1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

There is no general framework governing fintech in Portugal. Therefore, the regulatory treatment of players in the Portuguese fintech space depends on the legal qualification of the different types of companies and the products and services they offer.

The main legal and regulatory frameworks applicable to fintech companies are those relating to payment and e-money services and crowdfunding.

As regards payment services, the main categories of fintech companies are payment service institutions and e-money issuers, both of which are regulated under Decree-Law 91/2018 enacting the Payment Services and E-Money Legal Framework (PSEMLF), which transposed the EU Second Payment Services Directive (2015/2366) into Portuguese law. The PSEMLF also introduced the necessary regulation for third-party providers such as payment initiation service providers and account information service providers to enter the Portuguese market.

Additional sectoral regulations apply to certain entities, depending on the scope of their services and activities.

Crowdfunding and service providers (including crowdfunding platforms) are locally regulated by:

  • the Crowdfunding Law (102/2015) and Law 3/2018, setting out sanctions for violations of the Crowdfunding Law; and
  • Portuguese Securities Market Commission (CMVM) Regulation 1/2016.

Apart from local laws and regulations, fintech activities are also subject to broader EU-level legal frameworks, such as the EU Crowdfunding Regulation (2020/1503).

1.2 Do any special regimes apply to specific areas of the fintech space?

Yes. Please see question 4.1 for a more detailed analysis of each of the fintech areas covered by specific legal regimes in Portugal.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

Fintech regulation and supervisory oversight are split between two competent authorities, depending on the scope of the matter and the relevant activities – notably, whether they involve payment/e-money services or crowdfunding services.

The Bank of Portugal (BoP), Portugal's central bank, is the financial services regulator responsible for overseeing the banking and financial sector. Banks, credit and mortgage credit institutions, and payment and e-money institutions regulated under the PSEMLF, fall under its supervision. The BoP is also responsible for:

  • authorising and registering entities that wish to provide payment services or to register as a payment institution or e-money institution; and
  • authorising and overseeing third-party providers.

In the context of the PSEMLF (and other broader financial services regulations), the BoP is the competent authority for the enforcement of the applicable regulatory duties. It has investigative and behavioural supervisory powers, as well as the ability to impose fines ranging from €3,000 to €5 million, depending on the seriousness of the offence.

In addition to pecuniary sanctions, the BoP is competent to apply ancillary sanctions, including:

  • seizure and confiscation of the economic proceeds of the offence;
  • publication of the final sentence;
  • suspension of the exercise of voting rights conferred on members of payment institutions or e-money institutions for a period of between one and 10 years;
  • disqualification from holding corporate positions and administrative, managerial, directorship or leadership positions in credit institutions, financial companies, payment institutions and electronic money institutions, for a period of between six months and three years; and/or
  • a full or partial ban, for up to three years, on engaging in the business of providing payment services or issuing electronic money.

As far as crowdfunding is concerned, the CMVM oversees all securities market-related business and activities, as well as crowdfunding activities, including the registration and authorisation of crowdfunding platforms and their related activities. The CMVM also jointly oversees, together with the BoP, securities market activities performed by entities that fall under the BoP's scope of supervision.

The BoP was also recently appointed as the national competent authority for anti-money laundering and terrorist financing oversight of crypto-asset service providers. Although crypto-assets are not legally recognised in Portugal, service providers operating in the crypto industry are nonetheless bound to register with the BoP for anti-money laundering purposes.

A specific sanctioning regime applies to crowdfunding based on Law 3/2018, which provides that the entity responsible for legal enforcement is the CMVM. As such, in addition to the regulatory and supervisory powers granted under the Portuguese crowdfunding regime, the CMVM may impose fines ranging between €2,500 and €1 million, depending on the seriousness of the offence.

The CMVM also has the power to impose ancillary sanctions, such as:

  • seizure and confiscation of the economic proceeds of the offence;
  • temporary interdiction of the offender's exercise of the profession or activity to which the offence relates;
  • a prohibition on exercising any administrative, management, direction, leadership or supervisory functions and, in general, representation in entities that are subject to supervision by the CMVM;
  • publication by the CMVM, at the expense of the offender and on publicly accessible websites for the purposes of general prevention of the legal system and protection of the securities markets or other financial instruments, of the sanction imposed; and
  • cancellation of the registration required to undertake crowdfunding activities.

1.4 What is the regulators' general approach to fintech?

Please see question 8.1. The Portuguese regulators' approach to fintech is twofold:

  • On the one hand, the regulators are responsible for the supervision and legal enforcement of the provisions that currently regulate the fintech space in Portugal (eg, crowdfunding and payment-related services).
  • On the other hand, the regulators have been encouraging and supporting the emergence of technological innovation hotspots in the financial sector – notably by promoting and participating in associations aimed at developing platforms and initiatives to help companies, start-ups and banks, among others, comply with the necessary regulatory requirements to establish themselves as fintech players.

1.5 Are there any trade associations for the fintech sector?

Two trade associations serve as contact platforms for companies, stakeholders and interested parties involved in the fintech industry in Portugal:

  • Portugal Fintech, established in 2016, has created the Fintech House – an incubator aimed at:
    • facilitating networking opportunities among players in the fintech, insurtech, regtech and cybersecurity markets; and
    • bringing entities into contact with regulators through a physical space (which also accepts virtual membership), while also promoting direct contact with up-and-coming companies and start-ups, as well as more established companies, alongside legal and business consultancy.
  • The Fintech and Insurtech Association, also created in 2016, supports technological innovation in the insurance market.

In parallel, Portugal FinLab – a joint initiative of the BoP, the CMVM and the Portuguese insurance regulator – is an acceleration programme aimed at start-ups and other seed-stage fintech companies, which provides a more company-friendly channel of communication with regulators, fostering direct contact.

For initiatives driven by public authorities and regulators, see question 8.1.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

In line with the existing regulatory framework, the most embedded sub-sectors of the fintech industry in Portugal are:

  • payment services;
  • electronic money institutions; and
  • crowdfunding.

Despite the lack of an applicable legal regime, other influential fintech sub-sectors include:

  • crypto-asset services;
  • insurtech; and
  • alternative funding and credit granting activities outside the scope of traditional credit institutions (eg, 'buy now, pay later' services and peer-to-peer lending).

Recent and anticipated developments at the EU level include:

  • the Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, amending Directive (EU) 2019/1937; and
  • the recent enactment of both:
    • the Regulation of the European Parliament and of the Council on a Pilot Regime for Market Infrastructure Based on Distributed Ledger Technology; and
    • the Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector, amending Regulations (EC) 1060/2009, (EU) /2012, (EU) 600/2014 and (EU) 909/2014.

As a result, we anticipate that the Portuguese crypto industry will continue to gain traction, and that both existing and new players will develop and establish themselves in Portugal.

2.2 What products and services are offered?

A considerable variety of fintech services and products are offered in Portugal.

The trends to date have been very much associated with the fields that are currently regulated – that is, payment services and electronic money institutions. Their offerings comprise:

  • digital accounts;
  • payments and transfers;
  • the use of technological resources to apply for online credit and to carry out home banking and open-banking operations; and
  • crowdfunding.

Other products on the market relate to the use of digital platforms through blockchain to:

  • contract insurance;
  • access financial brokerage channels; and
  • in particular, access personal finance platforms (including both the trading of securities in capital markets and the trading of cryptoassets).

2.3 How are fintech players generally structured?

According to a Bank of Portugal (BoP) report issued in January 2021, there is no uniform pattern in the structure of payment institutions, electronic money institutions and fintech entities operating in Portugal. Even so, 90% of payment institutions and electronic money institutions do not belong to any financial group, with other fintech entities aligning with this trend; and the vast majority have up to 100 employees, with several of them regarded as start-ups.

In addition, most of these institutions/entities follow the business-to-business (B2B) model, where services are provided to legal persons other than the end client of the financial services; only 20% have a business-to-consumer business model, where services are provided directly to the end client.

2.4 How are they generally financed?

Most fintech players in Portugal are not financed through banking credit, as the conditions would be highly onerous in a business sector in which many are considered start-ups. Instead, they depend on their own funds and capital in the initial stages of development.

In this sense, venture capital financing sources are frequently used, such as funds and business angels (individual investors) that operate through investment rounds in exchange for participation in the shareholder structure of these fintech players.

Nevertheless, the entities and business segments associated with larger, more traditional corporate groups may be financed directly by them, or (more rarely) by credit institutions.

2.5 How are they positioned within the broader financial services landscape?

As mentioned in question 2.3, most fintech players in Portugal operate under the B2B model, where services are provided to legal entities that are not the end consumers of the services. This means that they currently assume a supporting role for businesses developed by companies, credit institutions or financial institutions – a trend which has been driven by the regulatory framework that is currently in force.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

According to a BoP report of January 2021, 35% of fintech companies operating in Portugal outsource back-office functions and there is an informal market for acquiring these types of services (eg, IT and logistics functions).

Although there is no specific outsourcing regime in Portugal, this is allowed under the Labour Code (Law 7/2009) through the establishment of open-ended or fixed-term contracts. An outsourcing company may use temporary workers, just like any other company.

In 2019 the European Banking Authority published its Guidelines on Outsourcing, which set out (in light of several EU Directives) a number of recommendations, such as the following:

  • Carry out due diligence procedures prior to outsourcing;
  • Identify conflicts of interest; and
  • Establish audit and compliance procedures.

This notwithstanding, if the services provided are of a regulated nature, the general European framework for the outsourcing of financial services must also be taken into account.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

Several rules are relevant to the provision of fintech products and services to consumers in Portugal through e-commerce platforms.

The Regulation of the European Parliament and of the Council on a Single Market for Digital Services and amending Directive 2000/31/EC – known as the Digital Services Act (DSA) – has updated and harmonised the obligations and accountability regime for digital intermediaries according to:

  • their size;
  • the nature of their services; and
  • their impact on the digital ecosystem.

The DSA adopts a risk-based approach. It applies to providers of intermediary services offered to recipients whose place of establishment is within the European Union or which are located in the EU, irrespective of the place of establishment of the service provider. As such, depending on the characteristics of the fintech provider, it may be subject to the horizontal and (most probably) the platform-specific obligations set out in the DSA.

The Consumer Protection Framework is also applicable to fintech products and services made available to consumers based in Portugal, including:

  • the Distance and Off-Premises Law (Decree-Law 24/2014);
  • the E-commerce Law (Decree-Law 7/2004);
  • the Digital Goods, Content and Services Law (Decree-Law 84/2021); and
  • the General Contractual Clauses Law (Decree-Law 446/85).

Lastly, fintech providers based and operating in Portugal must make available an electronic complaints books, in line with the Complaints Book Law (Decree-Law 156/2005).

These horizontal rules are complemented by sector-specific laws applicable to financial products and services which aim to protect individual investors/consumers, such as the Contracts at a Distance for Financial Services Law (Decree-Law 95/2006).

The consumer/investor protection framework requires the provision of minimum pre-contractual information to consumers/investors in the terms and conditions/terms of use. This includes information about:

  • the entity providing the product/service; and
  • the characteristics of the product/service;

All relevant contractual and pre-contractual information must be provided in the Portuguese language in a clear and understandable manner.

There is no specific law on the advertising of fintech products and services. The primary law applicable to advertising, irrespective of the sector and channels of communication in question, is the Advertising Code (Decree-Law 330/90). The Unfair Commercial Practices Law (Decree-Law 57/2008) also aims to protect consumers, competitors and other market stakeholders from unfair commercial practices, including misleading and false advertising. The Advertising Code and the Unfair Commercial Practices Law:

  • apply to advertising addressed to consumers in Portugal, regardless of the means, form and content; and
  • set out the general criteria to assess whether an advertising practice is deceptive or misleading.

According to the Advertising Code, the following parties may be held individually or jointly liable for deceptive advertising and for any damages caused to third parties as a result of the dissemination of illicit advertising:

  • advertisers (ie, entities on whose behalf the marketing communication is conveyed);
  • advertising professionals (ie, natural persons who carry out advertising activities); advertising agencies (ie, legal persons whose exclusive purpose is the exercise of advertising activities);
  • any other entity that carries out advertising activities; and
  • the owner of the respective advertising medium or the respective concessionaire.

In addition, sector-specific rules impose restrictions on the advertising and marketing of financial products and services. More specifically, Bank of Portugal (BoP) Notice 10/2008, which applies to credit institutions and financial companies, specifies the application of the general principles of the Advertising Code regarding the advertising and marketing of financial products and services, and includes specific rules for the advertising of credit products to consumers.

Furthermore, the Unauthorised Financial Activity and Protection of Consumers Law (78/2021):

  • prohibits the advertising of financial products and services by unauthorised entities; and
  • sets forth obligations for both advertising agencies and websites or similar platforms.

Once the Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, amending Directive (EU) 2019/1937 ('MiCA Regulation') comes into force, these obligations will be extended to the advertising of crypto-assets.

Both the horizontal rules and the sector-specific rules discussed above require that any advertising targeting Portuguese consumers – including in relation to financial products and services – be provided in the Portuguese language, even if it is also made available in another language.

Lastly, any direct marketing electronic communications regarding financial products and services should be:

  • subject to the explicit consent of the consumer/investor, as per the laws mentioned above; and
  • in line with:
    • the EU General Data Protection Regulation (2016/679); and
    • the e-Privacy Law (41/2004).

(b) Mobile (m-commerce)

There are no specific laws and regulations regarding m-commerce. Please see question 3.1(a), as the same rules apply to m-commerce.

(c) Big data (mining)

For more information on the data protection framework in Portugal, please see question 5.1.

Without prejudice to the privacy and data protection framework, the following EU regulatory initiatives are of particular importance with respect to big data:

  • the Proposal for a Regulation of the European Parliament and of the Council on European Data Governance, which will apply from September 2023;
  • the Proposal for a Regulation of the European Parliament and of the Council on Harmonised Rules on Fair Access to and Use of Data; and
  • the Common European Data Spaces Initiative, with the Proposal for a Financial Data Space expected during 2023. This initiative was originally expected in 2022, as per the Communication of the European Commission on Common European Data Spaces; while the Financial Data Space was one of the strategic objectives set out in the EU Digital Finance Strategy. The Report on Open Finance by the Expert Group on a European Financial Data Space was published on 24 October 2022.

These data-related regulatory initiatives form the three pillars of the EU Data Strategy. They aim to:

  • ensure that data can circulate within the European Union and across sectors;
  • ensure that high-quality data is available to foster innovation and the training of EU artificial intelligence (AI) systems in key sectors, such as finance;
  • ensure compliance with EU rules and values; and
  • establish fair, practical and clear rules on data access and use, including data governance mechanisms across the European Union.

(d) Cloud computing

Without prejudice to any data protection concerns relating to the use of cloud computing in the banking and finance sector, there are no specific rules applicable to cloud computing in Portugal.

However, the European Banking Authority Guidelines on Outsourcing Arrangements are applicable to cloud computing products and services where these pertain to the outsourcing of critical or important activities of financial institutions. The BoP is responsible for monitoring compliance with the guidelines. In this regard, the BoP has issued Circular Letter CC/2019/00000065 of 15 October 2019, which further highlights the importance of compliance with the guidelines.

(e) Artificial intelligence

For big data related to AI, please see question 3.3. For the data protection framework in Portugal, please see question 5.1.

As yet, there are no AI-specific laws in Portugal. However, any EU-wide regulatory or policy initiatives will have an impact on AI regulation in Portugal. As such, once finalised, the Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence – the Artificial Intelligence Act (AIA) – will be directly applicable in Portugal. The current wording of the AIA allows for the adoption of possible derogations by member states (eg, regulatory sandboxes; designated national authorities for notification and supervision; authorisation of certain uses of high-risk AI systems). Following the entry into force of the AIA, it is expected that the Portuguese legislature will publish an implementing act.

Moreover, in relation to liability, the Proposal for a Directive on Liability for Defective Products and the Proposal for a Directive on Adapting Non-contractual Civil Liability Rules to Artificial Intelligence will be horizontally applied to AI systems, irrespective of the sector (with some exceptions). As such, they may be applicable to AI-powered fintech products and services. Once the directives have been finalised, the Portuguese legislature will have up to two years after their entry into force to transpose them into national law.

In addition, since 2015 the European Supervisory Authorities have been issuing various reports on the use of AI in fintech and on automation in financial advice. More importantly, the European Securities and Markets Authority's Final Report Guidelines on the suitability requirements of the Second Markets in Financial Instruments Directive (2014/65/EU), which were published on 23 September 2022 following public consultation, set out specific recommendations for entities that use AI to provide robo-advice, including on:

  • the provision of minimum information to consumers/investors regarding the use of robo-advice and human intervention; and
  • the format in which such information should be provided.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Blockchain and distributed ledger technology (DLT): Blockchain and DLT-related technologies are not subject to regulation in Portugal. Reaffirming the technology-neutral approach of EU and national regulations, the recent Regulation of the European Parliament and of the Council on a Pilot Regime for Market Infrastructure Based on DLT – which will be directly applicable in Portugal – allows for the issuance and operation of financial instruments based on DLT. The market infrastructure for the purposes of this regulation comprises:

  • DLT multilateral trading facilities;
  • DLT settlement systems; and
  • DLT trading and settlement systems.

Nonetheless, at the time of writing, there is still no registered DLT market infrastructure operating in Portugal.

Cryptocurrencies: Cryptocurrencies are not currently subject to regulation in Portugal. However, following the final approval and entry into force of the MiCA Regulation, which will be directly applicable in Portugal, cryptocurrencies and players in the crypto space will be regulated by either the Portuguese Securities Market Commission or the BoP, depending on the type of crypto-asset and the nature of the issuer.

Under the Anti-money Laundering (AML) Law (83/2017), which transposed the EU Fifth Anti-Money Laundering Directive, entities operating with virtual assets are subject to certain AML obligations and must register with the BoP before commencing operations in Portugal.

Moreover, if cryptocurrencies or other crypto-assets are considered to be security tokens, the application of both national and European securities regulations will be triggered.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

Alternative finance activities are regulated at the national level under the crowdfunding legal framework and fall under the regulatory supervision of the Portuguese Securities Market Commission (CMVM). Crowdfunding is regulated by the Crowdfunding Law (102/2015), with Law 3/2018 setting out the sanctions for violation of the Crowdfunding Law.

This regime is complemented by CMVM Regulation 1/2016, which sets out the relevant application requirements and the procedures for obtaining and maintaining a valid licence to operate a crowdfunding platform (either equity or debt). Before they can start operating, crowdfunding firms must register with, and be authorised by, the CMVM. The following documents must be included in the application:

  • the applicant's corporate details;
  • its structure and beneficial ownership;
  • the managers' identification and 'fit and proper' documentation;
  • the business plan and model;
  • an indication of whether the firm should be considered a financial intermediary or an agent of a financial intermediary; and
  • evidence of compliance with the minimum financial requirements. After registration, these minimum financial requirements are:
    • a minimum share capital of €50,000;
    • an insurance policy covering at least €1 million per claim and at least €1.5 million in aggregate claims per year; or
    • a combination of both that ensures sufficient similar coverage.

Where relevant, the additional requirements arising from the entry into force of the EU Crowdfunding Regulation (2020/1503) on 10 November 2021 are also directly applicable in Portugal; although in this regard, it remains to be seen whether the CMVM will be appointed as the competent national authority under this regulation, as national law in that respect is yet to be enacted. As the market develops and the number of market players increases, peer-to-peer funding alternatives offered by crowdfunding platforms will become more sophisticated in the medium to long term.

(b) Online lending and other forms of alternative finance

Online lending and other forms of alternative finance are regulated by:

  • the Consumer Credit Regime (Decree-Law 133/2009);
  • the Law on Distance Contracts (Decree-Law 24/2014); and
  • the Law on Distance Contracting of Financial Services (Decree-Law 95/2006).

As these constitute forms of lending activity, they are regulated by the Bank of Portugal (BoP).

Under the Consumer Credit Regime, online lenders must comply with all legal requirements set out in the law, such as the obligation to:

  • provide consumers with detailed pre-contractual information, including the total cost of credit, the annual percentage rate and the repayment terms;
  • provide clear and concise information in all advertising;
  • allow consumers to cancel a credit agreement within 14 days of signing; and
  • assess the creditworthiness of consumers to ensure that they can afford to repay the loan.

The Law on Distance Contracts also contains several provisions on contracts concluded away from business premises, which include:

  • the right of withdrawal as described above; and
  • consumer information requirements, such as:
    • a description of the trader;
    • the characteristics of the product to be acquired; and
    • the price.

Many of these contracts are prepared using standard drafts and are intended for mass consumption. Mandatory rules that apply in such cases are set out in the Law of General Contractual Clauses (Decree-Law 446/85), which applies to contracts that are entered into online.

Finally, the Law on Distance Contracting of Financial Services has very similar provisions to the consumer protection regimes described above, with the nuance that the information requirements are more specific insofar as they relate to financial services. Among other things, they include the following:

  • a description of the main characteristics of the financial service;
  • specification of either:
    • the total price payable for the financial service by the consumer to the supplier, including all commissions, charges and expenses, and all taxes paid via the supplier; or,
    • if an exact price cannot be indicated, the basis for the calculation of the price enabling the consumer to verify it;
  • an indication of the possibility that other taxes or costs may exist that have not been paid or imposed by the supplier;
  • the additional costs arising for the consumer from the use of means of distance communication, where such additional costs are charged;
  • the period for which the information provided is valid;
  • the payment instructions;
  • an indication of whether the financial service relates to instruments involving special risks due to their characteristics or the operations to be executed; and
  • an indication that the price depends on fluctuations in the financial markets outside the control of the supplier, and that past performance is not indicative of future results.

The financial services that may be provided in this way are not limited to the granting of credit, but rather cover a variety of products marketed by financial intermediaries; and as such, their supervision also involves the CMVM and the Portuguese Insurance Authority (ASF).

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)

The regulatory treatment of fintech companies in Portugal depends on the exact legal nature of the products and services that they offer. The main legal and regulatory concerns in terms of fintech relate to payment services and e-money activities, as well as crowdfunding platforms.

As outlined in question 1.1, the two main categories of fintech companies are payment services institutions and e-money issuers. These are both regulated under the Payment Services and E-Money Legal Framework (PSEMLF), which transposed the EU Second Payment Services Directive. The PSEMLF also set out the requirements for payment initiation service providers (PISPs) and account information service providers (AISPs) to enter the Portuguese market.

The PSEMLF further sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers, as well as PISPs and AISPs, which are all subject to the BoP's supervision. To this end, specific mandatory legal documentation must be filed with the BoP, including:

  • the draft bylaws;
  • the business plan;
  • a share capital commitment;
  • the corporate structure and beneficial ownership;
  • the managers' identification and 'fit and proper' documentation; and
  • corporate governance and internal compliance models and procedures.

The minimum statutory share capital requirement currently ranges from:

  • €20,000 to €125,000 for payment institutions (depending on the type of services provided); and
  • a minimum of €350,000 for e-money institutions.

PISPs must have a minimum statutory share capital of €50,000; and AISPs must take out an insurance policy or other similar guarantee scheme covering their activities in the Portuguese territory in case of breach or unauthorised access to data. All marketing and advertising activities carried out by these entities must abide by the general rules applicable to marketing and advertising by banks and other financial institutions. Among other requirements, all marketing and advertising products and materials must:

  • clearly identify the offering or advertising entity; and
  • ensure that the main features and conditions of the marketed products or services are easily understood by targeted consumers.

The PSEMLF establishes an extensive list of products and services that may only be offered by payment or e-money institutions, as well as by PISPs or AISPs. This means that in practice – considering the nature and business model of most fintech companies, and the services offered – they will have to qualify as one of these entities under Portuguese law and request authorisation to this effect when registering with the BoP.

Payment and e-money institutions based abroad may render their services in Portugal subject to prior authorisation and registration with the BoP. The applicable requirements and procedures may vary according to the state of origin. Entities based in EU member states can choose to render their services in Portugal:

  • through a branch registered in Portugal;
  • through authorised agents based in Portugal (notably in relation to e-money distribution); or
  • on a freedom to provide services basis.

If the entity is based in a third-country state, it must incorporate a branch or, alternatively, a subsidiary legal entity in the Portuguese territory (by following the relevant, more demanding, procedure).

(d) Forex

There are no specific regulations relating to the surge in fintechs associated with forex markets. For all intents and purposes, forex is a trading market on an over-the-counter basis, whose brokers must:

  • be authorised by the CMVM under the Securities Code (CVM); and
  • comply with all applicable regulations at both the CMVM and European Securities and Markets Authority level.

More specifically, forex brokers must comply with the duties arising under the Second Markets in Financial Instruments Directive (2014/65/EU) (MiFID II), as well as the Anti-money Laundering Law.

In addition, as the forex market is concerned with the trading of foreign exchange and currency values, the Legal Regime of Economic and Financial Transactions with Foreign Countries and Foreign Exchange Transactions (Decree-Law 295/2003) also applies. This sets forth several legal obligations – in particular, regarding reporting to the competent authorities (in this case, the BoP).

(e) Trading

Financial brokerage is subject to the legal obligations set out in the CVM and MiFID II, and more recently in the Investment Company Regime (Decree-Law 109-H/2021), which establishes the legal requirements for the authorisation, licensing, establishment and operation of investment and trading companies (as financial intermediaries).

These requirements are generally applicable to more traditional players, and no material differences exist regarding fintech companies when providing regulated activities such as trading and brokerage services to the general public.

(f) Investment and asset management

The Portuguese securities market is regulated by the CVM, which incorporates the changes resulting from MiFID II and the securities and capital markets-related regulatory framework. There are currently no regulations on the use of fintech-specific services in the securities market; although entities engaging in investment and asset management services (as well as any regulated services pertaining to securities or investment services) should abide by the general regulatory framework applicable to those assets and services, regardless of whether they are provided on a fintech basis or on a traditional basis.

All securities market-related activities are subject to the existing securities framework that applies to traditional entities and activities (if they fall within its scope). Certain fintech matters (eg, blockchain and cryptocurrencies) fall outside the scope of the securities laws altogether if the assets to which they relate are not classed as a security or a financial instrument under MiFID II. The CMVM does not regulate crypto-assets and initial coin offerings unless the underlying crypto-asset qualifies as a security (this assessment is made on a case-by-case basis); and in any event until the Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, amending Directive (EU) 2019/1937 comes into play.

(g) Risk management

Most traditional financial services providers develop their own fintech-related initiatives and can thus circumvent the regulatory barriers and hurdles which would otherwise apply to a new company entering this space, given that their banking licence allows them to pursue most fintech activities.

However, traditional financial services firms and fintech firms usually establish partnerships or other joint venture-type arrangements in order to comply with risk management obligations regarding:

  • data protection and data sharing;
  • client ownership;
  • protection of client funds (where applicable);
  • compliance with AML obligations;
  • ownership of technology and partnership goodwill;
  • service-level agreements (SLAs); and
  • associated penalties.

On 25 February 2019, the European Banking Authority (EBA) published its revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), which entered into force on 30 September 2019 and became applicable in Portugal on 31 May 2020 through BoP Circular Letter CC/201900000065. The 2006 Committee of European Banking Supervisors Guidelines on Outsourcing (GL02/2006) and the EBA's Recommendation on Outsourcing to Cloud Service Providers were repealed as a result. Under the guidelines, fintech companies that qualify as investment firms under MiFID II, credit institutions, payment service providers and electronic money institutions must:

  • set up a comprehensive outsourcing framework (including outsourcer due diligence, oversight and audits, and contract management);
  • enter into appropriate (or review existing) arrangements with outsourcers (including SLAs); and
  • maintain an outsourcing register of all outsourcers and outsourced activities.

The guidelines require these institutions to devote particular attention to outsourcing agreements:

  • relating to critical or important functions, especially if the outsourcing concerns functions relating to core business lines and critical functions (as defined in Articles 2(1)(35) and (36) of the EU Bank Recovery and Resolution Directive (2014/59/EU); and
  • identified by institutions using the criteria established in Articles 6 and 7 of EU Regulation 2016/778.

For example, outsourcing agreements must include rules on the sub-outsourcing of these critical or important functions (Section 13.1 of the guidelines).

When assessing whether an outsourcing arrangement relates to a function that is deemed critical or important, entities must take into account (together with the outcome of the ordinary risk assessment outlined in Section 12.2 of the guidelines) at least the following factors:

  • whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which the service provider is authorised;
  • the potential impact of any disruption to the outsourced function or failure by the service provider to provide the service at the agreed service levels on a continuous basis;
  • short and long-term financial resilience and viability, including (if applicable) their assets, capital, costs, funding, liquidity, profits and losses;
  • business continuity and operational resilience;
  • operational risk, including conduct, information and communication technology and legal risks;
  • reputational risks; and
  • where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation.

Entities should also verify the potential impact of the outsourcing arrangement on their ability to:

  • identify, monitor and manage all risks;
  • comply with all legal and regulatory requirements, and conduct appropriate audits of the outsourced function;
  • continue with service provision to clients;
  • limit their aggregate exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
  • manage the size and complexity of any business area affected;
  • switch to another service provider, if necessary or desirable, both contractually and in practice, considering the estimated risks, impediments to business continuity, costs and timeframe for doing so (suitability);
  • reintegrate the outsourced function payment institution (if necessary or desirable); and
  • ensure sufficient levels of data protection and data availability in the event of a confidentiality breach or failure, in terms of the entity's integrity and that of its clients, including compliance with the EU General Data Protection Regulation.

Unregulated fintech companies (ie, providers of unregulated services to institutions that distribute their services to EU branches) must still observe certain outsourcing requirements, such as:

  • complying with the industry's regulatory standards (eg, ISAE 3000 or ISAE 3402);
  • having a sub-outsourcing framework agreement in place; and
  • entering into outsourcing agreements with sub-outsourcing providers.

Under the guidelines, 'outsourcing' means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider, under which the service provider performs a process, service or activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.

(h) Robo-advice

In addition to what is stated in question 4.4, robo-advice may consist of financial intermediation services where such advice targets investment-related services or financial instruments. As such, these services and their providers are also subject to the duties that apply under MiFID II, particularly with regard to suitability (of the technological means used). Fintech companies that wish to offer this type of service must also apply to the CMVM for a financial intermediation licence.

Additionally, robo-advisors must ensure that their algorithms and models are regularly tested and monitored to ensure their accuracy and effectiveness in providing investment advice to clients.

As regards the European approach to this phenomenon, please see question 3.5.

(i) Insurtech

Insurtech activities are not specifically regulated in Portugal. Insurance activities provided on a fintech basis are generally regulated by the ASF at the national level, under the same framework that applies to traditional insurance activities. However, the ASF is actively engaged in insurtech developments and is open to new initiatives (notably through the Portugal FinLab programme).

Insurance and reinsurance activities are governed by the Insurance Legal Framework, approved under Law 147/2015, which sets out the requirements for the authorisation and registration of all insurance companies operating in Portugal, as well as for their prudential supervision. Insurtech solutions and services are generally accepted in the Portuguese market, provided that they comply with the general insurance and reinsurance legal framework.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

The EU General Data Protection Regulation (GDPR) is directly applicable in Portugal, with the GDPR Implementation Law (58/2019) specifying the application of certain provisions in the country. The national supervisory authority is the Portuguese Commission for Data Protection (CNPD).

The CNPD has issued guidelines on data protection which, although not specifically referring to financial institutions or financial data, also apply to fintech services offered in Portugal. These guidelines should be complemented by the guidelines and recommendations of the European Data Protection Board (EDPB) – especially:

  • Recommendation 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transaction; and
  • Guidelines 06/2020 on the interplay between the EU Second Payment Services Directive and the GDPR, which specifically refer to financial data and payment service providers.

In addition, the e-Privacy Law applies to all electronic communications with consumers/investors.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

The Cybersecurity Law (46/2018), which transposed the EU Network and Information Systems (NIS) Directive (2016/1148) into national law, is the main legal instrument regulating cybersecurity in Portugal, together with the Cybersecurity Act Implementation Law (Decree-Law 65/2021) and Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact. The national authority responsible for cybersecurity matters is the National Centre for Cybersecurity.

The Cybersecurity Law will soon be amended following the introduction of the EU NIS 2 Directive (2022/2555). This will be particularly important for entities in:

  • the banking sector – that is, credit institutions, as defined in Article 4(1) of Regulation (EU) 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms; and
  • the financial markets infrastructure sector – that is:
    • operators of trading venues, as defined in Article 4(24) of the Second Markets in Financial Instruments Directive (2014/65/EU); and
    • central counterparties, as defined in Article 2 (1) of Regulation (EU) 648/2012 of the European Parliament and of the Council of 4 July 2012 on over-the-counter derivatives, central counterparties and trade repositories.

Such entities will be required to comply with the new obligations once the NIS 2 Directive has been transposed into national law, which must take place by 17 October 2024.

In addition, the guidelines and recommendations of the CNPD and the EDPB regarding technical and organisational security measures, and the reports of the European Union Agency for Cybersecurity – especially those referring to the financial sector – should be taken into consideration by fintech entities operating in Portugal.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

Fintech companies that are authorised as payment institutions under the Payment Services and E-Money Legal Framework (PSEMLF) and those that fall under the definition of 'electronic money institutions' are bound by the Anti-money Laundering (AML) Law, which transposed the EU Fourth Anti-Money Laundering Directive into national law.

Under the AML Law, these fintech companies must, among other things:

  • apply customer due diligence;
  • report suspicious transactions;
  • store copies of, or the data extracted from, documents supplied by customers in the context of customer due diligence;
  • store customer correspondence and any internal or external documents, records and analysis demonstrating AML compliance; and
  • implement adequate internal policies, procedures, controls and training to prevent money laundering.

The AML obligations for entities managing crowdfunding platforms (regulated under Law 102/2015) are less stringent. These entities need only store records of:

  • the full identities of investors and beneficiaries;
  • the amounts invested (segregated by investor and operation);
  • the full identities of persons that undergo a partial or full depreciation of investments;
  • the amounts of each investor's remuneration, share capital, dividends and profits; and
  • the full identities of beneficiaries and donors, and the donated amounts per donor and per operation, for reward-based and donation-based crowdfunding.

Many compliance issues faced by fintech businesses relate to uncertainty regarding the applicable laws and regulations. The regulatory burden and associated costs can be substantial and may vary significantly depending on the type of activity performed by the fintech business. Where this activity requires a licence or authorisation from the regulatory authorities, the procedures for obtaining these are usually protracted and costly. This often means that the company cannot commence operations until it has obtained the necessary licence or authorisation, causing many firms (notably start-ups) either to go bankrupt, become acquired or seek another (more fintech-friendly) jurisdiction in which to base their operations.

Fintech firms may also struggle with the stringent AML and know-your-customer laws and regulations, which may put excessive strain on an early-stage firm's operations. This may be aggravated by the data privacy and cybersecurity laws and regulations, especially if a fintech business is targeting the consumer market.

In addition, both the PSEMLF and the Crowdfunding Law contain general criminal provisions which apply to companies and their management for certain offences and breaches of regulatory duties that constitute crimes.

This notwithstanding, the regulatory challenges faced by fintech companies are beginning to be addressed and partially smoothed out as regulators become more approachable and sensitive to the concerns of start-ups. A specific example is the promotion of initiatives such as Portugal Finlab.

Bank of Portugal (BoP) Notice 1/2023 was recently published, which:

  • extends the duties under the AML Law to entities that carry out activities with crypto-assets; and
  • defines, among other things:
    • the conditions for the exercise of preventive duties; and
    • the procedures, instruments, mechanisms, application formalities, reporting obligations and other aspects that, at any given time, prove to be adequate and necessary for the adoption of measures allowing or facilitating BoP's assessment of compliance with these preventive duties and other legal obligations.

The notice will enter into force on 15 July 2023.

Finally, as regards the applicable criminal regime, the Criminal Code (Decree-Law 48/95) provides for several crimes against assets (where financial crimes are included), including:

  • money laundering;
  • undue receipt of advantage; and
  • terrorist financing.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

There are no specific regulatory measures on competition issues within the fintech industry. The reason why there has been no targeted legislative focus on competition issues is because the Portuguese Competition Authority identifies competition issues in an externalised manner.

One of the main concerns relates to the late transposition of the EU Second Payment Services Directive, which has meant that fintechs entering the payment services market have been treated differently from credit institutions as third-party providers. This may result in abuse of dominance by existing and more established players. At present, fintech entrants can do business only if they are granted access to the account data and infrastructure (settlement and clearing systems) of the incumbent operators, notwithstanding the existing regulations on open banking.

The situation is different as regards crowdfunding: as this constitutes an alternative financing source, the only points to be highlighted by market stakeholders are regulatory uncertainty and the lack of harmonisation with the European regulatory framework up until recently.

Potential concerns in the future could relate to the use of technologies for the circulation, validation and access of data within the fintech universe, including blockchain and distributed ledger technology (DLT); although a harmonised regulatory regime for the latter is already in place under the Regulation of the European Parliament and of the Council on a Pilot Regime for Market Infrastructure Based on DLT.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

In 2020, the Portuguese government approved Council of Ministers Resolution 29/2020, which establishes general principles for a legislative framework that promotes and facilitates research, demonstration and testing activities, in 'free technology zones', of innovative technologies, products, services, processes and models. The resolution goes beyond the creation of disparate 'regulatory sandboxes', 'innovation spaces', 'experimental spaces' or 'living labs' set up for specific sectors. It adopts an integrated, cross-sectoral approach to experimentation activities, thus reducing the regulatory burden and promoting a culture of innovation.

The Portuguese government is currently drafting primary cross-sectoral legislation for these technology free zones, with the aim of ensuring a common vision for all sectors and areas of activity, while reflecting the specificities of each sector and its regulatory framework, including fintech. Hitherto, the approach of the Portuguese legislature and regulatory authorities to fintech had been somewhat neutral (partly due to the late transposition of the EU Second Payment Services Directive, which was delayed by almost a year).

The Portuguese financial regulators – that is, the Bank of Portugal (BoP), the Portuguese Securities Market Commission (CMVM) and the ASF – established Portugal FinLab to serve as an easily accessible channel of communication between the regulators and entrepreneurs and emerging companies. The programme aims to support fintech businesses in navigating the legal and regulatory challenges that they face. More recently, there has been growing interest in these matters among the regulators, as evidenced by their active participation in fintech conferences and publication of relevant information on their respective websites.

In July 2022, the Portuguese regulators (in partnership with Portugal Fintech) launched the fourth Portugal FinLab competition, in which applicant fintech entities were selected based on their potential to fall under the regulatory competence of at least one of the regulatory authorities (the BoP, the CMVM or the ASF). After the initial pitch day – which involved brief sessions in which the proposed projects were presented and defended – a technical committee set up by the regulatory authorities chose up to five projects for further analysis in light of the criteria defined by the organisation, such as:

  • the need for regulatory support;
  • innovative potential and development phase; and
  • the benefits and risks for the consumer and the financial sector.

The ultimate aim is to help these entities launch in the market.

Meanwhile, Portugal Fintech continues to promote the domestic fintech market by promoting the visibility of early-stage fintech, regtech, insurtech and cybersecurity companies among the legislature, investors, consultants, banks, regulators and other relevant entities. In late 2019, Portugal Fintech launched Fintech House, a unique technological innovation and financial services hub that "aims to be the meeting point of the entire ecosystem". Portugal Fintech also launched the Fintech365 programme to help companies navigate the regulatory challenges faced by the financial sector and accelerate the digital transformation.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Please see question 8.1.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

As there is no specific employment framework for fintech companies, the scope of this question is very broad.

In Portugal, employment relationships are governed by several sources of law, listed below in descending hierarchical order:

  • international sources – notably international conventions concluded by the EU and Portuguese legislatures;
  • the Portuguese Constitution;
  • local law, notably the Labour Code;
  • collective bargaining agreements (CBAs); and
  • repeated labour practices that are not contrary to good faith.

In addition, the employment relationship is governed by the terms and conditions agreed in the individual employment contract and any other ancillary agreements.

A CBA may prevail over the law unless stated otherwise by the latter (ie, the law determines either that it is imperative or that it will yield to a CBA provision that is more beneficial to the employee).

Employment law applies to the relationship established by an employment contract – that is, the contract under which an individual undertakes to provide paid activity on behalf of another person or entity, being subject to its authority and direction.

Employment law provisions on personality rights, equality and non-discrimination, and occupational health and safety also apply in situations where an individual carries out a professional activity for another person or entity without legal subordination, and is considered economically dependent on the latter.

Employment law further distinguishes between:

  • standard employment contracts and special types of employment contracts which are subject to specific rules (eg, term contracts, part-time work, domestic service); and
  • standard employees and special categories of employees who are granted additional protection (eg, student workers; pregnant, postpartum or lactating employees; employees with a disability or chronic illness).

As a rule, employment contracts are not subject to any special form unless otherwise provided by law, given that the rule is that employment contracts are concluded for an indefinite period. However, some employment contracts, such as those listed below, must be concluded in writing:

  • term employment contracts (either fixed term or uncertain term), which require justification of the temporary need for employment – in particular, the relation between the temporary need in question and the duration of the contract. If the justification provided is considered insufficient, the contract will be null and void and will be converted into an indefinite-term contract;
  • employment contracts with foreign employees (which have specific requirements depending on the country);
  • multiple employer employment contracts;
  • part-time employment contracts; and
  • management employment contracts.

Employers must inform their employees in writing of all relevant aspects of their employment contract, including the mandatory information required by law, within 60 days of execution of the contract; this information is normally included in the employment contract.

Portuguese labour law also establishes minimum employment standards, such as:

  • the national minimum wage (€760 in 2023);
  • limits on working time (eight hours per day and 40 hours per week); and
  • the minimum duration of annual leave (22 days).

The causes for termination are only those expressly foreseen in the law, as follows:

  • dismissal during a trial period;
  • expiry of a term contract;
  • dismissal of management-level employees;
  • dismissal for business reasons or unsuitability; and
  • dismissal for just cause or for disciplinary reasons.

Individual and collective dismissals must always be preceded by a formal procedure, which varies depending on the cause for dismissal.

The following categories of employees benefit from increased protection against dismissal:

  • pregnant, postpartum or lactating employees and employees on parental leave;
  • current and former members of the corporate bodies of employees' representation structures and candidates for those positions; and
  • whistleblowers and employees who have reported cases of harassment.

Fintech companies present no specific labour implications, except that, in view of the sector in which these companies operate – and according to the EU Whistleblower Protection Directive (2019/1937) and the transposed national law – they must implement a mechanism for the internal and/or external reporting of irregular practices and breaches of EU law, which may include labour irregularities (eg, harassment cases).

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Taking a more holistic approach, fintech companies should define their benefit plans and labour conditions, as well their salaries, with the aim of remaining competitive with other players in the sector.

Today, classic company benefit plans no longer represent true points of differentiation and retention: employees are seeking competitive remuneration packages that go far beyond the base salary and for opportunities to enhance their work/life balance.

Therefore, companies are generally:

  • investing in increasingly diversified and alternative benefit models for most employees (regardless of personal and family context or age group); and
  • focusing on improving their work environment.

Work/life balance and the promotion of mental health are now key aspects of people management in the employment context. However, company benefit plans should be adapted to the specific reality of each company.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

In respect of future developments in the Portuguese fintech industry, we believe that at least three regulatory points are worthy of mention.

First, we are still witnessing the effects of the late transposition of the EU Second Payment Services Directive (PSD2). We also anticipate that developments in the Portuguese legal landscape will be slower than elsewhere in the European Union in terms of the implementation of any amendments made to PSD2, given the public consultation on this statute launched in May 2022 by the European Commission. We expect that the update to the regulatory framework will extend the scope of application of the legal regime on payment services, which will also require revisions to the Payment Services and E-Money Legal Framework (although this is not expected to occur in 2023). The aim of this reform is to:

  • regulate new products and services;
  • tackle payment fraud; and
  • improve the regulation of access to account information.

As a result, in future, the use of traditional means of payment (in which credit institutions still hold a dominant position) may become fragmented, giving way to a 'free' market for the supply of payment services in the open banking field, where Portugal is still encountering the problems outlined in question 7.1.

There is also considerable anticipation about the regulation of data channelling and circulation infrastructure and activities relating to crypto-assets.

As EU regulations are directly applicable in the Portuguese legal system, the Regulation of the European Parliament and of the Council on a Pilot Regime for Market Infrastructure based on Distributed Ledger Technology ('DLT Pilot Regime') came into force on 23 March 2023. The DLT Pilot Regime only covers transferable securities – that is, crypto-assets considered to be securities under the Second Markets in Financial Instruments Directive (2014/65/EU) (MiFID II) that are issued, transferred and stored using DLT ('tokenised securities'). It does not cover derivatives or money market instruments. In addition, the DLT Pilot Regime grants market operators the possibility to engage directly with end users and admit them directly as users on a DLT multilateral trading facility. It is a sandbox regime and there are certain product-dependent thresholds that a DLT market operator may not exceed.

The DLT Pilot Regime therefore creates a framework for tokenised securities, which are subject to the provisions of MiFID II, to be traded and settled on multilateral trading venues in the future and in a more open environment, as the regulation also foresees the grant of temporary authorisations to investment firms or central securities depositories that will allow them to act in this regard.

Finally, as many crypto-assets are not considered securities or financial instruments, the Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, amending Directive (EU) 2019/1937 ('MiCA Regulation'), is expected to set out a regulatory framework that covers, in a harmonised manner:

  • the licensing and supervision of service providers, such as providers of custodian services or operators of crypto-asset trading platforms;
  • the qualification, issuance, offering and admission to trading of crypto-assets (including stablecoins such as e-money tokens or asset-referenced tokens);
  • the enhanced regulatory treatment of stablecoins that qualify as 'relevant/significant' under the MiCA Regulation; and
  • market conduct and behaviour relating to the trading of crypto-assets (including provisions on market abuse and insider trading).

We also believe that 2023 may bring material developments in the payment services and e-money markets, as consumers move away from traditional banking-based payment methods (with many opting instead for the technologies provided by fintechs) and pursue direct contact with these types of entities.

The way to drive this change is by strengthening the e-commerce sector, in which Portugal still lags behind most European countries in terms of usage – notably in relation to point-of-sale credit and 'buy now, pay later' solutions. On the other hand, there is also a trend towards greater use of open banking and embedded finance (the placement of a financial product in a non-financial customer experience, journey or platform).

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

Our top tips for fintech players seeking to enter the Portuguese market are as follows:

  • Depending on the type of business that will be carried out, it is essential to comply with the licensing, authorisation and operational requirements set out in the applicable laws.
  • The preparation of a well-constructed information package and a dossier containing everything required is crucial to avoid long and burdensome queries and information requests.
  • Close cooperation and open communication channels with the key entities in charge of the fintech space, on a full disclosure and transparency basis, will go a long way towards expediting the provision of all necessary information and registration elements to the relevant points of contact within the regulatory structure.
  • Portugal Fintech and Portugal FinLab are extremely useful programmes for up-and-coming fintech players, smoothing the path to registration and authorisation.
  • Seeking specialist advice when entering the Portuguese market will also enhance the prospects of success of any application. Start-ups and tech-oriented companies tend to cut costs and corners where legal counsel is concerned; but we would advise against this given the regulatory hurdles to market entry, which are easier and cheaper to overcome with the right legal assistance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.