Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

Portuguese law focuses more on requiring financial entities to adopt internal structures and policies that ensure the compliance and supervisory function, than on detailing the specific contents that such programmes shall include, which is ultimately the responsibility of the boards of directors.

Financial entities must have control systems in place with integrated permanent procedures allowing for the adequate implementation of the relevant financial entity’s strategy.

Such internal control systems shall:

  • be applied consistently to all the offices of the relevant financial entity; and
  • be adequate in relation to the size, nature and complexity of the activity, the nature and the magnitude of the risks undertaken or to be undertaken, as well as the level of centralisation and delegation of powers established in the relevant financial institution.

The financial entity shall plan, implement and maintain its internal control system in an adequate form. It shall also formally document the respective strategies, systems, procedures and policies.

Among other matters, the internal control system shall take into consideration the possibility of negative impacts resulting from breaches of any laws, regulations, specific determinations, contracts, rules of conduct and rules of relationships with clients, practices or ethical principles that may lead to:

  • legal sanctions;
  • limitations upon business opportunities;
  • reduction of the potential for expansion; or
  • the impossibility to demand the performance of contractual obligations by counterparties.

How important are gatekeepers in the regulatory structure?

Gatekeepers, such as the chief compliance officer or the internal auditor, perform an essential role in monitoring and supervising compliance by the relevant financial entities with their applicable legal obligations.

The functions of the chief compliance officer include:

  • monitoring and regularly assessing the efficiency of measures and procedures adopted to detect any risk of breach of the entity’s legal obligations;
  • providing advice to the management body for the purpose of compliance with the legal obligations applicable to its members;
  • monitoring and assessing internal control procedures with regard to money laundering and terrorism financing, as well as the centralisation of information and its communication to the relevant authorities;
  • providing any information to the management body concerning indications of breaches of legal obligations, rules of conduct and rules governing relationships with clients or other duties that may expose the financial entity or its employees and service providers to an administrative sanction;
  • maintaining a register of breaches; and
  • preparing and presenting a report to the management body and the supervisory body, at least annually, identifying breaches and the measures adopted to correct them.

The functions of the internal auditor include:

  • the preparation of an audit plan to assess the suitability and efficiency of the different internal audit components, which shall be oriented to the risk of the activities, systems and procedures of the institution;
  • the issuance of recommendations based on the results of the assessment and monitoring compliance with them; and
  • the preparation and presentation of a report to the management body and the supervisory body, at least annually, on audit matters, with a summary of the main deficiencies detected in the audit, which may evidence a deterioration in the internal audit system, as well as identifying the recommendations that were followed.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Directors of financial services firms are subject to the general standard of care applicable to directors of companies and the specific standard of care applicable to directors of financial entities.

With regard to the general standard of care applicable to companies, directors are subject to two fundamental general duties:

  • the duty of care, which requires availability, technical expertise and knowledge of the company’s activity, in proportion to the director's functions within the company; and
  • the duty of loyalty, which requires directors to serve the company’s interest, taking into consideration the long-term interests of shareholders and other stakeholders’ interests, of crucial importance to the company’s sustainability.

Concerning the specific standard of care applicable to financial entities, directors shall ensure diligent, neutral, loyal, discreet and conscientious performance when serving the interests assigned to them. Directors must employ diligence and perform their functions as careful and orderly managers, in accordance with the principle of risk-sharing and safe investment, and considering the interests of depositors, investors, other creditors and clients.

When are directors typically held individually accountable for the activities of financial services firms?

In general, directors’ liability arises mainly as a result of non-compliance with their duties. If directors’ conduct falls below the standard expected of them, this might entail accountability for their acts or omissions, resulting in civil, administrative or even criminal liability. As further detailed, the liability of the legal persons concerned does not exclude the directors’ liability.

In general, company directors are held civilly liable for the damages caused to the company by their acts or omissions carried out in breach of legal or contractual duties, assuming that the civil liability requirements are fulfilled. Notwithstanding, liability may be excluded in the event that the directors prove that they acted in an informed manner, free from any personal interest and in accordance with criteria of a corporate rationale, applying the ‘business judgement rule’.

Directors may also incur:

  • civil liability towards the creditors, when as a result of wilful or negligent non-compliance by the directors with their legal or contractual duties, the assets of the company become insufficient to satisfy the respective debts; and
  • civil liability towards the shareholders and third parties, when damages are directly caused to them by the directors while performing their functions.

Directors of financial entities may also be held liable for the breach of regulatory provisions, when it is proven that they should have been aware of the breach and should have taken the appropriate measures to avoid its occurrence.

Criminal liability, in turn, may also be extended to a director in cases where the company, through that director who is voluntarily acting on its behalf, commits a criminal offence.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?
Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

The standard of care that applies to financial entities and authorised persons when dealing with non-professional clients is the highest level of diligence in order to protect the interests of their clients.

With regard to financial intermediaries specifically, the applicable legal framework aims to protect non-professional clients, in particular by establishing duties to inform. First, whenever financial instruments or money belonging to non-professional clients are held or are intended to be held by a financial intermediary, the latter shall inform the clients about specific risks. Second, the financial intermediary shall provide its clients with information regarding service fees. Third, there are specific investment services that require particular duties to inform, such as:

  • the execution of orders and the related policy; and
  • portfolio management.

Moreover, the financial intermediary shall request explicit and prior permission whenever it intends to use financial instruments that are registered or deposited in the name of a non-professional client.

Does the standard of care differ based on the sophistication of the customer or counterparty?

With regard to financial intermediaries, the standard of care varies in light of the level of sophistication of the client. The lower the degree of knowledge and experience of the client, the greater the extent and depth of the information to be provided. The standard of diligence in providing information to non-professional clients is therefore more demanding than that applicable to professional clients.

Furthermore, Portuguese law sets out some legal presumptions regarding professional clients. Indeed, for the purpose of providing investment advice, the financial intermediary may presume that professional clients are capable of financially assuming any risk resulting from any potential loss of investment, except when the treatment as a professional client results from their own request. Whenever the financial intermediary provides an investment service to a professional client, it is deemed that the professional client has the necessary level of experience and knowledge about the relevant financial instruments, transactions and services.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

The Bank of Portugal and the CMVM play an important role within the legislative process for financial services industry laws. The Bank of Portugal is bound to advise the government on the economic and financial sectors and the CMVM also advises on the setting of policies regarding financial instruments, financial markets and the entities participating in them.

In addition, as stated under question 6, the Bank of Portugal and the CMVM may approve secondary legislation.

In Portugal, there is no mandatory consultation process regarding the secondary legislation issued by the Bank of Portugal. However, depending on the relevance, impact or complexity of the subject matter, the Bank of Portugal is likely to submit the draft regulation for public consultation and take the comments of interested parties into consideration.

Regarding the CMVM, its by-laws provide that, prior to the adoption or amendment of any regulation containing rules with external effect, the CMVM shall carry out a public consultation.