1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?

  • The Consolidated Financial Act (Legislative Decree 58 of 24 February 1998);
  • The Consolidated Law on Banking (Legislative Decree 385 of 1 September 1993, as amended);
  • The Private Insurance Code (Legislative Decree 209 of 7 September 2005, as amended);
  • The Growth Decree (Law Decree 34 of 30 April 2019, converted into Law 58 of 28 June 2019, as implemented, among others, by Ministry of Economy and Finance (MEF) Decree 100 of 30 April 2021;
  • The Simplifications Decree (Law Decree 135 of 14 December 2018, converted into Law 12 of 11 February 2019);
  • The Privacy Code (Legislative Decree 101 of 10 August 2018, implementing Regulation 2016/679 and amending Legislative Decree 196 of 30 June 2003);
  • The Cybersecurity Law (Legislative Decree 65 of 18 May 2018);
  • Legislative Decree 218 of 15 December 2017, which implemented the EU Payment Services Directive (2015/2366);
  • The Anti-money Laundering Law (Legislative Decree 231 of 21 November 2007, as amended);
  • The Insurance and Reinsurance Distribution Regulation (Istituto per la Vigilanza sulle Assicurazioni (IVASS) Regulation 40 of 2 August 2018);
  • The Intermediaries Regulation (Commissione Nazionale per le Società e la Borsa (Consob) Resolution 20307 of 15 February 2018, as amended);
  • The Bank of Italy (BoI) Provisions for Non-banks' Collection of Saving (Resolution 584 of 8 November 2016);
  • The Crowdfunding Regulation (Consob Regulation 18592 of 26 June 2013, as recently amended by Consob Resolution 21259 of 6 February 2020);
  • The BoI Supervisory Instructions for Banks (BoI Circular 285 of 17 December 2013); and
  • The Joint BoI/Consob Regulation of 29 October 2007.

1.2 Do any special regimes apply to specific areas of the fintech space?

Article 36, paragraph 2bis of the Growth Decree introduced a regulatory sandbox in Italy, tasking the MEF with the duty of adopting one or more regulations to define the conditions and modalities for carrying out the testing of fintech applications, which – through the use of new technologies (eg, artificial intelligence and distributed registers) – could foster innovation of services and products in the financial, credit, insurance and other regulated markets.

Such testing must be characterised by:

  • a maximum duration of 18 months;
  • reduced capital requirements;
  • simplified formalities;
  • reduced timing for the granting of an authorisation; and
  • defined operating perimeters.

MEF Decree 100 of 30 April 2021, which entered into force on 17 July 2021, introduced implementing provisions for the regulatory sandbox. In 2021, the national competent authorities (ie, the BoI, Consob, IVASS) opened the first window for applications to access the sandbox, which ended on 15 January 2022. Other windows are likely to be opened in the near future.

This is one of the most innovative projects in the sector and represents an important step forward in the digitalisation of Italy. The sandbox allows fintech operators to test innovative solutions, benefiting from a simplified transitional regime and ongoing dialogue with the national competent authorities. The latter will publish an annual report on the application of the sandbox, proposing regulatory changes to promote the development of the sector, the protection of savings and financial stability.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

MEF: The MEF, which regulates the banking and finance sector, is responsible for budgeting, monitoring and overseeing public finance management and state stockholdings, among other things.

BoI: The BoI supervises the banking sector to ensure:

  • risk containment and asset liability; and
  • compliance with applicable laws and regulations by supervised legal entities.

Consob: The supervisory authority for investor protection and control over the securities market is responsible for:

  • transparency and correct behaviour by intermediaries and financial market participants;
  • the disclosure of complete and accurate information to the public by listed companies; and
  • the accuracy of the facts represented in prospectuses for offerings of transferable securities to the public.

IVASS: The national insurance supervisory authority ensures the sound and prudent management of insurance and reinsurance undertakings and their transparency and fairness towards customers.

Unità di Informazione Finanziaria per l'Italia: The national anti-money laundering authority receives and analyses reports of suspicious transactions, including in relation to the use of crypto-activities, provided by supervised legal entities that are subject to the anti-money laundering legislation.

Garante per la Protezione dei Dati Personali (Privacy Authority): The Privacy Authority ensures that data is processed as required by the law and that the rights of individuals with regard to the processing of their personal data are respected.

Autorità per le Garanzie nelle Comunicazioni (AGCOM): The national communications authority ensures the fair competition of operators in the communications and media market, and protects the fundamental rights of users in these sectors.

Autorità Garante della Concorrenza e del Mercato: The antitrust authority is responsible, among other things, for combating unfair commercial practices and misleading and unlawful comparative advertising.

1.4 What is the regulators' general approach to fintech?

The regulatory approach followed so far has been quite sectoral and has focused on credit and payment services in particular. Moreover, it does not distinguish between new players and incumbents, which has thus created a general atmosphere of uncertainty. The introduction of the regulatory sandbox (see question 1.2) aims to simplify access for new operators and to create a defined regulatory perimeter for fintech.

The dialogue between market players and the national competent authorities (NCAs) is also facilitated by:

  • the Fintech Committee, set up by the Growth Decree and comprising representatives of MEF, the Ministry of Economic Development, the Ministry for European Affairs, the BoI, Consob, IVASS, AGCOM, the Privacy Authority, the Digital Agency for Italy and the Tax Agency. The Fintech Committee aims to identify objectives, define programmes and promote the development of the sector in cooperation with EU and foreign NCAs, and to formulate law proposals;
  • the BoI's Fintech Channel, an initiative that seeks to support innovation in the regulatory arena, adopting a forward-looking approach. Active start-ups and firms that would like to offer technological solutions to banks and financial intermediaries, or the latter if directly involved in the development of innovative solutions in the area of financial services, can contact the BoI at canale-fintech@bancaditalia.it. Submitted applications are scrutinised by the BoI and applicants receive feedback through meetings and telephone calls; and
  • fintech roundtables organised by the BoI and IVASS.

1.5 Are there any trade associations for the fintech sector?

  • Since May 2017, non-profit trade association Assofintech has officially represented fintech and insurtech companies operating in Italy. It encourages dialogue with institutions, while promoting knowledge and qualitative growth of entrepreneurs through the provision of a common ethical code.
  • ItaliaFintech is a working group established in March 2018, which includes the most innovative national and foreign fintech companies operating in Italy, with the aim of promoting knowledge and the adoption of fintech solutions by consumers, families and companies.
  • The Italian Insurtech Association is a non-profit established in March 2020, comprising the different market players, which aims to accelerate innovation in the insurance sector through technical training, sharing of technological best practices and the creation of synergies among its members, while engaging in dialogue with national and international NCAs.

2 Fintech market

2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?

  • Credit services, including crowdfunding and peer-to-peer (P2P) lending;
  • Payment services;
  • Investment advisory;
  • Asset management;
  • Insurance services;
  • Market infrastructure; and
  • Crypto-activities.

2.2 What products and services are offered?

  • Technologies for contracts and remote operations;
  • Crowdfunding platforms;
  • P2P payment platforms;
  • Instant-payment related services;
  • Robo-advisory services;
  • Wealth and asset management services;
  • Regtech services;
  • Insurtech services; and
  • Crypto-activities and utility tokens.

2.3 How are fintech players generally structured?

At present, there are two main categories of market players:

  • incumbents (ie, banks, financial intermediaries and insurance companies); and
  • newcomers (ie, fintech companies and techfin companies).

In particular, depending on the services or products that they provide, a distinction must be drawn between fintech companies that are subject to supervision by national and/or foreign competent authorities and those that are exempt from supervision as they provide neither investment activities or services nor banking and/or insurance services.

Among the supervised fintechs, one may distinguish between:

  • regulated operators (ie, fintechs working as crowdfunding platforms, supervised by the Commissione Nazionale per le Società e la Borsa (Consob);
  • supervised financial intermediaries (ie, payment institutions and electronic money institutions), which are subject to the authorisation of the Bank of Italy (BoI) pursuant to Article 106 of the Consolidated Law on Banking; and
  • insurance brokers (insurtechs), which are subject to supervision by the Istituto per la Vigilanza sulle Assicurazioni.

2.4 How are they generally financed?

Among fintechs, start-ups may be funded through equity or debt funding. The most common ways to obtain equity finance include:

  • bootstrapping (ie, self-financing through the founders' own assets);
  • business angel financing;
  • financing from certified incubators (ie, stock companies registered in a special section of the Register of Companies); and
  • venture capital raising (eg, simple investment companies, introduced by the Growth Decree as a vehicle to support start-ups).

Moreover, start-ups can be financed through bank loans. However, in Italy, this traditional channel of financing is not well developed due to banks' resistance to equity investments, as they deem start-ups' business plans to be very risky.

There are also some public funding measures, such as:

  • Smart&Start Italia, which was established by means of a Ministry of Economic Development Decree of 24 September 2014 and aims to introduce measures for the promotion of entrepreneurship and financing for the production of goods and the exchange of services with high technological and innovative content. By means of the Relaunch Decree (Legislative Decree 34 of 19 May 2020), its budget has been increased to €100 million; and
  • the Central Guarantee Fund, which consists of a public guarantee for financing from banks and other intermediaries in favour of start-ups, among others.

The Relaunch Decree allocated for the year 2020:

  • €10 million for the granting of facilities to innovative start-ups in the form of non-repayable contributions for the provision of services by incubators, accelerators, innovation hubs, business angels and other public or private entities; and
  • €200 million for the Venture Capital Support Fund.

In addition, the Sostegni-ter Decree (Law Decree 4 of 27 January 2022) provided non-repayable funding for companies and economic operators affected by the COVID-19 pandemic (including fintech companies).

2.5 How are they positioned within the broader financial services landscape?

Fintech companies undertake a wide range of financial activities through multiple direct intermediary channels, offering specialised services in specific operational areas. They avail themselves of particularly fast and flexible structures.

In particular, fintech companies attract clients by leveraging on process and product innovations or new channels and distribution methods, as well as by expanding the markets (telematic/virtual) in which demand and supply of financial services can be matched. In this way, fintech companies propose new business models that may compete with those of incumbents.

This progressive entry into the market may be further encouraged by the introduction of the regulatory sandbox (see question 1.2).

This approach distinguishes fintech companies from the incumbents (especially banks and financial intermediaries), which have gradually expanded their areas of activity to become comprehensive providers of financial services and products.

Existing banks and financial intermediaries have been somewhat disorientated by the arrival of the newcomers. As a result, they have adapted their business models and organisational structures to the new market conditions, so that they can reach a wider range of clients by offering them an integrated and diversified range of services and products.

2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?

Under Italian law, start-ups may outsource back office functions. However, at this stage, the market for this kind of outsourcing does not seem well developed.

With regard to those start-ups willing to provide banking services, a licence must first be obtained from the BoI in order to operate in Italy. In such case the outsourcing of back office functions is regulated by the BoI Supervisory Instructions for Banks (see Part I, Title IV, Chapter III, Section IV thereof).

In addition, start-ups that wish to provide financial services must be authorised by Consob. In such case the outsourcing of back office functions is governed by the Joint BoI/Consob Regulation (see Articles 19, 20 and 21 thereof).

The above provisions aim to prevent and manage the risks deriving from an excessive and unmonitored use of outsourcing by those operators that, due to the type of activities carried out, might prejudice the management of public savings.

In any case, banks and/or intermediaries that outsource remain fully liable for the outsourced functions vis-à-vis their clients. In addition, outsourcers must put in place internal control systems designed to protect clients from the risks arising from the outsourcing of back office functions, among others.

On the other hand, the outsourcee must have the competence, capacity and authorisations required by law to carry out the outsourced functions in a professional and reliable manner, and must inform the outsourcer of any event that could affect its ability to efficiently carry out such functions.

3 Technologies

3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)

(a) Internet (e-commerce)

E-commerce is mainly governed by the following provisions:

  • The Electronic Commerce Code (Legislative Decree 70/2003) provides, among other things, for a set of disclosure obligations to be satisfied by the service provider, concerning detailed information thereon, prices and tariffs, as well as the conditions under which it offers its services to the public. Any breach of such obligations is sanctioned by an administrative fine of up to €10,000.
  • The Consumer Code (Legislative Decree 206/2005) distinguishes between ‘professionals' (ie, entrepreneurs) and ‘consumers', which provides for:
    • a set of disclosure obligations to be satisfied by professionals (concerning the consumer's personal details, a description and price of the service or product, the price of delivery and information on payment systems), so as to allow the consumer to make a conscious decision such service or product. Should the above information not be provided to the client, the relevant contract is null and void;
    • the nullity of clauses that create an imbalance between the parties' rights and obligations (so-called ‘vexatious clauses'); and
    • a right of withdrawal in favour of the consumer, which must be exercised within 14 days of the receipt of goods or the conclusion of the contract itself.
  • The Privacy Code governs the processing, dissemination, communication, storage, adaptation, alteration, erasure and destruction of personal data of the parties to an agreement, as well as the way in which data subjects can give consent to the processing of their personal data for one or more specific purposes.

(b) Mobile (m-commerce)

Mobile commerce is a form of commercial evolution, based on the use of any mobile device, smartphone or tablet. Currently, it is not subject to a special regime in Italy and instead is regulated by the general provisions governing e-commerce.

However, m-commerce applications imply the permanent storage of data needed for the conclusion of a transaction. As a result, stricter security measures must be observed in order to protect personal data and combat the potentially illegal use of the latter.

(c) Big data (mining)

For the purpose of monitoring the growing role of data in the production and exchange of goods and services, the final report on a survey on big data jointly carried out by the Autorità per le Garanzie nelle Comunicazioni (AGCOM), the Autorità Garante della Concorrenza e del Mercato (AGCN) and the Privacy Authority was published on 10 February 2020. It contains some comments on the impact of big data on the electronic communications and media sector, data protection, consumer protection and antitrust law. In particular, the report defines ‘big data' as the collection, analysis and accumulation of a large amount of data, while identifying its characteristics (ie, volume, variety, speed). In addition, AGCOM and the AGCN have issued some guidelines for the establishment of a permanent cooperation body to monitor the impact of big data on companies, consumers and citizens at large.

The Regional Administrative Court of Lazio issued two important decisions (260 and 261 of 10 January 2020), qualifying big data as an asset. In particular, with regard to the agreement for use of a social network service, the economic value of subscribers' personal data implies that the social network provider must comply with the duties of clarity, completeness and non-deceptiveness of the information to be supplied to subscribers for consumer protection purposes. Therefore, the social network provider must inform end users in advance that their personal data may be used for commercial purposes.

(d) Cloud computing

EU law (ie, EU Regulation 593/2008) establishes the applicability to cloud computing agreements of the law of the EU member state in which the consumer resides. Accordingly, the Consumer Code applies to such technology should the related service be provided to a consumer based in Italy.

The related agreement includes a variety of clauses typical of service agreements and licence agreements. The former usually include remuneration for the service provided, although cloud computing does not imply a service provided ad hoc to the client. Conversely, a licence agreement specifies how the end user may make use of the service. For this purpose, the cloud provider must ensure that the service will continue to be provided.

In order to enter into a cloud computing agreement, the following documents must be signed by the end user:

  • general terms of service;
  • a service level agreement;
  • an acceptable use policy; and
  • a data protection agreement aimed at regulating the relationship (and related liabilities) between the data controller and processor, as well as at guaranteeing the unavailability, integrity, confidentiality and portability of the relevant data.

Such agreements often include additional clauses, such as those regulating outsourcing of services.

With the adoption of the Recovery and Resilience Facility (by means of Law 233 of 29 December 2021), the Italian government has stated that its goals include achieving a high level of digitisation (ie, the Cloud Strategy Italy programme) through the adoption of cloud technologies in the public administration.

(e) Artificial intelligence

Artificial intelligence (AI) is usually analysed in light of data protection law provisions, with regard to the liability for damages resulting from its application. In this respect, it is worth mentioning those cases in which the outcome of the elaboration carried out through the AI application is characterised by a high degree of uncertainty. In such cases it should be established who is liable for any damages that ensue (ie, the author of the program, the manufacturer, the seller or the end user).

Legislative Decree 101/2018, which implemented the General Data Protection Regulation in Italy, introduced the accountability principle, whereby the data controller must adopt technical and organisational measures necessary to ensure and prove that data processing complies with the applicable law, with the consequence that it is not important who has acted in a way that is capable of causing damages, but rather who could have avoided such damages (ie, the data controller).

The Ministry of Economic Development, the Ministry of Technological Innovation and the Ministry of University and Research recently issued the Artificial Intelligence Strategy Programme (2022-2024), which has the following aims:

  • strengthening skills and attracting talent to develop an AI ecosystem in Italy;
  • increasing funding for advanced AI research; and
  • encouraging the adoption of AI and its applications, both in the public administration and in the productive sectors in general.

(f) Distributed ledger technology (Blockchain, cryptocurrencies)

Pursuant to Article 8ter of the Simplifications Decree, ‘distributed ledger technology' (DLT) is defined as: "computer technologies and protocols that use a shared, distributed, replicable, simultaneously accessible, architecturally decentralised and cryptographically based register, allowing for the recording, validation, updating and storage of both unencrypted and further encrypted data that can be verified by each participant, and that cannot be altered or modified."

The best-known DLT application is blockchain, which seems to conflict with data protection provisions insofar as its immutability collides with the right to data erasure or destruction. In addition, with regard to the right of data access, the person to contact in order to obtain the requested information often cannot be identified, as frequently there is no clearly stated data controller.

Another DLT application is virtual crypto-assets, which can be created through the launch of an initial coin offering. Once issued, the relevant crypto-asset can be bought or sold on an exchange platform using a legal tender currency. Their anonymous nature has made crypto-assets attractive to criminals, who use them for money laundering and terrorism financing purposes.

The increasing prominence of virtual currencies and the risk of their misuse for money laundering purposes has led the Unità di Informazione Finanziaria per l'Italia (UIF) (see Communication of 28 May 2019) to request banks and financial intermediaries providing payment services to detect and promptly report suspicious transactions to the UIF.

4 Activities

4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.

(a) Crowdfunding, peer-to-peer lending

The Crowdfunding Regulation aims to provide small and medium-sized enterprises and innovative start-ups with an alternative financing channel, while also protecting investors. The offer of financial instruments issued by innovative start-ups through online portals is allowed:

  • up to €5 million of stock capital;
  • provided that 5% of the venture capital shares are subscribed by professional investors; and
  • on condition that investors are entitled to withdraw from the offer in the event of subsequent changes to the latter or to the conditions of the start-up in question.

Crowdfunding portal managers must meet several disclosure obligations with regard to potential investors in relation to their activities, the risk of the investment at issue and the suitability of the subscription order.

In addition, investors are entitled to:

  • revoke the order if new significant facts arise which could influence the investment decision; and/or
  • withdraw from the investment within seven days of sending the order or in the event of a change of control of the issuer.

With regard to peer-to-peer lending, the BoI Provisions for Non-banks' Collection of Savings establish the conditions to be satisfied by subjects other than banks to collect savings from the public:

  • For portal managers, the receipt of funds to be deposited in payment accounts, as well as those related to the issuance of electronic money, does not amount to the collection of public saving; and
  • For applicants, the acquisition of funds through the platform does not constitute the collection of savings where it is carried out on the basis of personalised negotiations with individual lenders.

(b) Online lending and other forms of alternative finance (DLT, Smart Contract, crypto-activities):

In its report on initial coin offerings and exchanges of crypto-assets dated 2 January 2020, the Commissione Nazionale per le Società e la Borsa (Consob) specified that crypto-assets are to be deemed as ‘investments', consisting of the digital representation of rights related to a business investment issued, stored and distributed by means of DLT technologies. They can hence be qualified as ‘financial instruments' only if they fall within the scope of Article 1, paragraph 2 of the Consolidated Financial Act.

In addition, the offering platforms are governed by the provisions on crowdfunding. Accordingly, in order to operate as such, a platform manager must be authorised by Consob and enrol in an ad hoc register kept by Consob (or by an equivalent foreign national competent authority (NCA)). Upon issuance of a crypto-asset, the platform manager must publish a white paper containing all information related to the offer. Compliance with transparency, efficiency and technology quality standards, and with investor protection requirements, must be also ensured by portal managers during their activities.

A ‘smart contract' has been defined (for the first time in Italy) by Article 8ter of the Simplifications Decree as "a computer programme running on DLT and whose performance automatically binds two or more parties based on parameters defined by the parties themselves. It must meet the written form". Regardless of such legislative effort, some issues relating to the use of smart contracts remain, including:

  • the difficulty of identifying the applicable provisions in case of lack of consent;
  • how the identity and suitability of the parties to the relevant agreement should be assessed;
  • compliance with principles and general clauses of the Italian Civil Code, such as good faith, diligence and force majeure; and
  • consumer protection-related issues.

(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb):

Legislative Decree 11 of 27 January 2010, as subsequently amended by Legislative Decree 218/2017 (which transposed the First and Second Payment Services Directives into national law), contains the key provisions on payment services in Italy.

Under the above framework, one must first understand whether a given transaction falls within the so-called ‘positive' scope pursuant to the decree (which includes payment transactions in any official currency), and then check whether such transaction is excluded therefrom (by using the so-called ‘negative' test, whereby payment transactions made through an authorised agent who acts only on behalf of either the payer or the payee do not fall within the scope of payments relevant under the decree).

Moreover, payment service providers authorised by the BoI (ie, banks, payment institutions and electronic money institutions) are flanked by third-party providers, non-financial operators providing account information services (ie, account information service providers) and payment initiation service providers.

Furthermore, an electronic central register of payment service providers kept by the BoI has been established pursuant to the decree.

The provisions on security measures have recently been strengthened so as to protect end users against fraud and other risks. In particular, payment service providers must adopt strong customer authentication procedures in the event that a client accesses his or her payment account online, initiates an e-payment transaction or carries out any action through a remote channel that may cause damage to him or her.

According to the Italian Fintech Guide 2022, recently published by the Fintech District, payment services remain the most relevant business segment in Italy: they were the main driver of investments in the sector in 2020 and also played an important role in the first quarter of 2021. Strong demand for alternative payment models – particularly in the B2B and challenger banking sectors – has led to the growth of integrated payment solutions and ‘banking as a service' platforms (ie, platforms where banking services are integrated into a broader process allowing a complex financial service to be completed directly).

(d) Forex

Forex is a contract for the purchase and sale of currency settled for the difference, whose use is now monitored by Consob in order to combat the dangerously increasing phenomenon of abusive provision of financial services.

Forex is a highly risky financial instrument subject to volatility and leverage. It is lawful per se, yet capable of becoming unlawful if offered by unlicensed companies (ie, those that are not (or not yet) authorised to provide investment services by Consob, the BoI or a foreign NCA).

At present, it is possible to consult Consob's website in order to check whether an intermediary offering forex investments falls within the list of authorised companies. In addition, Consob periodically issues communications to protect investors from unauthorised offers and hosts investor protection warnings from foreign NCAs.

Should an investor have doubt about the abusive nature of a forex service provider, he or she should promptly report the matter to Consob, which – if it ascertains the existence of a possible fraud – must file a report with the competent judicial authority.

Finally, should the commitment of an unlawful act be ascertained, Consob must black out the provider's website and apply an administrative sanction thereto (including to its manager(s) and employee(s), if necessary).

(e) Trading

In general terms, online trading is governed by the Consolidated Financial Act (Articles 34 and following), as well as by the Intermediaries Regulation (Articles 42 and following), which governs the receipt and transmission of orders and execution only; and by Consob Communication DI/30396 of 21 April 2000 on online trading and rules of conduct.

Participation in regulated markets and multilateral trading facilities is allowed for authorised intermediaries, to which a trading identification code is assigned upon grant of the relevant licence(s). Access to the markets by parties other than authorised intermediaries is possible only through ‘direct electronic access', which allows clients to access to the market using (‘direct market access') or not using (‘sponsored access') the intermediary's trading identification code.

Pursuant to the ‘technological neutrality' principle, a legal entity that wishes to offer investment services or products in Italy must obtain a licence, regardless of whether such services or products are also intended to be provided online. Should this be the case, intermediaries must implement specific technical and operational procedures to ensure full and effective compliance with the relevant obligations pursuant to the applicable law (see question 4.6).

Among other things, these include:

  • the written form of the investment contract;
  • the information disclosure obligations (especially vis-à-vis retail clients); and
  • client due diligence for anti-money laundering purposes.

(f) Investment and asset management:

Under Italian law, there is no specific regulation governing the use of technologies in the financial services sector. Hence, the general rules apply.

Investment services can be provided by fintech companies only after they have been granted ad hoc authorisation by Consob and/or the BoI.

As a key principle, fintech companies licensed to provide for the above services must act diligently, fairly and transparently (see Article 21, letter a) of the Consolidated Financial Act).

Moreover, fintech companies must comply with:

  • the appropriateness test principle, in order to carry out the receipt and transmission of orders, trading on own account and placing of financial instruments; and
  • the sustainability test principle, in order to provide portfolio management and/or investment advice services (see Articles 40 and 42 of the Intermediaries Regulation).

Furthermore, fintech companies providing collective asset management services must:

  • operate with diligence, fairness and transparency;
  • ensure that the management is performed independently;
  • acquire knowledge and adequate understanding of the conditions of marketability of financial instruments, assets and other valuables in which it is possible to invest the assets managed;
  • ensure equal treatment of all investors; and
  • acquire reliable, up-to-date information necessary to formulate provisions and conduct analysis, and define the consequent general investment strategies (see, among others, Articles 97 and 98 of the Intermediaries Regulation).

(g) Risk management:

Pursuant to the Joint BoI/Consob Regulation of 29 October 2007, an intermediary must establish a permanent risk management function, whose tasks may be summarised as follows:

  • Define the intermediary's risk management system;
  • Preside over the functioning thereof;
  • Monitor compliance with such system by the intermediary itself;
  • Verify the adequacy and effectiveness of the measures adopted to deal with the deficiencies identified; and
  • Submit to the intermediary's bodies, at least once a year, a report on the activities carried out.

The prospective impact of new technologies on the risk management systems of financial intermediaries has been extensively analysed by the BoI, which has also classified the most relevant risks to which an intermediary is exposed (eg, liquidity, counterparty, credit, market, regulatory and reputational risks).

In addition, the BoI has pointed out that the impact of fintech on the traditional risks faced by incumbents (ie, existing banks and intermediaries) derives indirectly from the arrival of newcomers (ie, fintech companies), and directly from the latter's entry into one or more new business areas through an expansion of the range of products and services offered, and/or the establishment of controlled legal entities.

(h) Roboadvice

Roboadvice is governed by the same provisions that regulate investment advice in general (see question 4.6), as it concerns a well-contextualised transaction relating to specific financial instruments, characterised by a personalised recommendation addressed to a client or group of clients.

Pursuant to the suitability test principle, in order to recommend investment services and/or financial instruments that are deemed to be suitable to a client, the intermediary must obtain from the latter a complete set of information (ie, investment knowledge and experience, financial situation and investment objectives (including risk tolerance)).

Both the European Security and Markets Authority and Consob have recently focused on the safety of algorithms, emphasising that it is always necessary for robo-advisory processes to have human intervention to verify that the decision processes they govern are not affected by errors.

Retail investors based in Italy still seem reluctant to avail of roboadvice, due to both an insufficiently sophisticated financial culture and the risks associated with digital investments (eg, cybersecurity and improper data processing). Therefore, roboadvice is mainly addressed to professional investors.

(i) Insurtech

To date, there are no specific provisions in force in Italy governing insurtech. Therefore, this is regulated by the Private Insurance Code, and the provision of insurance services through the use of technologies is reserved to insurance companies authorised by the Istituto per la Vigilanza sulle Assicurazioni (IVASS).

Pursuant to the Insurance and Reinsurance Distribution Regulation, which transposed the EU Insurance Distribution Directive into national law, an insurance intermediary must inform the client, prior to the provision of the relevant service, of:

  • its disclosure obligations, aimed at ensuring the highest level of transparency for the client;
  • specific information on the intermediary itself;
  • potential conflicts of interest; and
  • its client protection measures.

The intermediary must also provide the client with a suitability questionnaire in order to identify the insurance service or product most suitable for his or her specific needs, as well as an informative note in which the insured's guarantees and rights, as well as the insurance company's obligations, are clearly summarised.

IVASS is working on the definition of a new set of provisions and technological standards governing insurtech services and products. The aim is to ensure adequate levels of market and client protection, and guarantee the fair regulatory treatment of both existing and new operators, while avoiding regulatory arbitrage and encouraging innovation.

In this regard, IVASS recently adopted a Strategic Plan (2021-2023) in order to:

  • investigate the phenomena associated with the digitalisation process and foster a dialogue with insurance and technology operators;
  • promote activities relating to the development of innovative supervisory and regulatory technology tools in collaboration with the BoI and with the academic world; and
  • identify research initiatives on topics related to insurtech and artificial intelligence aimed at a more intense action of consumer protection for aspects relating to transparency, ethics and insurance inclusion.

5 Data security and cybersecurity

5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?

Data protection provisions are contained in the Privacy Code, which is characterised by:

  • significant sanctions;
  • lawfulness, fairness and transparency principles; and
  • the recent introduction of new rights for data subjects, such as the right to erase their data.

In the banking and financial sector, the protection of personal data mainly concerns the circulation of information and the tracking of transactions.

The principle of accountability, as introduced by the General Data Protection Regulation, requires the adoption of technical measures and organisational models that enable data to be managed and stored in accordance with the abovementioned principles.

In particular, the data controller must carry out a preventive data privacy impact assessment in order to identify and apply appropriate corrective measures to prevent the occurrence of the identified risks.

In light of such principles, fintech companies must justify the use of certain kinds of data and ensure that this is adequate, accurate and updated, while not exceeding the purpose for which it was collected. They must also ensure that sensitive data is used only with the data subject's explicit consent and solely for limited purposes.

Conversely, clients are entitled to be informed in a clear and easily accessible manner of all possible uses of their data, especially if this is to be used in automated decision-making processes, such as profiling.

Finally, in order to avoid sanctions, fintech operators must comply with the provisions on monitoring access to clients' data and implement alerts that detect any abnormal access to the same.

5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?

The banking and financial sector is more vulnerable to cyberattacks due to the widespread use of information and communication technology services. The Ministry of Economy and Finance (MEF) is the competent authority in this field, in collaboration with the BoI and the Consob.

The relevant law in this field is the Cybersecurity Law, which implemented the Directive on Network and Information Systems Security in Italy, assigning to the Department of Information for Security (DIS) the role of single point of contact with the MEF. DIS is responsible for coordinating issues relating to the security of networks and information systems, as well as cross-border cooperation between Italian and European national competent authorities.

With the aim of increasing cyber risk management capacity and IT security, a highly specialised cybersecurity structure (CERTFin) was established in 2017 by the BoI, the Italian Banking Association (IBA), the Istituto per la Vigilanza sulle Assicurazioni, the Italian Association of Insurance Companies and IBA Lab (the Research and Innovation Centre for Banks promoted by the IBA). CERTFin is authorised to support and coordinate relevant cybersecurity incidents suffered or threatened to the participants in its constituency. On 3 December 2019 Consob also joined CERTFin.

Finally, on 16 January 2020 Consob and the BoI agreed on a common strategy for strengthening cybersecurity in the Italian financial system, fighting cyber threats relating to the use of new technologies and, in general, ensuring the reliability of the financial system.

Law Decree 82 came into force on 14 June 2021, which established the National Cybersecurity Agency with the aim of:

  • promoting a coherent regulatory framework in the sector;
  • exercising inspection and sanction functions;
  • developing collaborations at international level with counterpart agencies; and
  • ensuring coordination between public actors and the implementation of public-private actions for the purpose of fostering cybersecurity and resilience in the digital development of Italy.

6 Financial crime

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?

The relevant provisions governing this field are set out in the Anti-money Laundering Law.

Recipients (including banks and financial intermediaries) must comply with specific obligations regarding customer due diligence, storage of documents and information acquired so as to allow the tracking of financial flows, as well as the reporting of suspicious transactions to the Unità di Informazione Finanziaria per l'Italia (UIF).

By means of Legislative Decree 90/2017, the client due diligence obligation has been strengthened. As a result, service providers in the crypto-asset sector – currently limited to those converting virtual currencies from or into traditional currencies – have been included on the list of addressees of anti-money laundering provisions. Therefore, they must enrol in the special register managed by the Board of Agents and Brokers (Organismo Agenti e Mediatori (OAM)), which is likely to enter into force by 18 May 2022. The Ministerial Decree of 30 January 2022 established the procedures for the implementation of this register.

Moreover, by means of Legislative Decree 125/2019, electronic wallets have been included in the categories of devices that fall within the scope of the above provisions, with the consequence that the obligation to enrol on the special register also apply to digital portfolio service providers.

Furthermore, since crowdfunding platforms risk being used for illicit purposes, customer due diligence, data recording and the reporting of suspicious transactions to the UIF must also be complied with by financial intermediaries that assist portal managers. Conversely, in social lending, such obligations must be satisfied directly by portal managers.

7 Competition

7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?

Fintech operators do not operate on the same level. Big-techs and fintech companies, unlike incumbents, are characterised by the extensive use of technology and streamlined procedures, as well as by a limited but highly specialised workforce (see question 2.5).

According to a fintech observatory called Banca Impresa 2030 (established at an academic level with the support of the Italian Private Equity, Venture Capital, and Private Debt Association and KPMG), a healthy competitive market can be achieved only by creating a regulatory framework that does not distinguish between incumbents and newcomers.

Therefore, the creation of a level playing regulatory field is the ultimate goal of the following proposals:

  • more dynamic and suitable rules;
  • prevention of the fragmentation of EU law provisions;
  • more homogeneous business models in terms of client protection and appropriateness of operational processes; and
  • application to the incumbents of the same regulatory regime reserved to fintech operators.

The introduction of the regulatory sandbox (see question 1.2) aims to promote competition in an already highly regulated sector. It remains to be seen whether this recently introduced regime will incentivise foreign companies to enter the Italian fintech market, ultimately contributing to the digitalisation and innovation of the Italian financial services sector.

8 Innovation

8.1 How is innovation in the fintech space protected in your jurisdiction?

In Italy, the protection of IP rights is mainly regulated by the Industrial Property Code (Legislative Decree 30 of 10 February 2005).

Inventions (ie, new ideas, models and applications that involve an inventive step and are capable of industrial application) may be the object of a patent application. Industrial property includes trademarks and other distinctive signs, geographical indications, designations of origin, designs and models, inventions, utility models and trade secrets.

Industrial property rights are acquired through a patent or registration. Inventions and utility models are patented. Trademarks, designs and models are registered.

In compliance with the European Patent Convention, to which Italy is a party, a computer program (ie, a software) on which some of the technologies used for the provision of fintech services is based is not patentable per se, but may be patentable as a ‘method'. This is referred to as a ‘computer-implemented invention', rather than a ‘software patent'. However, in order to be patentable, there must be a technical effect resulting from execution of the computer program in question which goes beyond the normal interaction between a program and the computer running it.

Software is protected by copyright pursuant to Law 633 of 22 April 1941, in whatever form expressed, as long as it is original (ie, it is the result of the author's intellectual creation).

Finally, Ministerial Decree of 14 May 2020 established the criteria for assigning money vouchers in favour of innovative start-ups to finance consulting services necessary to enhance and protect their innovation processes through a patent for industrial invention (up to €19.5 million allocated for the period 2019-2021).

8.2 How is innovation in the fintech space incentivised in your jurisdiction?

The Stability Law for 2015 (Law 190 of 23 December 2014) introduced the so-called ‘patent box', setting out tax relief for revenue deriving from the exploitation of IP assets such as patents, designs, know-how and software. This encourages companies to invest in research and development, and helps to attract investment into Italy and consequently promote economic growth.

The Stability Law for 2022 (Law 234 of 30 December 2021) amended the current regulations by changing the system of relief in two respects:

  • The surcharge, for the purposes of direct taxation and regional tax on productive activities, has been increased from 90% to 110%; and
  • The scope of application has been restricted to expenses incurred in carrying out research and development activities for maintaining, enhancing, protecting and increasing the value of software protected by copyright, industrial patents and legally protected designs.

Trademarks, processes, formulae and information relating to experience acquired in the industrial, commercial or scientific field are excluded.

In addition, a group of experts established by the European Commission (the so-called ‘Rofieg'), has identified, in accordance with the FinTech Action Plan of 2018, the regulatory obstacles facing fintech companies that hinder financial innovation. It has also set out some recommendations aimed at facilitating the balanced development of regulation, so as to ensure the competitiveness of the financial system while also contributing to the development of standards for the interoperability of technology.

In any case, the competitiveness of the European financial system will also depend on other factors, such as the availability of specialised expertise, fair taxation, an increase in risk capital and suitable technological infrastructure.

9 Talent acquisition

9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?

Law Decree 179 of 18 October 2012 (converted into Law 221 of 17 December 2012, as subsequently amended and supplemented) contains a specific regime for innovative start-ups in the employment context. The main features are as follows:

  • The 20% limit for fixed-term hires compared to the total number of permanent employees does not apply;
  • Fixed-term contracts can be renewed without respecting the so-called ‘stop-and-go' period; and
  • Tax credits are granted for the hiring of highly qualified employees.

The law further provides that employees' compensation must include:

  • a fixed part, which cannot be lower than the minimum set out by the applicable national collective bargaining agreement; and
  • a variable part, linked to the efficiency and profitability of the company in question, as well as to the employee's productivity or to production targets specifically agreed between the parties. This variable part may also consist of the assignment of stock options, as well as the free transfer of company quotas or shares.

Finally, at the beginning of each working year, a special tax exemption for the hiring of permanent employees is introduced (or confirmed) by means of a new law provision.

9.2 How can fintech companies attract specialist talent from overseas where necessary?

The attraction of specialist talent implies a rethink of the recruitment process, which necessarily involves:

  • reformulating hiring strategies to emphasise opportunities to work with innovative technologies for a competitive fee (eg, fintech companies could attend international job fairs to attract tech talent); and
  • considering flexible alternatives, such as talent exchange and project recruitment through partnerships with third parties to obtain the necessary talent in the short or long term.

To combat the so-called ‘brain drain', the Growth Decree provides for a series of tax incentives. In particular:

  • the duration of the so-called ‘favourable tax regime' has been extended from four to six years; and
  • the duration of the tax benefit has been extended to eight, 11 and 13 years, respectively, provided that some conditions are met (eg, number of children and the purchase of a residential property unit in Italy).

10 Trends and predictions

10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Due to the ongoing COVID-19 crisis, there will likely be growth opportunities for companies that provide credit and liquidity to clients or enable companies to make large savings in terms of time and simplification of related processes.

Despite the COVID-19 crisis, Italy has adopted the Recovery and Resilience Facility (RRF) to access funds from the Next Generation EU programme. The RRF, which was approved on 13 July 2021, aims to:

  • revive the Italian economy after the pandemic by stimulating an ecological and digital transition; and
  • promote structural changes in the national economy, starting with combating gender, territorial and generational inequalities.

The RRF has six main missions, to be implemented over a period of five years. The government began implementing these in the second half of 2021 and must complete and report on them by the end of 2026. The RRF aims to revitalise the country's economic and social structure by focusing in particular on the levers of digitalisation, ecological transition and social inclusion.

The adoption of the regulatory sandbox represents an important step in this direction.

Another challenge is represented by sustainability. In this regard, fintech companies could revise their business models and organisational processes towards more sustainable development.

11 Tips and traps

11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?

The COVID-19 emergency may accelerate the development of a third phase in the fintech sector, characterised by stronger partnerships between existing banks and intermediaries on the one hand and fintech companies on the other. For example, banks could simplify the procedure to allow start-ups to access the beneficial measures available under the Liquidity Decree; while fintech companies could reduce the time needed to bring new innovations to market, due to the high degree of digitalisation and specialisation that distinguishes them. Nevertheless, such collaboration would require greater maturity from banks and intermediaries in order to be effective.

To position themselves for success, fintech companies should:

  • personalise their activities to adapt more to clients' individual needs and preferences;
  • balance tech and the ‘human touch', as clients need to engage with a human adviser on key decisions; and
  • make cybersecurity a business priority.

Finally, the lack of a specific and homogeneous regulatory fintech framework is an obstacle to investment in Italy, as fintech companies operate in a general atmosphere of uncertainty that can result in higher operational costs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.