Building Fintech in Spain: The 13 Most Misunderstood Regulations

Fintech is one of the most important new emerging industries in the world. The past several years showed significant progress in Spain and in the world in general. Reality shows that in the very short term, companies will need to leverage their capabilities and continue to evolve, in order to be able to meet the new financial demands of clients. That means, adapt to ever-changing regulations and to guarantee a regular process of innovation.

PSD2 and the Spanish Sandbox

The recently approved Spanish Law on the digital transformation of the financial system has set in motion our national regulatory sandbox, which will boost Spain as a Fintech destination. Owing to the fact that not only will generate an exponential growth of the industry and the Spanish international competitiveness and the quality of the Fintech services, but also will provide security and legal certainty to controlled testing activities in regulated environments.

Also, it needs to be pointed out that the Bank of Spain offers favourable conditions for Fintech license obtaining because it sets reasonable and transparent terms in the proceedings for e-money and payment services institutions. Consequently, without a doubt, Spain is currently leading the European Fintech industry.

Do you want to launch your Fintech business in Spain? Be aware of the applicable regulations

Note that an EU member state cannot prevent credit institutions located on other member states from freely operating in its territory, in accordance with the single license or “Community passport” principle. On the other hand, non-EU companies interested in launching operations in Europe, are allowed to establish a branch in EU countries, prior authorization of the corresponding supervisory body.

If you are a foreign investor and you want to set-up a technology-driven subsidiary or branch in Spain aimed to provide financial services, you shall strictly comply with some of the following regulations:

Online Payment Regulations on:

• Payment services and urgent measures in financial matters – Royal (Decree-Law 19/2018, of 23 November)
• Electronic money institutions (Law 21/2011, of 26 July)
• The legal regime of electronic money institutions (Royal – Decree 778/2012, of 4 May)

E-money companies (either providing or not payment services and with a required minimum share capital of 350K) and purely payment services institutions (with a required minimum share capital from EUR 20K to EUR 125K) shall submit an application before the Bank of Spain in order to obtain a license. In this regard, any branch in Spain of an e-money or payment services institution whose parent company is registered or authorized outside the European Union is allowed to issue electronic money in the EU. However, the rules governing branches of e-money institutions that have their head office outside the Community should not be more favourable than those for branches of electronic money institutions which have their head office in another Member State.

The branches of e-money institutions that have their head office outside the Community should not benefit from the freedom of establishment under Article 43 of the Treaty in the Member States other than those in which they established. Neither, they will not benefit from the freedom to provide services under the second paragraph of Article 49 of the Treaty.

The companies interested in submitting a license before the Bank of Spain must provide documentation such as:

• The program of operations and information about their structural organization,
• The business plan,
• Compliance system: Information about the governance agreements and the internal control mechanisms (administrative, risk management and accounting procedures),
• Internal anti-money laundering controls,
• Security policy, among others.

Regulations on specialized lending institutions (EFC) and promoting business finance.

Royal Decree 309/2020, of 11 February on specialized lending institutions (EFC)

Law 5/2015, of 27 April on promoting business finance

They can be established as specialized lending institutions (with a required minimum share capital of EUR 5M), companies providing financial services in specific areas, such as consumer credits, mortgage credit, financing of commercial transactions, etc. Their activity is subject to a regulatory regime monitored by the Spanish Bank, similar to that of banking institutions.

Consumer Credit regulation

Law 16/2011, of 24 June on consumer credit

It regulates the granting of a credit by a lender (performing its business or commercial activities), to consumers, as natural persons acting for purposes outside his or her trade, business or profession. The Law excludes credits lower than EUR 200, and credits secured by mortgages, leasing agreements, no-interest credits, etc. The lender shall provide the standard European consumer credit information and should explain any points the consumer need clarifying to help him/her judge whether the offer matches his/her financial situation.

Regulation for the digital transformation of the financial system

Law 7/2020, of 14 November, for the digital transformation of the financial system

The Spanish sandbox will enable technological innovation projects developed by any individual or legal entity (individually or jointly), request the starting of a pilot project and test in a special and controlled regulatory environment. It including technology firms, financial institutions, credit servicers, representative associations, public or private centers of research or any other interested party. The applications must be innovative and sufficiently advanced. The prototypes must offer a minimum viable product (MVP), and able to provide added value.

Marketing of financial products

Law 22/2007, of 11 July, on distance marketing of financial products to consumers

This regulation is applicable to the contracts concerning financial services concluded between a supplier and a consumer under an organized distance sales or service-provision scheme run, run by the supplier, who for the purpose of that contract, makes exclusive use of one or more means of distance communication up to and including the time at which the contract is concluded. The rules provide rights to the consumers, such as the reception of comprehensive information from the provider before the contract is concluded, the withdrawal from the contract during a cooling-off period, and not to receive unauthorized phone calls and e-mails (spam).

General law for the protection of consumers’ and users’ rights

Royal Legislative Decree 1/2007 of 16 November, approving the revised text of the general law for the protection of consumers and users and other complementary laws

This is known as the main consumer protection regulation. It applies to the commercial relationships entered into an entity performing its business or commercial activities, to consumers, as natural persons acting for purposes outside his or her trade, business or profession.

The regulation is aimed to protect the rights of the consumers, such as the 14-days withdrawal period, refunds, transparent and clear information, the prevention of hidden charges and other unfair practices.

General Contracting Conditions

Law 7/1998, of 13 April, on General Contracting Conditions

This regulation is aimed to protect unfair terms in contracts. Contrary to good faith, the standard terms and conditions are built for a wide range of contracts (pre-drafted), and they are imposed because they have not been individually negotiated with the counterparty (adherent). Note that the standard terms not only refer to agreements entered into between companies and consumers, but also to agreements entered into between companies.

Prevention of money laundering and terrorism financing

Law 10/2010, of 28 April, on prevention of money laundering and terrorism financing

The purpose of this Law is to safeguard the integrity of the financial system, and it shall apply to credit institutions, payment and e-money institutions, and professional financial intermediaries, among other obliged persons.

Due to this fact, Fintech companies must set in place Know-Your-Customer procedures and provide them to the SEPBLAC (Spain’s Financial Intelligence Unit), systematic monthly reporting (if applicable), and any transactions in which there is any indication or certainty that it bears a relation to money laundering or terrorism financing. The obliged entities must appoint a representative to SEPBLAC, and may authorize up to two persons to act on his / her behalf.

Also, the companies must approve a prevention manual, which shall be kept up to date with complete information on the internal control measures, which will be subject to an annual upgrade. Besides, under some circumstances, they will need to establish an Internal Compliance Committee and/or a Technical unit and carry out employees’ training.

Regulations on E-commerce and Information Society Services

Law 34/2002, of 11 July, on e-commerce and information society services

Appropriate legal framework for services contracted or provided by electronic means. It includes:

• Contracting goods and services,
• the supply of information (such as that provided by newspapers or magazines that can be found on the Internet),
• intermediation activities relating to the provision of access to the Internet,
• the transmission of data by telecommunications networks,
• the provision of temporary copies of Internet pages requested by users,
• posting of information,
• other services or applications provided by third-party on their own servers,
• the provision of search tools or links to other Internet sites,
• the temporary copying of Internet pages requested by users,
• the hosting on their own servers of information, services or applications provided by others,
• the provision of search tools or links to other Internet sites,
• as well as any other service provided at the individual request of users (downloading of video or audio files…), provided that it represents an economic activity to the provided.

GDPR (EU) and the Spanish Data Protection

The Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights 

One of the most important regulations for Fintech businesses. EU data protection regulations apply when the company processes personal data and is based inside the EU, regardless of where the actual data processing takes places. When the company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU, they will also have to appoint a representative in the EU.

Also, the appointment of a Data Protection Officer (DPO) is mandatory when the company regularly or systematically monitors individuals or processes special categories of data or related to criminal convictions and offences, taking into consideration this processing is a core business activity performed on a large scale. Spanish regulation offers a list of business activities that are required to appoint a DPO.