1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

The fintech space is mainly subject to the legislative and regulatory provisions applicable to banks and other financial institutions, investment services companies and insurance companies and brokers.

In addition to the e-commerce regulations that apply to online marketing and online contracting, other general regulations – such as the Civil Code, the Commercial Code, the General Law for the Protection of Consumers and Users, the Organic Law on Protection of Personal Data and Digital Rights and even the Criminal Code, in case of offences – also apply where relevant.

1.2 Do any special regimes apply to specific areas of the fintech space?

Spain has not adopted an 'all-inclusive' legal approach to the fintech space. Instead, each fintech industry vertical is governed by the general legal provisions applicable to traditional players in that sub-sector.

One of the few exceptions is the regime applicable to equity crowdfunding and crowdlending platforms set out in the Law on Promotion of Business Financing (5/2015).

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The three main regulatory bodies that are responsible for enforcing the applicable laws and regulations are as follows:

  • the Bank of Spain, regarding banking activities and payment services;
  • the Spanish Securities Exchange Commission (CNMV), with respect to investment services and issuance and trading of securities; and
  • the General Directorate for Insurance and Pension Funds, in relation to insurance activities.

In addition to their supervisory and sanctioning powers, these bodies may grant authorisations for reserved activities and pass technical regulations and guidelines.

1.4 What is the regulators' general approach to fintech?

Initially, the approach of the Spanish regulators to fintech was characterised by a lack of knowledge of certain business models and a lack of trust in these newcomers to the regulated environment.

However, as a result of the consolidation of the fintech sector and the steps undertaken in other jurisdictions, the regulators have become increasingly aware of the industry's potential to enhance competition in the financial markets and increase the efficiency of services for consumers.

This has led to the creation of specialised financial innovation departments within each of the regulators. The CNMV has also created a web portal specifically dedicated to consultations relating to fintech and innovation.

Finally, the effective implementation of the financial sandbox in Spain is also expected shortly.

1.5 Are there any trade associations for the fintech sector?

The Spanish Association of Fintech and Insurtech, which covers all industry verticals of both fintech and insurtech, is the most active association.

Other sectoral associations are also active in this regard, such as the Spanish Association of Crowdfunding, the Association of Crowdlending in Spain, the Spanish Association of Microloans and the Spanish Association of Tokens.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

All fintech industry verticals have evolved in Spain through the efforts of different national and international players.

The most embedded sub-sectors in terms of volume of activity and number of entities are lending (especially with regard to microloans), investment services (mainly roboadvisers and real estate crowdfunding), personal finance managers and payment solutions.

2.2 What products and services are offered?

Fintech companies in Spain offer a broad range of products and services, such as:

  • microloans;
  • equity crowdfunding;
  • crowdlending;
  • personal finance management;
  • comparison of financial products;
  • automated investment advice or management;
  • foreign exchange/securities trading;
  • payment services;
  • client online identification; and
  • big data related to the financial sector.

2.3 How are fintech players generally structured?

Most fintech players are start-up companies incorporated with limited economic and human resources, which generally have lean structures.

Nonetheless, more sophisticated structures are also in evidence in some of the most successful Spanish firms that have successfully raised larger amounts of funds, and in the neobanks and investment platforms launched by some incumbents.

2.4 How are they generally financed?

Initially, fintech players have been financed by private investors (eg, business angels, family offices) through investment rounds, some of which have used crowdfunding platforms.

Access to private equity funds has been more constrained, due to the legal restrictions on investment by such vehicles in the financial sector. This has also sometimes hindered the ability of fintech players to access public funding such as grants and soft loans.

More recently, the volume of investment channelled by banks through equity investments and incubators/acceleration programmes has also increased.

2.5 How are they positioned within the broader financial services landscape?

The position of fintech companies within the Spanish financial services landscape differs significantly from one sub-sector to another.

As regards lending, for instance, while microloan firms have gained significant market share, the market share of crowdlending platforms is still minimal.

Payment services offered by fintechs are also increasing as compared to those offered by banks – a trend which should be boosted further by the implementation of the second Payment Services Directive and the movements of big tech companies such as Facebook and Google.

By contrast, to date neobanks have gained market share only among specific client segments, such as millennials and frequent travellers, and as yet pose no threat to the incumbent entities.

The market shares of roboadvisers and equity crowdfunding platforms are also modest in comparison to the Spanish investment market as a whole.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Fintech start-ups generally outsource processes such as online client identification for know your customer purposes, collection and claims management and infrastructure development.

The main restrictions to outsourcing relate to the processing of personal data under the EU General Data Protection Regulation and associated local developments. Moreover, regulated credit entities operating in Spain are subject to specific requirements for the delegation of essential services and functions, and the technological providers of such services must cooperate with the regulators to facilitate the supervision of regulated entities.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

Internet (e-commerce) activity is mainly regulated by the Law on Information Society Services and Electronic Commerce (34/2002). This law broadly regulates services that are offered online, such as fintech services.

Under this law, the essential legal information that must be posted on company websites includes the company's cookie policy, privacy and data protection policy and legal notice. The website must also include the general conditions of service.

Specific legal issues in this regard relate to the existence of abusive contracts, with ill-defined terms and conditions, and cybersecurity crimes such as phishing, identity theft and information kidnapping.

(b) Mobile (m-commerce)

Mobile applications are governed by the same regulations applicable to e-commerce.

In addition to general risks discussed in question 3.1, legal issues concerning m-commerce arise from circumstances such as the following:

  • Mobile devices are always connected and in most cases logged into fintech applications, creating vulnerability to cyberattacks; and
  • If a password is lost or stolen, the information to reset the password is normally sent to the same device, increasing the risk of information theft.

(c) Big data (mining)

No specific regulation in Spain deals exclusively with big data. The most important regulation on this subject is the Organic Law on Protection of Personal Data and Digital Rights (3/2018), which implemented the EU General Data Protection Regulation in Spain – in particular, as regards the principles relating to the storage, processing, transfer and security of personal data.

The following legal issues are relevant in this field:

  • In most cases the data used in big data processes is collected unlawfully and used without the knowledge of the data subjects, because they do not know the terms and conditions under which their personal data is being processed.
  • It is important to apply appropriate anonymisation and pseudonymisation procedures.

(d) Cloud computing

There is no special regulation on cloud computing in Spain. This notwithstanding, this area has many legal implications which are regulated by laws such as the Law on Information Society Services and Electronic Commerce, the Civil Code and the General Law for the Protection of Consumers and Users.

Likewise, since the most important legal implications relate to the storage, processing, transfer and security measures of personal data, the Organic Law on Protection of Personal Data and Digital Rights is also applicable.

The Spanish Data Protection Agency has published a Guide for Customers of Cloud Computing Services, to help ensure that customers are aware of their rights.

(e) Artificial intelligence

There is no specific regulation on artificial intelligence in Spain. As in the case of big data, given the relevance of the data to this technology, the Organic Law on Protection of Personal Data and Digital Rights is the most important regulation on this matter.

Legal issues in this field include concerns arising from the fact that, as part of an automated decision-making process, once data is used it is impossible to exercise the data subject rights recognised by the organic law.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

There is no specific regulation on blockchain or cryptocurrencies in Spain.

The most relevant issues to date concern investment in cryptocurrencies and the funding of projects through the issuance of tokens by means of initial coin offerings. These issues have been addressed by the Spanish Securities Exchange Commission and the Bank of Spain in certain warnings and guidelines they have issued.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb)); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

The Law on the Promotion of Business Financing (5/2015) regulates equity crowdfunding and crowdlending activities.

Both businesses are considered reserved activities and, as such, their performance requires that so-called 'participatory financing platforms' obtain authorisation from the Spanish Securities Exchange Commission (CNMV). Furthermore, if such platforms intermediate the flow of funds between funding seekers and investors, they must also either obtain authorisation as a payment services firm or engage an authorised payment services firm for such purposes.

(b) Online lending and other forms of alternative finance

There is no specific regulation on online lending in Spain. This notwithstanding, the Law on Consumer Credit Contracts (16/2011) and the general consumer protection and e-commerce regulations apply to such activities.

Furthermore, certain court rulings have established restrictive criteria regarding interest on revolving credit loans and microloans based on the Law on Repression of Usury 1908.

On the other hand, invoice trading is not subject to the Law on the Promotion of Business Financing, which regulates crowdlending.

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and Airbnb))

Payment services are regulated by Royal Decree 19/2018 on Payment Services and Other Financial Measures, which implemented the second Payment Services Directive in Spain.

This legal provision recognises two new categories of payment services firms in Spain: account information services providers and payment initiation services providers.

Regardless of the fact that the requirements regarding security measures entered into force on 14 September 2019, the Bank of Spain has confirmed that it will grant an additional transition period for entities to adapt to them.

(d) Forex

The foreign exchange (forex) industry is considered an investment service in Spain and, as such, is regulated by the Spanish Securities Market Law (whose consolidated text was approved by Royal Decree 4/2015) and the development legislation on investment services firms.

(e) Trading

Trading is an investment service which may be rendered only by banks and securities companies and securities agencies. Trading is also regulated by the Spanish Securities Market Law and the development legislation on investment services firms.

Social trading platforms may also be considered as a regulated investment service.

Binary options and financial contracts for difference have been subject to intervention measures pursuant to the CNMV Resolution of 27 June 2019.

(f) Investment and asset management

Investment advice may be rendered by any of the four classes of investment services firms, with financial advisory firms the simplest of these.

On the other hand, asset management entailing the creation of a client portfolio that is managed discretionally may be performed by any investment services firm other than financial advisory firms, with portfolio management companies the simplest of these.

These activities are regulated by the Spanish Securities Market Law and the development legislation on investment services firms.

(g) Risk management

Credit entities and investment services firms are obliged to have internal risk control departments; as a general principle, this task may be outsourced only to other regulated entities.

(h) Roboadvice

The development of automated advice and/or portfolio management activities entails the performance of a regulated investment service, provided that the advice activity refers to specific instruments and is made taking into consideration the personal circumstances of the investor.

(i) Insurtech

Insurance activities carried out by neo-insurers are subject to the Law on Ordination, Supervision and Solvency of Insurance and Reinsurance Companies (20/2015).

The digital distribution of insurance products as intermediary (either as an exclusive or tied agent or as an insurance broker), and insurance comparison platforms and marketplaces, are subject to the Law on Mediation of Private Insurance and Reinsurance (26/2006).

Other insurtech sub-sectors, such as peer-to-peer insurance and crowdsurance, are not yet regulated in Spain.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

Fintech companies must abide by the Organic Law on Protection of Personal Data and Digital Rights, which means they are obliged to respect fundamental rights regarding personal data protection.

Certain particularities regarding credit information systems must be taken into account. First, fintech companies are obliged to inform the client in the event of a denial of service due to information obtained from credit bureaux. Second, they are also obliged to inform the client when payment defaults are registered with credit bureaux.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

The most relevant regulations with regard to cybersecurity include:

  • the Law on Information Society Services and Electronic Commerce;
  • the Law on Electronic Signatures (50/2003);
  • the Organic Law on Protection of Personal Data and Digital Rights;
  • the Law on General Telecommunications (9/2014);
  • the Law on Retention of Data Related to Electronic Communications and Public Communication Networks;
  • Royal Decree 381/2015, which establishes measures against illegal or irregular traffic which has fraudulent purposes in electronic communications;
  • the Criminal Code;
  • the National Cybersecurity Strategy 2019; and
  • the Regulation on the Evaluation and Certification of Technology Security.

As a general principle, fintech companies must adopt special technical measures to manage, reduce and prevent incidents that may affect the security of the network and information systems that they use and provide.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

The provisions regulating money laundering in Spain are the Law on the Prevention of Money Laundering and the Financing of Terrorism (10/2010) and Royal Decree 304/2014 approving the regulations of Law 10/2010.

Fintech companies that carry out activities that are covered by Article 2.1 of Law 10/2010 (eg, lending or payment services) are covered by this regime, as well as by the criteria established by the Spanish Anti-Money Laundering Authority.

They must thus comply with obligations relating to due diligence, reporting and internal control.

These legal obligations apply to all entities covered by this regime that operate in Spain, regardless of whether this is through a subsidiary or branch or otherwise.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

The Spanish National Commission on Markets and Competition (CNMC) recently published its Study on the Impact in the Competition of the New Technologies in the Financial Sector (Fintech). In this document, the CNMC highlights that the fintech phenomenon requires a new regulatory approach and recommends, among other things, that regulation not hinder fintech innovations and be applied proportionally.

Furthermore, the CNMC is monitoring the market to ensure that traditional financial entities do not seek to protect themselves from the disruption caused by fintechs by creating artificial barriers to competition.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

Most of the innovation in the fintech space relates to software development. In Spain, software is considered an IP right and is protected under the Intellectual Property Law (1/1996).

Moreover, as a result of the recent enactment of the Law on Trade Secrets (1/2019), software, code and algorithms, and commercial know-how will all benefit from broader protection in Spain.

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

Innovation in the fintech space is incentivised mainly through the roll-out of multiple acceleration and incubation programmes by financial entities and private investors, and more recently through specific initiatives of the public administrations.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

The Workers' Statute is the main employment law in Spain. Nonetheless, the Spanish employment legal framework also includes a large number of national and regional regulations, collective bargaining agreements and criteria arising from relevant case law.

The labour issues that usually arise upon incorporation of fintech companies include:

  • the most suitable types of employment contracts (including teleworking contracts);
  • the applicable collective bargaining agreement, depending on the company's main activity;
  • the regulation of working hours;
  • the applicable social security regime for key positions;
  • post-contractual non-compete covenants; and
  • minimum commitment agreements or golden parachutes in case of termination of the employment contract.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

Spanish fintech companies usually try to attract specialist talent by leveraging the country's general advantages: the Mediterranean lifestyle, an affordable cost of living, good flight connections, reputed business schools and tech clusters in big cities such as Barcelona and Madrid.

As most of these are start-up companies and cannot offer high salaries, they usually offer a package of flexible labour conditions (including teleworking and other benefits in kind). For key personnel, it is also common to grant stock options or other incentive plans.

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Fintech companies are booming in Spain, in all verticals. Neobanks, real estate investment platforms, payment services providers (including account information and payment initiation) and blockchain ventures are leading the field today; although big data and artificial intelligence tools, together with regtech initiatives, may be the next big thing.

New developments anticipated in Spain over the next 12 months include the implementation of the Fifth Anti-money Laundering Directive, which will subject cryptocurrency exchanges and wallet providers to the Law on the Prevention of Money Laundering and the Financing of Terrorism and its associated Royal Decree 304/2014. In addition, the sandbox for financial innovation should soon become a reality if, as expected, Parliament ratifies the draft government bill that regulates its creation.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

Top tips for fintech players that are keen to start operating in Spain include conducting a thorough legal validation of their business models, to ensure that these will not require specific authorisations or registrations in Spain and will not be subject to particular local requirements such as anti-money laundering provisions. In the case of lending platforms, other business elements – such as default rates and recent case law – should also be assessed.

As regards the sticking points, business-to-consumer entities in particular are still struggling to gain market share, as the cost of acquiring clients and the difficulties in penetrating mature markets jeopardise their growth. Likewise, the levels of financing raised by Spanish fintech companies in comparison with their peers in other jurisdictions are still quite modest, since the local investment environment is limited and access to international investors is restricted to larger rounds and very successful stories.
