What national authorities regulate the provision of financial products and services?
In Portugal, the financial sector is supervised and regulated in line with the specialised or institutional model, according to which each of the banking, insurance and securities markets are supervised and regulated by a specialised institution, as opposed to the twin peaks system.
The Bank of Portugal supervises credit institutions (including banks), financial companies, payment institutions, electronic money institutions offering retail banking products and services and credit intermediaries. The Securities Commission (CMVM) regulates the markets in financial instruments, as well as the entities that act therein and the undertakings for collective investments. Lastly, the Supervisory Authority for Insurance and Pension Funds (ASF) regulates insurance and reinsurance companies, pension funds and their management companies, as well as insurance mediation.
The regulation of the provision of financial products and services will therefore vary according to the product provided and the entity that provides the relevant products and services.
What activities does each national financial services authority regulate?
The Bank of Portugal regulates, monitors and penalises the marketing of retail financial products and services. Its supervision covers bank deposits, housing loans, consumer credit, corporate credit and other credit (except for the finance of transactions in financial instruments) and payment instruments.
The ASF is responsible for the supervision and regulation of insurance and reinsurance activity, brokering of insurance and pension funds, together with other related and ancillary activities.
Finally, the CMVM is responsible for:
- the supervision of organised trading of financial instruments, public offers of securities, clearing and settlement of the related transactions and of central securities depositories;
- the regulation of markets in financial instruments, the public offering of securities, the activities carried out by entities subject to the CMVM’s supervision; and
- the supervision and regulation of the conduct of business duties by entities that intend to enter into or broker insurance agreements linked to investment funds and the marketing of individual adhesion agreements to open-end pension funds.
What products does each national financial services authority regulate?
See question 2.
What is the registration or authorisation regime applicable to financial services firms and authorised individuals associated with those firms? When is registration or authorisation necessary, and how is it effected?
For a credit institution, a financial intermediary, an undertaking for collective investment, an insurer, a reinsurer or a pension fund management company to be incorporated in Portugal, it must be granted prior authorisation and register with the relevant regulatory authority. The entity must submit an authorisation request, containing elements required by law.
The Bank of Portugal will decide on authorisation within six months of the request. If it fails to decide within this timeline, the request is presumed denied (except for the credit intermediaries authorisation process, which is presumed approved); if it grants authorisation, it must subsequently notify the European Banking Authority (EBA) of this fact.
The CMVM will decide within 30 days of the registration request. If there is no decision within that timeline, the request is considered denied.
The ASF will decide on the matter within three months. If there is no decision within that timeline, the request is considered denied.
Moreover, the management and supervisory bodies of the abovementioned entities are subject to prior approval by, and registration with, the competent regulatory authorities.
What statute or other legal basis is the source of each regulatory authority’s jurisdiction?
The jurisdiction of the Bank of Portugal is established in Law No. 5/98, of 31 January, as amended, and in the Portuguese Credit Institution and Financial Companies Legal Framework (Decree-Law No. 298/92, of 31 December, as amended (RGICSF)).
The ASF’s jurisdiction is established in its by-laws (Decree-Law No. 1/2015, of 6 January, as amended), in the Insurance and Reinsurance General Framework (Law No. 147/2015, of 9 September, as amended) and in the Pension Funds and Respective Management Entities General Framework (Decree-Law No. 12/2006, of 20 January, as amended).
Finally, the main source of CMVM’s jurisdiction is established in its by-laws (Decree-Law No. 5/2015, of 8 January, as amended) and the Portuguese Securities Code (Decree-Law No. 486/1999, of 13 November, as amended (CVM)).
Note, however, that these are only the primary legal statutes for each regulatory authority, given that there is a large amount of complementary legislation regarding each regulatory authority’s jurisdiction.
What principal laws and financial service authority rules apply to the activities of financial services firms and their associated persons?
The Portuguese legal framework governing the activities of financial services firms and their associated persons is strongly influenced by the corresponding EU legal instruments.
The Portuguese regulatory framework governing the activity of financial services companies is mainly set out in the RGICSF and CVM.
However, the notices, instructions and circular letters issued by the Bank of Portugal as well as the regulations, instructions and recommendations issued by the CMVM (secondary legislation) also play an important role in the regulation and interpretation of existing legislation and in the establishment of additional rules and provisions.
Scope of regulation
What are the main areas of regulation for each type of regulated financial services provider and product?
The main areas of regulation of regulated financial services providers and products are:
- authorisation and registration;
- business conduct rules;
- capital and liquidity rules;
- information duties;
- corrective actions and interim administration rules; and
- anti-money laundering rules.
What additional requirements apply to financial services firms and authorised persons, such as those imposed by self-regulatory bodies, designated professional bodies or other financial services organisations?
In Portugal, there is no established tradition of self-regulation by market participants.
However, pursuant to the CVM, within the limits of the law, specific regulated entities (such as managing entities of centralised securities systems or of settlement systems) may self-regulate the activities they manage.
In addition, other types of entities (such as managing entities and professional associations of financial intermediaries) may approve codes of conduct regulating and developing specific aspects provided in the law.
However, these rules are always subject to registration or to notification to the CMVM.
What powers do national financial services authorities have to examine and investigate compliance? What enforcement powers do they have for compliance breaches? How is compliance examined and enforced in practice?
The national financial services authorities - namely the Bank of Portugal, the CMVM and the ASF - enjoy a wide array of powers to examine and investigate compliance with financial services regulations. In general, they may request any information or examine registry books, ledgers and other documents. The financial entities may not hamper such examination by availing themselves of professional secrecy rules. The national financial services authorities may also hear any person, including by way of summons, and conduct on-site examinations - upon the issuance of a court warrant - with the assistance of other entities (including the police authorities). There is also a publicly available channel dedicated to collecting information related to compliance breaches.
With regard to the enforcement of compliance breaches, the national financial services authorities have the general power to substitute financial services firms in discharging their disclosure obligations when the firms have failed to do so. They may also disclose compliance breaches to the public. In the specific case of entities managing regulated markets and multilateral trading facilities, clearing houses, central securities depositories, and central counterparties, the CMVM may replace these entities if they do not carry out the necessary measures to ensure the regular functioning of the markets. Furthermore, the CMVM may determine that an entity reduces or does not increase its exposure to financial instruments and may prohibit or limit the distribution or sale of financial instruments and the performance of a given activity or financial practice.
In practice, the investigation of compliance is usually carried out through:
- requests for information; or
- the examination or registry books, ledgers and other documents, often further to a complaint made through the available channel dedicated to collecting information related to compliance breaches.
What are the powers of national financial services authorities to discipline or punish infractions? Which other bodies are responsible for criminal enforcement relating to compliance violations?
The national financial services authorities hold administrative powers, but do not hold civil or criminal powers. Their powers include the right to impose fines and ancillary sanctions (see question 12).
The power of criminal enforcement lies exclusively with the public prosecutor and the Portuguese criminal courts.
What tribunals adjudicate criminal and civil financial services infractions?
Financial services civil liability is adjudicated by the Portuguese civil courts and any regulatory infractions are adjudicated by the Court of Competition, Regulation and Supervision.
Financial services criminal infractions are adjudicated by the Portuguese criminal courts. If a specific crime also caused civil damages, the criminal court may, in addition to the criminal conviction, award damages to the wronged party.
What are typical sanctions imposed against firms and individuals for violations? Are settlements common?
Typical sanctions are:
- pecuniary fines;
- loss of the economic benefit obtained from the infraction;
- loss of the object of the infraction;
- public disclosure of the final decision;
- when the offender is a natural person, the prohibition to serve in corporate bodies or in any senior management positions of any financial entities for a specific period, up to a maximum of 10 years; and
- suspension of the exercise of the voting rights held by shareholders in entities that are subject to the supervision of the Bank of Portugal, for a period ranging from one to 10 years.
Settlements, understood as an agreement between the relevant authority - either the regulator or a court - and the offender, are not regulated under Portuguese law. This means that a final decision shall be unilaterally reached by the relevant authority. The respondent will then have the right to accept the decision or appeal.
Appeals against decisions made by the regulator are filed with the Court of Competition, Regulation and Supervision. Appeals against court decisions are filed with the relevant upper level court.
What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?
Portuguese law focuses more on requiring financial entities to adopt internal structures and policies that ensure the compliance and supervisory function, than on detailing the specific contents that such programmes shall include, which is ultimately the responsibility of the boards of directors.
Financial entities must have control systems in place with integrated permanent procedures allowing for the adequate implementation of the relevant financial entity’s strategy.
Such internal control systems shall:
- be applied consistently to all the offices of the relevant financial entity; and
- be adequate in relation to the size, nature and complexity of the activity, the nature and the magnitude of the risks undertaken or to be undertaken, as well as the level of centralisation and delegation of powers established in the relevant financial institution.
The financial entity shall plan, implement and maintain its internal control system in an adequate form. It shall also formalise the specific documents of the respective strategies, systems, procedures and policies.
Among other matters, the internal control system shall take into consideration the possibility of negative impacts resulting from breaches of any laws, regulations, specific determinations, contracts, rules of conduct and rules of relationships with clients, practices or ethical principles that may lead to:
- legal sanctions;
- limitations upon business opportunities;
- reduction of the potential for expansion; or
- the impossibility to demand the performance of contractual obligations by counterparties.
How important are gatekeepers in the regulatory structure?
Gatekeepers, such as the chief compliance officer or the internal auditor, perform an essential role in monitoring and supervising compliance by the relevant financial entities with their applicable legal obligations.
The functions of the chief compliance officer include:
- monitoring and regularly assessing the efficiency of measures and procedures adopted to detect any risk of breach of the entity’s legal obligations;
- providing advice to the management body for the purpose of compliance with the legal obligations applicable to its members;
- monitoring and assessing internal control procedures with regard to money laundering and terrorism financing, as well as the centralisation of information and its communication to the relevant authorities;
- providing any information to the management body concerning indications of breaches of legal obligations, rules of conduct and rules governing relationships with clients or other duties that may make the financial entity or their employees and service providers commit an administrative sanction;
- maintaining a register of breaches; and
- preparing and presenting a report to the management body and the supervisory body, at least annually, identifying breaches and the measures adopted to correct them.
The functions of the internal auditor include:
- the preparation of an audit plan to assess the suitability and efficiency of the different internal audit components, which shall be oriented to the risk of the activities, systems and procedures of the institution;
- the issuance of recommendations based on the results of the assessment and monitoring observance with them; and
- the preparation and presentation of a report to the management body and the supervisory body, at least annually, on audit matters, with a summary of the main deficiencies detected in the audit, which may evidence a deterioration in the internal audit system, as well as identifying the recommendations that were followed.
Directors' duties and liability
What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?
Directors of financial services firms are subject to the general standard of care applicable to directors of companies and the specific standard of care applicable to directors of financial entities.
With regard to the general standard of care applicable to companies, directors are subject to two fundamental general duties:
- the duty of care, which requires availability, technical expertise and knowledge of the company’s activity, in proportion to his or her functions within the company; and
- the duty of loyalty, which requires directors to serve the company’s interest, taking into consideration the long-term interests of shareholders and other stakeholders’ interests, of crucial importance to the company’s sustainability.
Concerning the specific standard of care applicable to financial entities, directors shall ensure diligent, neutral, loyal, discreet and conscious performance, when serving the interests assigned to them. Directors must employ diligence and perform their functions as careful and orderly managers, in accordance with the principle of risk-sharing and safe investment, and considering the interests of depositors, investors, other creditors and clients.
When are directors typically held individually accountable for the activities of financial services firms?
In general, directors’ liability arises mainly as a result of non-compliance with their duties. If directors’ conduct falls below the standard expected of them, this might entail accountability for their acts or omissions, resulting in civil, administrative or even criminal liability. As further detailed, the liability of the legal persons concerned does not exclude the directors’ liability.
In general, company directors are held civilly liable for the damages caused to the company by their acts or omissions carried out in breach of legal or contractual duties, assuming that the civil liability requirements are fulfilled. Notwithstanding, liability may be excluded in the event that the directors prove that they acted in an informed manner, free from any personal interest and in accordance with criteria of a corporate rationale, applying the ‘business judgement rule’.
Directors may also incur:
- civil liability towards the creditors, when as a result of wilful or negligent non-compliance by the directors with their legal or contractual duties, the assets of the company become insufficient to satisfy the respective debts; and
- civil liability towards the shareholders and third parties, when damages are directly caused to them by the directors while performing their functions.
Directors of financial entities may also be held liable for the breach of regulatory provisions, when it is proven that they should have been aware of the breach and should have taken the appropriate measures to avoid its occurrence.
Criminal liability, in turn, may also be extended to a director in cases where the company, through that director who is voluntarily acting on its behalf, commits a criminal offence.
Private rights of action
Do private rights of action apply to violations of national financial services authority rules and regulations?
Standard of care for customers
What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?
The standard of care that applies to financial entities and authorised persons when dealing with non-professional clients is the highest level of diligence in order to protect the interests of their clients.
With regard to financial intermediaries specifically, the applicable legal framework aims to protect non-professional clients, in particular by establishing duties to inform. First, whenever financial instruments or money belonging to non-professional clients are held or are intended to be held by a financial intermediary, the latter shall inform the clients about specific risks. Second, the financial intermediary shall provide its clients with information regarding service fees. Third, there are specific investment services that require particular duties to inform, such as:
- the execution of orders and the related policy; and
- portfolio management.
Moreover, the financial intermediary shall request explicit and prior permission whenever it intends to use financial instruments that are registered or deposited in the name of a non-professional client.
Does the standard of care differ based on the sophistication of the customer or counterparty?
With regard to financial intermediaries, the standard of care varies in light of the level of sophistication of the client. The lower the degree of knowledge and experience of the client, the greater the extent and depth of the information to be provided. The standard of diligence in providing information to non-professional clients is therefore more demanding than that applicable to professional clients.
Furthermore, Portuguese law sets out some legal presumptions regarding professional clients. Indeed, for the purpose of providing investment advice, the financial intermediary may presume that professional clients are capable of financially assuming any risk resulting from any potential loss of investment, except when the treatment as a professional client results from their own request. Whenever the financial intermediary provides an investment service to a professional client, it is deemed that the professional client has the necessary level of experience and knowledge about the relevant financial instruments, transactions and services.
How are rules that affect the financial services industry adopted? Is there a consultation process?
The Bank of Portugal and the CMVM play an important role within the legislative process for financial services industry laws. The Bank of Portugal is bound to advise the government on the economic and financial sectors and the CMVM also advises on the setting of policies regarding financial instruments, financial markets and the entities participating in them.
In addition, as stated under question 6, the Bank of Portugal and the CMVM may approve secondary legislation.
In Portugal, there is no mandatory consultation process regarding the secondary legislation issued by the Bank of Portugal. However, depending on the relevance, impact or complexity of the subject matter, the Bank of Portugal is likely to submit the draft regulation for public consultation and take the comments of interested parties into consideration.
Regarding the CMVM, its by-laws provide that prior to the adoption or amendment of any regulation containing external standards of efficacy, the CMVM shall carry out a public consultation.
How do national financial services authorities approach cross-border issues?
Duly authorised financial institutions with their head office abroad wishing to perform their activities in Portugal may do so under the freedom to provide services under EU legislation, or by the establishment of a branch or a representative office.
In the case of the freedom to provide services under the EU legislation, as a prerequisite for the commencement of the provision of services in Portugal, the applicant should notify the competent authority of its home member state, which shall then notify the relevant Portuguese authorities.
Entities authorised to perform financial services in Portugal will be included in a publicly accessible registry held by the relevant Portuguese authority.
Although, for example, a foreign credit institution providing services in Portugal is primarily subject to the supervision of its home member state, according to the RGICSF, the Bank of Portugal may supervise its compliance with the Portuguese legal provisions governing the supervision of liquidity, the implementation of monetary policy and the information report on its activity within Portuguese territory. The Bank of Portugal also exercises this compliance function as regards the decisions and measures taken on monetary, financial and foreign exchange policies. In addition, the Bank of Portugal may instruct credit institutions providing banking services in Portugal to inform the public as to their governing rules, characteristics, main business and financial situation.
In addition, in the event that the relevant financial services to be rendered on a cross-border basis are not rendered occasionally or temporarily, but rather will be rendered on a regular or frequent basis, there is a risk that the Portuguese supervision authority may consider that the relevant entity is attempting to avoid the rules applicable to the entities established in Portugal and that therefore it should establish a branch or a representative office in Portugal.
What role does international standard-setting play in the rules and standards implemented in your jurisdiction?
International standards play an important role in the Portuguese legal jurisdiction, as the regulatory authorities often refer to them as guidelines and, in certain cases, try to align their regulation with them.
Nonetheless, they do not have binding force and therefore the regulatory authorities may deviate from those standards.