In 2023, the Portuguese fintech sector kept its resilience and stability. The main novelties in the Portuguese legal framework relate to changes in the taxation of income derived from virtual assets, the enactment of Bank of Portugal regulations applicable to crypto service providers, and new tax benefits applicable to start-ups and scale-ups. Finally, new rules were enacted to allow the implementation of the distributed ledger technology (DLT) pilot scheme for market infrastructures based on Regulation (EU) 2022/858 of the European Parliament and of the Council of 30 May 2022 on a pilot regime for market infrastructures based on distributed ledger technology (“DLT Pilot Regime”).

From a regulatory perspective, the greatest expected impact in 2024 will revolve around:

• the implementation of the above-mentioned DLT sandbox regime; and
• the enforcement and implementation of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (“MiCA” or “MiCA Regulation”), which will provide for the first time a transversal legal framework for projects applying distributed ledger technologies and virtual assets.

MiCA will likely have the practical effect of narrowing the regulatory framework between what could be called the “old school” players in the financial services and capital markets, and the “new players” usually known as fintechs.

Portuguese fintechs are a varied group of ventures. Fintech verticals in Portugal include payment services, neobanks, capital raising instruments, lending platforms, bank account aggregators, personal finance apps, crowdfunding platforms and insurance providers. Established legacy players are also present in investing, developing or promoting fintechs. The largest number of players follow a business-to-business model.

There is no general provision regulating the fintech industry in Portugal. The applicable regulatory framework is dispersed and depends on the client’s business model, sector and type of clients. Despite a case-by-case assessment being imperative, it is generally possible to identify the main regulatory framework that will likely apply to new fintechs:

• Decree-Law no. 486/99 of 13 November establishes the Portuguese Securities Code, which sets the core rules regarding securities and is part of the main legal framework of Portugal’s financial sector;
• Decree-Law no. 298/92 of 31 December establishes the Portuguese Legal Framework of Credit Institutions and Financial Companies;
• Law no. 102/2015 of 24 August establishes the Crowdfunding Financing Act, which follows closely the provisions set by Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020, on European crowdfunding service providers for business, and lays down uniform requirements for the provision of crowdfunding services, for the organisation, authorisation and supervision of crowdfunding service providers, for the operation of crowdfunding platforms as well as for transparency and marketing communications about the provision of crowdfunding services in the EU;
• Law no. 83/2017 of 18 August establishes the Combat Measures for Anti-Money Laundering and Terrorism Financing Act, which serves as a general framework for all fintechs on what concerns their anti-money laundering (AML) obligations as well as the implementation of “Know Your Customer” (KYC) provisions (“AML Act”);
• Decree-Law no. 91/2018 of 12 November establishes the Payment Services and E-money Act;
• Decree-Law no. 27/2023 of 28 April establishes the legal framework for asset management, which establishes the general framework for asset management companies and different types of collective investment organisations (including funds) (“Asset Management Regime”);
• Consumer Protection Acts also apply when dealing with consumers, including the Distance and Off-Premises Law (Decree-Law no. 24/2014); the E-commerce Law (Decree-Law no. 7/2004); the Digital Goods, Content and Services Law (Decree-Law no. 84/2021); and the General Contractual Clauses Law (Decree-Law no. 446/85);
• The General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), is directly applicable in Portugal; and
• The MiCA Regulation became effective in June 2023 and shall be in full force in Portugal starting 30 December 2024.

The above-mentioned Acts are the foundational framework applicable to most fintechs. Other provisions and regulations may apply, and any entrepreneur in this sector must comply with the ordinances issued by regulators and supervisory authorities that are regularly enacted in light of ongoing developments in sectorial practices. In addition to local laws, regulations and ordinances, fintech activities are also extensively regulated by EU frameworks.

The Portuguese legal framework does not provide pre-established compensation models or mechanisms for fintechs. Compensation schemes will largely depend on the type of business or project being developed, applicable regulations and type of clients. Rules applicable generally stem from the Market in Financial Instruments Directive II (“MiFID II”).

The compensation models for a fintech project will usually be designed under a commission, fee or interest loan model.

Under the commission model, the industry participant will draw compensation from the subscription or closing of the position of a specific product. Under a fee-based model, the industry participant will collect a fee (fixed or variable) for rendering a specific product or service.

The particulars of each commission or fee model will largely depend on the regulatory landscape covering a given business activity, which, in some cases, may need to be segregated into different vehicles to obtain the practical effect desired by the industry participant.

For example, asset management and investment fund companies can draw commissions as established in their management rules. Still, they will not be allowed to charge a commission when a specific fund invests in other funds that the managing company of the fund controls.

In the context of payment and e-money institutions, there is the possibility of granting loans so long as they are associated with and exclusively granted for the sole purpose of the payment operation requested by the user and so long as the loan is reimbursed within 12 months. In such cases, the payment or e-money institution must ensure that the user disposes of sufficient funds under the ordinances issued by the Bank of Portugal. 

The main rule to be followed is that the compensation model deployed by an industry participant needs to be transparent, proportionate, explained in detail to the customers or users and designed in such a way that no conflict of interest arises from its application. Disclosure of compensation models must take place prior to entering into a contract or transaction (as applicable).

There are not many differences between the regulation of fintech industry participants and of legacy players. The Portuguese legislature has significantly narrowed the legal framework asymmetry that previously existed between fintech and legacy players by mirroring its EU counterparts and adopting the “same activity, same risks, same rules” principle. 

In practical terms, the convergence between the applicable legal framework set for legacy players and that for fintech industry participants has translated into higher entry costs to “new players” but, at the same time, has provided much-needed legal security when deploying a new financial solution in the market.

It is expected that legacy players will have an initial advantage when digging into the fintech space, considering the need to comply with tighter and heftier compliance, supervision and regulatory obligations. However, if they are able to overcome the regulatory burden set by the national and EU regulations, new players will often enjoy more flexible management and a swifter decision-making process, allowing them to develop and deploy new solutions to address market needs that are “off the radar” of legacy players. In some cases, some regulatory exemptions will apply, which may render the development of a fintech project substantially easier.

In 2021, the Portuguese government enacted general principles for the creation and regulation of Technological Free Zones, which could lead to the creation of regulatory sandboxes. Nonetheless, there is currently no particular regulatory sandbox in Portugal for fintech projects. This means that most industry participants will need to comply in part or in full with applicable regulations (some of which are listed in 2.2 Regulatory Regime).

In 2018, the Portuguese regulators created an innovation hub named the “Portugal FinLab”, opening a communication channel with new players in the fintech industry. The three main regulators participating in the FinLab are Autoridade de Supervisão de Seguros e Fundos de Pensões (“Insurance and Pension Funds Supervisory Authority”), Banco de Portugal (“Bank of Portugal”) and Comissão do Mercado de Valores Mobiliários (“Securities Market Commission”), which are usually the three leading independent regulators in the Portuguese jurisdiction.

The Portugal FinLab’s purpose of providing a communication channel between the regulators allows start-ups and new players to navigate the complexity of the legal framework. However, it is not a sandbox facilitator. The only sandbox regime applicable is the DLT Pilot Regime, but it is not domestic in nature.

Four main national regulators have jurisdiction over industry participants, each with a specific field of jurisdiction:

• The Bank of Portugal acts as the Portuguese Central Bank and is therefore integrated into the European System of Central Banks under the European Central Bank. It is tasked with monitoring and supervising financial, payment and e-money institutions, and with virtual asset provider authorisations.
• The Securities Market Commission oversees the offerings of securities and financial asset management companies and advisory in Portugal. It is the competent authority to issue an authorisation to engage in crowdfunding activities. Regarding crowdfunding, the Securities Market Commission may also request technical opinions from the Bank of Portugal.
• The Insurance and Pension Funds Supervisory Authority is the supervisor with jurisdiction to oversee the insurance and pension fund markets.
• The National Data Protection Commission (Comissão Nacional de Protecção de Dados) is the Portuguese public authority that supervises data processing by all public and private entities in Portugal.

Participants may fall under the scope of one or more regulators depending on the nature of the project to be developed.

Unregulated functions can be mostly outsourced at will. By contrast, regulated functions are required, in certain instances, to be disclosed to the competent regulator and must follow a particular set of rules. As a rule, both the nature and extent of the outsourcing must always be contractually defined and notified.

The European Banking Authority’s revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) are applicable to fintechs operating under MiFID II rules, and to credit institutions, payment service providers and electronic money institutions. In May 2020, the Bank of Portugal issued a Circular Letter establishing that such regulations are applicable. Later on, in 2023, a Bank of Portugal Notice established a specific framework for the registration of outsourcing agreements, requiring participants to maintain a complete and permanently updated register of all subcontracting agreements, including the functions subcontracted to intragroup service providers, and to provide notice to the Bank of Portugal of any intention to subcontract an essential or important function with a minimum of 15 days’ notice.

From a contractual perspective, matters covered in outsourcing agreements will include service level standards, business continuity, liability allocation, data protection, client risk management, protection of assets or funds if custody is transferred, AML compliance and use or licensing of IP rights.

From an employment law perspective, restrictions apply to the outsourcing of functions to an ex-employee who was terminated during the previous 12 months. Portugal also has transfer of undertaking rules that may impact outsourcing arrangements.

There is no legal concept of gatekeeper nor a specific liability regime for fintechs. Therefore, the characterisation or imposition of a service provider to act as a gatekeeper varies. Different market participants may be subject to distinct types of liability or scrutiny by regulators depending on the effective role played. In particular, obligations to report suspected money laundering activities apply across most sub-industries of fintech.

Portuguese regulators may often deploy routine inspections and audits to legacy and fintech participants. Depending on the seriousness of any breach found by the regulator, different penalties may apply, ranging from a mere administrative notice to hefty fines and, finally, to licence or authorisation suspension or revocation.

Upon finding a breach of the compliance of regulatory provisions by the regulator, the outcome of the proceeding may be settled between the fintech participant and the regulator or disputed administratively and, upon conclusion, argued in the competent court. All supervisors have official websites where the fines imposed and the results of enforcement actions can be accessed.

Several non-financial regulations may apply to fintechs.

Considering the scope of the activities developed by many fintech industry participants, Regulation (EU) 2022/2554 of the European Parliament and the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) may also apply, imposing the need to deploy security measures to protect ICT systems used.

GDPR will likely apply as many fintechs process personal data as part of their business model. The Portuguese supervisory authority is the National Data Protection Commission.

Under Law no. 46/2018 of 13 August, which transposed the EU Network and Information Systems (NIS) Directive (2016/1148) into the domestic legal framework, fintech participants are required to have robust security measures in place against cyber threats. Encryption, access control, incident response, disaster recovery and business continuity plans are some of the contingencies for which measures must be in place.

Besides regulators, fintech industry participants often use two types of audits, namely internal and external audits.

Internal audits are a series of internal procedures to ensure activities are compliant with regulations. In most instances, fintechs must disclose the content of their internal organisational mechanisms to the supervisory regulator before initiating activities. It is customary to hire external auditors to test and assess whether the previously established compliance mechanisms are up to par with provisions and regulations in force or need adjustments.

Considering that the violation of regulatory rules could result in hefty fines, fintech industry participants prefer to either outsource part of their financial or non-financial obligations to third parties or hire third-party private auditors to ensure they comply with their obligations.       

Unless otherwise provided, industry participants may generally offer “regulated” and “unregulated” services. The issue of providing “regulated” and “unregulated” services was broadly seen as an issue before the development of proper regulations regarding virtual assets, which, for an extended period, could have been considered unregulated assets. With supervisors catching up with these new types of assets or services, one can argue that most activities are now regulated and that every product or service is likely to fall under the scope of some sort of regulation.

In practical terms, fintech industry participants may be forced to undergo several different but parallel types of licensing, which, in many cases, will be independent of one another but deeply intertwined. For instance, fintechs wishing to deploy exchanges where crypto-to-fiat operations occur and associated payment services are provided may be requested by the supervisory authority to segregate these activities to mitigate the potential risks and conflicts of interest. In such cases, the solution may involve the creation of two separate legal entities covering each specific activity.

Most fintech companies must deploy AML and KYC internal provision to get their licences and conduct their activities under the scope of the AML Act, which contemplates several duties such as the need to establish policies and control procedures to identify money laundering risks.

The AML Act also forces fintech projects to identify their users through KYC procedures before engaging in a business relationship or whenever establishing transactions in the amount of EUR15,000 or above or dealing with virtual assets in the amount of EUR1,000 or above.

Fintechs should be able to refuse service to non-compliant customers or if they suspect that services or products might be utilised in money-laundering activities or connected with the financing of terrorist organisations. When deploying their AML/KYC policies, fintechs must be ready to deploy sophisticated systems to control, monitor and identify possible money-laundering activities, swiftly notify the competent authorities, and collaborate with the authorities when requested.

In practical terms, some of the duties of customer identification can be outsourced to third parties.

There is no specific law regulating the services provided by robo-advisers. Therefore, they are likely considered to fall under the definition of order execution, investment advisory services or portfolio management. Usually, robo-advisers are used for trading in traditional securities, such as shares, bonds, exchange-traded funds, and other financial instruments regulated under the Portuguese Securities Code and other ordinances issued by the Securities Market Commission. Fintechs operating under this model will also be subject to MiFID II rules.

For fintech players wishing to deploy robo-advisers trading both financial instruments and virtual assets, a hybrid licence would need to be secured because the competent authority of Portugal to authorise activities involving the custody of virtual assets is the Bank of Portugal.

Legacy players such as banks and fund management institutions have been paying close attention to robo-advisers. New solutions are expected to be developed in the future, considering the advantages they bring from a mass investment perspective and the ability to capture many retail investors. In Portugal, Banco Best is the only known retail bank offering a robo-adviser-based solution for investment in financial instruments.

In the event that robo-adviser services fall under the scope of MiFID II, “best execution” obligations require participants to take all sufficient steps to obtain the best possible result for clients.

Lending is an activity reserved to authorised credit and financial institutions, regardless of the type of borrower. In general, authorisation by the Bank of Portugal is required to grant loans as it is deemed to be a banking activity. Some forms of peer-to-peer lending would fall within the concept of crowdfunding and be regulated by the Securities Market Commission.

Depending on the type of loan, such as a consumer or asset-backed loan, rules vary in relation to certain criteria such as effort rates, interest rates and maturity date.

Consumer loans are regulated by Decree-Law no. 133/2009 of 2 June in line with Directive 2008/48/EC of the European Parliament and the Council of 23 April 2008. The Law on Distance Contracting of Financial Services would also apply. In most cases, a consumer is able to cancel a loan agreement within 14 days.

For mortgage-backed loans, the general provisions are provided by Decree-Law no. 74-A/2017 of 23 June, which transposes Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property. Under the above-mentioned provisions, lenders must refrain from unfair and misleading advertising practices and are obliged to present adequate information on the conditions of the loans being offered to the consumer.

Micro and short-term loans are also allowed for payment and e-money institutions provided that the creditors meet some criteria and conditions.

Lending institutions manage the underwriting process until a loan agreement is concluded. This process entails assessing the borrower’s creditworthiness, conducting credit rating checks, and utilising internal risk classification procedures and external credit assessments. The type of collateral provided also has a bearing on the approval process. Each Portuguese bank usually has its own set of underwriting criteria.

The regulatory landscape governing credit checks on consumers, particularly for consumer real estate loans, is multifaceted. The Consumer Credit Directive (2008/48/EC), incorporated into Portuguese law, is the cornerstone for overseeing all consumer loan agreements. However, the evolving nature of financial transactions necessitates ongoing updates to regulatory frameworks.

Moreover, real estate-backed loans are subject to additional stringent regulations under the Mortgage Credit Directive (2014/17/EU), which is also transposed into Portuguese law. These regulations encompass various aspects including advertising, contractual information dissemination and rigorous credit checks. The overarching goal is safeguarding consumers’ interests and ensuring responsible lending practices within the real estate sector.

The traditional Portuguese lending market relies on deposit-based solutions, involving a banking licence. From a commercial perspective, legacy players such as banks and credit institutions are in a position to draw funding from deposits. They are usually backed by solid human and technological resources allowing those players to collect deposits, enter into inter-bank lending, and issue debt and securitisations.

Specialised lending organisations, such as retail credit firms, have various avenues to secure funds for their lending operations. They can raise capital through securitisations or borrowing from other investors or institutions. Additionally, they may utilise peer-to-peer lending platforms, such as crowdfunding service providers, to access funds.

Peer-to-peer lending platforms will allow investors’ funds to be sourced.

Syndicated loans involve several parties and complex documentation, and are mostly used for acquisitions or in the context of restructuring. Therefore, loan syndication is reserved for the largest transactions, falling outside the market scope and practice of most fintech players. Typically, the most significant financing contracts are conducted outside of online platforms, contributing to the limited occurrence of loan syndication in the country.

Payment rails represent the digital infrastructure, facilitating cashless transactions by transferring funds from a payer to a payee. Payment processors have the flexibility to select their preferred payment rail. However, certain fixed transaction systems have become established within traditional account-based payment systems.

For instance, within the Single Euro Payments Area (SEPA), bank transfers occur through the SEPA Instant Transfer Scheme, facilitating transfers between bank accounts. Faster Payments’“Instant Payment” rail allows swift bank-to-bank transfers, a component of the European SEPA system widely supported by banks and savings banks in Portugal. This service operates round the clock, enabling users to execute transfers promptly.

Additionally, payments can be initiated via the SWIFT network to any member bank worldwide.

Modern payment methods diverge from conventional networks, enabling direct peer-to-peer transfers without intermediary financial institutions. This innovation allows users to transfer funds between accounts, bypassing traditional banking systems seamlessly.

It should be noted that although there is no legal impediment to developing and using alternative payment rails, the payment service scene in Portugal is highly dominated by SIBS, which holds control over the ATM network and is considered one of the most advanced systems in the world.

Payment transactions are governed by the EU Payment Services Directives, adopted into Portuguese law through Decree-Law no. 91/2018 of 12 November, and fall within the jurisdiction of the Bank of Portugal.

As an EU member state, Portugal falls under the geographical influence set by the SEPA Regulation (Regulation (EU) No 260/2012), which outlines the SEPA, crucial in facilitating seamless cross-border money transfers. For instance, the regulation prohibits companies from rejecting cross-border direct debits, commonly called “IBAN discrimination”, by mandating acceptance of all EU payment accounts reachable through SEPA mandates.

Non-regulatory rules regarding cross-border payments and currency remittance usually stem from AML and anti-tax fraud concerns, with mandatory documenting and reporting required. Portugal transposed Directive (EU) 2020/284 (as regards introducing certain requirements for payment service providers) imposing additional requirements on payment service providers to maintain records for three years.

Regulations governing funds and fund administrators vary depending on the asset classes invested in by the fund. There are no special rules applicable to fintechs in this regard.

Investment funds falling under the criteria outlined in the UCITS Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) are classified as UCITS.

UCITS funds, with certain exceptions, are restricted to investing in shares, money market instruments and investment fund units. Additionally, they must obtain authorisation from the Securities Market Commission. The prerequisites for becoming a UCITS management company and initiating a UCITS fund are stipulated in the regulations of the Securities Market Commission.

On the other hand, investment funds that do not meet UCITS criteria are categorised as alternative investment funds (AIFs). These may include private equity funds or real estate funds. The management and marketing of AIFs fall under the jurisdiction of AIF managers (AIFMs), who are governed by the Alternative Investment Fund Manager Directive 2011/61/EU.

The fund administrators have risk management and asset valuation functions. Compliance with such functions is required for all fund administrators and fund management companies, including small ones, unless such compliance is proven to be inappropriate under a proportionality assessment, considering the operation’s level of complexity and the fund’s investment strategy.

There are no specific legal provisions governing the relationship between fund administrators and fund advisers other than the rules governing the outsourcing of crucial functions of a regulated entity. In any case, it would be recommended for the advisory agreement to comply with rules governing data privacy and AML obligations, in addition to having well-designed liability and conflict of interest provisions. Providing clear service-level and key performance indicators is also essential.

All management funds must have an investment policy, management regulation and a well-described compensation model. Together with the Asset Management Regime, there are restrictions imposed on outsourcing of functions. Outsourcing of functions requires prior notice to the Securities Market Commission, and both the competence of the subcontracting entity and the selection process due diligence must be approved. No type of outsourcing can prevent a managing company from acting on behalf of or managing the fund, nor impede or hinder its supervision. The fund manager is the key decision maker and therefore deviation from the investment purpose is not possible.

The regulation applicable to financial assets trading platforms derives from MiFID II rules.

Euronext Lisbon, the only stock exchange in Portugal, is the most prominent trading ground for shares and other securities. Securities trading platforms are supervised by the Securities Market Commission, ensuring compliance with transparency and market integrity standards.

Multilateral trading facilities (MTFs) are also regulated under Portuguese law and constitute alternative trading platforms enabling securities trading beyond conventional stock exchanges. MTFs are subject to the Securities Market Commission and offer more adaptable trading conditions at lower costs. The only MTFs in operation in Portugal are Euronext Growth and Euronext Access, both managed by the Euronext group.

Organised trading platforms (OTFs) specialise in trading specific securities such as derivatives and have stricter regulations when compared to MTFs. They must satisfy transparency and market integrity criteria while ensuring the absence of conflicts of interest influencing trade execution.

The new EU DLT Pilot Regime offers the opportunity to develop new types of platforms, but the novelty of this new legal framework has yet to be put to the test in the Portuguese jurisdiction, despite domestic legislation already having been enacted to allow its implementation.

Finally, crypto exchange platforms can also be considered a regulated marketplace. See 7.3 Impact of the Emergence of Cryptocurrency Exchangesfor more details.

Different asset classes will have different regulations and, in some cases, fall under the supervision of different regulators. Financial instruments typically fall under the scope of MiFID II, and fintech operators operating marketplaces are supervised by the Securities Market Commission. Virtual assets, if qualified as securities, will fall under the jurisdiction of the Securities Market Commission and are regulated by the DLT Pilot Regime and recently enacted domestic regulations. At the same time, fintech operators may require authorisation from the Bank of Portugal to operate as virtual asset service providers if non-security virtual assets are traded.

Hypothetically, depending on the virtual asset admitted to trading in the marketplace, a virtual asset service provider (VASP) licence may be required (issued by the Bank of Portugal) in addition to the enrolment of the exchange with the Securities Market Commission.

Cryptocurrency exchanges, regardless of their level of centralisation, must always secure a VASP licence from the Bank of Portugal to conduct their activities. A VASP licence focuses on the KYC and AML screening aspects of the fintech operator, in line with Portugal’s transposition of the Fifth AML Directive (2018/843), as set forth by the AML Act.

The emergence of cryptocurrency exchanges has not yet impacted current domestic regulations. Still, it has drawn the attention of Portuguese supervisors. The Securities Market Commission determined that, depending on the characteristics and features of a given virtual asset, it may fall under the concept of a financial instrument and, therefore, trading or issuance of such assets is under its supervision.

There are no specific listing requirements applicable to fintech companies. All trading platforms are required to have public, transparent and non-discriminatory rules based on objective criteria ensuring the good functioning of the trading platform.

Listing requirements in a Portuguese regulated market are governed by the Portuguese Securities Code, by regulations and instructions approved by the Securities Market Commission and by Euronext’s Rule Books and Notices. Listing is also governed by the MiFID II rules, the Prospectus Regulation (2017/1129/EU), the Market Abuse Regulation (596/2014/EU) and the Transparency Directive (2004/109/EC) (as amended).

MiFID II dictates order handling rules, and the Portuguese Securities Code imposes the “best execution” principle on any financial administrator. Orders should be executed at the moment indicated by the client. When the client has not provided specific instructions, the financial intermediary must try to obtain the best possible result for the client, attending to several criteria such as price, costs, speed, the likelihood of execution and liquidation, or another pre-established factor in the EU legislation.

An intermediary will be required to inform the client beforehand of its execution policy, and any change in the execution of the orders must be communicated in advance. An intermediary may partially execute orders unless the client orders against it.

Peer-to-peer platforms have been increasing in numbers, and the crowdfunding market can be described as having gone beyond proof of concept. Both new players and legacy institutions have manifested some interest in this new type of platform granting access to investors to several markets encompassing real estate, socially responsible investments, SMEs, etc.

The level of legal sophistication applied in developing such platforms varies depending on the type of investments offered to the public. For example, it is possible to find in the Portuguese market a solution where a crowdfunding platform has opted to create hybrid solutions going through several types of licences such as payment, crowdfunding and insurance licences. In contrast, others opt for a more modest approach to retain a crowdfunding licence.

The ability to passport the crowdfunding licence to other EU member states, allowing new investment opportunities to different markets, has spiked the interest of some newly established players and legacy institutions.

Please see 7.5 Order Handling Rules.

Financial intermediaries must select their trading and execution venue based on a “best execution” policy, and must provide their clients with information on costs and expenses per service and per financial instrument.

In addition, inducement rules prevent firms from paying benefits to or receiving benefits from third parties, with a few exceptions. Notably, it is possible for firms to receive payments or inducements if required for the rendering of services, in situations where it is deemed to enhance the quality of the services, if the amount has been clearly disclosed beforehand to the client and provided that it does not interfere with the obligation of the investment firm to act honestly, fairly and professionally in accordance with its clients’ best interests.

Portugal criminalises insider dealing and market manipulation in regulated markets. The fundamental tenets of market integrity and the prevention of market abuse originate from Regulation (EU) No 596/2014, commonly known as the Market Abuse Regulation. The Market Abuse Regulation explicitly prohibits activities such as insider dealing, trading, the unauthorised disclosure of inside information and market manipulation, while incorporating measures to pre-empt and identify such misconduct.

High-frequency and algorithmic trading (HFAT) is allowed under the Portuguese Securities Code, bringing significant benefits to the market such as increased speed of orders, increased market liquidity and reduction of bid-ask spreads.

However, there are also some risks associated with HFAT, such as:

• increased risk of market abuse and manipulation;
• protection issues for small investors;
• volatility and operational risks; and
• market fragmentation.

The general legal framework for HFAT is set out in MiFID II and the Portuguese Securities Code, which stipulates all financial intermediaries deploying such systems must keep registries of all placed orders, including cancellations, which must be immediately made available to the Securities Market Commission upon request.

Before initiating HFAT operations, any intermediary must communicate this intention to the Securities Market Commission and must provide:

• information about investment strategy;
• detailed information about the system metrics and limits;
• detailed information about security measures to avoid faulty orders; and
• detailed information proving that the system does not create a risk of market manipulation or abuse.

A financial intermediary can operate as a market maker through algorithmic trading provided it has informed the Securities Market Commission. Still, it must ensure that the market-making activity is conducted continuously during the negotiation period of the platform and ensure market liquidity periodically and predictably.

A written agreement must be entered into with the trading platform establishing the conditions regarding how the liquidity and continuity of the market activity are to be ensured.

Additionally, security and control systems must be designed and put in place, allowing the monitoring of whether the conditions set out in the agreement entered into by the market makers and the platform are being consistently fulfilled.

There is no distinction made between funds and dealers engaged in these activities in the Portuguese jurisdiction.

The Portuguese legislation closely follows Commission Delegated Regulation (EU) 2017/589, delineating the regulatory technical standards that are the organisational requisites for investment firms involved in algorithmic trading. As per these standards, an investment firm must ensure it has an adequate workforce equipped with the requisite skills and technical proficiency to oversee:

• the pertinent trading systems and algorithms;
• the monitoring and testing of those systems and algorithms;
• the trading strategies implemented through those trading systems and algorithms; and
• compliance with the its legal obligations.

Even in outsourcing or procuring software or hardware utilised in algorithmic trading activities, the investment firm bears full responsibility for its regulatory obligations. It is worth noting that these regulations do not directly apply to programmers responsible for developing or creating trading algorithms or other electronic trading tools.

There is no set of specific regulations or laws governing DeFi.

Financial research platforms are not subject to registration, nor are they regulated. However, it should be noted that this is only true if no financial advice is provided to customers.

Spreading rumours and other unverified information, independently of the nature, type or structure of the agent, can be deemed to constitute market manipulation, leading to penalties and fines, and be construed as a criminal offence.

We are unaware of any platform where “pump and dump” schemes are used in the Portuguese jurisdiction. Such schemes are forbidden by national and EU law. Should a platform or any other intermediary notice the existence of such schemes, it should immediately report this to the competent authorities. Regardless of the platform’s involvement in such schemes, in the event of illegal practices becoming apparent, lack of reporting can be deemed to be complicit behaviour with practical repercussions for the organisation. Platforms are generally required to curate conversations regarding copyright infringement, threats of violence, etc. 

The insurance industry uses several underwriting processes, which will significantly depend on the type of business model developed by the industry participant.

It should be noted that insurance activity is regulated in Portugal under Law no. 147/2015 of 9 September and that various types of authorisations are available under this legal framework depending on the intended business model.

Most fintechs in insurtech operate brokerage models where data collection is remitted to a regulated insurance company, which will then apply its internal risk analysis methodology depending on the type of policy requested by the client. Insurance intermediation is also a regulated activity in Portugal.

In Portugal, there are several types of insurance, some being mandatory by law or contract.

As examples of mandatory insurance in Portugal, one can point out the following:

• work hazard insurance;
• service hazard insurance;
• personal accident insurance;
• assistance to third parties;
• damage insurance;
• sickness insurance;
• fire hazards insurance;
• bond/deposit insurance;
• civil liability;
• theft insurance; and
• life insurance.

In some cases, the minimum coverage and conditions set by a type of insurance will be defined by ordinances issued by the ministerial department with jurisdiction over the sector in question.

Authorised insurance companies can engage in insurance activities in both the life and non-life sectors but must adopt distinct management for each activity, ensuring that both sectors are kept separate. Distinct minimum capital requirements are set for direct insurers and reinsurers, for life and non-life policies. The promotion and sale of distinct types of insurance products are subject to specific requirements, notably with regard to information duties.

Legacy players tend to specialise in either life or non-life insurance policies.

Regtech providers are not directly regulated so long as they do not render any service that is directly regulated as a subcontracted function or provide what could be considered reserved advice for some professions.

With the rise of new fintech solutions leading to the development of new regulatory frameworks, the compliance cost for all players, whether new or legacy ones, has risen in the last years. In turn, fintechs originated new and ingenious ways to streamline the procedures to comply with all the new impositions set by these new legislations and regulations.

The category under which a potential regtech could theoretically be considered to be regulated needs to be assessed on a case-by-case basis, depending on the depth and level of “compliance activity” being developed. Assessing whether a particular solution is within the scope of a regulated sector or profession is not simple. For example, KYC services are strongly prone to being outsourced. In this case, the fintech solution provider should be aware that this third-party service provider could fall within the scope of the AML Act.

Another issue that should be considered when developing a regtech project is to be aware that certain outputs can be construed as legal advice, which in some jurisdictions is illegal because such advice is reserved to licensed professionals such as lawyers, financial analysts and advisers.

The cornerstone of the assessment will mainly depend on the complexity of the analyses being offered by the solution, which may be considered of a technical nature in some cases or “mechanical” in others. When confronted with regtech solutions producing deliverables or results based on technical analyses, it would be advisable that the regtech player deploys experienced professionals to validate and confirm the results produced by the solution. In cases where the result of the activity undertaken translates to a mere fulfilment of mechanical procedures of reporting and information registration integrated into a workflow, such issues are less likely to arise.

In any case, and considering that, in most cases, regtech solutions tend to require access to sensitive and personal data, all projects are likely to fall under GDPR rules and DORA.

As stated in 11.1 Regulation of Regtech Providers, there is no specific set of provisions for regtechs.

To engage with this emerging trend, traditional banks, insurance firms and asset management entities are actively fostering their own financial innovations. They either outsource specific tasks to relevant service providers, form collaborations or partnerships with them, or actively endorse and integrate with promising start-ups. This constitutes a change in legacy players’ approach to blockchain and cryptocurrencies, a topic mostly shunned or ignored in the past.

Blockchain technology can, for example, play a significant role in new methodologies for authenticating the identity of economic agents due to the multilaterally controlled nature of information present in a registry concerning past operations and behaviours. Additionally, it can enable or enhance peer-to-peer financing mechanisms through the internet and even allow for efficiency gains in accounting and auditing procedures within banking activities.

There are various possibilities for using blockchain in the financial sector, notably registering ownership and operations relating to financial instruments.

In Portugal, there is no specific regulation for blockchain or DLT as a standalone technology. The regulatory focus on blockchain is limited to its use in the context of services involving securities, payments, financial intermediation or investment services, in addition to tackling any money-laundering-enabling features it may have.

The most recent set of rules stems from the DLT Pilot Regime. DLT financial instruments are financial instruments within the meaning of MiFID II that are issued, recorded, transferred and stored using a distributed ledger technology. One of the existing types of DLT, and the most well-known, is blockchain. The new Portuguese legislation encompasses a wide range of activities for operators of DLT-based market infrastructures. Operators are authorised to:

• provide registration and deposit services for DLT financial instruments;
• manage multilateral trading systems;
• manage securities settlement systems;
• receive, transmit and execute orders on behalf of others;
• manage portfolios on behalf of others; and
• trade on their own account.

However, Decree-Law No. 66/2023 is limited to shares, bonds, and units of participation in collective investment schemes.

These operators’ role are financial intermediaries under the Portuguese Securities Code, and the Securities Market Commission is the competent national authority for granting and revoking specific authorisations to operate a multilateral trading or securities settlement system based on DLT.

Currently, no overarching legal framework or singular legal definition for blockchain assets is applicable within Portugal. The terminology surrounding these assets varies, adding to the complexity. For instance, the Portuguese regulator prefers the term “virtual assets” instead of “blockchain assets”, while the EU has employed “crypto-assets”, as evidenced in MiCA.

Irrespective of the terminology employed, the classification of blockchain assets as regulated financial instruments is contingent upon the specific characteristics of each asset. This determination must be made on a case-by-case basis, considering whether the asset falls within the purview of existing financial services regulation.

In accordance with the current legal framework, specific blockchain assets meet the criteria to be classified as financial instruments under MiFID II (and its incorporation into Portuguese law) or under the Portuguese Securities Code. In essence, any blockchain asset exhibiting the attributes of a financial instrument is likely to meet the criteria for regulation within this framework.

The Portuguese law does not itself provide a concrete definition of the types of tokens that can be considered securities. It is necessary to analyse the characteristics of each token to determine whether it qualifies as a security under the Portuguese Securities Code.

The categorisation of non-fungible tokens (NFTs) remains uncertain, as their status as digital assets or tokens is contingent upon their specific features and the associated rights they confer. Generally, most NFTs fall outside the concept of securities due to their non-fungible nature. However, this conceptualisation may be challenged in situations where NFTs are fractionalised and divided into smaller tradable units, a process similar to how traditional assets can be securitised and divided into shares.

The MiCA Regulation, in force as of July 2023, extends its coverage to include novel categories of crypto-assets that previously fell outside the scope of conventional EU regulation. The definition of crypto-assets consists of “a digital representation of a value or of a right that is able to be transferred or stored electronically using distributed ledger technology or similar technology”.

The applicable new rules, which include, in particular, transparency and authorisation requirements, will differ based on the characteristics of the token, as MiCA differentiates between e-money tokens, asset-referenced tokens and utility tokens.

The Securities Market Commission’s first regulatory approach consisted of a communication to entities involved in launching initial coin offerings (ICOs) regarding the legal qualification of issued crypto-assets. It stipulated that such an asset must meet the following requirements to be considered a security:

• it represents one or more legal situations of a private and patrimonial nature;
• considering the represented legal situation, it is comparable to a typical security; and
• in the information provided by the issuer, there are elements from which the issuer’s commitment to conduct can be inferred, resulting in an expectation of return for the investor, whether it be:
1. the right to income (if the token, for example, grants the right to profits or interest); or
2. the performance of acts by the issuer or related entity suitable for increasing the token’s value.

Therefore, if a token is classified as a security, its ICO will be subject to the rules and obligations for publishing a public offering prospectus as stipulated in the Portuguese Securities Code.

As for other tokens that do not qualify as securities because they do not meet the requirements above, it is necessary to determine whether they fall within the scope of the AML Act regarding entities engaged in activities with virtual assets (ie, VASPs). If so, they are subject to compliance with applicable legal and regulatory provisions relating to AML and counter-terrorism financing (see 7.3 Impact of the Emergence of Cryptocurrency Exchanges).

Please see 12.4 Regulation of “Issuers” of Blockchain Assets.

The regulation of crypto-assets is primarily determined by the categorisation of the assets being traded.

VASPs offering services described in 12.4 Regulation of “Issuers” of Blockchain Assets must adhere to diverse regulatory obligations concerning customer identification and verification, AML and the prevention of financing terrorism.

If the virtual assets are categorised as financial instruments or products, the exchange operator may be required to obtain a licence to offer investment services in compliance with the Portuguese Securities Code, which implements MiFID II, and/or with the DLT Pilot Regime as applicable.

The operation of investment funds in Portugal is subject to the new regulation outlined in the Asset Management Regime, which establishes the legal framework for collective investment undertakings in securities in corporate form and real estate investment funds in corporate form. Within this regulatory framework, no specific provisions exclusively address investments in blockchain assets.

Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.

There is no standalone concept of blockchain asset. The AML Act provides a specific definition of “virtual assets” to identify entities that operate as VASPs and are subject to AML/KYC obligations.

A virtual asset is “a digital representation of value that is not necessarily tied to a legally established currency and does not have the legal status of fiat currency, securities, or other financial instruments. However, it is accepted by individuals or entities as a medium of exchange or investment and can be transferred, stored, and traded electronically.”

The Portuguese legal framework does not include a set of rules governing decentralised finance, which is a broad concept. Depending on the concept of DeFi, the new MiCA Regulation will not impact fully decentralised DeFi platforms. Specifically, crypto-asset services that are fully decentralised without any intermediary and crypto-assets lacking an identifiable issuer are explicitly excluded from MiCA’s scope.

Consequently, the activities of DeFi platforms and decentralised autonomous organisations remain outside the regulatory purview, provided that operational control is genuinely decentralised.

There are no specific regulations in Portugal regarding the issuance or trading of NFTs or the operation of NFT platforms/marketplaces (please see 12.3 Classification of Blockchain Assets).

However, depending on the specific characteristics of an NFT, it may be susceptible to being included in the category of securities, thus being subject to the regulations outlined in the Portuguese Securities Code.

MiCA defines a “crypto-asset” as “a digital representation of a value or of a right that is able to be transferred or stored electronically using distributed ledger technology or similar technology”, excluding NFTs from being classified as crypto-assets. However, this exclusion does not entirely exempt NFTs from falling under the purview of MiCA. The regulation still encompasses the following types of crypto-assets:

• fractional NFTs;
• NFTs issued in a large series/collection;
• crypto-assets featuring a sole NFT element serving as a unique identifier; and
• crypto-assets that, despite being unique and non-fungible, exhibit de facto features linked to practical uses, rendering them fungible and/or not entirely unique.

NFT marketplaces are required to register as VASPs if they enable crypto-to-crypto exchange of assets.

The rules set by PSD2 (Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015) were transposed to the Portuguese legal framework under Decree-Law no. 91/2018, enacting the Regime for Payments and Electronic Money. However, other supranational European regulations and opinions, such as the technical standards set by Regulation (EU) 2018/389 of November 2017 on strong customer authentication, also play a pivotal role when establishing new open banking solutions.

With the adoption of PSD2, two new categories of service provider in the payment industries were created that did not exist before, namely payment initiation service providers (PISPs) and account information service providers (AISPs).

At the same time, PSD2 narrowed the playing field between fintech players and the already well-established legacy players, as they were forced to provide dedicated interfaces allowing the sharing of data originating from their payment accounts.

Open banking marks a pivotal moment for conventional banks as it allows third-party providers, including commercial platforms or alternative payment providers, to deliver banking applications and services directly through open application programming interfaces.

Decree-Law no. 91/2018 of 12 November introduced changes to the provision of payment services in Portugal.

Notable aspects include its application to a wider range of payment operations, the creation and regulation of new types of payment services, the definition of security requirements for the execution of payment operations, and the imposition of greater responsibilities on payment service providers in the execution of unauthorised payment operations.

The impact of this regulation on open banking is reflected in AISPs, which allow the aggregation of information about accounts held with one or more payment service providers in a single application or website.

As for PISPs, they offer the possibility to initiate online payment operations without the customer having to interact directly with their payment service provider. PISP, contracted by the customer, accesses their account on their behalf and initiates the operation.

However, the success of implementing PSD2 in the Portuguese open banking landscape can be considered limited, considering the lack of guidance on the technical solutions to be implemented by the traditional banking sectors to the new fintech players.

The Portuguese framework that transposes PSD2 establishes rules for managing operational and security risks, instructing measures for mitigation and appropriate control mechanisms to handle operational and security risks related to the payment services provided. This law also defines the procedures to be adopted in the event of operational or security incidents, with the Bank of Portugal being the entity responsible for taking all necessary measures to protect the security of the financial system.

Another aspect regarding data security is the implementation of strong customer authentication measures for specific events, ensuring the confidentiality and integrity of users’ personalised security credentials for payment services. Violating these measures can result in severe offences, subject to significant fines.

Regarding data protection, PISPs must ensure that:

• information about the customer is only provided to the payee and only with the customer’s explicit consent;
• the information requested from the customer shall only be that necessary to provide the services;
• data will not be used, accessed or stored for any other purposes; and
• the scope of data to be shared with AISPs and PISPs by the Account Servicing Payment Service Providers does not include the customer’s identity (eg, address, date of birth, etc).

AISPs must ensure that they access only the information from designated payment accounts and associated payment transactions. Also, regulatory technical standards on strong customer authentication and secure communication place a limit of four times a day on an AISP’s access to payment account data without the customer being directly involved.

The EU rigorously regulates both domains, with GDPR extending its reach to cover open banking and broader financial sector regulations, encompassing directives such as PSD2.

Portugal has criminalised insider dealing and market manipulation in regulated markets but does not provide specific provisions for fraud in financial services. The generic criminal provisions set out in the Portuguese Penal Code can apply if the objective legal elements are met. The most similar specific crime in the financial services sector would be the use of false or misleading information in investment solicitation, which can result in imprisonment of between six and eight years, with loss of gains of the perpetrator for engaging in such practice.

The most closely related crime in the financial services sector, in this case, would most of the time be that which is known as “Burla”, which criminalises the conduct of “whoever, with the intention of obtaining for themselves or for a third party illegitimate enrichment, by means of error or deceit about facts that they cunningly provoked, induces another person to perform acts that cause them or another person patrimonial damage”, leading to a punishment of imprisonment up to three years or a fine.

The Portuguese Penal Code establishes an aggravated “Burla” classification when the loss incurred by the victim is greater than EUR5,100. In these cases, the penalty can be imprisonment of up to five years. If other conditions are met, the term of imprisonment can go up to eight years.

Any fraudulent agent should also be aware that he or she will likely also be charged with forgery, tax fraud and money laundering.

Regulators are not focused on any specific type of fraud and will communicate any crimes they detect while exercising their supervisory powers and conducting inspections.

Considering the severity of the penalities applicable to financial crimes, most industry players do not flirt with such crimes because of the actual risk of incarceration, loss of gains and professional licence cancellation.