chambers global practice guides italy fintech · 2017. 12. 11. · case between europe and the...

ITALY

LAW AND PRACTICE: p.3Contributed by Studio Prosperetti

The ‘Law & Practice’ sections provide easily accessible information on navigating the legal system when conducting business in the jurisdic-tion. Leading lawyers explain local law and practice at key transactional stages and for crucial aspects of doing business.

CHAMBERSGlobal Practice Guides

FinTech

2018

Law & Practice – ItalyContributed by

Studio Prosperetti

ITALY

LAW AND PRACTICE: p.3Contributed by Studio Prosperetti

The ‘Law & Practice’ sections provide easily accessible information on navigating the legal system when conducting business in the jurisdic-tion. Leading lawyers explain local law and practice at key transactional stages and for crucial aspects of doing business.

Law and Practice itaLYContributed by Studio Prosperetti Authors: Eugenio Prosperetti, Giulio Pascali, Alessandro Buccilli

3

Law and PracticeContributed by Studio Prosperetti

CONTENTS1. Fintech Market p.4

1.1 The Development of FinTech Products and Services p.41.2 The Market for FinTech Products and Services p.51.3 The Key Market Participants in the Specified

Activities p.51.4 FinTech Technologies/Companies p.61.5 Partnerships Between Traditional Institutions

and FinTech Companies p.61.6 Approach to FinTech Innovation p.6

2. regulation p.62.1 Regulatory Regimes for Specified Activities or

FinTech Companies p.62.2 Regulatory or Governmental Agencies for

Specified Activities or FinTech Companies p.72.3 Capital and Liquidity Requirements p.82.4 “Sandbox” or Other Regulatory “Neutral Zones” p.82.5 Change of Control Approval Requirements p.92.6 Recent Developments or Notable Proposed/

Forthcoming Regulatory Changes p.92.7 Burden of Regulatory Framework and Protection

of Customers p.92.8 Regulatory Impediments to FinTech Innovation

at Traditional Financial Institutions p.92.9 Regulatory Regime’s Approach to Consumers

and Small Business Customers p.92.10 Outreach by Regulators or Government

Authorities to Engage with FinTech Innovators p.102.11 Unregulated Specified Activities p.102.12 Foreign FinTech Companies p.102.13 Regulatory Enforcement Actions Against

FinTech Companies p.102.14 “Shadow Banking” p.10

3. Form of Legal entity p.103.1 Potential Forms of Charter p.103.2 Key Differences in Form p.113.3 Recent Legal Changes p.11

4. Legal infrastructure (non-regulatory) p.114.1 Desirable Changes to Facilitate Specified Activities p.114.2 Access to Real-Time Gross Settlement Systems p.114.3 Special Insolvency Regimes p.114.4 Electronic Signatures p.114.5 Standards for Proving Identity in Electronic

Transactions p.12

5. data Privacy and cybersecurity p.125.1 Data Privacy and Cybersecurity Regulatory

Regimes p.125.2 Recent and Significant Data Privacy Breaches p.125.3 Companies Utilising Public Key Infrastructures

or Other Encryption Systems p.125.4 Biometric Data p.13

6. intellectual Property p.136.1 Intellectual Property Protection Regime p.136.2 Trade Secret Regime p.136.3 Copyrights, Patents, Trade Marks p.136.4 Protection of Intellectual Property or Trade Secrets p.136.5 Joint Development of Intellectual Property p.136.6 Intellectual Property Litigation p.136.7 Open Source Code p.13

7. tax Matters p.147.1 Special Tax Issues, Benefits or Detriments p.14

8. issues Specific to the Specified activities p.148.1 Additional Legal Issues p.14

itaLY Law and PracticeContributed by Studio Prosperetti Authors: Eugenio Prosperetti, Giulio Pascali, Alessandro Buccilli

4

Studio Prosperetti is a specialised boutique firm dedicated to three main areas of practice: IT law, competition law and labour law. FinTech work is handled by the IT law and competition law team. The firm has an international net-work of partner firms and it has recently issued an opinion regarding the privacy regulation of a software platform in ten countries for a multi-national client, as well as assist-ing a corporate client as lead counsel in a litigation on a technology platform (satellite communication) involving France, Germany and Italy. The IT practice area can han-

dle a vast range of judicial and non-judicial matters as well as privacy, IP and antitrust cases, and advice in the field of IT law and FinTech. FinTech-specific work includes devel-oping the privacy compliance mechanisms of the “Jiffy” service (peer-to-peer payment), advising on contracts and regulation concerning payment notifications to clients, e-ticketing services, advising in a competition case in the field of payment notification messages, advising on patents of a real-time payment system and advising on e-payment and digital identity services to public administrations.

authorseugenio Prosperetti, the head and name partner of the firm, has a wealth of experience in IT, competition, privacy, TMT, copyright, administrative law and start-up law. He is a member of the Scientific Committee of the Italian

Association of Payment Services Providers, a founding member of the Roman start-up ecosystem association, a member of the Centre for Intellectual Property and Competition at LUISS “Guido Carli” University and a board member of the Italian Academy for Internet Code and the Institute for the Study of Media and Economics. Eugenio, who has a PhD in commercial law from Rome “Tor Vergata” University, is an associate professor of commercial law and a lecturer in IT law in the Department of Law at LUISS “Guido Carli” University, Rome, as well as a legal consultant to the Italian Digital Agency for its e-ID cross-border portability project and a member of the Italian Government Task Force for use of Artificial Intelligence in Public Administration.

Giulio Pascali, a senior associate, prac-tises in IT, competition, privacy, TMT, copyright, administrative law and start-up law. Giulio is a teaching assistant in IT law in the Department of Law at LUISS “Guido Carli” University, Rome, having

specialised in antitrust and IP at the same institution. He is a former consultant to a research project of the Autorità per le Garanzie nelle Comunicazioni, the regulator and competition authority for the communications industry in Italy, and the University of Siena on next-generation networks.

Alessandro Buccilli, a legal trainee, practises in competition, privacy, copy-right, company law and cybercrime. He participated as cybercrime defence counsel at the “Tango Down” criminal trial about the Italian Constitutional Court

website hacking. He has a Juris Doctor from the University of Rome “Tor Vergata” Law School, with a comparative law thesis of “Abuso di Posizione dominante il caso Google, tra Europa e USA” (Abuse of dominant position: the Google case between Europe and the USA).

1. Fintech Market

1.1 The development of Fintech Products and Services The Italian jurisdiction is a live market for FinTech. Many FinTech products and services are now available from tra-ditional banking and insurance operators, as well as start-up companies (see answers below for a list of the requisites for the creation of a start-up company in Italy). Most of the available products and services are centred on new payment methods, based on apps that enable the user to pay a cer-tain amount of money — from a bank account or from an

electronic wallet, such as PayPal, Google Wallet or similar services — to another user of the same app, using the phone number, e-mail address or other similar simplified ‘co-or-dinates’ as the payment destination and giving real-time confirmation that a payment order has been successfully placed. Such systems still heavily rely on traditional bank-ing activities; for example, electronic wallets still need users to link their credit/debit card, to acquire and utilise the funds obtained and/or shared through the new payment methods.

The main players for the new payment systems are SIA with its “Jiffy” system, which is able to order a bank wire and


5

transfer money between accounts domiciled at different banks, and is used by most Italian banks as well as rapidly expanding in the EU; and Satispay, which is based on a wallet connected to the bank account and is able to transfer money with real-time notice of the payment order to other users of the system or to a compatible point of sale (POS). The ICBPI Institute, the owner of the very popular CartaSI credit card, has also announced the imminent launch of a dedicated plat-form that will enable the instant transfer of funds using the new standards (SCTInst) for instant bank wires.

The major Italian banks offer peer-to-peer (P2P) payment solutions to their account holders and e-payment wallets. However, these solutions are not yet popular with Italian consumers, probably due to a resilient national habit of using cash payments, which has survived for a long time and has also led to a below-average use of credit cards in Italy. This could also be regarded as an advantage, as a large number of users have yet to embrace an e-payment solution from scratch and may show enthusiasm for the upcoming payment solutions, because they are easy to use and should prove faster than the traditional ones. State legislation re-cently came into force providing an obligation for shops and professionals to allow clients to pay through a POS device, but low sanctions and protests because of high commissions applied by banks for POS services have so far posed some limitations to the enforcement of said provisions.

There is also a growing interest, especially in some areas of the country, for alternative currency solutions and Italy has seen a rising popularity of FinTech solutions based on commercial networks that accept payment with currency equivalents. Sardinia witnessed the birth of Sardex, which is now the second most exchanged currency equivalent and is managed by Sardex SpA, which governs the network of en-terprises and the mutual exchange of Sardex credits against services and goods using non-banking and non-monetary regulations.

Other recent additions to the FinTech market are P2P lend-ing services (for example, Oval Money).

Crowdfunding services are also available from 48 active Italian platforms (32 reward-based and 16 equity-based) regulated by Consob, the Italian stock exchange commis-sion (for example, Eppela, Mamacrowd, Starsup and Unica-seed). Some have a general focus, while others raise funds for companies with specialised areas of activity such as food, payments, social and videogame creation (for example, the crowdfunding platform Eppela, while not specifically focus-ing on a specific type of activity, is getting a name in the vide-ogame industry by financing the translation and dubbing in Italian of recent videogames).

The market is very interested in developing innovative solu-tions regarding blockchain technology and many important banks and financial institutions (eg, Banca Intesa, Unicredit, Banca Sella) are directly studying applications of blockchain technology and also keeping a close watch on new FinTech companies dealing in Bitcoin and similar digital currencies (the Bank of Italy is working on a regulation for Bitcoin and innovative digital currencies and has).

Another sector where FinTech companies are steadily work-ing in Italy is e-ticketing: many traditional and new com-panies are offering mobile apps and services to allow users to pay for their parking, use of public transport and other activities requiring a ticket (theatre, music events, etc). The main operators are Pluriservice Srl (the owner of MyCicero, a platform providing not only e-ticketing and payment for public transport services in all major cities, but also pay-ments for public administration services and fines, where allowed), Telepass SpA (the traditional provider of motor-way tolls, which is now also dealing in e-payment having transformed Pyng, its platform for e-payment of parking tickets in a general e-payment system called Telepass Pay), MyTaxi Scrl (the provider of the eponymous mobile appli-cation, brokering taxi booking and payments in all major Italian cities) and Miropass Srl (the creator of the TuPassi system, a website and a mobile app connected with many public administration (PA) services, which allows its users to book their places or public services such as post offices, registry offices and many others).

1.2 The Market for Fintech Products and Services Italy is nurturing FinTech companies and services in all cat-egories.

However, due to existing regulatory limits, some kinds of services, even if developed in Italy, must be operated from abroad. This is especially true for Bitcoin services, because the Bank of Italy is still working on Bitcoin regulation, and for the new kinds of intermediaries provided in the Second Payment Services Directive (PSD2) (payment order services and account information services) because this Directive is not yet implemented in the Italian jurisdiction.

So existing regulatory limits have generally not proven to be an obstacle to the development of innovative FinTech activi-ties in Italy; only to their possibility of operating 100% in Italian territory.

1.3 The Key Market Participants in the Specified activitiesThere are around 115 start-up companies in Italy that oper-ate in the FinTech market thanks to dedicated legislation, which greatly favours innovative start-ups vis-à-vis tradi-tional companies and eliminates many procedural and sub-stantial requirements as well as providing significant tax and


6

employment incentives (for example, no taxation on 30% of equity investments in start-ups, flexible employment con-tracts, lower cost of social security for employees), while traditional providers have now made available an ‘online’ bank (part of the same group or independent operations that were acquired by traditional financial institutions). A solution provided by online banks allows users to open an account and operate a wide range of banking and trading services through a smartphone app/website without any per-sonal interaction (for example, Fineco, Widiba, Hello bank and Webank).

As described above, it is difficult to draw a balance between innovative financial service providers and traditional ones, because most of the time new services or start-up companies are progressively integrated in the commercial offer of tradi-tional service providers; for example, Webank was born as a spin-off from the BPM group, a major bank based in Milan that reacquired all the assets of Webank in 2014, preserving its brands and the main characteristics, Fineco is a part of Unicredit Group, Widiba is a part of MPS Group and Hello Bank is a part of BNP Paribas Group.

1.4 Fintech technologies/companies Financial technologies and FinTech companies are stead-ily gaining momentum and starting to attract financial re-sources and the attention of the public. Traditional financial service providers, however, are keeping their pace and place, and are not being entirely displaced by new financial tech-nology and FinTech companies thanks to the integration mechanism described above. However, traditional banks are rapidly closing many physical branches and dismissing employees to cope with the FinTech revolution, so FinTech services are already transforming the markets they operate in.

Regarding crowdfunding platforms, their peculiar financ-ing mechanism is also attracting more and more investors to very small companies, opening market segments that are rapidly growing. In 2016, the medium equity crowdfunding investment per person in Italy was EUR6,800, with a 159% increase vis-à-vis 2015 and EUR2.9 million of total invest-ment in Italy. Certain platforms (for example, Nexequity) have seen individual investments of up to EUR700,000 (data from the Association of Italian Equity Crowdfunding).

1.5 Partnerships Between traditional institutions and Fintech companiesMost of the incubators for start-up companies in Italy are funded by private investors with public partnership in their equity investments (for example, regional and EU funding), but it is not uncommon for traditional financial institutions to publish private tenders and/or to finance competitions for FinTech instruments and start-ups subsequently to ac-quire new technologies and/or dedicated licences from the

winners of said competitions. Some banks have also started, in recent years, to finance their own start-up business pro-grammes and/or incubators (this is the case for UniCredit, one of the most important financial institutions in Italy, and its StartLab accelerating programme), while others prefer to issue dedicated financial planning instruments, such as the CrediAzienda Start-up Financial Plan offered by BNL (BNP-Paribas Group), another one of the most important banks in Italy.

1.6 approach to Fintech innovationThe Italian jurisdiction is demonstrating itself each year to be more and more friendly towards FinTech innovation, with a steadily increasing supply of laws and regulations to pro-mote this kind of market. The start-up regulation issued in 2012 and 2015, and constantly updated and upgraded during the past years, is proving a very strong tool for innovation and the inflow of capitals, and recent governments have been steadily working to improve such an impetus.

While new laws and regulations provide each year more instruments for start-ups and companies, powering the en-gine of innovation, the enforcement of old and new laws and regulations in court is still somewhat slow (but not costly, if compared to other jurisdictions). The time necessary to obtain a judicial decision can sometimes be an obstacle for companies requiring certainty in their business, which should seek specialised advice to avoid being ‘caught’ in lengthy proceedings that would hamper the advantages of incentives provided by the Italian legislation. ADR proce-dures are therefore becoming a widespread solution to avoid bringing claims to court.

2. regulation

2.1 regulatory regimes for Specified activities or Fintech companiesA general requirement for all kinds of regulated specified activities (blockchain activities are not regulated) is that administrators, directors, auditors and the general manager should not have criminal records, been sentenced to prison for periods of over one year for certain crimes, been subject to bankruptcy and similar proceedings, and/or have been suspended from public office.

Payment institutions in Italy must comply with the follow-ing requirements: corporate form of joint stock, limited, limited liability or co-operative company, registered offices and general direction offices on Italian soil, and a definite amount of minimum paid capital ranging from EUR20,000 to EUR125,000 for payment institutions and EUR350,000 minimum for electronic money institutions. Furthermore, a precise programme regarding initial activities and organi-sation is required; plus, managers must meet specific addi-


7

tional requirements of professional experience (for example, a minimum of five years in the field).

As for identity management, Italy has recently approved a national electronic identity system called SPID. Enterprises that intend to provide identity management services com-pliant with SPID technology should register with the Ital-ian Agency for Digital Development (Agenzia per l’Italia Digitale, or AGID) and should be incorporated as a limited liability/joint stock company (srl or spa) with a minimum corporate capital of EUR5 million to offer the full range of identity management services, while a smaller amount, if a limited range of services is offered, can be authorised by AGID.

Investment management activities are generally allowed in the form of intermediaries called SGR (Società Gestione Risparmio), which is a company type dedicated to financial asset management. SGR activity should be authorised by the Bank of Italy and Consob (see below). They require a minimum corporate capital of EUR1 million, plus the integ-rity and professional requirements described above. Other entities that can be used are SICAV (Società d’Investimento a Capitale Variabile) companies, entities where investment funds are offered to investors through equity of the company itself. Requirements are the same as for SGR companies.

However, adopting a regulated entity is necessary only when a specified activity falls within the perimeter of the Uniform Banking Text or is devoted to providing an electronic trust service such as electronic identity; several FinTech services/activities can be exercised without a specific authorisation (for example, e-ticketing, some forms of SMS payments, etc) and, generally, an analysis of the specific service is advis-able to assess whether and which specific requirements are mandated. Also very important, given the prominent role of Consumer Law and Privacy Law in Italy (see below) is assessing consumer and privacy compliance of FinTech ser-vices before they are launched to the public.

Activities that generally involve regulated entities are those that require management of currency from/to bank ac-counts, soliciting and managing investment or funding, in-surance and credentials for secure access to public entities/banks and/or providing payment instruments that allow payments in legal currency and insurance services.

It is also interesting to note that the Italian regulation de-rived from PSD1, issued in 2010 (legislative decree 11/2010), provides a specific definition of “payment operations carried out through any telecommunication device,” limiting this category to those operations where the goods and services acquired are delivered/used through the same telecommu-nication device that has paid them and where the telecom-

munication operator is also the provider of the goods and services offered.

This has so far acted as a slight limitation to the diffusion of payment services through telecommunication devices, for traditional and FinTech companies. The implementation of PSD2 in Italy might, hopefully, fill the gap, by removing the described limitations and further expanding the field of op-eration for these services.

It is also to be noted that another provision in the PSD1 implementation decree of 2010 states that payment instru-ments allowing single payments below EUR30 or having an expense limitation of EUR150 are exempt from some of the transparency obligation and alert systems provided therein. The same provision also states that if the payment system providers for the sender and the receiver of the payment are based in Italy, the limits referred to in the previous paragraph are doubled. Plus, in the case of use of prepaid payment in-struments, the expense limitation is raised to a maximum of EUR500. This is an important provision for micro-payments and electronic currency exchanges, and is actually an imple-mentation of PSD1 to the maximum extents provided there-in. The main beneficiaries of this provision are banks and FinTech companies dealing in micro-payments, electronic currencies, money lending services, crowdfunding and, in general, micro-financial services.

In August 2017, new legislation was approved to remove existing limits to specified activites relevant to mobile pay-ments of museums, shows, cultural events and transporta-tion. Now mobile payments can be easily applied to these categories.

Also, crowdfunding received a specific regulation: for this specified activity, Consob (see below) requires a corporate form of joint stock company, the integrity and professional requirements described for banks and investment manage-ment activities, plus the submission of a detailed report on its internal structure and registration in a public register. Banks and financial institutions may operate and be auto-matically registered in the crowdfunding register.

In Italy, the rules for the specified activities are the same nationwide, because regional and local entities have no ju-risdiction on these subjects, save for the area of local public transport and parking where local regulations may apply for payment.

2.2 regulatory or Governmental agencies for Specified activities or Fintech companiesFinTech companies and specified activities are regulated by several regulatory and governmental agencies in Italy. The main ones are the Ministry of Economy and Finance (MEF), which decides and enforces governmental financial policies


8

over treasury, finance and taxation, and the Ministry of Eco-nomic Development (MISE), which supersedes government regulation concerning incentives, industry, markets and consumer protection, as well as managing all authorisations and spectrum regulation for the telecommunication market.

Technical regulation of many of the specified activities is, however, generally mandated by legislation to the Central Bank of Italy (Banca d’Italia), which is responsible for the surveillance of bank activities and for approving the regula-tions that enact general laws such as the Uniform Banking Text (TUB), which was approved in 1993 (Legislative De-cree 385/1993) and subsequently amended to include new EU developments such as electronic money and payment institutions.

A central piece of regulation by the Bank of Italy is the tech-nical regulation that enacts the Legislative Decree on pay-ment services, as well as regulations on anti-money laun-dering.

Regulation of crowdfunding platforms has been mandated by the lawmaker in 2012 to Consob, the agency that super-vises stock exchange trade. Consob approved equity crowd-funding regulation in 2013 and revised it in 2016, so provid-ing authorisation and registration requirements for entities that wish to create and operate crowdfunding platforms in Italy.

AGID is designated by law as the sole body responsible for regulating and monitoring digital payments towards public entities and issues technical regulations related to electronic identity (the Italian SPID system) and electronic signature providers. AGID is also the enforcement entity for the pro-visions of the EU eIDaS Regulation, regulating and moni-toring EU electronic identities used in Italy. AGID also has the responsibility of the systems which govern cross-border recognition of e-IDs from other Member States and compiles a mandatory three-year plan for state IT governance and innovation. AGID also manages the systems which allow Public Administration to receive e-payment (PagoPA).

The Ministry for Economic Development, together with the communications authority, Autorità Garante per le Comuni-cazioni (AGCOM), is also the designated authority for the development of infrastructures related to high-speed inter-net connection for PAs and private users, and manages and directly co-ordinates many public calls for tenders relating to European initiatives, such as the Horizon 2020 EU Initiative.

The regulation and compliance of insurance services are managed by the IVASS agency, so FinTech companies oper-ating in the insurance field should monitor regulation issued by this entity.

Consumer law protection ensures a very different and spe-cific approach on the matter; since the enforcement of the most recent European directive on the protection of con-sumer rights, in fact, the law states the direct competence of the Italian Antitrust Authority (AGCM), save for those economic sectors where a different national regulatory au-thority (NRA) has issued specific regulation deriving from European laws and principles. Also, while the AGCM can investigate, assess and sanction with very high fines the vio-lation of antitrust and/or competition issues, ordinary courts can also deal with the matter of indemnifying customers in-volved in such issues (AGCM has no direct powers concern-ing the imposition of damage indemnification to customers).

Privacy aspects are all regulated by the Privacy Code (Leg-islative Decree 196/2003), which is enacted by the Italian Data Protection Office (Garante per la Protezione dei Dati Personali, or GdP). The Data Protection Office also drafts technical regulations for specific sectors and is now working on the transition to the new EU Privacy Regulation, which will expand its powers of enforcement on any use of personal data concerning Italian residents.

All relevant laws and regulations are usually directly enforce-able by the issuing authority, but it is also true that many decisions are challenged in administrative courts, which are fairly rapid in their decisions where a temporary ruling is requested.

2.3 capital and Liquidity requirementsThere are no specific requirements, limitations, regulatory or charter-type requirements provided by law on FinTech companies, save for requirements imposed by EU regulation on payment institutions, insurance companies and e-ID pro-viders, which have been discussed above. The Bank of Italy is working with the government (MISE) to enact PSD2, which will regulate new types of FinTech companies as third-party payment providers and account information providers, with specific capital requirements as provided by the EU Direc-tive.

2.4 “Sandbox” or Other regulatory “neutral Zones”In Italy there are no explicit ‘sandboxes’ or regulatory ‘neu-tral zones’ regarding FinTech, so far. This, of course, as op-posed to some ‘grey areas’ in regulation, which provide for experimentation and the introduction of new services on the matter, which is especially true in the area of Bitcoin and alternative currency, where many providers have intro-duced services based on the absence or uncertain application of specific regulations (for example, Bitcoin ATMs, Bitcoin commerce and the Sardex network of services), or in trading platforms and brokerage, where the current regulation leaves many empty spaces for innovative products to fill (the only


9

regulation affecting innovative trading platforms is the one governing its taxation).

2.5 change of control approval requirements The requirements for FinTech companies are the general ones provided by the TUB for companies in the banking/insurance sector in cases in which FinTech activities are car-ried out using these types of regulations/entities as there is no specific “FinTech” company category.

As set forth in the TUB, any acquisition of shareholdings involving the possibility, for the acquirer, of controlling and/or exercising significant influence over the bank or giving the acquirer a holding of voting rights or capital equal to at least 10% must be pre-emptively authorised by the Euro-pean Central Bank (ECB) through a request filed through the Bank of Italy. Any variation of equity that results in con-trol of over 20% of voting rights must be pre-emptively au-thorised as well, which also applies to situations of indirect control of equity/voting rights. The authorisation may be denied or suspended if the acquirer is reputed by the ECB as unfit for the governance of the financial institute/bank.

2.6 recent developments or notable Proposed/Forthcoming regulatory changesItaly (as with other EU Member States) is working on imple-menting PSD2, which introduces important changes with a view to the FinTech sector.

After the implementation of the Directive, new non-banking intermediaries — the so-called TPPs, third-party payment providers — will be able to offer information and payment services that will allow users to access and operate bank ac-counts through the services of third parties. This will also incentivise the use of e-ID compliant with the eIDaS EU Regulation, as a common and unified credential for bank-ing and third-party and public administration services. The Italian framework has a particular advantage in this field, as its public SPID identity is the only EU electronic iden-tity compliant with eIDaS rules, which is designed to work with private services such as e-commerce and e-banking. This means that if the SPID project is successful and private entities start adopting the system, Italy could grow into be-coming the host country of a federated network of services accessible with a single set of credentials/identity, which would also include a federated payment system based on the same credentials.

Recently, the Italian government has appointed Diego Pia-centini, the former chief executive of Apple Italy and Ama-zon Sarl vice-president and general manager of Europe, the Middle East and Africa, as digital agenda commissioner, with extensive powers to act where the public entities are inefficient in bringing forward the digital agenda. Piacentini is also working on e-ID regulation to improve the circulation

of electronic identities and electronic payments. Legislative updates in September 2016 oblige all Italian public admin-istration to accept several kinds of digital payments and for this reason, AGID, the Italian Digital Agency, has established a public payment hub called PagoPA to serve Italian public administration. In addition to the above, the completion of the digitalisation process of Italian public civil records, which will create a centralised database, will make access to resident data, which is essential to confirm identities and payments, easier and more efficient.

2.7 Burden of regulatory Framework and Protection of customersThere is a great difference in FinTech businesses, depending on whether the business falls within the ‘banking’ categories, which makes the specified activity subject to almost all the rather cumbersome regulatory frameworks applicable to or-dinary banks. Specified activities that are not regulated fall out of the traditional regime thanks to innovations under PSD2 and therefore have a great advantage. Many specified activities are possible without entering a regulated field, so start-ups and innovative Purchasing Managers’ Indexes (PMIs) in the Italian FinTech sector seem to have a reason-able burden in terms of legal obligations.

2.8 regulatory impediments to Fintech innovation at traditional Financial institutionsAs previously described, banks and other traditional finan-cial institutions have a heavy burden in terms of surveillance, compliance and reporting for any activity, which leads them to delegate innovation to separate companies in the group or third-party vendors, or invest in start-ups that will develop new technology.

The market shows that the most prominent innovation will be brought from outside traditional institutions that will in-corporate these technologies thereafter.

2.9 regulatory regime’s approach to consumers and Small Business customersItalian consumer protection legislation against unfair trade practices is specifically drafted to provide identical pro-tection for consumers and small-business customers. The AGCM is the designated NRA with exclusive competence on assessing and sanctioning consumer unfair trade practices. The AGCM can issue sanctions of up to EUR5 million and, if its orders concerning consumer protection are ignored, can stop the relevant business through which the unfair trade practice has been carried out and issue yet more sanctions on the infringing company.

As far as ordinary consumer protection is concerned (for example, specific anti-consumer contract clauses and class action enforcement), small businesses are left out and only individuals benefit from the protection. The class action


10

system, introduced in Italy only a few years ago in a very mild form, has not met the general interest of consumers, who often prefer to deal with their issues through the help of consumer associations on a case-by-case basis seeking personal restoration/reimbursement, which is still a popu-lar system in Italy, where there is no case law tradition of punitive damages.

2.10 Outreach by regulators or Government authorities to engage with Fintech innovators Italian national regulatory authorities have developed a cer-tain number of best practices when dealing with innovation in general. Among the many regulatory instruments, they usually prefer opening public consultations with the stake-holders before adopting new regulation on a specific topic. In the case of FinTech activities, the most recent outreaches made by national authorities towards the understanding of the matter are the openings of the Bank of Italy regarding the uses and potential of blockchain technology. In June 2016, the governor of the Bank of Italy, Ignazio Visco, stated in a public speech that he is a “fan” of blockchain technology and that the Bank of Italy would start exploring the potential of this innovative technology working with stakeholders. This is a notable outreach, considering that only a year before, the Bank of Italy had issued an official “warning” on the risks of virtual currency units, a very different position from the most recent one described above.

2.11 Unregulated Specified activities In recent times, many so-called over-the-top (OTT) elec-tronic communication services have risen to prominence, providing free messaging services and notifications. Such services make use of third-party infrastructures, networks and services to provide innovative services, without sustain-ing many of the costs for transport and maintenance of ser-vice. A good example of an area where unregulated services are challenging regulated services is the market of manda-tory notifications to clients of financial services, where SMS notification services are increasingly being replaced by new solutions (for example, WhatsApp), which, while appar-ently providing the same communication and notification services, have an unclear, if not absent, regulation. NRAs are still investigating the matter, but the enforcement of existing regulatory provisions appears difficult on the providers of such new services, which are usually based abroad.

2.12 Foreign Fintech companiesFinTech companies that operate as banking/financial entities within the subject matter of the Uniform Banking Code are subject to reciprocity and their first subsidiary in Italy is to be authorised by the Bank of Italy. Subsequent openings can be prohibited by the Bank of Italy only for reasons related to the bank’s ability to support the new premises. Banking/financial entities that provide their services through online techniques do not require a subsidiary in Italy, but privacy

legislation in some cases requires that their servers (or a back-up of the same) be in Italian territory, or at least in an EU country. This poses many interesting issues, specifically relating to the possibility, for a banking/financial company, of acquiring server hosting space from third parties operat-ing abroad, in non-EU countries.

Companies that have no operational headquarters in Italy or in the EU area are not allowed to benefit from the innova-tive start-up regime and companies that have no registered office in Italy cannot acquire the status of innovative SME (PMI Innovativa, see 3.3 recent Legal changes) and, for the same reasons, regional incentives for start-ups may only be accessible if a subsidiary is located in the territory of a certain region of Italy.

2.13 regulatory enforcement actions against Fintech companies No direct regulatory enforcement actions have been recently enacted against FinTech companies, save for the regulation on the requisites for constitution of digital identity provid-ers. Such regulation, issued by the Agency for Digital Italy in 2014, required private companies willing to establish themselves as digital identity providers to have a registered capital of at least EUR5 million, while such a requisite did not apply to public bodies willing to attain such qualification. The Administrative Courts of Rome (TAR Lazio) declared the disparity void in 2015, restoring the ability of FinTech companies to qualify as digital identity providers without the need of such a high registered capital.

2.14 “Shadow Banking” The Uniform Banking Code regulates all financial and bank-ing activities in Italy. Therefore, it also forbids any such ac-tivity to companies and/or subjects that are not authorised to act as registered banks and/or financial institutions. Any credit, banking and financial activity may be pursued only by companies registered in the official registers managed by the Bank of Italy. Abusive and/or shadow banking activities are criminal offences, punishable with high fines and imprison-ment, which also applies to FinTech companies, without any difference with ordinary companies.

The Bank of Italy, the Ministry of Finance (Ministero dell’Economia e delle Finanze) and Consob have joint su-pervisory powers in this area.

3. Form of Legal entity

3.1 Potential Forms of charterThere are no special laws or regulations concerning the forms of charter that may be used by FinTech companies vis-à-vis ordinary companies. As such, a FinTech company can


11

adopt the form of charter it deems more appropriate, based on the limitations and/or points of strength of each one.

Regarding financial entities, the TUB states that banks may only be constituted as joint-stock companies or limited li-ability co-operatives, which also applies to FinTech compa-nies willing to attain the qualification for their businesses in Italy in a regulated environment. Companies wishing to operate as innovative start-ups are instead bound to the form of simplified limited liability company and they can either adopt a fixed charter prepared by the Ministry of Economic Development and use a very quick incorporation procedure or draft their own charter through a notary (see 3.3 recent Legal changes for a simplified list of the requisites and the benefits deriving from the adoption of this type of company charter).

3.2 Key differences in FormSrl companies are generally the most favoured form, because they offer much versatility in devising the charter and gov-ernance (very lean or with board, auditors, etc) and limited liability with a low minimum corporate capital. Spa (joint stock companies) are instead fit for very large businesses, but not as flexible. Innovative start-ups and innovative SMEs may be created from srls or spas, following the requisites and limitations provided by law.

3.3 recent Legal changes No recent legal changes in the Italian jurisdiction have affect-ed the desirability of one form of legal entity over another.

In 2012, the so-called Growth Decree 2.0 (Decreto Crescita 2.0, dl 179/2012) introduced the definition and requisites for the creation of innovative start-ups in Italy. This type of company benefits from many exemptions and bureau-cratic facilities, albeit for a limited period of five years since its constitution and/or inscription in the dedicated registry (among those, notably, online, free-of-charge incorporation, exemption from regulation on dummy companies, easier to compensate VAT credits, stock options and work for equity schemes). To be regarded as an innovative start-up, a com-pany must:

•be newly constituted, or established for less than five years;•have its HQ in Italy or any EU member state, as long as one

of its branches is in Italy;•have a yearly turnover below EUR5 million;•not distribute profits;•not be listed on regulated market;•have a corporate purpose related to technological innova-

tion; and•not result from company mergers, split-ups or sellings-off.

In addition to the above requisites, the company must meet, alternatively, at least one of the following requisites:

•it must devote at least 15% of its annual costs to R&D;•it must have a third of its workforce as PhD students/grad-

uates or researchers;•two thirds of its partners holding a Master’s degree; or•have ownership, deposit, registration or licence of a patent

or software.

In 2015, following the great success of the innovative start-up model, the Italian government created yet another type of charter, the small and/or medium innovative company (PMI Innovativa), which has some of the same requisites and benefits already provided for innovative start-ups, but without the time limitation of five years imposed on that type of company.

4. Legal infrastructure (non-regulatory)

4.1 desirable changes to Facilitate Specified activitiesNo special regime is provided, in Italy, specifically for Fin-Tech companies and commercial law has not been specifi-cally amended for FinTech innovation. Many of the recent innovations regarding IP, start-ups and taxation exemptions will be of great help to FinTech companies, more than to ordinary ones, and the legislator devised them to incentivise FinTech.

4.2 access to real-time Gross Settlement Systems There is no special regime for FinTech companies to obtain direct access to real-time gross settlement systems or simi-lar infrastructures. Therefore, they can access those systems only through regulated financial institutions or if they have such nature.

4.3 Special insolvency regimesNo special and/or separated or dedicated insolvency regimes are provided for FinTech companies. Therefore, FinTech companies are subject to the same insolvency regimes pro-vided by the law for ordinary financial institutions. It is also relevant whether the FinTech company acts as a regulated financial institution or a non-regulated ordinary company because special legislation governs the insolvency of banking entities (for example, bail-in procedure).

4.4 electronic Signatures According to Italian regulation, electronic signatures issued by registered providers are equivalent to ‘wet ink’ signatures. Electronic signatures, as provided by Italian law and the Eu-ropean eIDaS regulation, are issued by a registered provider, which has to identify its owner personally or via certified remote procedures and store the relevant details (copy of a valid ID, registration of any remote/online identification procedure, etc) for at least ten years in a secure facility. There are 11 registered providers so far in Italy, according to AGID.


12

4.5 Standards for Proving identity in electronic transactionsSince July 2016, with the entry into force of the European eIDaS regulation, completed by its three additional execu-tion decisions and regulations, the EU has already provided its general guidelines for the development of the systems for proving identity in electronic transactions, in its three differ-ent levels (base, significant and high warranty).

At the moment in Italy, the regulations issued by AGID and by the president of the Counsel of Ministries for the imple-mentation of the SPID system is one of the most prominent applications of the eIDaS regulation in Europe. An electronic identity issued according to the SPID protocol includes a dedicated ID number, all personal identification attributes (name, surname, date and place of birth, sex, fiscal code and a valid pre-existing ID, for physical people; name, registered offices and VAT code, for companies) and at least a second-ary identification attribute (a mobile phone number, an e-mail address, a registered home and/or digital address, plus any other data that may be defined by AGID as relevant). All data acquired for issuing an electronic identity has to be stored, by the relevant identity provider, for at least 20 years after its expiry or revocation. The data included in an electronic identity is used each time by the relevant compa-nies and/or SPID providers directly or indirectly involved, to verify the identity of the user/company operating an electronic transaction. If the electronic identity has not ex-pired or been revoked by its legitimate bearer, an electronic transaction for legitimate goods and/or services is valid and binding between the parties.

5. data Privacy and cybersecurity

5.1 data Privacy and cybersecurity regulatory regimes Italy is one of the EU Member States with the greatest atten-tion to data privacy and cybersecurity, because its data pro-tection laws inspired general EU data protection legislation.

As in other EU States, personal data and sensitive data can only be used with appropriate information and the express consent of the data subject, and transfer to non-EU countries is not allowed where there are no guarantees of an adequate privacy standard.

Cybersecurity violations (for example, failure to adopt suf-ficient security measures in a computer network) are regulat-ed as data protection law infringements and may be subject to administrative sanctions, as for data protection infringe-ments, and, in the case of repeated and serious violations, criminal sanctions.

Almost all matters involving privacy, data protection and cy-bersecurity regulatory regimes in Italy are directly handled by the relevant NRA, the National Data Protection Agency Garante Privacy. However, some of the issues involving spe-cific technological aspects of cybersecurity are also handled by both the Department for Communications of the Min-istry of Economic Development and the communications NRA, AGCOM. The enforcement of almost all practical aspects of privacy and cybersecurity is directly handled by specific police bodies and/or branches (such as the special Postal Services and Telecommunications branch of the Ital-ian Financial Police), assisting NRAs in their investigations thanks to specific protocols with the relevant authorities in-volved. This has brought a very detailed regulation body into existence and the powers of the GdP will further increase with the full entry into force of the new European Privacy Regulation, expected in late May 2018.

5.2 recent and Significant data Privacy Breaches There have been few recent and significant data privacy out-breaks involving Italian FinTech companies. However, many of the detailed regulations issued in time by the GdP have been introduced following the decision on specific privacy cases brought before the GdP itself, so any future privacy decisions or cases involving FinTech companies will surely influence any subsequent detailed privacy regulation.

An important cybersecurity attack involved the Italian Con-stitutional Court in 2013 due to the “TangoDown” hacking attack claimed by the Anonymous international organisa-tion, which seemed to stop the online connection of the web-site temporarily. Four people were arrested for the crime and others are currently facing trial.

Other important attacks include a breach of the data serv-ers of a division of Unicredit Group which gave the hackers access to profile data of about 400,000 clients between Oc-tober 2016 and July 2017. In June 2017 hackers attacked the Italian Ministry of Foreign Affairs and obtained access to some accounting data. In July 2017 the online platform of a prominent Italian political party was attacked and some lists containing members’ data were published.

5.3 companies Utilising Public Key infrastructures or Other encryption SystemsThe Italian Privacy Law provides a dedicated regime for public administrations and companies dealing with public services and/or infrastructures. Such bodies are subject to more compelling rules on data retention, access to private information and data, security measures and data breach violation protocols. In time, the GdP has detailed many of these specific obligations, by issuing specific decisions and/or detailed regulations.


13

Furthermore, public key infrastructures and encryption systems based on digital signatures and electronic identity must be issued by providers authorised by AGID, which also monitors and sanctions any violations by these providers of the provisions of the Digital Administration Code (for example, issuing a non-secure digital signature or e-ID).

Violations like identity theft, illegal access to computer sys-tems, illegal circulation of credentials, improper identifica-tion of persons requesting digital signature or e-ID are also subject to criminal sanctions.

5.4 Biometric dataDuring the last five years, the GdP had been working to develop specific regulation on biometric data, by issuing public consultations with stakeholders and interested par-ties. The road to a comprehensive regulation on the matter is, however, a work in progress, because the latest regula-tion was issued in 2014 and only introduced strict measures for the processing of biometric data, as well as a dedicated channel for data breach alerts, to be filed within 24 hours since the event occurred. Given that many of the techni-cal implementations and (not only privacy) issues related to biometric data are slowly emerging each year, the GdP is likely to adopt new decisions on specific cases and subse-quent general regulations on the matter in the next few years. The implementation of the new European Privacy Regula-tion expected in 2018 will probably increase the need for new regulatory interventions on biometric data, as well as on many other privacy topics.

6. intellectual Property

6.1 intellectual Property Protection regime Italy, as an EU Member State, is compliant with every EU IP regime and therefore has a strong protection of copyright (including software copyright) and inventions.

IP violations may be of a civil or criminal nature and, gener-ally, the victim of the violation has the choice of whether to pursue the violation in a civil or criminal court. Civil viola-tions have dedicated courts (Sezioni in materia di Impresa), which are supposed to be specialised and faster than ordi-nary courts in their decisions but their efficiency depends on how the local court is organised. Courts can issue interim decisions in cases where there is an irreparable prejudice in waiting for an ordinary decision and there appears to be legal ground.

Online copyright has a fast-track procedure by which the copyright owner can send an online notice to AGCOM that will signal the violation to the online provider and, if no one brings the matter to court, take down the illegal content. This has proved to be a very efficient way of hampering the ille-

gal distribution online of copyrighted content, as the most recent data published by AGCOM shows.

6.2 trade Secret regime The Italian trade secret regime protects business information and technical-industrial knowledge, including commercial, only if it is secret and the information may be valued from an economic standpoint (ie, it is an element that can be in-serted in a balance sheet). Any professional carrying out an evaluation (for example, in court) who accesses trade-secret protected information is obliged to maintain professional secrecy, according to the Code of Industrial Property, and the Criminal Code and the report should not disclose the information.

6.3 copyrights, Patents, trade MarksFinancial technology is generally regarded as patentable in Italy. Marks related to FinTech can be trade-marked as well, following the general IP regime. Software involved in finan-cial technology is protected by copyright. Italy, as in the EU, does not recognise business model patents.

6.4 Protection of intellectual Property or trade SecretsIt is generally advisable in IT platforms to have a working and functional deposit of the platform, as existing registers (for example, software registers) are static and fail to prove the complexities of modern integrated platforms. Specialised providers offer techniques to deposit ‘live’ technology (for example, technology escrow), which can be made valid in front of Italian courts. After the eIDaS Regulation came into force, Italian courts should recognise any electronic docu-ment (ie, any document/information that is necessary to prove legal elements stored in electronic form).

6.5 Joint development of intellectual Property If the developers do not sign a specific agreement about the quotas, the property of a joint development protected by IP is assumed to be divided into equal quotas. In the case that the developers decide to use a private agreement, they can assign each one any quota they want and then dispose of it, which is especially relevant for complex software platforms and websites because they are regarded as a joint ‘multime-dia’ work.

6.6 intellectual Property LitigationAt this time, there is no indication that IP in FinTech is a significant source of litigation in Italy, compared to other business areas.

6.7 Open Source code Open source is treated as licensed copyrighted code. There-fore, a violation of the open-source licence determines the application of remedies provided for copyright violation. For example, if open-source code is incorporated into a


14

commercial software solution without re-applying the cor-responding licence, the resulting software is illegal from a civil and criminal standpoint, and courts can prevent its sale, seize distributed copies and order restoration of damages.

Issues with open-source code should be dealt with pre-emp-tively by entering into contracts (insurance/maintenance) that define who will be liable for problems in the code. This is because some open-source projects are developed on a voluntary basis by many developers and there is no specific liability for the software, which is used at the user’s risk.

7. tax Matters

7.1 Special tax issues, Benefits or detriments The best benefit tax available in Italy is patent box. This is an innovative Italian system that allows companies to reduce their taxes with investment, mainly in patents and trade-marks. All the holders of business income deriving from the direct exploitation or the licence of IP assets and who performed R&D activities — in order to maintain, enhance or develop their IP assets — are entitled to benefit from the tax advantage. These beneficiaries are probably companies, commercial entities and permanent establishments (PEs) within the Italian territory of foreign subjects. The Italian branch of foreign companies can claim for the regime under the conditions that it is resident in a country that has in force

a double tax agreement and has developed with Italy an ef-fective exchange of information.

Investors in the equity and obligations of start-up companies have a no-tax regime on 30% of their investment.

8. issues Specific to the Specified activities8.1 additional Legal issues Italy has usury laws that pose a limit to the amount of inter-est that may be charged.

The Ministry of Economy and Finance publishes online rates for various types of financial activities that should not be exceeded.

Another relevant element in the Italian jurisdiction is the existence of the ABF (Banking and Financial Arbitration), which is an ombudsmancommission for bank/consumer controversies that has a very low cost of access and can de-liver quick decisions for claims up to EUR100,000.

Studio ProsperettiVia Gerolamo Belloni, 8800191 Rome - Italy

Tel: +39 06 36304109Fax: +39 06 36301896Email: [email protected]: www.studioprosperetti.it

chambers global practice guides italy fintech · 2017. 12. 11. · case between europe and the...

Documents