Contributed By Morais Leitão, Galvão Teles, Soares da Silva & Associados
The Portuguese fintech ecosystem has been developing at a fast-tracked pace, through disruptive initiatives that have raised partners and investors’ awareness and interest and by signalling the Portuguese market as a growing fintech hub. To this effect, the FinLab, which is the Portuguese first innovation hub, bringing together Banco de Portugal (the Portuguese banking authority), CMVM (the Portuguese securities authority) and ASF (the Portuguese insurance authority) has set the tone for a dynamic dialogue between startups, scaleups, incumbents and regulators alike, which is a crucial tool for the sustainable growth of the industry. In this context, international fintechs are also looking to establish their base of operations as a part of their strategy.
Highlights from recent fintech industry activity in Portugal entail new fintech players appearing or consolidating their presence in the market, and leading global fintech players establishing operation hubs in Portugal. In addition, focus has been given to a collaborative approach in the development of projects or products through partnerships between incumbents and startups.
In accordance with the 2020 Portugal Fintech Report that maps industry numbers, the most popular segments are currently payments and money transfers, insurtech and blockchain and crypto, the top 30 fintechs have raised over EUR275 million until 2020 from both national and international VCs, employs more than 1,100 employees, 76% of the top companies are headquartered in Portugal, and alternative funding and payments and money transfers have raised the highest amounts of funding, followed by blockchain and crypto.
The main fintech verticals by amount of allocated funding consist of alternative financing, capital markets and wealth management, insurtech, regtech and cybersecurity and blockchain and crypto; most Portuguese fintechs operate under a B2B model.
The Portuguese financial services landscape is still predominantly occupied by incumbents, but these have been trying to strategically position themselves in the sector, either by investing in new business segments or through integration or collaboration with emerging fintechs.
Fintechs often start to operate as unregulated entities, developing their business model in stages that allow them to manage the cost of the regulatory burden. They are able to leverage on this apparent regulatory freedom, which incumbents lack, to develop their activity favouring a “tiered” approach. Incumbents, however, have the regulatory approvals required to operate in the financial markets therefore making the alignment of interests/incentives evident.
Such explains the confluence between the two opposing sides, manifesting itself through investment, joint ventures or other means of collaboration. This is part of a wider global trend we are observing in Portugal as well, although Portuguese incumbents, when compared to other countries, seem more reluctant in making direct investments in fintechs.
Portuguese legislation in relation to verticals such as banking and financial services, payment services, insurance, investment funds, financial instruments, investment services and investment firms, crowdfunding, anti-money laundering and prevention of terrorism financing, data protection, and market protection to name a few, closely follows either European level harmonisation or regulation. The regulatory regime will differ in accordance with the applicable business segment.
There are no specific legislation applying only to fintechs, except for crowdfunding platforms.
Crowdfunding platforms are subject to prior registration with CMVM, and the holders of qualifying participations and the members of the management body of the managing entity of the platform are subject to fit and proper requirements. Crowdfunding public offers must not exceed EUR1 million (on an individual basis and in any 12-month period) and investors may not invest in excess of EUR3,000 on a single offer, and more than EUR10,000 in any 12-month period.
There are no specific compensation models under Portuguese law that industry participants may use to charge customers.
The application of “traditional” regulation to fintechs depends on the type of activity undertaken by them. Where the company’s business falls within the scope of regulated activities, fintechs will become subject to the same set of rules as legacy players. Notwithstanding this, where regulatory provisions are discretionary or where it is not possible to straightforwardly apply a specific rule, regulators have to apply a proportionality principle, as well as assess the extent to which risks posed by fintechs are analogous to those posed by incumbents and therefore warrant the same level of regulation.
In 2020, the Portuguese Government approved Ministerial Resolution 29/2020, dated 5 March 2020, which sets the framework principles for the creation of a Portuguese regulatory sandbox, and the approval of Ministerial Resolution 31/2020, dated 5 March 2020, which establishes the Portuguese Digital Mission Structure, which sets the main goals of the Portuguese digital agenda. The envisaged Portuguese regulatory sandbox should be overarching to include any area where technology should be given a freer testing field and will be designated by the terminology “Technology Free Zones” (from the Portuguese expression Zonas Livres Tecnológicas), and will be promoted and co-ordinated within the Portugal Digital Mission.
The jurisdiction of each Portuguese regulator is clearly defined by activity sector. In this context, Banco de Portugal supervises banking activities, financial companies, payment institutions, electronic money institutions and payment systems, CMVM supervises financial markets and market participants, trading venues and exchanges, public offers of securities, UCITS and AIFM, and ASF supervises insurance companies, reinsurance companies, pension funds, insurance mediation and distribution.
The outsourcing of operational functions that are critical for the provision of services must be made in a manner that enables regulated entities to ensure that they can provide the service in a continuous and satisfactory manner. Regulated entities are bound to perform such tasks as deemed required to prevent any additional operational risk that may result from outsourcing. In case the outsourcing prevents the regulator’s ability to monitor the licensed entity, then the relevant outsourcing should not take place.
Therefore, contractual arrangements on outsourcing must have clear rules regarding the access to information, reporting and data sharing to enable the regulated entity to obtain all the information that it requires to comply with the applicable regulatory framework or to provide that information to a regulator in case of an inspection or inquiry. In addition, when setting up outsourcing arrangements, regulated entities should take into consideration EBA’s guidelines on outsourcing arrangements.
Fintech providers may be deemed to be gatekeepers when they are themselves regulated, such as crowdfunding platforms, or non-financial entities subject to AML/KYC compliance, as is occurring, for example, with virtual asset service providers. In these examples, the obligations to monitor or conduct any regulatory obligation emerge from applicable law, and it is arguable whether any liability could exist out of managing a platform that is not underpinned by legal provisions.
All three regulators closely monitor licensed entities and conduct periodical and ad hoc on site inspections, from which certain enforcement actions may result. However, in the context of fintech’s main verticals and industry participants, there are no significant enforcement actions to note that have been publicly reported.
Regulation is one of the main obstacles to fintech’s growth as they take in the cost of compliance and regulation that legacy players are able to dilute, to a certain degree, due to scaling. However, fintechs should not delay the configuration of their business plans, strategy, product or services to the applicable legal requirements as being compliant will significantly reduce the cost of having to adjust at a later stage, increase their reputability vis-à-vis other market participants, incumbents, regulators and clients and help them integrate more easily with other players either by setting up joint ventures or being absorbed by incumbents.
On a separate note, additional regulation has proven to be fertile ground for the development of new technological solutions in the regtech sector that is supplying legacy players with the tech instruments and services required to deal with regulatory growing obligations.
Portuguese companies, including Portuguese fintechs, are usually subject to review by accounting and auditing firms in connection with the certification of their accounts. There are no other official reviewers of fintechs, but it is possible to say that the industry monitors itself through private initiative associations and organisations that are watchful of the phenomenon, procure trends and companies to follow.
In addition, Portugal Fintech is a non-profit association which purpose is to foster the Portuguese fintech ecosystem, through initiatives such as the Fintech Report which aggregates industry data on an annual basis and the Fintech House, which is a dedicated co-working space, as well as helps manage and publicise the FinLab which is the Portuguese financial hub managed by the Portuguese regulators.
Industry participants do not often bundle regulated products and services with non-regulated products, with some exceptions. Regulator’s scrutiny often increases where it has concerns over conflicts of interest and other risks to the regulated products from mixing up with non-regulated products and services which drives market participants to segregate regulated products into separate legal entities.
There is no requirement to set-up different business models for different asset classes in the context of robo-advising. Notwithstanding, robo-advising configuration will depend on the type of service and assistance, and if there is human intervention or not, in order to determine the level of automation, cost, security and the nature of the assets. The technology and algorithm should be able to determine the investor’s profile, risk appetite and investment objectives in order to build an adequate portfolio, without regard to the specific classes of assets.
Legacy players have applied robo-advisers in investment services such as automated portfolio planning, automatic asset allocation and risk assessment.
The overarching best execution obligation included in MiFID II requires firms to take all sufficient steps in order to obtain the best possible result (the best execution rule). Therefore, when executing client orders or placing orders with (or transmitting orders to) other entities to execute, several execution factors must be taken into account, especially in determining the execution price and transaction costs. Firms will have to follow their execution policies in executing the relevant investor’s orders, in each case by directing these to multiple execution venues or selecting other firms to provide the execution services.
Investment firms have to execute orders in the terms and conditions that are most favourable to investors, considering elements such as:
Robo-adviser technology and platforms have certain obstacles in connection with the lack of human perception, limitation of questionnaires made to investors, and inability to address market failures. Therefore, if a licensed entity is using robo-advising technology it is still ultimately responsible for achieving best execution for the client, and must ensure that the platform can satisfy the best execution requirement.
The regulatory framework applicable to loan origination to individuals is different than for SMEs and large businesses. Individuals will be considered consumers and therefore the lender will have to comply with mandatory pre-contractual obligations, including delivering certain standard documents and rules regarding the setting up of interest and fees that may be charged to the consumer. In addition, online lending to consumers will have to comply with rules regarding unfair terms, e-commerce and contractual agreements entered at a distance, consumers’ right of withdrawal, unsolicited services and communications, solvency and creditworthiness assessment of consumers.
With the exception of unfair terms, SMEs and large businesses do not qualify as consumers and do not fall under the scope of application of the above-mentioned rules.
The underwriting and onboarding processes of industry participants must comply with anti-money laundering and prevention of terrorism financing and know-your-customer (KYC) requirements, in order to comply with the identification and due diligence of customers.
In addition, certain onboarding processes have additional rules applicable to video-conference onboarding and other digital channels, with specifications on how to conduct the onboarding in a valid way.
In Portugal, peer-to-peer lending is not allowed, with the exception of loan crowdfunding. The bulk of funds used for loans is raised from deposits and lenders.
The syndication of loans is made by banks in Portugal. There is no specific regulation in this respect.
The Portuguese payment system laws transposing PSD2 establish rules regarding the principles of non-discrimination, objectiveness and proportionality in the access to payment systems. Payment processors are free to create private payment systems that could potentially be designated by Banco de Portugal as a system under the Settlement Finality Directive and Portuguese legislation implementing the same, which creates certain rules on settlement finality and insolvency.
Cross-border payments are regulated by Regulation (EC) No 924/2009 of the European Parliament and of the Council of 16 September 2009 on cross-border payments in the Community. This regulation establishes that charges for cross-border payments in euros are the same as for corresponding payments within a Member State, as well as facilitates the execution of cross-border payments by payment service providers, through standardisation in the use of the International Bank Account Number (IBAN) and the Bank Identifier Code (BIC), and establishes rules on interchange fees applicable to cross-border payments.
The role of the fund manager is a regulated activity that can be carried out either by the management’s corporate body of the investment company in self-management investment or a third party that is authorised as fund manager. Portuguese legislation covers investment funds targeting securities, real estate or alternative investments (Law No 16/2015, as amended), venture capital funds (Law 18/2015, as amended) and pension funds (Decree-Law 12/2006, as amended), which include rules that define the role of the management entity, its eligibility and regulatory requirements for a company to become a fund manager.
Fund managers have specific conduct duties and the fund manager’s agreement has, to a certain degree, a predefined content that is established in the law. A fund manager of a securities, real estate or alternative fund must enter into a fund management contract with a self-managed investment company, which should be made in writing and regulate several issues, notably selection and replacement of the management entity, the investment policy, the dividend’s distribution policy, the voting rights policy and the loan and leverage policy that the fund manager has to comply with. In addition the agreement will also set rules regarding the fees to be paid to the fund manager, the methodology to calculate the number and value of the participation units, and the procedures that the fund manager must follow to deal with any claims. Similar rules apply to pension funds (Decree-Law 12/2006, as amended), and to venture capital funds (Law 18/2015, as amended).
In Portugal, marketplaces and trading platforms consist of regulated markets, multilateral trading facilities and organised trading facilities (in each case as defined in Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments or MiFID II), which are subject to authorisation and supervision from CMVM, the Portuguese securities regulator.
The regulatory regime for regulated markets, multilateral trading facilities and organised trading facilities is included in the Portuguese Securities Code, and results from the transposition of MiFID II.
The main difference that results from the regulation applicable to these marketplaces and trading facilities in Portugal is that, according to the Portuguese Securities Code, whereas regulated markets require a special authorisation to be granted by the Portuguese Minister of Finance, by means of a Ministerial Order, after consultation with the CMVM, multilateral trading facilities and organised trading facilities are only required to be registered with the CMVM.
In addition, while regulated markets need to be managed by a specialised management entity, multilateral trading facilities and organised trading facilities may also be managed by financial intermediaries, such as credit institutions, brokerage firms, among others.
Although there are some other specific differences in the regulatory regimes for each trading venue specified above, other rules apply irrespectively to each one of those venues. Thus, the Portuguese legislator adopted rules on:
Under Portuguese law, and in line with MiFID II, there are no different requirements in relation to infrastructure at product level, however, some trading platforms are identified by asset class.
The emergence of cryptocurrency exchanges has not, to date, impacted the existing legal framework applicable to trading venues.
Listing standards require that the form and content of the securities, including in relation to their form of representation, comply with legal requirements, that the securities have been issued in accordance with the personal law of the issuer, that the issuer has an economic and financial situation that enables the issuance of the relevant securities, by being compatible with its nature and with the regulated market where the securities are being requested to be admitted into trading, that the issuer has developed its activity for at least three years and disclosed its management reports and annual accounts for the three years prior to the admission.
Order handling rules in MiFID II require investment firms to implement procedures and arrangements that provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or the trading interests of the investment firm. Therefore, if a firm cannot execute an order, it shall transmit the order to another firm that is able to execute it.
Investment firms must make sure that the orders are promptly and accurately recorded and allocated in order to be carried out swiftly and in a sequential manner, except if market conditions prevent the same or the nature of the orders makes it unpractical to do so. In addition, the firm has an obligation to inform retail clients whenever there is a material difficulty affecting the normal carrying-out of orders.
Peer-to-peer trading platforms in Portugal consist of crowdfunding platforms, which are subject to registration with the CMVM and the Portuguese crowdfunding legislation. There are currently six crowdfunding platforms registered with CMVM.
There has not been a substantial impact from the rise in crowdfunding platforms, which may be linked to some limitations to crowdfunding under the Portuguese crowdfunding rules that restrict the amount of investment per investor (EUR3,000 per offer and EUR10,000 per year (limits do not apply to companies, individuals with annual income above EUR70,000 and professional investors) and per crowdfunding (EUR1 million (annual limit) or EUR5 million if the crowdfunding is exclusively directed to be funded by companies and/or individuals with annual income above EUR70,000).
It should be noted that the new crowdfunding regulation (Regulation (EU) 2020/1503, of 7 October 2020) is set to apply from 10 November 2021 onwards and will replace the Portuguese crowdfunding law and regulation in respect of the matters that overlap in scope.
See 3.3 Issues Relating to Best Execution of Customer Trades. The best-execution rule applies if trading platforms are qualified as investment firms.
Financial intermediaries must select their trading and execution venue based on a best-execution policy, and must provide their clients with information on costs and expenses per service and per financial instrument. In addition, inducements rules prevent firms from paying benefits to or receiving benefits from third parties, with few exceptions. Notably, it is possible for firms to receive payments or inducements if required for the rendering of services, in situations where it is deemed to enhance the quality of the services, if the amount is clearly and previously disclosed to the client and provided that it does not interfere with the obligation of the investment firm to act honestly, fairly and professionally in accordance with the best interests of its clients.
According to the applicable legislation in Portugal, market integrity and transparency are guaranteed by preventing market abuse in the form of insider trading and market manipulation, meaning that manipulating the market or using inside information are generally prohibited activities. Also, financial intermediaries must always ensure that the structure of financial instruments, including its characteristics, does not adversely affect end customers/investors or lead to market integrity concerns.
MiFID II establishes rules governing high frequency algorithmic trading which is a subset of algorithmic trading. These rules require firms to store time sequenced records of their algorithmic trading systems and trading algorithms for at least five years. Records should contain sufficient detail to enable monitoring by the relevant competent authority, and include information such as details of the person in charge of each algorithm, a description of the nature of each decision or execution algorithm and the key compliance and risk controls.
High frequency algorithmic enables the execution of a large number of transactions in seconds or fractions of a second by using certain infrastructures. These rules have been transposed into Portuguese law and were included in the Portuguese Securities Code, and are complemented by MIFID Regulatory Technical Standards and Delegated Acts.
A firm that is engaging in algorithmic trading must therefore have effective systems and risk controls to ensure that its trading systems are resilient, subject to appropriate trading thresholds and limits, and to prevent any erroneous orders to be sent that may contribute to a disorderly market. Different classes of assets do not have different regulatory regimes.
Under Portuguese law, investment firms are not allowed to execute client’s orders with proprietary capital or to engage in matched principal trading on regulated markets or multilateral trading facilities in which they operate.
Matched principal trading is only permitted in organised trading facilities, where the client expressly consents to the process and the transaction does not involve derivatives contracts which have been cleared in accordance with Article 5 of the European Market Infrastructure Regulation (Regulation (EU) 648/2012). In addition, the financial intermediary must be registered as such and be authorised to deal on its own account by the CMVM.
Market-making strategies by intermediaries that engage in algorithmic trading requires a written contract to be executed with the trading venue, that ensures that the activity will be continuous during a specified proportion of the trading period.
There are no particular rules establishing a distinction between funds and dealers engaging in algorithmic or high-frequency trading activities.
There are no general laws and regulations in Portugal on developing and programming trading algorithms that apply to programmers.
Financial research platforms must register as financial intermediaries if their services included providing investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments; otherwise they are not subject to any registration requirements.
The spreading of rumours and other unverified information can be considered as a form of manipulation or attempted manipulation of financial instruments since it can have a significant impact on the prices of financial instruments in a relatively short period of time. Abuse of information, market manipulation, insider dealing, and benchmark manipulation are crimes or misdemeanours, as applicable, under Portuguese securities law.
The Market Abuse Regulation
Furthermore, Regulation (EU) No 596/2014 of the European Parliament and of the Council, of 16 April 2014, on market abuse (Market Abuse Regulation) applies in Portugal and governs inside information, insider dealing, unlawful disclosure of inside information and market manipulation in relation to financial instruments admitted to trading on a regulated market or for which a request for admission to trading has been made, traded on an multilateral trading facility (MTF), or admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made, traded on an organised trading facility, or financial instruments not previously mentioned, the price or value of which depends on or has an effect on the price or value of a financial instrument referred to above, including, but not limited to, credit default swaps and contracts for difference.
The Market Abuse Regulation also applies to behaviour or transactions, including bids, relating to the auctioning on an auction platform authorised as a regulated market of emission allowances or other auctioned products based thereon, including when auctioned products are not financial instruments, pursuant to Regulation (EU) No 1031/2010. In addition, prohibition of market manipulation also applies to spot commodity contracts (which are not wholesale energy products), where the transaction, order or behaviour has or is likely or intended to have an effect on the price or value of a financial instrument mentioned above, and to types of financial instruments, including derivative contracts or derivative instruments for the transfer of credit risk, where the transaction, order, bid or behaviour has or is likely to have an effect on the price or value of a spot commodity contract where the price or value depends on the price or value of those financial instruments and behaviour in relation to benchmarks.
The insurance underwriting processes in Portugal are significantly dictated (or, at least, constrained) by regulation. Since there are no specific rules or processes concerning the underwriting of insurance in the insurtech industry, insurtechs abide and adapt to the general (and traditional) rules concerning the underwriting of insurance.
The regulations in this respect includes general provisions concerning means of commercialisation, documentation, policyholders and consumers rights, information duties and contents of the insurance agreements, applicable in all types of insurance, but also specific rules concerning (and adapted to) each type of insurance which are necessarily different, depending on the risk at stake (eg, life insurance, civil liability insurance, damages insurance, health insurance, among others). The underwriting process is also influenced by the rules relating to solvency, diversification and risk applicable to insurance companies.
Different types of insurance are treated differently by industry participants and by regulators, although there is a set of common rules applicable independently of the type of insurance at stake (for instance, rules on distance selling of financial products, approved by Decree-Law 95/2006, of 29 May 2006, the general section of the Portuguese insurance contract framework, approved by Decree-Law 72/2008, of 16 April 2008, or the Portuguese insurance distribution law, approved by Law 7/2019, of 16 January 2019). The fact that a significant part of the applicable provisions concerning underwriting processes and the contents of the insurance agreements varies depending at first, on whether it corresponds to life or non-life insurance, and secondly on the exact type of insurance at stake leads to such different types of insurance being treated differently by regulators and industry players alike.
Regtech activities are not automatically regulated and the extent to which they may become subject to regulations is based on a case-by-case analysis. In most situations, regtechs are only tangent to regulated activities and therefore do not require licensing or authorisations to undertake their business. However, if they do overlap with regulated activities, they will become subject to the respective applicable rules.
One thing to take into consideration when assessing how regtechs may be regulated is determining how regtechs’ services integrate with their customer base – licensed entities in the banking, payment, financial or insurance sectors. In a lot of cases, the scope of regtechs’ activities will represent an outsourcing of functions from the licensed entity since they focus on compliance and reporting in areas such as fraud prevention, anti-money laundering, prevention of terrorism financing, onboarding of new clients, cybersecurity, data science and AI. For that reason, certain obligations or procedures will have to be complied with that result from requirements of the overarching financial regulation. EBAs’ guidelines on outsourcing arrangements should therefore be considered in this event.
In certain sectors industry practice may be a precedent to take into consideration, but most contractual terms will be set in accordance with the parties’ commercial agreement on how to share risk. This will be a combination of several factors, which include identifying legal risk and commercial risk. While the first should not deviate from the rules that burden a certain entity with the obligation to comply with certain provisions (eg, the licensed entity cannot shift legal liability vis-à-vis the regulator to the regtech company), the second will be set in accordance with the parties’ respective bargaining power. Notwithstanding, major clauses to negotiate will involve service levels, duties of care and diligence, confidentiality, reporting, warranties, security, data protection and liability (where this can be contractually set).
The potential uses of blockchain are limitless. To date in Portugal, reports of application of DLT/ blockchain technology include issuance of tokens, data analysis (eg, using cryptography to measure energy consumed by households), copyright licensing and registration, municipal licences, registration of title of investment units in UCITs, development of an energy marketplace, and access to real estate information, to name a few. However, most of these projects are still at an early stage of either conceptualisation or development, with few exceptions.
In the financial services’ sector there is still very few initiatives originating out Portugal and very few that are sponsored by legacy players, even though this is one of the most obvious areas of application of blockchain technology. Nonetheless, it is worth mentioning some activity undertaken by Portuguese related start-ups in businesses such as crypto custodian, blockchain and cryptocurrency research platform and digital currency payment platform. However, from the more traditional side, Portuguese market participants are accessing services enabled on the blockchain at a trial level.
Banco de Portugal, in its capacity as both central bank and national competent authority for the supervision of credit and payment institutions, and CMVM, the Portuguese securities authority, have shown that they are watchful of this reality and mostly following EU’s agencies and EU’s authority and guidelines in this context. Most of the Portuguese regulators’ announcements and press releases concern cryptocurrencies, which are one of the blockchain enabled assets that yield the most attention from the public and pose greater risks to market supervision and consumer protection.
In any case, the regulators’ watchdog approach consists of public warnings (which mostly follow ESAs warnings on ICOs), recommendations and guidelines to interpretation of the existing legal framework and how it may apply to certain activities, and both regulators have clarified that they will not take any immediate steps to regulate cryptocurrencies, tokens or blockchain technology (with the exception of anti-money laundering laws).
In addition, there is a wide recognition from the regulators that technology must have enough room to develop and that excessive regulation or inadequate regulation may hinder improvements to the industry and to citizens. For this reason, there is no specific legislation focusing on blockchain or blockchain enabled technology or assets in Portugal, and this is likely to be maintained until such time as the EU develops a regulatory approach to this reality, or as may result from the EU’s agenda in this context and sponsored initiatives.
The qualification of blockchain assets various in accordance with their underlying structure and the rights and obligations that they may attribute to their holder. There is no official classification of blockchain assets, and the main qualification is made between utility type tokens, securities type tokens and cryptocurrencies (see 12.7 Virtual Currencies), although most often tokens will have hybrid characteristics by combining features of each of the main types.
Following this classification, utility tokens are regarded as being akin to a consumption functionality and security tokens are investment like instruments. Understanding if a token is analogous to a financial instrument will have to be assessed on a case-by-case basis by analysing the entitlements that the asset provides to its holder, notably how it performs in relation to another underlying reality, how its value is accounted for, if there is liquidity for the asset and how legitimate is the holder’s expectation of future returns and/or added value from the initial investment.
For utility type tokens, although there is no specific regulation in force that applies to them, it can be argued that, if they fall within the relevant scope of application, there is no reason to exclude them from consumers’ law in relation to the sale of goods or services, e-commerce protection and general principles and rules of contractual law and civil law (eg, defaulted goods or services, misrepresentation, breach of contract, fraud, etc), but the cross-border nature of most transactions will make this very difficult to enforce.
In relation to security/investment type tokens, CMVM noted that tokens can be qualified, on a case-by-case basis, as (atypical) securities under Portuguese law. The CMVM has developed a test to assess whether or not a specific token may become subject to securities regulation and which consists of the following criteria: can the asset be regarded as a “document” whether represented in dematerialised (book-entry) or physical form that is representative of one or more rights of private and economic nature that are homogenous and tradeable in a market, and, given its particular characteristics, is the asset similar to typical securities under Portuguese law.
For the purpose of verifying the second item, the CMVM will take into account any elements, including those made available to potential investors (which may include any information documents – eg, white paper) that describe the issuer’s obligation to undertake any actions from which the investor may draw an expectation to have a return on its investment, such as to grant the right to any type of income (eg, the right to receive earnings or interest) or undertaking certain actions, by the issuer or a related entity aimed at increasing the token’s value.
Regulation of initial coin offerings (ICOs) or token offerings is not subject to any specific regulation under Portuguese law, however, the CMVM has announce the need for all entities involved in ICOs to assess the legal nature of the tokens being offered, notably their potential qualification as securities with the automatic application of securities and financial market laws as a consequence. ICOs that aim to offer tokens that represent certain rights and/or economic interests in a venture with a view to obtaining future returns (eg, right to take part in the profits of a venture, project or company or currency-type tokens) may potentially be qualified as securities and cross over to securities’ intensively regulated world becoming subject to existing securities regulations, including public offerings of securities and/or securities trading venues.
In this respect, ESMA has published advice on Initial Coin Offerings and Crypto-Assets and advises on the potential application of, among others:
At present there is no specific regulation put in place designed to govern blockchain asset trading platforms and the existing Portuguese market trading platforms – regulated markets, multilateral trading facilities, organised trading facilities and systematic internalisers – are not prepared to enable trading of blockchain assets.
There is no particular set of rules applying to funds that invest in blockchain assets in Portugal. At EU level, ESMA has noted the potential application of the Alternative Investment Fund Managers Directive to certain ICOs. The possible application of the Undertakings for Collective Investment in Transferable Securities Directive (Directive 2009/65/EC) should also be taken into consideration, when a token offering may be regarded as a collective investment scheme as such term is defined in UCITS.
Virtual currencies are defined as a “digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”, in Directive (EU) 2015/849, of 20 May 2015, as amended by Directive (EU) 2018/843, of 30 May 2018, which has been transposed into the Portuguese law that establishes anti-money laundering measures and prevention of terrorist financing, approved by Law no. 83/2017, of 18 August.
Cryptocurrencies do not have legal tender and do not qualify as fiat currency. Therefore, these assets are not treated as money (or, in principle, electronic money). Nevertheless, they are seen as an alternative payment method that has a contractual nature with characteristics that somewhat replicate some of the core traits of traditional money:
Cryptocurrencies may become subject to regulation if they perform also as utility tokens or security/investment type tokens.
Virtual asset service providers dealing with virtual currencies are now required to register with Banco de Portugal for the purposes of AML compliance and oversight. Virtual asset service providers are any natural or legal person who conducts as a business one or more of the following activities or operations for or on behalf of another natural or legal person:
Decentralised finance is not currently defined or regulated under any specific legal framework in Portugal. DeFi is regarded as the use of decentralised ledgers often based on blockchain technology to undertake financial transactions (eg, exchanges, derivatives, lending and borrowing).
Despite not being regulated under a particular legal act, it is important to note that, depending on the nature of the activity and asset, certain existing rules applicable to financial markets, securities and financial instruments, among others, may apply in principle to the activity or the asset.
Notwithstanding, in the European Commission’s proposal for a Regulation on Markets in Crypto-assets of 24 September 2020, the European Commission has identified a number of challenges and obstacles to applying existing rules to certain financial instrument or security tokens and trading venues that are based on decentralised exchanges and permissionless DLT networks, since existing legislation was designed with the scope of traditional financial services and instruments in mind and is not fully technology neutral.
The European Commission has also advanced a proposal for a Regulation on a pilot regime for market infrastructures based on distributed ledger technology that aims to allow a common use of DLT technology in the trading and post-trading of crypto-assets that qualify as financial instruments, which hopefully will allow firms to exploit the full potential of blockchain, DLT and crypto-asset, while ensuring financial stability.
Portugal has transposed PSD2 into national legislation and PSD2 grossly aims to fully harmonise PSD2’s provisions throughout Member States. Therefore, Portugal’s open banking initiatives consist of those introduced by PSD2 (including, account information service providers and payment initiation service providers) by making it easier for customers, banks and other third-party service providers to securely share data with each other and by increasing payment services users’ experience through more convenient payment management across different banks via centralised platforms, enabling more effective cash management.
In Portugal, market participants have now adjusted to Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, which came into force on 14 September 2019.
On a more immediate customer level, effects of PSD2 and of the Commission’s Delegated Regulation have been felt through the introduction of new services such as immediate payment transfers, a stronger sense of security in payment transactions, centralised access to accounts’ information and easier payment solution methods.
On a market level, PSD2 has put pressure on incumbents to step-up their strategy and vision in providing payment services, driving some banks to internally procure to develop new projects aimed at exploring new opportunities introduced by PSD2 and others to seek new partners, particularly in the technological segment. Fintechs have been rising and most are trying to scale cross-border leveraging out of their digital presence and EU’s basic freedoms which allows them to passport their services to a wider customer base. Market participants in Portugal have been following this trend and competitiveness has increased as new enterprises seek payment services provider licences and registration with Banco de Portugal.
Security concerns regarding open banking, privacy and data security must be dealt with by taking into consideration, among other legislation, Regulation (EU) No 910/2014 of the European Parliament and of the Council, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market. A significant measure to mitigate security concerns and increase trust in APIs is the requirement of qualified certificates (ie, for electronic seals and web access). In addition, data that is shared between payment service providers is limited to that strictly necessary for the payment service that is taking place, which limits the risk of misuse and mismanagement of personal data.
On a market note, this is a segment where a lot of technological firms are taking the lead and offering banks and other financial institutions with solutions to enable them to comply with the ever-growing legislation without the significant cost in R&D.