- About Garrigues
- Practice Areas
Areas and industries
- Team More
- Garrigues news room
- Calendar of events
- Work with us More
Legislative challenges for regulating fintech companies in Spain and Latin America
Garrigues FinTech Hub Team.
Although Fintech regulations need to continue to evolve, this step forward needs to be accompanied by advances in its supervision. In this respect, the fintech phenomenon in itself carries a risk for supervisors, who will need adequate instruments and processes to achieve their objectives of overseeing financial stability in the market in the new digital context.
One of the main legislative challenges for fintech regulations is to produce a regulation adapted to the needs of the new market players. The goal is to avoid the existence of financial entities operating outside the regulatory framework or the creation of shadow banking, through a technological adaptation of obsolete legislations, by guaranteeing certainty in the use of financial services in the market and taking financial and cybersecurity risks into account. In this sense, although it is necessary to define specific boundaries for the operations and supervision of activities and entities of this type, the aim should not be to restrain the market completely: a detailed regulation of the current situation of fintechs would not last, giving rise instead to a need for constant reforms.
Regulatory, tax, administrative and IP protection challenges
From a European perspective, the approval of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market - also known as the Second Payments Services Directive or PSD2 - has enabled the regulated entry of new payment services, enhancing the protection of customers and the security of e-commerce transactions. But this is only a first step towards the regulation of fintechs.
Moreover, although certain advances have been made in the Spanish framework concerning fintechs, such as the regulation on financial credit institutions (establecimientos financieros de crédito), electronic money institutions or the commonly known as crowdlending platforms (plataformas de financiación participativa), regulated by Law 5/2015, of April 27, 2015, on the promotion of business finance, or the transposition of PSD2, the constant advances in this industry have given rise to the need for greater regulations on this subject.
In this context, numerous countries have made progress in the creation of the so-called regulatory sandboxes, where new financial services or products can be tested in a controlled environment overseen by the competent authority. Spain is taking important steps along these lines, such as the recent approval, barely a few months ago, of Law 7/2020, of November 13, 2020 for the digital transformation of the financial system (also known as the Sandbox Law).
The intention behind the approval of a Spanish sandbox is to encourage innovation in new business models in a controlled space, guaranteeing the protection of potential end customers and allowing supervisors to observe the potential risks that will need to be regulated to ensure the financial stability in the market.
Nevertheless, additional steps will be needed in order to to contribute even further to provide a framework adapted to the new context and to provide a solution to global needs as well as to the more specific aspects previously discussed.
Tax: New legislation expected in the short term
In the tax field, fintech companies face numerous challenges. From the perspective of direct taxation, they have heavily digitized business models and therefore the work being undertaken by the OECD and by the European Union in relation to the digital economy is completely applicable to them, such as the potential measures to combat the shifting of tax bases, the existence of digital permanent establishments or the allocation of taxable profits in the various jurisdictions where they operate. In this regard, we can refer to the work conducted in the OECD’s Pillar I regarding the digital nexus for profit allocation, included within the framework of the BEPS plans of action. In the European Union, a consultation period was recently opened on an initiative to implement a digital levy.
Over recent years unilateral measures by various neighboring countries in relation to levying indirect taxes on digital services have been successfully implemented. This is the case of the new tax on certain digital services that came into force in Spain on January 16, 2021 and whose implementing regulations have yet to be published, involving a host of uncertainties (including the scope of application of the specific exemption for regulated financial services provided by regulated financial institutions and the consequences for the fintech industry). These non-harmonized measures may carry new obstacles in the evolvement of the fintech business at European level.
In the VAT field classic issues arise such as where the boundary lies to determine which fintech services may be exempt from VAT according to whether the specific service is considered “financial” (and exempt, as a general rule) or “technological” (and therefore subject and not exempt). These doubts will be resolved in the short term through official administrative or judicial interpretations by courts and tribunals in Spain and in the European Union, and, in the medium term, they could prompt an amendment of the VAT Directive and/or Spanish legislation.
This all means that in the short term a constant stream of new interpretations and rules in the field of taxation with impact on the fintech industry may be expected both at a legislative, case-law and doctrinal level.
Administrative law: A necessary call to the principles of good regulation
From a legal administrative law perspective, it is necessary to abide by the principles of good regulation embodied in article 129 of Law 39/2015, of October 1, 2015, on the common administrative procedure for public authorities, applicable to both legislative initiative and regulatory powers.
Among those principles, the principles of necessity and proportionality are of particular relevance, as the principles requiring draft legislation to include the indispensable regulations to cover the pursued objectives, and above all, to ensure that the measures that are identified and included in that legislation are the least restrictive of rights and impose the least burdens and obligations on those to whom they are applicable.
When applied to fintechs, the principle of necessity would be the one which would require that regulations to be justified by real dysfunctions or risks that have first been identified; and the principle of proportionality would mean that to deal with those real dysfunctions or risks the regulations cannot go beyond what is strictly indispensable.
It should also be taken into account the provisions set forth in article 4 of Law 40/2015, of October 1, 2015, on the public sector legal regime, which demands that both principles must be applied to any administrative measures that restrict rights or impose certain requirements for the conduct of an activity, with the aim of choosing the least restrictive measure and justifying its suitability to achieve the sought aims.
Additionally, it should be noted that the Spanish National Markets and Competition Commission, in a report on the impact on competition of new technology in the financial industry, warned of the advisability of observing those principles in any laws and regulations to be approved in this field, and of the serious risks of an impeditive or distorting impact that the opposite could entail.
Other principles of good regulation that have a determining effect in this field are those of legal certainty and efficiency. The first, insofar this industry is constantly evolving, it is necessary to have a regulatory framework that is sufficiently stable, predictable and clear to design a reliable and attractive regulatory environment, which is suited to the practical needs of financial service providers and users in the digital environment. And the second, for the reason that it will always be best, in accordance with specific features of this industry, for any draft legislation to avoid unnecessary or ancillary administrative burdens, and to ensure instead that the formalities for creating and registering operating companies are reasonably swift, in order to facilitate and enhance that they work and evolve better and with greater flexibility.
The achievement of all these principles will undoubtedly be no easy task and will require a very in-depth legal analysis from multiple perspectives, though it is certain that, even if this work is not completed at the same pace as the market for this growing industry evolves, the involvement of public and private players will ensure a framework that provides the response demanded by the needs that have already been identified. To achieve this last objective, another principle of good regulation that will be needed is that of transparency, aimed at enabling active participation by the parties who will be subject to the rules in their creation process.
Intellectual and industrial property: Protection through trade secrets legislation
Among the main risks present in fintechs’ activities are the unauthorized use and improper disclosure of customers’ data, as well as the fact of the underlying business methods, data and algorithms at many fintech companies are not usually patentable. However, their vulnerability to misappropriation of these data has been addressed in the Trade Secrets Law (Law 1/2019, of February 20, 2019) which allows the protection of assets such as algorithms, business plans, market research, personal or non personal data and, in short, key information which is currently one of fintech companies’ most valuable assets.
Nevertheless, in order to be eligible for protection under the Trade Secrets Law, the information (i) must be secret, in the sense that it is not generally known to the persons within the sector; (ii) must have value precisely because it is secret, and (iii) reasonable efforts have been taken to keep it secret and to maintain its confidentiality.
These types of requirements can be substantiated if the appropriate measures are implemented. Although there is no single model to follow (i.e. it is not the same for a multinational as for a startup), a few measures will always be of assistance. The first golden rule to be obeyed in all cases is that access to confidential information must always be restricted to those who really strictly need it. In relation to this premise, the company must also be able to prove, among other elements, that (i) technological safety measures are in place; (ii) the relevant confidentiality agreements or NDAs have been signed with third parties who have access to the information; (iii) confidentiality clauses have been included in the contracts signed with the company’s managers, employees and collaborators; (iv) there is a policy designed to create a corporate culture of observing confidentiality and using technology devices correctly; and (v) policies are updated and managers and employees are trained to understand them correctly.
A correct confidentiality policy gives fintech companies greater value in the eyes of potential investors, who research this element thoroughly during their due diligence processes. Besides, it is an indispensable requirement to be able to defend the unauthorized use of these assets in court. An example of this is the recent Financial Information Technologies, LLC case (March, 2020) in which the US courts ruled against one of its competitors for misappropriation and misuse of trade secrets related to secure payment technology for transactions. This case concluded with the award of damages close to 6 million dollars and an obligation for the infringing party to cease using the confidential information.
The future Fintech Law and the challenges of regulating an industry experiencing constant innovation
Chile is currently involved in the process of passing draft bill for a law that will regulate various elements of the fintech industry, including crowdfunding platforms. This draft bill represents a major incentive for both domestic and international operators who are hoping to start operating under clear regulations and within well-defined market guidelines.
In that context, the main challenges that the Chilean legislator faces, similarly to those needing to be addressed by other lawmakers on this subject, are to create legislation on a dynamic market which must be provided with a certain degree of flexibility and clear boundaries, but which at the same time must also allow for the entry of innovation inherent to an industry that is constantly evolving.
One of the proposed options lies in creating a set of rules structured to allow for the regulatory model to be easily adapted, by providing a general framework which can be implemented through administrative instruments that can be updated more swiftly, as and when the pace of change in the industry so requires.
In this regard, it will be particularly important to establish in the new law whether intermediaries for financial instruments will be excluded from the rules on securities and stock exchange brokers under Title VI of the Securities Market Law or General Rule No 380 of the Financial Market Commission. Explicit rules should also be incorporated on the option of concluding secondary sales of shares on crowdfunding platforms.
All of this means that the Chilean legislator, like their counterparts in other countries, needs to create a self-sufficient set of legal rules able to be adapted and coexist adequately with the existing principles governing the financial system, by creating a law that recognizes and incorporates the particular characteristics of an industry that is constantly evolving and innovating.
Neobanks in the Peruvian market: A trend moving forward with strength
The entry of new players in the Peruvian market is becoming increasingly relevant and imposing a new financing model. In this line, it can be observed how customers evaluate operators in the financial market based on their experience with the platforms for the services offered by fintech companies and particularly by neobanks.
Neobanks are institutions that do not operate from physical premises, as opposed to traditional banks, and that provide all types of financial services online. Under the current Peruvian legislation, there are no specific regulations on the operations of digital banks, although two models exist for this type of entities: the challenger bank or the neobank.
On the one hand, a challenger bank is a bank that has no physical infrastructure and operates in countries that have specific laws and regulations on digital banks. On the other hand, a neobank is a digital bank operating on the basis of a banking license held by another institution. In Peru, this type of operating procedure may involve a banking, financial, cooperative or other type of institution that already has a license issued by Peruvian banking regulator SBS (Superintendencia de Banca, Seguros y AFP).
Although these types of strategic alliances between conventional banks and fintech companies do not require an express authorization from the Peruvian banking regulator, they demand relevant regulatory considerations (especially for the banking institution holding the license underlying the alliance). Thus, risk management by the authorized institution, analysis of the terms and conditions of contracts with the fintech company and the potential implementation of a regulatory sandbox are all key points to be taken into account to regulate their conduct.
In particular, it is expected that the SBS will implement a sandbox system to benefit the development of the fintech ecosystem in the country. However, given the characteristics of the Peruvian market, (i.e. the current legislation and the financial regulations are flexible for the creation of new ideas and innovations), this sandbox model would create a different environment to those of the regulatory sandboxes in other countries. In this sense, the key is to determine which additional elements may be obtained with the sandbox and how innovation matters can be fostered more decisively.
Additionally, from the standpoint of risk management, operational risk and the risk related to the safety of information must be analyzed in detail in order to comply with the SBS’s legislation on risk management. Although this regulations establish minimum requirements that companies must comply with, according to the types of financial products offered, those companies have to implement sufficient and necessary mechanisms to manage such risks. Besides, from a contractual standpoint in relation to the established alliance, the institution authorized by the SBS must also comply with certain requirements. In any case, the responsibility for the service stays with the financial institution in all cases.
From fintech to big tech: The next challenge for the Mexican regulator
In Mexico, within the fintech industry, emphasis is now being placed on the role of big tech, big technology companies with large established networks of users (Apple, Google, Amazon, Facebook or Alibaba). These companies have become important business players in all markets, having decided recently to diversify their activities into financial services. In addition to choosing the sectors in which fintech companies have found windows of opportunity, such as consumer lending and payment aggregation services, they also sought to issue cryptocurrencies (which is the case of Facebook and Libra).
That said, the fintech industry is not only made up of innovative and low equity players, but has also seen the increasingly strong entry of players with an economic capacity that could compete with or overtake the GDP figures of some countries and that already have a strong network of consumers, representing a problem for regulators throughout the world, including the Mexican regulator.
The particular challenges brought by the entry of big tech companies in the industry relate to (i) competition; (ii) regulatory arbitrage; (iii) potential risks to the stability of the system; and (iv) consumer protection.
In relation to competition, it has yet to be determined whether the entry of these players to the market will bring greater innovation or whether these big tech companies will create new monopolies or market concentration among these new players.
Moreover, unlike conventional banks, which operate by attracting the general public's savings, and using those funds in lending transactions, big tech companies do not raise funds and their activities are likely to be supported by funds requested from conventional financial institutions. In this respect, in the unlikely event that these institutions have a problem to repay their loans, this could spread to the financial system as a whole and depending on the size of that leverage, carry a major risk for financial stability.
The risks increase if we consider that, unlike conventional financial institutions, tech companies are not regulated at the moment (or at least are not subject to regulatory obligations in the same way as financial institutions). This creates an uneven regulatory framework among competitors which places conventional financial institutions in a position that might favor concentrations among big tech companies, and adversely affect the position of conventional financial institutions who cannot compete in an even playing field.
©2023 J&A Garrigues, S.L.P. All rights reserved