Search This Blog

Tuesday 12 December 2023

Anti-Greenwashing Guidance


The UK's Financial Conduct Authority is proposing guidance for firms making sustainability claims in their promotional material, to avoid exaggerated and misleading messages. This includes situations where non-FCA authorised firms are getting promotions approved by FCA-authorised firms. The guidance will be finalised in Q1 2024, to take effect with the anti-greenwashing rule on 31 May 2024.

References to 'sustainability' must be:

  1. Correct and capable of substantiation;
  2. Clear and presented so as to be understood;
  3. Complete and not omit/hide key information;
  4. Take into account the full lifecycle of the product;
  5. Fair and meaningful in relation to any comparisons made.

Monday 13 November 2023

Anti-fraud and Complaints Handling in UK Payment Service Providers

The UK's Financial Conduct Authority has published a summary of its findings of its review of anti-fraud controls of UK payment service providers, particularly focused on Authorised Push Payment (APP) fraud. Let me know if you need assistance in this area.

E-money and payment institutions should at least consider these findings and recommendations as part of their continuing work on staying ahead of fraudsters, even if they consider their systems to be already robust. There is more detail in the FCA web page, but in summary, they found: 

• an insufficient focus on delivering good consumer outcomes in many of the firms we reviewed 

• management information and actions often focused on commercial risk appetite, rather than customer impact and treatment 

• significant scope in many firms to improve the support provided to victims of fraud including from the first point of contact. In many cases, firms need to do more to enable customers to report fraud easily and promptly 

• poor complaint handling including firms often taking too long to respond to customer complaints 

• customers provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language 

• limited evidence that firms are appropriately taking account of characteristics of customer vulnerability when making decisions about fraud claims and complaints.

Let me know if you need assistance in this area.

Thursday 19 October 2023

Do Payment Account Balances Held By A Payment Institution Without A Payment Order Constitute E-money?

Interesting opinion in ABC Projektai UAB v Bank of Lithuania, where the regulator had said that a payment institution had engaged in e-money issuance merely by holding funds for which it had received no payment orders. I've advised on this issue before, but this post is not legal advice, so let me know if you need it.  

The Advocate General's view is that a payment institution which holds funds without executing a payment order will infringe Articles 78 and 83 of PSD2 (as locally implemented) which govern the timing of receipt and execution of payment orders; potentially breach the service contractual for the operation of the payment account; and may trigger liability for non-/late execution under Article 89. 

But the funds would not be somehow converted into e-money "merely because funds have been transferred to a payment account and are kept in that account for the execution of future payment orders." 

There was also no e-money involved because the steps required for issuance of e-money under the E-money Directive (as implemented locally) were neither contemplated by the parties nor actually followed. 

It's worrying that there were in fact no payment orders (rather than, for example, existing payment orders that were not yet deemed to have been received by virtue of article 78(2) PSD2). The PSP had said that it had warned customers to provide payment orders or their funds would be returned (though the firm had not actually returned them...😬). Consistent with the AG's overall reasoning, however, the view must be that this will only amount to a breach of PSD2, rather than somehow convert the payment account balances into e-money. 

Monday 2 October 2023

FCA's Final Warning To Crypto Firms On Marketing and Money Laundering

The UK's Financial Conduct Authority has issued a "final warning" to all firms marketing cryptoassets to UK consumers, including firms based overseas, that it will strictly enforce the new 'financial promotions' restrictions that take effect on 8 October 2023. Among the FCA's concerns, in particular, is the fact that overseas firms with UK customers have failed to engage with the process of introducing the restrictions. Of 150 overseas firms surveyed by the FCA, only 24 responded. The FCA has updated its Warning List accordingly. In addition to criminal prosecutions for breaching the restrictions, the FCA envisages actions to recover the proceeds of crime from those who receive money from offending firms, as well as prosecutions for related money laundering offences. I've summarised the FCA's concerns below for information purposes. This note does not constitute legal advice. If you need advice on any of the matters raised, please get in touch.

What is a financial promotion?

A 'financial promotion' basically means any invitation or inducement to engage in a regulated activity. This could be a feature of any customer communications, marketing activity, social media posts, advertising or part of sponsorship arrangements, for example. 

What is the main restriction?

Firms lacking the appropriate authorisation or registration must only communicate to UK residents financial promotions that either fit an exemption or have been approved by an FCA authorised firm (who have to comply with their own financial promotions rules). 

The FCA expects authorised firms who are considering approving cryptoasset financial promotions to notify the FCA before doing so.  

Depending on the type of product and related activity involved, there may be different promotional rules that the approving firm must check that the promotion complies with before giving approval.

Crypto firms which cannot legally communicate financial promotions to UK consumers will be expected to have robust processes to prevent UK consumers accessing and responding to their financial promotions, including geo-blocking UK consumers, clear statements that their services are not available to UK residents, on-boarding and KYC/AML checks for UK addresses, preventing the use of UK-based payment methods, and ongoing monitoring. 

What happens if there's a breach?

Breaching the financial promotions restrictions is a criminal offence. 

In turn, the FCA considers that any benefits obtained from illegal financial promotions could be criminal property, so anyone receiving or dealing with such proceeds of crime may be implicated in money laundering. Some may also commit an offence where they breach requirements to report suspicious activity. In this context, the FCA will be looking at funds flows such as: 

  • the fees generated by app stores, social media platforms, search engines and domain name registrars from hosting illegal financial promotions; 
  • investments made due to illegal financial promotions; 
  • receipt of payments under advertising, co-marketing and sponsorship deals; and 
  • fees charged by payments firms or other intermediaries for services to unregistered cryptoasset businesses that generate income through illegal financial promotions. 
The FCA would likely begin its enforcement activity with an alert on the FCA website and by seeking to remove or block offending promotions, in addition to targeting intermediaries, social media platforms, search engines, app stores, domain name registrars, hosting providers and payment service providers who support the activities of offending firms.

What if I have UK residents as customers right now?

The FCA explains that firms who are at risk of non-compliance may communicate with their existing UK consumers for a limited time but only to allow those customers to transfer, withdraw or sell their existing assets, which must be communicated in a way that does not breach the financial promotion requirements and clearly explain how consumers can use each option and any associated fees, costs and charges. The FCA considers it unsustainable for unregistered cryptoasset firms to maintain a longer-term relationship with UK consumers who cannot be shown financial promotions. 

This note does not constitute legal advice. If you need advice on any of the matters raised, please get in touch.


Thursday 24 August 2023

Reverse Solicitation

My piece for Ogier Leman on 'reverse solicitation' is here.

Any business dealing with residents of another country faces the potential risk that the authorities in the other country might decide that it is somehow actively operating in that other country, rather than only dealing with foreign customers in or from its home territory after being approached by them ('reverse solicitation'). This could mean action being taken by a foreign consumer, ombudsman or regulator, including action in the civil or criminal courts of another country. A recent Irish case has added some colour to the factors that the European Court of Justice ('CJEU' or 'ECJ') has previously said may show that a business is actively doing business in another country; and I've added a list gleaned from guidance applicable to financial services in particular. This post is for information purposes only. If you need advice, please get in touch.

The ECJ has held that a firm based in one EU Member State won't be doing business in another Member State just because its website is accessible in the other country. Nor will it be enough for the firm's website to display its own email/ geographical address, or phone number (without an international dialing code), because that information is needed by consumers in the firm's own home country. 

Instead, a firm must have somehow 'manifested' or demonstrated its intention to establish a commercial relationship (contract) with consumers in the other country. There must be clear expression of the intention to solicit custom from those foreign consumers. 

The sort of objective factors that the ECJ held to be relevant to that question include: the international nature of the business activity (e.g. tourism); telephone numbers with the relevant country code; a web address with the other country's top-level domain name (e.g. “.de” or ".fr"); itineraries to get to the foreign place where the relevant service is provided; mentions/testimonials of clients based in other countries; and using a foreign language and/or currency not also commonly used in the firm's home country.

The Irish courts have also pointed to these factors in various cases with unsurprising results. But a recent Irish case adds a bit more colour... 

A UK-based firm organised group cycling tours in foreign countries, but not the travel to those countries. So the consumers were never going to be using the firm's service in the UK. Customers had to make their own way to where the tours operated locally. The firm stipulated that it was only responsible for the tour from the appointed start time at the meeting point, but it did also arrange the transport of customers from the foreign/local airport to the meeting point. 

While there was evidence that the booking process did not target a customer's specific country of residence (e.g. Ireland), the firm was aware of the country they had come from and this did not have to be from the UK. The website/email addresses ended in "" but the contact phone number carried the international "+44" country code. Customer testimonials also stated the customer's nationality, including one from Ireland. Prices were stated in currencies other than GBP, including the Euro, and there was a currency conversion feature on the website, to enable customers to figure out how much they would have to pay in their own currency when paying the price in GBP. Prior to booking, a customer also had to create an online account, giving details of their city, country of residence and post code (not just provide those details in the form to verify the payment card details being used, for example, which may only go to the card acquirer rather than the merchant). 

So, the Irish court held that, before the conclusion of any contract with the consumer, it was apparent from the firm's website and overall activity that the defendant intended to do business with - and enter into contracts with - consumers in Ireland (among other places).

These are not the only factors to consider, of course. For example, the EU's financial services 'passporting' requirements and Brexit have provided opportunities for UK and EU authorities to consider what factors - alone or together in a specific context - could mean that an EU financial services provider may be wrongfully targeting the UK market or vice versa:

  • firms must have a 'head office' and hold board meetings in their country/territory of residence/authorisation, so any of those features that are instead based in the other jurisdiction would be problematic from that standpoint alone (i.e. those who decide the firm’s direction, make material management decisions on a day-to-day basis; the finance, settlement and compliance functions - ‘central administrative functions’ - and their systems and records),
  • the website should be hosted on local servers in the 'home' territory (and certainly not in any other country where foreign customers are resident);
  • no marketing, advertising or services should be directed specifically at other countries/territories or their residents;
  • there should not be a foreign language version of the website or customer communications or support specifically for the relevant foreign customers;
  • management and staff should not visit any foreign customers or service providers for operational or marketing purposes or to resolve disputes;
  • foreign customers should only be able to approach the firm's website or staff in its 'home' territory;
  • the firm should not set cookies on the devices of of foreign customers or otherwise monitor their behaviour outside the firm's home territory;
  • the firm should not provide services beyond the scope requested by the foreign customer approaching the firm and they should have to request the service each time they wish to use it;
  • the firms should keep records (not just a tickbox or contractual provision) showing that it was approached by the customers, not the other way around; 
  • the firm should have no agents, intermediaries or outsourced/delegated services outside its home territory or be a member of a foreign payment system, trading exchange/venue or trade body - or vice versa - but could use services in other countries (e.g. hold foreign bank accounts or rely on advice from foreign professional firms);
  • being part of a wider corporate group based outside the territory or being funded from outside the territory may also be problematic; 
  • customer contracts must not be subject to any law of a country other than the firm's home state or specifically refer disputes to any other jurisdiction;
  • a firm should not deposit its clients' money/assets in any institution outside its home territory, or safeguard customer funds outside its home territory (other than as incidental to dealing appropriately with foreign customers in or from the home home territory, supported by correspondent services outside the country where necessary for that purpose).

This post is for information purposes only. If you need advice, please get in touch.

Saturday 5 August 2023

APCOA's Parking Problem

Imagine my surprise when I received a £140 debt recovery notice for a £1 parking charge that I'd paid via APCOA's parking app, alleging “parking without a valid payment or permit”. I called the collection agency (Debt Recovery Plus) and explained that both the app and my credit card statement show that I paid the £1 to park my car at the relevant location (for the second year running, I might add). But, "Aha!" they said. We can see that the registration number entered in your version of the APCOA app has one letter different to your car's actual registration number (an "O" instead of a "P"), so neither the payment APCOA took from your credit card nor the permit it issued to you were valid. That means APCOA can now charge you a £140 penalty!

There are so many things wrong with this that I'm actually kind of hoping it goes to court. Here's the gist of what I've written to all concerned (yet their processes grind on): 

  1. APCOA knew of the mistake (through its licence plate recognition system), yet had proceeded to charge my credit card by submitting the payment to its card acquirer as a valid transaction; and duly issued the parking permit for my vehicle, regardless of the typo in the app (for the second year running). My contract debt of £1 was discharged. The end. Everything that followed was of no legal consequence at all, void, unenforceable. You cannot somehow revive or rely on a contract debt once it is discharged. It's irrelevant that I missed a deadline in a later document APCOA wasn't entitled to issue in the first place. The “terms and conditions of use” at the location don't entitle APCOA to collect a parking fee of £1 and then seek payment of further charges as if it had not already been paid. If English contract law were to allow that, the wheels of commerce would come to an abrupt halt. 
  2. If APCOA regarded the typo in the app as a problem at all, then it had elected not to take the point and reject my payment, so it could not later claim that the typo somehow rendered the attempted transaction invalid.
  3. APCOA had suffered no loss, because they had received the £1 charge and not refunded it.
  4. APCOA is also estopped by its conduct from claiming that the payment/permit was invalid, issuing the parking charge notice and other enforcement activity. By issuing the notice with the correct registration at my address, APCOA (and later the collection agency) demonstrated that it was on notice that I was the registered keeper of the relevant vehicle at the relevant location on the day in question and that I had paid a £1 parking charge using my card (also registered to the app).
  5. To charge 140 times the amount of a contract debt is extravagant and unconscionable in comparison with any legitimate interest, particularly in circumstances where APCOA had in fact accepted payment for a £1 charge and both it and its collection agency were aware of an obvious mistake. The charge is also not a genuine pre-estimate of any loss, since there is no loss!
  6. The debt recovery firm is also on notice of the obvious mistake and is similarly estopped, but has no better claim to payment than APCOA in any event.
  7. To the extent that APCOA seeks to rely on the “terms and conditions of use” as the basis for additional charges, those terms and conditions fail the fairness and transparency tests and/or are otherwise unenforceable under the Consumer Rights Act 2015. 
  8. Any contract formed on the day for the use of the car park would be rectifiable for obvious mistake to cure the minor typographical error in the reference to the registration number. Alternatively, APCOA breached the contract by collecting my payment but failing to apply it to the vehicle that it knew to be the one I had parked, for which the damages are at least equal to the amount they subsequently try to claim from me in charges (plus my costs). 
  9. The debt collection agency has also misrepresented that the UK Supreme Court decision in Cavendish Square Holding BV v Makdessi [2015] UKSC 67; [2016] AC 1172 entitles APCOA or the agency to act as they have. 
  10. Both APCOA and the debt recovery agency have acted wrongfully on several occasions in pursuing the amount of the charge. In all of the circumstances, APCOA and its collections agency are in breach of their duty not to trade unfairly under The Consumer Protection from Unfair Trading Regulations 2008. 

While some of the remedies to which I am entitled may well be beyond the jurisdiction of the small claims court, they would include:

  • judgment in my favour on any attempt to recover the charges;
  • An order that each of the parking charge notice and debt recovery notices are void and/or unenforceable. 
  • An order that any contract formed by my App and the terms and conditions of use of the car park at the Location should be rectified by the court to cure the minor typographical error in the reference to the registration number. 
  • Damages equivalent to all amounts sought by APCOA and its collections agent and my costs and expenses incurred, including (where recoverable under the relevant court rules) legal fees and expenses in defending any proceedings.   

I have written to APCOA, the debt collection agency and APCOA's Managing Director for UK and Ireland, putting them on notice of the above and reserving all my rights and remedies. So far, their highly automated processes grind on...

Tuesday 25 July 2023

EU Expands Open Banking to Open Finance

My piece for Ogier Leman on the EU's proposed Open Finance Regulation is here.

As part of its review of the second Payment Services Directive (PSD2), the EU consulted on whether to expand the concept of 'account information services' to other types of online financial services. As a result, the EU is now proposing a financial data access regulation (Open Finance Regulation) that will give a wider range of financial services customers new ways to extract, use and share their account data independently of the service provider who holds their account. For instance, you could get an independent adviser to analyse all your finances - savings, pensions and mortgages/loans - in detail at any time, including creditworthiness data, rather than rely on periodic summaries from the primary service providers. As a regulation, it will apply directly applicable in all Member States to ensure consistency, without needing to be 'transposed' under local law. Firms will have 2 years to prepare, although 'financial data sharing schemes' will have an earlier window in which to notify the local regulator of their activities. The Regulation is summarised below for information purposes, if you require advice on its application please let us know

Barriers to Data Access

Most financial service providers rely on knowing more than you about your use of their services, so they don't give you the same access to your data or convenient ways to share that data with advisers or other service providers.  Without secure ways to share the data, you won't do it or can't figure out how to do it - which is costly and not standardised.

Consistent with other EU legislation

The Open Finance Regulation not only builds on 'open banking' under PSD2, but is consistent with data access and portability rights under GDPR, the Data Governance Act (improving interoperability between data platforms), the Digital Markets Act (tackling the power of gatekeeper platforms), the proposed Data Act to provide data access rights to Internet of Things (IoT) data for users and providers of related services), the EU retail investment strategy (to provide safeguards in the use of retail investor data) and the Digital Operational Resilience Act (rules on cybersecurity and operational resilience in the financial sector).

Preferred Approach

The EU has chosen the following approach from a wide range of options considered by an experts group and other stakeholders. The Open Finance Regulation will:

  • require data holders to provide customers with 'permission dashboards' to grant access to selected customer datasets;
  • set eligibility rules on who can access customer data;
  • empower European authorities to issue guidelines to protect consumers against unfair treatment or exclusion;
  • require common standards for customer data and interfaces (APIs) for access to that data; and
  • require agreement on compensation and contractual liability.


The Regulation is considered to be a necessary transition that will pay off in the medium to long term. Big providers will lose some of their 'hold' over customers, while providing new entrants access to data that will promote more customer activity and help grow the overall financial services market. 

A key example would be enabling you and your finance providers to figure out how to fund a sustainable lifestyle and retirement, make the decisions to meet your goals and obtain the relevant services to achieve them. 

Creating standard ways to efficiently share data will enable less form filling for customers and better productivity for service providers. 

The estimated total annual benefits from Open Finance for the EU economy ranges from €4.6bn to €12.4bn, including a direct impact on the financial data sector of €663m to €2bn. The overall estimated cost could be €2.2bn to €2.4bn initially and ongoing annual costs of €147m to €465m.

Specific Features of the Open Finance Regulation


In this context 'customer data' means personal and non-personal data that is collected, stored and otherwise processed by a financial institution as part of their normal course of business, whether provided by a customer or generated as a result of customer interaction with the institution. So it includes access to, and processing of, business-to-business as well as business-to-consumer data, at the customer's request.

Certain categories of customer data may be accessed, shared, and used; with specific rights and obligations of defined data users/holders and authorised 'financial information service providers' (who provide information services as a regular occupation or business activity). 

The specific sets of data relate to mortgages, savings, investments, pensions, credit information and so on; and the types of firms in scope are regulated financial institutions - as well as authorised financial information service providers - when acting as holders or users of those types of data. 

A 'data holder' must make available the specified type of data to customers and their nominated 'data users' at the customer's request, in real time. 

Where personal data is involved, the request must also align with a valid legal basis for that data holder to undertake the requested processing under the General Data Protection Regulation (GDPR). 

Data users receiving data at the request of customers should only access the customer data made available to them, and only for the purposes and the conditions agreed with the customer. 

The customer’s personalised security credentials must not be accessible to other parties, nor can the data be stored longer than necessary.

Responsible data use and security 

The Regulation also guides firms on how they should use data for given use cases, and prohibits any discrimination or restriction in the access to services as a result of the use of the data. 

Customers can't be refused access to financial products just because they refuse to grant permission to use their data. 

Data holders must provide the customer with a 'permission dashboard' that meets certain criteria to monitor, manage and withdraw permissions the customer's gives to data users.

Creation and governance of financial data sharing schemes 

Financial data schemes are those whose aim is to bring together data holders, data users and consumer organisations. A scheme should develop data and interface standards, 'coordination mechanisms' for the operation of permission dashboards and a standardised contractual framework governing access to specific datasets and rules on governance, transparency, compensation, liability, and dispute resolution. 

Such data-sharing schemes must be notified to the local regulator; and benefit from a passport for operations across the EU. 

Data holders must be entitled to compensation for making the data available to data users, according to the terms of the scheme of which they are members. 

Financial information service providers. 

Financial information providers must apply for authorisation and meet various operational requirements, appoint a legal representative and may passport their services throughout the EU/EEA.

The Regulation will apply 24 months after its entry into force, except that 'financial data sharing schemes' will be able to apply 6 months in advance months to be ready for the Regulation to go live.

This note summarises the Regulation for information purposes, if you require advice on its application please let us know