Fintech Laws and Regulations 2022

Approaches and developments

In November 2021, CONSOB, the Bank of Italy and IVASS – respectively the financial markets, banking and insurance sector regulators – issued ad hoc regulations to set up the administrative procedure to be followed by Fintech businesses (“Fintechs”) to access the Fintech Sandbox Programme introduced by Law Decree no. 34 of 2019, as subsequently amended by Law no. 58 of 2019.  Such regulations, which are very similar to each other, contain the first definition of “Fintech” in the Italian legal system, as follows: “activities aimed at pursuing service and product innovation, through new technologies, in the banking, finance and insurance sector”.  Whilst the Fintech Sandbox Programme still must prove its worth (so far very few Fintechs have been admitted to the programme), its adoption signals the lawmakers’ increased realisation that the sector is ripe with potential.  In fact, even before its adoption, the regulators (especially CONSOB) had shown their availability to establish lines of communication with Fintechs and their advisors.  Whilst smaller local banks have, for the most part, been largely cut out of the financial innovation, larger domestic and international lenders operating in Italy have ventured into the sector both by establishing corporate Fintech programmes and by focusing their corporate venture capital divisions on Fintech.

In a country where financial markets have not traditionally thrived and the banking sector was – up until the last decade of the past millennium – heavily invested in by the public sector, financial innovation is making surprising headway.  Boosting the adoption of digital technologies has been a priority for Italy’s governments over the past few years.  In fact, to this end, dedicated government schemes have been set up to fund digital startups as well as to promote and finance Artificial Intelligence as a means to innovate business practices.  Such initiatives are especially aimed at industries that, traditionally, have been the cornerstone of the Italian business community, such as fashion, food, art and hospitality, but also specialist industrial sectors.

In this context, blockchain in general, and specifically its application in the field of cryptocurrencies, has been one of the centrepieces of the latest government’s efforts to promote innovation.  Such efforts, however, have been partially stymied by a general resistance to adopting new payment systems in a country where cash is still the most common way to settle bills, which of course might facilitate tax evasion.  This resistance led the government to press ahead with its plan to turn Italy into a cashless society, by passing a law granting significant rebates to taxpayers who avoid paying in cash.  Whilst such a measure was primarily aimed at fighting tax evasion, it did, in fact, make alternative payment methods, including cryptocurrencies, a more popular option with the general public.  A further boost towards cashless payment has, of course, come from the COVID-19 crisis, during which cash was seen as a potential means of infection and online purchases warranted digital payment.

2. Fintech offering in Italy

A broad range of Fintech offerings are now available in Italy:

  1. AI-based alternative lenders – aim at simplifying and expediting the traditional bureaucratic borrowing experience.  Some of these new breeds of lenders grant loans and financing in a matter of minutes leveraging Artificial Intelligence.  Other Fintech startups are focusing on revenue-sharing lending, allowing borrowers to repay their loan periodically through their business proceeds.
  2. Algorithmic Credit Scoring – utilises big data and next generation AI-based business analytics to provide swifter and customised credit scoring services.  Algorithmic Credit Scoring is also increasingly used in the insurance sector, as there appears to be a correlation between credit scoring and risk profile.  Relinquishing personal data is still regarded with some degree of suspicion in Italy, even if people are realising that only with better profiling can customised services be enjoyed.
  3. Buy Now Pay Later (Consumer) – entities allow consumers to pay only a portion of a service or a product’s price, and settle the balance in monthly payments.  Although BNPL is not as widespread in Italy as it is in other European countries, it is swiftly catching on.  Although BNPL does not appear to have shown up on the regulators’ radar as in other jurisdictions, we expect that Italian regulators will increase scrutiny if they suspect that BNPL encourages excessive accumulation of personal debt among consumers.
  4. Buy Now Pay Later (B2B) – in a country whose entrepreneurial landscape is mainly composed of small and medium businesses, there is potentially great demand for financial services allowing businesses to postpone payment when purchasing goods or services online.  Especially where very small or “micro” businesses are involved, B2B BNPL services pose similar questions to their consumer version.
  5. Custom Insurance – entities use Artificial Intelligence, Machine Learning and data enrichment to offer customers ad hoc customised insurance services, at the same time reducing the insurer’s liability by improving its ability to identify the customer profile risk and lowering insurance premiums.
  6. Crowdfunding platforms have also sprouted up in great number in Italy over the past few years and are increasingly considered an important cog in the national startup financing landscape.
  7. Peer to Peer Lending.  In 2009, the Bank of Italy famously suspended the operations of Zopa, one of the first peer-to-peer lending operators in Italy, as it was found to have carried out banking activity in the absence of a banking authorisation under article 10 of the Banking Code (TUB – Testo Unico Bancario) as well as to have accepted deposits, which also requires a banking authorisation.  Requiring a banking authorisation – which typically entails meeting burdensome capital and organisational requirements – would have, in effect, annihilated the nascent peer-to-peer lending business in Italy.  However, in 2010 Italy transposed the PSD1 Directive, allowing peer-to-peer lending providers to be regarded as payment institutions and authorised as such under article 114-novies TUB.
  8. Robo-advice.  Under the EU MIFID II Directive – principally transposed in Italy by way of amending the TUF (Testo Unico della Finanza) – financial advice is a regulated activity, which can only be carried out by entities authorised to provide investment services and activities in Italy under article 18 TUF.  In simple terms, Robo-advice can be described as the activity carried out by Artificial Intelligence agents by collecting and processing a great amount of investors’ data in order to recommend the most appropriate investment service.  Whilst Robo-advice has been heralded by some as the potential solution to prevent agency and conflicts of interest, it can also pose significant threats to investors.  In fact, algorithms can be faulty, due to their design, bugs or hacking, and algorithmic appropriateness does not necessarily coincide with regulatory appropriateness.  Or, sometimes, Robo-advisers are not genuine, as in the case of the settlement between Charles Schwab and the SEC of May 2022, which saw the largest US investment services company agreeing to pay USD 187m in a regulatory settlement when it was accused of extracting hidden profits after Robo-adviser customers had been told that they were not charged fees for the service.  Robo-advisers are still relatively underused in Italy compared with other jurisdictions such as the US or the UK; however, the recent upward trends anticipate increasing regulatory scrutiny.
  9. Crypto Services (Exchanges and Wallets).  Operating a crypto exchange in Italy (i.e., the business of converting cryptocurrencies into different cryptocurrencies, fiat money into cryptocurrencies, or the other way around) is not regarded, per se, as an investment service, hence is not subject to authorisation by CONSOB (however, it is regarded as an investment service if it is offered in a bundle with such other features as crypto staking, etc.).  Crypto exchanges and wallet service providers, however, must meet rigorous anti-money laundering (“AML”) requirements pursuant to the AML5 EU Directive, as implemented in Italy by way of amendment to Legislative Decree no. 231 of 2007.  In addition, as from 16 May 2022, all Crypto Services providers operating in Italy are required to enrol in an ad hoc register (the “OAM Register”) held by the public body governing financial agents and mediators.  Applicants can be either individuals or legal persons, in the latter case incorporated in Italy or – if incorporated in another EU Member State – having set up a permanent establishment in Italy.  The OAM may accept or reject applications within 15 days of their filing, and applicants cannot start operating until their application has been accepted (ad hoc interim provisions were set forth for exchanges and wallets already transacting business in Italy before the OAM Register was set up).

3. Regulatory and insurance technology

  1. Regulatory Technology.  Over the past few years Regulatory Technology (“Regtech”) platforms have been increasingly utilised for the purposes of ensuring compliance with: (a) AML regulations; (b) prudential requirements in the banking system; (c) reporting by financial intermediaries; and (d) the rules governing trading venues.  As with all digital platforms, Regtech tools are subject to a number of risks, including coding bugs and hacking.  However, in a context in which the distinction between Supertech (i.e., Supervisory Technology, the digital instruments used by regulators for supervising purposes) and Regtech is fading, and regulators tend to use the same software as regulated businesses, what commentators see as the greatest risk is that regulators might not be given appropriate means to leverage Regtech.  In fact, regulators must adopt Regtech solutions that not only factor in all the existing applicable regulations, but are flexible enough to embed new and/or amended regulations as they enter into force, as well as all applicable regulators’ guidelines.  Besides, as more and more regulated businesses spin out their previously captive Regtech development divisions, when procuring Regtech solutions regulators must ensure that providers are not conflicted.  Alternatively, regulators may develop Regtech solutions in-house, but this option clashes with regulators’ traditional lack of in-house technical talent.
  2. Insurance Technology.  Insurance Technology (“Insurtech”) has recently made significant headway in Italy.  Given the scale and capital required of insurance companies, lately many Insurtechs have changed their business model and aspirations, positioning themselves as strategic partners or add-ons to traditional insurance companies.  In fact, Insurtech startups have basically focused on providing insurance companies with comprehensive AI-based credit scoring technologies and on carrying out customer algorithmic profiling in order to provide tailor-made assessments of customers’ insurance needs.  Artificial Intelligence-based scoring technology requires the collection of great amounts of data (so-called Big Data), from a number of digital sources, including social media.  Some commentators have disputed the correlation between credit scoring and insurance risk, while others have pointed out the risk of hidden algorithmic bias, i.e., those situations in which high insurance risk levels are inferred from data that are indirectly linked to ethnic or religious groups (such as dietary preferences or residing in poorer districts).  Insurtechs have sometimes struggled to succeed and win investors in a very competitive market.  Whilst they typically claim to be able to track risks in real time, cut the number of insurance claims by anticipating incidents and speed up processing paperwork, what most Insurtechs still need to prove is that they can deliver on their “core underwriting”, i.e., on the price at which they are prepared to underwrite customers’ risks.  In fact, loss ratios, which measure claims incurred as a proportion of premium sold, are high compared to those of traditional insurance companies, denting the Insurtechs’ profitability.  Insurtechs claim that loss ratios will decrease over time, as the Machine Learning tools that they have deployed will learn more about their customer base.

4. Regulatory bodies

  1. IVASS (Istituto per la Vigilanza sulle Assicurazioni) is the independent authority charged with supervising the insurance sector.  IVASS is in charge both of supervising the insurance sector and of issuing mandatory regulations addressed to insurance and reinsurance companies.  Among the broad powers that it has been granted, the authority to request written reports, carry out inspections and impose sanctions stands out.  Sanctions can include the withdrawal of the insurance authorisation, but this must be confirmed by the Ministry for Economic Development.  If a group of companies includes an insurance or reinsurance undertaking, IVASS’ powers can also be directed to the whole group.  Under certain circumstances, other regulators may have limited supervision powers over insurance companies, for example, CONSOB in relation to the issuing of financial products by insurance companies or the Bank of Italy, in relation to the supervision of financial conglomerates.  A close cooperation protocol was signed in 2013 between IVASS and the Fair Competition Authority (AGCM – Autorità Garante della Concorrenza e del Mercato).
  2. CONSOB (Commissione Nazionale per le Società e la Borsa) is the financial market watchdog in charge of supervising the entities carrying out investment services and activities (intermediaries) or offering financial products as well as regulated markets and other trading venues and issuers of financial instruments.  CONSOB’s responsibilities are extremely broad and include: granting (or denying) authorisations to carry out investment services in Italy; ensuring that investment services providers established in other EU countries meet the requirements to carry out their activity in Italy; ensuring that entities offering financial products (i.e., any type of financial investment, including the financial instruments regulated at EU level) draw up an appropriate prospectus describing the products that they intend to offer and obtain CONSOB’s approval on the prospectus; and supervising the functioning of regulated markets, trading venues and issuers, including their reporting and governance obligations and IPO duties.  Over the past few years, as an increasing number of players in the crypto domain has entered the Italian market, CONSOB has found itself facing several challenges, such as determining whether the new crop of crypto offerings falls within the definition of financial products or financial instruments.
  3. The European Central Bank and the Bank of Italy are responsible for carrying out prudential supervision over Italian banks in the framework of the Single Supervisory Mechanism.
  4. Certain minor supervisory tasks are still carried out at regional level (Italy is administratively divided into 20 regions, some of which enjoy special autonomy for historical reasons) or by public entities (for example CICR, the inter-ministerial committee for loans and savings), whose actual relevance is currently only formal.

5. Key regulations and regulatory approaches

  1. Distributed Ledger Technology.  Italy has also passed legislation aimed at introducing a statutory definition of blockchain and smart contracts.  In fact, by way of Law Decree no. 135 of 2018, as subsequently amended by Law no. 12 of 2019, Distributed Ledger Technologies have been defined as follows: “Technologies and IT protocols which make use of a ledger which is shared, distributed, replicable, simultaneously accessible, with a decentralised architecture based on cryptography such that it allows for the recording, validation, updating, storing of verifiable data by each participant, non-alterable and non-modifiable.”  Of course, such an attempt to provide a statutory definition of DLTs has been received critically by a number of commentators, but the government has informally signalled that they would be happy to amend it if need be.  In particular, critics have pointed out that the definition of DLT does not seem to include permissioned blockchains in which, depending on the applicable governance rules, administrators may be permitted to alter ledgers in certain circumstances.
  2. Smart Contracts.  Law Decree no. 135 of 2019 also provides a definition of Smart Contracts as a software programme which operates on DLTs and whose execution automatically binds two or more parties based on pre-determined arrangements between them.  Smart Contracts meet the written form requirement, as required under Italian law in certain circumstances, by way of digital identification of the interested parties as per certain guidelines to be issued by Agenzia per l’Italia Digitale, a government agency charged with overseeing and promoting the adoption of innovative digital technology in Italy.  In general, the coronavirus pandemic forced Italian small- and mid-size businesses to embrace e-commerce and digital innovation, with many commentators forecasting new blockchain use cases.
  3. Fintech Sandbox.  A long-awaited piece of legislation introducing regulatory sandboxes for Fintech businesses was recently passed.  In fact, on July 2, 2021, the Decree of the Ministry of Economy and Finance no. 100 of 30 April 2021 was published on the Italian Official Legal Bulletin, entering into force on July 17, 2021 (the “Sandbox Decree”).  Whilst the Sandbox Decree is aimed at fostering all types of Fintech innovation, blockchain will likely play a prominent role in the sandbox experiment.

The idea behind the Sandbox Decree is to set up a Fintech Committee composed of representatives of all the authorities potentially involved in the authorisation or supervision of Fintech businesses, i.e., the Italian Financial Markets Watchdog (CONSOB), the communications authority (AGCOM), the competition authority (AGCM), the data protection authority, the governmental body in charge of digitalisation, the tax agency and the insurance watchdog.  The working of the Fintech Committee is described in detail in an effort to establish a comprehensive, but nimble process to evaluate sandbox applicants.  Sandbox rights, if granted, last 18 months and, in certain circumstances, can be extended.

6. Restrictions

In general, there are no restrictions on Fintech.  Of course, all Fintech offerings must comply with the applicable legislation, from consumers’ protection to data privacy (for example, when storing customers’ data on cloud servers) to financial regulations.

However, two sets of rules are so strictly enforced by regulators that they can be regarded as red lines that no Fintech is allowed to cross.  Such rules are the prohibition against carrying out banking activity without having been granted a banking authorisation and the prohibition against providing investment services in the absence of ad hoc authorisation.

  1. Banking Authorisation.  Accepting deposits from savers and extending loans to borrowers is the core of banking activity as defined by TUB and can only be carried out by authorised banks.  The law is clear in stating that receiving funds for the purposes of issuing e-money or operating a payment service does not constitute “accepting deposits”, hence no banking authorisation is warranted.  Articles 130 and 131 TUB set forth significant financial sanctions for those who carry out banking activity without authorisation.  Unauthorised banking, depending on the circumstances, may also be regarded as a criminal offence punished with up to four years’ imprisonment.
  2. Investment Services and Activities (authorisation).  The provision of investment services and activities in Italy is conditional on obtaining ad hoc authorisation, which is granted by CONSOB in consultation with the Bank of Italy.  Carrying out such services or activities in the absence of an authorisation may trigger financial sanctions as well as criminal sanctions of up to eight years’ imprisonment.

7. Cross-border business

  1. Cross-Border Banking.  As an open economy, Italy allows its banks to set up subsidiaries abroad and foreign banks to operate in Italy.  Banks with their principal offices in EU countries belonging to the Single Supervisory Mechanism (“SSM”) are authorised to establish a subsidiary under the SSM rules, whilst banks with principal offices outside the SSM must notify the Bank of Italy of their intention of setting up a subsidiary in Italy, and the Bank of Italy and CONSOB may set up the conditions on which a subsidiary can operate.  The Bank of Italy, further to consulting with the Italian Foreign Ministry, is in charge of authorising banks from non-EU Member States to set up their first subsidiary in Italy, whilst further subsidiaries are autonomously authorised by the Bank of Italy.
  2. Cross-Border Investment Services and Activities.  Entities authorised to provide Investment Services and Activities in other EU Member States may also provide such services and activities in Italy.  Such “passporting right” is conditional on the carrying out of certain notification procedures involving the home country and Italian regulators.  Entities authorised to provide investment services in non-EU countries can only provide investment services and activities in Italy if authorised by CONSOB and the Bank of Italy, on condition that they meet the general requirements to be authorised to provide such services and that their home countries are in line with certain international regulatory practices.
