In 2023, the Portuguese fintech sector kept its resilience and stability. The main novelties in the Portuguese legal framework relate to changes in the taxation of income derived from virtual assets, the enactment of Bank of Portugal regulations applicable to crypto service providers, and new tax benefits applicable to start-ups and scale-ups. Finally, new rules were enacted to allow the implementation of the distributed ledger technology (DLT) pilot scheme for market infrastructures based on Regulation (EU) 2022/858 of the European Parliament and of the Council of 30 May 2022 on a pilot regime for market infrastructures based on distributed ledger technology (“DLT Pilot Regime”).
From a regulatory perspective, the greatest expected impact in 2024 will revolve around:
MiCA will likely have the practical effect of narrowing the regulatory framework between what could be called the “old school” players in the financial services and capital markets, and the “new players” usually known as fintechs.
Portuguese fintechs are a varied group of ventures. Fintech verticals in Portugal include payment services, neobanks, capital raising instruments, lending platforms, bank account aggregators, personal finance apps, crowdfunding platforms and insurance providers. Established legacy players are also present in investing, developing or promoting fintechs. The largest number of players follow a business-to-business model.
There is no general provision regulating the fintech industry in Portugal. The applicable regulatory framework is dispersed and depends on the client’s business model, sector and type of clients. Despite a case-by-case assessment being imperative, it is generally possible to identify the main regulatory framework that will likely apply to new fintechs:
The above-mentioned Acts are the foundational framework applicable to most fintechs. Other provisions and regulations may apply, and any entrepreneur in this sector must comply with the ordinances issued by regulators and supervisory authorities that are regularly enacted in light of ongoing developments in sectorial practices. In addition to local laws, regulations and ordinances, fintech activities are also extensively regulated by EU frameworks.
The Portuguese legal framework does not provide pre-established compensation models or mechanisms for fintechs. Compensation schemes will largely depend on the type of business or project being developed, applicable regulations and type of clients. The applicable rules generally stem from the Markets in Financial Instruments Directive II (“MiFID II”).
The compensation models for a fintech project will usually be designed under a commission, fee or interest loan model.
Under the commission model, the industry participant will draw compensation from the subscription or closing of the position of a specific product. Under a fee-based model, the industry participant will collect a fee (fixed or variable) for rendering a specific product or service.
The particulars of each commission or fee model will largely depend on the regulatory landscape covering a given business activity, which, in some cases, may need to be segregated into different vehicles to obtain the practical effect desired by the industry participant.
For example, asset management and investment fund companies can draw commissions as established in their management rules. Still, they will not be allowed to charge a commission when a specific fund invests in other funds that the managing company of the fund controls.
In the context of payment and e-money institutions, there is the possibility of granting loans so long as they are associated with and exclusively granted for the sole purpose of the payment operation requested by the user and so long as the loan is reimbursed within 12 months. In such cases, the payment or e-money institution must ensure that the user has sufficient funds available under the ordinances issued by the Bank of Portugal.
The main rule to be followed is that the compensation model deployed by an industry participant needs to be transparent, proportionate, explained in detail to the customers or users and designed in such a way that no conflict of interest arises from its application. Disclosure of compensation models must take place prior to entering into a contract or transaction (as applicable).
There are not many differences between the regulation of fintech industry participants and of legacy players. The Portuguese legislature has significantly narrowed the legal framework asymmetry that previously existed between fintech and legacy players by mirroring its EU counterparts and adopting the “same activity, same risks, same rules” principle.
In practical terms, the convergence between the applicable legal framework set for legacy players and that for fintech industry participants has translated into higher entry costs to “new players” but, at the same time, has provided much-needed legal security when deploying a new financial solution in the market.
It is expected that legacy players will have an initial advantage when digging into the fintech space, considering the need to comply with tighter and heftier compliance, supervision and regulatory obligations. However, if they are able to overcome the regulatory burden set by the national and EU regulations, new players will often enjoy more flexible management and a swifter decision-making process, allowing them to develop and deploy new solutions to address market needs that are “off the radar” of legacy players. In some cases, some regulatory exemptions will apply, which may render the development of a fintech project substantially easier.
In 2021, the Portuguese government enacted general principles for the creation and regulation of Technological Free Zones, which could lead to the creation of regulatory sandboxes. Nonetheless, there is currently no particular regulatory sandbox in Portugal for fintech projects. This means that most industry participants will need to comply in part or in full with applicable regulations (some of which are listed in 2.2 Regulatory Regime).
In 2018, the Portuguese regulators created an innovation hub named the “Portugal FinLab”, opening a communication channel with new players in the fintech industry. The three main regulators participating in the FinLab are Autoridade de Supervisão de Seguros e Fundos de Pensões (“Insurance and Pension Funds Supervisory Authority”), Banco de Portugal (“Bank of Portugal”) and Comissão do Mercado de Valores Mobiliários (“Securities Market Commission”), which are usually the three leading independent regulators in the Portuguese jurisdiction.
The Portugal FinLab’s purpose of providing a communication channel with the regulators allows start-ups and new players to navigate the complexity of the legal framework. However, it is not a sandbox facilitator. The only sandbox regime applicable is the DLT Pilot Regime, but it is not domestic in nature.
Four main national regulators have jurisdiction over industry participants, each with a specific field of jurisdiction:
Participants may fall under the scope of one or more regulators depending on the nature of the project to be developed.
Unregulated functions can be mostly outsourced at will. By contrast, regulated functions are required, in certain instances, to be disclosed to the competent regulator and must follow a particular set of rules. As a rule, both the nature and extent of the outsourcing must always be contractually defined and notified.
The European Banking Authority’s revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) are applicable to fintechs operating under MiFID II rules, and to credit institutions, payment service providers and electronic money institutions. In May 2020, the Bank of Portugal issued a Circular Letter establishing that such regulations are applicable. Later on, in 2023, a Bank of Portugal Notice established a specific framework for the registration of outsourcing agreements, requiring participants to maintain a complete and permanently updated register of all subcontracting agreements, including the functions subcontracted to intragroup service providers, and to provide notice to the Bank of Portugal of any intention to subcontract an essential or important function with a minimum of 15 days’ notice.
From a contractual perspective, matters covered in outsourcing agreements will include service level standards, business continuity, liability allocation, data protection, client risk management, protection of assets or funds if custody is transferred, AML compliance and use or licensing of IP rights.
From an employment law perspective, restrictions apply to the outsourcing of functions to an ex-employee who was terminated during the previous 12 months. Portugal also has transfer of undertaking rules that may impact outsourcing arrangements.
There is no legal concept of gatekeeper nor a specific liability regime for fintechs. Therefore, the characterisation or imposition of a service provider to act as a gatekeeper varies. Different market participants may be subject to distinct types of liability or scrutiny by regulators depending on the effective role played. In particular, obligations to report suspected money laundering activities apply across most sub-industries of fintech.
Portuguese regulators may often deploy routine inspections and audits to legacy and fintech participants. Depending on the seriousness of any breach found by the regulator, different penalties may apply, ranging from a mere administrative notice to hefty fines and, finally, to licence or authorisation suspension or revocation.
Where the regulator finds a breach of regulatory provisions, the outcome of the proceeding may be settled between the fintech participant and the regulator or disputed administratively and, upon conclusion, argued in the competent court. All supervisors have official websites where the fines imposed and the results of enforcement actions can be accessed.
Several non-financial regulations may apply to fintechs.
Considering the scope of the activities developed by many fintech industry participants, Regulation (EU) 2022/2554 of the European Parliament and the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) may also apply, imposing the need to deploy security measures to protect ICT systems used.
GDPR will likely apply as many fintechs process personal data as part of their business model. The Portuguese supervisory authority is the National Data Protection Commission.
Under Law no. 46/2018 of 13 August, which transposed the EU Network and Information Systems (NIS) Directive (2016/1148) into the domestic legal framework, fintech participants are required to have robust security measures in place against cyber threats. Encryption, access control, incident response, disaster recovery and business continuity plans are some of the contingencies for which measures must be in place.
Besides regulators, fintech industry participants often use two types of audits, namely internal and external audits.
Internal audits are a series of internal procedures to ensure activities are compliant with regulations. In most instances, fintechs must disclose the content of their internal organisational mechanisms to the supervisory regulator before initiating activities. It is customary to hire external auditors to test and assess whether the previously established compliance mechanisms are up to par with provisions and regulations in force or need adjustments.
Considering that the violation of regulatory rules could result in hefty fines, fintech industry participants prefer to either outsource part of their financial or non-financial obligations to third parties or hire third-party private auditors to ensure they comply with their obligations.
Unless otherwise provided, industry participants may generally offer “regulated” and “unregulated” services. The issue of providing “regulated” and “unregulated” services was broadly seen as an issue before the development of proper regulations regarding virtual assets, which, for an extended period, could have been considered unregulated assets. With supervisors catching up with these new types of assets or services, one can argue that most activities are now regulated and that every product or service is likely to fall under the scope of some sort of regulation.
In practical terms, fintech industry participants may be forced to undergo several different but parallel types of licensing, which, in many cases, will be independent of one another but deeply intertwined. For instance, fintechs wishing to deploy exchanges where crypto-to-fiat operations occur and associated payment services are provided may be requested by the supervisory authority to segregate these activities to mitigate the potential risks and conflicts of interest. In such cases, the solution may involve the creation of two separate legal entities covering each specific activity.
Most fintech companies must deploy internal AML and KYC provisions to get their licences and conduct their activities under the scope of the AML Act, which contemplates several duties such as the need to establish policies and control procedures to identify money laundering risks.
The AML Act also forces fintech projects to identify their users through KYC procedures before engaging in a business relationship or whenever establishing transactions in the amount of EUR15,000 or above or dealing with virtual assets in the amount of EUR1,000 or above.
Fintechs should be able to refuse service to non-compliant customers or if they suspect that services or products might be utilised in money-laundering activities or connected with the financing of terrorist organisations. When deploying their AML/KYC policies, fintechs must be ready to deploy sophisticated systems to control, monitor and identify possible money-laundering activities, swiftly notify the competent authorities, and collaborate with the authorities when requested.
In practical terms, some of the duties of customer identification can be outsourced to third parties.
There is no specific law regulating the services provided by robo-advisers. Therefore, they are likely considered to fall under the definition of order execution, investment advisory services or portfolio management. Usually, robo-advisers are used for trading in traditional securities, such as shares, bonds, exchange-traded funds, and other financial instruments regulated under the Portuguese Securities Code and other ordinances issued by the Securities Market Commission. Fintechs operating under this model will also be subject to MiFID II rules.
For fintech players wishing to deploy robo-advisers trading both financial instruments and virtual assets, a hybrid licence would need to be secured because the competent authority of Portugal to authorise activities involving the custody of virtual assets is the Bank of Portugal.
Legacy players such as banks and fund management institutions have been paying close attention to robo-advisers. New solutions are expected to be developed in the future, considering the advantages they bring from a mass investment perspective and the ability to capture many retail investors. In Portugal, Banco Best is the only known retail bank offering a robo-adviser-based solution for investment in financial instruments.
In the event that robo-adviser services fall under the scope of MiFID II, “best execution” obligations require participants to take all sufficient steps to obtain the best possible result for clients.
Lending is an activity reserved to authorised credit and financial institutions, regardless of the type of borrower. In general, authorisation by the Bank of Portugal is required to grant loans as it is deemed to be a banking activity. Some forms of peer-to-peer lending would fall within the concept of crowdfunding and be regulated by the Securities Market Commission.
Depending on the type of loan, such as a consumer or asset-backed loan, rules vary in relation to certain criteria such as effort rates, interest rates and maturity date.
Consumer loans are regulated by Decree-Law no. 133/2009 of 2 June in line with Directive 2008/48/EC of the European Parliament and the Council of 23 April 2008. The Law on Distance Contracting of Financial Services would also apply. In most cases, a consumer is able to cancel a loan agreement within 14 days.
For mortgage-backed loans, the general provisions are provided by Decree-Law no. 74-A/2017 of 23 June, which transposes Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property. Under the above-mentioned provisions, lenders must refrain from unfair and misleading advertising practices and are obliged to present adequate information on the conditions of the loans being offered to the consumer.
Micro and short-term loans are also allowed for payment and e-money institutions provided that the creditors meet some criteria and conditions.
Lending institutions manage the underwriting process until a loan agreement is concluded. This process entails assessing the borrower’s creditworthiness, conducting credit rating checks, and utilising internal risk classification procedures and external credit assessments. The type of collateral provided also has a bearing on the approval process. Each Portuguese bank usually has its own set of underwriting criteria.
The regulatory landscape governing credit checks on consumers, particularly for consumer real estate loans, is multifaceted. The Consumer Credit Directive (2008/48/EC), incorporated into Portuguese law, is the cornerstone for overseeing all consumer loan agreements. However, the evolving nature of financial transactions necessitates ongoing updates to regulatory frameworks.
Moreover, real estate-backed loans are subject to additional stringent regulations under the Mortgage Credit Directive (2014/17/EU), which is also transposed into Portuguese law. These regulations encompass various aspects including advertising, contractual information dissemination and rigorous credit checks. The overarching goal is safeguarding consumers’ interests and ensuring responsible lending practices within the real estate sector.
The traditional Portuguese lending market relies on deposit-based solutions, involving a banking licence. From a commercial perspective, legacy players such as banks and credit institutions are in a position to draw funding from deposits. They are usually backed by solid human and technological resources allowing those players to collect deposits, enter into inter-bank lending, and issue debt and securitisations.
Specialised lending organisations, such as retail credit firms, have various avenues to secure funds for their lending operations. They can raise capital through securitisations or borrowing from other investors or institutions. Additionally, they may utilise peer-to-peer lending platforms, such as crowdfunding service providers, to access funds.
Peer-to-peer lending platforms will allow investors’ funds to be sourced.
Syndicated loans involve several parties and complex documentation, and are mostly used for acquisitions or in the context of restructuring. Therefore, loan syndication is reserved for the largest transactions, falling outside the market scope and practice of most fintech players. Typically, the most significant financing contracts are conducted outside of online platforms, contributing to the limited occurrence of loan syndication in the country.
Payment rails represent the digital infrastructure, facilitating cashless transactions by transferring funds from a payer to a payee. Payment processors have the flexibility to select their preferred payment rail. However, certain fixed transaction systems have become established within traditional account-based payment systems.
For instance, within the Single Euro Payments Area (SEPA), bank transfers occur through the SEPA Instant Transfer Scheme, facilitating transfers between bank accounts. Faster Payments’ “Instant Payment” rail allows swift bank-to-bank transfers, a component of the European SEPA system widely supported by banks and savings banks in Portugal. This service operates round the clock, enabling users to execute transfers promptly.
Additionally, payments can be initiated via the SWIFT network to any member bank worldwide.
Modern payment methods diverge from conventional networks, enabling direct peer-to-peer transfers without intermediary financial institutions. This innovation allows users to transfer funds between accounts, bypassing traditional banking systems seamlessly.
It should be noted that although there is no legal impediment to developing and using alternative payment rails, the payment service scene in Portugal is highly dominated by SIBS, which holds control over the ATM network and is considered one of the most advanced systems in the world.
Payment transactions are governed by the EU Payment Services Directives, adopted into Portuguese law through Decree-Law no. 91/2018 of 12 November, and fall within the jurisdiction of the Bank of Portugal.
As an EU member state, Portugal falls under the geographical influence set by the SEPA Regulation (Regulation (EU) No 260/2012), which outlines the SEPA, crucial in facilitating seamless cross-border money transfers. For instance, the regulation prohibits companies from rejecting cross-border direct debits, commonly called “IBAN discrimination”, by mandating acceptance of all EU payment accounts reachable through SEPA mandates.
Non-regulatory rules regarding cross-border payments and currency remittance usually stem from AML and anti-tax fraud concerns, with mandatory documenting and reporting required. Portugal transposed Directive (EU) 2020/284 (as regards introducing certain requirements for payment service providers) imposing additional requirements on payment service providers to maintain records for three years.
Regulations governing funds and fund administrators vary depending on the asset classes invested in by the fund. There are no special rules applicable to fintechs in this regard.
Investment funds falling under the criteria outlined in the UCITS Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) are classified as UCITS.
UCITS funds, with certain exceptions, are restricted to investing in shares, money market instruments and investment fund units. Additionally, they must obtain authorisation from the Securities Market Commission. The prerequisites for becoming a UCITS management company and initiating a UCITS fund are stipulated in the regulations of the Securities Market Commission.
On the other hand, investment funds that do not meet UCITS criteria are categorised as alternative investment funds (AIFs). These may include private equity funds or real estate funds. The management and marketing of AIFs fall under the jurisdiction of AIF managers (AIFMs), who are governed by the Alternative Investment Fund Manager Directive 2011/61/EU.
The fund administrators have risk management and asset valuation functions. Compliance with such functions is required for all fund administrators and fund management companies, including small ones, unless such compliance is proven to be inappropriate under a proportionality assessment, considering the operation’s level of complexity and the fund’s investment strategy.
There are no specific legal provisions governing the relationship between fund administrators and fund advisers other than the rules governing the outsourcing of crucial functions of a regulated entity. In any case, it would be recommended for the advisory agreement to comply with rules governing data privacy and AML obligations, in addition to having well-designed liability and conflict of interest provisions. Providing clear service-level and key performance indicators is also essential.
All management funds must have an investment policy, management regulation and a well-described compensation model. Together with the Asset Management Regime, there are restrictions imposed on outsourcing of functions. Outsourcing of functions requires prior notice to the Securities Market Commission, and both the competence of the subcontracting entity and the selection process due diligence must be approved. No type of outsourcing can prevent a managing company from acting on behalf of or managing the fund, nor impede or hinder its supervision. The fund manager is the key decision maker and therefore deviation from the investment purpose is not possible.
The regulation applicable to financial assets trading platforms derives from MiFID II rules.
Euronext Lisbon, the only stock exchange in Portugal, is the most prominent trading ground for shares and other securities. Securities trading platforms are supervised by the Securities Market Commission, ensuring compliance with transparency and market integrity standards.
Multilateral trading facilities (MTFs) are also regulated under Portuguese law and constitute alternative trading platforms enabling securities trading beyond conventional stock exchanges. MTFs are subject to the Securities Market Commission and offer more adaptable trading conditions at lower costs. The only MTFs in operation in Portugal are Euronext Growth and Euronext Access, both managed by the Euronext group.
Organised trading platforms (OTFs) specialise in trading specific securities such as derivatives and have stricter regulations when compared to MTFs. They must satisfy transparency and market integrity criteria while ensuring the absence of conflicts of interest influencing trade execution.
The new EU DLT Pilot Regime offers the opportunity to develop new types of platforms, but the novelty of this new legal framework has yet to be put to the test in the Portuguese jurisdiction, despite domestic legislation already having been enacted to allow its implementation.
Finally, crypto exchange platforms can also be considered a regulated marketplace. See 7.3 Impact of the Emergence of Cryptocurrency Exchanges for more details.
Different asset classes will have different regulations and, in some cases, fall under the supervision of different regulators. Financial instruments typically fall under the scope of MiFID II, and fintech operators operating marketplaces are supervised by the Securities Market Commission. Virtual assets, if qualified as securities, will fall under the jurisdiction of the Securities Market Commission and are regulated by the DLT Pilot Regime and recently enacted domestic regulations. At the same time, fintech operators may require authorisation from the Bank of Portugal to operate as virtual asset service providers if non-security virtual assets are traded.
Hypothetically, depending on the virtual asset admitted to trading in the marketplace, a virtual asset service provider (VASP) licence may be required (issued by the Bank of Portugal) in addition to the enrolment of the exchange with the Securities Market Commission.
Cryptocurrency exchanges, regardless of their level of centralisation, must always secure a VASP licence from the Bank of Portugal to conduct their activities. A VASP licence focuses on the KYC and AML screening aspects of the fintech operator, in line with Portugal’s transposition of the Fifth AML Directive (2018/843), as set forth by the AML Act.
The emergence of cryptocurrency exchanges has not yet impacted current domestic regulations. Still, it has drawn the attention of Portuguese supervisors. The Securities Market Commission determined that, depending on the characteristics and features of a given virtual asset, it may fall under the concept of a financial instrument and, therefore, trading or issuance of such assets is under its supervision.
There are no specific listing requirements applicable to fintech companies. All trading platforms are required to have public, transparent and non-discriminatory rules based on objective criteria ensuring the good functioning of the trading platform.
Listing requirements in a Portuguese regulated market are governed by the Portuguese Securities Code, by regulations and instructions approved by the Securities Market Commission and by Euronext’s Rule Books and Notices. Listing is also governed by the MiFID II rules, the Prospectus Regulation (2017/1129/EU), the Market Abuse Regulation (596/2014/EU) and the Transparency Directive (2004/109/EC) (as amended).
MiFID II dictates order handling rules, and the Portuguese Securities Code imposes the “best execution” principle on any financial administrator. Orders should be executed at the moment indicated by the client. When the client has not provided specific instructions, the financial intermediary must try to obtain the best possible result for the client, attending to several criteria such as price, costs, speed, the likelihood of execution and liquidation, or another pre-established factor in the EU legislation.
An intermediary will be required to inform the client beforehand of its execution policy, and any change in the execution of the orders must be communicated in advance. An intermediary may partially execute orders unless the client orders against it.
Peer-to-peer platforms have been increasing in numbers, and the crowdfunding market can be described as having gone beyond proof of concept. Both new players and legacy institutions have manifested some interest in this new type of platform granting access to investors to several markets encompassing real estate, socially responsible investments, SMEs, etc.
The level of legal sophistication applied in developing such platforms varies depending on the type of investments offered to the public. For example, it is possible to find in the Portuguese market a solution where a crowdfunding platform has opted to create hybrid solutions going through several types of licences such as payment, crowdfunding and insurance licences. In contrast, others opt for a more modest approach to retain a crowdfunding licence.
The ability to passport the crowdfunding licence to other EU member states, allowing new investment opportunities to different markets, has spiked the interest of some newly established players and legacy institutions.
Please see 7.5 Order Handling Rules.
Financial intermediaries must select their trading and execution venue based on a “best execution” policy, and must provide their clients with information on costs and expenses per service and per financial instrument.
In addition, inducement rules prevent firms from paying benefits to or receiving benefits from third parties, with a few exceptions. Notably, it is possible for firms to receive payments or inducements if required for the rendering of services, in situations where it is deemed to enhance the quality of the services, if the amount has been clearly disclosed beforehand to the client and provided that it does not interfere with the obligation of the investment firm to act honestly, fairly and professionally in accordance with its clients’ best interests.
Portugal criminalises insider dealing and market manipulation in regulated markets. The fundamental tenets of market integrity and the prevention of market abuse originate from Regulation (EU) No 596/2014, commonly known as the Market Abuse Regulation. The Market Abuse Regulation explicitly prohibits activities such as insider dealing, trading, the unauthorised disclosure of inside information and market manipulation, while incorporating measures to pre-empt and identify such misconduct.
High-frequency and algorithmic trading (HFAT) is allowed under the Portuguese Securities Code, bringing significant benefits to the market such as increased speed of orders, increased market liquidity and reduction of bid-ask spreads.
However, there are also some risks associated with HFAT, such as:
The general legal framework for HFAT is set out in MiFID II and the Portuguese Securities Code, which stipulates all financial intermediaries deploying such systems must keep registries of all placed orders, including cancellations, which must be immediately made available to the Securities Market Commission upon request.
Before initiating HFAT operations, any intermediary must communicate this intention to the Securities Market Commission and must provide:
A financial intermediary can operate as a market maker through algorithmic trading provided it has informed the Securities Market Commission. Still, it must ensure that the market-making activity is conducted continuously during the negotiation period of the platform and ensure market liquidity periodically and predictably.
A written agreement must be entered into with the trading platform establishing the conditions regarding how the liquidity and continuity of the market activity are to be ensured.
Additionally, security and control systems must be designed and put in place, allowing the monitoring of whether the conditions set out in the agreement entered into by the market makers and the platform are being consistently fulfilled.
There is no distinction made between funds and dealers engaged in these activities in the Portuguese jurisdiction.
The Portuguese legislation closely follows Commission Delegated Regulation (EU) 2017/589, delineating the regulatory technical standards that are the organisational requisites for investment firms involved in algorithmic trading. As per these standards, an investment firm must ensure it has an adequate workforce equipped with the requisite skills and technical proficiency to oversee:
Even in outsourcing or procuring software or hardware utilised in algorithmic trading activities, the investment firm bears full responsibility for its regulatory obligations. It is worth noting that these regulations do not directly apply to programmers responsible for developing or creating trading algorithms or other electronic trading tools.
There is no set of specific regulations or laws governing DeFi.
Financial research platforms are not subject to registration, nor are they regulated. However, it should be noted that this is only true if no financial advice is provided to customers.
Spreading rumours and other unverified information, independently of the nature, type or structure of the agent, can be deemed to constitute market manipulation, leading to penalties and fines, and be construed as a criminal offence.
We are unaware of any platform where “pump and dump” schemes are used in the Portuguese jurisdiction. Such schemes are forbidden by national and EU law. Should a platform or any other intermediary notice the existence of such schemes, it should immediately report this to the competent authorities. Regardless of the platform’s involvement in such schemes, in the event of illegal practices becoming apparent, lack of reporting can be deemed to be complicit behaviour with practical repercussions for the organisation. Platforms are generally required to curate conversations regarding copyright infringement, threats of violence, etc.
The insurance industry uses several underwriting processes, which will significantly depend on the type of business model developed by the industry participant.
It should be noted that insurance activity is regulated in Portugal under Law no. 147/2015 of 9 September and that various types of authorisations are available under this legal framework depending on the intended business model.
Most fintechs in insurtech operate brokerage models where data collection is remitted to a regulated insurance company, which will then apply its internal risk analysis methodology depending on the type of policy requested by the client. Insurance intermediation is also a regulated activity in Portugal.
In Portugal, there are several types of insurance, some being mandatory by law or contract.
As examples of mandatory insurance in Portugal, one can point out the following:
In some cases, the minimum coverage and conditions set by a type of insurance will be defined by ordinances issued by the ministerial department with jurisdiction over the sector in question.
Authorised insurance companies can engage in insurance activities in both the life and non-life sectors but must adopt distinct management for each activity, ensuring that both sectors are kept separate. Distinct minimum capital requirements are set for direct insurers and reinsurers, for life and non-life policies. The promotion and sale of distinct types of insurance products are subject to specific requirements, notably with regard to information duties.
Legacy players tend to specialise in either life or non-life insurance policies.
Regtech providers are not directly regulated so long as they do not render any service that is directly regulated as a subcontracted function or provide what could be considered reserved advice for some professions.
With the rise of new fintech solutions leading to the development of new regulatory frameworks, the compliance cost for all players, whether new or legacy ones, has risen in recent years. In turn, fintechs have devised new and ingenious ways to streamline the procedures for complying with all the requirements imposed by this new legislation and regulation.
The category under which a potential regtech could theoretically be considered to be regulated needs to be assessed on a case-by-case basis, depending on the depth and level of “compliance activity” being developed. Assessing whether a particular solution is within the scope of a regulated sector or profession is not simple. For example, KYC services are strongly prone to being outsourced. In this case, the fintech solution provider should be aware that this third-party service provider could fall within the scope of the AML Act.
Another issue that should be considered when developing a regtech project is to be aware that certain outputs can be construed as legal advice, which in some jurisdictions is illegal because such advice is reserved to licensed professionals such as lawyers, financial analysts and advisers.
The cornerstone of the assessment will mainly depend on the complexity of the analyses being offered by the solution, which may be considered of a technical nature in some cases or “mechanical” in others. When confronted with regtech solutions producing deliverables or results based on technical analyses, it would be advisable that the regtech player deploys experienced professionals to validate and confirm the results produced by the solution. In cases where the result of the activity undertaken translates to a mere fulfilment of mechanical procedures of reporting and information registration integrated into a workflow, such issues are less likely to arise.
In any case, and considering that, in most cases, regtech solutions tend to require access to sensitive and personal data, all projects are likely to fall under GDPR rules and DORA.
As stated in 11.1 Regulation of Regtech Providers, there is no specific set of provisions for regtechs.
To engage with this emerging trend, traditional banks, insurance firms and asset management entities are actively fostering their own financial innovations. They either outsource specific tasks to relevant service providers, form collaborations or partnerships with them, or actively endorse and integrate with promising start-ups. This constitutes a change in legacy players’ approach to blockchain and cryptocurrencies, a topic mostly shunned or ignored in the past.
Blockchain technology can, for example, play a significant role in new methodologies for authenticating the identity of economic agents due to the multilaterally controlled nature of information present in a registry concerning past operations and behaviours. Additionally, it can enable or enhance peer-to-peer financing mechanisms through the internet and even allow for efficiency gains in accounting and auditing procedures within banking activities.
There are various possibilities for using blockchain in the financial sector, notably registering ownership and operations relating to financial instruments.
In Portugal, there is no specific regulation for blockchain or DLT as a standalone technology. The regulatory focus on blockchain is limited to its use in the context of services involving securities, payments, financial intermediation or investment services, in addition to tackling any money-laundering-enabling features it may have.
The most recent set of rules stems from the DLT Pilot Regime. DLT financial instruments are financial instruments within the meaning of MiFID II that are issued, recorded, transferred and stored using a distributed ledger technology. One of the existing types of DLT, and the most well-known, is blockchain. The new Portuguese legislation encompasses a wide range of activities for operators of DLT-based market infrastructures. Operators are authorised to:
However, Decree-Law No. 66/2023 is limited to shares, bonds, and units of participation in collective investment schemes.
These operators act as financial intermediaries under the Portuguese Securities Code, and the Securities Market Commission is the competent national authority for granting and revoking specific authorisations to operate a multilateral trading or securities settlement system based on DLT.
Currently, no overarching legal framework or singular legal definition for blockchain assets is applicable within Portugal. The terminology surrounding these assets varies, adding to the complexity. For instance, the Portuguese regulator prefers the term “virtual assets” instead of “blockchain assets”, while the EU has employed “crypto-assets”, as evidenced in MiCA.
Irrespective of the terminology employed, the classification of blockchain assets as regulated financial instruments is contingent upon the specific characteristics of each asset. This determination must be made on a case-by-case basis, considering whether the asset falls within the purview of existing financial services regulation.
In accordance with the current legal framework, specific blockchain assets meet the criteria to be classified as financial instruments under MiFID II (and its incorporation into Portuguese law) or under the Portuguese Securities Code. In essence, any blockchain asset exhibiting the attributes of a financial instrument is likely to meet the criteria for regulation within this framework.
Portuguese law does not itself provide a concrete definition of the types of tokens that can be considered securities. It is necessary to analyse the characteristics of each token to determine whether it qualifies as a security under the Portuguese Securities Code.
The categorisation of non-fungible tokens (NFTs) remains uncertain, as their status as digital assets or tokens is contingent upon their specific features and the associated rights they confer. Generally, most NFTs fall outside the concept of securities due to their non-fungible nature. However, this conceptualisation may be challenged in situations where NFTs are fractionalised and divided into smaller tradable units, a process similar to how traditional assets can be securitised and divided into shares.
The MiCA Regulation, in force as of July 2023, extends its coverage to include novel categories of crypto-assets that previously fell outside the scope of conventional EU regulation. The definition of crypto-assets consists of “a digital representation of a value or of a right that is able to be transferred or stored electronically using distributed ledger technology or similar technology”.
The applicable new rules, which include, in particular, transparency and authorisation requirements, will differ based on the characteristics of the token, as MiCA differentiates between e-money tokens, asset-referenced tokens and utility tokens.
The Securities Market Commission’s first regulatory approach consisted of a communication to entities involved in launching initial coin offerings (ICOs) regarding the legal qualification of issued crypto-assets. It stipulated that such an asset must meet the following requirements to be considered a security:
Therefore, if a token is classified as a security, its ICO will be subject to the rules and obligations for publishing a public offering prospectus as stipulated in the Portuguese Securities Code.
As for other tokens that do not qualify as securities because they do not meet the requirements above, it is necessary to determine whether they fall within the scope of the AML Act regarding entities engaged in activities with virtual assets (ie, VASPs). If so, they are subject to compliance with applicable legal and regulatory provisions relating to AML and counter-terrorism financing (see 7.3 Impact of the Emergence of Cryptocurrency Exchanges).
Please see 12.4 Regulation of “Issuers” of Blockchain Assets.
The regulation of crypto-assets is primarily determined by the categorisation of the assets being traded.
VASPs offering services described in 12.4 Regulation of “Issuers” of Blockchain Assets must adhere to diverse regulatory obligations concerning customer identification and verification, AML and the prevention of financing terrorism.
If the virtual assets are categorised as financial instruments or products, the exchange operator may be required to obtain a licence to offer investment services in compliance with the Portuguese Securities Code, which implements MiFID II, and/or with the DLT Pilot Regime as applicable.
The operation of investment funds in Portugal is subject to the new regulation outlined in the Asset Management Regime, which establishes the legal framework for collective investment undertakings in securities in corporate form and real estate investment funds in corporate form. Within this regulatory framework, no specific provisions exclusively address investments in blockchain assets.
Please see 7.3 Impact of the Emergence of Cryptocurrency Exchanges.
There is no standalone concept of blockchain asset. The AML Act provides a specific definition of “virtual assets” to identify entities that operate as VASPs and are subject to AML/KYC obligations.
A virtual asset is “a digital representation of value that is not necessarily tied to a legally established currency and does not have the legal status of fiat currency, securities, or other financial instruments. However, it is accepted by individuals or entities as a medium of exchange or investment and can be transferred, stored, and traded electronically.”
The Portuguese legal framework does not include a set of rules governing decentralised finance, which is a broad concept. Depending on the concept of DeFi, the new MiCA Regulation will not impact fully decentralised DeFi platforms. Specifically, crypto-asset services that are fully decentralised without any intermediary and crypto-assets lacking an identifiable issuer are explicitly excluded from MiCA’s scope.
Consequently, the activities of DeFi platforms and decentralised autonomous organisations remain outside the regulatory purview, provided that operational control is genuinely decentralised.
There are no specific regulations in Portugal regarding the issuance or trading of NFTs or the operation of NFT platforms/marketplaces (please see 12.3 Classification of Blockchain Assets).
However, depending on the specific characteristics of an NFT, it may be susceptible to being included in the category of securities, thus being subject to the regulations outlined in the Portuguese Securities Code.
MiCA defines a “crypto-asset” as “a digital representation of a value or of a right that is able to be transferred or stored electronically using distributed ledger technology or similar technology”, excluding NFTs from being classified as crypto-assets. However, this exclusion does not entirely exempt NFTs from falling under the purview of MiCA. The regulation still encompasses the following types of crypto-assets:
NFT marketplaces are required to register as VASPs if they enable crypto-to-crypto exchange of assets.
The rules set by PSD2 (Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015) were transposed to the Portuguese legal framework under Decree-Law no. 91/2018, enacting the Regime for Payments and Electronic Money. However, other supranational European regulations and opinions, such as the technical standards set by Regulation (EU) 2018/389 of November 2017 on strong customer authentication, also play a pivotal role when establishing new open banking solutions.
With the adoption of PSD2, two new categories of service provider in the payment industries were created that did not exist before, namely payment initiation service providers (PISPs) and account information service providers (AISPs).
At the same time, PSD2 narrowed the playing field between fintech players and the already well-established legacy players, as they were forced to provide dedicated interfaces allowing the sharing of data originating from their payment accounts.
Open banking marks a pivotal moment for conventional banks as it allows third-party providers, including commercial platforms or alternative payment providers, to deliver banking applications and services directly through open application programming interfaces.
Decree-Law no. 91/2018 of 12 November introduced changes to the provision of payment services in Portugal.
Notable aspects include its application to a wider range of payment operations, the creation and regulation of new types of payment services, the definition of security requirements for the execution of payment operations, and the imposition of greater responsibilities on payment service providers in the execution of unauthorised payment operations.
The impact of this regulation on open banking is reflected in AISPs, which allow the aggregation of information about accounts held with one or more payment service providers in a single application or website.
As for PISPs, they offer the possibility to initiate online payment operations without the customer having to interact directly with their payment service provider. The PISP, contracted by the customer, accesses their account on their behalf and initiates the operation.
However, the success of implementing PSD2 in the Portuguese open banking landscape can be considered limited, given the lack of guidance on the technical solutions that the traditional banking sector is to implement for the new fintech players.
The Portuguese framework that transposes PSD2 establishes rules for managing operational and security risks, requiring mitigation measures and appropriate control mechanisms to handle operational and security risks related to the payment services provided. This law also defines the procedures to be adopted in the event of operational or security incidents, with the Bank of Portugal being the entity responsible for taking all necessary measures to protect the security of the financial system.
Another aspect regarding data security is the implementation of strong customer authentication measures for specific events, ensuring the confidentiality and integrity of users’ personalised security credentials for payment services. Violations of these measures can constitute severe offences, subject to significant fines.
Regarding data protection, PISPs must ensure that:
AISPs must ensure that they access only the information from designated payment accounts and associated payment transactions. Also, regulatory technical standards on strong customer authentication and secure communication place a limit of four times a day on an AISP’s access to payment account data without the customer being directly involved.
The EU rigorously regulates both domains, with GDPR extending its reach to cover open banking and broader financial sector regulations, encompassing directives such as PSD2.
Portugal has criminalised insider dealing and market manipulation in regulated markets but does not provide specific provisions for fraud in financial services. The generic criminal provisions set out in the Portuguese Penal Code can apply if the objective legal elements are met. The most similar specific crime in the financial services sector would be the use of false or misleading information in investment solicitation, which can result in imprisonment of between six and eight years, with loss of gains of the perpetrator for engaging in such practice.
The most closely related crime in the financial services sector would, in most cases, be the crime known as “Burla”, which criminalises the conduct of “whoever, with the intention of obtaining for themselves or for a third party illegitimate enrichment, by means of error or deceit about facts that they cunningly provoked, induces another person to perform acts that cause them or another person patrimonial damage”, leading to a punishment of imprisonment up to three years or a fine.
The Portuguese Penal Code establishes an aggravated “Burla” classification when the loss incurred by the victim is greater than EUR5,100. In these cases, the penalty can be imprisonment of up to five years. If other conditions are met, the term of imprisonment can go up to eight years.
Any fraudulent agent should also be aware that he or she will likely also be charged with forgery, tax fraud and money laundering.
Regulators are not focused on any specific type of fraud and will communicate any crimes they detect while exercising their supervisory powers and conducting inspections.
Considering the severity of the penalties applicable to financial crimes, most industry players do not flirt with such crimes because of the actual risk of incarceration, loss of gains and professional licence cancellation.
Rua Rodrigues Sampaio 97 – 1º
1150-279 Lisboa
Portugal
+ 351 210 997 356
hello@gfdl.legal www.gfdl.legal
Industry Overview
In 2023, the global fintech industry continued to endure amid a difficult economic context and profound changes in the regulatory landscape. Nonetheless, the Portuguese fintech ecosystem in particular has seen momentum steadily growing for new ideas, funding rounds and the establishment of a local investor scene, with operators hoping to protect and promote their investments during downturns. For 2024, expectations are generally high and optimistic, in the hope that a combination of new technologies and a better economic context may contribute to sustained sector growth. At the same time, the legislative framework is expected to mature, with the entry into force of parts of the Markets in Crypto-Assets Regulation (MiCA), and the ongoing implementation of the Digital Operational Resilience Act (DORA) and the Artificial Intelligence Act (the “AI Act”), both expected to apply from 2025 onwards. Market players are also keen to monitor the progress of the so-called Payment Services Directive 3 (PSD3), the Payment Services Regulation (PSR) and the proposal for a Digital Euro as the European Central Bank digital currency.
The fintech sector is also hoping that in 2024 the regulatory framework – at the European but also the national level – develops to further harmonise requirements for companies, platforms and products. In Portugal, great attention is being given to the recent changes to the Crowdfunding Legal Framework (brought forward through Decree-Law no. 66/2023 of 8 August, amending Law no. 102/2015 of 24 August), with platforms seeking to implement new compliance mechanisms and expressing general optimism that more players may enter a market which currently has Raize as a formidable highlight after a 2018 IPO. There is also a sense of anticipation for new national legislative acts that incorporate the rules of MiCA and the European Green Bond Standard Regulation, although that may prove to be too demanding for the new Parliament that is to be elected in March.
In 2023, the Portuguese fintech ecosystem saw interesting financial operations occur and, according to the 2023 Portugal Fintech Survey, surpassed EUR1.1 billion in aggregate funding raised to date. The most significant funding rounds have involved start-ups providing payment services, such as Coverflex, HoliWally and PayNest, with the participation of Portuguese venture capital funds and also relevant foreign investors, and the insurtech sector, with Anansi raising EUR2 million and headlining a sector that is expected to become even more important this year and beyond. It should be expected that 2024 will bring new investment opportunities, considering the profile of companies now operating in the Portuguese market, increasingly including scale-ups as well as start-ups.
Trends for 2024
Artificial intelligence and machine learning
Artificial intelligence (AI) has been revolutionising the fintech industry for some time now, bringing about transformative changes in various aspects of financial services through the use of new or improved technologies. Fintech companies have been using AI tools for several purposes, including risk assessment, credit scoring, fraud detection, algorithmic trading, and investment profiling and management. 2023 brought deeper and more serious debates on the risks that accompany the merits of AI, influencing the political debate on the AI Act in its current form. It is expected that AI will become even more present in the fintech sector during 2024, but how to implement compliance mechanisms vis-à-vis the AI Act will be a hot topic both in Portugal and abroad. The links and cross-applications between AI, blockchain and smart contracts are also expected to be of interest to companies and users.
Cybersecurity and resilience
As noted above, the fact that DORA will enter into force in 2025 has already driven financial institutions (including banks, electronic money issuers, payment service providers, crypto-asset service providers, investment firms and crowdfunding platforms) to commit to significant structural changes, adapting to the new legislative standard for ICT infrastructures, governance, risk management and the overall resilience of internal and third-party-provided systems and networks. Furthermore, as cybersecurity has been an important issue for a long time now, the belief is that, pursuant to DORA compliance, in-scope institutions will undertake deeper adjustments to the way they do business and organise their business to achieve a more holistic view of resilience and security, encompassing physical security, risk management and incident management. This should take place through the reinforcement of infrastructures but also a review of internal procedures and mechanisms for governing risk.
Crypto-assets
The approval of MiCA was one of the main news stories in 2023. For 2024, as the regulation partially enters into force, it is expected that Member States will start to adapt their national legal frameworks to meet the new European standards and requirements, including in Portugal. Even if this is not the case, there should be an increase in activity of potential crypto-asset service providers (CASPs) seeking to obtain national authorisations prior to the full entry into force of the regulation, expecting to “grandfather” their authorisations under the new framework and hopefully “passport” their services under the freedom to provide services within the EU. This should be accompanied by a more noticeable intervention of European regulators, particularly the European Banking Authority, issuing guidelines on relevant matters under MiCA and harmonising its application in the European space. Having now mostly overcome the existential threat of the “Crypto Winter” of 2022, it is expected that the sector – at least in Europe – will now take on a more supervised nature, closer to the general standards of the finance industry.
Crowdfunding
Although the European Crowdfunding Regulation originally dates back to 2020, this year should see a renewed interest in the crowdfunding space in Portugal. This can be explained by the amendment to the national framework in 2023, which tried to clarify and harmonise past rules that were seen as impractical and burdensome for platforms and beneficiaries alike, hoping to foster crowdfunding activities in Portugal, but also by the establishment of the ESMA register on crowdfunding platforms operating in the EU and on a cross-border basis. As a part of the fintech sector, European crowdfunding still seems to have the potential to become a more significant segment of activity, following the examples of comparable jurisdictions, such as the US and the UK.
Embedded finance/payments
Embedded finance has been a fintech trend for several years. Simply put, it consists of offering financial products and services through non-financial companies as part of their usual operations. For example, an e-commerce store may provide insurance to customers, or a retail brand may have a store branded credit card.
Alongside an expected increase in adoption in the retail sector, as customers value the experience of obtaining multiple services from one provider, it is widely expected that embedded payments will be at the centre of future European legislation on payment services (notably PSD3 and the PSR) and financial services. As always when this is the case, first movers should enjoy a significant advantage with regard to their competitors, even if the services are already broadly offered. In any case, with embedded finance, all companies may become fintech companies. That prospect brings exciting opportunities and difficult questions regarding the legal framework that is applicable to its providers.
Green fintech, sustainable finance and ESG impact
Environmental, social and governance (ESG) is here to stay as a core guideline of company and financial law evolution. As a whole, financial institutions are still trying to grasp how to incorporate ESG principles into their business models – and make them more profitable through that – while navigating an ever-changing landscape of “green” rules and obligations. This concern has been notable throughout 2023, with the progress on the European Green Bonds Standard Regulation and the Corporate Sustainability Reporting Directive as the most notable highlights, and is expected to continue in 2024.
The EU has made it clear that sustainable finance will be an integral part of its “Green Transition” and a fundamental part of its regulatory framework for financial activities and products. The incorporation of ESG standards, reporting obligations and taxonomy will gradually become mandatory for most financial institutions, with impacts on capital management and investment profiling, among other areas.
Fintech companies may be exceptionally well positioned to profit from this trend, either by promoting efficient strategies for allocating funds to sustainable purposes or by presenting sustainable investment opportunities directly to potential customers straight from their incorporation.
Financial data sharing
As part of its deeper review of the payment services framework and in trying to keep up with “open banking” and “open finance” principles, the European Commission presented a legislative proposal in 2023 for a framework for financial data access, seeking to “establish rights and obligations to manage customer data sharing in the financial sector beyond payment accounts”. The Commission believes that its proposal will promote innovation in financial products and services, while stimulating competition in the financial sector. Even though this proposal has been treated as having less importance than the proposals for PSD3 and the PSR, it is expected that, once it has been approved and entered into force, financial institutions (notably banks) will have to review their procedures and rules of service B2C and B2B, even in relation to third-party providers. For consumers, the new rules may facilitate the receiving of personalised advice and the comparison of different products and providers.
Av. Infante D. Henrique, 26
1149-096 Lisboa
Portugal
+351 21 723 18 00
+351 21 723 18 99
lisboa@abreuadvogados.com abreuadvogados.com