PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados
ment, and e-money institutions, as well as with virtual asset provider authorisations.

• CMVM oversees the offerings of securities and financial asset management companies and advisory in Portugal. The competent authority is to issue an authorisation to engage in crowdfunding activities. Regarding crowdfunding, CMVM may also request technical opinions from the Bank of Portugal.
• The Insurance and Pension Funds Supervisory Authority is the supervisor with jurisdiction to oversee the insurance and pension fund markets.
• The National Data Protection Commission (Comissão Nacional de Proteção de Dados) is the Portuguese public authority that supervises data processing by all public and private entities in Portugal.

Participants may fall under the scope of one or more regulators depending on the nature of the project to be developed.

As Portugal has not yet adopted domestic regulation to implement and enforce the MiCA Regulation, the authority responsible for authorising and supervising crypto-asset service providers, as well as overseeing MiCA’s transitional regime and its terms, has yet to be determined.

2.7 No-Action Letters

In Portugal, regulators such as CMVM do not typically issue “no-action” letters in the same way regulatory entities might issue them in some other jurisdictions.

However, Portuguese regulators may provide informal guidance or clarifications regarding the application of existing regulations to specific cases, often through official statements, or written opinions.
Entities seeking regulatory clarification may approach the CMVM or other relevant authorities for such guidance, though these are not formally recognised as “no-action” letters.

2.8 Outsourcing of Regulated Functions

Unregulated functions can be mostly outsourced at will. By contrast, regulated functions are required, in certain instances, to be disclosed to the competent regulator and must follow a particular set of rules. As a rule, both the nature and extent of the outsourcing must always be contractually defined and notified.

The European Banking Authority’s revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) are applicable to fintechs operating under MiFID II rules, as well as to credit institutions, payment service providers, and electronic money institutions. In May 2020, the Bank of Portugal issued a Circular Letter establishing that such regulations are applicable. Later on, in 2023, a Bank of Portugal Notice established a specific framework for the registration of outsourcing agreements, requiring participants to maintain a complete and permanently updated register of all subcontracting agreements, including the functions subcontracted to intragroup service providers, and to provide notice to the Bank of Portugal of any intention to subcontract an essential function with a minimum of 15 days’ notice.

From a contractual perspective, matters covered in outsourcing agreements will include service level standards, business continuity, liability allocation, data protection, client risk management, protection of assets or funds if custody is transferred, AML compliance and use or licensing of IP rights.