PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados
Internal audits are a series of procedures to ensure activities comply with regulations. In most instances, fintechs must disclose the con - tent of their internal organisational mechanisms to the supervisory regulator before initiating activities. It is customary to hire external audi - tors to test and assess whether the previously established compliance mechanisms are up to par with provisions and regulations in force or need adjustments. Considering that the violation of regulatory rules could result in hefty fines, fintech industry par - ticipants prefer to either outsource part of their financial or non-financial obligations to third par - ties or hire third-party private auditors to ensure they comply with their obligations. 2.13 Conjunction of Unregulated and Regulated Products and Services Industry participants may generally offer “regu- lated” and “unregulated” services unless other - wise provided. The issue of providing “regulated” and “unregulated” services was broadly seen as an issue before the development of proper reg - ulations regarding virtual assets, which, for an extended period, could have been considered unregulated assets. With supervisors catching up with these new types of assets or services, one can argue that most activities are now regu - lated and that every product or service is likely to fall under the scope of some regulation. In practical terms, fintech industry participants may be forced to undergo several different but parallel types of licensing, which, in many cases, will be independent of one another but deeply intertwined. For instance, fintechs wishing to deploy exchanges where crypto-to-fiat opera - tions occur and associated payment services are provided may be requested by the super - visory authority to segregate these activities to
mitigate the potential risks and conflicts of inter - est. In such cases, the solution may involve the creation of two separate legal entities covering each specific activity. 2.14 Impact of AML and Sanctions Rules Most fintech companies must deploy AML and KYC internal provisions to get their licences and conduct their activities under the scope of the AML Act, which contemplates several duties, such as establishing policies and control proce - dures to identify money laundering risks. The AML Act also forces fintech projects to iden - tify their users through KYC procedures before engaging in a business relationship, establishing transactions of EUR15,000 or above, or dealing with virtual assets of EUR1,000 or above. MiCA requires crypto-asset service providers to implement robust AML measures. This includes verifying user identities (KYC), monitoring trans - actions, and assessing the source of funds. Providers must also conduct enhanced due dili - gence when dealing with customers and finan - cial institutions from high-risk third countries. Fintechs should be able to refuse service to non- compliant customers or if they suspect services or products might be utilised in money-laun - dering activities or connected with the financ - ing of terrorist organisations. When deploying their AML/KYC policies, fintechs must be ready to deploy sophisticated systems to control, monitor and identify possible money-laundering activities, swiftly notify the competent authori - ties, and collaborate with them when requested. In practical terms, some of the duties of cus - tomer identification can be outsourced to third parties.
687 CHAMBERS.COM
Powered by FlippingBook