PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados
2.10 Significant Enforcement Actions Portuguese regulators may often deploy routine inspections and audits to legacy and fintech partici - pants. Depending on the seriousness of any breach found by the regulator, different penalties may apply, ranging from a mere administrative notice to hefty fines and, finally, to licence or authorisation suspen - sion or revocation. Upon finding a breach of the compliance of regula - tory provisions by the regulator, the outcome of the proceeding may be settled between the fintech par - ticipant and the regulator or disputed administratively and, upon conclusion, argued in the competent court. All supervisors have official websites where the fines imposed, and the results of enforcement actions, can be accessed. 2.11 Implications of Additional, Non- Financial Services Regulations Several non-financial regulations may apply to fin - techs. Considering the scope of the activities devel - oped by many fintech industry participants, the DORA Regulation, which fully entered into force on 17 Janu - ary 2025, may also apply. This regulation imposes the requirement to implement security measures to pro - tect ICT systems in use. GDPR will likely apply as many fintechs process per - sonal data as part of their business model. The Por - tuguese supervisory authority is the National Data Protection Commission. MiCA requires crypto-asset service providers to com - ply with the GDPR. This applies to all published infor - mation, including data made available on their web - sites. In addition, MiCA sets specific requirements for publications and marketing communications, includ - ing those on social media. Service providers must ensure compliance with these standards and take measures to prevent the dissemination of false or misleading information in crypto-asset white papers, as well as fraudulent or scam practices. Under Law No 46/2018 of 13 August, which trans - posed the EU Network and Information Systems (NIS) Directive (2016/1148) into the domestic legal frame - work, fintech participants are required to have robust
The European Banking Authority’s revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) are applicable to fintechs operating under MiFID II rules, as well as to credit institutions, payment service pro - viders and electronic money institutions. In May 2020, the Bank of Portugal issued a Circular Letter estab - lishing that such regulations are applicable. Later on, in 2023, a Bank of Portugal Notice established a specific framework for the registration of outsourc - ing agreements, requiring participants to maintain a complete and permanently updated register of all subcontracting agreements, including the functions subcontracted to intragroup service providers, and to provide notice to the Bank of Portugal of any intention to subcontract an essential function with a minimum of 15 days’ notice. From a contractual perspective, matters covered in outsourcing agreements will include: • service level standards; • business continuity; • liability allocation; • data protection; • client risk management; • protection of assets or funds if custody is trans - ferred; • AML compliance; and • use or licensing of IP rights. From an employment law perspective, restrictions apply to outsourcing functions to an ex-employee who was terminated during the previous 12 months. Portugal also has transfer of undertaking rules that may impact outsourcing arrangements. 2.9 Gatekeeper Liability There is no legal concept of gatekeeper nor a specific liability regime for fintechs. Therefore, the characteri - sation or imposition of a service provider to act as a gatekeeper varies. Different market participants may be subject to distinct types of liability or scrutiny by regulators depending on the effective role played. In particular, obligations to report suspected money- laundering activities apply across most sub-industries of fintech.
647 CHAMBERS.COM
Powered by FlippingBook