Fintech in Spain 2024

Fintech in Spain 2024

FINTECH 2024

SPAIN

Carmen Torres, Ignacio González, Juan Sosa, María Tomillo, Raquel Ballesteros

(Simmons & Simmons)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

1. What is the general state of fintech innovation in your jurisdiction?

The Spanish fintech community is one of the biggest in Europe. In this regard, Spain continues to promote this type of business, and the number of companies that use innovation and technology in the financial industry increases each year. There are studies that show that 70 percent of the total number of fintech companies provide services linked to credit activities. The number of companies focused on electronic payments is increasing as well as those dedicated to investment solutions.

Government and regulatory support

2. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

The Spanish Securities Market Commission (CNMV) set up a point of contact for business initiatives related to financial innovations, which is currently available on the CNMV’s online portal – the CNMV Fintech Portal. This site gives online support to promote fintech initiatives that deliver better outcomes for consumers and that improve the efficiency and competitiveness of the Spanish financial markets. Through this site, the CNMV collaborates with fintech businesses and financial institutions, providing guidance regarding the interpretation and application of rules and regulations where appropriate. Law No. 7/2020, of 13 November, for the digital transformation of the financial system regulates the fintech sandbox in Spain, following the models already established in other jurisdictions. Under this Law, among others, the following objectives have been met:

• financial sustainability control and risk minimization;
• mitigation and adaptation of the regulatory burden;
• creation of a space to boost the development of open financial innovation; and
• the attraction of international investment.

This legislation offers new opportunities for this country and important advantages to improve the position of the Spanish fintech sector. Since the creation of the fintech sandbox for Spain, a significant number of projects have been submitted, and some of those initiatives have been already accepted and are being assessed (through a process in which the General Secretary of the Treasury in Spain and the relevant supervisory authorities in Spain – the Bank of Spain, CNMV and the General Directorate for Insurance and Pension Funds – actively participate). The objectives of the accepted initiatives are aligned with those indicated in the aforementioned Law No. 7/2020, and will contribute to promoting the digital transformation of the financial system, improving services to clients and the activity of supervisory authorities, generating significant potential gains for the different participants in this industry and society as a whole. The Spanish Association of Fintech and Insurtech actively participated in the creation of this fintech sandbox. The sandbox is designed to position Spain as a leader in financial innovation.

FINANCIAL REGULATION

Regulatory bodies

3. Which bodies regulate the provision of fintech products and services?

The regulator in charge of supervision of fintech products and services is the Spanish Securities Market Commission (CNMV) together with the Bank of Spain and the General Directorate for Insurance and Pension Funds, depending on the type of entity intending to provide services in Spain and the exact nature of those services.

Regulated activities

4. Which activities trigger a licensing requirement in your jurisdiction?

There are a large number of activities that, when carried out in Spain on a professional and ongoing basis in respect of specified financial instruments, trigger licensing requirements. These are set out in a number of different regulations, including those implementing Directive 2014/65/EU (Markets in Financial Instruments Directive II) in Spain as well as legislation that governs activities carried out by financial institutions, such as credit entities.

The most common activities that may require a license with respect to specified financial-instruments include:

• the reception and transmission of orders;
• the execution of orders on behalf of clients;
• portfolio management;
• providing investment advice (which requires that specific recommendations are made as opposed to providing generic advice only);
• the underwriting or placing of financial instruments, or both;
• dealing in investments as the principal or agent;
• arranging or bringing about deals in investments; and
• making arrangements with a view to transactions in investments.

To carry on any of these activities in relation to specified financial instruments on a professional and ongoing basis in Spain, the relevant entity or natural person must obtain the appropriate authorization or passport. In addition to this authorization, registration is a requirement to operate in Spain. Authorization is also required to carry out marketing or canvassing of clients on a professional basis, as well as prior or preliminary activities related to investment services and the offering of financial instruments.

A similar regime applies to the provision of services that are typical activities carried out by credit entities. The Spanish implementing text of Directive 2013/36/EU (Capital Requirements Directive) expressly states that the activity of taking repayable funds from the public (whether in the form of deposits, loans or temporary transfers of financial assets or other analogous actions) is a licensable activity that can only be carried out by credit entities that are authorized to operate in Spain and duly registered with the Bank of Spain. Taking repayable funds from the public using capital markets through the issuance and placement of instruments with the aim of giving credit is a reserved activity.

Notably, the provision of loans does not trigger licensing requirements, even though it is a typical activity of credit entities. However, while the activity of extending credit is not a reserved activity, it is usually connected to other regulated activities that trigger licensing requirements.

Regarding payment services, it is prohibited for entities or natural persons who are not payment service providers (apart from certain exceptions derived from Directive (EU) 2015/2366 (Second Payment Services Directive) (PSD2) to provide payment services in Spain on a professional basis.

Consumer lending

5. Is consumer lending regulated in your jurisdiction?

Although it has traditionally been an activity carried out in Spain by credit institutions and financial credit establishments, in the case of a non-financial institution (namely, neither a credit institution nor a financial credit establishment) that is dedicated solely to the activity of granting consumer loans, this non-credit institution (formed as a company) may carry out this activity without a license. The number of persons who tend to get credit from non-financial institutions offering personal loans rather than other traditional means (e.g, banking credit cards and banking loans) is increasing.

The regulatory regime for consumer credit is governed by Law No. 16/2011, of 24 June, on Credit Agreements for Consumers. This regulatory regime applies to all contracts where entities or natural persons in the course of their business activity, profession or craft, grant or promise to grant a consumer credit in the form of a deferred payment, loan, opening credit or any other equivalent means of financing, with the aim of covering personal needs outside of his or her professional or business activity and amounting to at least €200. This regulation broadly sets out the requirements that lenders need to comply with in relation to the provision of information, documents and statements, and the detailed requirements as to the form and content of the credit agreement itself, including advertising, information to consumers, content, form of the contracts, cases of null-and-void contracts, right of withdrawal and costs.

In addition, Legislative Decree 1/2007, of 16 November, for the Protection of Consumers and Users also applies to consumer lending. Depending on the circumstances, other Spanish supplementary regulations may also be relevant.

Secondary market loan trading

6. Are there restrictions on trading loans in the secondary market in your jurisdiction?

Provided that the loan itself is being traded, and not the loan instrument (the financial instrument creating or acknowledging indebtedness), there are no restrictions on trading loans in the secondary market.

Collective investment schemes

7. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

The general regulatory regime for collective investment schemes (CISs) in Spain consists of the transposition of Directive 2009/65/EC (Undertakings for Collective Investment in Transferable Securities Directive) and Directive 2011/61/EU (Alternative Investment Fund Managers Directive) (AIFMD), in addition to the regime that applies specifically to Spanish CISs.

CISs are regulated products in Spain and must be locally registered. Management and distribution of CISs (namely, marketing, promotion and advertising) may only be carried out by licensed entities in Spain as these activities trigger licensing requirements. Marketing of CISs is defined as those activities aimed at raising funds from clients by way of any advertising activity for their investment into the CIS. Advertising activity consists of targeting the public through telephone calls initiated by the CIS or its management company, home visits, personalized letters, emails or any other electronic media forming part of a dissemination, promotional or marketing campaign.

Whether a fintech company falls within the scope of this regulatory regime will depend on the exact nature of its business and the type of activities being carried out.

Alternative investment funds

8. Are managers of alternative investment funds regulated?

Managers of alternative investment funds are regulated in Spain under the AIFMD, which was implemented in Spain by Law No. 22/2014, of 12 November, governing private equity entities, other closed-ended collective investment undertakings, and the management companies of closed-ended collective investment undertakings, which amended Law No. 35/2003, of 4 November, on Collective Investment Schemes.

Peer-to-peer and marketplace lending

9. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Peer-to-peer lending is considered a crowd-lending activity under Spanish legislation and is regulated by Law No. 5/2015, of 27 April, on the Promotion of Business Financing.

Crowdfunding

10. Describe any specific regulation of crowdfunding in your jurisdiction.

Crowdfunding is regulated by Law No. 5/2015, of 27 April, on the Promotion of Business Financing. This Law affects reward-based crowdfunding, equity crowdfunding and crowd lending, and governs, among others, the normal operating model and regime of platforms, the accreditation of the investor and the limits established for the amount of the investment. These limits, which are some of the most restrictive elements established in the Law, include limitations on:

• raising funds for start-ups that amount to €5 million for accredited investors (namely, professional investors) and €2 million for non-accredited investors;
• equity crowdfunding projects, which cannot exceed 125 percent of the project’s projected target; and
• platforms and projects to be invested in by non-accredited investors, which are capped at €10,000 and €3,000 respectively.

It is expressly established that these types of investments are not covered by the guarantee fund.

Additionally, Regulation (EU) 2020/1503 on European crowdfunding service providers for business, which regulates and tries to harmonize the functioning of these alternative financing systems, entered into force on 10 November 2021.

Invoice trading

11. Describe any specific regulation of invoice trading in your jurisdiction.

There is no specific regulation of invoice trading in Spain. As a general rule, there are no restrictions on invoice trading; however, the activities and structure of a firm engaged in invoice trading should be analyzed to determine whether a regulated activity that requires permission or authorization is taking place.

Payment services

12. Are payment services regulated in your jurisdiction?

Payment services are regulated by Royal Decree-Law No. 736/2019, of 20 December, on the legal regime on payment services and payment entities, which completes the transposition of PSD2 in Spain, which was partially implemented by means of the Royal Decree-Law No. 19/2018, of 23 November, on payment services and other financial measures.

Payment services include:

• services enabling cash to be placed on a payment account, as well as all the operations required for operating a payment account;
• services enabling cash withdrawals from a payment account, as well as all the operations required for operating a payment account;
• execution of payment transactions;
• transfers of funds on a payment account with the user’s payment service provider or with another payment service provider;
• execution of payment transactions where the funds are covered by a credit line for a payment service user;
• issuing and acquiring payment instruments;
• money remittance; and
• execution of payment transactions where the consent of the payer to execute a payment transaction is given by means of any telecommunication, digital or IT device and a payment is made to the telecommunication, IT system or network operator, acting only as an intermediary between the payment service user and the supplier of the goods and services.

To provide payment services in Spain, a firm must fall within the definition of a ‘payment service provider’, which includes:

• credit institutions;
• electronic money institutions;
• the national postal service of Spain;
• the Bank of Spain; and
• the Spanish general government administration, autonomous communities and local bodies.

A firm that provides payment services in or from Spain as a regular occupation or business activity (and is not exempt) must apply for registration as a payment institution. Sanctions may be imposed on any natural or legal person providing payment services without authorization. Since December 2019, entities wishing to act as payment institutions must follow the specific procedure established under aforementioned Royal Decree-Law No. 736/2019, of 20 December, and submit a request with the Bank of Spain to obtain relevant authorization. The cross-border business of payment institutions will be possible in Spain as far as relevant passports to set up a local branch or agents have been received by the Bank of Spain from entities located within the territory of the European Union. The provision of services without the presence of these entities in Spain will be also available if relevant notifications are received by the Bank of Spain. Spanish entities will provide services abroad if the Bank of Spain has received relevant notifications. In the case of the provision of activities in or from entities located out of the European Union, express authorization is needed. In certain cases, the Bank of Spain may reject this authorization.

Open banking

13. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

No.

Robo-advice

14. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

There is no specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in Spain. In terms of licensing requirements, Spanish legislation does not distinguish based on the profiles of targeted investors, whether professional or retail. Automated access to investment products through fintech companies in Spain is only possible if the relevant licenses are duly obtained.

Fintech companies may provide automated activities related to investment advice (when referring to specific financial instruments taking into account the personal circumstance of the investor) and portfolio management in Spain, but these activities imply the provision of certain services that trigger licensing requirements. In any case, authorization and registration with the CNMV will be mandatory. In Spain, there are a number of entities providing this type of service, most of them being investment firms exclusively dedicated to providing investment advice.

Insurance products

15. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Selling or marketing insurance products in Spain is a regulated activity and entities providing this service fall under the relevant Spanish regulation. In this regard, a fintech company must act under the form of a regulated entity (e.g, insurance company or insurance intermediary as broker or agent). The Association of Fintech and Insurtech has published a white paper on fintech regulation in Spain, aimed at creating an adequate framework for these types of entities and to encourage alternatives to the existing Spanish regulations for financial services providers in Spain, including insurance services providers.

Credit references

16. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

The rules on credit ratings laid down in Regulation (EC) No. 1060/2009 (as amended) apply in Spain. A credit-rating agency is required to adopt, implement and enforce adequate measures to ensure that its credit ratings are based on a thorough analysis of all the information that is available and that is relevant to its analysis according to its rating methodologies. At present, there are only two credit-rating agencies domiciled in Spain and included in the official register of the CNMV.

CROSS-BORDER REGULATION

Passporting

17. Can regulated activities be passported into your jurisdiction?

An EEA firm may exercise passport rights to provide services in Spain and may provide services through a local branch or agent or on a cross-border basis without a presence in the territory. A non-EEA firm or an EEA firm that is not undertaking an activity that can be passported into Spain must establish a local presence, obtain an appropriate license or, in some cases, receive authorization from the relevant regulator to operate on a cross-border basis.

Requirement for a local presence

18. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

An EEA firm may exercise passport rights to provide services in Spain. A non-EEA firm or an EEA firm that is not undertaking an activity that can be passported into Spain must establish a local presence, obtain an appropriate license or, in some cases, receive authorization from the relevant regulator to operate on a cross-border basis.

SALES AND MARKETING

Restrictions

19. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

Although general rules on marketing and advertising shall apply to the investment business, there are specific regulations covering the sales and marketing of investment services and products in Spain. In accordance with Law No. 6/2023, of 17 March 2023, on Securities Markets and Investment Services (the Securities Market Law), this activity must be only carried out by entities that are authorized or passported to provide the relevant investment service.

Although the sales and marketing of financial services is not an investment service itself, the activity consisting of marketing as well as the canvassing of clients triggers licensing requirements in Spain.

Advertising and marketing of investment services and products are covered under sectorial regulations, in particular, under Order EHA/1717/2010, of 11 June, on Regulation and Control of Advertising of Investment Services and Products and Spanish Securities Market Commission (CNMV) Circular 2/2020, of 28 October, on advertising of investment products and services that cover this type of advertising in Spain and include a definition of advertising activity. In this regard, advertising activity includes a communication to the general public aimed to promote, directly or indirectly through third parties, the contracting of a specific investment service or product (covering financial instruments under Directive 2014/65/EU (Markets in Financial Instruments Directive II)), as well as those communications made in the course of a public offer with the aim of impacting its result. It is expressly contemplated that advertising activity shall exist in respect of communications to the general public on the management or marketing of collective investment schemes, private equity schemes or securitization vehicles, although these communications do not refer to a specific product. This legal provision determines the procedures and controls that entities must have in place when producing advertising materials in connection with investment services and products.

The content of the advertising material in no case may contradict or play down the importance of the information contained in the prospectus and the key investor information document. Advertising materials must be clearly recognizable as such and the promotional character of the message must be explicit and evident. All information included in the materials must be fair, clear and not misleading, with the ultimate goal of abiding by the general obligation to act in an honest, loyal and professional manner and in the best interests of clients while rendering investment services.

The CNMV has supervisory functions in respect of the marketing and advertising of investment services and products.

Banking

In respect of banking activities, on 15 July 2020, Circular 4/2020, of 26 June, of the Bank of Spain, on advertising of banking products and services (Bank of Spain Circular 4/2020) was published. Bank of Spain Circular 4/2020 repealed Circular 6/2010, of 28 September, of the Bank of Spain, on advertising of banking products and services and it develops Ministerial Order EHA/1718/2010, of 11 June, on regulation and control of advertising related to banking services and products (Order 1718/2010). Other rules such as Order EHA/2899/2011, of 28 October, on Transparency and Protection of Clients of Banking Services may also apply.

Bank of Spain Circular 4/2020, Order 1718/2010, CNMV Circular 2/2020 and Order EHA 1717/2010 together with Law No. 10/2014, of 26 June, on management, supervision and solvency of credit institutions (Law No. 10/2014) and implementing regulations, and the Securities Market Law and its implementing regulations fully complete the sectorial legislation on advertising of banking and investment products and services Spain, with the general rules on advertising that continue to be governed by General Law No. 34/1988, of November 11, on Advertising (Law No. 34/1988). The Spanish regulation governing the advertising of banking products and services and the one governing the advertising of investment products and services follow the same pattern.

Bank of Spain Circular 4/2020 and CNMV Circular 2/2020 contain rules on controls and procedures that credit institutions must adopt when they are promoting their products in Spain, their potential adhesion to self-regulation systems, and the content and format of such promotions including information on the supervisory powers of the Bank of Spain and the CNMV and potential sanctions that may be enforced (e.g, cessation or rectification of certain promotional activities).

The Bank of Spain has supervisory functions in respect of the marketing and advertising of banking services and products.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

20. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

No.

Cryptoassets

21. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

On 29 April 2021, Royal Decree-Law No. 7/2021 entered into force, implementing Directive (EU) 2018/843 (Fifth Anti-Money Laundering Directive) and amending certain provisions of Law No. 10/2010 on the prevention of money laundering and terrorist financing. The Law includes regulation of the information to be disclosed by service providers of digital currency exchange, transfer of digital currency and custody of digital currency, among others.

The Law considers service providers as subject to the Spanish anti-money laundering legislation. Cryptoasset service providers must be included in the relevant register at the Bank of Spain. They have nine months from the entry into force of Royal Decree-Law No. 7/2021 to be included in the relevant register. Breach of the registration obligation and the provision of these services to Spanish residents would be qualified as a very serious infringement.

The new registration requirement before the Bank of Spain was published on 20 October 2021.

Token issuance

22. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

The Spanish Securities Market Commission (CNMV) and the Bank of Spain published a joint statement on 9 February 2021, building on another statement from 2018, in which they warned about the risks that these new types of assets pose for participants in the financial system and, in particular, for small investors. The statement highlighted the complexity, volatility and potential lack of liquidity of these investments.

Royal Decree-Law No. 5/2021, of 12 March, on extraordinary measures to support business solvency in response to the covid-19 pandemic, introduced a new article 240-bis in Law No. 6/2023, of 17 March 2023, on Securities Markets and Investment Services (the Securities Market Law) to strengthen the legal framework for the protection of investors with regard to the advertising of new instruments and financial assets in the digital area.

The amendment of the Securities Market Law has regulated that the CNMV has been granted powers to subject the advertising of cryptoassets, and other assets and instruments that are not regulated by the Securities Law and that are offered as investments, to administrative control.

On 10 January 2022, CNMV Circular 1/2022 of 10 January, on the advertising of cryptoassets presented as a means of investment (CNMV Circular 1/2022), was published. It aims to develop the rules, principles and criteria to which the advertising of cryptoassets shall be subject, in particular, to delimit the scope of application and obliged entities to CNMV Circular 1/2022.

CNMV Circular 1/2022 governs the advertising of cryptoassets that are the means of investment. For these purposes, any advertising directed at investors or potential investors in Spain that, implicitly or explicitly, offers or draws attention to cryptoassets as a means of investment will be considered to be advertising activity.

In all circumstances, it will be presumed that a cryptoasset is offered or attention is drawn to it as a possible means of investment when its acquisition is promoted or any reference to its return, price or value, current or future is made, which might suggest an opportunity to invest in such cryptoasset, even though it may occasionally be used as a means of exchange.

Likewise, in all circumstances, advertising will be understood to be aimed at investors in Spain when it is provided on physical media in Spain, through Spanish media (including web pages or domains) and when it is provided in Spanish or other official languages, unless it contains a statement that the services or products offered are not aimed at or accessible to investors in Spain.

CNMV Circular 1/2022 will be applicable to the following parties:

• cryptoasset service providers when they engage in cryptoasset advertising activities;
• advertising service providers; and
• any natural or legal person, other than those indicated in previous points, who on their own initiative or on behalf of third parties, engages in an activity of advertising of cryptoassets.

When designing their advertising campaigns and each of the advertising pieces that comprise them, obliged entities to CNMV Circular 1/2022 shall take into account the nature and complexity of the advertised product, the characteristics of the communications media used and the target audience.

All commercial communications must include information on the risks of the product they advertise, specifically:

• The following warning shall be included in the commercial communication, using a format and positioning that ensures its relevance in the advertising piece and not as secondary information or as a footnote: ‘Investment in cryptoassets is unregulated, may not be suitable for retail investors and the entire amount invested may be lost.’
• A link or reference to the location of the additional information shall be included, which shall, as a minimum, refer to the information and risks identified. The link must be identified with the following text: ‘It is important to read and understand the risks of this investment, which are explained in detail on this site.’
• When the medium used only allows for a reference, an indication must be given of where information about the risks can be found and the importance of reading that information.

Advertising activity aimed at investors in Spain shall not require prior CNMV notification, except in the case of mass advertising campaigns. However, even when they are not mass advertising campaigns in the strictest sense, some obliged entities to CNMV Circular 2/2022 may be required to provide prior notification for all their advertising campaigns, where it is considered necessary due to the potential impact on their target audience.

In the exercise of its supervisory function, the CNMV can ask the obliged entities to CNMV Circular 1/2022 to provide specific information on advertising campaigns or pieces to assess their compliance with the requirements set forth in CNMV Circular 1/2022. This type of request must be answered by the entity within a period of three business days.

The obliged entities to CNMV Circular 2/2022 shall keep a register of the following information and documentation relating to ongoing advertising campaigns and those carried out in the past two years:

• General information on the campaign: start and end date, territorial scope, description of the target audience, list of the media and advertising channels used for dissemination and a quantitative estimate of the number of people to which it is being targeted.
• Specific information on the advertising pieces: a copy must be kept of all advertising pieces with a different message (including clarifications or legal warnings) or format (radio spot, television advertisement, banner, poster, etc) broadcast during the campaign, in the original format or in electronic format that can be accessed.
• Identification of the advertising service providers and the advertising contracts or agreements entered into.

Obliged entities to CNMV Circular 2/2022 that carry out mass advertising campaigns must provide the documentation and information indicated in CNMV Circular 2/2022 at least 10 business days before their execution.

They must present a document giving prior notification of the mass advertising campaign that shall adhere to the template included for this purpose on the CNMV’s website, in addition to the following documentation, which shall be clear, concise, consistent and sufficient to allow an assessment to be made of the scope and impact it may have on the public:

• General information about the campaign: details of the cryptoassets that are the object of the campaign or the services to be advertised, a description of the target audience and a list of the media and advertising media used for their dissemination.
• Specific information on the advertising pieces: a copy of all advertising pieces with a different message (including clarifications or legal warnings and warnings about risks) or format (radio spot, television advertisement, banner, poster, et cetera) to be broadcast during the campaign, in the original format or in an electronic format that can be read or accessed.

The prior notification will allow the advertising campaign to start 10 business days after its presentation, unless the CNMV indicates otherwise. Under no circumstances shall a lack of response from the CNMV during the period between the notification and the start of the campaign imply that the CNMV considers that the campaign complies with all the rules contained in CNMV Circular 1/2022.

Further, in September 2020, the European Commission made a proposal for the regulation of markets in crypto-assets (MiCA) (the MiCA Proposal). This regulation intends to cover and regulate those cryptoassets that are not regulated by the current regulation in force (an example of a regulated cryptoasset would be electronic money). However, a large part of the cryptoassets typology is not framed within said regulation.

In this sense, the MiCA Proposal aims to harmonize the entire legal regime within the scope of currently unregulated cryptoassets; thus, all national regulations on any matter within its scope of application would be voided, based on the principle of the primacy of EU law.

An additional purpose of the MiCA Proposal is to guarantee an appropriate legal framework for the promotion of innovation and new technologies guaranteeing investor protection.

Finally, it should be noted that the proposed regulation will apply to all providers who:

• issue or advise on the issuance of cryptoassets; and
• provide cryptoassets services within the European Union.

Some cryptoassets are considered electronic money (e.g, stablecoins), and these will not be regulated by the MiCA Proposal.

Although there are no local regulations governing this type of product in Spain, the CNMV and Bank of Spain have expressed their concern on multiple occasions regarding the risks involved when dealing with this type of product. In this regard, the last publication was a joint press statement by the CNMV and the Bank of Spain on cryptocurrency investment risks. Following joint press statements published in 2018 and 2021, where the Bank of Spain and the CNMV warned about the high risk posed by these types of investments owing to, among other factors, their extreme volatility, complexity and lack of transparency, now both supervisory authorities in Spain include express alerts to the public on the fact that these products are complex instruments that may not be appropriate for small-scale savers, their price having a high speculative component that may even entail the loss of the amounts invested. Other aspects have been a matter of concern, such as the existence of leverage-derivative products linked to cryptocurrencies through which it is possible to indirectly invest in those instruments, and the risks linked to the use of cryptocurrencies as means of payment, among others.

On 14 March 2022, the Committee on Economic and Monetary Affairs of the European Parliament approved a new draft of the regulation on MiCA. In the approved draft, it has been agreed not to include the amendment that de facto prohibited the provision of services related to cryptoassets that were not environmentally friendly. This prohibition affected those that are mined with the proof of work mechanism.

Finally, the European Parliament has approved the final text of MiCA on 20 April 2023. The entry into force will be 20 days later than its publication. The version adopted by the European Parliament will have to be formally approved by the Council and will enter into force 20 days after its publication in the Official Journal of the European Union.

The MiCA Regulation will be applicable 18 months after the date of entry into force, with the exception of Titles III and IV (issuance of e-money tokens and asset-backed tokens), which will apply 12 months after the date of entry into force.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

23. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

The Spanish Securities Market Commission (CNMV) has stated that the fact that investment advice or portfolio management is automated does not make a difference in the way that the service is regulated and that the relevant conduct of business rules, suitability assessments and other rules apply in the normal way. In this regard, there are no specific rules or regulations governing the use of artificial intelligence.

CHANGE OF CONTROL

Notification and consent

24. Describe any rules relating to notification or consent requirements if a regulated business changes control.

There are specific rules relating to the change of control of regulated entities. Where a person (whether acting separately or with others) decides to acquire, directly or indirectly, shares in a credit institution, insurance company or investment firm that imply acquiring a significant holding or taking control of the entity, the relevant regulators (the Bank of Spain, the Spanish Securities Market Commission or the General Directorate for Insurance and Pension Funds) must first be notified and provide their consent. The notification must be accompanied by documents and information that will enable the relevant regulator to analyze the suitability of the potential acquirer. Once the relevant regulator expressly states that there are no grounds to prevent the acquisition, the acquisition may take place.

A prior request must always be sent to the relevant supervisory authority and the acquisition may not take place before receiving relevant authorizations. There are specific procedures and standardized forms that must be used in these circumstances.

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

25. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

There is no specific legal or regulatory requirement for fintech companies to have anti-money laundering procedures. The Spanish Anti-Money Laundering Law applies to a number of regulated entities and persons carrying out certain activities. Compliance with the Anti-Money Laundering Law is compulsory and includes an obligation to have appropriate policies and procedures in place to combat money laundering and terrorism financing.

Spanish legislation does not regulate anti-bribery and corruption separately. The relevant regulation establishes monitoring mechanisms to avoid illicit activity in organizations while also providing a range of sanctions, including the suspension of the activities and the dissolution of the company engaged in illegal activities. Regardless of whether they are regulated, fintech companies should adopt a proactive position to establish preventive criminal monitoring measures and appropriate policies and procedures as a matter of good governance and risk management.

Where initial coin offerings fall under the classification of a public offer, procedures to combat bribery or money laundering should be in place.

In May 2018, the EU approved new anti-money laundering legislation targeting anonymity in the cryptocurrency market.

On 29 April 2021, Royal Decree-Law No. 7/2021 entered into force, amending Spanish Law No. 10/2010 on the prevention of money laundering and terrorist financing and implementing Directive (EU) 2018/843 (Fifth Anti-Money Laundering Directive). The following developments shall be taken into account:

• new obliged entities:
• virtual currency service providers for the exchange of fiat currencies and the custody of electronic wallets for these virtual currencies;
• entities providing account information services (commonly known as ‘aggregators’); and
• insurance companies authorized to operate investment-related insurance business (amendment, not a new category); and
• creation of a central and single registry of beneficial ownership throughout the national territory of Spain (Spanish Central UBO Registry); and
• creation of a registry of virtual currency providers.

Royal Decree 609/2023 of 11 July 2023, which creates the Spanish Central UBO Registry and approves the regulation thereof, came into effect on 19 September 2023. However, some provisions have a different deadline – for example, entities that can show a legitimate interest in accessing the Spanish Central UBO Registry can do so from 19 October 2023.

Guidance

26. Is there regulatory or industry anti-financial crime guidance for fintech companies?

There is no anti-financial crime guidance specifically for fintech firms. However, firms that are subject to the Anti-Money Laundering Law for carrying out certain types of activities subject to anti-money laundering checks should comply with it. In addition, these entities should follow the general recommendations for internal monitoring to prevent money laundering and terrorism financing issued by the Spanish Executive Service of the Commission for the Prevention of Money Laundering.

Regulatory and financial crime rules apply as far as the entities are subject to these regulations considering the type of activity or the type of entity (banks, insurance companies, asset managers, investment firms, et cetera). In this regard, there is an initiative proposing the creation of a specific regulatory framework for the fintech sector.

DATA PROTECTION AND CYBERSECURITY

Data protection

27. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

On 25 May 2018, Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) came into force with direct effect across the entire European Union. In Spain, additionally, domestic law (Organic Law No. 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights (SLDP) was enacted and came into effect on 7 December 2018. Likewise, among other ‘domestic peripheric regulations’, two of them that play an important role in the field of processing personal data within the fintech sector, Law No. 34/2002, of July 11, on services of the information society and electronic commerce (LSSIyCE) and General Telecommunications Law No. 11/2022, of June 28, which transposes Directive 2002/58/EC, of July 12, on privacy and electronic communications.

Within the European Union, the GDPR – given its direct and primacy effects – governs the processing of personal data provided that the material and territorial scope stated in article 2 and article 3 of the GDPR, respectively, is triggered. Likewise, the SLDP has regulated some outstanding key legal points from the GDPR and additionally has extended its approach to some other topics (among others):

• the appointment of the Spanish Data Protection Authority (AEPD) as the Spanish supervisory authority;
• granting powers of inspection and corrective measures to the AEPD;
• list of infringements, penalties and the particularities of the sanctioning procedure in place; and
• catalogue of new digital rights for the data subjects (seen from the other side, duties for the businesses).

The GDPR relies on general principles stated in article 5, ‘accountability’ presumably being the most disruptive one in comparison with the previous regime (Directive 95/46/EC (Data Protection Directive). The GDPR requires that any processing of personal data shall be done on a lawful basis, depending on the category of personal data (either general or standard (article 6) or special (article 9 in relation to article 6)). Additionally to the lawful basis, the GDPR requires a mandatory obligation to process personal data: to inform the data subject in the terms laid down in the GDPR. Such duty places a significant burden on businesses, as they shall always ensure that their customers are duly informed, which is a crucial change to the previous data protection regime.

The GPDR poses a significantly increased compliance burden on businesses (accountability principle), including, for example, mandatory requirements to notify the AEPD of data breaches; introduction of a new ‘public body’ named the ‘Lead Supervisory Authority’ aimed at exercising powers with regard to cross-border processing of personal data; and requirements for most private entities to appoint a data protection officer. Businesses that infringe the GDPR may be subject to a variety of corrective measures imposed by the supervisory authorities, among others, administrative fines of an amount up to €20 million or 4 percent of global turnover, whichever is higher (e.g, the last administrative fine imposed by the AEPD to Google LLC amounted to some €10 million).

Cross-border processing of data falls under the legal framework of the GDPR, therefore no relevant changes have to be borne in mind (except that the new public body, the Lead Supervisory Authority, will take on powers regarding cross-border processing of personal data).

International transfer of personal data to third countries (not including Iceland, Liechtenstein and Norway, as they are part of the European Economic Area) is covered by article 45(1) of the GDPR (transfers on the basis of an adequacy decision):

A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

Note that the judgment of the Court of Justice of the European Union in Schrems II, handed down on 23 July 2020, annulled the ‘privacy shield’ that provided the legal framework (adequacy decision) for the international transfer of personal data between the European Union and the United States. As of today, there is no adequacy decision in place with the United States and due to the last non-binding opinions by the European Data Protection Board and the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs advising against the adequacy decision, we cannot expect an agreement between both parties in the coming months. The judgment also emphasized the responsibilities of exporters and importers to ensure that the processing of personal data has been and will continue to be carried out in compliance with the level of protection set by the GDPR. Additionally, to suspend the transfer or terminate the contract where the importer of the data is not, or is no longer, able to comply with standard data protection clauses incorporated in the relevant contract between exporter and importer. Whatever mechanism is chosen for the international transfer of personal data, it must be ensured that, overall, the transferred personal data will have the benefit of an essentially equivalent level of protection as in the European Union.

Likewise, in relation to the United Kingdom, it is important to mention that on 28 June 2021, the European Commission adopted an adequacy decision with the United Kingdom, which ensures the free flow of personal data between the two parties for a period of four years (until June 2025) (article 46 of the GDPR (transfers subject to appropriate safeguards) and article 49 of the GDPR (derogations for specific situations).

Cybersecurity

28. What cybersecurity regulations or standards apply to fintech businesses?

There are no local rules on cybersecurity for fintech companies, although Directive (EU) 2016/1148 on cybersecurity has been transposed by means of Royal Decree-Law No. 12/2018, of 7 September, which was amended by Royal Decree-Law No. 43/2021, of 26 January.

With regard to sector standards, public body the National Institute of Cybersecurity is in charge of cybersecurity issues and plays an important role in informing, advising and guiding private entities in relation to cybersecurity incidents. A brief guide on the fintech sector has been released on the Institute’s website.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

29. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

There are no regulations specific to the outsourcing of IT systems, including in relation to cloud computing and the internet of things. However, depending on the activities contemplated, consideration will need to be given to the processing of personal data under Regulation (EU) 2016/679 (General Data Protection Regulation) and Organic Law No. 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights’ legal framework, aspects of the Intellectual Property Law approved by Royal Legislative Decree No. 1/1996, of 12 April (the Copyright Law), and parts of the General Telecommunications Law No. 9/2014, of 9 May.

Financial services companies planning to outsource certain services or activities may be subject to specific regulations. In general, credit institutions may delegate the provision of certain services and the carrying on of certain functions to a third party, provided that:

• there is no resulting void in the credit institution’s functions or reduction in its internal control capacities; and
• supervisory authorities can continue to perform their supervisory responsibilities.

Note that outsourcing does not reduce a credit institution’s liability for its legal obligations.

Additional restrictions apply to the delegation by a credit institution of essential services or essential functions. Generally, a service or function is considered essential if it could affect compliance with the terms of a credit institution’s authorization, financial results, solvency or the continuity of banking activity. Financial institutions must notify any agreements delegating essential services or functions to the Bank of Spain, the Spanish Securities Market Commission, or both, with one month’s advance notice.

Bank of Spain Circular 2/2016 sets out further details regarding the extent to which outsourcing is permitted.

Credit institutions providing investment services must comply with additional requirements set out in Law No. 6/2023, of 17 March 2023, on Securities Markets and Investment Services (the Securities Market Law).

Cloud computing

30. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

The EU Agency for Network and Information Security (ENISA) guidance titled ‘Secure Use of Cloud Computing in the Finance Sector’ contains analysis of the security of cloud computing systems in the finance sector and provides recommendations. Cooperation between financial institutions, national financial supervisory authorities and cloud service providers is encouraged. ENISA advocates a risk-based approach to developing cloud computing systems in the finance sector.

Likewise, any storage of personal data provided through cloud computing services should bear in mind the processing of personal data (security measures adopted, international transfer of personal data, et cetera).

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

31. Which intellectual property rights are available to protect software, and how do you obtain those rights?

Computer programs are protected, generally, as literary works under Royal Legislative Decree No. 1/1996, of 12 April (the Copyright Law). Although registration is not required for protection, it is highly recommended.

In the labor field, subject to the Copyright Law, software is generally considered a ‘collective literary work’, which entitles businesses to become the exclusive holder of moral and exploitation rights derived from the creation of the software. Nonetheless, even though such legal provision generally applies it is highly recommended to introduce in the employment contract clauses of assignment of exploitation rights in favor of the business.

Besides the labor field, which is caught by specific rules given the relationship between employer and employee, the two main ways of obtaining moral and exploitation rights derived from software are:

1. creation (original owner); or
2. assignment or license of exploitation rights (derivative owner)

In (2), the original creator will keep the moral rights as such rights cannot be assigned or licensed under the Copyright Law.

In some particular cases, software can be protected under a patent legal framework as long as it is considered a computer-implemented invention that solves a technical problem in an inventive way. In this regard, on 1 June 2023, the Agreement on a Unified Patent Court (UPC) came into force in 17 EU member states, excluding Spain due to its ratification rejection. However, the UPC Agreement leaves the door open to the rest of the EU member states, including Spain, to apply for accession to the European Unitary Patent system.

IP developed by employees and contractors

32. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

As a general rule that applies to both IP (e.g, patents) and copyright (e.g, software), the exploitation rights of inventions or works created by employees:

• during the course of his or her role in the company; and
• related to the functions assigned to his or her job belongs to the employer, provided that the employer uses it for the business.

Nonetheless, there are particular exceptions stated in Spanish legislation (e.g, the Patent Law) that would require analysis on a case-by-case basis. As a matter of recommendation, it is always advisable to introduce, in the employment contract, the assignment of exploitation right clauses in favor of the employer.

Contractors or consultants, as external to the entity, shall be required to assign or license the exploitation rights derived from the inter parties relationship, when acting as service providers. An ad hoc IP and copyright clause to set forth the legal regime applicable to the contract is highly recommended.

Joint ownership

33. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

In the field of IP (e.g, see the Spanish Patent Law), the joint ownership of the patent exploitation right is expressly laid down and some specific rules apply. The first regime governing joint ownership is the agreement between the joint owners, which will not impede each joint owner from exploiting the patent; subsidiarily, the terms laid down in the Patent Law will apply; failing that, Spanish civil law principles will be triggered.

The Copyright Law differentiates between collaborative works and collective works. The first is made by the collaboration of different co-authors and its division must be agreed by all the co-authors, although no author can unreasonably withhold his or her consent for any exploitation once work has been released. Each co-author is able to exploit his or her part of the work unless it prejudices the work (as a whole). The collective work is made by different authors but under the initiative and coordination of a person or entity (normally, the second one), being the one in charge of the initiative and coordination task which will hold the exclusive morale and exploitation rights of the work.

Trade secrets

34. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

Directive (EU) 2016/943 (Trade Secrets Directive) has been implemented in Spain by means of Law No. 1/2019, of 20 February, on trade secrets (the Trade Secret Law). Therefore, to benefit from trade secret protection three requisites shall be met (namely, confidential, business value by virtue of its secrecy and adequate measures implemented to keep it confidential).

Despite this, the lack of compliance with the requirements for trade secret protection does not mean a lack of protection, as there might be protection under the umbrella of ‘know-how’. Commission Regulation (EU) No. 316/2014, of 21 March, defines ‘know-how’ as:

• a secret;
• substantial; and
• an identified package of practical information, resulting from experience and testing, without requiring proactive measures to be taken to ensure secrecy (as is required for trade secrets).

According to the Trade Secret Law, trade secrets’ ownership cannot be alleged as an exception to disclose it before administrative bodies and judicial proceedings when they are performing their respective public duties, nonetheless effective and adequate measures shall be put in place to avoid the disclosure of trade secrets to third parties.

Branding

35. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

In general terms, trademarks can be protected as registered trademarks either in Spain alone (as a Spanish trademark before the Spanish Patent and Trademark Office (OEPM), across the European Union (as an EU trademark before the European Union Intellectual Property Office (EUIPO) or throughout the international trademark procedure before the World Intellectual Property Office (WIPO). Certain branding, such as logos and stylized marks, can also be protected by the ‘commercial name’ legal regime, design rights and the requisites to be protected by copyright as artistic works may also be met.

The OEPM has a database that can be searched to identify which trademarks are already registered. In addition, the EUIPO trademark database can be searched to identify registered or applied for trademark rights with effect in the entire European Union. Likewise, the WIPO has an open global trademark database with information concerning national, EU and international trademark registrations.

Remedies for infringement of IP

36. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

There are plenty of remedies related to IP and copyright infringements that may be of use to an injured party.

Regarding IP, the injured party is entitled, among others, to take measures before local or European offices (eg, see in the field of trademarks through annulment action or expiry due to lack of use action), file preventive letters (to prevent infringement of a patent), as well as submitting legal actions before the courts with or without interim measures or preliminary measures.

For copyright infringement, the injured party can, among other measures, request an administrative decision be handed down by the Spanish Copyright Commission, as well as file an arbitral procedure before international public bodies such as the WIPO (e.g, in the case of domain name disputes). Likewise, they may also be entitled to file preventive letters (see Ruling No. 84/2020 handed down by Barcelona Mercantile Court No. 8, dated 25 February 2020) and they are entitled to file legal actions before the courts with or without interim measures or preliminary measures.

COMPETITION 

Sector-specific issues

37. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

No.

TAX

Incentives

38. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

The entry into force of Law No. 28/2022 to promote the start-up ecosystem has brought the following important tax incentives:

• a reduced corporate income tax rate of 15 percent for the first fiscal year of positive taxable base and the following three fiscal years; and
• the stock options exemption for Spanish tax resident employees of the start-up has been improved from €12,000 to €50,000.

Increased tax burden

39. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

Yes. Law No. 13/2022 establishes new obligations to provide information on clients to the tax administration in accordance with Directive 2011/16/EU (Directive on Administrative Co-Operation 8). This change may have a considerable impact in relation to the administrative costs faced by fintech companies, especially in services linked to cryptoassets.

Further, in the last budget bill (Law No. 31/2022) a reduced corporate income tax rate of 23 percent has been implemented for those groups of companies whose net turnover in the immediately preceding tax period is less than €1 million as a whole.

IMMIGRATION

Sector-specific schemes

40. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

EEA nationals do not require a work or residence permit.

Non-EEA nationals must obtain work and residence permits to live and work in Spain. A range of licenses can be issued by employers, each license has its own specific requirements.

As a general rule, for the technology and financial sectors, the quickest and easiest way to recruit skilled staff from abroad is through the highly qualified foreign professionals (HQP) permit. This type of permit is for professionals who are graduates or postgraduates of universities and prestigious business schools who will be employed in Spain and whose fixed annual salary will be set at least at €50,000. The HQP permit has a streamlined process: according to the law, an application for a residence permit must be resolved by the Spanish authorities within a maximum of 20 working days from when it was duly registered, attaching all necessary documents. Once the permit has been granted, the candidate will need to request a visa at the Spanish consulate of the candidate’s country of residence. Should the candidate be a legal resident in Spain at the time the work permit is submitted, the process would be even quicker as the visa step would not be needed.

UPDATE AND TRENDS IN FINTECH IN SPAIN

Current developments

41. Are there any other current developments or emerging trends to note?

There are no relevant developments to note.

* The authors wish to thank Alfredo de Lorenzo and Álvaro Muñoz of Simmons & Simmons LLP for their assistance in the preparation of this chapter.

* The information in this chapter was accurate as of June 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

LEGAL CONSULTING SERVICES

090.252.4567

HÃY CLICK ĐỂ LẠI SĐT CHÚNG TÔI SẼ GỌI NGAY CHO BẠN MIỄN PHÍ

NT INTERNATIONAL LAW FIRM

• Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
• Phone: 090 252 4567
• Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam