PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados
same time, PSD2 narrowed the playing field between fintech players and the already well-established legacy players, as they were forced to provide dedicated interfaces allowing the sharing of data originating from their payment accounts.

Open banking marks a pivotal moment for conventional banks, allowing third-party providers, including commercial platforms or alternative payment providers, to deliver banking applications and services directly through open application programming interfaces.

Decree-Law No 91/2018 of 12 November introduced changes to the provision of payment services in Portugal. Notable aspects include:

• its application to a wider range of payment operations;
• the creation and regulation of new types of payment services;
• the definition of security requirements for the execution of payment operations; and
• the imposition of greater responsibilities on payment service providers in the execution of unauthorised payment operations.

The impact of this regulation on open banking is reflected in AISPs, which allow the aggregation of information about accounts held with one or more payment service providers in a single application or website. As for PISPs, they offer the possibility of initiating online payment operations without the customer having to interact directly with their payment service provider. The PISP, contracted by the customer, accesses their account on their behalf and initiates the operation.

11.2 Concerns Raised by Open Banking

The Portuguese framework that transposes PSD2 establishes rules for managing operational and security risks, instructing measures for mitigation and appropriate control mechanisms to handle operational and security risks related to the payment services provided. This law also defines the procedures to be adopted in the event of operational or security incidents, with the Bank of Portugal being the entity responsible for taking all necessary measures to protect the security of the financial system. Violating these measures can result in severe offences, subject to significant fines.

Regarding data protection, PISPs must ensure that:

• information about the customer is provided to the payee only, and only with the customer’s explicit consent;
• the information requested from the customer shall only be that necessary to provide the services;
• data will not be used, accessed or stored for any other purposes; and
• the scope of data to be shared with AISPs and PISPs by the Account Servicing Payment Service Providers does not include the customer’s identity (eg, address, date of birth, etc).

AISPs must ensure that they access only the information from designated payment accounts and associated payment transactions. Also, regulatory technical standards on strong customer authentication and secure communication place a limit of four times a day on an AISP’s access to payment account data without the customer being directly involved.

The EU rigorously regulates both domains, with GDPR extending its reach to cover open banking and broader financial sector regulations, encompassing directives such as PSD2. DORA does not directly address specific issues like data privacy or data security concerns raised by open banking, but it does play an important role in strengthening the overall resilience of financial institutions, which indirectly impacts security and operational risks, including in the context of open banking.
12. Fraud

12.1 Elements of Fraud

Portugal has criminalised insider dealing and market manipulation in regulated markets but does not provide specific provisions for fraud in financial services. The generic criminal provisions set out in the Portuguese Penal Code can apply if the objective legal elements are met. The most similar specific crime in the financial services sector would be the use of false