Fintech 2022 Comparisons

The Portuguese fintech ecosystem has been developing at a fast-tracked pace, through disruptive initiatives that have raised awareness and interest and have signalled the Portuguese market as a growing fintech hub.

Portuguese regulators are committed to helping the fintech market thrive. To this effect, Banco de Portugal (the Portuguese Central Bank) and CMVM (the Portuguese Securities Market Commission) have created direct channels for communication between fintechs and the relevant authorities. Moreover, the FinLab, which is the Portuguese first innovation hub, bringing together Banco de Portugal, CMVM and ASF (the Portuguese insurance authority) has set the tone for a dynamic dialogue between start-ups, scaleups, incumbents and regulators alike, which is a crucial tool for the sustainable growth of the industry. In this context, international fintechs are also looking to establish their base of operations in Portugal as a part of their strategy. 

Highlights from recent fintech industry activity in Portugal entail new fintech players appearing or consolidating their presence in the market, and leading global fintech players establishing operation hubs in Portugal. In addition, focus has been given to a collaborative approach in the development of projects or products through partnerships between incumbents and start-ups.

In accordance with the 2021 Portugal Fintech Report that maps industry numbers, the most popular segments are currently payments and money transfers, insurtech, lending and credit, cybersecurity and regtech, blockchain, and crypto. The top 30 fintechs have raised over EUR437 million until 2021 from both national and international VCs, 81% of the top companies are headquartered in Portugal, and cybersecurity and regtech (60%) and blockchain and crypto (27%) have raised the highest amounts of funding, followed by insurtech (8%). On average, 31% of funding comes from international investors, of which 82% comes from the USA, 8% from Portugal, and 7% from France. According to the Portuguese Fintech Report, 33% of the investors have stated that the ability to execute is the top positive characteristic of Portuguese fintechs, followed by talent (24%), and problem being solved (21%).

The main fintech verticals by amount of allocated funding consist of cybersecurity and regtech, bockchain and crypto and insurtech; most Portuguese fintechs operate under a B2B model (83%). On the average, teams are composed by 30 employees, with more than 14% being larger.

The Portuguese financial services landscape is still predominantly occupied by incumbents, but these have been trying to strategically position themselves in the sector, either by investing in new business segments or through integration or collaboration with emerging fintechs.

Fintechs often start to operate as unregulated entities, developing their business model in stages that allow them to manage the cost of the regulatory burden. They are able to leverage on this apparent regulatory freedom, which incumbents lack, to develop their activity favouring a “tiered” approach. Incumbents, however, have the regulatory approvals required to operate in the financial markets therefore making the alignment of interests/incentives evident.

Such explains the confluence between the two opposing sides, manifesting itself through investment, joint ventures or other means of collaboration. This is part of a wider global trend we are observing in Portugal as well, although Portuguese incumbents, when compared to other countries, seem more reluctant in making direct investments in fintechs.

Portuguese legislation in relation to verticals such as banking and financial services, payment services, insurance, investment funds, financial instruments, investment services and investment firms, crowdfunding, anti-money laundering and prevention of terrorism financing, data protection, and market protection to name a few, closely follows either European level harmonisation or regulation. The regulatory regime will differ in accordance with the applicable business segment.

There are no specific legislation applying only to fintechs, except for crowdfunding platforms.

Crowdfunding platforms are subject to prior registration with CMVM, and the holders of qualifying participations and the members of the management body of the managing entity of the platform are subject to fit and proper requirements.

There are no specific compensation models under Portuguese law that industry participants may use to charge customers.

The application of “traditional” regulation to fintechs depends on the type of activity undertaken by them. Where the company’s business falls within the scope of regulated activities, fintechs will become subject to the same set of rules as legacy players. Notwithstanding this, where regulatory provisions are discretionary or where it is not possible to straightforwardly apply a specific rule, regulators have to apply a proportionality principle, as well as assess the extent to which risks posed by fintechs are analogous to those posed by incumbents and therefore warrant the same level of regulation. 

Portugal approved a new framework for the establishment of technological free zones (TFZ) under Decree-Law 67/2021 of 30 July 2021, which will allow the creation of regulatory sandboxes to promote testing and experimentation in any area of technological innovation. Decree-Law 67/2021 determines the model of governance of the TFZs, creating an authority that, without prejudice to the competencies of other entities, has the function of centrally managing and promoting the network of TFZs that may be created.

TFZs are physical environments, geographically located in a real or semi-real environment, intended for experimentation of innovative technology-based products, services and processes, with the support and monitoring of the respective competent authorities. Decree-Law 67/2021 establishes the conditions for the creation of TFZs with the aim of installing, in Portugal, several TFZs, with each one of them being especially geared towards certain technologies or sectors and thus contributing to the dynamisation of the regions of Portugal.

The jurisdiction of each Portuguese regulator is clearly defined by activity sector. In this context, Banco de Portugal supervises banking activities, financial companies, payment institutions, electronic money institutions and payment systems, CMVM supervises financial markets and market participants, trading venues and exchanges, public offers of securities, UCITS and AIFM, and ASF supervises insurance companies, reinsurance companies, pension funds, insurance mediation, and distribution.

The outsourcing of operational functions that are critical for the provision of services must be made in a manner that enables regulated entities to ensure that they can provide the service in a continuous and satisfactory manner. Regulated entities are bound to perform such tasks as deemed required to prevent any additional operational risk that may result from outsourcing. In case the outsourcing prevents the regulator’s ability to monitor the licensed entity, then the relevant outsourcing should not take place. 

Therefore, contractual arrangements on outsourcing must have clear rules regarding the access to information, reporting and data sharing to enable the regulated entity to obtain all the information that it requires to comply with the applicable regulatory framework or to provide that information to a regulator in case of an inspection or inquiry. In addition, when setting up outsourcing arrangements, regulated entities should take into consideration EBA’s guidelines on outsourcing arrangements.

Fintech providers may be deemed to be gatekeepers when they are themselves regulated, such as crowdfunding platforms, or non-financial entities subject to AML/KYC compliance, as is occurring, for example, with virtual asset service providers. In these examples, the obligations to monitor or conduct any regulatory obligation emerge from applicable law, and it is arguable whether any liability could exist out of managing a platform that is not underpinned by legal provisions.

All three regulators closely monitor licensed entities and conduct periodical and ad hoc on-site inspections, from which certain enforcement actions may result. However, in the context of fintech’s main verticals and industry participants, there are no significant enforcement actions to note that have been publicly reported.

Fintech companies are subject to a myriad of legal regimes, namely data protection, cybersecurity and consumer protection. Regulation is one of the main obstacles to fintech’s growth as they take in the cost of compliance and regulation that legacy players are able to dilute, to a certain degree, due to scaling.

However, fintechs should not delay the configuration of their business plans, strategy, product or services to the applicable legal requirements as being compliant will significantly reduce the cost of having to adjust at a later stage, increase their reputability vis-à-vis other market participants, incumbents, regulators and clients and help them integrate more easily with other players either by setting up joint ventures or being absorbed by incumbents.

On a separate note, additional regulation has proven to be fertile ground for the development of new technological solutions in the regtech sector that is supplying legacy players with the tech instruments and services required to deal with regulatory growing obligations.

Portuguese companies, including Portuguese fintechs, are usually subject to review by accounting and auditing firms in connection with the certification of their accounts. There are no other official reviewers of fintechs, but it is possible to say that the industry monitors itself through private initiative associations and organisations that are watchful of the phenomenon, procure trends and companies to follow.

In addition, Portugal Fintech is a non-profit association which aggregates fintech industry data on an annual basis.

Industry participants do not often bundle regulated products and services with non-regulated products, with some exceptions. Regulator’s scrutiny often increases where it has concerns over conflicts of interest and other risks to the regulated products from mixing up with non-regulated products and services which drives market participants to segregate regulated products into separate legal entities.

The applicable AML Rules depend on the categorisation of each Fintech company. In this sense, Law No 83/2017 of 18 August which establishes the measures to combat money laundering and the financing of terrorism, imposes a set of rules and requirements to financial entities, and non-financial entities which activities have higher risk of being used for the purposes of money laundering or financing of terrorism (eg, gambling activities, auction houses, real estate brokerage, high-volume cash based transactions) or which can act as gatekeepers (eg, lawyers, solicitors, notaries). Pursuant to Law No 83/2017 of 18 August, virtual asset services providers are non-financial entities subject to compliance with AML obligations which must register with Banco de Portugal before they can start any activities with virtual assets in Portugal.

There is no requirement to set-up different business models for different asset classes in the context of robo-advising. Notwithstanding, robo-advising configuration will depend on the type of service and assistance, and if there is human intervention or not, in order to determine the level of automation, cost, security and the nature of the assets. The technology and algorithm should be able to determine the investor’s profile, risk appetite and investment objectives in order to build an adequate portfolio, without regard to the specific classes of assets.

According to ESMA's recommendations on the subject, companies that resort to robo-advising should offer a very clear explanation of the exact extent and degree of human intervention, and whether and how the customer may request human interaction. In addition, an explanation of how the client’s responses impact the appropriateness of their investment decisions should be provided. In order to ensure the suitability and consistency of the assessment carried out through automated tools, companies should regularly monitor and test algorithms on which the suitability of transactions recommended or performed on behalf of the customers is based.

Legacy players have applied robo-advisers in investment services such as automated portfolio planning, automatic asset allocation and risk assessment.

The overarching best execution obligation included in MiFID II requires firms to take all sufficient steps in order to obtain the best possible result (the best execution rule). Therefore, when executing client orders or placing orders with (or transmitting orders to) other entities to execute, several execution factors must be taken into account, especially in determining the execution price and transaction costs. Firms will have to follow their execution policies in executing the relevant investor’s orders, in each case by directing these to multiple execution venues or selecting other firms to provide the execution services.

Investment Firms

Investment firms have to execute orders in the terms and conditions that are most favourable to investors, considering elements such as:

• execution capabilities and opportunity for price improvement;
• promptness of execution;
• handling large trades;
• ability to maintain confidentiality of trading intentions;
• availability of technology to process trades;
• reliable and accurate settlement capabilities;
• research capabilities;
• competitiveness in the marketplace;
• financial responsibility and responsiveness to the adviser;
• additional services provided to clients (eg, custodial services); and
• identify and address conflicts of interest surrounding their brokerage selection and trading practices.

Robo-adviser technology and platforms have certain obstacles in connection with the lack of human perception, limitation of questionnaires made to investors, and inability to address market failures. Therefore, if a licensed entity is using robo-advising technology it is still ultimately responsible for achieving best execution for the client, and must ensure that the platform can satisfy the best execution requirement.

The regulatory framework applicable to loan origination to individuals is different than for SMEs and large businesses. Individuals will be considered consumers and therefore the lender will have to comply with mandatory pre-contractual obligations, including delivering certain standard documents and rules regarding the setting up of interest and fees that may be charged to the consumer. In addition, online lending to consumers will have to comply with rules regarding unfair terms, e-commerce and contractual agreements entered at a distance, consumers’ right of withdrawal, unsolicited services and communications, solvency and creditworthiness assessment of consumers.

With the exception of unfair terms, SMEs and large businesses do not qualify as consumers and do not fall under the scope of application of the above-mentioned rules.

The underwriting and onboarding processes of industry participants must comply with anti-money laundering and prevention of terrorism financing and know-your-customer (KYC) requirements, in order to comply with the identification and due diligence of customers.

In addition, certain onboarding processes have additional rules applicable to video-conference onboarding and other digital channels, with specifications on how to conduct the onboarding in a valid way.

In Portugal, peer-to-peer lending is not allowed, with the exception of loan crowdfunding. The bulk of funds used for loans is raised from deposits and lenders.

The syndication of loans is made by banks in Portugal. There is no specific regulation in this respect.

The Portuguese payment system laws transposing PSD2 establish rules regarding the principles of non-discrimination, objectiveness and proportionality in the access to payment systems. Payment processors are free to create private payment systems that could potentially be designated by Banco de Portugal as a system under the Settlement Finality Directive and Portuguese legislation implementing the same, which creates certain rules on settlement finality and insolvency. 

Cross-border payments are regulated by Regulation (EC) No 924/2009 of the European Parliament and of the Council of 16 September 2009 on cross-border payments in the Community. This regulation establishes that charges for cross-border payments in euros are the same as for corresponding payments within a member state, as well as facilitates the execution of cross-border payments by payment service providers, through standardisation in the use of the international bank account number (IBAN) and the bank identifier code (BIC), and establishes rules on interchange fees applicable to cross-border payments.

The role of the fund manager is a regulated activity that can be carried out either by the management’s corporate body of the investment company in self-management investment or a third party that is authorised as fund manager. Portuguese legislation covers investment funds targeting securities, real estate or alternative investments (Law No 16/2015, as amended), venture capital funds (Law No 18/2015, as amended) and pension funds (Law No 27/2020), which include rules that define the role of the management entity, its eligibility and regulatory requirements for a company to become a fund manager.

Fund managers have specific conduct duties and the fund manager’s agreement has, to a certain degree, a predefined content that is established in the law. A fund manager of a securities, real estate or alternative fund must enter into a fund management contract with a self-managed investment company, which should be made in writing and regulate several issues, notably selection and replacement of the management entity, the investment policy, the dividend’s distribution policy, the voting rights policy and the loan and leverage policy that the fund manager has to comply with.

In addition, the agreement will also set rules regarding the fees to be paid to the fund manager, the methodology to calculate the number and value of the participation units, and the procedures that the fund manager must follow to deal with any claims. Similar rules apply to pension funds (Law No 27/2020, as amended), and to venture capital funds (Law No 18/2015, as amended).

In Portugal, marketplaces and trading platforms consist of regulated markets, multilateral trading facilities and organised trading facilities (in each case as defined in Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments or MiFID II), which are subject to authorisation and supervision from CMVM, the Portuguese securities market commission. 

The regulatory regime for regulated markets, multilateral trading facilities and organised trading facilities is included in the Portuguese Securities Code, and results from the transposition of MiFID II.

The main difference that results from the regulation applicable to these marketplaces and trading facilities in Portugal is that, according to the Portuguese Securities Code, whereas regulated markets require a special authorisation to be granted by the Portuguese Minister of Finance, by means of a Ministerial Order, after consultation with the CMVM, multilateral trading facilities and organised trading facilities are only required to be registered with the CMVM.

In addition, while regulated markets need to be managed by a specialised management entity, multilateral trading facilities and organised trading facilities may also be managed by financial intermediaries, such as credit institutions, brokerage firms, among others.

Although there are some other specific differences in the regulatory regimes for each trading venue specified above, other rules apply irrespectively to each one of those venues. Thus, the Portuguese legislator adopted rules on:

• the financial instruments that may be subject to organised trading;
• information requirements;
• the list of eligible transactions for each regulated market, multilateral trading facilities or organised trading facilities;
• on transparency requirements;
• on access to member or participant status; or
• on the execution of orders.

Under Portuguese law, and in line with MiFID II, there are no different requirements in relation to infrastructure at product level, however, some trading platforms are identified by asset class.

The emergence of cryptocurrency exchanges has not, to date, impacted the existing legal framework applicable to trading venues, and there is no specific legal framework for cryptocurrency exchange platforms.

However, cryptocurrency exchange platforms must be registered as a VASP with Banco de Portugal, in accordance with Law No 83/2017 of 18 August. This registration process is focused on the prevention of money laundering and the financing of terrorism.

Listing standards require that the form and content of the securities, including in relation to their form of representation, comply with legal requirements that the securities have been issued in accordance with the personal law of the issuer, that the issuer has an economic and financial situation that enables the issuance of the relevant securities, by being compatible with its nature and with the regulated market where the securities are being requested to be admitted into trading, that the issuer has developed its activity for at least three years and disclosed its management reports and annual accounts for the three years prior to the admission. 

Order handling rules in MiFID II require investment firms to implement procedures and arrangements that provide for the prompt, fair and expeditious execution of client orders, relative to other client orders or the trading interests of the investment firm. Therefore, if a firm cannot execute an order, it shall transmit the order to another firm that is able to execute it.

Investment firms must make sure that the orders are promptly and accurately recorded and allocated in order to be carried out swiftly and in a sequential manner, except if market conditions prevent the same or the nature of the orders makes it unpractical to do so. In addition, the firm has an obligation to inform retail clients whenever there is a material difficulty affecting the normal carrying out of orders.

Peer-to-peer trading platforms in Portugal consist of crowdfunding platforms, which are subject to the crowdfunding regulation (Regulation (EU) No 2020/1503, of 7 October 2020) and the Portuguese crowdfunding legislation. There are currently six crowdfunding platforms registered with CMVM.

There has not been a substantial impact from the rise in crowdfunding platforms, which may be linked to some limitations to crowdfunding under the Portuguese crowdfunding rules that restricted the amount of investment per investor and per crowdfunding. It will be interesting to see if the crowdfunding regulation will lead to an increase in the number of crowdfunding platforms active in Portugal.

See 3.3 Issues Relating to Best Execution of Customer Trades. The best-execution rule applies if trading platforms are qualified as investment firms.

Financial intermediaries must select their trading and execution venue based on a best-execution policy, and must provide their clients with information on costs and expenses per service and per financial instrument. In addition, inducements rules prevent firms from paying benefits to or receiving benefits from third parties, with few exceptions. Notably, it is possible for firms to receive payments or inducements if required for the rendering of services, in situations where it is deemed to enhance the quality of the services, if the amount is clearly and previously disclosed to the client and provided that it does not interfere with the obligation of the investment firm to act honestly, fairly and professionally in accordance with the best interests of its clients. 

According to the applicable legislation in Portugal, market integrity and transparency are guaranteed by preventing market abuse in the form of insider trading and market manipulation, meaning that manipulating the market or using inside information are generally prohibited activities. Also, financial intermediaries must always ensure that the structure of financial instruments, including its characteristics, does not adversely affect end customers/investors or lead to market integrity concerns.

MiFID II establishes rules governing high frequency algorithmic trading which is a subset of algorithmic trading. These rules require firms to store time sequenced records of their algorithmic trading systems and trading algorithms for at least five years. Records should contain sufficient detail to enable monitoring by the relevant competent authority and include information such as details of the person in charge of each algorithm, a description of the nature of each decision or execution algorithm and the key compliance and risk controls. These rules have been transposed into Portuguese law, were included in the Portuguese Securities Code, and are complemented by the MIFID Regulatory Technical Standards and Delegated Acts.

High-frequency algorithmic trading enables the execution of a large number of transactions in seconds or fractions of a second by using certain infrastructures, and can bring numerous advantages regarding efficiency and costs. However, it also entails certain risks as potential failures of algorithms, IT systems and processes.

A firm that is engaging in algorithmic trading must therefore have effective systems and risk controls to ensure that its trading systems are resilient and subject to appropriate trading thresholds and limits. In addition, these firms should also adopt automated surveillance procedures in order to prevent market manipulation and security measures relating to cybersecurity and limit the staff’s access rights to the systems. Different classes of assets do not have different regulatory regimes.

Additionally, firms that use algorithmic trading must ensure that their trading systems do not operate in such a way as to contribute to a disorderly functioning of the market, and have to make records in an approved format, and keep them accurate and chronological, of all bids placed and executed on trading venues, including the cancellation of bids, and transmit them to CMVM upon request of their request.

Under Portuguese law, investment firms are not allowed to execute client’s orders with proprietary capital or to engage in matched principal trading on regulated markets or multilateral trading facilities in which they operate.

Matched principal trading is only permitted in organised trading facilities, where the client expressly consents to the process and the transaction does not involve derivatives contracts which have been cleared in accordance with Article 5 of the European Market Infrastructure Regulation (Regulation (EU) No 648/2012, as amended). In addition, the financial intermediary must be registered as such and be authorised to deal on its own account by the CMVM.

Market-making strategies by intermediaries that engage in algorithmic trading requires a written contract to be executed with the trading venue, that ensures that the activity will be continuous during a specified proportion of the trading period.

There are no particular rules establishing a distinction between funds and dealers engaging in algorithmic or high-frequency trading activities.

There are no general laws and regulations in Portugal on developing and programming trading algorithms that apply to programmers. However, it should be noted that in April 2021 the European Commission published a Proposal for a Regulation of the European Parliament and for the Council laying down harmonised rules on artificial intelligence. The proposal provides for a risk-based regulatory approach and is addressed to both providers of software systems or algorithms and its users.

Financial research platforms must register as financial intermediaries if their services included providing investment research and financial analysis or other forms of general recommendation relating to transactions in financial instruments; otherwise, they are not subject to any registration requirements.

The spreading of rumours and other unverified information can be considered as a form of manipulation or attempted manipulation of financial instruments since it can have a significant impact on the prices of financial instruments in a relatively short period of time. Abuse of information, market manipulation, insider dealing, and benchmark manipulation are crimes or misdemeanours, as applicable, under Portuguese securities law.

The Market Abuse Regulation

Furthermore, Regulation (EU) No 596/2014 of the European Parliament and of the Council, of 16 April 2014, on market abuse (the "Market Abuse Regulation") applies in Portugal and governs inside information, insider dealing, unlawful disclosure of inside information and market manipulation in relation to financial instruments admitted to trading on a regulated market or for which a request for admission to trading has been made, traded on an multilateral trading facility (MTF), or admitted to trading on an MTF or for which a request for admission to trading on an MTF has been made, traded on an organised trading facility, or financial instruments not previously mentioned, the price or value of which depends on or has an effect on the price or value of a financial instrument referred to above, including, but not limited to, credit default swaps and contracts for difference.

The Market Abuse Regulation also applies to behaviour or transactions, including bids, relating to the auctioning on an auction platform authorised as a regulated market of emission allowances or other auctioned products based thereon, including when auctioned products are not financial instruments, pursuant to Regulation (EU) No 1031/2010. In addition, prohibition of market manipulation also applies to spot commodity contracts (which are not wholesale energy products), where the transaction, order or behaviour has or is likely or intended to have an effect on the price or value of a financial instrument mentioned above, and to types of financial instruments, including derivative contracts or derivative instruments for the transfer of credit risk, where the transaction, order, bid or behaviour has or is likely to have an effect on the price or value of a spot commodity contract where the price or value depends on the price or value of those financial instruments and behaviour in relation to benchmarks.

In Portugal, there are no specific rules regarding conversation curation and this will be set by the terms of use of the specific research platform, however, price distortion behaviours and market manipulation that include pump and dump schemes and spreading of inside information regarding securities and other financial instruments are prohibited behaviours that are subject to Portuguese securities law and the Market Abuse Regulation.

The insurance underwriting processes in Portugal are significantly dictated (or, at least, constrained) by regulation. Since there are no specific rules or processes concerning the underwriting of insurance in the insurtech industry, insurtechs abide and adapt to the general (and traditional) rules concerning the underwriting of insurance. 

The regulations in this respect include general provisions concerning means of commercialisation, documentation, policyholders and consumers rights, information duties and contents of the insurance agreements, applicable in all types of insurance, but also specific rules concerning (and adapted to) each type of insurance which are necessarily different, depending on the risk at stake (eg, life insurance, civil liability insurance, damages insurance, health insurance, and insurance-based investment products). The underwriting process is also influenced by the rules relating to solvency, diversification and risk applicable to insurance companies.

Different types of insurance are treated differently by industry participants and by regulators, although there is a broad set of common rules applicable independently of the type of insurance at stake (for instance, rules on distance selling of financial products, approved by Decree-Law 95/2006, of 29 May 2006, the general section of the Portuguese insurance contract framework, approved by Decree-Law 72/2008, of 16 April 2008, or the Portuguese insurance distribution law, approved by Law 7/2019, of 16 January 2019). The fact that part of the applicable provisions concerning underwriting processes and the contents of the insurance agreements varies depending firstly, on whether it corresponds to life or non-life insurance, and secondly on the exact type of insurance at stake leads to such different types of insurance being treated slightly differently by regulators and industry players alike.

Regtech activities are not automatically regulated and the extent to which they may become subject to regulations is based on a case-by-case analysis. In most situations, regtechs are only tangent to regulated activities and therefore do not require licensing or authorisations to undertake their business. However, if they do overlap with regulated activities, they will become subject to the respective applicable rules.

One thing to take into consideration when assessing how regtechs may be regulated is determining how regtechs’ services integrate with their customer base – licensed entities in the banking, payment, financial or insurance sectors. In a lot of cases, the scope of regtechs’ activities will represent an outsourcing of functions from the licensed entity since they focus on compliance and reporting in areas such as fraud prevention, anti-money laundering, prevention of terrorism financing, onboarding of new clients, cybersecurity, data science and AI. For that reason, certain obligations or procedures will have to be complied with that result from requirements of the overarching financial regulation. EBAs’ guidelines on outsourcing arrangements should therefore be considered in this event.

In the case of outsourcing services for regulated entities, regtechs must be aware of EBA’s guidelines on outsourcing arrangements (EBA/GL/2019/02) and recommendations on outsourcing to cloud service providers (EBA/REC/2017/03), both applicable in Portugal through, respectively, circulars CC/201900000065 and CC/2019/00000025, that can impact the content of the agreement. Notably, Banco de Portugal has informed supervised entities that outsourcing arrangements should include clauses on rights of access, information, and audit of the outsourcing entity by relevant financial entity to ensure an adequate control of the outsourced services.

Additionally, in certain sectors industry practice may be a precedent to take into consideration, but most contractual terms will be set in accordance with the parties’ commercial agreement on how to share risk. This will be a combination of several factors, which include identifying legal risk and commercial risk. While the first should not deviate from the rules that burden a certain entity with the obligation to comply with certain provisions (eg, the licensed entity cannot shift legal liability vis-à-vis the regulator to the regtech company), the second will be set in accordance with the parties’ respective bargaining power. Notwithstanding, major clauses to negotiate will involve service levels, duties of care and diligence, confidentiality, reporting, warranties, security, data protection and liability (where this can be contractually set).

The potential uses of blockchain are limitless. To date in Portugal, reports of application of DLT/ blockchain technology include issuance of tokens, NFTs, Sports NFTs collections, NFTs marketplaces, hackathon and innovation challenges, development of marketplace for collateralised loans with NFTs, cryptocurrencies exchange and wallet services, data analysis (eg, using cryptography to measure energy consumed by households), copyright licensing and registration, municipal licences, registration of title of investment units in UCITs, creation of a pilot blockchain platform to manage the distribution of investment funds, development of an energy marketplace, and access to real estate information. However, a lot of projects are still at an early stage of either conceptualisation or development.

In the financial services’ sector there are still few initiatives originating in Portugal and very few that are sponsored by legacy players, even though this is one of the most obvious areas of application of blockchain technology. Nonetheless, it is worth mentioning some activity undertaken by Portuguese related start-ups in businesses such as cryptocustody, blockchain and cryptocurrency research platform and digital currency payment platforms. However, from the more traditional side, Portuguese market participants are accessing services enabled on the blockchain at a trial level.

Banco de Portugal, in its capacity as both central bank and national competent authority for the supervision of credit and payment institutions, and CMVM, the Portuguese securities market commission, have shown that they are watchful of this reality and mostly following EU’s agencies and EU’s authority and guidelines in this context. Most of the Portuguese regulators’ announcements and press releases concern cryptocurrencies, which are one of the blockchain enabled assets that yield the most attention from the public and pose greater risks to market supervision and consumer protection.

In any case, the regulators’ watchdog approach consists of public warnings (which mostly follow ESAs warnings on ICOs), recommendations and guidelines to interpretation of the existing legal framework and how it may apply to certain activities, and both regulators have clarified that they will not take any immediate steps to regulate cryptocurrencies, tokens or blockchain technology (with the exception of anti-money laundering laws, which follows the EU directive).

In addition, there is a wide recognition from the regulators that technology must have enough room to develop and that excessive regulation or inadequate regulation may hinder improvements to the industry and to citizens. For this reason, there is no specific legislation focusing on blockchain or blockchain enabled technology or assets in Portugal. This is likely to be maintained until such time there is a coordinated EU regulatory approach to this reality, or as may result from the EU’s agenda in this context and sponsored initiatives.

The qualification of blockchain assets varies in accordance with their underlying structure and the rights and obligations that they may attribute to their holder. There is no official classification of blockchain assets, and the main qualification is made between utility type tokens, security type tokens and cryptocurrencies (see 12.7 Virtual Currencies), although most often tokens will have hybrid characteristics by combining features of each of the main types.

Following this classification, utility tokens are regarded as being akin to a consumption functionality and security tokens are investment like instruments. Understanding if a token is analogous to a financial instrument will have to be assessed on a case-by-case basis by analysing the entitlements that the asset provides to its holder. Notably how the asset performs in relation to another underlying reality, how the asset is transferred, how its value is accounted for, if there is a market and liquidity for the asset, what are the nature of the claims the assets’ holder can have over its issuer and how legitimate is the holder’s expectation of future returns and/or added value from the initial investment.

For utility type tokens, although there is no specific regulation in force that applies to them (which can change if the European Regulation on Markets in Crypto-assets comes into effect), it can be argued that, if they fall within the relevant scope of application, there is no reason to exclude them from consumers’ law in relation to the sale of goods or services, e-commerce protection and general principles and rules of contractual law and civil law (eg, defaulted goods or services, misrepresentation, breach of contract and fraud). Nonetheless, the cross-border nature of most transactions will make this very difficult to enforce.

Security/Investment Tokens

In relation to security/investment type tokens, CMVM noted that tokens can be qualified, on a case-by-case basis, as (atypical) securities under Portuguese law. The CMVM has issued guidelines to assess whether or not a specific token may become subject to securities regulation and which consists of the following criteria:

• can the asset be regarded as a “document” whether represented in dematerialised (book-entry) or physical form that is representative of one or more rights of private and economic nature that are homogenous and tradeable in a market; and
• given its particular characteristics, is the asset similar to typical securities under Portuguese law.

For the purpose of verifying the second item, the CMVM will take into account any elements, including those made available to potential investors (which may include any information documents, eg, white paper) that describe the issuer’s obligation to undertake any actions from which the investor may draw an expectation to have a return on its investment, such as to grant the right to any type of income (eg, the right to receive earnings or interest) or undertaking certain actions, by the issuer or a related entity aimed at increasing the token’s value (eg, airdrops, burns or repurchase commitments).

Initial coin offerings (ICOs) or token offerings are not subject to any specific regulation under Portuguese law. However, the CMVM has announced the need for all entities involved in ICOs to assess the legal nature of the tokens being offered, notably their potential qualification as securities with the automatic application of securities and financial market laws as a consequence. ICOs that aim to offer tokens that represent certain rights and/or economic interests in a venture with a view to obtaining future returns (eg, right to take part in the profits of a venture, project or company or currency-type tokens) may potentially be qualified as securities and cross over to securities’ intensively regulated world becoming subject to existing securities regulations, including public offerings of securities and/or securities trading venues.

In this respect, ESMA has published advice on initial coin offerings and crypto-assets and advises on the potential application of:

• the Prospectus Regulation (Regulation (EU) 2017/1129, as amended);
• the Transparency Directive (Directive 2013/50/EU);
• the Markets in Financial Instruments Directive (Directive 2014/65/EU);
• the Market in Financial Instruments Regulation (Regulation (EU) No 600/2014) and respective implementing acts;
• the Market Abuse and Short-Selling Regulation (Regulation (EU) No 596/2014 and Regulation (EU) No 236/2012);
• the Settlement Finality Directive (Directive 2009/44/EC);
• the Central Securities Depository Regulation (Regulation (EU) No 909/2014); and
• the Alternative Investment Fund Managers Directive (Directive 2011/61/EU).

At present there is no specific regulation put in place designed to govern blockchain asset trading platforms and the existing Portuguese market trading platforms – regulated markets, multilateral trading facilities, organised trading facilities and systematic internalisers – are not prepared to enable trading of blockchain assets.

However, in case a platform intends to allow its users to trade any crypto-asset that qualifies as a transferable security or financial instrument, or receives, transmits, or execute orders on behalf of its users in respect of those same instruments, that platform will need to register in advance before the CMVM in order to apply for an investment firm’s licence and procure an authorisation to be able to perform one or more of those activities, being subject to the respective regime, as set out in the Portuguese Securities Market Code and the Portuguese Investment Firms Regime.

There is no particular set of rules applying to funds that invest in blockchain assets in Portugal, other than what results from the existing legal framework applicable to investments in non-financial intangible assets. At the EU level, ESMA has noted the potential application of the Alternative Investment Fund Managers Directive to certain ICOs, and the CMVM has noted that the investment in crypto-assets through funds can only be performed by specialised alternative investment funds and collective investment undertakings in non-financial assets. 

The possible application of the Undertakings for Collective Investment in Transferable Securities Directive (Directive 2009/65/EC) should also be taken into consideration, when a token offering may be regarded as a collective investment scheme as such term is defined in UCITS.

Virtual currencies are defined as a “digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically”, in Directive (EU) No 2015/849, of 20 May 2015, as amended by Directive (EU) No 2018/843, of 30 May 2018, which has been transposed into the Portuguese law that establishes anti-money laundering measures and prevention of terrorist financing, approved by Law No 83/2017, of 18 August 2017.

Cryptocurrencies do not have legal tender and do not qualify as fiat currency. Therefore, these assets are not treated as money (or, in principle, electronic money). Nevertheless, they are seen as an alternative private payment method that has a contractual nature with characteristics that somewhat replicate some of the core traits of traditional money:

• storage of value;
• unit of account; and
• medium of exchange.

Cryptocurrencies can become subject to securities regulation if they also qualify as security/investment type tokens.

Virtual asset service providers dealing with virtual currencies are now required to register with Banco de Portugal for the purposes of AML compliance and oversight. Virtual asset service providers are any natural or legal person who conducts as a business one or more of the following activities or operations for or on behalf of another natural or legal person:

• exchange between virtual assets and fiat currencies;
• exchange between one or more forms of virtual assets;
• transfer of virtual assets; and
• safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets.

Decentralised finance is not currently defined or regulated under any specific legal framework in Portugal. DeFi is regarded as the use of decentralised ledgers often based on blockchain technology to undertake financial transactions (eg, virtual asset swaps, providing liquidity to liquidity pools, staking virtual assets, trading derivatives in decentralised trading platforms and decentralized lending and borrowing).

Despite not being regulated under a particular legal act, it is important to note that, depending on the nature of the activity and asset, certain existing rules applicable to financial markets, securities and financial instruments, crowdfunding, among others, may apply in principle to the activity or the asset.

Notwithstanding, in the European Commission’s proposal for a Regulation on Markets in Crypto-assets of 24 September 2020, the European Commission has identified a number of challenges and obstacles to applying existing rules to certain financial instruments or security tokens and trading venues that are based on decentralised exchanges and permissionless DLT networks, since existing legislation was designed with the scope of traditional financial services and instruments in mind and is not fully technology neutral.

The European Commission has also advanced a proposal for a Regulation on a pilot regime for market infrastructures based on distributed ledger technology that aims to allow a common use of DLT technology in the trading and post-trading of crypto-assets that qualify as financial instruments, which hopefully will allow firms to exploit the full potential of blockchain, DLT and crypto-asset, while ensuring financial stability.

There are no specific provisions addressing the regulation of non-fungible tokens. These assets are generally regarded as a sub-type of utility token that may warrant liability vis-à-vis consumers, as with other digital goods. In any event, Portuguese authorities are driven by a substance over matter approach which means that NFTs that bear hybrid characteristics to securities can be requalified as a security token, in which case it will be caught by regulatory restrictions. Additionally, it is not clear if NFTs are included in the definition of virtual assets relevant for the application of AML laws, but at the moment NFT marketplaces are not being treated as VASP.

Portugal has transposed PSD2 into national legislation and PSD2 grossly aims to fully harmonise PSD2’s provisions throughout member states. Therefore, Portugal’s open banking initiatives consist of those introduced by PSD2 (including, account information service providers and payment initiation service providers) by making it easier for customers, banks and other third-party service providers to securely share data with each other and by increasing payment services users’ experience through more convenient payment management across different banks via centralised platforms, enabling more effective cash management.

In Portugal, market participants have now adjusted to Commission Delegated Regulation (EU) No 2018/389 of 27 November 2017 supplementing Directive (EU) No 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, which came into force on 14 September 2019.

Customer Level

On a more immediate customer level, effects of PSD2 and of the Commission’s Delegated Regulation have been felt through the introduction of new services such as immediate payment transfers, a stronger sense of security in payment transactions, centralised access to accounts’ information and easier payment solution methods.

Market Level

On a market level, PSD2 has put pressure on incumbents to step-up their strategy and vision in providing payment services, driving some banks to internally procure to develop new projects aimed at exploring new opportunities introduced by PSD2 and others to seek new partners, particularly in the technological segment. Fintechs have been rising and most are trying to scale cross-border leveraging out of their digital presence and EU’s basic freedoms which allows them to passport their services to a wider customer base. Market participants in Portugal have been following this trend and competitiveness has increased as new enterprises seek payment services provider licences and registration with Banco de Portugal.

Security concerns regarding open banking, privacy and data security must be dealt with by taking into consideration, among other legislation, Regulation (EU) No 910/2014 of the European Parliament and of the Council, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market. A significant measure to mitigate security concerns and increase trust in APIs is the requirement of qualified certificates (ie, for electronic seals and web access). In addition, data that is shared between payment service providers is limited to that strictly necessary for the payment service that is taking place, which limits the risk of misuse and mismanagement of personal data.

On a market note, this is a segment where a lot of technological firms are taking the lead and offering banks and other financial institutions with solutions to enable them to comply with the ever-growing legislation without the significant cost in R&D.