Italy is becoming an attractive jurisdiction for fintech initiatives due to the good reputation of Italian supervisory authorities, the favourable tax regime and public subsidies for start-up companies, the availability of highly skilled resources, the lower costs of human capital and real estate compared to other European cities, and the attractiveness of the Italian lifestyle, especially for young talents.

Major EU fintech players are establishing an Italian hub for their EU operations, and the Italian fintech ecosystem is expanding significantly.

Italian supervisory authorities (Bank of Italy, Consob and IVASS) have completed several regulatory sandbox programmes with a number of incumbent institutions and new market players, and some of them are still on-going. Several partnership or co-operation agreements between financial institutions and new fintech operators have been signed in the last year in the form of white label or distribution arrangements. Traditional market players also completed M&A transactions to acquire innovative fintech platforms or fund their expansion.

The Italian government recently published a consultation paper outlining the draft rules implementing the Market in Crypto-Assets Regulation (MiCAR) – which will be one of the key regulatory topics in 2024. As the obligations applicable to Virtual Asset Service Providers (VASPs) under the current regulatory framework are not particularly burdensome, the transition to the MiCAR regime will have a major impact for VASPs operating in Italy.

Italy was one of the first countries to introduce a specific legislation on equity crowdfunding platforms. As a result, the market for crowdfunding services is already well established, alongside peer-to-peer lending and invoice trading platforms – which are also predominant in the Italian fintech space. Most of these platforms successfully applied for a licence to operate under the European Crowdfunding Service Providers (ECSP) Regulation at the end of the transition regime in 2023.

Traditional banking groups have recently started to launch fintech companies or units offering innovative payment solutions, crypto-exchange services or trading in fractional shares. Some of these services are based on co-operation or white label agreements with other fintech players.

Social trading, micro-investing or robot advisory solutions are not particularly popular yet, while BNPL services are offered on a large scale. Insurtech companies operating on the basis of an MGA (managing general agent) model are also gaining traction and increasing their market shares.

The Italian regulatory regime is largely dependent on the framework that applies at EU level, for instance:

• micro-investing, social trading, robot advisory, algorithmic trading and similar fintech services are subject to the Italian rules on the provision of investment or asset management services, implementing the EU regulatory framework (MiFID2, AIFMD, UCITS, etc);
• crowdfunding platforms are regulated by the common rules applicable under the ECSP Regulation; and
• insurtech operators must comply with the Italian rules implementing the Insurance Distribution Directive (IDD) as well as the Solvency II Directive in case of insurance undertakings.

Only a few fintech business models are still subject to national regimes that are not harmonised at EU level. For instance, specific rules apply under Italian law to loan brokerage and intermediation activities. These rules are relevant for online comparison platforms offering differing financing products.

Entities (other than banks) that engage in lending activities towards Italian customers (both consumers and business entities) must operate under a specific licensing regime provided for under the Italian Banking Act. However, this regime does not apply to EU alternative investment funds, which can engage in direct lending activities following completion of a non-objection procedure with the Bank of Italy.

A specific national regime applies to VASPs operating in Italy. The Italian rules are less restrictive compared to those that apply in other EU countries, as they do not impose any material obligations on VASPs except for the duty to be registered with the Italian competent authority (Organismo Agenti e Mediatori) (OAM), comply with the Italian AML legislation and send quarterly reports to the OAM. However, these rules will significantly change as a result of the full entry into force of the MiCAR.

The compensation models depend on the regulatory restrictions applicable to the different types of businesses performed by fintech operators.

In case of investment or asset management services, the key restrictions are those concerning the payment or receipt of inducements. According to these rules, any compensation that is paid to the fintech company by third parties other than customers – such as rebates from other brokers or asset managers – must be duly justified in accordance with the criteria set out under the Italian provisions implementing the MiFID2. The payment of inducements is not permitted in case of independent advice or portfolio management services – while additional restrictions may derive in the future from the approval at EU level of the “Retail Investment Strategy” proposed by the European Commission.

In the field of banking and financing services the Italian rules require a full disclosure of the fees that are charged to customers, and there is no possibility to charge any direct or indirect fee that has not been previously indicated in the relevant pre-contractual documentation.

There is still a lack of transparency in the field of crypto services, as there are no obligations to disclose the fees that are charged by the VASPs to their customers. For instance, several market players earn their fees by applying a spread to the exchange transactions made by the customers, but the spread is not disclosed before the transaction is instructed.

Due to the principle of technology neutrality, the regulation of fintech industry participants in Italy is generally similar to the one of legacy players, such as banks and other traditional financial institutions.

Fintech players offering products and services that are regulated under the common rules applying to financial, banking, investment, asset management and insurance services are subject to the same rules and the same supervisory regime of other market players. Only in exceptional cases (eg, crowdfunding platforms or VASPs) the Italian framework provides for specific rules applying exclusively to fintech operators.

Fintech companies may benefit from certain exemptions from the ordinary requirements that apply to legacy players. In particular, Italian authorities recently introduced the regulatory sandbox, which allows fintech companies to offer their services without complying with some of the provisions that would otherwise apply to them in accordance with the ordinary rules.

In 2021, Italian authorities launched a regulatory sandbox for fintech projects. The regulatory sandbox is managed by the Bank of Italy, Consob, IVASS, and the Ministry of Economy. It allows fintech start-ups to test innovative business models under the supervision of the Italian regulators for a period of up to 18 months.

The application to be admitted to the regulatory sandbox may be submitted either by (i) a financial institution that is already subject to the supervision of the regulatory authorities mentioned above, or (ii) an entity that is not subject to any form of supervision. In the latter case, the application may be accepted if the business that the entity intends to carry out (i) is subject to authorisation requirement, (ii) benefits from one of the exemptions contemplated under the applicable law, or (iii) consists of a service or activity that is performed for the benefit of a supervised financial institution.

In addition to the above requirements, it is necessary that the project (i) is significantly innovative, (ii) requires an exemption from the regulatory requirements set forth in the regulations issued by the relevant supervisory authorities, (iii) brings an added value to the business, (iv) is in a sufficiently advanced state of development in order for it to be tested in the context of the sandbox, and (v) is economically and financially sustainable or adequately funded.

The application for the regulatory sandbox can be prepared on the basis of the standard forms made available by Italian supervisory authorities. The deadline for the submission of the first applications expired in January 2021, and several projects have already been admitted to the regulatory sandbox. A new call for applications was published by Italian authorities in 2023.

There are several regulatory authorities that have jurisdiction over fintech industry participants in Italy.

The most important regulatory authorities are the Bank of Italy (Banca d'Italia) (ie, the Italian Central Bank), the Italian Securities and Exchange Commission (Commissione Nazionale per le Società e la Borsa or Consob), and the Italian Insurance Supervisory Authority (Istituto per la Vigilanza sulle Assicurazioni or IVASS).

• The Bank of Italy is exclusively responsible for the supervision of credit institutions, payment institutions, electronic money institutions and specialised lenders enrolled in the register kept by the Bank of Italy in accordance with Article 106 of the Italian Banking Act. With respect to credit institutions, the Bank of Italy acts as the designated national competent authority (NCA) in the context of the Single Supervisory Mechanism (SSM).
• The European Central Bank (ECB) is ultimately responsible for the supervision of credit institutions operating in Italy. These responsibilities are exercised directly in the case of significant institutions, or indirectly through the Bank of Italy in case of less significant institutions.
• The supervisory responsibilities concerning the business of investment firms and asset managers (as well as credit institutions or other financial institutions carrying out investment services and activities) are shared between the Bank of Italy and Consob. The same applies to firms managing regulated markets and post-trade settlement systems, as well as to crowdfunding platforms operating under the European Crowdfunding Service Providers Regulation.
• Consob is the authority that is responsible to ensure that investment and asset management services are performed in a transparent way and in compliance with the applicable rules of conduct. It also has responsibility for any public offer of financial instruments or products on the Italian market and investor protection issues (including, for instance, as regards initial coin offerings (ICOs)). Pending the full implementation in Italy of the Regulation on European Crowdfunding Service Providers, Consob also remains responsible for the supervision of equity-based crowdfunding platforms.
• IVASS oversees insurance undertakings and distributors – although the regulatory responsibilities concerning the business of insurance distributors will soon be transferred to a new supervisory authority called ORIAS (which is in the process of being established).
• With respect to anti-money laundering matters, the Bank of Italy is responsible for the compliance with the applicable regulations by credit institutions, payment institutions, e-money institutions, asset managers and investment firms. IVASS has the same responsibility in relation to the business of insurance undertakings and distributors. The Italian Financial Intelligence Unit (Unità di Informazione Finanziaria – UIF) is established within the Bank of Italy and is responsible for all matters relating to suspicious transactions and sanctioned persons.
• The Italian Supervisory Body for Agents and Brokers (Organismo Agenti e Mediatori – OAM) is responsible for the supervision of financial agents and loan brokers. Recently, it also undertook the role of supervisor in relation to the activities of VASPs – although the supervisory responsibilities concerning VASPs will change as a result of the entry into force of the MiCAR.
• The competences and powers of the regulatory authorities mentioned above overlap in several areas. Furthermore, Italian authorities co-operate with the European regulators that are competent in their respective fields, such as in particular the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), in addition to the ECB. Some market players are directly subject to the supervision of EU authorities (ie, the ECB for credit institutions and ESMA for credit rating agencies).

Regulated entities are allowed to outsource their functions to external service providers, provided that they comply with the requirements imposed in this respect by the applicable regulations enacted by national and EU authorities.

While the specific requirements applying to outsourcing arrangements differ depending on the nature and qualification of the financial institution, the principles on outsourcing are very similar and can be summarised as follows.

• The outsourcing of functions does not exonerate the outsourcing entity from the obligation to comply with all requirements applicable to the outsourced function. The outsourcing entity must ensure that these requirements are complied with by the outsourcer (and any sub-outsourcer appointed by the latter).
• Before outsourcing its functions, the outsourcing entity must conduct a due diligence on the outsourcer and ensure that it has adequate skills, experience, and resources to carry out the services in a proper way. The outsourcing entity must ensure that there is proper oversight on the outsourced functions and the risks associated with it. It must identify a person that is responsible for overseeing and monitoring the outsourced activities and the compliance with the agreed service levels (SLA).
• There must be a specific rationale justifying the outsourcing of functions – at least for some financial institutions, such as asset managers. Special rules apply to the outsourcing of critical or important functions, such as for instance internal control functions (compliance, risk, internal audit, AML). The outsourcing of critical or important functions must be notified to (and in some cases approved by) competent supervisory authorities.
• The outsourcing agreement must be executed in writing and must contain certain provisions identified in the applicable regulations. Typically these provisions relate, among others, to (i) the inspection and information rights of the outsourcing entity as well as of competent supervisory authorities, (ii) the description of the SLAs and key performance indicators (KPIs), (iii) the consequences in case of breach of the SLAs/KPIs (including, as applicable, penalty clauses), and (iv) the termination rights of the outsourcing entity in case of breach of contract by the outsourcer.

Outsourcing to non-regulated entities is generally possible subject to certain exceptions. For instance, asset managers can outsource portfolio management or risk management functions only to authorised financial institutions.

Outsourcing arrangements are used in the Italian fintech industry, among others, in order for financial institutions to offer services to their clients by leveraging on the tech and IT infrastructure developed by fintech companies. In these cases, Italian regulatory authorities generally expect the regulated financial institution to assess the reliability of the technology used by the fintech company and establish appropriate control systems to monitor the activities carried out by the fintech company on an ongoing basis.

There has been a wide debate among Italian scholars about the responsibility of e-commerce and internet platforms in general (including social networks) for the activities carried out by the customers on their platforms. This debate has not been extended yet to fintech operators, but there are already cases where the liability of fintech providers for the actions of their customers becomes a relevant question from a legal standpoint.

In case of crypto exchanges, for instance, some customers that were victims of fraud by third parties are claiming that the exchange operator was responsible for ascertaining that the crypto transfers were instructed by the customers on a legitimate basis and that accordingly they should be held liable for such fraud.

Similarly, in case of social trading platforms, some customers are claiming that the fintech operator managing the platform was responsible for the investment advice given by platform users.

It is still unclear how the Italian case law will react to these claims, and whether Italian regulators will ask fintech providers to take any specific measures to prevent any inappropriate behaviours on their platform.

Italian regulators have not taken significant enforcement actions in the fintech space in recent years.

Italian regulatory authorities have, however, issued specific warnings related to some fintech business models and operators. For instance, the Bank of Italy recently issued a communication on BNPL models outlining the lack of transparency of some BNPL market players from a consumer protection standpoint. Another communication was issued in relation to the use of crypto service providers and blockchain technology in general by Italian financial institutions.

VASPs became subject to higher regulatory scrutiny in 2023 in terms of regulatory reporting and compliance with AML matters.

Italian fintech players are subject to various non-financial services regulations that impact industry participants, such as those relating to privacy, cybersecurity, social media content and software development. These regulations are particularly relevant to fintech companies as they often handle sensitive information.

The compliance with the GDPR, for instance, is an essential element of the regulatory oversight system of each fintech operator. Fintech companies must process personal data of their customers in a transparent, secure and lawful manner. Failure to comply with the GDPR can result in significant fines and reputational damage.

Fintech operators must also have robust security measures in place to protect against cyber threats, including encryption, access controls, incident response, disaster recovery and business continuity plans. As for the use of social media, particular caution must be exercised in assessing whether any message transmitted on these platforms qualifies as a form of advertising subject to regulatory requirements in accordance with Italian law.

Due to the technology neutrality principle that underpins most of the regulations applicable in this field, fintech operators are not subject to specific or more rigid requirements compared to legacy players. However, they are typically more vulnerable to certain types of risks, such as cyber threats, due to their reliance on technology. Accordingly, they must pay particular attention to the compliance with the relevant obligations.

Fintech operators that are licensed and subject to supervision by an Italian regulatory authority are also subject to the duty to appoint an external auditor to verify the accounts of the company, as well as internal control functions.

In terms of internal controls, the first line of defence is represented by the business units that are responsible for the day-to-day management of the company’s operations. The second line of defence includes the compliance, AML and risk management functions. These are “second level” control functions because their task is to ensure that the business units operate in compliance with the regulatory framework and internal policies of the company. The third line of defence includes the internal audit function, which verifies whether the company has a sound and solid internal control framework, and carries out audit activities on the company’s business.

As a matter of fact, in most of the cases, the compliance, AML, risk management and internal audit functions are outsourced to third-party service providers, such as consultancy companies or law firms.

In those cases where the obligation to appoint external auditors or set up an internal control system does not apply, fintech companies may still conduct their own internal audits and risk assessments to ensure compliance with relevant laws and regulations, and to identify and mitigate any potential risks.

Industry participants can offer both regulated and unregulated products or services. In case of regulated financial institutions, the offer of unregulated products or services is generally possible provided that this non-regulated business is instrumental or ancillary to the main financial business carried out by the company.

For instance, some payment service providers offering acquiring or other payment services are also licensing the software or other IT technological solutions that enable the use of these payment services by other operators.

From the perspective of Italian regulators, if the offer of the unregulated products or services gives rise to significant risks for the company’s business, or if the unregulated products or services have their own relevance and importance from a commercial standpoint, it is preferable for the financial institution to create a separate legal entity offering the unregulated products or services.

The creation of a separate legal entity could also be beneficial for the fintech operator, because it avoids the application of the rules that normally apply to regulated products or services to those products or services that are not subject to specific regulatory obligations.

There are a few cases of companies offering non-regulated services or products (eg, comparison websites, utility operators, companies offering budgeting tools or financial education courses) that are starting to consider the offer of regulated services or products, such as investment or saving products. In these cases the simultaneous offer of regulated and non-regulated services is more problematic, because the performance of regulated services typically requires a licence or authorisation.       

The compliance with AML requirements is a key aspect of the business carried out by fintech companies in Italy. The most relevant issue that fintech companies typically face in this respect is how to balance the need to comply with the KYC procedures that are required in accordance with the Italian AML requirements, on the one hand, and the possibility to create an onboarding process which is smooth and customer friendly in terms of user experience, on the other hand.

It is essential for fintech companies to design a remote customer onboarding process that does not significantly affect the conversion rates and at the same time is consistent with the Italian regulator obligations.

The need to comply with Italian AML obligations is often a game changer for some fintech players, as it may render the onboarding process particularly burdensome. Some fintech operators prefer to clearly separate the regulated and non-regulated services in order to carry out their AML/KYC activities only with respect to customers using the regulated services offered by the company.

Another aspect that is particularly relevant for fintech operators is the monitoring of customers’ transactions. Fintech players must develop internal algorithms or systems that are able to identify suspicious transactions in order to report them to the Italian Financial Intelligence Unit. While traditional financial institutions already have well-established procedures and systems to perform these transaction-monitoring activities, several fintech companies must establish these methodologies from scratch.

Sanctions for non-screening are a significant and relevant part of the KYC procedures that every fintech company must adopt in accordance with Italian law. Also, as a result of the recent conflict in Ukraine, this has become a particularly sensitive issue.

The regulatory requirements applicable to robot advisory activities depend on the nature of the underlying asset class.

Robot advisory activities are normally performed in relation to assets qualifying as financial instruments, such as shares, bonds, ETFs or other listed instruments. In these cases, the performance of robot advisory services qualify as investment advice or portfolio management under the Italian rules implementing the MiFID2.

If robot advisory services are offered in connection with crypto-assets, the company might need to be registered to operate as VASPs in accordance with the Italian regulatory requirements.

Robot advice is becoming part of the traditional models implemented by legacy players in the performance of investment services or activities. Some Italian banking groups have already introduced robot advisory solutions or other similar solutions to enhance the quality of the services rendered to their clients.

Under the Italian rules implementing the MiFID2, investment firms are required to take all reasonable steps to obtain the best possible result for their clients when executing orders. Robot advisory platforms must be designed in a manner which ensures compliance with this principle. However, this could be challenging for a number of reasons.

While investment firms must disclose their execution policy to their customers, it might be difficult to give complete and transparent information on how the algorithm executes the customers’ orders. The algorithm itself must comply with the restrictions and limitations that are outlined in the company’s internal policies, and this requires a significant degree of co-ordination between the compliance, business and IT functions of the company. The company must ensure that the execution of orders is appropriately monitored, which might not always be the case if all transactions are executed through an algorithm.

In terms of licensing obligations, there are no significant differences in the business of loans to individuals, small business and other players. Unlike other countries, in Italy, lending activities constitute a regulated business regardless of the nature of the borrower.

The nature of the borrower plays a role in terms of transparency obligations and conduct of business rules. Consumers and small businesses qualifying as “micro-enterprises” in accordance with the EU framework are generally subject to a higher degree of protection having regard to the pre-contractual and ongoing transparency obligations that lenders must abide by.

In addition, certain lenders (such as in particular alternative investment funds) may extend loans only to non-consumer borrowers.

The Italian regulations do not provide a detailed description of how the underwriting process should be handled, but outline some key principles which must be complied with by the lenders with respect to the assessment of the creditworthiness of the borrower.

Traditional lenders largely rely on the information available in credit risk databases in order to assess the creditworthiness of the borrower, in addition to the information concerning their income, employment, age, etc. The amount of information to be transmitted by the customer is normally quite significant and the outcome of the underwriting process is not immediate.

Some fintech players have, however, developed innovative solutions where the credit scoring of the customer is completed on the basis of information taken from public sources, data analysis or even social networks. Other fintech operators offer algorithm-driven processes where the creditworthiness of the customer is assessed in real time, with no need for extensive underwriting procedures.

Peer-to-peer lending and invoice trading platforms are widely used in the Italian fintech market. Conversely, business models based on deposits are less common due to the need to get a banking licence.

Other legal structures that are used to fund loans through fintech platforms are securitisation vehicles and alternative investment funds.

Securitisation vehicles are used in connection with BNPL business models. The merchant grants a payment deferral to the customer and transfers the resulting receivable to the securitisation vehicle against the payment of a purchase price. The securitisation vehicle is not subject to the transparency requirements that would otherwise apply to consumer credit transactions.

Alternative investment funds are also used in order to grant loans to non-consumer borrowers. The possibility to grant loans to non-consumer borrowers is, however, limited to alternative investment funds that are established in the EU and complete a non-objection procedure with the Bank of Italy in order to be authorised to carry out direct lending activities in Italy.

The syndication of the loans generated by fintech platforms may take place by transferring the credit risk to third parties (eg, through sub-participation or securitisation arrangements).

Alternatively, the syndication can occur at the level of the vehicle that is structured to grant the loans, for instance by having the securitisation vehicle or alternative investment fund issuing different classes of notes or units.

Some Italian fintech platforms aim at enabling financial institutions to syndicate loans through a tokenisation process – ie, by tokenising the interests in the loans and transferring them to third-party investors.

There is no rule which prevents payment processors from creating or implementing new payment rails. Under the Italian rules implementing the PSD2, payment processors may create new payment systems, provided that these are safe, secure and reliable. The payment systems created by payment processors must also be inter-operable with other payment systems, so that customers can make payments seamlessly between different systems.

Cross-border payments and remittances are subject to the Italian rules implementing the PSD2. They can be performed only by payment institutions, e-money institutions and banks operating in accordance with the PSD2 framework.

As a matter of practice, fund administration activities are normally performed by depositary banks in Italy. While the depositary business is subject to specific licensing obligations and is currently limited to Italian banks (or branches of EU banks), no licensing obligation applies to fund administration activities.

Fund administration activities are normally provided in the context of outsourcing agreements that are drafted in accordance with the applicable rules on outsourcing. According to these rules, the agreements must contain a number of provisions, for instance on the level of the services (SLAs) carried out by the fund administration and the key performance indicators (KPIs), the consequences in case of non-compliance with the SLAs and KPIs, etc.

The regulatory regime applicable to trading platforms ultimately depends on the nature of the assets traded on the platform.

If the assets qualify as financial instruments in accordance with the MiFID2 framework, as in the case of shares, bonds, etc, the marketplace or exchange must be authorised to operate as a regulated market, or to manage a multilateral trading facility (MTF) or organised trading facility (OTF). If the financial instruments are issued through DLT technology, the company operating the platform could apply for a licence under the EU DLT Pilot Regime Regulation.

The notion of MTF and OTF under the MiFID2 is particularly broad and could potentially cover different types of platforms and marketplaces, including those operating through peer-to-peer systems. An exemption from the authorisation requirements is provided in relation to platforms operating as “bulletin boards”, where purchase and selling interests are advertised, but the trades are not executed on the platform.

Crowdfunding platforms can operate in accordance with the EU Regulation on crowdfunding services. However, the trading on the secondary market of financial instruments issued in the context of crowdfunding offers is possible only on the basis of the bulletin board model referred to above.

Invoice trading platforms are not subject to the MiFID2 framework but could require a specific licence to operate as (i) payment service provider (if the platform manages the payment transactions underlying the trades executed on the platform), (ii) financial intermediary enrolled in the register kept by the Bank of Italy in accordance with Article 106 of the Italian Banking Act (if the platform manager purchases the receivables), or (iii) loan broker (if the receivables are purchased by a bank or financial intermediary).

Finally, crypto exchange platforms are subject to the duty to enrol in the register kept by the OAM, pending the entry into force of the new regime under the MiCAR.

Different asset classes have different regulatory regimes.

Platforms trading financial instruments are subject to the MiFID2 requirements, or the rules set out under the DLT Pilot Regime Regulation in case of financial instruments issued on DLT.

Companies operating crypto exchange platforms must be enrolled in the register of VASPs kept by the OAM (or the new register of Crypto-Asset Service Providers once the MiCAR will become fully applicable).

Under Italian law, companies operating cryptocurrency exchange platforms must be enrolled in the register of VASPs kept by the OAM.

VASPs that are enrolled in the OAM register are subject to the Italian AML requirements and must report the transactions executed by their customers on a quarterly basis to the OAM.

The current regime will change as a result of the full entry into force of the rules on Crypto-Asset Service Providers set forth in the MiCAR.

The existing rules on VASPs do not make any specific distinction between centralised and decentralised exchanges – while this distinction will conversely become very relevant under the MiCAR.

There are no specific listing standards that apply to fintech marketplaces or trading platforms.

Trading platforms that operate under a MIFID2 licence must carry out their services in accordance with the rules set out under the MiFID2. Platforms that are not subject to the MiFID2 regulatory regime are not subject to any specific regulations in terms of order handling rules.

Peer-to-peer platforms trading financial instruments are subject to the same regulatory regime applying to other trading venues under the MiFID2, unless they operate as a “bulletin board”. The bulletin board exemption applies, among others, only if the trade between the purchaser and the seller of the relevant financial instrument is executed outside the platform.

The broad notion of trading venues that is adopted under the MiFID2 constitutes a limit for the development of peer-to-peer trading platforms that do not fall within the scope of the MiFID2 rules. On the other hand, peer-to-peer trading platforms subject to the MiFID2 must operate in accordance with the same rules that apply to traditional market players.

The application of the MiFID2 best execution rules to peer-to-peer trading platforms depends on the role played by the platform in the context of the execution of the order and the qualification of the services offered to its customers.

If the platform operator is subject to the best execution obligations, it must take appropriate steps to ensure that its clients receive the best possible execution of orders, regardless of whether these are executed on the peer-to-peer platform of other venues.

In order to make the assessment on how to execute the order, the platform operators must take into account several factors, such as the costs and speed of execution, the size and nature of the orders, etc. These factors must be reflected in the order execution policy approved by the company operating the trading platform.

In the case of a payment for order flow, the platform operator receives compensation from a party (typically a broker or a market maker) for routing trades for trade execution to that particular party.

The payment of this type of compensation is subject to restrictions in accordance with the MiFID2 inducement regime. The company receiving the payment must demonstrate that the compensation enhances the quality of the services rendered to the customers, for instance because otherwise the trading execution route would not be available. Payments for order flow are accordingly allowed only if they pass the test to be considered as permitted inducements in accordance with the MiFID2 rules.

Trading platforms operating as regulated markets or MTFs under the MiFID2 are subject to the market abuse regime set out under the Market Abuse Regulation (MAR). They must also comply with a number of transparency obligations with respect to the trades executed on these platforms.

Algorithmic trading activities carried out in relation to financial instruments are subject to specific regulatory requirements under Italian law. In line with the MiFID2 definition, algorithmic trading occurs whenever a computer algorithm automatically determines individual parameters of orders such as whether to initiate the order, the timing, price or quantity of the order or how to manage the order after its submission, with limited or no human intervention. It does not include any system that is only used for the purpose of routing orders to one or more trading venues or for the processing of orders involving no determination of any trading parameters or for the confirmation of orders or the post-trade processing of executed transactions.

High-frequency trading techniques are characterised by:

• infrastructure intended to minimise network and other types of latencies, including at least one of the following facilities for algorithmic order entry: co-location, proximity hosting or high-speed direct electronic access;
• system-determination of order initiation, generation, routing or execution without human intervention for individual trades or orders; and
• high message intraday rates which constitute orders, quotes or cancellations.

Investment firms that use algorithmic trading are subject to specific requirements in terms of risk controls, continuity arrangements, monitoring programmes, etc. They must notify Consob (or the competent authority of their home member state) of the intention to use algorithmic trading techniques.

In line with the MiFID2 regime under Italian law, a market maker is any person who holds themselves out on the financial markets on a continuous basis as being willing to deal on own account by buying and selling financial instruments against that person’s proprietary capital at prices defined by that person.

A market-making strategy is defined as any strategy adopted by a player who engages in algorithmic trading when, acting for its own account as a member or participant of one or more trading venues, the strategy involves the entry of irrevocable and simultaneous buy and sell transactions, of comparable size and at competitive prices, relating to one or more financial instruments on a single trading venue or on different trading venues, resulting in the provision of liquidity on a regular and frequent basis to the market.

If a company operating on the basis of a high-frequency trading system implements a market-making strategy, it must be subject to the same requirements applying to market makers under the MiFID2.

The MiFID2 obligations concerning high-frequency trading apply to investment firms operating as such when executing trades or dealing on behalf of their clients. Investment funds trade on their own account and do not execute trades or dealings on behalf of their clients.

Programmers of algorithmic trading mechanisms are not subject to any specific regulatory obligations. However, investment firms using third-party systems offering algorithmic trading functionalities are responsible for the compliance with the MiFID2 obligations where they outsource or procure software or hardware used in algorithmic trading activities. The investment firms must also have sufficient knowledge and the necessary documentation to ensure effective compliance with this obligation in relation to any procured or outsourced hardware or software used in algorithmic trading.

In Italy there is no specific regulation governing DeFi platforms. The regulatory obligations potentially applicable to such platforms depend on the nature of the crypto-assets that are exchanged by the platform participants.

DeFi platforms exchanging virtual currencies can fall within the scope of the Italian registration requirements applicable to VASPs. If the DeFi platforms trade security or investment tokens, then the MiFID2 rules (or the Italian rules on prospectus requirements, door-to-door sale or distance marketing of financial instruments or products) could come into consideration.

The publication of financial research, or general financial recommendations which are not addressed to single customers, does not trigger any regulatory authorisation requirement in Italy.

These activities do not amount to investment advice, as long as the platform does not provide any personal recommendation to a single customer in relation to an investment in one or more financial instruments.

There is no specific regulation concerning the spreading of rumours or other unverified information in Italy, unless in relation to financial instruments that are traded on regulated markets or MTFs. In this latter case, the spreading of rumours and other unverified information might amount to market abuse.

Companies managing social trading platforms must pay attention to behaviours that could amount to market abuse through pump-and-dump or similar schemes. Under the MAR, market participants must take reasonable steps to detect and prevent market abuse, including by identifying any behaviour that could be in breach of the applicable obligations. As a consequence, in the context of social trading platforms, the platform operator may be required to monitor the activity of the platform users, as well as to identify and prevent any behaviour that could amount to market abuse.

The underwriting process followed by insurance undertakings in Italy requires a specific assessment of the insurance risks to be covered under the insurance policy. Several insurtech operators offer their services on the basis of an MGA, where the insurtech operator is responsible for managing and underwriting insurance risks on behalf of the insurance undertaking. In these cases the criteria to underwrite the insurance risks are detailed directly in the MGA agreement entered into between the agent and the insurance undertaking.

Under Italian law, different requirements apply to life and non-life insurance. Except for a limited number of grandfathered insurance companies who can offer both life and non-life insurance products, the general principle is that an insurance undertaking can operate either as a life or as a non-life insurance carrier.

Insurance and non-insurance products are also subject to different requirements and obligations in terms of pre-contractual transparency. In the context of life insurance products, specific obligations apply to the offer and marketing of insurance-based investment products (IBIPs), such as for instance unit-linked policies.

In the field of non-life insurance policies, a detailed set of rules applies to mandatory motor liability insurance.

There is no specific regulation of regtech providers in Italy. Instead, regtech providers are subject to various regulations depending on the specific activities they engage in.

When regtech solutions are applied in the financial or banking sector, they may be subject to supervision by the relevant authority, such as typically Consob or the Bank of Italy. Regtech providers normally operate as outsourcers on behalf of traditional financial institutions or fintech operators. In these cases, the outsourcing agreement must be subject to specific requirements as detailed in the relevant regulations. The outsourcing must also be notified to the competent regulator, and the financial institution must monitor on an ongoing basis the activities that are performed by the outsourcer in accordance with the outsourcing agreement.

Regtech solutions are particularly popular in relation to AML compliance. Several market players offer solutions allowing for an easier and faster KYC process, or managing the regulatory reporting to Italian authorities.

Besides AML regulations, regtech providers are also offering their services in the field of data collection and management, safe-keeping and storage of contractual documentation and regulatory reporting to Italian competent authorities.

As a matter of practice, the contract between financial institutions and regtech providers includes SLAs and KPIs in order to verify and monitor the quality and accuracy of the services carried out by the regtech provider. Typically the SLAs and KPIs are detailed in the annexes to the outsourcing contract.

SLAs may include recovery plans, time to answer, output standards, and may also include penalties if the regtech provider fails to meet the specified performance levels.

Additionally, financial institutions may require technology providers to agree to contractual clauses that are requested by the law or by guidelines outlined by the supervisory authorities. These provisions are designed to protect the financial institution against losses or damages that may result from the technology provider’s failure to meet the agreed-upon performance and accuracy standards.

Additional obligations apply in the event that the technology provider carries out a critical or important function on behalf of the financial institution.

Traditional financial institutions are considering using blockchain-based services or platforms in different ways.

Blockchain technology can simplify several operational processes, for instance in the field of fund processing and distribution, or the certification, analysis and sharing of the information concerning the credit portfolio of financial institutions.

Some Italian financial institutions have partnered (or are considering to partner) with blockchain service providers to offer crypto-exchange services to their customers, or to issue stablecoins. Other financial institutions are considering the possibility to invest their liquidity on DeFi platforms.

There is no set of rules specifically dedicated to blockchain services. In June 2022, the Bank of Italy issued a communication addressed to Italian financial institutions where it highlighted the risks associated with the use of blockchain technology. The Bank of Italy required financial institutions to carefully evaluate the use of blockchain technologies on the basis of the applicable regulatory framework, including the rules on outsourcing. Financial institutions must also inform their customers in a transparent manner about the risks involved in the use of the blockchain technology.

There is no specific provision under Italian law classifying the different types of crypto-assets. As a matter of practice and based on the indications given by Consob in the past, crypto-assets can be classified as:

• utility tokens;
• payment tokens;
• investment or security tokens; or
• hybrid tokens.

Investment or security tokens may qualify as financial instruments if they satisfy the conditions of the related definition set out under the Italian provisions implementing the MiFID2.

If the tokens do not qualify as financial instruments, they may still be classified as financial products (prodotti finanziari) under Italian law. The offer or trading of financial products is subject to requirements that are similar to those applicable to the offer or trading of financial instruments.

The classification of certain investment tokens as financial products is likely going to be reviewed in the context of the implementation in Italy of the MiCAR rules.

As clarified by the Italian government, while enacting the second-level regulations on the register of VASPs, the issue of virtual currencies (for instance, by way of ICOs) does not trigger the duty to enrol in the VASP register, unless the entity offers additional services such as the exchange or negotiation of virtual currencies.

If the tokens qualify as financial products or instruments, the ICO could be subject to the Italian prospectus obligations, unless it falls within the scope of one of the exemptions provided for under the Italian regulatory framework (eg, if the offer is addressed to professional investors only, or the amount of the offer is lower than EUR8 million).

The regulation of crypto-assets primarily depends on the qualification of the traded assets.

When the crypto-assets qualify as virtual currencies, the exchange is subject to the duty to enrol in the register of VASPs and comply with the Italian AML obligations.

If the crypto-assets qualify as financial instruments or products, it is possible that the exchange operator would need a licence to provide investment services in accordance with the Italian provisions implementing the MiFID2.

Funds that invest in crypto-assets are not specifically regulated under Italian law. The question that is currently being debated is whether and to what extent crypto-assets can constitute an eligible investment for Italian investment funds – and, in particular, alternative investment funds, considering the strict limitations that apply to UCITS funds.

The general principle under Italian law is that alternative investment funds can invest, among others, in any asset for which there is a market and that have a value which can be determined with certainty at least on a semi-annual basis. While these conditions appear to be met in cases of cryptocurrencies that are traded on major exchanges, they are not satisfied by all types of crypto-assets.

While crypto-assets are not generally defined under Italian law, the Italian AML Decree provides for a specific definition of “virtual currencies” in order to identify those entities that operate as VASPs and that are subject to the Italian AML obligations.

Virtual currency is defined as a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency, but is accepted as a means of exchange for the purchase of goods and services or for investment purposes, and which can be transferred, stored and traded electronically.

The definition does not cover a number of crypto-assets, such as asset tokens, investment or security tokens and NFTs, even though it is still debated whether the Italian rules on VASPs apply to this type of crypto-assets as well.

The Italian rules do not make any distinction between centralised and decentralised platforms (DeFi) and apply to both structures in the same way. This approach creates a number of regulatory uncertainties owing to the fact that the Italian regulations are meant to apply to individuals or legal entities and do not address the issue of how the legal and regulatory responsibilities should be allocated in the case of DeFi platforms. This issue must be assessed on a case-by-case basis depending on the business model, legal structure and functioning of the DeFi protocol.

There is no regulation in Italy applying to the offer, trading and exchange of NFTs. The rules applying to these activities depend on the features of the NFTs and their underlying assets. In addition, it is also relevant to understand whether the NFTs are issued as fractional or non-fractional NFTs. Fractional NFTs may indeed be qualified as financial products or instruments and be subject to specific restrictions or limitations. It is also unclear whether the sale of NFTs must be subject to the Italian AML requirements.

Italy has an open and supportive regulatory environment for open banking. As a consequence of the implementation of the PSD2, Italian payment service providers are required to open up their APIs to third-party service providers, thereby allowing for more competition and innovation. Some market players have developed open-banking platforms permitting the offer of various banking and financial services to the platforms’ customers by other market players.

A key aspect to be considered in this respect from a legal and regulatory standpoint relates to the collection, treatment and sharing of the personal data of the customers. Particular caution should also be exercised with respect to the security requirements to ensure the inter-operability among various service providers.

Under the Italian rules implementing the PSD2, banks and other payment service providers must ensure that customer data is shared securely with authorised third-party providers (TTPs). Payment service providers and TTPs are required to adopt various security measures to protect customer data and ensure compliance with data protection requirements.

The most important measures to be taken in this respect are those relating to the adoption of strong customer authentication (SCA) measures. SCA tools include two-factor authentication procedures and biometric authentication. They are aimed at minimising identity thefts or other frauds, as well as the dissemination of personal data concerning the customers of the relevant payment service providers.

The fight against financial fraud in the financial services and fintech sector involves the potential application of several provisions of the Italian Criminal Code and sector-specific regulations. The key provisions are Articles 640 and 640-ter of the Criminal Code, which deal with conventional fraud and computer fraud, crucial in tackling deception in traditional and digital finance. Legislative Decree 184/2021 marks a significant step forward by specifically targeting fraud related to non-cash payment methods, including digital payments and cryptocurrencies. In addition, Article 615-ter of the Criminal Code combats unauthorised access to computer or telecommunication systems, a prevalent problem in the cybersecurity landscape of the financial and banking sector. The Italian Financial Code complements these measures with Article 166, which punishes those entities not authorised to carry out financial activities vis-à-vis the public. Furthermore, Article 167 punishes those who, in the provision of portfolio management or collective asset management services, in violation of the provisions governing conflicts of interest, engage in transactions that cause damage to investors. These provisions are key to maintaining market integrity and protecting investors from unauthorised transactions and mismanagement of assets. The Italian Financial Code also contains provisions against market abuse, including insider trading and market manipulation, further safeguarding market fairness and transparency.

Financial regulators are increasingly focusing on a range of sophisticated frauds that exploit the latest technological advancements and the volatile landscape of investment opportunities. High on their radar are schemes involving cryptocurrencies, forex trading, and binary options, which often operate through unlicensed platforms. These platforms do not only pose significant risks to investors due to their lack of regulatory oversight but also serve as hotbeds for fraudulent activities, misleading promises of high returns, and non-existent risk management.

Cybersecurity threats such as phishing attacks and online banking fraud have also become prevalent. These involve deceitful tactics to steal personal and financial information, leading to unauthorised access to funds and sensitive data. The rapid evolution of these cyber risks necessitates vigilant regulatory oversight and robust cybersecurity measures to protect consumers.

Financial “influencers” (so-called fininfluencers) have also become subject to regulatory scrutiny – and will likely become subject to more stringent regulatory obligations as a result of the “Retail Investment Strategy” to be approved at EU level.