
Consequently, specific organisational requirements can also be found in respect of Regulated Markets, Multilateral Trading Facilities and Organised Trading Facilities allowing for algorithmic trading through their systems. As such, Article 208-A of the Portuguese Securities Code, complemented by RTS 7, imposes further requirements in respect of governance, compliance functions, staffing and outsourcing for exchanges and exchange-like platforms.
Trading venues must ensure that their trading systems have sufficient capacity to perform their functions without failures or errors in the matching transactions system, and shall also set out the conditions for the usage of their electronic order submission systems by their members. The regulation provides for a set of requirements relating to the resilience of the platforms, for which purpose the trading venue must conduct due diligence to determine the knowledge and technical arrangements of the traders requesting connection to the venue, in order to prevent disorderly trading conditions.
In Portugal, investment firms or market operators are not allowed to execute client orders against proprietary capital, or to engage in matched principal trading on the Regulated Markets or Multilateral Trading Facilities they operate. Pursuant to Article 200-A (6) (b) of the Portuguese Securities Code, matched principal trading is only permitted in an OTF, since the client has expressly consented to the process, provided that a type of derivatives contract that has been the object of a centralised clearing obligation in accordance with Article 5 of the European Market Infrastructure Regulation (EMIR – Regulation (EU) 648/2012) is not at stake.
For this purpose, the market operator must be registered as a financial intermediary authorised to deal on its own account by the Portuguese Securities Commission, which shall monitor its engagement in said activity to ensure that it does not give rise to conflicts of interest between the investment firm or the market operator and its clients.
On the other hand, concerning the adoption of market-making strategies by intermediaries that engage in algorithmic trading, whenever an investment firm intends to engage in algorithmic trading to pursue a market-making strategy, it shall guarantee, by means of a binding written contract to be entered into with the trading venue, that said activity is continuous during a specified proportion of the trading period. In that context, an investment firm would also have to put systems and controls in place that are adequate to ensure that it fulfils its obligations under said agreement at all times (Article 317-G of the Portuguese Securities Code).
The general best-execution rules also apply to investment firms that engage in algorithmic or high-frequency trading strategies, even with higher incidence, given the specific duties imposed by MiFID II and RTS 6, 7 and 8 regarding governance, organisation, and systems and controls requirements applicable to traders and trading venues.
There are no specific rules establishing different regulatory solutions for funds and dealers engaging in algorithmic or high-frequency trading activities.
Payment for order flow occurs whenever an investment firm receives a fee or commission from the client that originates the order and, simultaneously, from the counterparty the trade is then executed with – typically a market-maker or other liquidity provider, which in that way pays for the investment firm clients’ order flow. These arrangements are often deemed to result in potential situations of conflict of interest between the investment firm and its clients by encouraging the firm to execute its clients’ orders with the counterparties willing to pay the highest commissions and thereby undermining the firm’s ability to comply with its best execution obligations. In such a case, this type of practice is certainly capable of restricting transparency and efficiency in the price formation processes.
According to Articles 304 and 309 of the Portuguese Securities Code, financial intermediaries should always conduct their activity by assuring the protection of the legal interests of their clients. As such, when in a situation of apparent conflict of interest, they must act in order to ensure their clients receive fair and equal treatment, necessarily giving preference to their legal interests.
Payments or inducements for the execution of orders are generally prohibited under Articles 313 and 313-A of the Portuguese Securities Code, although they are accepted in cases where the payments of fees are necessary for the rendering of the services, and in situations where the practice is deemed to enhance the quality of the service provided and is clearly and previously disclosed to the client. Remunerations, commissions or benefits shall only be paid when justified by the provision of an additional or higher level of quality service to the client, and provided that it is disclosed and does not interfere with the obligation of the investment firm to act honestly, fairly and professionally in accordance with the best interests of its clients.
Financial research platforms are not regulated per se in Portugal, and therefore are subject solely to the general EU rules under the Market Abuse Regulation and MiFID II. Such platforms are subject to registration when they qualify as investment firms. Portuguese law does not impose any registration on participants in such platforms.
As follows in general from the market-abuse regime, the spreading of rumours can be qualified as market manipulation if it corresponds to fraudulent practices that are capable of artificially altering the regular functioning of the securities market or other financial instruments (Article 379 of the Portuguese Securities Code).
The duty to avoid market manipulation and the misuse of inside information applies to any person, so it also applies to financial research platforms.
If financial research platforms are investment firms, there are duties to report suspicious or unlawful behaviour.
Portugal is taking its first steps in the InsurTech market and has yet to adjust its regulations to the new types of insurance (smart) contracts, such as Usage-Based Insurance (UBI) or the PAYD and the PHYD types, or even IoD contracts. Although InsurTech has initiated a discussion about how big data and the collection of real-time information can affect underwriting processes, Portuguese regulation has not yet established specific rules covering that topic, but has rather focused on regulating insurance contracting executed at a distance, and respective information duties.
Therefore, the more traditional underwriting processes remain in force in Portugal and depend on the type of insurance contract at stake – eg, health and life insurance consider vectors such as the insured person’s medical history and examinations and the current mortality rate, while car insurance takes into account other factors, such as the driver’s collision history, their age and the vehicle. All underwriting processes are defined by the regulation that applies to the relevant type of insurance.
Under the Portuguese regime, different insurance types are subject to different legal regimes, with some differences – namely, regarding underwriting processes and criteria or mandatory coverage rules. However, some topics are subject to the same rules regardless of the type of insurance – eg, under Law No 7/2019 (that implements Directive (EU) 2016/97 on insurance distribution in Portugal), all insurance contracts are subject to the same distribution rules regardless of the type of insurance at stake.
The ever-so-demanding regulatory requirements applicable to the financial sectors have contributed to the emergence of RegTech providers. These providers enable credit institutions and financial companies to comply with regulatory demands by means of providing compliance, risk management, transaction monitoring and reporting and control services to the companies in a more technological – hence effective – manner. However, although it is fair to say that the market already has a number of players (most are foreign, although there are a couple of domestic rising companies), RegTech is quite a recent market development in Portugal.
At the time of writing, RegTech providers do not need to be incorporated as a regulated company, although the RegTech provider’s conduct and activity will most likely fall in the financial outsourcing umbrella. Under EU and PT laws, outsourcing requirements and rules are deemed to be applicable not only to investment or banking activities but also to operational activities of the institution that can be categorised as crucial or, at least, important to guarantee the provision of services by the financial entity without disruptions. Considering that RegTech tackles regulatory, compliance and reporting challenges, it comes as no surprise that the choice, hiring and conduct of a RegTech by a financial company operating in the banking or capital markets sectors are subject to EU and PT outsourcing rules and will result in conduct duties for these providers in similar terms to those applicable to the company that hired that provider.
Considering that, from a legal perspective, this is an underdeveloped area, both parties have quite a significant margin of discretion. Common-ground clauses – that also aim to tackle outsourcing – usually cover duties of conduct, care, surveillance and diligence, information reporting duties, integrity and no-disruption guarantees, data secrecy, data security and data protection assurance and liability clauses (the latter being rather important considering that the provider can cause the credit institution or the financial company to fail a report delivery and be heavily sanctioned in return, regardless of the fact that the failure was due to a RegTech provider and not the financial entity).
Moreover, these contracts usually include detailed clauses on the level of service to be provided, with strict timing and data quality specifications.
For those cases where outsourcing rules are deemed directly applicable, one must consider the EU rules on the core elements of the outsourcing contract (namely those listed in EU Delegated Regulation 565/2017 and implementing national rules) that define mostly the obligations of the credit institutions and financial companies that subcontract or hire RegTechs.
Other clauses arise from the complexity of the contract’s services, the regulatory rules applicable to the scope of the services to be rendered, and the risk that any breach ultimately represents.
In light of the above, it is fair to say that the vast majority of these contract clauses are yet to become customary in the industry.
In those cases where a RegTech provider might uncover some facts that could be a relevant indication that a serious criminal offence has taken or is about to take place (such as AML/FT issues), said RegTech provider will or might be bound to report such event to the competent authorities, further to communicating it to the credit institution or financial company that has hired the service.
Any affirmative duties to look for such events will most likely be a result of the contract that was agreed upon and executed between the RegTech provider and the credit institution/financial company.
It should be noted that any affirmative duty belongs to the credit institution/financial company (which will also be the entity liable for any resulting breaches of such duty), so it is expected that the above-mentioned contract assigns some degree of (contractual) responsibility to the RegTech provider in the event of failing to detect suspicious or unlawful behaviour independently of those events that are subject to other types of reporting to the competent authorities.
Blockchain technology started with the most famous crypto-currency – bitcoin – but the importance and different applicability the underlying technology could have soon became clear.
There are several possible applications for this technology and they are starting to be tested and developed in the most varied areas, from health services to financial services.
Various institutions, such as banks and tech companies, are gathering efforts for the development of this technology.
Thus, efforts to apply this technology to different market structures have begun to emerge. There are already many application cases such as record keeping and optimisation of corporate processes, loans, clearing and settlement systems, cash equities markets, investment, alternative financing, and the execution of smart contracts, among others.
The Portuguese Association of Investment Funds became a pioneer by presenting a proposal for a blockchain-based investment fund distribution platform, in which the proof of concept allowed “to validate the applicability of blockchain technology, to verify its flexibility and efficiency gains in the operationalisation of the subscription, redemption, cancellation and reporting procedures to the regulator through this platform.”
There is currently no legislation or new rule proposals about blockchain. CMVM and Bank of Portugal are still very cautious about approaching this new technology.
There has been an effort by the authorities to discuss, understand and study this subject.
CMVM has provided a series of conferences and presentations regarding blockchain technology, and set up a department in charge of market developments, which reveals openness and proximity to operators in the prospective analysis of operations regarding these matters.
Currently, there are several types of digital assets, such as crypto-currencies, security tokens, utility tokens or crypto commodities with cryptographic basis.
Although the discussion on the classification of blockchain-based assets is still in its early stages, and will take some time to reach a consensus, there are some attempts to regulate these assets.
The problem in classifying blockchain-based assets is knowing which legislation will be applied and which mandatory requirements must be met, and how market players, including financial intermediaries and supervisory authorities, are to act.
In Portugal there is no understanding on the different classifications of blockchain-based assets, nor on their regulation. Both the Portuguese Banking Authority and the Portuguese Securities Commission have pronounced themselves on crypto-currencies, as explained in 12.7 Virtual Currencies, below.
To describe the regulation of blockchain assets issuers, as well as the initial sales, the classification must first be determined.
In Portugal, there is no legislation or regulation concerning blockchain assets, which means that blockchain assets and blockchain operations are not illegal or forbidden.
The Portuguese Market Commission has pronounced itself on the issuing of crypto-currencies, stating that the entities that issue and/or sell virtual currencies are not subject to any obligation for authorisation or registration with Bank of Portugal. Therefore, the issuing or selling of crypto-currencies is not subject to any kind of prudential or behavioural supervision.
Blockchain-based trading platforms are not currently regulated. In the financial markets, the existing trading platforms are regulated markets, multilateral trading facilities, organised trading facilities and systematic internalisers. None of those platforms is designed to incorporate a blockchain-based trading platform, and there are no changes foreseen in the existing operating requirements to these platforms, namely in MiFID II, that may lead to such application.
In the European Union, there are two major legislative instruments that regulate investment funds: the Undertakings for Collective Investment in Transferable Securities Directive (“UCITS”) and the Alternative Investment Fund Managers Directive (“AIFMD”).
As there is still no consensus as to its categorisation, UCITS will not be applicable to blockchain-based assets. For this purpose, funds that invest in blockchain assets shall be regulated by the AIFMD.
Blockchain assets are digital assets that can be immediately transferable, at any time, to any person, and which are recorded within a public or permissioned distributed ledger system.
The most common and well-known blockchain assets are crypto-currencies (more specifically bitcoin) – the use of tokens based on the distributed ledger technology.
As there is still no certainty regarding the nature of crypto-currencies, at least in Portugal, there is no real difference between the different blockchain assets. In the case of blockchain as a system of registration and data sharing, the genesis of its functioning will not be very different when applied to crypto-currencies or other assets.
According to the Portuguese Banking Authority, operations related to crypto-currencies are not illegal or forbidden, and the entities that issue and/or sell virtual currencies are not subject to any obligation to obtain authorisation from or registration with Bank of Portugal. Therefore, the issuing or selling of crypto-currencies is not subject to any kind of prudential or behavioural supervision.
In Portugal, there is no official position on the nature of crypto-currencies yet. The Chairman of Bank of Portugal (and other board members) has publicly expressed the view that crypto-currency is not a currency but an “asset”.
In this particular case, crypto-currencies are not supervised or regulated by Bank of Portugal, which is still waiting for the European Commission to take the first step in order to regulate crypto-currencies.
In July 2018, CMVM released an alert/statement on virtual currencies, in which it states that there is no regulation or supervision regarding trading platforms, ICOs or virtual currency trading. Therefore, there is no legal protection or guarantees for crypto-currency traders/investors.
According to CMVM, tokens issued in an ICO represent different rights and credits, and can be qualified as atypical securities if they meet the respective requirements under Portuguese Law.
For this purpose, regarding ICOs, the relevant legislation at the national and European Union level that will be applied is as follows:
One of the advantages of blockchain is the possibility of maintaining anonymity in transactions. The traceability of the data and registration leads to the need for greater protection, as their integrity is essential for the functioning of the system.
There are some General Data Protection Regulation (“GDPR”) requirements that should be mentioned, namely Articles 5 and 17.
Article 5 of the GDPR states that the collection of data should only occur for legitimate and explicit purposes, so that the data is processed fairly and transparently.
In the blockchain platform, which includes personal data, platform service-providers may encounter some impediments related to the wishes of customers and investors. Article 17, which confers a right of erasure of data and can generate conflict with the use of a blockchain system, establishes a set of reasons that can lead to the activating of this right by the owners. This seems to be contrary and detrimental to the idea underlying the DLT technology in question, particularly regarding the possibility of access to investor history.
Even so, this "right to be forgotten" appears to be conditioned in a way that makes it mandatory for the owner to present a specific reason when demanding the deletion of the data.
This "erasure" can arise either because the data is no longer "necessary for the purpose for which they were collected", or because there is no longer any consent from the owner, or because of unlawful processing, among other reasons.
If the owner withdraws the consent, it will be difficult or impossible to access the platform in the future; it would have to provide all the data again.
Nevertheless, it is certain that the construction and implementation of this technology must consider the legal provisions in order to find a solution that can reconcile both realities.
The Portuguese legislation implementing PSD 2 entered into force on 13 November 2018 and its wording closely follows the wording of the directive. Although there is some uncertainty regarding the framework for offering payment initiation services and payment account information services until the entry into force of the RTS on authentication and communication, some players are already providing those services in the market.
New actors seeking registration/authorisation as payment initiation service providers/payment account information service providers are still waiting for the regulation by the Portuguese Banking Authority specifying the information and documents to be provided in the application for registration/authorisation, and also the rules governing the professional indemnity insurance (or other comparable guarantee).
There is some expectation on the market regarding the API that is being developed by SIBS for access to payment accounts by third-party payment service providers and which should be available in the second semester of 2019.
Banks and technology-providers are taking a cautious approach to the new possibilities created by open banking. One of the consequences of this cautious approach is the general revision of the terms and conditions in use by banks and the factoring in of these concerns in new terms and conditions for upcoming payment services. Most banks are relying on consent as the basis for personal data processing (rather than on other possible grounds), and are adapting the methods for requesting consent so as to comply with the new GDPR regime.