Portugal: Fintech (2nd edition)

The In-House Lawyer Logo

This country-specific Q&A provides an overview of the legal framework and key issues surrounding fintech law in Portugal.

This Q&A is part of the global guide to Fintech.

For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/fintech-2nd-edition

  1. What are the sources of payments law in your jurisdiction?

    Currently, Portuguese payments law is regulated under Decree-Law no. 91/2018, of 12 November (the Payment Services and E-Money Legal Framework, “PSELF”), which transposed Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (PSD2) into the Portuguese legal order.

  2. Can payment services be provided by non-banks, and if so on what conditions?

    Yes. Under the PSELF, the provision of payment services may be performed by non-banking entities, notably payment institutions and e-money institutions. In light of the PSD2 transposition, the PSELF also created the necessary regulatory framework for Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) to enter the Portuguese payments business. These entities are subject to regulatory requirements which must be met before beginning their activities.

    The PSELF sets out the applicable rules and requirements for the incorporation and licensing of payment institutions and e-money issuers, as well as PISPs and AISPs, all being subject to the Bank of Portugal’s supervision.

    Although AISPs are exempt of certain specific regulatory requirements, the authorisation and registry of all these entities entails that certain mandatory legal documentation must be filed with the Bank of Portugal, including, inter alia, draft bylaws, business plan, share capital commitment, corporate structure and beneficial ownership, the managers’ identification and fit and proper documentation, as well as corporate governance and internal compliance models and procedures. Current minimum statutory share capital requirements applicable to payment institutions ranges from € 20,000 to € 125,000 (including PISPs, which must have a minimum statutory capital of € 50,000) and a minimum of € 350,000 for e-money institutions. Although AISPs are exempted from the minimum regulatory share capital requirements, they must arrange for an insurance policy deemed sufficient to cover liabilities arising from the unauthorised access to users’ payment accounts information. PISPs are also required to hire insurance covering liabilities arising from or in connection with the services rendered to customers (notably pertaining to unauthorised or fraudulent transactions initiated through them).

  3. What are the most popular payment methods and payment instruments in your jurisdiction?

    Card-based payments, direct debits and bank transfers are the most popular and deeply-rooted payment methods in Portugal. Notwithstanding, we note that a recent surge in new payment apps has begun to gain traction (please refer to answer to question 19 below concerning the Mbway payment method introduced by SIBS and whose Application Programming Interfaces (APIs) other banks have also began implementing in their own systems, consisting in real-time instant bank account transfers).

  4. What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?

    The recently enacted PSELF, following the PSD2’s regulation of payment services and the provision of new service providers such as Third-Party Providers (TPPs), which include PISPs and AISPs, has paved the way for new players and solutions to enter the open-banking market. Notwithstanding, the current market trend seems to be the adoption and development of these new services by incumbent banks and other well-established players, with newcomers having little to no expression or penetration thus far.The provision of these types of services entails the need for both PISPs and AISPs to access their clients’ transaction data and other account information and security credentials held with their payment service providers, including credit institutions, provided that these TPPs obtain the necessary consent from such clients. Access by TPPs must be extensive enough so as to allow TPPs to provide payment services in an unhindered and efficient manner and may only be denied by credit institutions on an objective, non-discriminatory and proportionate basis.

    In this context, a September deadline has been set for banks to make their APIs available to TPPs. In the meantime, some banks in Portugal, such as BIG and BPI, have already launched services that allow their customers to access bank account information held with other credit institutions, therefore SIBS, engaging in direct competition with AISPs.

    Apart from TPPs, the PSELF provides that any credit institution (whether incorporated in Portugal or in another Member State) and other entities regulated under PSD2 may also provide payment initiation and account information services.

    As such, and leveraging on its unique position in the Portuguese payments market (as the manager and owner of the Multibanco network), SIBS has launched SIBS API Market, a platform in which 18 financial institutions take part and which allows said institutions to test their payment initiation and account information solutions, with the support of a specialized technical team, enabling access to and full usage of its infrastructure.

  5. How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?

    There are no fintech-specific data laws, but as fintech businesses regularly collect, control and process vast amounts of data (including personal data, notably know your customer (KYC) data), they are subject to data protection rules (notably the General Data Protection Regulation – “GDPR”). The GDPR applies not only to fintech companies established in the EU but also to companies established outside the EU, in case they have European natural person customers and the processing of the customers' personal data is made in the context of the offering of services to those data subjects (regardless of whether a payment is required from the data subjects).

    The European Data Protection Board (EDPB) has clarified that the intention to target customers in the EU is key to assess whether entities established outside the EU are subject to the GDPR (according to its Guidelines 3/2018 on the territorial scope of the GDPR, which are currently under public consultation).

    The processing of personal data by payment services providers may require customer consent. If that is the case (notably, if the processing of a customer's personal data is not strictly necessary to provide a payment service expressly requested by a payment service user, as the EDPB clarified in its PSD2 Letter to Sophie in't Veld from 5 July 2018), pre-ticked opt-in boxes will no longer be allowed for obtaining valid consent. This is because consent must be expressed either through a statement or by a clear affirmative action from the data subject.

    The GDPR places onerous accountability obligations on data controllers (such as payment service providers that are regulated under PSD2) to demonstrate compliance, which is a major paradigm shift in the data protection regime. This includes:

    • Conducting data protection impact assessments (DPIAs) for more risky processing operations (such as those involving the processing of personal data which may be used to commit financial fraud);
    • Notifying personal data breaches to the Portuguese Data Protection Authority (CNPD) through its online form;
    • Implementing data protection safeguards by design and by default.

    Another important aspect of data processing in the context of the provision of payment services is the definition of clients' profiles and business segmentation, as well as automated decision-making based on profiling. Automated decisions are generally prohibited if they produce effects concerning the data subject or that significantly affect him/her and are based solely on automated processing of data intended to evaluate certain personal aspects relating to him/her.

    The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. The GDPR allows this type of decision-making only if the decision is either:

    • Necessary for the entry into or performance of a contract with the customer, or authorised by EU or Member State law that applies to the controller;
    • Based on the individual's explicit consent.

    Where one of these grounds applies, additional safeguards must be introduced, and specific information must be disclosed about the automated individual decision-making (including profiling).

    There are additional restrictions on using special categories of data (such as health-related data or biometric data) for any processing of personal data, which can ultimately impact the way payment service providers will implement Strong Customer Authentication mechanisms under PSD2’s Regulatory Technical Standards Regulation, as the Regulatory Technical Standards Regulation suggests the use of the payment service users' biometric data in that context.

    Without prejudice to the above, it is important to note that the final version of the Portuguese legislation implementing the GDPR has been promulgated by the President of the Portuguese Republic and it shall enter into force soon. Said law brings some additional adjustments or restrictions to the rules set out in the GDPR (notably regarding requirements for allowing the portability and interoperability of financial data, which shall take place, whenever possible, in an open format).

    Additionally, CNPD has consistently ruled that financial data is sensitive data (in the sense that it reveals aspects of an individual’s private life) and should therefore be protected under the Portuguese Constitution, which may ultimately affect how Portuguese courts will apply the GDPR rules in respect of said financial data.

    Furthermore, Article 16 of the PSELF extends the banking secrecy obligations to payment service providers (and to their agents, workers and representatives), even if they are not credit institutions or financial institutions according to Portuguese banking laws. Breaching banking secrecy rules is a criminal offence.

    Banking secrecy rules determine that disclosure of clients' data protected by banking secrecy (including cross-border transfers) is only permitted with prior customer authorisation or if the processing is necessary to ensure one of the following:

    • Compliance with a legal obligation of the payment service provider;
    • The performance of a task carried out in the public interest

    CNPD has already ruled that all personal data processed by a bank is subject to bank secrecy.
    In the case of processing clients' data for the purposes of anti-money laundering reporting, the disclosure of specific relevant personal data is based on the fulfilment of a legal obligation. It is therefore not necessary to obtain clients' authorisation for disclosure to the competent authorities.

    The concept of "client authorisation" under PSELF and the financial institutions legal framework differs from the concept of "consent" under the GDPR (that is, the inclusion of client authorisation provisions is part of and requisite of the services being provided by payment service providers, and can be included in general terms and conditions, whereas consent for GDPR purposes must be based on an affirmative and explicit action by the client). Therefore, many banks and other payment service providers choose to collect clients' authorisation to disclose information covered by banking secrecy in the context of their general client terms and conditions.

    Payment service providers that are authorised as payment institutions under PSELF and those that fall under the definition of e-money institutions are bound by Law No. 83/2017 of 18 August (which transposes the Fourth EU Anti-Money Laundering Directive). Under the Portuguese AML framework, such service providers must (among others):

    • Apply customer due diligence;
    • Report suspicious transactions;
    • Store copies of, or the extracted data from, documents supplied by customers in the context of customer due diligence;
    • Store customer correspondence and any internal or external documents, records and analysis which show AML compliance;
    • Implement adequate internal policies, procedures, controls and training to prevent money laundering.

    Lastly, Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, which became applicable last 29th May, applies to all data other than personal data as defined in the GDPR. This may include, in some instances, financial data processed by payment service providers (as clarified in Annex 5 of the European Commission’s Impact Assessment Report on the Regulation). Most notably, the Regulation states that “the Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level in order to contribute to a competitive data economy, based on the principles of transparency and interoperability (…) covering, inter alia, the following aspects: (a) best practices for facilitating the switching of service providers and the porting of data in a structured, commonly used and machine-readable format; (b) minimum information requirements to ensure that professional users are provided, before a contract for data processing is concluded, with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another service provider or port data back to its own IT systems.

  6. What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?

    We are currently not aware of any such initiatives on the regulators’ behalf. However, we note that the CMVM (the Portuguese Market Securities Commission or CMVM) is actively engaging market players and stakeholders in a recent effort to improve and understand businesses’ concerns and regulatory obstacles currently hindering innovation and new technologies to enter the market.

    At the same time, Portugal Fintech has launched an initiative named “Portugal FinLab” which is meant to be a communication channel between innovators and the Portuguese Financial Regulators. Through this channel, the regulators give guidelines pertaining to the regulatory framework that may apply to the projects submitted to them. The purpose of the Portugal FinLab is to support the development of projects that are genuinely innovative and conduct a regulation by design development to such new businesses.

    It is the result of a partnership between the regulators Banco de Portugal, CMVM and ASF - Insurance and Pension Funds Supervisory Authority –, along with Portugal Fintech.

    This programme has ended its first edition and the first batch of companies has already began their early stages of activity, with some of them starting to partner with big companies and offering their product benefiting from such media exposure and large client-base.

  7. Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?

    The most evident risk we foresee as to the growth of the fintech ecosystem in Portugal pertains to the regulatory and supervisory authorities’ treatment and understanding of the different subjects. The actual interpretation of some of the provisions included in the PSD2 and the transposed PSELF (notably in what concerns the exemptions provided thereunder) may prove controversial and hinder some business models which would otherwise assume that the PSD2 transposed framework would not apply to it.

    More troublesome seems to be the matters related to cryptocurrencies and blockchain technology initiatives, due to the apparent inertia of both the Bank of Portugal and the CMVM (as well as the legislator’s) will to regulate and give context to such potential disruptive technologies.

  8. What tax incentives exist in your jurisdiction to encourage fintech investment?

    Even though we are not aware of any current tax incentive specifically aimed at encouraging fintech investment, there are tax incentives generally available to start-up investment which may be of importance considering that most of fintech investment is made through start-ups.
    As an example, “Programa Semente” establishes that individual taxable persons who make eligible investments up to € 100,000 in start-ups can deduct 25% of the investment made up to a limit of 40% of the Personal Income Tax collection.

  9. Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?

    The current market status of investment in fintech in Portugal is rather slow, which we envisage is due to the delay in transposing the PSD2 into national law. As such, the recent enactment of the PSELF approved a new and reformed legal framework for the majority of fintech companies currently operating in the Portuguese market, while simultaneously paving the way for new market players and new types of companies to enter the market and offer their products and services to both consumers and other businesses. It also marked the legal recognition of TPPs, furthering the open banking ecosystem with the surging of new companies or services rendered by already established players – such as payment initiation and account information services.

    Notwithstanding, we note that there have been some specific foreign fintech businesses entering the Portuguese market, although opening branches or subsidiaries and not providing direct investment in new Portuguese-based projects. Exception to this is the new crowdfunding platforms which have been accompanied by the correspondent surge in new players managing such platforms.

  10. If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?

    It should choose ours because Portugal is becoming more innovation-driven and events such as Web Summit have attracted numerous investors and start-ups to the Portuguese market. We currently see such trend evolving and many start-ups taking advantage of an attractive work life balance kind of approach, while simultaneously benefiting from increasing initiatives aiming to increase investment in innovative areas such as fintech (please see, for example, the example of Portugal FinLab above.

  11. Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?

    Yes, there are immigration rules in Portugal which intend to facilitate the access of tech business developers to our country.

    In fact, the new Regulatory Decree regarding the entry, permanence, exit and removal of foreigners into and out of the Portuguese national territory in force enables the optimization and flexibility of the residence visa and permit proceedings, notably for the foreign entrepreneurs and highly qualified workers in order to encourage the establishment in Portugal of new tech and innovative businesses.

    These new provisions foresee the possibility of issuing a residence visa specifically for entrepreneur foreigners who wish to invest in Portugal notably in the tech and innovative areas.

    An example of Portugal’s commitment to facilitate bringing these projects into our country is the “StartUp Visa” which is a program destined to bring to Portugal foreign business developers who wish to establish their projects in Portugal. This program had a previous certification process for the incubator companies to apply in order to host entrepreneur foreigners who wish to create and develop tech companies in the national territory. The applications for the start-up companies are already available online at https://webapps.iapmei.pt/StartupVisa/VisaEmp/Account/Login.aspx and there is no deadline foreseen for the submission of the applications. When an application is approved, a residence visa may be requested by the entrepreneur(s) of the project (up to five for each application) at the consular post, which will be valid for four months and may be renewed. After arriving in Portugal, the entrepreneurs must schedule a meeting with the Immigration Authority (“Serviço de Estrangeiros e Fronteiras”) in order to request for the residence permit.

  12. If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?

    The Fintech industry plays a highly important role in Portuguese immigration policy as explained above.

    The proof of the importance of this area of business to our country is clearly defined by these new rules that have recently been created to encourage this type of investment to come to Portugal, debureaucratising and speeding up the request and issuance of residence visas and permits for this purpose.

  13. What protections can a fintech use in your jurisdiction to protect its intellectual property?

    Protection of fintech technology can take place by various means. The protection of software seems to be the most relevant, as fintech technology usually translates into computer systems and applications. Software is protected in Portugal under the same legal rules that apply to copyright protection (according to Decree-Law no. 252/94, of 20 October, as amended). Copyright does not require a registry to exist, but this can be done in the General-Inspection for Cultural Activities (IGAC). Software per se cannot be protected by a patent, unless it meets the criteria to be considered a computer implemented invention, which is an invention whose implementation involves the use of a computer, computer network or other programmable apparatus. In addition, computer-implemented business models can also be patented, to the extent that they are claimed as a technical solution for a technical problem (for instance, automating a response considering the data collected) and involving technical considerations (e. g., the reading of the database). Otherwise, business models are not patentable. All in all, a case-by-case analysis is necessary to determine if protection by patent is feasible.

    Technology developed in the context of a fintech business can also be protected as a trade secret. Trade secrecy protects against any act of someone that assesses, appropriates or copies (or any other conduct which, under the circumstances, is considered contrary to honest commercial practices), without consent, information that is secret, which has a commercial value due to that fact and which has been subject to reasonable steps, by the person lawfully in control of the information, to keep it secret (for instance, the execution of non-disclosure agreements). Note that current national legal provisions on trade secrecy, which are included in the Industrial Property Code – approved by Decree-Law no. 110/2018, of 10 December –, have been subject to considerable revision and expansion, which is mostly related to the transposition of Directive (EU) 2016/943 of 8 June 2016, on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. The Directive brought substantial changes to the trade secrecy regime, notably on the protection criteria and the enforcement regime, which is expected to become clearer and more effective with the mentioned legislative change.

    Note that a computer platform usually also comprises a set of data, as well as visual interfaces. The data may also be protected as a database if the requirements set in law (Decree-Law No. 122/2000, which transposed Directive No. 96/9/CE, as amended, on the protection of databases) are met. Interfaces can further be protected by copyright under the Copyright Code (approved by Decree-Law No. 63/85, as amended) in their look and feel, screen display and individual visual elements, if they all meet the criteria to be protected (mainly, are ‘creative’). Copyright protection, in this case, belongs to the employer or the person that orders the creation, if so established or if the name of the creator is not referred to in the work. In this case, the creator may require a special compensation if the creation exceeds the performance of the task or when the creation is used or brings benefits not included or foreseen in the creator’s remuneration.

  14. How are cryptocurrencies treated under the regulatory framework in your jurisdiction?

    The consistent current regulatory approach in Portugal with relation to cryptocurrencies has been to not consider them as legal tender and to not issue specific regulation dealing with them. Both the Bank of Portugal (BoP) and the CMVM follow this approach.

    ICOs

    The BoP has (as far back as 2013) issued clarifications stating that Bitcoin (and all remaining cryptocurrencies) cannot be considered secure currency, as:

    • It is issued by unregulated and unsupervised entities.
    • Users bear all the risks (as there is no fund for the protection of depositors/investors).

    This approach closely follows the position of the European Banking Authority (EBA). Specific regulation on cryptocurrencies is not expected soon, as both the Portuguese Government and the BoP have stated that they will not unilaterally regulate cryptocurrencies, and that the first step must be taken by the European Commission.

    In this respect, both the European Securities and Markets Authority (ESMA) and EBA sent reports on 9 January 2019 to EU policymakers on ICOs and crypto assets assessing the applicability and suitability of EU legislation in relation to these and advising the European Commission. According to EBA's report, the competent national authorities report low crypto assets activity levels in their jurisdictions and these are hence not currently a threat to financial stability. However, regarding consumer protection, market integrity and the level playing field, the report flags the following issues:

    • Current EU financial services legislation does not apply to several forms of crypto asset/activity;
    • Specific services relating to providing crypto asset custodian wallets and crypto asset trading platforms are not considered regulated activities under EU law;
    • Different approaches are emerging across the EU.

    The EBA therefore recommends that the European Commission carries out a cost/benefit analysis to assess whether EU-level action to address these issues is appropriate and feasible at this stage.

    ESMA has also identified a few concerns in the current financial regulatory framework regarding crypto assets (according to the press release for ESMA's report). These gaps and issues fall into two categories:

    • For crypto assets that qualify as financial instruments under MiFID, some areas require potential interpretation or re-consideration of specific requirements to allow for an effective application of existing regulations.
    • For crypto assets that do not qualify as financial instruments, the absence of applicable financial rules leaves investors exposed to substantial risks. At a minimum, ESMA considers that anti-money laundering (AML) requirements should apply to all crypto assets and related activities. There should also be appropriate risk disclosure in place, so that consumers are made aware of the potential risks before committing funds to crypto assets.

    ESMA therefore recommends that the European Commission either:

    • Proposes a bespoke regime for specific types of crypto assets (such as tokens that do not qualify as financial instruments) by means of a directive, allowing for the tailoring of the rules to the specific risks and issues;
    • Does nothing (which would fail to address the known investor protection and market integrity concerns).

    Despite the lack of regulation and supervision, the BoP has indicated that the use of cryptocurrencies is not forbidden or illegal. Therefore, the BoP is currently more focused on a preventive and educational approach, by alerting to the risks of cryptocurrencies.

    The CMVM has also issued an alert to investors in November 2017 on ICOs indicating that most ICOs are not regulated and that, as a result, investors would be unprotected from (i) high volatility/lack of funds, (ii) potential of fraud/money laundering, (iii) inadequate documentation (most ICO's have no prospectus, only a "white paper", which is only a marketing document and not legally binding) and (iv) risk of loss of the invested capital.

    Considering the above, the usual distinction between the different types of tokens (or the rights and obligations which their issuance and possession entail) underlying the transactions may prove useful. If tokens are used mainly as a means of payment, the regulatory approach of the BoP and EBA is the relevant one. Conversely, where tokens are more similar to securities, the approach of CMVM/ESMA is the applicable one.

    Despite some lack of regulatory clarity, there seems to be some progress in acknowledging this reality, in light of the recent Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU (Fifth EU Anti-Money Laundering Directive). The Directive extends the scope of application of the Fourth EU Anti-Money Laundering Directive to virtual currencies to:

    • Exchange services between virtual currencies and traditional (fiat) currencies.
    • Wallet providers offering custodial services of credentials necessary to hold, store and transfer virtual currencies.

    Additionally, the Fifth EU Anti-Money Laundering Directive offers the following definition of ´virtual currencies´: a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.

    Despite the amendment to the EU AML framework, the BoP clarified that financial institutions must control transfers of funds from and to platforms of negotiation of cryptocurrencies (that is, cryptocurrency exchanges) under AML legislation. In this respect, it has been widely reported that two major banks in Portugal have blocked, in the beginning of 2019, all transfers to this type of entities.

    Additionally, on tax matters relating to cryptocurrencies, the Court of Justice of the European Union (“CJEU”) already addressed the question on whether transactions, such as the exchange of bitcoin or other cryptocurrency for traditional currency, and vice versa, in return for payment of a sum equal to the difference between, on the one hand, the price paid by the operator to purchase bitcoins and, on the other hand, the price at which he sells those same bitcoins to his clients, qualified as a supply of services for consideration for VAT purposes and, if so, whether such supply would be considered exempt from VAT.

    The CJEU decided that the exchange of bitcoins for traditional currency qualifies as a supply of services for VAT purposes. As to the question on whether these transactions should be regarded as exempt supplies, the CJEU pointed out that bitcoin, being a contractual means of payment, cannot be regarded as a current account or a deposit account, a payment or a transfer. Moreover, unlike a debt, cheques and other negotiable instruments referred to in Article 135(1)(d) of the VAT Directive, bitcoin is a direct means of payment between the operators that accept it. Therefore, the CJEU ruled that transactions, such as exchange of cryptocurrency for traditional currency, and vice versa, should be exempt from VAT under the provision of article 135(1)(e) of the VAT Directive. As the question submitted to the Court concerned only the exchange of cryptocurrency for legal tender currency, the CJEU did not expressly addressed the subject of whether the exchange of, e.g., bitcoins for a different cryptocurrency should also be regarded for VAT purposes as an exempt supply of services under article 135(1)(e) of the VAT Directive. However, in our view, the same reasoning applies and the answer should therefore be the same.

    CJEU’s judgements are directly effective in all Member-States and, therefore, the Tax Authorities in all Member-States must abide by them. With this judgement, bitcoin exchangers, start-ups and users finally know where they stand from a VAT perspective. Buying, selling, sending, receiving, accepting and spending bitcoin will not be taxed, which allows economic agents to deal with bitcoin as they would with legal tender currency or other types of money.

    More recently, the Portuguese Tax Authority (“PTA") issued binding rulings under which it stated that any gains derived from bitcoin trading should not be considered income for Personal Income Tax (“PIT”) purposes to the extent such activity does not constitute a business or professional activity. Indeed, the PTA concluded that gains derived from the sale of bitcoin would not fall under the concept of capital gains or investment income as defined by the Portuguese PIT Code and, consequently, those gains are not covered by the taxable base of the Portuguese PIT.

  15. How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?

    Please refer to our reply to the previous question, above.

    We do not envisage that Portuguese regulators will take the first step in reviewing the legal and regulatory treatment for ICOs, and we should probably expect them to closely follow the guidance issued by EBA and ESMA in this respect before any paradigm shifts take place at a national level.

  16. Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?

    No, not that we are aware of. However please note that due to the early-stages and the recent enactment of the regulatory framework resulting from the PSD2 transposed quite recently, many initiatives and businesses are currently in seed phase and subject to confidentiality terms and thus we envisage that once the legal and the remaining regulatory framework is defined and enacted by the BoP, new projects will be disclosed to the market.

  17. To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?

    AI is a central technology for all sectors and industries, and as a result its testing and use is growing worldwide, including in Portugal. Indeed, AI (together with Big Data) is already being used in Portugal by banks and fintech companies, e.g., in customer service, in the analysis and granting of credit and even in regulatory compliance. AI brings several legal and regulatory challenges, from warranty, liability, transparency, among others. Regulation of AI is being thoroughly discussed at the international level, including in the EU, and such discussions also cover the strategic approach to adopt in this field.

    On 8 April 2019, the European Commission-led High-Level Expert Group on AI presented Ethics Guidelines for Trustworthy Artificial Intelligence. According to the Guidelines, trustworthy AI should be: (1) lawful - respecting all applicable laws and regulations; (2) ethical - respecting ethical principles and values; (3) robust - both from a technical perspective while taking into account its social environment. The Guidelines put forward a set of 7 key requirements – which are duly developed in the Guidelines – that AI systems should meet in order to be deemed trustworthy. These include:

    • Human agency and oversight;
    • Technical Robustness and safety;
    • Privacy and data governance;
    • Transparency;
    • Diversity, non-discrimination and fairness;
    • Societal and environmental well-being;
    • Accountability.

    Additionally, the Portuguese government has also recently approved its National Strategy for Artificial Intelligence – “AI Portugal 2030”, which sets out the main general objectives to reach by 2030, including:

    • Added Economic Growth: the added value brought by AI technologies to the economic growth should be significant;
    • Scientific Excellence: improve the front-line position in fundamental and applied AI research of the Portuguese Academia (universities, polytechnic schools and research institutions) measured in terms of publication impact, international leaderships, and international collaborations;
    • Human Development: Increase dramatically the qualifications of the labour force, in particular technological qualifications, while promoting inclusion and awareness at all levels of education.

    The National Strategy does not specifically address, however, the challenges AI will bring to the financial sector. Nonetheless, it is reasonable to assume that the increasing number of public guidelines and recommendations (both at national and international level) will foster investment in and the development of new AI-driven technologies and businesses.

    In this scope, it is important to make sure that any potential AI regulation does not impede or hinder the development and use of AI, and an approach of regulating without a full understanding of the evolution of this technology shall be avoided. .

  18. Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?

    We are not aware of any current projects in the insurtech area in the Portuguese market. However, we note that recently the insurance market has been subject to some instability, with a series of M&A transactions involving the biggest Portuguese insurers, and so it may be expected that once such companies are running smoothly after the recent market turmoil, new solutions arise eyeing the insurtech segment.

  19. Are there any areas of fintech that are particularly strong in your jurisdiction?

    The somewhat recent entering into force of the crowdfunding legal framework has seen a surge in new players and stakeholders on the market, introducing new crowdfunding (mostly debt crowdfunding) platforms, which in turn have opened new funding alternatives to either individuals and corporations.

    Payments is also a business which has seen an increased relevance, with the introduction of new solutions and platforms, notably, the so-called Mbway, a service by SIBS allowing for instant transfers between bank accounts. Following its success, incumbent banks have started to incorporate the service in their proprietary homebanking apps and started to charge somewhat high fees for users of the original, standalone Mbway, in an effort to bring back the small-amounts payments and transfers to their own systems.

  20. What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?

    We are not aware of any current collaboration between incumbent financial institutions in Portugal and other fintech companies. The most common approach to fintech by Portuguese banks seems to be carried out either by internal development and R&D or by integrating outsourced services or solutions to tech firms.

  21. To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?

    The current status of fintech development by banks and other institutions in Portugal can be described as being in a very early stage, though some innovations are starting to appear, notably in the account information services component. There are some banks, mostly those whose business model is based on remote/web-based services with a more younger and tech-savvy target that are also currently developing some fintech-related projects.

  22. Are there any strong examples of disruption through fintech in your jurisdiction?

    Despite fintech-related businesses and initiatives being currently in a very early stage in Portugal, the recent surge in crowdfunding platforms has begun to make some impact in what concerns the market perception regarding the different financing sources, with more and more individuals and small businesses resorting to this new financing alternatives instead of more traditional bank-based lending solutions.

    Further true disruption on the payments side of the market is still to be seen, but with the PSD2 finally transposed onto Portuguese law we envisage that, in the short to medium term, both incumbent banks and new players will start bringing disruptive products and solutions to market.