The most relevant occurrence in the past 12 months has been the adoption of a revamped Investment Services and Securities Markets Act, which explicitly addresses DLT-based financial instruments. The developments that are likely to have the greatest impact in the coming months stem from this fact. It is expected that CNMV, the Spanish investment services and securities supervisor, will very shortly address, perhaps via Q&A, the different questions raised by DLT-based financial instruments, from the role investment firms are to play in their issuance, the singularities of investment services provided to retail investors using DLT-based financial instruments, to the full application of Regulation (EU) 2022/858 on a pilot regime for market infrastructures based on distributed ledger technology.

Verticals are still very much based on the traditional segregation payment services/investment services/insurance. However, there is increasingly a “slippage” between verticals, which, in the writers’ view, can only accelerate. Crowdfunding services providers are probably the best example, as, under Regulation (EU) 2020/1503, they are no longer restricted to a pure intermediation service (which was the case under the pre-existing Spanish legislation) and can now provide a pure MiFID 2 service, portfolio management of loans.

This trend is also present for legacy players, specially some of the largest Spanish banks, who have started providing investment services (reception and transmission of orders (RTO), advice) and ancillary services (custodianship) on crypto-assets.

Spain has written into national law EU Directives; EU Regulations need not be transposed. The Spanish regulatory regime does not present striking divergences with the EU regime, although, inevitably, differences exist, both to make regulation more stringent and to make regulation more flexible. Among the former, the AML/CTF rules are highlighted, where Spain has established rules more exacting than the 5th AML Directive and demanded that cross-border providers of services, operating in Spain under free provision of services, comply with them. The more flexible approach is, arguably, embodied by the Spanish investment services and securities supervisor, CNMV, which has repeatedly proved to be willing to explore disruptive business models.

Setting aside MiFID services, which carry their own regime regarding charges, the emphasis is not so much on amounts or models, as on clarity. Models must be such that consumers can be left in no doubt as to what exactly are the amounts being charged, and to what services they correspond. This is furthermore an area which supervisors, both the CNMV and Banco de España, follow closely and in which disciplinary action is regularly taken.

The principle “same services, same rules” applies. However, this is an area where the “slippage” alluded to in 2.1 Predominant Business Models might result in the application of different rules because the nature of the services provided can be ambiguous. The writers’ expectation is that the regulator will tend to close the gap, by greater clarification of the definition of the services covered by the different regulations.

Spain does have a regulatory sandbox. While it is centralised in the Ministry of Economy, all three financial regulators/supervisors (CNMV, Banco de España, Insurance Authority) participate in it. The Spanish regulatory sandbox has been designed as a structured context for experimentation of innovative and disruptive technologies applied to financial services. Applicants may submit their candidacies, providing mandated information in a structured manner, and a decision will be made by the board running the sandbox as to which of them are admitted (applicants are invited to submit candidacies with a six-month periodicity). The sandbox has been in existence since 2020, and six windows for presenting projects have already taken place. The key learning from this experience is that regulators/supervisors are principally interested in the application of innovative technologies, over other considerations.

Spain’s supervisory model is based on a three-sided structure, with some alterations. There is a supervisor for each industry – vertical banking, financial services and insurance – having competence over both prudential aspects and conduct of business rules. The division, however, is not exclusively based on the nature of the provider (credit institution versus investment firm) but will also take into account the service being provided: thus, consumer-facing rules will be supervised by CNMV, even when the provider is a credit institution, when the service being provided is an investment service.

The principal obligation placed on the entity outsourcing the service is one of diligence, both when selecting the vendor and when overseeing it. There is a strong incentive for the outsourcing entity to be diligent, as outsourcing will not lessen its own liabilities, either vis-à-vis the supervisors or the third parties. As a general rule, very often there is not a choice as to whether to outsource to a regulated entity, as this will be mandatory. Even where there is no rule, it may be advisable to do so, to mitigate any eventual liabilities.

Although this is increasingly the case, fintech providers are still perceived as being more intermediaries between providers and consumers than legacy providers are, and therefore to play less of a “gatekeeper” role.

Crowdfunding services providers are an interesting case in point, since Regulation 2020/1503 places on them a significantly lesser onus than would be put on providers of financial services such as placing of financial instruments or portfolio management. It remains to be seen, however, whether this will remain the case.

The insurance supervisor has not taken significant enforcement actions. For banking/payment services, Banco de España has publicly taken significant enforcement actions, centred on an insufficiency of governance arrangements and poor or misleading disclosure to consumers of costs and charges.

CNMV has also taken significant action, either because services were being provided by firms that did not have the proper licences in place, or because there were non-disclosed and/or non-resolved conflicts of interest in the provision of the services.

The AML/FT enforcement authority has also taken significant action, for poor application of KYC rules.

GDPR has been a significant issue for fintech services providers, as DORA looks increasingly to become. While there are no differences, in this aspect, with legacy players (other than what can result from application of the proportionality principle), legacy players might be at a slight advantage, as already having a culture of compliance that, in some cases, fintech players have not yet fully internalised.

There is an open debate on the role of influencers, their liability and whether (and how, should it be the case) they ought to be regulated (see 9.3 Conversation Curation and 14.1 Elements of Fraud, specifically for (fin)fluencers).

This issue is not applicable in this jurisdiction.

This is increasingly the trend: regulators are presently expressing their preference for unregulated products and services being channelled through non-regulated affiliates, with an emphasis on identification and status of the services provider to avoid confusion in consumers’ minds.

AML rules are probably the ones to which fintech players are the most attuned, not only because of the potentially crippling sanctions that can be exacted but because of their reputational impact. Even fintech companies that would not strictly be covered subjects under the 5th AML Directive (such as fintech companies providing tokenisation services) are complying with it, as otherwise credit institutions will refuse to service them.

Different asset classes do not require different business models. Robo-advisers can provide their services across the whole range of MiFID 2 financial instruments.

Legacy players are (i) acquiring robo-advisers and (ii) providing robo-advice services themselves. However, legacy players are encountering difficulties that fintech providers do not face: robo-advice may cannibalise other products/services that legacy players offer (such as fund distribution) and the technological solutions may be difficult to implement in addition to existing network systems.

No significant issues have arisen in relation to best execution of customer trades, probably due to the fact that Spanish robo-advisers focus their service on exchange-traded funds (ETFs).

Spain is somewhat unusual in the EU, in that providing credit to business or consumers is not yet an activity requiring an authorisation. This will necessarily change once Directive (EU) 2023/2225 on credit agreements for consumers is transposed. For the time being, the existing regulations on consumer protection (transparency and fairness of terms, principally) apply equally to fintech and incumbents.

Mortgage credit is more strictly regulated, and some activities (advice and intermediation) do require the registration of the provider with consumer protection authorities.

The underwriting process is dictated by regulation only inasmuch as AML regulation, or consumer protection regulation, may intervene.

Spain has seen a noteworthy increase of debt funds, addressed to professional investors; this is probably the largest category of non-banking loan providers. Peer-to-peer lending through crowdfunding services providers is still a residual activity; in fact, many of the lenders acting on these CSP are not so much “peers” as credit institutions and other professional lenders seeking to avail themselves of the services provided by the CSP. There is an active market for securitisations; deposit taking as a source of funds, however, requires a banking licence.

In Spain, syndication of loans is increasingly common, traditionally led by credit banks that co-finance large projects and thus diversify their risk. Sometimes syndication is carried out at an early (pre-contractual) stage and each lender assumes the risk corresponding to its share of the loan. In other cases, there is a lead lender that grants the loan and then seeks out other entities willing to syndicate with it. There are no specific regulations governing loan syndication.

It is noteworthy that, in recent years, more and more models of project debt co-financing are being seen, mainly in technological environments and usually granted to start-ups or technology companies. Thus, one finds models ranging from platforms for the trading of participation in syndicated loans to crowdlending to decentralised loans governed by smart contracts. The latter cases are increasingly common and there is a wide variety of sub-models, from staking to the granting of microcredits with “cryptoguarantees” (blocking cryptocurrencies as collateral).

Payment processors may create or implement new payment rails. However, there has been much discussion on the difficulties encountered by payment processors/payment entities to obtain IBAN for their customers. Recent modifications to the Spanish settlement system (Iberpay) have simplified this difficulty, but a definitive solution has yet to be established. Until then, the use of existing payment rails might be a simpler alternative.

There is no regulation of cross-border payments and remittances other than the Payment Services Directive (PSD2).

Fund administrators are not a necessary figure (nor probably useful) in Spain, since management companies can take on most of the services and activities fund administrators provide in other jurisdictions.

This issue is not applicable in this jurisdiction.

Marketplaces and trading platforms will require a MiFID 2 authorisation from CNMV if the assets exchanged and traded are financial in nature. This extends to DLT-based financial instruments.

Marketplaces and trading platforms for the exchange and trading of crypto-assets do not require an authorisation (yet), but stringent rules on advertising apply.

In so far as CSP can be considered marketplaces, Spanish legislation recognises the existence of national CSP not having access to an EU passport, alongside CSP regulated under Regulation 2020/1503. However, comparable requirements to those established under Regulation 2020/1503 apply to these national CSP.

This issue is not applicable in this jurisdiction.

There are no Spanish rules other than those of the EU. No cryptocurrency exchanges exist, as such. Banco de España has established a register of providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers, although registration is exclusively aimed at ensuring compliance with AML/CTF rules.

As mentioned above, there are no regulations; nor is there a common industry standard. However, the Spanish securities and markets supervisory authority (CNMV) has on several occasions published recommendations and Q&As, addressing crypto-assets that can be classified as transferable securities, to remind industry participants that public offerings of such cryptocurrency must be carried out in compliance with existing rules. CNMV has no general competence over crypto-assets falling outside the definition of transferable securities; however, rules on advertising will apply and be enforced by CNMV, as long as those crypto-assets are presented as investment opportunities.

There are no Spanish-specific regulations; nor is there a common industry standard.

The writers would dispute that there is a rise of peer-to-peer trading platforms, other than CSP. And, even for CSP, while many exist, it is unclear where the market is directed. Real estate financing CSP seem to be acquiring a certain preponderance, but there is not yet sufficient information to make an informed judgement.

See 7.5 Order Handling Rules.

There are no Spanish rules other than those of the EU, and CNMV has reminded entities that it will closely survey POF as it raises significant conflicts of interest.

Trading is governed by the Market Abuse Regulation (EU) 596/2014 (MAR).

There are no specific Spanish regulations in relation to the creation and use of such technologies.

See 7.5 Order Handling Rules.

.

See 7.5 Order Handling Rules.

.

No specific regulations apply; however, it may happen (as it has in the past) that CNMV will consider that programmers who develop and create trading algorithms and other electronic trading tools are in fact providing financial advice. This could be the case if the algorithm or electronic trading tool is self-executing, so that the entity using it does not in fact need to exercise discretion.

There are no specific Spanish regulations. However, as has happened in other jurisdictions, it could happen that CNMV finds that a DeFi platform is in fact providing some form of financial service. Also, operating with DeFi protocols has legal implications in areas such as tax, AML or data protection, which are important to bear in mind.

Financial research platforms are subject to registration if providing financial advice.

MAR will apply in full.

This is an issue that has been much debated in Spain, even before ESMA’s guidance on social media. The supervisor’s view is that the operator of the platform can be made responsible for whatever content is posted to the platform, inasmuch as the operator charges a fee or makes a return for operating the platform.

There is no response for this jurisdiction.

Different types of insurance are treated differently by industry participants because of the regulations. Spanish Law No 50/1980, of 8 October 1980, on Insurance Contracts, has specific provisions on insurance against damages, fire, theft (understood in a broad sense, referring to unlawful appropriation by third parties of the insured items), ground transportation, loss of profits (understood in a broad sense, referring to loss of economic performance, which could have been achieved in an act or activity if the loss described in the contract had not occurred), surety, credit, liability, legal defence, and reinsurance. Regarding personal insurance, Law No 50/1980 also has specific requirements for life insurance, accident insurance, healthcare insurance, death and disability insurance.

In general, there are no regulated regtech providers as such, but one finds some players in specific compliance areas such as KYC, electronic signature or cybersecurity.

It is assumed that technology service providers of financial institutions comply with the minimum requirements imposed by the regulations. However, in practice, there are financial institutions that demand more robust security requirements than those imposed by the regulations. Thus, there are entities that will not contract – under their internal policy rules – with technology providers if those do not meet certain cybersecurity standards (such as ISO certifications) or if their operations centre or servers are not located in the EU.

There exists an ongoing exploration of the possibilities blockchain affords both for trading and for settlement. So far, the experience is that different companies in Spain are raising funds (funding rounds) through the issuance of tokenised instruments (debt, economic rights/revenue share or equity). This is particularly the case for real estate projects, where there is significant activity.

The recent Spanish Investment Services and Securities Markets Act has introduced DLT-based financial instruments and additional regulatory developments are expected soon.

The Spanish supervisor has followed ESMA’s classification, and treats DLT-based negotiable instruments as MiFID 2 instruments for regulatory purposes. Otherwise, the MiCA classification will apply.

Issuance of DLT-based negotiable instruments requires that the issuer files an issuance document and contracts the services of an investment services firm having the legal capacity to provide registration and custody services. Regulatory developments are pending to determine the requirements such firms must meet.

There is no Spanish regulation other than Regulation (EU) 2022/858 on a pilot regime for market infrastructures based on distributed ledger technology. Discussions are ongoing for the authorisation by CNMV of the first such platforms, involving both Banco de España and ESMA, as a common interpretation is needed, especially regarding the use of e-money tokens in such market infrastructures.

There is no specific regulation. On the other hand, the fact that a financial (or physical) asset is tokenised does not modify the rules applying to it.

However, CNMV has issued guidance, in the form of Q&A, regarding funds that invest in crypto-assets. According to this, only funds incorporated under the Spanish legislation that writes Directive 2011/61 into Spanish law can invest directly in crypto-assets. Open-end funds can invest in crypto-asset-based exchange traded funds (ETFs), provided that they are distributed exclusively to professional investors. Further guidance is expected.

There are no specific Spanish rules, and thus differences are based on EU law, since different regulations give varying definitions of crypto-assets, cryptocurrencies or digital currencies, on top of which supervisory authorities, the Basel Committee and the ECB have, at different times, provided guidance or recommendations.

To cite but a few, Article 1 of the Directive (EU) 2018/843 of the European Parliament and of the Council, of 30 May 2018, defines virtual currencies as “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”. This definition would include both virtual currencies and blockchain assets, without making a distinction between them.

Article 3 of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, in turn, defines “electronic money token” or “e-money token” as “a type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency”, while a “crypto-asset” means “a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology”. This definition distinguishes between a crypto-asset in a broad sense and a virtual currency but giving only fiat money the status of currency; therefore, strictly speaking, under this definition a non-fiat cryptocurrency will be a crypto-asset.

See 8.5 Decentralised Finance (DeFi).

The answer will depend on the nature of the NFT (what rights and obligations are packaged under this for) and the services provided by the platform.

The Payment Services Directive (PSD2) has been a game changer for the offering of payment services, although its full effects have failed to materialise due to credit institutions’reluctance to facilitate effective application programming interfaces to third-party providers.

Banks and technology providers are coping with data privacy and data security concerns raised by open banking as well as they can, really.

The general elements of fraud apply to financial services and fintech as well as to other services. There is, perhaps, a distinctive element, attached to the role of social media. Particular attention has been paid to the role of (fin)fluencers in this area, and the Spanish supervisor has expressed its intention to make the providers of financial services (in conventional or fintech form) liable for the conduct of (fin)fluencers.

Regulators are most closely focused on advice and RTO, and portfolio management services using cryptocurrencies. The Spanish supervisor has alerted the general public to the existence of scams related to this, and is prosecuting several cases.