Answer ... (a) Crowdfunding, peer-to-peer lending
Alternative finance activities are regulated at the national level under the crowdfunding legal framework and fall under the regulatory supervision of the Portuguese Securities Market Commission (CMVM). Crowdfunding is regulated by the Crowdfunding Law (102/2015), with Law 3/2018 setting out the sanctions for violation of the Crowdfunding Law.
This regime is complemented by CMVM Regulation 1/2016, which sets out the relevant application requirements and the procedures for obtaining and maintaining a valid licence to operate a crowdfunding platform (either equity or debt). Before they can start operating, crowdfunding firms must register with, and be authorised by, the CMVM. The following documents must be included in the application:
- the applicant’s corporate details;
- its structure and beneficial ownership;
- the managers’ identification and ‘fit and proper’ documentation;
- the business plan and model;
- an indication of whether the firm should be considered a financial intermediary or an agent of a financial intermediary; and
-
evidence of compliance with the minimum financial requirements. After registration, these minimum financial requirements are:
-
- a minimum share capital of €50,000;
- an insurance policy covering at least €1 million per claim and at least €1.5 million in aggregate claims per year; or
- a combination of both that ensures sufficient similar coverage.
Where relevant, the additional requirements arising from the entry into force of the EU Crowdfunding Regulation (2020/1503) on 10 November 2021 are also directly applicable in Portugal; although in this regard, it remains to be seen whether the CMVM will be appointed as the competent national authority under this regulation, as national law in that respect is yet to be enacted. As the market develops and the number of market players increases, peer-to-peer funding alternatives offered by crowdfunding platforms will become more sophisticated in the medium to long term.
(b) Online lending and other forms of alternative finance
Online lending and other forms of alternative finance are regulated by:
- the Consumer Credit Regime (Decree-Law 133/2009);
- the Law on Distance Contracts (Decree-Law 24/2014); and
- the Law on Distance Contracting of Financial Services (Decree-Law 95/2006).
As these constitute forms of lending activity, they are regulated by the Bank of Portugal (BoP).
Under the Consumer Credit Regime, online lenders must comply with all legal requirements set out in the law, such as the obligation to:
- provide consumers with detailed pre-contractual information, including the total cost of credit, the annual percentage rate and the repayment terms;
- provide clear and concise information in all advertising;
- allow consumers to cancel a credit agreement within 14 days of signing; and
- assess the creditworthiness of consumers to ensure that they can afford to repay the loan.
The Law on Distance Contracts also contains several provisions on contracts concluded away from business premises, which include:
- the right of withdrawal as described above; and
-
consumer information requirements, such as:
-
- a description of the trader;
- the characteristics of the product to be acquired; and
- the price.
Many of these contracts are prepared using standard drafts and are intended for mass consumption. Mandatory rules that apply in such cases are set out in the Law of General Contractual Clauses (Decree-Law 446/85), which applies to contracts that are entered into online.
Finally, the Law on Distance Contracting of Financial Services has very similar provisions to the consumer protection regimes described above, with the nuance that the information requirements are more specific insofar as they relate to financial services. Among other things, they include the following:
- a description of the main characteristics of the financial service;
-
specification of either:
-
- the total price payable for the financial service by the consumer to the supplier, including all commissions, charges and expenses, and all taxes paid via the supplier; or,
- if an exact price cannot be indicated, the basis for the calculation of the price enabling the consumer to verify it;
- an indication of the possibility that other taxes or costs may exist that have not been paid or imposed by the supplier;
- the additional costs arising for the consumer from the use of means of distance communication, where such additional costs are charged;
- the period for which the information provided is valid;
- the payment instructions;
- an indication of whether the financial service relates to instruments involving special risks due to their characteristics or the operations to be executed; and
- an indication that the price depends on fluctuations in the financial markets outside the control of the supplier, and that past performance is not indicative of future results.
The financial services that may be provided in this way are not limited to the granting of credit, but rather cover a variety of products marketed by financial intermediaries; and as such, their supervision also involves the CMVM and the Portuguese Insurance Authority (ASF).
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)
The regulatory treatment of fintech companies in Portugal depends on the exact legal nature of the products and services that they offer. The main legal and regulatory concerns in terms of fintech relate to payment services and e-money activities, as well as crowdfunding platforms.
As outlined in question 1.1, the two main categories of fintech companies are payment services institutions and e-money issuers. These are both regulated under the Payment Services and E-Money Legal Framework (PSEMLF), which transposed the EU Second Payment Services Directive. The PSEMLF also set out the requirements for payment initiation service providers (PISPs) and account information service providers (AISPs) to enter the Portuguese market.
The PSEMLF further sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers, as well as PISPs and AISPs, which are all subject to the BoP’s supervision. To this end, specific mandatory legal documentation must be filed with the BoP, including:
- the draft bylaws;
- the business plan;
- a share capital commitment;
- the corporate structure and beneficial ownership;
- the managers’ identification and ‘fit and proper’ documentation; and
- corporate governance and internal compliance models and procedures.
The minimum statutory share capital requirement currently ranges from:
- €20,000 to €125,000 for payment institutions (depending on the type of services provided); and
- a minimum of €350,000 for e-money institutions.
PISPs must have a minimum statutory share capital of €50,000; and AISPs must take out an insurance policy or other similar guarantee scheme covering their activities in the Portuguese territory in case of breach or unauthorised access to data. All marketing and advertising activities carried out by these entities must abide by the general rules applicable to marketing and advertising by banks and other financial institutions. Among other requirements, all marketing and advertising products and materials must:
- clearly identify the offering or advertising entity; and
- ensure that the main features and conditions of the marketed products or services are easily understood by targeted consumers.
The PSEMLF establishes an extensive list of products and services that may only be offered by payment or e-money institutions, as well as by PISPs or AISPs. This means that in practice – considering the nature and business model of most fintech companies, and the services offered – they will have to qualify as one of these entities under Portuguese law and request authorisation to this effect when registering with the BoP.
Payment and e-money institutions based abroad may render their services in Portugal subject to prior authorisation and registration with the BoP. The applicable requirements and procedures may vary according to the state of origin. Entities based in EU member states can choose to render their services in Portugal:
- through a branch registered in Portugal;
- through authorised agents based in Portugal (notably in relation to e-money distribution); or
- on a freedom to provide services basis.
If the entity is based in a third-country state, it must incorporate a branch or, alternatively, a subsidiary legal entity in the Portuguese territory (by following the relevant, more demanding, procedure).
(d) Forex
There are no specific regulations relating to the surge in fintechs associated with forex markets. For all intents and purposes, forex is a trading market on an over-the-counter basis, whose brokers must:
- be authorised by the CMVM under the Securities Code (CVM); and
- comply with all applicable regulations at both the CMVM and European Securities and Markets Authority level.
More specifically, forex brokers must comply with the duties arising under the Second Markets in Financial Instruments Directive (2014/65/EU) (MiFID II), as well as the Anti-money Laundering Law.
In addition, as the forex market is concerned with the trading of foreign exchange and currency values, the Legal Regime of Economic and Financial Transactions with Foreign Countries and Foreign Exchange Transactions (Decree-Law 295/2003) also applies. This sets forth several legal obligations – in particular, regarding reporting to the competent authorities (in this case, the BoP).
(e) Trading
Financial brokerage is subject to the legal obligations set out in the CVM and MiFID II, and more recently in the Investment Company Regime (Decree-Law 109-H/2021), which establishes the legal requirements for the authorisation, licensing, establishment and operation of investment and trading companies (as financial intermediaries).
These requirements are generally applicable to more traditional players, and no material differences exist regarding fintech companies when providing regulated activities such as trading and brokerage services to the general public.
(f) Investment and asset management
The Portuguese securities market is regulated by the CVM, which incorporates the changes resulting from MiFID II and the securities and capital markets-related regulatory framework. There are currently no regulations on the use of fintech-specific services in the securities market; although entities engaging in investment and asset management services (as well as any regulated services pertaining to securities or investment services) should abide by the general regulatory framework applicable to those assets and services, regardless of whether they are provided on a fintech basis or on a traditional basis.
All securities market-related activities are subject to the existing securities framework that applies to traditional entities and activities (if they fall within its scope). Certain fintech matters (eg, blockchain and cryptocurrencies) fall outside the scope of the securities laws altogether if the assets to which they relate are not classed as a security or a financial instrument under MiFID II. The CMVM does not regulate crypto-assets and initial coin offerings unless the underlying crypto-asset qualifies as a security (this assessment is made on a case-by-case basis); and in any event until the Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, amending Directive (EU) 2019/1937 comes into play.
(g) Risk management
Most traditional financial services providers develop their own fintech-related initiatives and can thus circumvent the regulatory barriers and hurdles which would otherwise apply to a new company entering this space, given that their banking licence allows them to pursue most fintech activities.
However, traditional financial services firms and fintech firms usually establish partnerships or other joint venture-type arrangements in order to comply with risk management obligations regarding:
- data protection and data sharing;
- client ownership;
- protection of client funds (where applicable);
- compliance with AML obligations;
- ownership of technology and partnership goodwill;
- service-level agreements (SLAs); and
- associated penalties.
On 25 February 2019, the European Banking Authority (EBA) published its revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), which entered into force on 30 September 2019 and became applicable in Portugal on 31 May 2020 through BoP Circular Letter CC/201900000065. The 2006 Committee of European Banking Supervisors Guidelines on Outsourcing (GL02/2006) and the EBA’s Recommendation on Outsourcing to Cloud Service Providers were repealed as a result. Under the guidelines, fintech companies that qualify as investment firms under MiFID II, credit institutions, payment service providers and electronic money institutions must:
- set up a comprehensive outsourcing framework (including outsourcer due diligence, oversight and audits, and contract management);
- enter into appropriate (or review existing) arrangements with outsourcers (including SLAs); and
- maintain an outsourcing register of all outsourcers and outsourced activities.
The guidelines require these institutions to devote particular attention to outsourcing agreements:
- relating to critical or important functions, especially if the outsourcing concerns functions relating to core business lines and critical functions (as defined in Articles 2(1)(35) and (36) of the EU Bank Recovery and Resolution Directive (2014/59/EU); and
- identified by institutions using the criteria established in Articles 6 and 7 of EU Regulation 2016/778.
For example, outsourcing agreements must include rules on the sub-outsourcing of these critical or important functions (Section 13.1 of the guidelines).
When assessing whether an outsourcing arrangement relates to a function that is deemed critical or important, entities must take into account (together with the outcome of the ordinary risk assessment outlined in Section 12.2 of the guidelines) at least the following factors:
- whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which the service provider is authorised;
- the potential impact of any disruption to the outsourced function or failure by the service provider to provide the service at the agreed service levels on a continuous basis;
- short and long-term financial resilience and viability, including (if applicable) their assets, capital, costs, funding, liquidity, profits and losses;
- business continuity and operational resilience;
- operational risk, including conduct, information and communication technology and legal risks;
- reputational risks; and
- where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation.
Entities should also verify the potential impact of the outsourcing arrangement on their ability to:
- identify, monitor and manage all risks;
- comply with all legal and regulatory requirements, and conduct appropriate audits of the outsourced function;
- continue with service provision to clients;
- limit their aggregate exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
- manage the size and complexity of any business area affected;
- switch to another service provider, if necessary or desirable, both contractually and in practice, considering the estimated risks, impediments to business continuity, costs and timeframe for doing so (suitability);
- reintegrate the outsourced function payment institution (if necessary or desirable); and
- ensure sufficient levels of data protection and data availability in the event of a confidentiality breach or failure, in terms of the entity’s integrity and that of its clients, including compliance with the EU General Data Protection Regulation.
Unregulated fintech companies (ie, providers of unregulated services to institutions that distribute their services to EU branches) must still observe certain outsourcing requirements, such as:
-
complying with the industry’s regulatory standards (eg, ISAE 3000 or ISAE 3402);
- having a sub-outsourcing framework agreement in place; and
- entering into outsourcing agreements with sub-outsourcing providers.
Under the guidelines, ‘outsourcing’ means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider, under which the service provider performs a process, service or activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.
(h) Robo-advice
In addition to what is stated in question 4.4, robo-advice may consist of financial intermediation services where such advice targets investment-related services or financial instruments. As such, these services and their providers are also subject to the duties that apply under MiFID II, particularly with regard to suitability (of the technological means used). Fintech companies that wish to offer this type of service must also apply to the CMVM for a financial intermediation licence.
Additionally, robo-advisors must ensure that their algorithms and models are regularly tested and monitored to ensure their accuracy and effectiveness in providing investment advice to clients.
As regards the European approach to this phenomenon, please see question 3.5.
(i) Insurtech
Insurtech activities are not specifically regulated in Portugal. Insurance activities provided on a fintech basis are generally regulated by the ASF at the national level, under the same framework that applies to traditional insurance activities. However, the ASF is actively engaged in insurtech developments and is open to new initiatives (notably through the Portugal FinLab programme).
Insurance and reinsurance activities are governed by the Insurance Legal Framework, approved under Law 147/2015, which sets out the requirements for the authorisation and registration of all insurance companies operating in Portugal, as well as for their prudential supervision. Insurtech solutions and services are generally accepted in the Portuguese market, provided that they comply with the general insurance and reinsurance legal framework.