FINTECH DECREE. THE LIST OF THOSE RESPONSIBLE FOR DIGITAL CIRCULATION REGISTERS

Autore: Prof. Enea Franza, Economista

1. Regulatory framework

As is well known, the "Fintech Decree" referred to in Legislative Decree No. 25 of March 17, 2023, as converted by Law No. 52 of May 10, 2023, introduced into the Italian legal system a new regime of form and circulation for certain categories of financial instruments that is based on entries made on registers for digital circulation[1] as an alternative to the securitized regime and that of accounting entries at a central depository.

In this regard, it should be noted that the trading of shares or bonds on the Italian Stock Exchange markets takes place exclusively in dematerialized form, i.e. without any "physical passage" of paper certificates. For each issue of financial instruments, the offeror of the securities must choose a single centralised management company with which to open an account. In Italy, Euronext Securities Milan (Monte Titoli S.p.A.) acts as central depository of dematerialized financial instruments. The bidder can decide whether to operate independently with the central depository or use a third-party company specialized in this activity (so-called Issuer Agent). With the exception of LLC shares, all financial instruments can or must be dematerialized, subject to the issuance of an ISIN code by the Bank of Italy, which uniquely identifies each financial instrument to be centralized.

The relevant legislation allows the voluntary dematerialization of shares to all joint-stock companies, even if they are not listed and not subject to regulatory obligations. Dematerializing and centralizing shares allows, among other things, the registration of each transfer of ownership without any notary cost by old and new shareholders, making it easier to buy and sell[2]. Dematerialization is not exclusive to shares, it also easily extends to other financial products[3].

The "Fintech Decree", it should be recalled, constitutes, on the one hand, the national complement to Regulation (EU) 858/2022 which established the so-called pilot regime for DLT market infrastructures ("Pilot Regime Regulation") and, on the other hand, it also applies to cases not included in the scope of operation of the Pilot Regime Regulation. In essence, the new regulation provides that the issuance of "digital financial instruments" takes place on registers for digital circulation held by entities responsible for the register that are registered in a special list kept by Consob.

In detail, Article 2 of the "Fintech Decree" sets out the scope of application of the new regime for issuing and circulating in digital form, identifying certain categories of financial instruments, without prejudice to the qualitative and quantitative limits set by the DLT Regulation for the purposes of applying the DLT pilot regime^[4]. In addition, pursuant to Article 28(2)(b) of the "Fintech Decree", Consob, in agreement with the Bank of Italy, may identify by regulation additional instruments that issuers may subject to the new rules.

It should be noted that the provisions of the "Fintech Decree" referred to in Section I provide that the issuance and transfer of digital financial instruments must be carried out through entries on a register for digital circulation held by a Registry Manager, by the manager of a DLT SS or DLT TSS or by the Bank of Italy or the Ministry of Economy and Finance,  as well as any other subjects identified with the regulation to be adopted by Consob pursuant to Article 28, paragraph 2, letter i). Moreover, in addition to establishing the requirements of the registers for digital circulation (Article 4 of the Decree), the Decree regulates the effects produced by the entry made in the register, which guarantees, to the person in whose favour it is made, full and exclusive legitimacy regarding the exercise of the rights relating to the financial instruments subject to the same, according to their own regulations. Now, pursuant to the provisions of the "Fintech Decree", the person who has obtained the registration on the basis of a suitable title and in good faith will not be subject to claims or actions by previous holders and against him the issuer will only be able to oppose the personal exceptions to the subject itself and those common to all other holders of the same rights.

As a result of the entries on the register, by adapting the provisions of the securitized regime to the digital nature of the underlying asset, it will be possible to determine the legitimacy to attend the shareholders' meeting and to exercise the vote, the legitimacy to pay profits and other distributions relating to digital financial instruments, as well as to create constraints and fulfill the formation and keeping of company books. The aforementioned Decree introduced into the legal system the new figure of the Registry Manager as a person authorized to execute entries in digital form relating to the issuance and transfer of the financial instruments identified in art. 2, paragraph 1, of the Decree (the "digital financial instruments") and the establishment of constraints on them[5].

2. The "Regulation" on the issuance and circulation of financial instruments in digital form. The Registry.

The adoption of the "Regulation" on the issuance and circulation of financial instruments in digital form, referred to in Consob resolution no. 22923 of 6 December 2023, has integrated the regulatory provisions on the Register of persons authorised to execute entries in digital form in terms of the establishment, registration, cancellation and regulation of the activity of members. The aforementioned Regulation consists of two parts and is accompanied by three Annexes; Part I, containing the "General provisions" (regulatory sources, definitions, organisational unit responsible for the procedure and methods of communication with the Authority) and Part II dedicated to the "List of Persons in charge of digital circulation registers and related regulations.

In detail, the "Regulation" regulates: the establishment of the list (Art. 5 - Establishment of the list, Art. 6 - Content of the list and Art. 7 - Publication of the list) Registration and removal from the list (Art. 8 - Application and investigation for registration, Art. 9 - Registration in the list of Italian central depositaries, Art. 10 - Removal from the list upon request, Art. 11 - Ex officio removal from the list, Art. 12 - Further procedural provisions) and, finally, Art. 13 - Communications on the exercise of the activity); and, finally, the Discipline of the activity of the Registry Manager (Art. 14 - Minimum content of the document on the operating procedures of the Register).

The activity of Registry Manager can only be carried out by certain categories of subjects, including: banks, investment firms and market operators established in Italy [art. 19, paragraph 1, lett. (a)]; financial intermediaries pursuant to Article 106 of the Consolidated Law on Finance, electronic money institutions, payment institutions, insurance or reinsurance managers and undertakings established in Italy[6]  [Article 19, paragraph 1, lett. (b)]; corporate issuers  with registered office in Italy who intend to become Heads of the Register exclusively in relation to financial instruments issued by them [art. 19, paragraph 1, lett. (c)]; entities established in Italy who intend to carry out the activity of Registry Managers also for financial instruments of third-party issuers [art. 19, paragraph 1, lett. (d)]; subject to registration in the appropriate list kept by Consob. This registration is subject to the submission of an application and the successful outcome of the relevant investigation, which must verify the possession of the requirements referred to in art. 20, paragraphs 3 to 6, established in order to ensure a level of reliability and security of transactions similar to that of the scriptural and securitized regimes already known to the legal system.

As is well known, these are activities that pertain to Consob's new supervisory competences that have as their object operations with a particularly high degree of innovation and complexity since their distinctive feature is the use of Distributed Ledger Technology (DLT) technologies, i.e. a register created, maintained and updated synchronously by several computational centers (the "nodes") connected to each other in a network and typically operating in independently.

Referring to the provisions of the above-mentioned rules for further details, it seems useful here to provide a brief summary of the key requirements set out in the Decree. 

The requirements of the registers for digital circulation identify the following characteristics that the register must guarantee: the integrity, authenticity, non-repudiation, non-duplication and validity of the entries, the prevention of the loss or unauthorised modification of the data on the entries, the identifiability of the persons in whose favour the entries are made and their position in securities,  the accessibility to entries and the transferability of digital financial instruments at any time by the holders, the bookability of constraints and the identifiability of the related characteristics and, finally, the accessibility by Consob and the Bank of Italy for the exercise of their respective functions.

The property of integrity pertains to the "starting data", i.e., it is connected to the quality of the data relating to the so-called writing. The underlying principle is related to the impossibility of modifying it and, therefore, the need for it to be protected from accidental or unauthorized alterations, deletions or additions. On the other hand, the ownership of the so-called authenticity indicates the need for the data to always be attributable to a certain address (i.e. to  the wallet of a specific subject). Therefore, the system must make it possible to verify the origin of a piece of data (the origin of the writing must always be certain, i.e. the identity of the person who carried it out and the subjects against whom it produces effects).

In addition, the ownership of the so-called non-repudiation implies that the holder of the wallet, the subject to whom a certain address is assigned, from which a certain data comes, cannot deny its origin[7].

The property of non-duplicability/non-reproducibility relates to the problem of the so-called double expenditure. The system must be implemented in such a way as to ensure that each "legal situation" (issuance, transfer, creation of a bond) corresponds to a single entry. The principle stated implies that it cannot be technically possible to create reproductions of the original data that are indistinguishable from the original itself[8]. The validity property indicates that the write is done as a result of a validation process[9].

The Registry Managers are required to ensure the compliance of the Registry with the above requirements and must comply with a series of obligations aimed at ensuring the integrity and security of the system, preventing the use of digital financial instruments by entities other than those legitimate, ensuring business continuity, the restoration of activity and the non-modifiability of the number of digital financial instruments that constitute the individual issue,  to adequately inform the public about the characteristics of the register.

The Registry Managers are also obliged to send Consob a technical report illustrating the initiative and to define a clear and detailed transition strategy for the transfer of entries to another register or (where this is not available) for the change in the regime of form and circulation of digital financial instruments. Finally, further obligations are provided for the Managers of the Register attributable to lett. (c) and d) or only to lett. (d), Article 19(1). These include the obligation, for both categories of subjects, to take out a policy, or other appropriate form of guarantee, to cover liability for damages that may arise from assuming the role of Registry Manager.

With the Regulation adopted on 6 December, Consob has regulated the procedures for submitting the application for registration in the list (also identifying the list of documents to be attached) and has detailed in a special scheme (Annex 2 to the Regulation pursuant to Article 20, paragraph 3, letter e) of the Decree), the minimum information elements that the applicant must include in the illustrative technical report. These are documents on which Consob's verification activity is hinged aimed at ascertaining the compliance of the overall infrastructure used by the applicant with the requirements of the Decree.

Incidentally, due to the fact that the technological component is of central importance in the exercise of the activity, Consob, as established by the "FinTech Decree", may require the acquisition of technical assessments by subjects with specific expertise in the field. 6 Again along the lines of the provisions of Article 17 of Law 241/1990, it is also provided that, if the appointed auditor does not transmit the results of the audit or does not represent the need for investigation within the prescribed period, a different independent auditor with equivalent qualification and technical capacity is to be appointed.

In particular, it should be noted that according to the scheme attached to the Regulation, the report is articulated, firstly, in the description of the combination of all those components necessary for the operation and management of IT environments and enterprise IT services, or, in other words, of the technological infrastructure as a whole, including off-chain components and functions,  with a focus on the functioning and characteristics of DLT.

A second aspect of relevance is related to the analysis of risks, including those related to the processing of information from a company's IT system (databases, hardware, software) that are violated, stolen or deleted due to accidental events or malicious actions (such as, for example, hacker attacks) or, in a broad sense, all cyber risks) and related mitigation measures. Equally important is the self-assessment, i.e., the self-assessment by the applicant on compliance with the requirements of the Decree. Finally, there is a specific section where "further information" is provided regarding, among other things, the category of digital financial instruments to be processed, the methods of cash settlement, the transactions that can be entered on the register and the third parties that the Registry Manager intends to use.

Incidentally, Article 23, paragraph 3, of the "FinTech Decree" places on the managers of the register the burden of preparing a document to be made available to the public in an electronic form that is easily accessible and can be consulted at any time that informs potential users about the operating methods of the register and the devices to protect its operation,  including the transition strategy. Article 14 of the regulatory text under consultation provides that this document must present at least the content detailed in Annex 3 to the aforementioned Regulation.

3. Conclusions

As we have noted, the "Fintech Decree" recognises the possibility of using distributed ledger technologies (DLT) for the issuance and transfer of financial instruments, regulating the relevant conditions and defining the traffic law. The provision also confers on Consob a series of regulatory powers including, as we have seen, the determination of the principles and criteria for the formation and maintenance of the list of those responsible for the register, a series of discretionary powers that the Supervisory Authority has reserved the right to exercise in several phases, also in light of market needs.

The Regulation regulates, as a first step, the registration and removal from the list of those responsible for the register for digital circulation; the entities responsible for the registers also include issuers with registered office in Italy for the holding of financial instruments issued by them (Article 19 of the Fintech Decree) which, in this case, would be exempt from the mandatory dematerialisation rules provided for by the TUF (see Article 3 of the Fintech Decree) and, in addition, establishes minimum information requirements relating to the document that contains the operating methods of the register and the measures to protect its operation.

With regard to the supervision of digital issuance and circulation, the "Fintech Decree" assigns the functions to the Bank of Italy and Consob according to the following division of competences: Consob is responsible for transparency and the orderly performance of the activity of the head of the register as well as the protection of investors. The Bank of Italy, on the other hand, is responsible for the stability and containment of risk in its various configurations limited to central depositories, operators of wholesale markets in government securities, banks, and investment firms that carry out the activity of head of the register with reference to digital financial instruments of third-party issuers other than the members of the group to which they belong.

Furthermore, with reference to information obligations, it is reiterated that the reporting obligations, including periodic ones, for issuers of digital financial instruments vis-à-vis the Supervisory Authorities. Similarly, it also regulates cases in which the persons in charge of the digital circulation registers are required to inform the competent supervisory authority of all acts, or facts that may constitute an irregularity in management, or a violation of the rules governing the activity of the person in charge of the register.

The control and monitoring of implementation will be carried out by Consob and the Bank of Italy according to the division of responsibilities mentioned above. In fact, Article 27 of the Decree indicates the division of competence between Consob and the Bank of Italy, attributing the relevant powers, necessary to ensure supervision of compliance with the provisions relating to the issuance and circulation of digital financial instruments by the heads of the register, of the issuers who make use of the regulations in question, where different from the heads of the register and the managers of SS DLT and TSS DLT[10].

Finally, Article 32 provides for the monitoring regime.

In detail, paragraph 3 provides that Consob and the Bank of Italy shall transmit, within five years of the entry into force of the article in question, to the "Fintech Committee" established at the Ministry of Economy and Finance[11], an explanatory report on the market phenomenon and the results that emerged from the application of the new rules. Within the report, the Authorities will have to indicate, each for the profiles of its competence, the critical issues encountered by the interested parties and by the Authorities themselves, including the assessments relating to the discipline of the head of the single and multi-issuer register), given the novelty of the new entity, any limits of the discipline and the regulatory interventions that are necessary,  also taking into account any subsequent developments in the European regulatory framework[12].

[1] That is the phrase chosen by the national legislature to identify distributed ledgers.

[2] Once the transaction has been concluded (whether between private individuals or on a Borsa Italiana market in the case of shares admitted to trading, for example) the investor will not have to worry about physically delivering the share certificates, but it will be the centralized management company (Monte Titoli) that will make an accounting entry with which he will transfer the securities from the securities deposit account of the seller to the securities deposit account of the buyer. The banks of the respective entities will also act as withholding agents for individuals.

[3] The financial instruments are listed in the Consolidated Law on Finance in Article 1, paragraph 2. They are: shares and other risk capital securities that can be traded on the capital market; bonds, government securities and other debt securities marketable on the capital market; units of mutual funds; securities normally traded on the money market; any other normally traded security that allows the acquisition of the instruments indicated above; futures contracts on financial instruments, interest rates, currencies, commodities and related indices; spot and forward exchange contracts (swaps) on interest rates, currencies, commodities and equity indices; forward contracts linked to financial instruments, interest rates, currencies, commodities and related indices; options contracts to buy or sell the instruments referred to in the preceding paragraphs and their indices, as well as options contracts on currencies, interest rates, commodities and related indices; combinations of contracts or securities set out above. Means of payment are not considered financial instruments.

[4] In general terms, a financial instrument is a contract that creates both a financial asset for one party and a liability or equity for another. The Fintech Decree defines "digital financial instruments" as those issued on a register for digital circulation, while "digital form" refers to the circumstance that certain financial instruments exist only as entries in a register for digital circulation. The decree does not extend its scope of application to all types of financial instruments provided for by MiFID II, but limits its regulatory regime to the following specific categories: • shares and bonds of joint-stock companies; • debt securities issued by limited liability companies;• additional debt securities whose issuance is permitted under Italian law;• depositary receipts relating to bonds and other debt securities of non-domiciled issuers issued by Italian issuers; • money market instruments regulated by Italian law; • shares or units of Italian AIFs or UCITS. Excluded from the decree are the shares of s.r.l.

[5] For the sake of completeness, it should be noted that the Fintech Decree has also granted Consob other regulatory powers, which the Authority has communicated to exercise subsequently and in several phases.

[6] These persons may carry out the activity of Registry Manager exclusively with reference to digital financial instruments issued by them or by members of the group to which they belong established in Italy.

[7] The system must be developed in such a way that the subject from whom the data comes cannot deny the origin of that data and, conversely, the subject who receives that data cannot deny that he or she has received it).

[8] Such ownership, which in the abstract would seem to solve the problem of a possible double alienation, does not, however, solve the further possible pathological situations, such as the theft of the private key, which would in any case justify the introduction of a regime on the acquisition of good faith.

[9] It should be remembered that the model of a transaction can have the following two outcomes: a) operation terminated correctly and this occurs when the application, after executing all the operations, executes a particular SQL statement, called COMMIT, with which it communicates to the Transaction Manager the end of the operations, i.e., b) operation terminated incorrectly; the latter event occurs when the transaction decides, for a certain reason, that it does not make sense to continue and therefore "aborts" by executing the ROLLBACK instruction, i.e., when the system is unable (e.g. due to a failure) to ensure the correct continuation of the transaction, which is then aborted.  If the transaction cannot terminate successfully, the DBMS must discard (UNDO) any changes made to the database. Now it should be noted that the transaction model is actually much more complex. For example, it is possible to define so-called "savepoints" that are used by a transaction to only partially undo the work done.

[10] With particular reference to the implementation of the DLT pilot regime regulation, Article 29 identifies Consob and the Bank of Italy as competent authorities for the application of Regulation (EU) 2022/858 pursuant to art. 2, number 21 of the same regulation, taking into account the current structure of powers in the field of investment services, markets and central depositories provided for by Legislative Decree no. 58 of 1998, and without prejudice to the provisions of EU Regulation 1024/2013.

[11] See Article 36, paragraph 2-octies, of Decree-Law No. 34 of 30 April 2019, converted, with amendments, by Law No. 58 of 28 June 2019.

[12] On the other hand, with reference to the simplification of the procedures for accessing the Fintech trial, the control and monitoring of the implementation of the regulatory intervention will be implemented by the supervisory authorities, which are responsible for assessing applications for admission to the FinTech trial. The verification of the achievement of the objectives will be possible both in the context of the analysis reports submitted by the supervisory authorities pursuant to Article 36, paragraph 2-septies, Growth Decree, as well as the annual report of the FinTech Committee referred to in Article 3, paragraph 2 of the Decree.