What are the sources of payments law in your jurisdiction?
Italian legal framework applicable to payment services has been shaped by EU legislative initiatives aimed at creating an integrated market for electronic and retail payments, in particular:
- the second payment service directive (Directive (EU) 2015/2366, ‘PSD2’), enhancing the set of common rules with respect to the provision of payment services that had been laid down by directive 2007/64/EC;
- the single euro payments area (SEPA) regulation (Regulation (EU) no 260/2012), fostering a single european cashless payments area (for credit transfer and direct debit transaction denominated in euro);
- regulation on cross-border payments in the Union (Regulation (EU) 2021/1230), establishing the principle that charges paid by users for a cross-border payment in euro are the same as for the corresponding payment within a member state;
- payments accounts directive (Directive 2014/92/EU, ‘PAD’) concerning the comparability of fees and payment account switching and access to payment accounts with basic features;
- e-money directive (Directive 2009/110/EC), regulating the taking up, pursuit of and prudential supervision of the business of electronic money institutions.
The principal domestic sources applicable to the provision of payment services are:
- consolidated law on banking (legislative decree no. 385/1993);
- legislative decree no. 11/2010, implementing the payment service directive;
- supervisory provisions for payment institutions and e-money institutions issued by the Bank of Italy.
Payment service providers should also comply with anti-money laundering regulation (legislative decree no. 231/2007 transposing the EU anti-money laundering directives and implementing regulations).
Bank of Italy is the national competent authority for the supervision of payment services.
Can payment services be provided by non-banks, and if so on what conditions?
In addition to banks, payment services can be provided by:
- payment institutions;
- e-money institutions;
- financial intermediaries authorized under art. 106 of the consolidated law on banking.
The carrying out of payment services is subject to prior authorization by the Bank of Italy, in order to ensure the sound and prudent management of the payment service provider. In particular, the authorization is granted upon assessment of the governance arrangements, paid-up capital, business model, suitability of the qualified shareholders and of the directors of the service provider.
Payment institutions and e-money institutions already authorized in a Member State other than Italy can carry out payment services in Italy under the freedom to provide services or right of establishment regime, provided that the Bank of Italy has been notified by the competent authority of their home Member State. E-money institutions having their seat in a Third Country can operate in Italy only after being authorized by the Bank of Italy, provided that they have established a branch in Italy.
It should be noted that, in accordance with PSD2, some activities are exempt from the payment services regulations and can be carried out without need of prior authorization. For instance, legislative decree no. 11/2010 sets out exemptions for:
- services based on specific payment instruments that can be used only in a limited way (e.g.: instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer; or instruments which can be used only to acquire a very limited range of goods or services, such as fuel cards); and
- payment transactions by a provider of electronic communications networks or services provided in addition to electronic communications services for a subscriber to the network or service, provided certain conditions are met.
What are the most popular payment methods and payment instruments in your jurisdiction?
In accordance with Bank of Italy’s report on the payment attitudes of consumers of March 2022, based on studies conducted by the European Central Bank in 2019 and 2020, the following considerations on the use of cash and other means of payment in Italy can be made:
- cash remains the most used instrument at physical points of sale, although its use has declined over time;
- the value of cash payments represents 58% of the total payments (68% in 2016), compared to 32% of transactions with cards (29% in 2016) and 10% with other instruments (3% in 2016). Therefore, the main cashless payment instruments consist of credit and debit cards;
- cash is mainly used for low-value transactions and transactions between individuals (person-to-person);
- the adoption of cashless payment instruments is widespread in Italy: 90% of the respondents has access to at least one payment card (94% for the euro area). Contactless card payments represent 55% of all card payments (against 38% for the euro area). Italy seems to lag behind in the access to innovative means of payment (e.g. smartphones) compared with the euro area, since only 10% of Italian respondents use them, against 28% in the euro area.
However, covid-19 pandemic may have fostered the decline of the use of cash at the physical point of sale. In fact, the report suggests that the lower risk of infection compared to the use of cash and the greater convenience of cards (probably due to contactless technology) have led respondents to answer that they pay less frequently in cash than before. Such behaviours are likely to be maintained in the future, also taking into account some legislative measures aimed at fostering the spread of cashless transactions. In particular:
- limits have been imposed to cash transactions (which cannot exceed 2.000 euro until 31 December 2022 and shall not exceed 1.000 euro starting from 1 January 2023), in compliance with anti-money laundering provisions;
- during the pandemic, a cashback bonus was granted to consumers who used electronic payment transactions;
- merchants are now required to accept cashless transactions. This measure may meet the expectations resulting from the studies reported by the Bank of Italy, according to which about half of the respondents stated that, being able to choose freely, they would prefer to use alternative instruments, while only a quarter expressed a preference for cash.
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
With reference to open banking, PSD2 has given way to the provisions of the following payment services:
- payment initiation service (PIS): a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider (PSP);
- account information service (AIS): an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another PSP or with more than one PSP;
- card initiated service (CIS): is a service where an account servicing payment service provider, upon the request of a PSP issuing card-based payment instruments, immediately confirms whether an amount necessary for the execution of a card-based payment transaction is available on the payment account of the payer.
In accordance with a report issued by the Bank of Italy on November 2021 (PSD2 and Open Banking: new business models and relevant risks), the provision of the above mentioned payment services in Italy has started following the entering into force in September 2019 of the PSD2 supplementing regulation on strong customer authentication and common and secure open standards of communication (delegated Regulation no. (EU) 2018/389). At present, Bank of Italy’s monitoring highlights a limited recourse to such open banking services, especially referring to CIS. This may be due to issues regarding the establishing of access interfaces through which third party providers (TTPs) offering AIS and PIS can access the customers’ payment accounts in a secure manner.
Bank of Italy notes that payment service providers offer AIS and PIS not as stand-alone services, but in bundle with financial, insurance, investment services, or even commercial services. In fact, PIS and AIS act as carriers to more profitable services.
Among the main risks arising from these open banking practices, Bank of Italy notes that the presence of more entities involved in the carrying out of such services increases the cyber risks and may lead to a less effective transaction risk analysis (relevant for the identification of frauds). Moreover, the provision of such services requires that payment service users’ are adequately informed on the different stages through which the service payment is carried out.
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
The general data protection regulation (Regulation (EU) 2016/679, ‘GDPR’) applies to the processing of personal data in the context of payment services carried out in accordance with PSD2. Therefore, payment service providers (PSPs) must comply with requirements set out in GDPR, adopting organizational and technical measures that may overlap or, in some cases, be additional to those required by PSD2. For instance, PSPs should appoint a data protection officer, maintain a record of processing activities, implement appropriate technical and organisational measures which (i) must be designed to implement data protection principles -privacy by design- (e.g. pseudonymisation, encryption) and (ii) ensure, by default, the highest privacy protection so that personal data isn’t made accessible to an indefinite number of persons (privacy by default). Moreover, notification requirements to the national data protection authority (e.g. in case of personal data breach) must be complied with in addition to the notification requirements provided for by PSD2.
The European Data Protection Board (EDPB) has provided guidance on the interplay of PSD2 and GDPR (guidelines 6/2020). Pursuant to GDPR, data processing is lawful only if at least one of the legal grounds provided in art. 6 of GDPR applies. It should be noted that the payment service user’s consent required by art. 94(2) of PSD2 is not equivalent to the data subject’s consent provided as legal ground by GDPR. This is due to the fact that payment services are provided on a contractual basis between the payment services user and the payment services provider. Therefore, explicit consent required under art. 94(2) of PSP2 is a requirement of a contractual nature additional to that of the GDPR. Such provision entails transparency requirements on PSPs, that must provide payment service users’ with specific and explicit information about the purposes identified by the PSPs for which their personal data are accessed, processed and retained. Under a GDPR perspective, data processing linked with the provision of payment services may be legitimate under the ground provided by art. 6(1)(b) of GDPR, in accordance with which processing must be necessary for the performance of the payment service contract to which the data subject is a party.
In some cases, data processing may be necessary for compliance with legal obligations to which the PSPs are subject (ground under art. 6(1)(c) of GDPR). This may be the case with reference to customer due diligence measures provided for by anti-money laundering regulations. Such legal ground applies also with reference to AIS and PIS, since PSD2 imposes on the account servicing payment service provider (ASPSP) the legal obligation to grant the PSP access to personal data in order to be able to provide such payment services.
EDPB also gives guidance on the issue related to the processing of “silent party data”. Such data are processed by the PSPs even if they refer to a data subject who is not the user of a specific payment service provider (e.g. where a payment service user, data subject A, makes use of the services of an AIS provider, and data subject B has made a series of payment transactions to the payment account of data subject A, data subject B would be the silent party whose data may be processed during the provision of AIS). Such processing may be legitimate in case it falls under the “legitimate interest” ground provided for by art. 6 (1)(f) GDPR. However, EDPB clarifies that the necessity to process personal data of the silent party is limited and determined by the reasonable expectations of these data subjects and appropriate measures have to be established to safeguard that the interests or fundamental rights and freedoms of the silent parties are not overridden.
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
Above all the initiatives activated in Italy to foster the innovation in the financial sector (such as the creation of various research committee dedicated to this field) the one that is more worth to mention is the introduction of a regulatory sandbox regime. Indeed, with the ministerial decree no. 100/2021, the Bank of Italy, Consob and IVASS have been given power to create a “temporary space” in which – under the constant monitor of the mentioned authorities – fintech start-ups can develop their products and offer them on the market, while benefitting of simplified authorization regime.
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
There are no risks to the growth of the fintech sector in Italy. The principle of neutrality (according to which the specific technology adopted should not have a influence on the applicable regulation of that financial service) helps innovation in the financial market. In addition, public authorities are doing their best to low (in the controlled space of regulatory sandboxes) the burden of regulation for fintech start-ups.
What tax incentives exist in your jurisdiction to encourage fintech investment?
In Italy there are no tax incentives regarding specifically the fintech sector yet. Notwithstanding this, there are some measures to sustain innovation that can be applied directly to fintech activities.
For instance, investments in Italian innovative startups (start-up innovative) and Italian innovative SMEs (PMI innovative), grants tax incentives (in the form of a tax deduction from the amount of tax to be paid annually) equals to an amount varying from the 30% and the 50% of the investments made in the company.
Other tax incentives applicable to the fintech sector regards, for instance, tax credit for research and development and a patent box regime reducing the burden of taxation on revenues deriving from certain intellectual properties.
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
According to a recent survey of the Bank of Italy of November 2021, fintech areas that are attracting the highest amount of investments are: artificial intelligence, big data analysis and distributed ledger technologies (DLT).
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
Italy offers various opportunities for fintech companies. Above all, Italian clients and, in general, Italian families have one of the highest amounts of savings, per capita, in Europe. In addition, in Italy it is possible to have access to high qualified personnel belonging to the IT or the financial industry.
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
Italy has enacted a set of measures aimed at attracting human resources to Italy, by providing tax benefits conditional on the transfer of residence and the return of workers from abroad.
In addition, specific benefits have been implemented for professors and researchers moving their activities to Italy.
If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
In recent years, growing attention has been paid to the issue of the so called “brain-drain” and, conversely, attracting human resources from abroad. In fact, laws and regulation aimed at attracting human resources to Italy have been enacted and regularly updated. At the moment, it is unlikely that such benefits will be limited in future, considering that the implementation of the European recovery plan, NextGenerationEU, will require as many experienced and professional human resources as possible.
Fintech companies may benefit from such policies, since the qualified human resources they need are in scope for the above mentioned tax benefits.
What protections can a fintech use in your jurisdiction to protect its intellectual property?
Intellectual property of fintech projects can be protected in two major ways: via copyright or using a patent. Both these instruments can be used for softwares developed by fintech company with the following main differences.
Intellectual property of softwares is automatically protected by copyright in the moment of their creation and publication. Software covered by copyright can also be registered to increase the intellectual property protection. Indeed, registering a software in Italy grants proof that, on a specific date, (i) the software existed and about (ii) who is the author detaining the related economics rights.
In addition, for software with specific characteristics also a patent can be requested. In this case the software needs to be considered as a “computer-implemented invention”, i.e. an invention whose implementation involves the use of a computer.
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
Cryptoassets do not have a specific regulatory status in Italy. The only italian laws and regulations that provide a definition applicable to them are those concerning anti-money laundering (AML) regulations. Article 1, paragraph 2, letter (qq) of legislative decree no. 231/2007, implementing, inter alia, the fifth anti-money laundering directive, provides the definition of ‘virtual currency’. Virtual currencies are defined in the AML regulation as ‘the digital representation of value that: is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency accepted as a means of exchange to buy goods and services or for investment purposes; and which can be transferred, stored and traded electronically’. The introduction of this definition implies that offering of services related to the use of cryptoassets will fall under the definition of ‘providing services related to the use of cryptocurrencies’ in accordance with article 1, paragraph 2, letter (ff) of the AML regulation.
The same regulation also regulates the offering of crypto custody activities, through the introduction of the definition of companies ‘providing custodian wallet services’ in accordance with article 1, paragraph 2, letter (ff) bis of the AML regulation.
The Italian legislator recently introduced licensing requirements for the provision of services related to cryptoassets by Crypto Assets Service Providers (CASP) and Wallet Service Providers (WSP).
Article 8(1) of legislative decree no. 90 of 2017 extends the provisions of article 17 bis of legislative decree no. 141 of 2010 to CASP, and article 5 (2), letters (a) and (b) of legislative decree no. 125 of 2019 extends the provisions of article 17 bis of legislative decree no. 141 of 2010 to WSP. Most recently, the Italian Ministry of Economy and Finance (MEF), by decree of 13 January 2022, set out the modalities and timing by which providers of services relating to the use of virtual currency and providers of digital wallet services are required to notify their operations in Italy, as well as forms of cooperation between the MEF and the police forces.
According to article 17 bis (8 bis) of legislative lecree 13 August 2010, No. 141 (on loan brokerage services referred to by the AML regulation, known as the Loan Broking Rules), to provide services related to the use of cryptoassets, CASP and WSP are required to enrol in a special section of the Register of Foreign Exchange Providers (OAM Register), which is kept by the Association of Loan Agents and Credit Brokers (OAM) in accordance with Article 17 bis (1,2).
CASP and WSP, which are legal persons, are required to establish their registered or administrative office in Italy, and European legal persons shall have a stable organisation in Italy, while those who are natural persons, shall be citizens of Italy, of a European Union Member State or of a third country. The provision of services related to the use of cryptocurrencies by natural or legal persons that are not enrolled in the OAM Register is considered unlawful.
After being enrolled in the register, CASP and WSP shall transmit data on transactions carried out in Italy to the OAM quarterly. The data that shall be provided are client identification data and data on the operations carried out by each client.
With regard to sanctioning powers, the Association of Loan Agents and Credit Brokers may suspend from the special section of the register any natural or legal person that violates the reporting duties or remove them should they not meet any of the requirements for carrying out their activity, should they repeatedly violate the data reporting obligation, should they be inactive for more than one year unless there is a justified reason or should they terminate their activity.
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
The legal framework applicable to initial coin offering depends on the cryptoasset issued. Where the issuance concerns cryptoassets that qualify as financial instruments (i.e., investment tokens and, in rare cases, utility tokens), Article 94 et seq. of the Italian Consolidated Financial Act apply.
In contrast, where the issuance concerns cryptoassets that are not of a financial nature (i.e., assets other than financial instruments or financial products), no specific regulation applies, apart from what has been said with reference to AML obligations.
Considering that MICA regulation will enter into force within the next years, this will have potential effects also on Italian ICO regulation.
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
Italy has a discrete amount of blockchain live projects. They cover the most important areas on this sector, such as investment activities, counselling and advice (so-called Web3 Agency), NFT and metaverse.
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
AI is greatly used in Italy by the fintech sector, being one of the technology that is attracting more investments. To mention some of the most important application, it is possible to referrer to the providing of robo-advice services.
The approach followed by the applicable regulation is in line with the principle of neutrality that, as mentioned above, may foster the development of this technology.
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
The survey of Bank of Italy of November 2021 shows a good amount of investments in the insurtech sector. The technologies predominantly employed here are big data and DLT.
In particular, the use of DLT in insurtech is increasing the standard of serviced offered to the public, thanks to the innovations followed by the implementation of self-liquidating insurance policies, fully digital and based on blockchain technology.
Are there any areas of fintech that are particularly strong in your jurisdiction?
In Italy, according to a survey of the Bank of Italy of November 2021, fintech areas that are particularly strong are related to artificial intelligence, big data analysis and DLT.
With particular reference to the DLT and blockchain area, an important data can be highlighted. In less than five months from the introduction of a licence for crypto-asset service providers, there are already 74 companies enrolled in the OAM register.
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
Based on a report issued by the Bank of Italy on November 2021, the interest of Italian financial intermediaries into fintech technologies has led not only to an increase of in-house investments (such as acquiring new software, hardware, technological equipment) but also to the acquisition of qualifying holdings in fintech companies or other form of close cooperation (e.g. joint ventures). In fact, such operations allow intermediaries to secure advanced technologies otherwise unavailable in-house and to speed up project implementation times in order to be competitive towards new market incumbents.
Bank of Italy’s survey reports 330 partnership agreements involving 199 companies. It is also noted that fintech companies usually enter into an exclusive relationship with a sole intermediary and only a few companies have established partnerships with more than one intermediary. On the other side, each intermediary deals on average with 4.6 fintech companies. The partnerships are mostly aimed at providing innovation in the areas of lending and savings collection (e.g. credit scoring projects and mobile banking models), together with payments services (e.g. digital wallets and peer-to-peer transfers).
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
Bank of Italy’s survey reports the following findings:
- most of the projects and resources are addressed to provide innovation in the areas of lending and payments services (specifically, mobile banking, digital lending and open banking). Projects for process innovation in business operations and governance are also relevant for their quantity, although a significant lower amount of resources is invested in such projects. Innovation in investment and insurance services remains low both in terms of projects launched and expenditure;
- with reference to the technologies involved, investments in application interfaces and technological infrastructures (APIs) account for 58% of expenditure. Other consolidated fields of innovation consist in biometrics (mainly related to onboarding procedures) and robot process automation (with reference to projects concerning business operations and governance). Artificial intelligence-based projects, including machine learning and natural language processing, while decreasing in number, grew in terms of expenditure, driven mainly by applications for digital lending.
Are there any strong examples of disruption through fintech in your jurisdiction?
Among Italian fintech companies it is possible to identify some examples of enterprises which have managed to develop innovative products and markets. Satispay has created a mobile payment network alternative to credit and debit cards which has enjoyed an exceptional growth, recently becoming an Italian “unicorn”, after raising investment for 320 mln euro (and exceeding a valuation of 1 bln euro).
Another dynamic sector regards payment solutions labelled as “buy now pay later”, which are now provided through electronic tools (e.g. apps) by fintech companies such as Scalapay, Clearpay, Klarna and PayPal.
Italy: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in Italy.
What are the sources of payments law in your jurisdiction?
Can payment services be provided by non-banks, and if so on what conditions?
What are the most popular payment methods and payment instruments in your jurisdiction?
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so to which entities, and what is state of implementation in practice?
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
What tax incentives exist in your jurisdiction to encourage fintech investment?
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
If there are gaps in access to talent, are regulators looking to fill these and if so how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
What protections can a fintech use in your jurisdiction to protect its intellectual property?
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
Are there any areas of fintech that are particularly strong in your jurisdiction?
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
Are there any strong examples of disruption through fintech in your jurisdiction?