Financial Crime World

Regulatory Compliance for FinTech Businesses in Portugal

FinTech companies operating in Portugal face a complex regulatory environment that requires them to comply with various legal regimes beyond those specific to the financial sector. In this article, we will discuss the key aspects of regulatory compliance for FinTech businesses in Portugal, focusing on data protection, cybersecurity, and consumer protection regulations.

Data Protection

FinTech businesses collect, control, and process large volumes of personal data (including KYC data), which brings them within the scope of the General Data Protection Regulation (GDPR). The GDPR applies not only to FinTech companies established in the EU but also to those established outside the EU where both of the following hold:

  • They have customers (data subjects) in the EU.
  • The processing of those customers’ personal data relates to the offering of services to them, irrespective of whether a payment is required (Article 3(2)(a) GDPR).

Key Compliance Requirements

Here are some key compliance requirements for FinTech businesses under the GDPR:

  1. Customer Consent: Where processing of customer data is not necessary for providing the payment service (and therefore cannot rely on contractual necessity as its legal basis), it will typically require consent. Under the GDPR, consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes, expressed through a statement or a clear affirmative action. Pre-ticked opt-in boxes, silence or inactivity do not constitute valid consent, and withdrawing consent must be as easy as giving it.
  2. Data Protection Impact Assessments (DPIAs): Conduct a DPIA before starting any processing that is likely to result in a high risk to individuals’ rights and freedoms, for example large-scale profiling for credit or fraud scoring, or processing of financial data whose compromise could enable financial fraud.
  3. Notification of Personal Data Breaches: Notify the Portuguese Data Protection Authority (CNPD, Comissão Nacional de Proteção de Dados) through its online form without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay, and every breach must be documented internally whether or not it is notified.
  4. Data Protection by Design and by Default: Build safeguards such as data minimisation, pseudonymisation and access controls into products and processes from the outset, and ensure that, by default, only the personal data necessary for each specific purpose is processed and made accessible.

Additional Compliance Considerations

Here are some additional compliance considerations for FinTech businesses:

  1. Automated Decision-Making: Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them, such as an automated refusal of credit or of account opening. Such decisions are permitted only where they are necessary for entering into or performing a contract with the data subject, authorised by law, or based on the data subject’s explicit consent, and even then the data subject must be able to obtain human intervention, express their point of view and contest the decision.
  2. Special Categories of Data: Processing of special categories of personal data (such as health data, or biometric data used to uniquely identify a person, for example facial recognition during remote onboarding) is prohibited unless one of the specific exceptions applies, such as the data subject’s explicit consent. Because identity verification in FinTech frequently relies on biometrics, that processing needs its own legal basis and additional safeguards on top of those applied to ordinary personal data.

Conclusion

FinTech companies operating in Portugal must comply with legal regimes beyond those specific to the financial sector, including the GDPR and other privacy laws. They must obtain valid consent where consent is the legal basis for processing, carry out DPIAs for high-risk processing, notify personal data breaches within the required time limits, and build data protection into their products by design and by default, both to avoid penalties and to maintain customer trust.

By understanding these regulatory requirements, FinTech companies can ensure compliance with Portuguese and EU law and build a strong foundation for their business operations.