Fintech 2025

PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados

With the adoption of PSD2, two new categories of service providers were established in the payment industry: payment initiation service providers (PISPs) and account information service providers (AISPs). At the same time, PSD2 narrowed the playing field between fintech players and the already well-established legacy players, as they were forced to provide dedicated interfaces allowing the sharing of data originating from their payment accounts.

Open banking marks a pivotal moment for conventional banks, allowing third-party providers, including commercial platforms or alternative payment providers, to deliver banking applications and services directly through open application programming interfaces.

Decree-Law No 91/2018 of 12 November introduced changes to the provision of payment services in Portugal.

Notable aspects include its application to a wider range of payment operations, the creation and regulation of new types of payment services, the definition of security requirements for the execution of payment operations, and the imposition of greater responsibilities on payment service providers in the execution of unauthorised payment operations.

The impact of this regulation on open banking is reflected in AISPs, which allow the aggregation of information about accounts held with one or more payment service providers in a single application or website.

As for PISPs, they offer the possibility to initiate online payment operations without the customer having to interact directly with their payment service provider. The PISP, contracted by the customer, accesses their account on their behalf and initiates the operation.

11.2 Concerns Raised by Open Banking

The Portuguese framework that transposes PSD2 establishes rules for managing operational and security risks, instructing measures for mitigation and appropriate control mechanisms to handle operational and security risks related to the payment services provided.

This law also defines the procedures to be adopted in the event of operational or security incidents, with the Bank of Portugal being the entity responsible for taking all necessary measures to protect the security of the financial system. Violating these measures can result in severe offences, subject to significant fines.

Regarding data protection, PISPs must ensure that:

• information about the customer is only provided to the payee and only with the customer’s explicit consent;
• the information requested from the customer shall only be that necessary to provide the services;
• data will not be used, accessed or stored for any other purposes; and
• the scope of data to be shared with AISPs and PISPs by the Account Servicing Payment Service Providers does not include the customer’s identity (eg, address, date of birth, etc).

AISPs must ensure that they access only the information from designated payment accounts and associated payment transactions. Also, regulatory technical standards on strong customer authentication and secure communication place
