Garrigues Digital_

For the fintech sector to continue to be a breeding ground for new disruptive financial business models, it must have a regulatory framework that provides the legal certainty for these to flourish.

A call for the principles of good regulation

When looking at the legislative challenges arising in the fintech arena from the legal-administrative perspective, the principles of good regulation enshrined in the laws on common administrative procedure must be observed, as we first discussed here. In particular, the principles of necessity and proportionality, whereby any legislation proposed must include the indispensable regulations to cover the objectives sought and, above all, whereby the measures that are identified and included in that legislation must be the least restrictive and burdensome on operators as possible.

A sufficiently stable, predictable and clear regulatory framework is necessary so that a reliable and attractive regulatory environment can be designed, one that is both suited to the practical needs of financial service providers and users in the digital environment and that ensures the necessary protection for consumers and the public interest.

To bring about such requisite legal certainty in this constantly evolving sector - and, in addition, to clearly transmit the message that such certainty exists - we need to have a specific supervisory structure that helps avoid some of the risks that threaten the greatest damage as regards fintech activities, such as financial players operating outside the regulatory framework, the creation of shadow banks, the misuse of technological innovations for money laundering or terrorism financing, etc.

In perhaps somewhat broad terms, the preamble to Law 7/2020, of November 13, 2020, for the digital transformation of the financial system, states that, as regards fintech supervision, the law does not seek to “change the current framework of distributing responsibilities among authorities, notwithstanding collaboration between all authorities in the new digital context”. Article 3.b of the Law therefore defines “supervisory authorities” as the national financial authorities with supervisory functions that are competent in view of the subject-matter in question, “whether the Bank of Spain, the National Securities Market Commission (CNMV) or the Directorate General of Insurance and Pension Funds”.

This is less precise, for example, than the provisions of article 71.1 of Royal Decree-Law 19/2018, of November 23, 2018, on payment services and other urgent financial measures, which clearly establishes that payment services providers shall be subject to “direct application of the penalty rules set out in Title IV of Law 10/2014, of June 26, 2014, on regulation, supervision and solvency of credit institutions, as well as Royal Decree 2119/1993, of December 3, 1993, on the penalty proceeding applicable to parties operating in the financial markets”, and of article 71.2 of that same royal decree, which specifies that “the Bank of Spain is designated as the competent national authority entrusted with guaranteeing and monitoring effective compliance with this Royal Decree-Law”.

Perhaps the fact that the fintech sector is ever-changing means that, for now, lawmakers simply cannot have the big-picture view that would allow them to design a more specific supervisory system to help guarantee greater levels of legal certainty in the sector. However, the authorities should set this as at least a medium-term goal.

Naturally, we are not arguing for the creation of a supervisory system that is so thorough and watertight that it risks stifling the innovation that is the very hallmark of fintech. Rather, we would like to see a legal framework that, overall, adequately responds to the demands derived from the constitutionally guaranteed principle of legality, which, of course, means that unlawful conduct and the corresponding penalties, as well as the authority entrusted with exercising sanctioning powers, must be specifically established in a legal text, and with the requisite clarity so that operators know exactly what to expect.

Sandbox pilot projects

Sandboxes, or frameworks in which innovators can conduct real-world experiments under a regulator’s supervision, are yet another story. Law 7/2020 established a monitoring and control system adapted to the particular features of this type of regulatory environment.

By operating within a regulatory sandbox, developers of innovative technology projects for use in the financial system are able to temporarily carry out, in the terms envisaged in the protocol signed with the Bank of Spain, the CNMV or the Directorate General of Insurance and Pension Funds, an activity that, in ordinary conditions, would require the prior approval of the corresponding supervisor.

This is therefore a special course (one of “experimentation”) for allowing developers to begin carrying out an activity; however, just because the approval or licenses usually required are waived in these cases, this does not mean there are no control mechanisms whatsoever.

On the contrary: article 15 of Law 7/2020 establishes several control measures that, together with the other ways stipulated for protecting project participants (such as informed consent, personal data protection, the right to withdraw, etc.), are specifically meant to ensure that the conditions established in the corresponding protocol and in the law in general are fulfilled.

In particular, supervisory authorities can designate one or more monitors to oversee the testing carried out within a pilot project, and supervisory authorities are entrusted with certain policing powers, such as to issue written instructions to developers to ensure fulfillment of the required conditions, to insist on changes to protocols so that the testing can be carried out appropriately, to gather as much information as deemed useful and to carry out inspections.

In fact, article 15 expressly establishes that sandbox projects will be cut short if the protocol or the applicable legislation is breached (and, under article 16, if the monitoring authority detects patent or persistent weaknesses or potential risks to financial stability, the integrity of financial markets or consumer protection). Furthermore, if such a breach also entails an infringement of the regulations on control and discipline, the natural persons and legal entities, as well as the holders of management or administrative posts in the latter, may incur administrative liability, which is publishable pursuant to Law 10/2014, the Revised Securities Market Law, Law 20/2015, of July 14, 2015, on the regulation, supervision and solvency of insurance and reinsurance companies, and other legislation applicable to financial market players.