PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados
security measures in place against cyber threats. Encryption, access control, incident response, disaster recovery, and business continuity plans are essential contingencies that require implemented measures.

2.12 Review of Industry Participants by Parties Other Than Regulators

Besides regulators, fintech industry participants often use two types of audits, namely internal and external audits. Internal audits are a series of procedures to ensure activities comply with regulations. In most instances, fintechs must disclose the content of their internal organisational mechanisms to the supervisory regulator before initiating activities. It is customary to hire external auditors to test and assess whether the previously established compliance mechanisms are up to par with provisions and regulations in force or need adjustments.

Considering that the violation of regulatory rules could result in hefty fines, fintech industry participants prefer to either outsource part of their financial or non-financial obligations to third parties or hire third-party private auditors to ensure they comply with their obligations.

2.13 Conjunction of Unregulated and Regulated Products and Services

Industry participants may generally offer “regulated” and “unregulated” services unless otherwise provided. The issue of providing “regulated” and “unregulated” services was broadly seen as an issue before the development of proper regulations regarding virtual assets, which, for an extended period, could have been considered unregulated assets. With supervisors catching up with these new types of assets or services, one can argue that most activities are now regulated and that every product or service is likely to fall under the scope of some regulation.

In practical terms, fintech industry participants may be forced to undergo several different but parallel types of licensing, which, in many cases, will be independent of one another but deeply intertwined.

For instance, fintechs wishing to deploy exchanges where crypto-to-fiat operations occur and associated payment services are provided may be requested by the supervisory authority to segregate these activities to mitigate the potential risks and conflicts of interest. In such cases, the solution may involve the creation of two separate legal entities covering each specific activity.

2.14 Impact of AML and Sanctions Rules

Most fintech companies must deploy AML and KYC internal provisions to get their licences and conduct their activities under the scope of the AML Act, which contemplates several duties, such as establishing policies and control procedures to identify money laundering risks. The AML Act also forces fintech projects to identify their users through KYC procedures before engaging in a business relationship, establishing transactions of EUR15,000 or above, or dealing with virtual assets of EUR1,000 or above.

MiCA requires crypto-asset service providers to implement robust AML measures. This includes verifying user identities (KYC), monitoring transactions, and assessing the source of funds. Providers must also conduct enhanced due diligence when dealing with customers and financial institutions from high-risk third countries.

Fintechs should be able to refuse service to non-compliant customers or if they suspect services or products might be utilised in money-laundering activities or connected with the financing of terrorist organisations. When deploying their AML/KYC policies, fintechs must be ready to deploy sophisticated systems to control, monitor and identify possible money-laundering activities, swiftly notify the competent authorities, and collaborate with them when requested.

In practical terms, some of the duties of customer identification can be outsourced to third parties.

2.15 Financial Action Task Force (FATF) Standards

Portugal’s AML framework, including Law No 83/2017 of 18 August, complies with FATF standards and requirements. As a member of FATF since 1991, Portugal enforces measures such as customer due diligence, transaction monitoring, and reporting of suspicious activities, aligning with FATF recommendations and EU regulations.
CHAMBERS.COM